SECURITY: PASSKEYS appear to be NOT the security “silver bullet”

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

*** begin quote ***

The Enshittocene Period

Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users than by locking all their credentials into your platform, and even better, credentials that can’t be extracted or exported in any capacity.

Both Chrome and Safari will try to force you into using either hybrid (caBLE) where you scan a QR code with your phone to authenticate – you have to click through menus to use a security key. caBLE is not even a good experience, taking more than 60 seconds work in most cases. The UI is beyond obnoxious at this point. Sometimes I think the password game has a better ux.

The more egregious offender is Android, which won’t even activate your security key if the website sends the set of options that are needed for Passkeys. This means the IDP gets to choose what device you enroll without your input. And of course, all the developer examples only show you the options to activate “Google Passkeys stored in Google Password Manager”. After all, why would you want to use anything else?

A sobering pair of reads are the Github Passkey Beta and Github Passkey threads. There are instances of users whose security keys are not able to be enrolled as the resident key slots are filled. Multiple users describe that Android can not create Passkeys due to platform bugs. Some devices need firmware resets to create Passkeys. Keys can be saved on the client but not the server leading to duplicate account presence and credentials that don’t work, or worse lead users to delete the real credentials.

The helplessness of users on these threads is obvious – and these are technical early adopters. The users we need to be advocates for changing from passwords to passkeys. If these users can’t make it work how will people from other disciplines fare?

Externally there are other issues. Apple Keychain has personally wiped out all my Passkeys on three separate occasions. There are external reports we have received of other users whose Keychain Passkeys have been wiped just like mine.

Now as users we have the expectation that keys won’t be created or they will have disappeared when we need them most.

In order to try to resolve this the workgroup seems to be doubling down on more complex JS apis to try to patch over the issues that they created in the first place. All this extra complexity comes with fragility and more bad experiences, but without resolving the core problems.

It’s a mess.

*** end quote ***

So this ends my interest in “passkeys”.  Too bad.  It had a lot of promise.

Argh!

—30—

SECURITY: PSEG is behind the times

https://pseg.mypreferencecenter.com/Global/StandardEmailView?subscriberId=0b431ab7-81ba-4b16-a2c5-64639c48d2fb&campaignSendId=85b7bcf6-ed43-40f1-8b1c-874631f58ed8&isTest=False

*** begin quote ***

Lastly, you’ll be required to enter a phone number where you will receive an authentication code.

*** end quote ***

I guess PSEG hasn’t gotten the message that codes via text are NOT secure.

Argh!

And, nowhere to complain.

BPU? Maybe!

—30—

SECURITY: Email is NOT secure; password resets by email is just stupid!

https://www.ghacks.net/2023/04/28/protect-your-money-att-email-accounts-under-attack-by-hackers/

Protect your money: AT&T email accounts under attack by hackers
Onur Demirkol
Apr 28, 2023

*** begin quote ***

A recent report says that hackers have been breaking into email addresses provided by AT&T and stealing huge amounts of cryptocurrency.

According to a report from Tech Crunch, unknown hackers have been hacking email addresses provided by AT&T to steal cryptocurrency from users. The report says that the attacks started at the beginning of April by a gang of cybercriminals. They found a way to hack into email addresses and steal people’s money on crypto.

The hackers have gained access to a section of AT&T’s internal network, allowing them to generate mail keys for any user. Mail keys are used by AT&T users to log into their accounts with third-party apps like Outlook without using their passwords. In other words, they are a kind of “secure measure” that allows log-ins from third-party apps.

*** and ***

If you own an email account provided by AT&T, you might want to improve your security measures or the different precautions. The affected email addresses include att.net, sbcglobal.net, bellsouth.net, and other AT&T email addresses.

*** end quote ***

As a former Wall Street InfoSec guy, I never allowed my enterprises’ passwords to be reset by email.

Guess I was a little ahead of my time and a lot of good it did me.

Argh!

