Tag archive: security

Original photo by Chris Makarsky - Creative Commons ShareAlike license https://creativecommons.org/licenses/by-sa/2.0/

Customer Service and Security: What Not to Do

I recently signed up for a financial service so I could pay my awesome editor and writing coach, Matthew Sweet. Matthew is in the UK, but I’m in the US, and while it should be easy to pay someone on a different continent, it actually isn’t. The simplest ways incur huge fees, major delays, or both. I’d love to just pay him via Square, but they don’t currently support global payments. So we’re trying out a different service. One we’d never heard of before. One whose sole purpose is to facilitate international payments while keeping fees down. Sounds great!

We both created accounts and the company collected our bank account information. There were no glaring security issues. Pages and links were encrypted. And since I didn’t feel like trying to break into a financial service’s website, there was no way to tell what was going on in the back end.

A few days later I received an email from the company. They told me that my bank account didn’t match the name I’d provided, and asked again for the name and address on the account.

As I read the email I noticed that the page collecting the information was served over HTTP, not HTTPS. It wasn’t encrypted. I then checked the link the form would be submitted to. That was also not encrypted. This meant that the form could be tampered with before I saw it, and that the information I supplied could be eavesdropped upon and tampered with.

Continue reading

Security, Privacy and IoT: The Week of March 18th, 2017

Security

One of the most significant stories of the week is a claim by a hacking group that they have several hundred million Apple account credentials and will use them to remotely wipe devices on April 9th if Apple doesn’t pay up. While it seems unlikely, there are simple precautions you can take which you should already be doing – use a unique strong password on your Apple account (one you don’t use anywhere else) and turn on 2 factor authentication. I’ll write up more about this soon. For now, you can read the original coverage at Motherboard and a follow-up at ZDNET.

Continue reading

Security, Privacy and IoT: The Week of February 13th

I’m experimenting with compiling a list of interesting articles each week – I’ll compile a list of articles that caught my eye. I’m trying to keep this quick and maintain a high signal-to-noise ratio.

Security

Adobe Flash Critical Security Update

Adobe has released Flash Player version 24.0.0.221 for Windows, macOS and Linux. It fixes “critical vulnerabilities that could potentially allow an attacker to take control of the affected system”. If you have Flash installed on your computer, update it immediately. Also update Chrome.

Except for the copy of Flash that comes with Chrome, I haven’t had Flash installed on my Mac in years and I don’t miss it at all.

https://helpx.adobe.com/security/products/flash-player/apsb17-04.html

Continue reading

Another Day, Another Massive Password Dump

Password Dumps: How To Protect Yourself

By now you’re probably used to reading about web sites getting broken into, exposing millions of accounts.

The information that crackers get varies… they may get email addresses and encrypted passwords. It may be your IP address, name, plain text password, credit card information, social security number… it all depends on what the site collects and how they secure it.

This time around Adult Friend Finder was breached, exposing 340 million accounts as well as about another 73 million accounts on other sex-related sites.

Continue reading

SMS two factor authentication

Two Factor Authentication, SMS and NIST

How many movies and TV shows have you seen where someone asks somebody else about a secret that they share? If they give the right answer, their identity is confirmed. If they don’t, they’re an imposter, an alien from Planet X in disguise.

Shared secrets are the basis of authentication in computer security. And two shared secrets – two factor – are even better than one, especially when the first is a password that many people have difficulty managing in a secure way. This is what we’re doing when we use both a password and a code that’s texted to us. And this week, we got told to stop using text messages for the second secret.

Continue reading
