We must stop trying to fix the user to achieve security. We’ll never get there, and research toward those goals just obscures the real problems. Usable security does not mean “getting people to do what we want.” It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users’ security goals without — as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it — “stress of mind, or knowledge of a long series of rules.”
Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.
After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.
One of the vulnerabilities is located in the tool’s help system and allows users with limited Windows accounts to start an instance of Internet Explorer with administrator privileges by clicking on URLs in help pages. That’s because Lenovo System Update itself runs under a temporary administrator account that the application creates when installed, so any process it spawns will run under the same account.
But there is another type of biometrics that can be used to authenticate users – behavioral biometrics (“something you do”: speaking, typing, etc.).
The latter – information about how a user types on a keyboard – is particularly problematic if he or she wants to maintain their privacy online, as there are likely many websites that record these patterns and use (or might use them in the future) to identify users with a very high degree of certainty.
So, he challenged infosec consultant Paul Moore to come up with a working solution to thwart this type of behavioral profiling.
The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM.
omeone reported my account as pseudonymous, and Facebook kicked me out. To get back in, I must provide various forms of identification proving the authenticity of my username. I’m not going to.
I am one of many casualties of Facebook’s recently rejiggered “authentic name” policy, wherein anonymous users can report a name as fake and trigger a verification process.
You get what you pay for.
This means that the top 13 unique mask structures make up 50% of the passwords from the sample. Over 20 million passwords in the sample have a structure within the top 13 masks.
Based on analyzing the data, there are logical factors that help explain how this is possible. When users are asked to provide a password that contains an uppercase letter, over 90% of the time it is put as the first character. When asked to use a digit, most users will put two digits at the end of their password (graduation year perhaps)
The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword, and they did it to evaluate their security in practice, and to provide pointers to “guide the design of current and future password managers.”
“Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop,” they pointed out, and are advocating a defense-in-depth approach.
This approach of binding our smart devices to our personal accounts may be an easy engineering decision today, but it will make less sense as more devices show up in households with multiple family members. Families shouldn’t be forced to decide if the dishwasher is bound to Mom’s Gmail account or Dad’s. Instead, the household should have its own identity, with different family members having different levels of access depending on their needs.
Not sure why a dishwasher or any household appliance would need user authentication or even user management. Does it matter if the person doing dishes is authorized as long as the dishes get washed?
According to the site, approximately 44 percent of Twitter’s 947 million accounts or so have never sent a single tweet. Of the number that have — approximately 550 million — just under half of these accounts are reported to have sent their last tweet more than one year ago (43 percent). Only 126 million have sent any kind of tweet at any point in the past 30 days.
What Twitter has said, however, is that the service had a count of 241 million average monthly active users as of December 31 last year – a 30 percent increase over the same time period one year prior.