—30—

SECURITY: Passkeys don’t solve every security problem

https://www.reviewgeek.com/148254/why-you-should-start-using-passkeys/

Why You Should Start Using Passkeys
Danny Chadwick
Mar 16, 2023, 2:55 pm EDT | 5 min read

*** begin quote ***

Passwords have been our first line of defense against hackers since the 1960s. But, now they’re showing their age and limitations in the 21st-century data wars. Not even password managers are safe. Passkeys are now here to help. Here’s why you should switch and enjoy a more secure digital future.

*** end quote ***

Passkeys solve the “password” problem for only one use case.

Use cases are programmer speak for how the application interacts with the User.

If you’re the average plain vanilla User, then they are fine.

But, if you access the application from different hardware, then you can’t use a passkey.

Apple shares the passkeys in its walled garden, so that is another use case addressed.

I’m not sure how Google / Android addresses the use case of a different platform usage.

Having password managers storing the passkey may solve the problem but defeat the concept.

IMHO

—30—

SECURITY: PARKMOBILE has been cracked

ATTENTION: ParkMobile

I use dedicated email addresses from my own domain. Yours is “parkmobile@reinke.cc”. I just received a spam message addressed to my unique email address for you. That means it was sent after someone got your data. Please investigate the hack.

# – # – # – # – # 

Anyone bet that no one responds?  And probably no one, other than me, cares.

This demonstrates the value of your own domain and using unique emails.

—30—

SECURITY: And why should I trust “PLAID”?

BY EMAIL FROM COINBASE

*** begin quote ***

Hi Ferdinand J,

As part of our continued effort to ensure the safety and security of our customers, we’re updating the payment method linking system for all banks that support instant verification system (Plaid). Any customer bank accounts that support Plaid will no longer be allowed to use the older, test deposit method.

For those customers whose bank accounts have already been unlinked from their Coinbase account, we understand this may have caused some confusion. Your bank account will need to be relinked using our instant verification system to ensure your payment method utilizes the safest, most reliable service.

If your current bank account is supported by Plaid, but your bank was originally linked via test deposit, please be aware that your account may be unlinked in the near future to support instant verification.

For relinking a Plaid supported bank account, you can verify your account by entering your online banking credentials with the instant verification process – you may either complete this during a Buy or Deposit, or by navigating to your Settings > Payment Methods in your Coinbase account.

For more information on payment methods, please see our help center article here.

Your banking credentials are never sent to Coinbase, and are shared with an integrated, encrypted, trusted third-party called Plaid Technologies Inc. More info about how your bank account information is secured can be found here.

The Coinbase Team

*** end quote ***

And why should I trust “PLAID”?

—30—

SECURITY: BBC reporter creates fake Americans.

https://apnews.com/article/us-elections-misinformation-social-media-BBC-americast-6749e362c3b3a5c8db7b3276a8a5bd91?utm_source=join1440&utm_medium=email

BBC tries to understand politics by creating fake Americans
By DAVID BAUDER — November 1, 2022

*** begin quote ***

NEW YORK (AP) — Larry, a 71-year-old retired insurance broker and Donald Trump fan from Alabama, wouldn’t be likely to run into the liberal Emma, a 25-year-old graphic designer from New York City, on social media — even if they were both real.

Each is a figment of BBC reporter Marianna Spring’s imagination. She created five fake Americans and opened social media accounts for them, part of an attempt to illustrate how disinformation spreads on sites like Facebook, Twitter and TikTok despite efforts to stop it, and how that impacts American politics.

That’s also left Spring and the BBC vulnerable to charges that the project is ethically suspect in using false information to uncover false information.

“We’re doing it with very good intentions because it’s important to understand what is going on,” Spring said. In the world of disinformation, “the U.S. is the key battleground,” she said.

*** end quote ***

This is easily prevented by requiring a credit card and charging for access.  Elon’s $8/month will do more to eliminate, or downgrade, bots than can be imagined.

