Passwords have existed as a means of security for millennia. And for most of their history, they’ve worked as advertised. But now that society has transitioned to digital, a massive market for stolen data has sent security experts scrambling to put out fires, all the while pleading with their clients to make their passwords more secure.
There may be a way to keep passwords and the convenience they provide without requiring people to do significantly more work. It’s called multi-factor authentication and it makes passwords work better by authenticating something else in addition to the password. It could be device authentication, knowledge authentication or even biometric authentication.
Source: Is it time to finally get rid of the password? – Quartz
Own-Mailbox is a home-plugged personal email server, with strong privacy protection measures integrated at its core. It provides self-hosted email addresses, or connects with your existing email address. In both cases you can seamlessly send and receive encrypted emails from anywhere in the world, through Own-Mailbox webmail, Smartphone app, or through an external email software (Thunderbird, Outlook, …).
Own-mailbox, is very easy to set-up and use: as easy as a gmail account.
Own-mailbox automatically encrypts your emails with Gnu Privacy Guard, a strong encryption software, the same software as used by Edward Snowden.
Own-mailbox allows you to send and receive 100% confidential messages even with people who don’t use email encryption yet. For this purpose we introduce PLM, a new technique consisting in sending to your correspondent, a filtered and temporary HTTPS link, pointing to your private message hosted on your Own-Mailbox.
Source: Own-Mailbox, the first 100% confidential Mailbox.
ProxyHam: It’s designed to use a radio connection to add a physical layer of obfuscation to an internet user’s location. It connects to Wi-Fi and relays a user’s Internet connection over a 900 megaherz radio connection to their faraway computer, with a range of between one and 2.5 miles depending on interference from the landscape and buildings. That means even if investigators fully trace the user’s internet connection, they’ll find only the ProxyHam box the person planted in a remote library, cafe, or other public place—and not their actual location.
Source: This Online Anonymity Box Puts You a Mile Away From Your IP Address | WIRED
Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.
Source: Adobe Security Bulletin
Those moments between Wi-Fi connect and VPN launch can give away a lot.
By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don’t encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn’t widely appreciated.
But there is a hole in this protection, and it happens at connect time. The VPN cannot connect until you connect to the Internet, but the VPN connection is not instantaneous. In many, perhaps most public Wi-Fi sites, your Wi-Fi hardware may connect automatically to the network, but you must open a browser to a “captive portal,” which comes from the local router, and attempt to gain access to the Internet beyond. You may have to manually accept a TOS (Terms of Service) agreement first.
In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If they check automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like instant messaging client, may try to log on.
Configuring firewall software on your PC to block non-VPN traffic isn’t all that easy. It varies across operating systems and products, and it may not even be possible in Windows 8.1. On Windows, here’s a summary of what you’d need to do:
- Connect to the VPN of your choice using the normal procedure for that product.
- In the Network and Sharing Center in Control Panel, make sure the VPN connection is set as a Public network, and the home or public Wi-Fi network is set as Home or Office (Home is better). (In Windows 8 and later this can be problematic unless the network connection is brand new, because Windows 8.x provides no user interface with which to change the location type—so the whole exercise may be impossible—unless you first delete and recreate all your network connections.)
- Finally, in the Windows Firewall in Control Panel go to the Advanced Settings. Create a rule to block all programs from connecting on Public networks. Then create a rule to allow both the VPN program and the browser you want to use for the captive portal to be allowed to connect on Public networks. You will need to set these rules both for inbound and outbound connections.
Source: Even with a VPN, open Wi-Fi exposes users | Ars Technica
“Encrypting your Windows hard drives is trivially easy; choosing which program to use is annoyingly difficult… Based on what I know about BitLocker, I think it’s perfectly fine for average Windows users to rely on, which is especially convenient considering it comes with many PCs. If it ever turns out that Microsoft is willing to include a backdoor in a major feature of Windows, then we have much bigger problems than the choice of disk encryption software anyway. ”
Source: Encrypting Windows Hard Drives – Schneier on Security
Clearing your browsing history is a crime in United States according to the Sarbanes-Oxley Act of 2002
In a recent article published in The Nation, it revealed the improper use of a law meant for completely different purposes by by federal prosecutors. The Sarbanes-Oxley Act of 2002 was meant to provide authorities with tools to prevent criminal behavior by corporations. It was put into practice after the Enron meltdown when it was found out that executives or their servants following orders torn into shreds every document they could think of which may prove them guilty. The legislation’s goal was to stop companies from committing large fraud and then damaging the evidence of their conspiratorial criminality while investigations were under way.
As Hanni Fakhoury of the Electronic Frontiers Foundation put it, the government is saying:
“Don’t even think about deleting anything that may be harmful to you, because we may come after you at some point in the future for some unforeseen reason and we want to be able to have access to that data. And if we don’t have access to that data, we’re going to slap an obstruction charge that has as 20-year maximum on you.”
Source: Deleting your browser history could land you up in prison for 20 years in United States – DigitalMunition
OpenSesame is a device that can wirelessly open virtually any fixed-code garage door in seconds.
If you are using a gate or garage which uses “fixed codes”, to prevent this type of attack, ensure you upgrade to a system which clearly states that it’s using rolling codes, hopping codes, Security+ or Intellicode. These are not foolproof from attack, but do prevent the OpenSesame attack along with traditional brute forcing attacks. Suggested vendors: current products from LiftMaster and Genie.
Source: OpenSesame – hacking garages in seconds
Chinese hackers are suspected of carrying out a “massive breach” affecting the personal data of millions of US government workers, officials said.
The Office of Personnel Management (OPM) confirmed on Thursday that almost four million current and past employees have been affected.
The breach could potentially affect every federal agency, officials said.
Using a new cyber security system known as Einstein, the OPM detected a “cyber-intrusion” in April 2015. The FBI said it was investigating the breach.
Ken Ammon, chief strategy officer of Xceedium – a cyber security firm – warned that the hacked data could be used to impersonate or blackmail federal employees with access to sensitive information.
Source: Millions of US government workers hit by data breach – BBC News
As you may have heard, criminals used the Internal Revenue Service’s own website to steal taxpayer information for about 100,000 U.S. households, the agency said Tuesday, showing how vulnerable it remains as fraud proliferates.
The IRS will send you a letter if your records were at risk.
The criminals attempted to crack 200,000 accounts and made it into about half of them. The IRS will send you a letter if your account was among those 200,000, regardless of whether or not it was hacked. The agency will not call, email or send letters that ask for your personal information in response, but scammers might. Cyber thieves often take advantage of incidents like this by calling people and posing as taxmen , or emailing taxpayers malicious links.
Nasty links could infect your computer with malware in an attempt to steal your personal information, or lock up the machine until you pay a ransom — a tactic hackers began using this year while sending fake refund receipts to taxpayers, according to KnowBe4, a Clearwater, Fla.-based security company.
Source: IRS data theft: 5 things you need to know – MarketWatch