One of the biggest vulnerabilities in computer security is the password. Let’s face it. Something’s got to give! What exactly will it take to authenticate somebody with their own personal information or data without being discovered or hacked?
There are many companies attempting to implement new changes in the way that users authenticate themselves. The best example is Google’s 2-step authentication. This system allows a user to log into their Google account like normal when they access it on their common browser/app…however, whenever they log in elsewhere, it requires an access code specialized for that given with a name.
Google has come up with other ideas such as having a smartcard embedded finger ring or using a smartphone to authorize a new device/computer to add to your account.
More companies are attempting hardware-based authentication. Most companies attempting such measures only have prototypes, and are awaiting the ability to beta the use. Most of these types of measures are called security or hardware tokens.
A pin or password is usually needed for devices…right? However, depending on the type of device will show what other forms of authentication are needed in addition to that. For example, a one-time password may be in order, similar to the Google access code as a second step in authentication, which would be too hard to hack. Others would take a challenge code, which would prove that your a human in public, instead of a hacker/robot on a different network trying to hack.
Many networking authentication proposals for authentication would only allow a certain unique IP address to access the login section or be able to enter a password. Some require a smart card or fingerprint. All of these are good ways to help authentication become more physical and legitimate.
Proving possession is everything in the computer security world now, but this type of authentication has been proposed for around ten years, at least. It’s time tpo get serious about authentication, and develop better solutions. This is the call to action.
Much of the attention in 2013 in computer security will be mainly focused on industrial control systems (ICS), Android, and the all new Windows 8 OS. With the dealings of malware like Stuxnet and other government threats, to the normal hackers and attackers on consumer devices – it will be a challenge in both business and consumer markets.
Supervisory software runs on dedicated workstations and programmable hardware devices, and this is called a control system. They’re used to monitor and control many different operations, such as power grids, trains, airplanes, water distribution systems, military installations, and many more. Many times, control systems are used in critical infrastructures, especially systems for big populations that depend on electricity, clean water, transportation, etc.
Many worries that we’d be watching in 2013 that other security authorities are watching as well include the rise of more government malware. Especially, when it comes to control systems, which are believed to be widely targeted and surveyed.
For other problems to be faced include intense rises of mobile malware, particularly in the Android marketplace. The problem is that Android malware is becoming more widespread. It looks like hackers are retrying some old methods of Windows operating system exploitation on Android devices. This can prove to become a big problem to watch out for.
The big issue with Android attacks also seems to point at privilege escalation attacks, which like to work through malicious apps installed by the user to gain root access and take control of the device. With hundreds of millions of Android devices already infected since its birth, the size of botnets have gotten to be big, and there may still be a lot of devices infected.
Also, keep in mind that when you use a smartphone, you’re leaking a lot of information. This is mainly through App usage, which most of them collect a bit of data from your phone. It isn’t exactly personally-identifiable information, however, it’s enough to make some people nervous.
Android is very open, and you can download apps from almost anywhere for Android. This is much like Windows OS has been. But, that’s a whole different long story.
Windows 8 will be a challenge for security, because researchers, hackers, security experts, etc. want to get in on testing just how secure it is.
As of recent problems lighting up with PKNIC vulnerability (PKNIC is the Pakistani (.PK) domain name registry), allowed hackers from Turkey to hack into the Pakistani versions of Google, Yahoo, and MSN, plus nearly 300 other webpages. The Turkish hackers also defaced the Pakistani Google homepage. Now, if that isn’t bad enough, an Algerian hacker decides to deface Google and Yahoo in the Romanian versions.
For the Pakistani .PK domain registry, a vulnerability in SQL could allow for injection to exploit it. Therefore, that’s exactly what happened when Turkish hackers hacked into somewhere near 300 .PK domains and defaced at least Google’s .PK site, and maybe a few others. Apparently, during this even, some users were redirected to a webpage showing two penguins and the slogan “Pakistan Downed”.
For the defacement of the Romanian versions of Google and Yahoo (.RO), an Algerian hacker changed the DNS records of those search pages for the sites to a recently hacked server in the Netherlands. It is likely changed DNS records, or some have stated a DNS poisoning attack is also possible.
It is contested on whether the same hacker(s) did both jobs, or if this was two different parties that coincidentally did the same type of work at the same time.
Due to the (once again) uprising of conflict in the Middle East, newer digital attacks are likely, also. It is no surprise to see these issues light up again.
If the attackers had other malicious intents, these hacks could have been worse!
Google’s recent release of its transparency report, which they announced Tuesday, details much more government take-down requests (content removal) for violation of copyright, defamation, privacy, or security purposes.
Google’s transparency report details a lot of information on how Google collects data, what it does with the data, what governments are asking to take-down, as well as other requests by companies and the like for content removal.
A couple of examples of take-down requests include the following:
- Removal of 360 some search results in India, which may have violated privacy for some people.
- Removal of 160 some YouTube videos (asked by the Russian Ministry of the Interior) that supposedly contain extremist content.
- Removal of content because of a politician’s wife in Germany being violated or defamed.
Much more information is available in the Transparency Report, but does only include limited information:
“The information we disclose is only an isolated sliver showing how governments interact with the Internet, since for the most part we don’t know what requests are made of other technology or telecommunications companies,” Google senior policy analyst Dorothy Chou said in a blog post. “But we’re heartened that in the past year, more companies like Dropbox, LinkedIn, Sonic.net and Twitter have begun to share their statistics too.”
It is now known that emails that apparently come from “firstname.lastname@example.org” are fraudulent, especially if they involve subjects such as Microsoft Windows Update. Lately, there has been a rise in the email spam targeting vulnerable users of very popular companies, we reported about Chase bank.
The attack from the “email@example.com” is an attempt to try to steal Yahoo!, Gmail, AOL, or Outlook.com (Windows Live formerly) passwords.
The body text:
Dear Windows User,
It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.
This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to confirm your records.
Microsoft Windows Team.
To see an actual image, see the one from Naked Security.
More on this, see the post from Naked Security.