The fee would eliminate fakes PDQ.  Surprising that no one mentions it in the article.

Of course, there’s no way to comment on the site, because they are just interested in attracting eyeballs.

—30—

SECURITY: CVS site won’t work with a VPN; so much for medical privacy

Thank you for contacting CVS.com.

We are writing in regard to the issue you are experiencing with not being able to log in to CVS.com and have received a response from our IT department.

At this time we advise not using a VPN (Virtual Private Network) when also trying to access the CVS.com website as this can cause issues with connectivity.

If you have further questions or require additional assistance, please contact us by email at customercare@cvs.com or by phone at (888) 607-4287. Reference number ******

As always, thank you for choosing CVS.com.

Sincerely,

 

Derek

BICDAW

Customer Care Department

# – # – # – # – #

Sigh, YET ANOTHER clueless IT organization!

(Maybe I should send in my resume?)

—30—

SECURITY: Gooferment can be “trusted” to misuse “passports”

https://articles.mercola.com/sites/articles/archive/2022/02/27/nick-corbishley-vaccine-passport.aspx

What You Need to Know About Vax Passports, Digital IDs, CBDCs
Analysis by Dr. Joseph Mercola — February 27, 2022

*** begin quote ***

“The passports essentially function as a gateway to allow government to herd us into a totally new reality where our actions, our movements, our thoughts, our behavior are tracked and surveilled,” Corbishley says.

*** end quote ***

There is no reason to permit Gooferment, any level of Gooferment, to treat us like their cattle.

When will “We, The Sheeple” object?  When they are loading up the trains!

—30—

SECURITY: SMS should NOT be used for 2FA

*** begin quote ***

“The company that routes SMS for all major US carriers was hacked for five years. It isn’t revealing whether or not messages were exposed, but it’s just another reason not to use SMS for 2FA.”

*** end quote ***

So for the average layman, it means that if any service provider texts codes to your phone as a way of securing your account, they are at risk of a security breach.

I’ve begun communicating with the providers I use, putting them on notice that (1) they are using an insecure technology to secure my account; and (2) asking when they plan to switch to a phone-based authentication technology or something better.

Now, if they say they use GOOGLE or APPLE authenticator, you can point out that those too are insecure by design, since a hack of either high-profile target will make you vulnerable.

Using the “home grown” authenticator (something written by the service provider like IDME) doesn’t have the transparency of the source code to assure security.

Any “home grown” authenticator, or the Google or Apple authenticators, does NOT separate the necessary and sufficient controls for good Information Security.

Suggest you tell them to support AUTHY or other third-party authenticators.  This is more secure because the “key” is only held by them and by you locally on your phone.

Or if they really want to protect you, they can give you a hardware token like YUBIKEY or a hardware authenticator like SECURE_ID.

—30—

SECURITY: Use an authenticator app; not a phone call

https://www.lifewire.com/why-phone-based-authentication-can-be-insecure-5087935

Why Phone-Based Authentication Can Be Insecure
Cyber criminal’s delight?
by Sascha Brodsky
Published November 17, 2020

*** begin quote ***

Key Takeaways

Hackers can steal phone-based multi-factor authentication (MFA) codes, experts say.
Phone companies have been tricked into transferring phone numbers to allow criminals to get the codes.
A simple, low-cost way to increase security is to use the authenticator app on your phone.

*** end quote ***

I don’t understand why corporate CSOs don’t insist on authenticator apps versus some lame alternative.

And, if you don’t want to “mandate” it to Customers, then their services should support it.

Argh!

—30—

SECURITY: Don’t Get ‘Juice Jacked’ While Recharging In Public

Do you plug your phone into free public charging stations? Be careful! According to NBC News, you may get ‘juice jacked’ by hackers who have installed malware that can tunnel and copy your sensitive personal information! Cybersecurity expert Jim Stickley demonstrates how a hacker could access a person’s phone through a public charging station. “Depending on the vulnerability they exploit, they would have access to everything you would have access to on your phone,” according to cybersecurity expert Jim Stickley.

