Blog Feed
Comic stories #4
Three phrases that cause panic: “It will not hurt.” “I want to talk to you seriously.” “Incorrect login or password.”

Do you want to hide important information on your computer? Put it in a folder named “Read. Me!” or, even better, “license...
Mobile Trojan Virus Android.Bankosy Intercepts One-Time Passwords
We store a lot of important information online: personal correspondence, photos, documents. For the most part these are of sentimental value, precious memories and the fruits of hours of work. But the Internet also holds something very concrete: our money. Many people use online banking today, because it is convenient to transfer funds, pay for services and keep an eye on accounts online. It is no wonder that fraudsters of all kinds pay special attention to online banking resources and attack them tirelessly, constantly coming up with something new. Not long ago a new version of the mobile trojan Android.Bankosy was discovered.

What is dangerous about the trojan Android.Bankosy

This trojan intercepts the one-time passwords that banking applications use for two-factor authentication (2FA). Temporary OTP passwords for two-step user authentication are often delivered by text message, and earlier versions of banking trojans, Android.Bankosy among them, had already learned to intercept authentication codes sent this way. In response, security specialists developed and introduced systems that deliver one-time passwords by voice call from the bank. It seemed that reliable data protection was ensured. But it turned out that even this more advanced OTP delivery method is not a barrier for the attackers: the creators of Android.Bankosy taught it to overcome this new type of protection. The current version of the trojan is capable of intercepting calls from the bank’s server. Moreover, Android.Bankosy can mute the phone and lock the device’s screen when a call from the bank’s number comes in. The client does not even find out that a code was delivered, and the fraudsters carry out further actions on the account on the client’s behalf.

How to protect data from the banking trojan Android.Bankosy

What can a regular user of online banking set against hackers armed with the most modern tools? As is well known, the best tools are usually the simplest. But sometimes we forget to use them, or are too lazy, perhaps considering them not effective enough. Yet they work, and work quite reliably.

Keep your smartphone free of malware. To take control of the victim’s phone, the trojan first has to get onto it, and it does so in the way standard for all malware: as part of a harmless-looking or even useful application. The official stores control their software carefully, and the applications they offer are rarely infected. So resist the temptation and do not download programs from dubious websites. This is especially true for paid software: remember the free cheese in a mousetrap. If you install a trojan like Android.Bankosy on your device, you can lose a lot more money than the app you liked would have cost.

Use strong authentication. The example of Android.Bankosy proves that even two-factor authentication cannot always protect you from intruders. Indeed, the familiar methods of delivering OTP passwords by text message (and even by voice call) are not completely reliable. The reason is that modern hackers are able to get into the mobile phone network and redirect the call to the desired...
New Vulnerability of LastPass Unveiled
Any active Internet user has many accounts on different websites, and each of them requires a username and password. Since it is impossible to keep everything in your head, a regular user usually writes them on a piece of paper and puts it somewhere not far from the computer (we have already written here why this is not recommended). An advanced user, in turn, stores this information in a password manager. But even the best password manager cannot always prevent accounts from being hacked. Recall, for example, how the world community was stirred up by the news about a vulnerability in the KeePass password manager. Recently another popular password manager, LastPass, has found itself at the center of the scandalous online chronicles. Moreover, it is not LastPass’s first failure: it was hacked last summer, and as early as November 2015 a few bugs were found in it again.

This time the analyst Sean Cassidy created a tool, which he jokingly called ‘LostPass’. Disguised as LastPass, this tool collects passwords in an automated phishing attack.

The essence of the LastPass vulnerability

Ironically, the ‘disservice’ here is the developers’ desire to make the session between the user and the web resource more secure. LastPass requires the user to re-enter the password several times during a session, and this is where the loophole for hackers hides. It turned out that at this moment a phishing page can be slipped in for the re-authorization. This page looks like the real one, with almost no differences in the address. Once the unsuspecting user enters his email and password, all the confidential information stored in LastPass becomes available to the fraudsters. The worst thing is that the hackers get not just one password but all the data the password manager stores! So far LostPass works only in the Chrome browser, but Cassidy is working hard to prove that the same tool can be made for Firefox as well.

Of course, the LastPass developers will change the code and patch the gaps found in their product’s security. But what should users do now, while the protection level of password managers is not yet 100% reliable? And is there any guarantee that other vulnerabilities won’t pop up in the future? The author of the tool himself recommends using the LastPass app instead of the browser extension, which deprives hackers of the possibility to use the phishing page. But this method is quite time-consuming and inconvenient: the user needs to copy all passwords from the LastPass web page and enter them manually.

Can 2FA (two-factor authentication) protect users from the new threat? Alas, Cassidy argues that one-time passwords can also be intercepted with the help of his tool. But apparently the researcher means the traditional version of 2FA, with OTP passwords delivered to the user by text message or email. After all, there is nothing to be afraid of if hardware or software tokens are used: they generate OTP passwords for two-factor authentication offline. Moreover, if the token supports the CWYS (Confirm What You See) data signature function, it becomes even more reliable. The CWYS function allows taking into account certain...
The Worst Passwords of 2015
It is no secret that Internet users tend to choose weak and unreliable passwords. Worse still, people use the same weak password for almost all their accounts. The list of the worst passwords of 2015, recently published by SplashData, proves that all the efforts to convince people of the importance of strong passwords have been in vain. For several years the palm has belonged to the notorious “123456” and “password”. Such well-loved key sequences as “qwerty”, “12345678” and “1234567” did not lose ground and even made some progress, becoming more popular. Moreover, there is a new variation: “qwertyuiop”. The popular password containing both letters and numbers, “pasword1”, was displaced by “passw0rd”, which is not a bit more reliable than the first one. Interestingly, the popularity of a new episode of the cult saga “Star Wars” caused the appearance of a new group of popular passwords: the list of the 25 worst passwords of 2015 includes such words as “princess”, “solo” and “starwars”.

The list of the 25 worst passwords of 2015 was compiled from the analysis of more than two million passwords that became publicly accessible as a result of various leaks and hacker attacks during the year. The full list is presented below. Remember, none of these passwords is secure. Here you can read how to choose a strong password that is easy to remember but difficult for a hacker to guess or pick. But any password, whether weak or strong, should not be the only obstacle between an intruder and your confidential data. Your account should be protected from cracking with two-factor authentication and one-time passwords. Here is an article on the principles of two-factor authentication and one-time password generation.

The worst passwords of...
Comic stories #3
Photoshop is 25 this year. Well, actually it is 38, but it looks 25.

A man comes home, sits down at the computer and starts shouting at his wife:
– Did you do this?
– No, how could I?
– Did you?
– With whom?
– Tell me, did you do this?
– Well, it was just once, with the neighbor…
– I asked if you changed the password to the...
Strong Authentication Methods in 2016
At the beginning of a new year everyone tries to predict what it will bring: which trends will prevail in the economy and politics, which outfits will be the most fashionable, which books will possess minds and souls, how inventors and developers will surprise and delight fans of technological progress. Let’s try to predict how technologies and strong authentication methods will develop in 2016, what new things are waiting for us, and to what extent they are better than those already familiar to everybody (and whether they are better at all).

One main trend immediately catches the eye: many large companies that dictate fashion in the IT market strive to create means of strong user authentication that provide a high level of data protection and at the same time simplify the authentication procedure at login. It is enough to mention such names as PayPal (the largest international money transfer system) and Google; both companies are now actively working to ease the multi-factor authentication process for their users. Developers offer different, often quite exotic, strong authentication methods that, according to their authors, unite reliability and ease of use. Naturally, every developer defends the prospects of his own method. Perhaps the only thing that unites them all is awareness of the need to change something in the traditional multi-factor authentication procedure, which today is most often based on two-factor authentication (2FA) with one-time passwords (OTP). But what alternatives are available?

1. Avoiding a static password as the first factor. This is one of the most promising options at the moment. Used competently, it gives easy-to-use and reliable two-factor authentication at the same time. For example, almost any token is additionally protected with a PIN code that must be entered before starting work with the device. Why not use this PIN code as the first step of two-step authentication, the knowledge factor, while a smartphone with a software token or a hardware OTP token serves as the second factor, the ownership factor? Moreover, both software and hardware tokens may support the CWYS function (data signature), which further enhances the level of protection.

2. One-time passwords into the dustbin of history. Many users don’t want to waste their time entering one-time passwords to log into this or that account, especially if they need to enter the OTP several times during a single session (a precaution practiced when it is especially important to protect the connection). Developers are constantly looking for new ways to avoid this inconvenience. Not long ago they came up with a strong authentication method based on background noise. Google is working on an authentication method that sends signals to the smartphone via GCM (Google Cloud Messaging). Another interesting way of two-step verification with the help of a smartphone has been presented by the Clef company.

3. New types of hardware tokens, immune to viruses. Contemporary USB tokens may be vulnerable to viruses on the computers they are connected to. But not long ago the improved Yubikey USB tokens were presented to the world. Yubikey OTP tokens generate a one-time password only after the user presses a special button on the token....
Comic stories #2
Criminal Chronicle: Yesterday a famous spammer was killed. 300 million addresses are on the list of suspects.

A coder is standing by the window, closing and opening it. Closing and opening. Another one comes up and asks:
– What are you doing?
– Well, see: I can close it, I can open it, but I cannot minimize...
Will Google’s Authentication without Passwords Be Safe?
I guess I am not the only one who is tired of passwords: we have to remember them, they have to be strong enough not to be guessed or brute-forced, and on top of that they have to be different for each website. It has recently turned out that I am not alone in thinking so. A few days ago I came across the information that Google is testing a new passwordless authentication system that will make it possible to drop the password entry when logging into the account. User authentication is reduced to simply clicking a ‘Yes’ button on a smartphone, thereby confirming the identity and getting access to the account. As an information security specialist, I decided to share my opinion about this authentication solution. I have some doubts about its feasibility and security, and I would also like to find out what you think about it.

The data exchange is performed via GCM (Google Cloud Messaging). When the notification is sent to the user’s device, he or she has to accept it to log into the account. According to Rohit Paul, who informed the world about this innovation, the system works on the two-factor authentication principle: first the user has to log into the smartphone (the first factor), and only then can he accept Google’s notification and enter the account (the second factor). But I dare to disagree, as this scheme has a few ‘buts’:

It would be a serious mistake to consider this method real two-factor authentication. When clicking the ‘Yes’ button, the user actually confirms only one factor, possession of the phone. The second factor (knowledge) is not checked by the system. Two-factor authentication involves the use of two different factors at the same time: a knowledge factor plus an ownership factor or biometrics. The key idea of 2FA is that the advantages of one factor can cover the downsides of another.

If your smartphone is locked, lost, or you simply cannot reach it, you can enter the account with the usual login and password. This means that the second factor is optional. What will prevent an attacker from taking advantage of this loophole? It is not a big problem for a hacker to get the password using phishing, social engineering, brute force, etc. In fact, such an innovation can even make the situation with account protection worse: the attacker now has a choice, either to guess or steal the password, or to infect the user’s smartphone with a virus. It is worth mentioning that 87% of Android smartphones are vulnerable, and bulletins about iOS vulnerabilities also creep in from time to time.

The new passwordless authentication system with signal transmission via GCM, which Google is testing, is obviously not designed to strengthen data protection. Perhaps such a scheme is suitable for simplifying the login process, as the user needs only to press a single button. In this case, I agree, it is convenient and pleasant for most users, because all people are lazy by nature. But if data protection is taken seriously, in my opinion it is better to stay away from passwordless authentication and use 2FA with one-time passwords instead. Today there are...
Comic stories #1
Do you know why Bing takes so long to search? It is Googling!

Wikipedia: I know everything! Google: I’ll find everything! Facebook: I know everyone! Internet: Without me you are nothing! Electricity: Well, well!

Perhaps one day Google will be improved so much that in answer to the request “Where is the other sock?” you will get: – Under the bed,...
Will Passwords Survive?
In a rapidly changing world, even things that seem unshakable and undeniable can change. One such thing is passwords. We are so used to them that it feels strange even to question their necessity. But let’s try: do we really need ordinary reusable passwords? The network is overloaded with discussions of passwords’ downsides and low level of protection. Even a beginner at hacking can crack the majority of passwords. Besides, account owners do not always use passwords properly: they rarely change them, keep them in places accessible to other people, and choose short, easy-to-guess combinations.

How to Choose and Use Strong Passwords

Meanwhile, there are more reliable multi-factor authentication methods, which give much greater assurance that it is the account’s owner who is logging in, for example two-factor authentication with one-time passwords. It is successfully used by a growing number of websites, and for online resources that deal with money (online banking or payment systems) two-factor client authentication is an undisputed standard. Two-factor authentication works by simultaneously checking two components that confirm the legitimacy of the user: knowledge and ownership. The knowledge factor is either a reusable password that the user enters when logging into the account or the PIN code of an OTP token. The second factor, ownership, can be a mobile phone that receives SMS messages with one-time passwords, or a hardware or software OTP token. Thus, the delivery of one-time passwords to these devices is the second factor, confirming ownership.

How does 2-factor authentication work?

Practice shows that hardware OTP tokens as a means of user authentication provide a higher degree of protection than the well-known SMS delivery method.

What are the advantages of OTP tokens?

OTP tokens work autonomously, without open communication channels or an Internet connection. To use an OTP token you usually need to enter a PIN code, which further protects the account from unauthorized access. The token generates passwords using modern cryptographic algorithms; for example, Protectimus OTP tokens use three different generation algorithms: TOTP, HOTP and OCRA. If you need an even higher degree of protection, you can use a strong authentication system with a challenge-response algorithm. In this case each party to the authentication has a pre-shared secret key, whose value is used both when generating the temporary password and when verifying it during authentication.

The reliability of 2FA is based on the fact that the flaws and vulnerabilities of one factor may be offset by the advantages of the other. So if an attacker knows the password or the PIN code, the absence of the one-time password will prevent him from entering your account. And vice versa: if somebody gets your phone or OTP token, he or she cannot confirm the user’s legitimacy without entering the PIN code to unlock the device or without the ordinary password.

Will reusable passwords survive? After all, in spite of all their downsides, they remain an essential element of two-factor authentication. Won’t 2FA lose all its power if passwords are ‘canceled’? I think it is possible to do without passwords if 2FA keeps its much-needed first factor, knowledge. After all,...