Stop Trying to Fix the User

We must stop trying to fix the user to achieve security. We’ll never get there, and research toward those goals just obscures the real problems. Usable security does not mean “getting people to do what we want.” It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users’ security goals without — as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it — “stress of mind, or knowledge of a long series of rules.”

Source: Security Design: Stop Trying to Fix the User – Schneier on Security

Social Security Administration Now Requires Two-Factor Authentication

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

Source: Social Security Administration Now Requires Two-Factor Authentication — Krebs on Security

Microsoft Live Account Credentials Leaking From Windows 8 And Above

Basically, the default User Authentication Settings of Edge/Spartan (also Internet Explorer, Outlook) let the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user’s Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker’s network share.

Source: Microsoft Live Account Credentials Leaking From Windows 8 And Above | Hackaday

Critical vulnerabilities in web-based password managers found

The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword, and they did it to evaluate their security in practice, and to provide pointers to “guide the design of current and future password managers.”

“Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop,” they pointed out, and are advocating a defense-in-depth approach.

via Critical vulnerabilities in web-based password managers found.

How Welcoming Will the Smart Home of the Future Be?

This approach of binding our smart devices to our personal accounts may be an easy engineering decision today, but it will make less sense as more devices show up in households with multiple family members. Families shouldn’t be forced to decide if the dishwasher is bound to Mom’s Gmail account or Dad’s. Instead, the household should have its own identity, with different family members having different levels of access depending on their needs.

via How Welcoming Will the Smart Home of the Future Be? | MIT Technology Review.

Not sure why a dishwasher or any household appliance would need user authentication or even user management. Does it matter if the person doing dishes is authorized as long as the dishes get washed?

a P2P microblogging platform

This paper proposes a new microblogging architecture based on peer-to-peer network overlays. The proposed platform is comprised of three mostly independent overlay networks. The first provides distributed user registration and authentication and is based on the Bitcoin protocol. The second one is a Distributed Hash Table (DHT) overlay network providing key/value storage for user resources and tracker location for the third network. The last network is a collection of possibly disjoint “swarms” of followers, based on the Bittorrent protocol, which can be used for efficient near-instant notification delivery to many users. By leveraging existing and proven technologies, twister provides a new microblogging platform offering security, scalability and privacy features. A mechanism provides incentive for entities that contribute processing time to run the user registration network, rewarding such entities with the privilege of sending a single unsolicited “promoted” message to the entire network. The number of unsolicited messages per day is defined in order to not upset users.

via [1312.7152] twister – a P2P microblogging platform.

deferred final security check, could leak personal data

sends data to analytics providers such as Google’s DoubleClick and Pingdom. As Simo reviewed the Web requests being made as part of his movement through the site, he found requests sent to these two providers that included his visit to the password reset page—and all of the user data that was generated by the page. That runs counter to the privacy policy on, which states that no personally identifiable information will be collected by site analytics tools. This is the same sort of behavior that the Federal Trade Commission has fined social networks such as Facebook and MySpace for in the past.

via deferred final security check, could leak personal data | Ars Technica.
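The kind of audit Simo ran, as an added example (not code from the Ars Technica article): walk a capture of outgoing requests and report every third-party request that carries first-party page data, whether copied into the beacon’s own query string, sent in the `Referer` header, or embedded as a parameter value holding the full page URL (a common pattern for analytics tags). The first-party host, the sensitive path, the PII field names and the three request records are all constructed for the example; they are not the site or traffic the article describes.

```python
"""Find first-party page data riding along in requests to third-party hosts.
Added example, not from the Ars Technica article.  Everything below
(first-party host, sensitive path, field names, request records) is
constructed for illustration, not captured traffic.
"""
from urllib.parse import urlsplit, parse_qs

FIRST_PARTY = "www.example.org"                 # assumed first-party site
SENSITIVE_PATHS = {"/account/reset-password"}   # assumed sensitive page
PII_KEYS = {"email", "firstname", "lastname", "phone", "ssn", "dob", "username"}


def registrable(host):
    """Crude registrable-domain: last two labels (adequate for the sample)."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(url):
    host = urlsplit(url).hostname or ""
    return registrable(host) != registrable(FIRST_PARTY)


def query_keys(query):
    return {k.lower() for k in parse_qs(query)}


def leaked_fields(req):
    """Return sorted finding tags for one request record {'url', 'referer'}:
    param:<k>       PII key in the third-party request's own query string
    page:<path>     a sensitive first-party page revealed by the carried URL
    page_param:<k>  PII key in the carried first-party URL's query string
    The 'carried' URL is the Referer header and any parameter value that is
    itself a first-party URL (analytics beacons often send the page location)."""
    if not is_third_party(req["url"]):
        return []
    findings = set()
    params = parse_qs(urlsplit(req["url"]).query)
    findings |= {f"param:{k}" for k in PII_KEYS & {k.lower() for k in params}}

    carried = [req.get("referer") or ""]
    carried += [v for vals in params.values() for v in vals if v.startswith("http")]
    for page in carried:
        parts = urlsplit(page)
        if not parts.hostname or is_third_party(page):
            continue
        if parts.path in SENSITIVE_PATHS:
            findings.add(f"page:{parts.path}")
        findings |= {f"page_param:{k}" for k in PII_KEYS & query_keys(parts.query)}
    return sorted(findings)


def audit(requests):
    """Map each offending third-party host to what it received."""
    report = {}
    for req in requests:
        hits = leaked_fields(req)
        if hits:
            report[urlsplit(req["url"]).hostname] = hits
    return report


# Constructed request records: a first-party script load, an analytics beacon
# that carries the page URL both in Referer and in its 'dl' parameter, and a
# harmless third-party pixel loaded from the front page.
RESET_PAGE = "https://www.example.org/account/reset-password?email=jane%40example.org&dob=1980-01-01"
SAMPLE_REQUESTS = [
    {"url": "https://www.example.org/static/app.js", "referer": RESET_PAGE},
    {"url": "https://stats.analytics.example/collect?v=1&dl=https%3A%2F%2Fwww.example.org"
            "%2Faccount%2Freset-password%3Femail%3Djane%2540example.org%26dob%3D1980-01-01",
     "referer": RESET_PAGE},
    {"url": "https://cdn.thirdparty.example/pixel.gif", "referer": "https://www.example.org/"},
]

if __name__ == "__main__":
    for host, hits in audit(SAMPLE_REQUESTS).items():
        print(host, "received:", ", ".join(hits))
```

The fix on the site side is not to put user data in the URL at all (POST bodies and a `Referrer-Policy` such as `strict-origin-when-cross-origin` keep it out of both channels); the audit above is how you find out that you did.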

Hacking RFID Tags Is Easier Than You Think

The RFID output that the Arduino gets is a 10-digit hexadecimal value. With that in hand, Brown said it’s simple to replicate the remotely stolen information using a Proxmark device.

The unfortunate reality, according to Brown, is that with most of the building security badges that are running at 125KHz, there is no secure authentication mechanism.

via Hacking RFID Tags Is Easier Than You Think: Black Hat.
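Why a 10-digit hexadecimal string is all a cloner needs, as an added example (not code from the Black Hat talk or from the Proxmark project): the passage describes 125 kHz badges that emit a 40-bit ID and nothing else. The code below assumes those badges follow the EM4100 layout (a 9-bit header of ones, ten nibbles each with an even parity bit, four column parity bits and a zero stop bit), which is the common format for such badges but is not named in the article, and the badge ID used is made up. Encoding the captured hex back into a frame is exactly the “replication” step; decoding shows that the only integrity check on the air is parity, with no secret and no challenge.

```python
"""Encode and decode the 64-bit frame a 125 kHz EM4100-style badge transmits.
Added example, not from the Black Hat talk.  Assumptions: the badges behave
like EM4100 tags (10 hex digits = 40-bit ID); the ID below is made up.
"""

HEADER = "1" * 9            # nine leading 1s; no other run of nine 1s can occur


def em4100_encode(hex_id):
    """Return the 64-bit frame (a '0'/'1' string) for a 10-hex-digit ID.
    This is all a cloning device has to transmit: there is no key and no
    challenge, so a captured ID is a working credential."""
    if len(hex_id) != 10 or any(c not in "0123456789abcdefABCDEF" for c in hex_id):
        raise ValueError("EM4100 ID must be exactly 10 hex digits")
    rows = [format(int(c, 16), "04b") for c in hex_id]               # 10 nibbles
    body = "".join(r + str(r.count("1") % 2) for r in rows)           # even row parity
    cols = "".join(str(sum(int(r[i]) for r in rows) % 2) for i in range(4))
    return HEADER + body + cols + "0"                                 # column parity, stop bit


def em4100_decode(frame):
    """Recover the 10-hex-digit ID from a 64-bit frame, checking parity.
    A reader starts sampling mid-transmission, so the frame may be rotated;
    the header is located and the frame realigned before decoding."""
    if len(frame) != 64 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 64 bits of '0'/'1'")
    doubled = frame + frame
    start = doubled.find(HEADER)
    if start < 0:
        raise ValueError("no header found")
    frame = doubled[start:start + 64]

    rows = [frame[9 + 5 * i: 9 + 5 * i + 4] for i in range(10)]
    row_parity = [frame[9 + 5 * i + 4] for i in range(10)]
    col_parity = frame[59:63]
    if frame[63] != "0":
        raise ValueError("bad stop bit")
    for r, p in zip(rows, row_parity):
        if r.count("1") % 2 != int(p):
            raise ValueError("row parity error")
    for i in range(4):
        if sum(int(r[i]) for r in rows) % 2 != int(col_parity[i]):
            raise ValueError("column parity error")
    return "".join(format(int(r, 2), "X") for r in rows)


if __name__ == "__main__":
    captured = "0F0368568B"                      # made-up ID read by the Arduino
    frame = em4100_encode(captured)              # what the Proxmark would emit
    print("frame:", frame)
    print("decoded:", em4100_decode(frame[17:] + frame[:17]))   # rotated on the air
```

Parity catches a mis-read bit, which is the only failure EM4100 was designed to handle; it does nothing against a replayed ID, which is the point Brown is making about these badges.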

How Much is Your Gmail Worth?

The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper’s account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that’s computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.

via How Much is Your Gmail Worth? — Krebs on Security.