Source: Don’t Get ‘Juice Jacked’ While Recharging In Public, Cybersecurity Expert Warns

# – # – # – # – #

Personally, I don’t use “public charging stations”.  I have several cheap battery blocks for the purpose.  In the rare instance that I have to, I “juice” the block and then connect the device to the block.

Can’t be too careful in “security”.

— 30 —

SECURITY: Dump Verizon (aka AOL aka Yahoo) as well as your ISP email address NOW!

https://pjmedia.com/trending/yahoo-and-aol-can-now-read-your-emails-access-your-bank-records/

If you now have a Yahoo or AOL account, I recommend that you close your account.

Seriously, not that I think Google is “Prince Charming”, but Verizon has now gone “over the edge”, imho.  Of course, it’s a giant PIA to change email addresses.

That’s why I suggest that you have your own domain. The common wisdom, or is that common whizdumb, is to own your own name as a domain name. I own “reinke.cc”. (I like saying “sea sea me at reinke.cc”! me@reinke.cc will actually work!) It gives one quite a bit of control.

And, it’s very cheap. I know three solutions at $15/year using wordpressdotcom with gmail, $25/year email only with 1and1, and $60/year for domain+email+webspace also at 1and1. My point is not that you should use 1and1. http://www.1and1.com/?k_id=9113251 I could care less which one you use. It’s that getting on to your own domain with email is cheap and easy. And, it’s not hotmail, yahoo, or gmail. It IS your own “personal brand”.

If you find out later that you’ve been abused by Verizon aka AOL aka Yahoo or your ISP, then you can’t say you didn’t get warned.

# – # – # – # – #

SECURITY: Don’t reuse passwords

It’s World Password Day

Passwords are in the spotlight today and it’s an important reminder to reconsider our online security routine. Our recent research project, The Psychology of Passwords, shows a startling reality of unsafe online practices. Here’s a little preview of the habits that make hackers very happy:

59% mostly or always use the same password

53% have not changed passwords in the last year

64% want to easily remember their passwords

From this, we’ve learned that consumers are using the same easy-to-remember password for multiple accounts (despite the increase in cybersecurity threats and breaches).

Don’t let yourself be one of these stats – participate in World Password Day! Refresh your passwords today and secure your digital life.

# – # – # – # – # 2018-May-03 @ 12:21

SECURITY: FBI paid Geek Squad employees as informants

http://www.foxnews.com/tech/2018/03/07/fbi-paid-geek-squad-employees-as-informants.html

The FBI paid Geek Squad employees as informants

*** begin quote ***

The FBI has been in cahoots with Best Buy’s Geek Squad for at least the past decade, new documents obtained by the Electronic Frontier Foundation (EFF) via a Freedom of Information Act (FOIA) lawsuit reveal.

An FBI memo obtained by the nonprofit digital rights group reveals that Best Buy in September 2008 hosted a meeting of the law enforcement agency’s Cyber Working Group at a Geek Squad repair facility in Kentucky. The memo indicates that the local FBI division “has maintained close liaison with the Geek Squad’s management in an effort to glean case initiations and to support the division’s Computer Intrusion and Cyber Crime programs.”

*** end quote ***

While I have no love for child porn, its producers, or its consumers, I am concerned about the Fourth Amendment. It would seem that the Geek Squad has become agents of the police and subject to the usual requirements of warrants.

It sets up a very suspect set of circumstances.

How does one ensure that the evidence was planted?

Does Best Buy have a secure image taken before the staff works on it? Are patrons advised to take an image before submitting a computer for service?

Makes one think doesn’t it?

