Tag Archive | Google

Passwords are Losing Trust; Hello Fingerprints, Hashes, Unique Codes

One of the biggest vulnerabilities in computer security is the password. Let’s face it. Something’s got to give! What exactly will it take to authenticate somebody with their own personal information or data without being discovered or hacked?

There are many companies attempting to implement new changes in the way that users authenticate themselves. The best example is Google’s 2-step authentication. This system allows a user to log into their Google account like normal when they access it on their common browser/app…however, whenever they log in elsewhere, it requires an access code specialized for that given with a name.

Google has come up with other ideas such as having a smartcard embedded finger ring or using a smartphone to authorize a new device/computer to add to your account.

More companies are attempting hardware-based authentication. Most companies attempting such measures only have prototypes, and are awaiting the ability to beta the use. Most of these types of measures are called security or hardware tokens.

A pin or password is usually needed for devices…right? However, depending on the type of device will show what other forms of authentication are needed in addition to that. For example, a one-time password may be in order, similar to the Google access code as a second step in authentication, which would be too hard to hack. Others would take a challenge code, which would prove that your a human in public, instead of a hacker/robot on a different network trying to hack.

Many networking authentication proposals for authentication would only allow a certain unique IP address to access the login section or be able to enter a password. Some require a smart card or fingerprint. All of these are good ways to help authentication become more physical and legitimate.

Proving possession is everything in the computer security world now, but this type of authentication has been proposed for around ten years, at least. It’s time tpo get serious about authentication, and develop better solutions. This is the call to action.

Will 2013 Be a Challenging Year for Computer Security?

Much of the attention in 2013 in computer security will be mainly focused on industrial control systems (ICS), Android, and the all new Windows 8 OS. With the dealings of malware like Stuxnet and other government threats, to the normal hackers and attackers on consumer devices – it will be a challenge in both business and consumer markets.

Supervisory software runs on dedicated workstations and programmable hardware devices, and this is called a control system. They’re used to monitor and control many different operations, such as power grids, trains, airplanes, water distribution systems, military installations, and many more. Many times, control systems are used in critical infrastructures, especially systems for big populations that depend on electricity, clean water, transportation, etc.

Many worries that we’d be watching in 2013 that other security authorities are watching as well include the rise of more government malware. Especially, when it comes to control systems, which are believed to be widely targeted and surveyed.

For other problems to be faced include intense rises of mobile malware, particularly in the Android marketplace. The problem is that Android malware is becoming more widespread. It looks like hackers are retrying some old methods of Windows operating system exploitation on Android devices. This can prove to become a big problem to watch out for.

The big issue with Android attacks also seems to point at privilege escalation attacks, which like to work through malicious apps installed by the user to gain root access and take control of the device. With hundreds of millions of Android devices already infected since its birth, the size of botnets have gotten to be big, and there may still be a lot of devices infected.

Also, keep in mind that when you use a smartphone, you’re leaking a lot of information. This is mainly through App usage, which most of them collect a bit of data from your phone. It isn’t exactly personally-identifiable information, however, it’s enough to make some people nervous.

Android is very open, and you can download apps from almost anywhere for Android. This is much like Windows OS has been. But, that’s a whole different long story.

Windows 8 will be a challenge for security, because researchers, hackers, security experts, etc. want to get in on testing just how secure it is.

Read more about threats in 2013

Many Cybercriminals Hack/Deface International Homepages of Google, Yahoo, MSN

As of recent problems lighting up with PKNIC vulnerability (PKNIC is the Pakistani (.PK) domain name registry), allowed hackers from Turkey to hack into the Pakistani versions of Google, Yahoo, and MSN, plus nearly 300 other webpages. The Turkish hackers also defaced the Pakistani Google homepage. Now, if that isn’t bad enough, an Algerian hacker decides to deface Google and Yahoo in the Romanian versions.

For the Pakistani .PK domain registry, a vulnerability in SQL could allow for injection to exploit it. Therefore, that’s exactly what happened when Turkish hackers hacked into somewhere near 300 .PK domains and defaced at least Google’s .PK site, and maybe a few others. Apparently, during this even, some users were redirected to a webpage showing two penguins and the slogan “Pakistan Downed”.

Defacement pages of Google/Yahoo

Screenshot of Romanian defacement page for Google & Yahoo

For the defacement of the Romanian versions of Google and Yahoo (.RO), an Algerian hacker changed the DNS records of those search pages for the sites to a recently hacked server in the Netherlands. It is likely changed DNS records, or some have stated a DNS poisoning attack is also possible.

It is contested on whether the same hacker(s) did both jobs, or if this was two different parties that coincidentally did the same type of work at the same time.

Due to the (once again) uprising of conflict in the Middle East, newer digital attacks are likely, also. It is no surprise to see these issues light up again.

If the attackers had other malicious intents, these hacks could have been worse!

Is Microsoft Overconfident? Ballmer Calls Android “Wild” and iOS “Highly Controlled”

Steve Ballmer may be the most audacious techie, well at least at Microsoft. He sure has his ways of expressing the opinions he has, which also reflect on the company. But, at least he did it professionally. Anyway, during his interview the other night with Reid Hoffman from LinkedIn, he stated some significant views on the mobile market.

