Stop Trying to Fix the User

We must stop trying to fix the user to achieve security. We’ll never get there, and research toward those goals just obscures the real problems. Usable security does not mean “getting people to do what we want.” It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users’ security goals without — as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it — “stress of mind, or knowledge of a long series of rules.”

Source: Security Design: Stop Trying to Fix the User – Schneier on Security

Social Security Administration Now Requires Two-Factor Authentication

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

Source: Social Security Administration Now Requires Two-Factor Authentication — Krebs on Security

Lenovo patches serious vulnerabilities in PC system update tool

One of the vulnerabilities is located in the tool’s help system and allows users with limited Windows accounts to start an instance of Internet Explorer with administrator privileges by clicking on URLs in help pages. That’s because Lenovo System Update itself runs under a temporary administrator account that the application creates when installed, so any process it spawns will run under the same account.

Source: Lenovo patches serious vulnerabilities in PC system update tool

Chrome extension thwarts user profiling based on typing behavior

But there is another type of biometrics that can be used to authenticate users – behavioral biometrics (“something you do”: speaking, typing, etc.).

The latter – information about how a user types on a keyboard – is particularly problematic if he or she wants to maintain their privacy online, as there are likely many websites that record these patterns and use (or might use them in the future) to identify users with a very high degree of certainty.

Source: Chrome extension thwarts user profiling based on typing behavior

So, he challenged infosec consultant Paul Moore to come up with a working solution to thwart this type of behavioral profiling.

The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM.

Help, I’m Trapped in Facebook’s Absurd Pseudonym Purgatory

Someone reported my account as pseudonymous, and Facebook kicked me out. To get back in, I must provide various forms of identification proving the authenticity of my username. I’m not going to.

I am one of many casualties of Facebook’s recently rejiggered “authentic name” policy, wherein anonymous users can report a name as fake and trigger a verification process.

Source: Help, I’m Trapped in Facebook’s Absurd Pseudonym Purgatory | WIRED

You get what you pay for.

Statistics Will Crack Your Password

This means that the top 13 unique mask structures make up 50% of the passwords from the sample. Over 20 million passwords in the sample have a structure within the top 13 masks.

via Statistics Will Crack Your Password.

Based on analyzing the data, there are logical factors that help explain how this is possible. When users are asked to provide a password that contains an uppercase letter, over 90% of the time it is put as the first character. When asked to use a digit, most users will put two digits at the end of their password (graduation year perhaps).
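The mask analysis behind those numbers is easy to reproduce for a password audit of your own. The following is an added example (not the article’s tooling) that converts each password to a hashcat-style mask (`?u` upper, `?l` lower, `?d` digit, `?s` other), ranks the masks, reports how many of the top masks cover half the sample, and checks the “uppercase first, digits last” placement habits; the password list is constructed for the example, not leaked data.

```javascript
// Hashcat-style mask classes: ?u upper, ?l lower, ?d digit, ?s anything else.
function maskOf(password) {
  let mask = '';
  for (const ch of password) {
    if (/[A-Z]/.test(ch)) mask += '?u';
    else if (/[a-z]/.test(ch)) mask += '?l';
    else if (/[0-9]/.test(ch)) mask += '?d';
    else mask += '?s';
  }
  return mask;
}

// Count every mask in the sample and rank by frequency (ties broken
// alphabetically so the ranking is stable).
function maskStats(passwords) {
  const counts = new Map();
  for (const pw of passwords) {
    const m = maskOf(pw);
    counts.set(m, (counts.get(m) || 0) + 1);
  }
  const ranked = [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([mask, count]) => ({ mask, count, share: count / passwords.length }));
  return { total: passwords.length, ranked };
}

// How many of the top masks are needed to cover a given share of the sample
// (the article's "top 13 masks cover 50%" figure).
function masksCoveringShare(ranked, share) {
  const total = ranked.reduce((s, r) => s + r.count, 0);
  let covered = 0;
  for (let i = 0; i < ranked.length; i++) {
    covered += ranked[i].count;
    if (covered >= share * total) return i + 1;
  }
  return ranked.length;
}

// Where users put the character classes a policy asks for.
function placementStats(passwords) {
  const stats = { withUpper: 0, upperFirst: 0, withDigit: 0, digitLast: 0, twoDigitsLast: 0 };
  for (const pw of passwords) {
    if (/[A-Z]/.test(pw)) {
      stats.withUpper++;
      if (/^[A-Z]/.test(pw)) stats.upperFirst++;
    }
    if (/[0-9]/.test(pw)) {
      stats.withDigit++;
      if (/[0-9]$/.test(pw)) stats.digitLast++;
      if (/[0-9]{2}$/.test(pw)) stats.twoDigitsLast++;
    }
  }
  return stats;
}

// Defensive use: a password-policy check that flags a candidate whose
// structure is among the top-N masks of the sample, so users can be asked
// for something less predictable than "Capital, lowercase, two digits".
function hasCommonStructure(password, ranked, topN) {
  const common = new Set(ranked.slice(0, topN).map((r) => r.mask));
  return common.has(maskOf(password));
}

// Constructed sample for the example; not a real breach corpus.
const SAMPLE_PASSWORDS = [
  'Password1', 'Summer2012', 'Welcome1', 'Monkey12',
  'abc123', 'letmein', 'qwerty', 'dragon',
  'P@ssw0rd', 'Trustno1', 'iloveyou', 'football',
];

const stats = maskStats(SAMPLE_PASSWORDS);
console.log('top masks:', stats.ranked.slice(0, 3));
console.log('masks covering 50%:', masksCoveringShare(stats.ranked, 0.5));
console.log('placement:', placementStats(SAMPLE_PASSWORDS));
```

Run against a real sample, the same three functions give the figures the article reports; the `hasCommonStructure` check is the part a defender can wire into password-change handling.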

Critical vulnerabilities in web-based password managers found

The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword, and they did it to evaluate their security in practice, and to provide pointers to “guide the design of current and future password managers.”

“Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop,” they pointed out, and are advocating a defense-in-depth approach.

via Critical vulnerabilities in web-based password managers found.

How Welcoming Will the Smart Home of the Future Be?

This approach of binding our smart devices to our personal accounts may be an easy engineering decision today, but it will make less sense as more devices show up in households with multiple family members. Families shouldn’t be forced to decide if the dishwasher is bound to Mom’s Gmail account or Dad’s. Instead, the household should have its own identity, with different family members having different levels of access depending on their needs.

via How Welcoming Will the Smart Home of the Future Be? | MIT Technology Review.

Not sure why a dishwasher or any household appliance would need user authentication or even user management. Does it matter if the person doing dishes is authorized as long as the dishes get washed?

44 Percent of Twitter Accounts Have Never Tweeted

According to the site, approximately 44 percent of Twitter’s 947 million accounts or so have never sent a single tweet. Of the number that have — approximately 550 million — just under half of these accounts are reported to have sent their last tweet more than one year ago (43 percent). Only 126 million have sent any kind of tweet at any point in the past 30 days.

via 44 Percent of Twitter Accounts Have Never Tweeted | News & Opinion | PCMag.com.

What Twitter has said, however, is that the service had a count of 241 million average monthly active users as of December 31 last year – a 30 percent increase over the same time period one year prior.

HealthCare.gov deferred final security check, could leak personal data

HealthCare.gov sends data to analytics providers such as Google’s DoubleClick and Pingdom. As Simo reviewed the Web requests being made as part of his movement through the HealthCare.gov site, he found requests sent to these two providers that included his visit to the password reset page—and all of the user data that was generated by the page. That runs counter to the privacy policy on HealthCare.gov, which states that no personally identifiable information will be collected by site analytics tools. This is the same sort of behavior that the Federal Trade Commission has fined social networks such as Facebook and MySpace for in the past.

via HealthCare.gov deferred final security check, could leak personal data | Ars Technica.
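The leak Simo found is a common pattern: an analytics beacon reports the current page URL, and if the page put form data in its query string, the third party gets that too. As an added example (not code from HealthCare.gov or from either analytics vendor), the first function below scans a list of outbound request URLs and flags third-party requests that carry personal data, including data tucked inside a forwarded page URL; the second builds the page-location value the way it should have been built, keeping only an allow-list of harmless parameters. Host names, parameter names and the sample requests are all constructed for the example.

```javascript
// Hosts the site itself controls; anything else is a third party. Constructed.
const FIRST_PARTY_HOSTS = new Set(['site.example']);

// Query-parameter names that commonly carry personal data (illustrative list;
// extend it for your own forms).
const PII_PARAM_NAMES = new Set([
  'email', 'phone', 'ssn', 'dob', 'zip', 'firstname', 'lastname', 'address', 'username',
]);
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

function looksLikePii(name, value) {
  return PII_PARAM_NAMES.has(name.toLowerCase()) || EMAIL_RE.test(value);
}

// Detection: return one finding per personal-data parameter sent to a
// third-party host. A parameter whose value is itself a URL (the forwarded
// page location) is parsed again so nested query strings are checked too.
function findPiiLeaks(requestUrls, firstPartyHosts = FIRST_PARTY_HOSTS) {
  const findings = [];
  for (const raw of requestUrls) {
    const url = new URL(raw);
    if (firstPartyHosts.has(url.hostname)) continue;
    for (const [name, value] of url.searchParams) {
      if (looksLikePii(name, value)) findings.push({ host: url.hostname, param: name, nested: null });
      let nested;
      try { nested = new URL(value); } catch { continue; }
      for (const [innerName, innerValue] of nested.searchParams) {
        if (looksLikePii(innerName, innerValue)) {
          findings.push({ host: url.hostname, param: name, nested: innerName });
        }
      }
    }
  }
  return findings;
}

// Mitigation: the page location handed to analytics keeps only allow-listed
// parameters and drops the fragment, so whatever a form put in the URL never
// leaves the first party.
function scrubUrlForAnalytics(pageUrl, allowedParams = ['lang', 'page']) {
  const url = new URL(pageUrl);
  const clean = new URL(url.origin + url.pathname);
  for (const name of allowedParams) {
    if (url.searchParams.has(name)) clean.searchParams.set(name, url.searchParams.get(name));
  }
  return clean.toString();
}

// Constructed traffic: a password-reset page that (wrongly) carries the
// user's data in its query string, a beacon that forwards that page URL
// unchanged, and a beacon that forwards the scrubbed version.
const PAGE_URL = 'https://site.example/password-reset?email=jane%40example.com&zip=12345&lang=en';
const SAMPLE_REQUESTS = [
  PAGE_URL,
  'https://analytics.third-party.invalid/collect?v=1&dl=' + encodeURIComponent(PAGE_URL),
  'https://uptime.third-party.invalid/ping?page=' + encodeURIComponent(scrubUrlForAnalytics(PAGE_URL)),
];

console.log('leaks:', findPiiLeaks(SAMPLE_REQUESTS));
console.log('scrubbed:', scrubUrlForAnalytics(PAGE_URL));
```

The detection side is what you would run over a proxy capture during the “final security check” the article says was deferred; the scrub function is the fix on the page side, and keeping form data out of the URL entirely (POST bodies, not query strings) removes the problem at its source.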