Tag Archives: Privacy

Beware of phishing scams after the LastPass breach

In a blog post, LastPass revealed that it “discovered and blocked suspicious activity on our network” and that it found “no evidence that encrypted user vault data was taken”.

LastPass seems to be transparent in sharing information about this security breach. It has provided what appears to be good technical detail about the information potentially compromised, along with the type of cryptography used to protect its users’ “Master” passwords.

Compromise of the ‘server per user salts’ and the ‘authentication hashes’ would allow the attackers to attempt to brute-force a targeted user’s Master password offline. LastPass states, however, that these hashes were produced with a ‘key derivation function’ called PBKDF2, which is considered best practice: each guess costs a configurable number of hash iterations rather than a single hash, and the per-user salt means that a guess has to be recomputed for every user rather than checked against everyone at once.

This makes it extremely expensive for attackers to brute-force the passwords in bulk and instead limits them to cracking one account at a time, meaning they would have to target a particular user (or throw many machines at many users in parallel). It does not protect a weak or guessable Master password, which can still fall to a small, targeted wordlist.

However, the weakest link here is the compromise of ‘email addresses’ and ‘password reminders’. Two likely scenarios come to mind that may arise as a result of this compromised information:

(1) Phishing attacks against LastPass users are now very likely: the attackers can send email pretending to be from LastPass to trick users into divulging their Master passwords.

(2) The password reminders may give the attackers clues when attempting to brute-force a password. Some users are known to set reminders that are so easy to interpret that they almost reveal the password outright, turning a brute-force attempt into a very short guessing game.

Worse, adding a user’s own password reminder to a phishing email lends it credibility and may increase the success of that type of attack.
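The two points above, PBKDF2 making each guess expensive and a careless reminder making the guess list short, are easiest to see side by side. The following is an added example written for this page, not LastPass code: it derives an authentication hash with PBKDF2-HMAC-SHA256 over a per-user salt, then plays the attacker, turning a constructed reminder into a small candidate list and cracking one leaked record. The iteration count, the salt values, the reminder heuristic and the record itself are all assumptions made for illustration; the page does not state LastPass’s real parameters.

```python
import hashlib
import hmac
import time

# Hypothetical iteration count: the page does not state LastPass's real setting.
ITERATIONS = 100_000


def hash_password(password, salt, iterations=ITERATIONS):
    """Derive the stored authentication hash: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def verify_password(candidate, salt, stored_hash, iterations=ITERATIONS):
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(hash_password(candidate, salt, iterations), stored_hash)


def reminder_candidates(reminder):
    """Turn a careless password reminder into a short, targeted wordlist.

    Constructed heuristic for illustration: keep the reminder's content words,
    join adjacent ones, then try common capitalisations and suffixes.
    """
    stop = {"my", "the", "a", "is", "of", "plus", "and", "then"}
    words = [w.strip(".,!?'\"") for w in reminder.lower().split()]
    words = [w for w in words if w and w not in stop]
    bases = set(words)
    for i in range(len(words)):
        for j in range(i + 2, len(words) + 1):
            bases.add("".join(words[i:j]))
    suffixes = ["", "1", "123", "!", "2015"]
    out = []
    for base in sorted(bases):
        for variant in (base, base.capitalize(), base.upper()):
            for suffix in suffixes:
                out.append(variant + suffix)
    return list(dict.fromkeys(out))          # drop duplicates, keep order


def crack(stored_hash, salt, candidates, iterations=ITERATIONS):
    """Offline attack on one leaked record. Returns (password, guesses) or (None, guesses)."""
    for n, candidate in enumerate(candidates, start=1):
        if verify_password(candidate, salt, stored_hash, iterations):
            return candidate, n
    return None, len(candidates)


def seconds_per_guess(salt, iterations=ITERATIONS, samples=3):
    """Measure what one PBKDF2 guess costs on this machine: the attacker's per-guess bill."""
    start = time.perf_counter()
    for _ in range(samples):
        hash_password("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed leaked record, standing in for one row of the compromised data.
    salt = bytes.fromhex("8f1c2a7b4e6d9c0513a2b4c6d8e0f123")   # this user's server salt
    reminder = "My cat Tiger"                                  # this user's password reminder
    stored_hash = hash_password("Tiger123", salt)              # what the server actually held

    per_guess = seconds_per_guess(salt)
    print(f"one guess costs ~{per_guess * 1000:.1f} ms at {ITERATIONS} iterations "
          f"(without a KDF each guess would cost a single hash)")

    candidates = reminder_candidates(reminder)
    found, guesses = crack(stored_hash, salt, candidates)
    print(f"reminder {reminder!r} -> {len(candidates)} candidates, cracked {found!r} after {guesses} guesses")

    # Work done against this salt is worthless against a user with a different salt:
    # the attacker has to start over for every account.
    other_salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print("same password, other user's salt matches stored hash?",
          verify_password("Tiger123", other_salt, stored_hash))
```

The measured cost is what limits an attacker to targeted cracking: a few dozen reminder-driven guesses are affordable against one account, while a full dictionary against every leaked record is not. Note that the reminder shrinks the search space so much that PBKDF2 alone cannot save that user.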

LastPass is right to advise all its users of this compromise, and hopefully all LastPass users heed the warning: change the Master password and activate the multi-factor authentication options.

The positives in this case, however, appear to be the best-practice use of cryptography in storing the Master password authentication hashes (i.e. PBKDF2) and the fact that the encrypted vault data (users’ stored passwords) was not accessed. This is potentially down to LastPass keeping that sensitive data on separate systems.

Had the attackers been able to compromise the encrypted vault data, LastPass would surely be advising its users to change not only their Master password but every other password stored within their accounts, and this would be a monumental task for all concerned.

The Dawn of Privacy-Driven Social Networks

As Avira focuses on privacy and security issues, and social networks now play a major role in people’s lives, CNET journalist Laura Hautala caught my attention yesterday with her article “Non-creepy social networks make it to your smartphone” (CNET, 15 June 2015).

Partly in response to outrage (in the wake of Edward Snowden’s disclosures) over government surveillance abuses and over companies selling their customers’ personal data to the highest bidder, a few companies are now attempting to disrupt the dominant paradigm, i.e. to provide private, encrypted alternatives to Facebook and other networks that the public perceives as more concerned about profit than about the privacy of their customers.

Meet the innovative Minds

Manhattan-based Minds, which has run an alternative social media website for two years, has just launched a lightweight social-network app for mobile (Android and iOS) that encrypts all communications, so that, according to the company, messages can be read only by the intended recipient. The company says Minds is the first social network with an encrypted app, and that the code is open source so that any attempt to read what should not be readable would be visible to developers inspecting it.

According to Co-Founder and CEO Bill Ottman, the app launched this week with a two-year base of 30,000 people already using its social website. As Hautala points out, it’s not a number that will cause Facebook any pain (with its near 1.4 billion users), but the IT world can and often does change rapidly.

In addition to encrypting the data that passes through the app, Minds says it collects none of its customers’ data, so even if intelligence agencies demand users’ data, the company has nothing to give them.

As for earning revenue, Minds plans to give up traditional ad sales (which it has used on its website version) and instead offer ‘VIP services’ for points, which can be either purchased outright or earned free via interaction. Such services include being able to expand the reach of your content beyond your personal connections.

Others en route

With a focus on similar principles, namely data privacy, anonymity, and treating customers as more than just numbers, the Vermont-based social network Ello also plans to launch a mobile app for iOS, Android, and Windows devices. More will come.

While I have personally suggested to friends and colleagues that ‘privacy’ may have been a short-lived concept in human history (and is in fact already gone from our lives in the way our grandparents knew it), it seems that companies led by freedom-loving people continue to rise up against privacy’s seemingly increasing absence.

While writing this, I downloaded the iOS version of the Minds app myself. I’ll activate an account later today and, if I find it to be a promising social experience, maybe I’ll see you there.

The post The Dawn of Privacy-Driven Social Networks appeared first on Avira Blog.

Google rolls out a new password manager

Google has begun rolling out a new security feature, unveiled at its 2015 I/O developer conference, to all Chrome browsers and virtually all Android devices: the Smart Lock password manager.

From now on, any website login details that you save in your desktop Chrome browser will be accessible via any Android device signed in with your Google account. So, if you’ve saved your login details for, say, Facebook or Netflix, you will be automatically signed in when accessing them from the Chrome browser on your Android device, and vice-versa.

In addition, if you were to install the Facebook or Netflix apps on your phone, they will also be able to automatically retrieve your login details from your Google account and sign you in.

The last feature requires individual app developers to integrate Google’s newly released API, but that is a relatively simple matter, so we expect to see it rolling out across a variety of apps soon.

How to feel about Google managing your passwords for you is for you to decide. If you’re already saving these accounts in your Chrome browser, chances are you will enjoy this feature. However, you are now putting more of your eggs in the same basket, so make sure that your main Google account is locked down with a strong, unique password and two-factor authentication.

So given our recent post about the fragmented nature of Android update deployments, when can you expect this feature? Well, for the last few years, Google has been using the Google Play Services app to get around this roadblock and send out major system updates to Android users, regardless of brand or make (but that’s a story for another time).

Any device running Android 2.3 or above will be receiving the update to Google Play Services 7.5 and be able to use the feature.


How to turn Smart Lock Passwords on or off

Interested in using the feature, or just want to make sure it’s turned off and Google isn’t vacuuming up all your passwords?

On your Android device, open the Google Settings app. This is where all the details concerning your Google account reside. You’ll find the Smart Lock setting at the bottom of the main menu in the Google Settings app. From there, you can turn the password manager on or off, allow auto sign-ins, and add exceptions for certain sites or applications.

[Screenshots: Google settings; Smart Lock; Smart Lock options]

From your Chrome browser, you won’t find the Smart Lock name per se, but you will find where to manage the passwords saved in your browser. Just click the menu in the top right corner of the browser and select Settings.

[Screenshots: Chrome Settings; Chrome password save]

At the bottom of the settings page click on “Show advanced settings”. From there, you can scroll down to “Passwords and forms”. Any passwords you’ve saved can be found here.

If you feel the convenience isn’t worth the privacy trade-off, you can delete them and also set the browser to no longer sign you into websites automatically. Just keep in mind that you will regularly be asked whether you want Chrome to save your login when you sign in to a website. Remember to say “no” and “Never for this site”.

As always, stay safe out there.

Amazon Transparency Report Shows Few Requests For User Data

Amazon has released its first transparency report, and for a company as large as Amazon, there is surprisingly little in the way of detail or explanation in the report. The company reported that it received 813 subpoenas, 25 search warrants, and 0-249 national security requests. Of the 813 subpoenas Amazon received in the first five […]

Snapchat rolls out two-factor authentication

The feature, known as ‘login verification’, is a way that users can help protect the privacy of their Snapchat accounts.

Two-factor authentication is a way to help secure your online accounts by adding another step when you log in. With two-factor authentication, your regular password alone is not enough to gain access to your account; you also need a code sent to your mobile device, either as a text message or via an app.

In Snapchat’s case, the first time an account is accessed from a new device, Snapchat requires a code sent via SMS to the mobile number registered on the account. Once the code is entered, Snapchat can be used normally, and the verification is not required on that device again (unless you instruct Snapchat to ‘forget’ the device).
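The flow just described, a one-time SMS code on a new device followed by the device being remembered until the user forgets it, is shown server-side in the following added example. It is written for this page and is not Snapchat’s code; the code lifetime, the attempt cap, the SMS gateway callback, the phone numbers and the device identifiers are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60   # assumed lifetime of a code; the page gives no figure
MAX_ATTEMPTS = 5            # assumed guess limit per issued code


class LoginVerification:
    """Second factor for a new device: one SMS code, then the device is remembered."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms      # callable(phone, code); stands in for the SMS gateway
        self.clock = clock            # injectable so the expiry path can be exercised offline
        self.pending = {}             # (user, device_id) -> {"code_hash", "expires", "attempts"}
        self.trusted = {}             # user -> set of remembered device_ids

    def begin_login(self, user, phone, device_id):
        """Call after the password check has passed.

        Returns "ok" for a remembered device; otherwise issues a code to the
        registered number and returns "code_required".
        """
        if device_id in self.trusted.get(user, set()):
            return "ok"
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[(user, device_id)] = {
            "code_hash": self._digest(code),   # never keep the code itself in the store
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(phone, code)
        return "code_required"

    def verify_code(self, user, device_id, code):
        key = (user, device_id)
        entry = self.pending.get(key)
        if entry is None:
            return "no_pending"
        if self.clock() > entry["expires"]:
            del self.pending[key]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[key]              # a 6-digit code only resists guessing if attempts are capped
            return "locked"
        if not hmac.compare_digest(self._digest(code), entry["code_hash"]):
            return "wrong_code"
        del self.pending[key]                  # single use
        self.trusted.setdefault(user, set()).add(device_id)
        return "ok"

    def forget_device(self, user, device_id):
        """The user's 'forget this device' action: the next login from it needs a code again."""
        self.trusted.get(user, set()).discard(device_id)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode("ascii")).digest()


class FakeClock:
    """Constructed clock so the demo can advance time without sleeping."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


if __name__ == "__main__":
    outbox = []                                   # constructed stand-in for the carrier
    clock = FakeClock()
    lv = LoginVerification(send_sms=lambda phone, code: outbox.append((phone, code)), clock=clock)

    print(lv.begin_login("alice", "+15555550100", "phone-A"))    # code_required
    print(lv.verify_code("alice", "phone-A", outbox[-1][1]))     # ok: phone-A is now remembered
    print(lv.begin_login("alice", "+15555550100", "phone-A"))    # ok, no second code
    print(lv.begin_login("alice", "+15555550100", "tablet-B"))   # code_required for a new device
    clock.t += CODE_TTL_SECONDS + 1
    print(lv.verify_code("alice", "tablet-B", outbox[-1][1]))    # expired
    lv.forget_device("alice", "phone-A")
    print(lv.begin_login("alice", "+15555550100", "phone-A"))    # code_required again
```

Trust is keyed on the (user, device) pair, so a remembered device for one account says nothing about another account on the same handset, and forgetting a device simply drops it from the set. The attempt cap and expiry are what make a six-digit code acceptable: without them an online guess of one in a million succeeds far too often.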

[Screenshot: Login]

For more information on two-factor authentication, check out the video below from AVG Academy.

[Video: Two Factor Authentication (AVG Academy)]

How to enable login verification on Snapchat

As detailed in Snapchat’s support page, here’s how to enable login verification in the app:

  1. Tap the ghost icon at the top of your camera screen
  2. Tap the Settings gear in the top right hand corner of your Profile screen
  3. Tap ‘Login Verification’ under the ‘My Account’ section
  4. Tap the ‘Continue’ button
  5. Enter the verification code sent to your mobile phone and tap ‘Continue’

Once you have completed the login verification process, your device will remain a verified device until you elect to forget it.