# – # – # – # – # 

SECURITY: “Mobile Witness” as a tool

http://www.zdnet.com/pictures/android-ios-apps-to-download-before-disaster-strikes/13/

Mobile Witness

If you are in the area when a situation calls for evidence — such as in the case of dubious behavior or crimes — Mobile Witness can provide a way to record audio and video.

Rather than store this footage on your mobile device, which may be lost, taken, or stolen, recordings can automatically be sent to third-party cloud storage providers including Dropbox and Google Drive.

# – # – # – # – #

Great idea!

# – # – # – # – #

SECURITY: A password manager is essential today

https://www.lifewire.com/password-managers-4151868

Password Managers You Need
Online security can be stress-free with a password manager in your corner
by Tom Nelson
Updated October 02, 2017

*** begin quote ***

A password manager is an application that can generate, store securely, retrieve, and manage passwords and other login credentials. And it may well end up being the best friend you have when it comes to keeping your privacy safe while browsing the web and accessing your favorite online services.

Password managers let you collect and store all of your passwords and login information for various accounts in one easy-to-access app that can log you in to any service you have subscribed to with just a couple of clicks or taps.

The ease of access to your passwords usually puts an end to two of the most common security problems involving online services: using the same password for multiple sites, and using easy to remember, and thus easy to guess, login credentials.

It’s important to use different passwords for each and every site/service you use because if one of the sites or services you use is hacked and the hackers gain access to your name and password, they will start trying your name and password combination on lots of sites (think banks and social media sites). Having completely different passwords for each site/service leaves you far less vulnerable.

*** end quote ***

I am a lastpass fanboy.

https://lastpass.com/f?408336

Just this week, I had to help two people with “password problems”.

Both were with iOS, which makes me suspect that iOS screwed something up?

In any event, one was with Yahoo mail. Of course, the noob had never set anything up with “disaster recovery” in mind.

(And, the Sprint tech, who swapped her phone out on an upgrade, never backed up any of her “stuff”. She was in tears until I suggested that she request photos from her friends with whom she probably shared them. That got her back a lot but no one knows if it was all. I set up Google Photos to archive all of them and turned on her iCloud backup. Argh!)

Anyway, I was able to get her phone to register with Yahoo as a recovery alternative. And, then recover her original password. Eventually, Yahoo “timed out” and “excessive recoveried” her. But it was good enough to get her mail flowing again.

I set up her LastPass and it began automatically capturing passwords for her.

But why does everything have to be done AFTER a disaster?

Argh!

Do these technology companies not realize that it has to be brain dead simple and that the average User has no concept of what is going on?

Argh!

# – # – # – # – #

SECURITY: Print Your Google Backup Verification Codes

http://www.makeuseof.com/tag/print-google-backup-verification-codes-prevent-getting-locked/

Print Your Google Backup Verification Codes to Prevent Getting Locked Out
Saikat Basu October 26, 2017

*** begin quote ***

If you use Google’s two-step authentication system to protect your Google accounts, you could accidentally get locked out. It’s one of the biggest risks of two-factor authentication. And if you can’t get a mobile signal, then you can’t get the needed SMS messages in time.

*** end quote ***

The better question is WHY AREN’T you using two-step authentication anywhere it’s offered?

# – # – # – # – #  

SECURITY: He was moving terabytes of data off Congress’s system — why?

http://www.foxnews.com/opinion/2017/10/10/democrats-it-scandal-just-got-even-more-bizarre.html

The Democrats’ IT scandal just got even more bizarre
By Frank Miniter, Fox News

*** begin quote ***

I’m referring to the strange case of Imran Awan, the IT aide Rep. Debbie Wasserman Schultz, D-Fla., kept on her congressional payroll even after it became known he and his wife, Hina Alvi Awan, were being investigated by the Capitol Police for possible theft, fraud, moving terabytes of data off Congress’s system and more.

*** end quote ***

Sounds like this is getting more interesting.

Wonder when, or if, the whole story will come out?

I hope all the IT security folks are watching carefully!

