Wednesday, February 23, 2011
Come help us 'Keep Security Weird' !! FREE for attendees... Register at...
Saturday, February 19, 2011
Friday, February 18, 2011
Thursday, February 17, 2011
Google has added multi-factor authentication for users of Gmail and Google Apps, and for other Google services too.
Google will call your cell phone and read you a 6-digit code that you enter after you have entered your username and password. This adds 'something you have' (your cell) to the 'something you know' (username and password), which better protects your Google account against brute-force password guessing and any weak passwords you might be using.
Once this is activated, someone with your username and password would be unable to log in to your Google account without your cell phone.
Similar to the Verisign/Symantec VIP solution for eBay & PayPal, there is an app for your smart device as well. Check out Google Authenticator for your iDevice, BlackBerry and Droid.
Google Authenticator How to enable Help
SC Magazine article on Google's new authentication method
Here are two websites for users interested in learning more about the computer security topics they may hear about or read about in blogs such as mine. These sites do a good job of explaining Internet security issues for basic to advanced users, to help protect you and your family.
OnGuard Online website
Wednesday, February 9, 2011
It seems many developers of mobile apps are not following best practice of securing your user information... Like banks.
MasterCard recently published some info about their API that clearly shows they store your username and passwords on your mobile phone.
Why should you care? Well because what if you lost your phone or iPad? Your information may be stored in such a way that a person can obtain it fairly easily...
Why do they need to store this information? Ease of use is what they will tell you. In reality you can store information on a device securely and still have ease of use, the developers just refuse to practice this art of coding, not because it is hard, but most likely because it is fast, easier and they may not care about security or think you don't.
I can tell you that Malware is coming to your mobile device and if these financial institutions don't care, you should. Would you feel OK about giving a stranger your Bank Account number? Why not? (assuming it was NO Fin WAY). Apps that store usernames and passwords should do so in a secure fashion and they don't.
I have seen Dan Cornell from Denim discuss iPhones, Eric Monti with Trustwave SpiderLabs also discuss iPhones and MJ Keith discuss Droids and I can tell you that simple code can sniff off what is coming and going or stored on your phone if the developers have not done it well and securely. Worse.. It is fairly easy...
I discovered my Bank stores my account number on my phone and so I did a test to get rid of it... I deleted the App, did a hard reset and reinstalled the App... My account number was still in the login field. But I uninstalled the app and rebooted the device????
Clearly the developers did NOT do it correctly. I will write more as I investigate this and see how vulnerable my Bank App is and what they say when I call them.
Monday, February 7, 2011
Hurry and reserve your FREE spot(s) for BSides Austin March 11th-12th.
It is shaping up! All registrants will get a YubiKey!!!
The schedule for the AppSec Guerilla Camp has also been posted.
AppSec Guerilla Camp info and schedule
BSides Austin Wiki site
Speakers and submitted papers page