New password guidelines.

Forget enforced password complexity. Forget forced periodic password changes. These don't work! Do have passwords checked against a list of commonly "hacked" passwords that regularly show up in stolen account data troves.

https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/
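The guideline above as a working acceptance check, added here as an illustration and not part of the shared post or the linked article: length plus a breached-password lookup, with no character-class rules and no expiry. The breach list is a constructed five-entry sample standing in for a real breach corpus, and the legacy complexity rule is included only to show what the guideline drops.

```python
import hashlib
import unicodedata
from typing import Tuple

# Constructed sample of a breach corpus, kept as uppercase SHA-1 hex digests
# (the form breach-derived lists are commonly distributed in). A real
# deployment loads millions of entries from a file, not an inline set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "P@ssw0rd1")
}

MIN_LENGTH = 8


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs hash identically."""
    return unicodedata.normalize("NFKC", password)


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest appears in the breach sample."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def evaluate_password(password: str) -> Tuple[bool, str]:
    """Accept or reject under the new guideline: minimum length and a
    breach-list check only. No composition rules, no rotation."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if is_breached(pw):
        return False, "appears in breached-password list"
    return True, "ok"


def legacy_complexity_ok(password: str) -> bool:
    """The rule the guideline abandons: one upper, one lower, one digit,
    one symbol. Shown only to contrast with evaluate_password."""
    return (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )
```

Note that "P@ssw0rd1" satisfies the legacy rule yet is rejected by the breach check, while a long passphrase fails the legacy rule and is accepted under the guideline.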

People are the weakest link: Spearphishing is the most boring kind of hacking, but also the most dangerous

Spearphishing targets specific individuals and uses social engineering, not fancy hacks. And often it starts with what looks like an email from a friend, family member or even Google.

Reporter Sarah Jeong asked Electronic Frontier Foundation staff technologist Cooper Quintin to hack her, to see how it works. It was surprisingly (or maybe not so surprisingly) easy, just using publicly available information.

I got a taste of what might have tricked Andrea Manafort when an e-mail from my friend, Parker, inviting me to look at a Google Doc, landed in my inbox.

A thumbnail of his photo hovered next to a message. “Hey Sarah do you mind reviewing this blog post I’m writing about Oracle? Thanks!” A reassuringly familiar blue “Open in Docs” button lay beneath. I clicked.

The button took me to what looked like my Google Drive, except a login screen prompted me to type in my password again. The moment I did, a pop-up leapt out:

YOU HAVE JUST BEEN SPEARPHISHED

It did take some effort on Quintin's part, researching Jeong's information, choosing who the message should appear to be from, creating the payload and so forth. But that effort is worth it if you are a high profile target.

And a spearphishing attack is difficult to defend yourself against:

Ironically, the more sophisticated forms of hacking are easier to address: a zero-day exploit (a vulnerability that exists in software from the day it’s deployed) can usually only be abused so many times before a company fixes it; viruses can be reverse-engineered and inoculated against; broken encryption can be replaced. For many problems in security, you can “sell a box”—a solution, a product—to fix it, says Quintin. And since there’s a market for boxes, money gets poured into studying those forms of hacking, instead of studying social engineering.

You can’t sell a box that stops people from trusting their daughters, from missing a typo in an e-mail address, from being a little too tired to check the URL of a link.

Jeong's article is well worth reading. Check it out at +GQ:
http://www.gq.com/story/getting-hacked-is-easier-and-dumber-than-you-think-it-is