# – # – # – # – # 

SECURITY: Don’t reuse the same password at ANY site

http://www.nytimes.com/2016/12/14/technology/yahoo-hack.html

TECHNOLOGY
Yahoo Says 1 Billion User Accounts Were Hacked
By VINDU GOEL and NICOLE PERLROTH
DEC. 14, 2016

*** begin quote ***

SAN FRANCISCO — Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, disclosed Wednesday that a different attack in 2013 compromised more than 1 billion accounts.

*** end quote ***

There are too many good password utilities that make this unnecessary. 

I have over three hundred sites where I have accounts and no site has the same password.

AND, my passwords are as long as the site allows and with whatever mix of character types they allow.

My financial sites (i.e., the banks and brokerage) have their passwords written down off line.

(Yeah, that’s a small PIA but I sleep better.)

Ask me if you need information security advice.

Otherwise, you’re just a target waiting for the random hacker or script kiddie.

Argh!

# – # – # – # – # 

SECURITY: TDAMERITRADE delayed reaction

2016-Jul-01

 

Dear Valued Client, 

The security of client information is a top priority for us. As part of routine monitoring, we have learned that client email addresses and passwords from a breach at LinkedIn® were compromised and recently published online. While the breach is not TD Ameritrade-related, we believe that the User ID on your TD Ameritrade Institutional account matches an email address from that breach. 

As a precaution, we have expired the password on your TD Ameritrade Institutional account. We know that many people reuse the same passwords on multiple websites, so it is important that we take this proactive step.* 

You will need to log in to your TD Ameritrade Institutional account to change your password. Please be sure that the new password you create is different from your previous one. 

If you have trouble accessing your account, or if you have any questions, please contact your Advisor or call TD Ameritrade Institutional at 800-431-3500 option 2. 

Sincerely,

John Tovar 
John V. Tovar 
Managing Director, Brokerage Services

 

# – # – # – # – # 

Argh!

So because they have Clients that are boobs, I have to be inconvenienced?

And, I hate to tell them the LinkedIn breach was a LONG time ago.

I guess they had to figure out how to expire all the old passwords OR they just heard about it.

Argh!

# – # – # – # – # 

SECURITY: Tell me that this is for MY benefit

Dear Ferdinand,

As we move closer to joining together with Starwood®, we want you to continue taking advantage of everything the Marriott Rewards® program has to offer by making sure your account information is current and secure.

It is our ongoing priority to ensure your personal information is protected. For your continued security, we will be implementing enhanced password protections over the next few weeks. 

You are receiving this email because your account password needs to be updated to comply with our revised security measures. We encourage you to log in and follow the steps below as soon as possible to ensure uninterrupted access to your account when the new password requirements take effect.

As a reminder, experts recommend that you periodically change the passwords you use to access websites as a precaution. Changing your Marriott Rewards password is easy. All you will need to do is:

Log in to your Marriott Rewards account on your desktop or laptop
Select “My Account”
Select “Profile”
Select “Edit” in the Password section
Enter current and new password
Confirm your identity if you are not using a registered device

Log on now to your Marriott Rewards account to take action. Thank you very much for taking the time to update your password information.

Sincerely,

Argh! I’m SURE that this is for MY benefit.

Argh! Laugh!

# – # – # – # – # 

 

SECURITY: United Airlines resets their security?

*** begin quote ***

To better protect your United MileagePlus® account, we’ll soon no longer allow you to use your PIN to sign in. Instead you’ll need to have security questions and a strong password.

If you haven’t done so already, please sign in to your account today. You’ll be asked to complete these steps:

(1) Validate your email address
(2) Choose and answer new security questions
(3) Update your password

For now, you will still need your PIN when you call the United® Customer Contact Center, so don’t lose track of that just yet.

Thank you for being a MileagePlus member and for taking the time to update your account.

*** end quote ***

I guess that someone has hacked United Airlines.

Didn’t hear about this in the media.

# – # – # – # – #