How Much is Your Gmail Worth?

The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper’s account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that’s computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.

via How Much is Your Gmail Worth? — Krebs on Security.

Kim Dotcom Threatens To Sue Google, Facebook And Twitter Over 2-Factor Authentication Patent If They Don’t Help Him

So, a lot of people are talking about Kim Dotcom’s latest gambit, which was to point out that he holds a patent (US 6,078,908 and apparently others in 12 other countries as well) that covers the basics of two-factor authentication, with a priority date of April of 1997. While interesting, he goes on to point out that he’s never sued over the patent because “I believe in sharing knowledge and ideas for the good of society.”

via Kim Dotcom Threatens To Sue Google, Facebook And Twitter Over 2-Factor Authentication Patent If They Don’t Help Him | Techdirt.

Facebook vs. Salesforce: An Identity Smackdown?

If an alternative did take root, his money would be on Salesforce to prevail. “There’s credibility for Salesforce being an enterprise identity provider,” Shaw says. “They have a legitimate claim for being an identity provider because so many people use salesforce.com. It’s hard not to run into an enterprise that’s not using Salesforce to some degree. Even small companies.

via Facebook vs. Salesforce: An Identity Smackdown? — Dark Reading.

When Active Directory And LDAP Aren’t Enough

Ultimately, the chaos is breeding a whole new niche in Identity as a Service (IDaaS) that’s being tightly contested by vendors like Okta and Identropy and others like Centrify and Symplified. It’s an exploding market that Gartner says will make up a quarter of all new IAM sales by the end of 2014 and 40 percent by 2015,

via When Active Directory And LDAP Aren’t Enough – Dark Reading.

Not another X-as-a-Service acronym. IAM = Identity and Access Management.

OAuth – A great way to cripple your API

Even the original social networking sites behind OAuth decided they really need other options for different use-cases, such as Twitter’s xAuth, or Yahoo offering Direct OAuth, which turns the entire scheme into a more complicated version of HTTP Basic Authentication, with no added benefits. Perhaps the most damaging point against OAuth is that the original designer behind it decided to remove his name from the specification, and is washing his hands clean of it.

via Insane Coding: OAuth – A great way to cripple your API.

Bypassing Google’s Two-Factor Authentication

TL;DR – An attacker can bypass Google’s two-step login verification, reset a user’s master password, and otherwise gain full account control, simply by capturing a user’s application-specific password (ASP).

via Bypassing Google’s Two-Factor Authentication – Blog · Duo Security.

Also From: Google Security Vulnerability Allowed Two-Step Verification Bypass – Dark Reading.

A successful attack would require first stealing a user’s ASP, which could theoretically be accomplished via malware or a phishing attack.

PayPal, Lenovo Launch New Campaign to Kill the Password with New Standard from FIDO Alliance

Under the standards put forward by the FIDO Alliance, the device a person is using to log in to an account would play a more central role in authentication. That would make it impossible to compromise accounts by stealing passwords, as hackers did in order to break into Twitter this month and LinkedIn last year.

via PayPal, Lenovo Launch New Campaign to Kill the Password with New Standard from FIDO Alliance | MIT Technology Review.

Requiring a person to offer both a password and a physically linked secondary proof is an approach known as “two-factor authentication.”
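A worked illustration of the device-centred login the article is describing, added here for this page and not code from the FIDO Alliance, PayPal or Lenovo: the enrolled device holds an ECDSA private key that never leaves it, the server stores only the matching public key plus a password hash, and every login needs the device to sign a fresh server challenge bound to the relying-party name. The relying-party identifier, the deliberately simple salted-SHA-256 password hash and the message layout are assumptions made for the example; the flow is modelled loosely on FIDO U2F / WebAuthn and leaves out attestation, signature counters and user-presence checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumed relying-party identifier for this example; WebAuthn binds
// assertions to the site's origin in the same spirit.
const rpID = "example.com"

// Device is the authenticator. Its private key is generated on it and never
// sent anywhere, so a password stolen by phishing or malware is not enough
// to complete a login on its own.
type Device struct{ priv *ecdsa.PrivateKey }

// Record is everything the server keeps for one user: no device secret.
type Record struct {
	salt   []byte
	pwHash []byte
	pub    *ecdsa.PublicKey
}

// hashPassword is deliberately simple for the illustration; a real service
// uses a slow, memory-hard KDF such as Argon2 or bcrypt here.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Register enrols a password and a freshly generated device key pair.
func Register(password string) (Record, *Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Record{}, nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, nil, err
	}
	rec := Record{salt: salt, pwHash: hashPassword(salt, password), pub: &priv.PublicKey}
	return rec, &Device{priv: priv}, nil
}

// NewChallenge is the server's fresh nonce for one login attempt, so a
// captured assertion cannot be replayed against a later attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData ties the challenge to the relying party, so an assertion a
// phishing site on another origin tricks the device into producing is useless here.
func signedData(challenge []byte, rp string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(rp))
	return h.Sum(nil)
}

// Assert is the device's side of the login: sign the challenge for the
// origin it believes it is talking to.
func (d *Device) Assert(challenge []byte, rp string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, signedData(challenge, rp))
}

// Authenticate is the server's side: the password must match AND the
// signature must verify under the enrolled public key for this challenge.
func Authenticate(rec Record, password string, challenge, sig []byte) error {
	if subtle.ConstantTimeCompare(rec.pwHash, hashPassword(rec.salt, password)) != 1 {
		return errors.New("password mismatch")
	}
	if !ecdsa.VerifyASN1(rec.pub, signedData(challenge, rpID), sig) {
		return errors.New("device assertion invalid")
	}
	return nil
}

func main() {
	rec, dev, err := Register("hunter2")
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	sig, _ := dev.Assert(ch, rpID)
	fmt.Println("password + enrolled device:", Authenticate(rec, "hunter2", ch, sig))
	// Attacker knows the password but only has a device of their own.
	_, stranger, _ := Register("irrelevant")
	badSig, _ := stranger.Assert(ch, rpID)
	fmt.Println("stolen password, other device:", Authenticate(rec, "hunter2", ch, badSig))
	// Assertion obtained by a look-alike origin.
	phishSig, _ := dev.Assert(ch, "example.com.evil.test")
	fmt.Println("phished assertion:", Authenticate(rec, "hunter2", ch, phishSig))
}
```

The point to take from the three calls in main: the password check alone is exactly what the quoted Twitter and LinkedIn breaches defeated; the signature check fails for a stolen password without the enrolled device, for a signature minted for another origin, and for a replayed signature once the challenge changes.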

KeePass Password Safe

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

via KeePass Password Safe.
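An added example of the unlock scheme the KeePass description refers to (a database locked with a master password, a key file, or both); it is illustrative code written for this page, not KeePass's own code and not its KDBX file format. The composite key follows the KeePass idea of hashing each factor separately and then hashing the concatenation; the hand-written PBKDF2 stands in for KeePass's key-transformation rounds, and AES-256-GCM is used in place of the AES/Twofish modes the features page lists. The round count, salt and nonce sizes, slot tags and blob layout are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed parameters for the example (KeePass's own defaults differ).
const (
	kdfRounds = 100_000
	saltLen   = 16
	nonceLen  = 12
)

// CompositeKey hashes each unlock factor on its own, then hashes the tagged
// concatenation, so a different password OR a different key file yields a
// different key. nil means the factor is not used.
func CompositeKey(password, keyFile []byte) []byte {
	h := sha256.New()
	if password != nil {
		p := sha256.Sum256(password)
		h.Write([]byte{1}) // slot tag: password
		h.Write(p[:])
	}
	if keyFile != nil {
		k := sha256.Sum256(keyFile)
		h.Write([]byte{2}) // slot tag: key file
		h.Write(k[:])
	}
	return h.Sum(nil)
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written out by hand; it
// stands in for KeePass's key-transformation rounds, which make every guess
// at the master password cost the attacker real work.
func pbkdf2SHA256(secret, salt []byte, rounds, keyLen int) []byte {
	prf := hmac.New(sha256.New, secret)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte{}, u...)
		for i := 1; i < rounds; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// LockDatabase encrypts the serialised entries. Assumed blob layout:
// salt || nonce || AES-256-GCM ciphertext, with the salt as associated data.
func LockDatabase(password, keyFile, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := newGCM(pbkdf2SHA256(CompositeKey(password, keyFile), salt, kdfRounds, 32))
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte(nil), header...), nonce, plaintext, salt), nil
}

// UnlockDatabase reverses LockDatabase. A wrong password, a wrong or missing
// key file and a tampered blob all fail the GCM tag check identically.
func UnlockDatabase(password, keyFile, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("database blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(pbkdf2SHA256(CompositeKey(password, keyFile), salt, kdfRounds, 32))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong master key or corrupted database")
	}
	return pt, nil
}

func main() {
	entries := []byte("example.com\talice\tcorrect-horse-battery-staple\n") // constructed
	keyFile := []byte("constructed key-file contents")
	blob, err := LockDatabase([]byte("master password"), keyFile, entries)
	if err != nil {
		panic(err)
	}
	pt, err := UnlockDatabase([]byte("master password"), keyFile, blob)
	fmt.Printf("both factors: %q %v\n", pt, err)
	_, err = UnlockDatabase([]byte("master password"), nil, blob)
	fmt.Println("password without key file:", err)
}
```

Two things the example makes concrete that the description only states: the key file is a second factor only because the composite key depends on its contents, so losing it locks you out exactly as the blogger worries below; and the stretching rounds are what separate an offline attack on the stolen database file from the hash rates quoted further down this page.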

I haven’t tried this yet. Using something like this requires a complete paradigm shift as to how one uses the web. I currently have a password system in my head that has worked for quite some time. It will be interesting how useful this is in real life use cases. Having the ability to have some other entity remember usernames and passwords can lead to very secure authentication. There will be no way to authenticate however if one does not have access to this password database, which could be a problem.

New 25 GPU Monster Devours Passwords In Seconds

In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14-character Windows XP password hashed using LM NTLM (NT Lan Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.

via Update: New 25 GPU Monster Devours Passwords In Seconds | The Security Ledger.
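To make the numbers in the quote concrete, an added example, written for this page and not the researchers' rig or hashcat, of what a wordlist attack on NTLM hashes actually is: NTLM is MD4 over the UTF-16LE encoding of the password with no salt, so each candidate costs one hash and a hashed wordlist can be reused against every captured hash. MD4 is written out by hand because Go's standard library does not include it. The wordlist is constructed, the 348 billion hashes/second figure comes from the article, and the 95-character printable-ASCII alphabet in the brute-force estimate is an assumption.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
	"unicode/utf16"
)

// MD4 (RFC 1320), written out here because Go's standard library does not
// ship it. NTLM is MD4 over the UTF-16LE password, with no salt.
func MD4(data []byte) [16]byte {
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	rotl := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }

	// Padding: 0x80, zeros up to 56 mod 64, then the bit length as LE uint64.
	msg := append([]byte{}, data...)
	msg = append(msg, 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	var bits [8]byte
	binary.LittleEndian.PutUint64(bits[:], uint64(len(data))*8)
	msg = append(msg, bits[:]...)

	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	k2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	k3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]uint{3, 7, 11, 19}, [4]uint{3, 5, 9, 13}, [4]uint{3, 9, 11, 15}

	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F, message words in order
			a, b, c, d = d, rotl(a+f(b, c, d)+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G, words by column
			a, b, c, d = d, rotl(a+g(b, c, d)+x[k2[i]]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H, bit-reversed word order
			a, b, c, d = d, rotl(a+h(b, c, d)+x[k3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NTLMHash returns the lowercase hex NT hash of a password.
func NTLMHash(password string) string {
	units := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(buf[2*i:], u)
	}
	sum := MD4(buf)
	return hex.EncodeToString(sum[:])
}

// CrackNTLM is a wordlist attack: the hash is unsalted, so each candidate
// costs one MD4 and the same hashed wordlist serves against every target.
func CrackNTLM(targetHex string, wordlist []string) (string, bool) {
	target := strings.ToLower(targetHex)
	for _, w := range wordlist {
		if NTLMHash(w) == target {
			return w, true
		}
	}
	return "", false
}

// BruteForceSeconds is the worst-case time to exhaust charset^length
// candidates at the given hash rate.
func BruteForceSeconds(charset, length int, hashesPerSecond float64) float64 {
	return math.Pow(float64(charset), float64(length)) / hashesPerSecond
}

func main() {
	words := []string{"letmein", "Summer2012", "password", "hunter2"} // constructed wordlist
	fmt.Println(CrackNTLM(NTLMHash("password"), words))
	const rate = 348e9 // hashes per second quoted in the article
	for _, n := range []int{8, 10, 12} {
		fmt.Printf("95^%d printable ASCII at %.0f/s: %.3g s\n", n, rate, BruteForceSeconds(95, n, rate))
	}
}
```

The estimate is also the check on the quote's "even the most secure password": at 348 billion hashes per second, eight printable-ASCII characters fall in roughly five hours, but twelve take on the order of 10^12 seconds, so the fast-hash problem is a short-or-guessable-password problem. On the server side the fix is not a longer password policy but a salted, deliberately slow KDF, which removes both the one-hash-per-guess cost and the reuse of a hashed wordlist across accounts.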