Some of the views of Steve Ballmer included that the Android OS is “wild” and “uncontrolled”; further prone to malware infestations. But, answer this Ballmer…what was Microsoft’s excuse for years in its game of malware infestations? He has no room to talk, as his involvement with Microsoft has existed since 1980, being the 30th employee of the company (according to biographical reports). Microsoft had plenty of time to heal their security problems, but just ignored them for years.

Secondly, he called the iOS, Apple’s forefront mobile product, “highly controlled” and “quite high priced”. Of course, now he’s picked Microsoft as being the middle party operating system maker. As Microsoft’s products are not very well controlled or evenly controlled, and okay pricing. Our perspectives see Ballmer’s point. The question remains, however, was Ballmer just picking on the competition?

It can be sure that Ballmer just wants the middle-ground, as many people seem very comfortable there. Just to hope that mediocre tactics don’t set in, and Microsoft’s mobile line doesn’t go down the tube.

Government Surveillance Increasing, Google Transparency Reports Released

Google’s recent release of its transparency report, which they announced Tuesday, details much more government take-down requests (content removal) for violation of copyright, defamation, privacy, or security purposes.

Google’s transparency report details a lot of information on how Google collects data, what it does with the data, what governments are asking to take-down, as well as other requests by companies and the like for content removal.

A couple of examples of take-down requests include the following:

  • Removal of 360 some search results in India, which may have violated privacy for some people.
  • Removal of 160 some YouTube videos (asked by the Russian Ministry of the Interior) that supposedly contain extremist content.
  • Removal of content because of a politician’s wife in Germany being violated or defamed.

Much more information is available in the Transparency Report, but does only include limited information:

“The information we disclose is only an isolated sliver showing how governments interact with the Internet, since for the most part we don’t know what requests are made of other technology or telecommunications companies,” Google senior policy analyst Dorothy Chou said in a blog post. “But we’re heartened that in the past year, more companies like Dropbox, LinkedIn, Sonic.net and Twitter have begun to share their statistics too.”

 

 

Want to give your PC a boost? Boost software launch speed with Uniblue's Powersuite 2013 and discover what is slowing down your PC. Download Now.

All about TPM Chip in Windows 8 – Microsoft is Many Years Late

What is the TPM Chip?

  • Microsoft released Windows 8, and with it came the Trusted Platform Module (TPM Chip) is a chip that allows a certain operating system to recognize a chip to verify the operating system and its modules. This provides even better security, so that Windows can only be installed on hardware that is verified through the TPM Chip.
  • Now, it is unclear whether or not it will be required for Windows 8, however, it is in testing mode at this point. In future versions of Windows, it will probably be required. Which also makes it difficult for those using Windows on a virtual machine, and will probably require people to acquire a specific compatibility license to run Windows on virtual machine, or dual boot with a Mac-based computer.
  • Confused yet? Apple was one of the first, if not the first, to introduce an OEM chip, which required people to have if they wanted to run Mac operating systems. Which meant, for example, Mac OS X couldn’t be installed onto a normal computer, it had to be on “Mac-branded hardware” as they state in their terms-of-use on Mac OS X.
  • What does this bring to the security of operating systems necessarily? It provides very low level security, and will be just another possibility to block bootkit attackers and other boot-based viruses/rootkits.
  • Some experts say that TPM will probably be included in new PCs, tablets, and other Windows-branded devices. There’s no current way to just “install it”, however, Windows 8 is engineered to be able to recognize the TPM Chip.
  • When did this idea come about? Probably the late-1990s was when this idea came about, because security experts were realizing the issue that software antivirus/firewall was not strong enough to block the threats. It would take more than just software-based protection programs.
  • What other implementations (other than Apple’s chip) are in place?The Google Chromebook is a good example of implementation, because when it boots, the TPM chip object in there checks the modules on the system. If one is bad, it automatically replaces it with its “last known good module” (in its comprised library of last known good modules), keeping itself protected.

 

For the future of TPM technology

  • It’s possible the makers of the TPM technology would be working with security/OS vendors to create antivirus that can be built over top of the TPM chip, which would scan the operating system and kernel before it starts up.
  • What’s different than boot-time scanners offered by companies like Avast, for example? Boot-time scanners offered by software companies still use Windows modules to help scan the whole computer. However, since the modules are part of the operating system, the boot-time scan cannot get to the OS kernel deep enough. Although, it can scan the system before it loads services/drivers, it cannot necessarily get a good look at all of the drivers/services or the MBR/BIOS for that matter.
  • By allowing antivirus to scan computer before operating system starts (at all), it will also keep on top of things so malware cannot hinder or suppress the scan.

 

This is just one of the many security features included in Windows 8. Take a look!

Fake Windows Update emails attempt to steal Yahoo!, Gmail, and Outlook mail passwords

It is now known that emails that apparently come from “privacy@microsoft.com” are fraudulent, especially if they involve subjects such as Microsoft Windows Update. Lately, there has been a rise in the email spam targeting vulnerable users of very popular companies, we reported about Chase bank.

The attack from the “privacy@microsoft.com” is an attempt to try to steal Yahoo!, Gmail, AOL, or Outlook.com (Windows Live formerly) passwords.

The body text:

Dear Windows User,
It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.

This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to confirm your records.

VERIFY

Thank you,

Microsoft Windows Team.

To see an actual image, see the one from Naked Security.

More on this, see the post from Naked Security.

%d bloggers like this: