While security has never been more important than it is today, the fastest way for an IT professional to become the most despised person in the company is to start enforcing a strong password policy. A policy perceived as overbearing may cause people to write down their passwords on a sticky-note near their computers, circumventing its very purpose. Your policy will be ineffective if your users don’t know how to create strong passwords that are easy to remember. Read the full story [computerworld.com]
Browsing Category: Social Engineering
It seems that hackers have not been taking the move to two-factor authentication lying down. Instead, they have been hard at work figuring out a method for siphoning off the one-time passwords generated by devices such as the RSA SecurID token and using them immediately to steal money from victims’ bank accounts.
This video is a demonstration of an attack exploiting a vulnerability in Facebook. It is a companion video to this blog post [quaji.com] that describes and discusses the hack. In a nutshell, a Facebook user’s personal information is stolen. The only thing he does is view a regular, legitimate forum site.
By Dmitry Bestuzhev
The credit crunch means we’re all increasingly aware of bank charges, interest rates, and how we can save a few extra pennies. Financial advisors have written pages on how transferring an existing credit card balance to another card issuer could save you money, and most people are shopping around for the best offers.
Of course, the APR and other rates don’t worry cybercriminals. All they want to do is get their hands on credit card numbers and then use them or sell them on. Who cares if the card owner gets stung with additional charges? Read the full story [Viruslist].
A huge number of Web sites are employing a little-known tracking mechanism to gather information on visitors and are failing to disclose the practice in their privacy policies, according to a new paper from a group of university researchers. The technique employs cookies generated by the Adobe Flash software (local shared objects, which survive clearing the browser’s cookies), and the researchers report that these Flash cookies often carry the same value as the site’s HTTP cookies, so a deleted HTTP cookie can be restored from the Flash copy.
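A practitioner who wants to know whether a site is mirroring HTTP cookies into Flash storage can check for it directly. The Python below is an added example, not code from the paper: it walks a Flash Player `#SharedObjects` directory and reports every HTTP cookie whose value appears verbatim inside a `.sol` file. Because AMF stores string values as plain UTF-8, a raw byte search suffices and no `.sol` parser is needed; very short values are skipped because they match by accident. The directory layout, the two `.sol` payloads and the cookie list are constructed for the demo and only approximate the LSO file format.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class HttpCookie:
    domain: str
    name: str
    value: str


def find_respawn_candidates(shared_objects_dir: str, cookies, min_len: int = 8):
    """Report (domain, cookie name, .sol path) for every HTTP cookie whose value
    is stored verbatim in a Flash local shared object. Such a pair lets the site
    recreate the HTTP cookie after the user clears browser cookies."""
    wanted = [(c, c.value.encode("utf-8")) for c in cookies if len(c.value) >= min_len]
    hits = []
    for root, _dirs, files in os.walk(shared_objects_dir):
        for filename in files:
            if not filename.lower().endswith(".sol"):
                continue
            path = os.path.join(root, filename)
            with open(path, "rb") as fh:
                blob = fh.read()
            for cookie, needle in wanted:
                if needle in blob:
                    hits.append((cookie.domain, cookie.name,
                                 os.path.relpath(path, shared_objects_dir)))
    return hits


def build_demo_tree(base: str) -> None:
    """Constructed sample data: two .sol files laid out roughly like LSO payloads
    (magic bytes, 'TCSO', object name, AMF-encoded members). Not from a real site."""
    tracker_dir = os.path.join(base, "ABCDEF12", "tracker.example.net", "beacon.swf")
    game_dir = os.path.join(base, "ABCDEF12", "games.example.org", "save.swf")
    os.makedirs(tracker_dir)
    os.makedirs(game_dir)
    uid = b"a1b2c3d4e5f6a7b8c9d0"  # same value the tracker sets as an HTTP cookie
    with open(os.path.join(tracker_dir, "tracker.sol"), "wb") as fh:
        fh.write(b"\x00\xbf\x00\x00\x00\x38TCSO\x00\x04\x00\x00\x00\x00"
                 b"\x00\x07tracker\x00\x00\x00\x00"
                 b"\x00\x03uid\x02\x00\x14" + uid + b"\x00")
    with open(os.path.join(game_dir, "save.sol"), "wb") as fh:
        fh.write(b"\x00\xbf\x00\x00\x00\x20TCSO\x00\x04\x00\x00\x00\x00"
                 b"\x00\x04save\x00\x00\x00\x00"
                 b"\x00\x05level\x00\x40\x08\x00\x00\x00\x00\x00\x00\x00")


def demo():
    """Run the scan against the constructed tree; returns the list of hits."""
    cookies = [
        HttpCookie("tracker.example.net", "uid", "a1b2c3d4e5f6a7b8c9d0"),   # mirrored in Flash
        HttpCookie("news.example.com", "session", "9f8e7d6c5b4a39281706"),  # HTTP only
        HttpCookie("news.example.com", "lang", "en"),                        # too short to trust
    ]
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return find_respawn_candidates(base, cookies)


if __name__ == "__main__":
    print(demo())
```

On a real machine, point `find_respawn_candidates` at the Flash Player `#SharedObjects` directory (on Linux, `~/.macromedia/Flash_Player/#SharedObjects`) and feed it the cookies exported from the browser; a match on a long, opaque value is strong evidence of respawning, whereas a match on a short value such as a language code proves nothing.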
Dennis Fisher talks with Microsoft’s Adam Shostack about the Privacy Enhancing Technologies Symposium, the definition of privacy in today’s world and the role of technology in helping to enhance and protect that privacy.
From IDG News Service (Juan Carlos Perez)
Members of the eBay Developers Program must change their account passwords because the e-commerce company recently discovered a way in which account information could be accessed by malicious hackers.
This requirement comes “out of an abundance of caution” on the part of eBay, which hasn’t detected any suspicious activity in developer accounts, the company said Monday evening. Read the full story [cio.com] See the eBay warning [ebay.com]
Two of the largest U.S. banks, Bank of America and Citigroup, have issued new credit and debit cards to Massachusetts customers after running into data-safety concerns.
Bank of America and Citigroup each recently issued replacement cards to consumers, telling them in letters that their account numbers may have been compromised. Read the full story [bizjournals.com]
Dennis Fisher talks with researcher Moxie Marlinspike about the innovative research on attacking the inherent weaknesses in the SSL infrastructure that he presented at Black Hat, and the tools he has released to demonstrate the attacks, SSLSniff and SSLStrip.
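The core of the SSLStrip attack is not cryptographic at all: a man-in-the-middle fetches the real site over HTTPS, rewrites every `https://` reference to `http://` before handing the page to the victim, and relays the victim's plaintext traffic onward, so the user never sees a certificate warning. The Python below is an added example, written here to illustrate that rewrite and the browser-side defence; it is not Moxie Marlinspike's code. The response, the headers and the hosts `bank.example` and `cdn.example` are constructed. The `HstsCache` class models HTTP Strict Transport Security (RFC 6797), a defence the page does not discuss: a browser that has already seen the site over HTTPS with that header upgrades `http://` navigations internally, so the stripped links never reach the network; a browser visiting for the first time has nothing to go on.

```python
import re
from urllib.parse import urlsplit, urlunsplit

HTTPS_REF = re.compile(r"https://", re.IGNORECASE)


def strip_response(headers, body):
    """Rewrite a response the way an sslstrip-style proxy does before forwarding
    it to the victim over plain HTTP: https:// references in the body and in a
    Location header become http://, and Strict-Transport-Security is dropped so
    a browser that has never seen the site securely learns nothing from it."""
    rewritten = []
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            continue
        if lname == "location":
            value = HTTPS_REF.sub("http://", value)
        rewritten.append((name, value))
    return rewritten, HTTPS_REF.sub("http://", body)


def count_downgraded(original_body, stripped_body):
    """How many https:// references the proxy removed from the page."""
    return len(HTTPS_REF.findall(original_body)) - len(HTTPS_REF.findall(stripped_body))


class HstsCache:
    """Browser-side HSTS store (RFC 6797). After one secure visit that carried a
    Strict-Transport-Security header, http:// navigations to that host are
    upgraded to https:// before any request leaves the browser."""

    def __init__(self):
        self.expiry = {}

    def learn(self, host, headers, now):
        for name, value in headers:
            if name.lower() == "strict-transport-security":
                m = re.search(r"max-age=(\d+)", value)
                if m:
                    self.expiry[host] = now + int(m.group(1))

    def navigate(self, url, now):
        parts = urlsplit(url)
        if parts.scheme == "http" and self.expiry.get(parts.hostname, 0) > now:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


LOGIN_PAGE = (  # constructed sample page, not from any real bank
    '<a href="https://bank.example/login">Log in</a>\n'
    '<form action="https://bank.example/transfer"></form>\n'
    '<img src="http://cdn.example/logo.png">'
)
SECURE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Location", "https://bank.example/login"),
]


def scenario(now=1_700_000_000):
    """Strip the constructed response, then compare what a first-time browser
    and a browser primed by an earlier HTTPS visit do with the first link."""
    headers, body = strip_response(SECURE_HEADERS, LOGIN_PAGE)
    fresh = HstsCache()   # has never seen bank.example over HTTPS
    primed = HstsCache()  # saw it an hour ago, with the HSTS header intact
    primed.learn("bank.example", SECURE_HEADERS, now - 3600)
    first_link = re.search(r'href="([^"]+)"', body).group(1)
    return {
        "downgraded": count_downgraded(LOGIN_PAGE, body),
        "location": dict(headers)["Location"],
        "fresh_browser_goes_to": fresh.navigate(first_link, now),
        "primed_browser_goes_to": primed.navigate(first_link, now),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The caveat the model makes visible is that HSTS only protects a host the browser has already seen securely; the first visit, and any host the user reaches by typing a bare name into the address bar, is exactly the window SSLStrip exploits.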
The cryptographic underpinnings of the Internet are beginning to show some serious wear, and the outlook for better days ahead is not particularly rosy. In just the last week there has been news of major new attacks on perhaps the two most widely used encryption technologies: the SSL protocol and the AES block cipher. We’ve heard talk of weaknesses in both before, but this time, even the most conservative observers are worried.