
Bank Fraud: Whose Fault?

Posted by David Harley on May 31, 2016


Owing to a houseful of grandchildren, I’ve not been giving quite the same attention to security news just lately as I do normally, so I nearly missed an article by John Leyden for The Register: Bank in the UK? Plans afoot to make YOU liable for bank fraud. While I don’t feel a lot of love […]

Obama is wrong about passwords

Posted by Kevin on March 17, 2016

Obama is wrong about passwords. He’s not alone, but given the quantity and quality of his advisers, it is very disappointing. This is what he said: In partnership with industry, we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like […]

Passwords, PINs, Needles and Haystacks

Posted by David Harley on July 13, 2015


An interesting conference on passwords, but why so sloppy about deadline date formatting?

NSTIC – it will prove our identity but will it protect our privacy?

Posted by Kevin on May 4, 2015

NSTIC, the National Strategy for Trusted Identities in Cyberspace, is an Obama initiative designed to make internet usage more secure for everyday users. It will do this by allowing third parties to vouch for our identity. In theory, this will allow us to stop using multiple passwords – instead, the third party will confirm our […]

Researchers play Whack-a-Mole with Google Password Alert

Posted by Kevin on May 3, 2015

Phishing is a huge problem with no indication of any solution (see, for example, Phishing: detection and prevention). Last week Google attempted to alleviate the issue with the release of a Chrome extension: Password Alert. If you end up on a phishing page that asks you to enter your Google password, the extension pops up […]

ITsecurity Daily News: 10/10/2014

Posted by Kevin on October 10, 2014

The ITsecurity daily security briefing: Friday, October 10, 2014. If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com. Sections: News, Papers/Reports, WebThings, Events, M&A, Alerts. News: Selfies to replace passwords? The White House Cybersecurity Coordinator Michael […]

ITsecurity Daily Briefing: 08/15/2014

Posted by Kevin on August 15, 2014

The ITsecurity daily security briefing: Friday, August 15, 2014. Sections: News, Papers/Reports, WebThings, Events, M&A, Alerts. News: Gameover botnet being rebuilt as NewGOZ. Now domain generation rather than P2P. “…how long will the threat actor focus on rebuilding their botnet before they return to focusing on stealing money?” (Arbor Networks). AB Acquisition LLC Confirms Incident […]

HTB finds SQLi flaws – CyberVor uses them

Posted by Kevin on August 7, 2014

News that Russian cybercriminals had amassed a database of 1.2 billion unique access credentials broke on August 5 when Hold Security published a report titled You Have Been Hacked. The report explained the method used by the gang, dubbed by Hold as CyberVor (‘vor’ means ‘thief’ in Russian), to employ botnets to find SQL vulnerabilities: […]

What’s wrong with writing passwords down?

Posted by Kevin on July 21, 2014

A new research paper from Microsoft Research (Redmond) and Carleton University (Canada) takes a scientific look at the problem of maintaining multiple strong passwords. The issue is simple and well-known. Users now have so many online accounts that it is impossible to remember strong individual passwords for all of them. The result is that many […]

More on the Avast breach and the hash used

Posted by Kevin on May 29, 2014

My understanding is that the hash formula used by Avast to store its forum users’ passwords was $hash = sha1(strtolower($username) . $password); This is the formula built into the SMF open source forum software used by Avast. It is both good and bad. It confirms that the hash was salted (with the user’s username); but […]
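To make the "good and bad" of that SMF formula concrete, here is an added example (not code from the post, from Avast or from SMF) that re-implements sha1(strtolower($username) . $password) in Python and runs a constructed wordlist against a sample hash. The username salt means two users with the same password get different hashes, so one precomputed table no longer covers the whole forum; but the salt is public and predictable, and each guess still costs a single fast SHA-1, so a per-user dictionary attack runs essentially at unsalted speed. The wordlist and the accounts are constructed for the example; it assumes ASCII usernames, since PHP's strtolower and Python's str.lower() can differ on non-ASCII input.

```python
import hashlib
from typing import Iterable, Optional


def smf_hash(username: str, password: str) -> str:
    """Python rendering of SMF's sha1(strtolower($username) . $password).

    The lowercased username acts as the salt. Assumes an ASCII username so
    that str.lower() matches PHP's strtolower().
    """
    salted = username.lower() + password
    return hashlib.sha1(salted.encode("utf-8")).hexdigest()


def crack(username: str, target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Per-user dictionary attack: one SHA-1 per candidate, because the salt
    (the username) is known to anyone holding the leaked table."""
    for candidate in wordlist:
        if smf_hash(username, candidate) == target_hash:
            return candidate
    return None


# Constructed sample wordlist and leaked rows (username, stored hash).
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]
LEAKED_ROWS = [
    ("Alice", smf_hash("alice", "letmein")),
    ("bob", smf_hash("bob", "letmein")),     # same password, different hash
    ("carol", smf_hash("carol", "hunter2!")),  # not in the wordlist
]


def crack_all(rows, wordlist) -> dict:
    """Returns {username: recovered_password_or_None} for each leaked row."""
    return {user: crack(user, h, wordlist) for user, h in rows}


if __name__ == "__main__":
    # Username case does not matter: "Alice" and "alice" salt identically.
    assert smf_hash("Alice", "letmein") == smf_hash("alice", "letmein")
    # Same password, different users: hashes differ (the "good" part).
    assert LEAKED_ROWS[0][1] != LEAKED_ROWS[1][1]
    for user, found in crack_all(LEAKED_ROWS, WORDLIST).items():
        print(f"{user}: {found!r}")
```

Run as a script it recovers "letmein" for both alice and bob and nothing for carol; the point is the work factor, not the outcome: each row costs one SHA-1 per guess, which is why a salted-but-fast hash still needs a slow, per-user random-salt construction such as bcrypt to materially raise the attacker's cost.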