Sunday, January 01, 2017

"True Key" from Intel, which provides facial recognition sign-on, seems to come with a recent Windows 10 update

I recently had problems with an install of a Microsoft update KB3206332 of Windows 10 after the cumulative upgrade last August, on a Toshiba Satellite that had been converted from Windows 8.1.

I kept getting repeated errors "0x80070564" after very slow installs ("preparing to install", 1%, then 20%).  Also, when booting up, Trend Micro would take a long time to start, prompting warnings.

Geek Squad got it installed, but said it found malware (with Webroot) that Trend Micro had missed. It thought the errors were due to the malware.

But the Adobe Flash, which had updated before, now offers a "True Key" option rather than password for log on.  (It has not done this on my HP Envy with the same update.) I tried to use it, and I could not get it to take my picture properly.  Maybe my Comcast Internet wasn't strong enough (it has been shaky recently).  Eventually I had to opt out and go back to regular log on.  True Key will tell you to use your Microsoft password, but actually you have to use the password for that computer, which can be different.

Here's the link for True Key. But curiously that site (which displays the Intel trademark) has a gray rating from Trend, but there is another green link on Intel's site here.  Bleeping Computer says the original link is OK (answer to question here).

Tuesday, December 27, 2016

Security odds and ends for Christmas week

Here are a few odds and ends during Christmas week.

Trend Micro has flashed that it now offers password encryption on all your major sites (which might include websites or blogs you own, as well as social media).  This is another feature besides two-factor identification, and I haven’t looked into it much. It also offers endpoint encryption for business, here.  It’s your own private “ransomware”.

Watch out for some new phishing scams.  There’s a new one for rental houses and for putting homes on the market.

Webroot reports on a ransomware scam attracting victims with fake credit reports.  Webroot also reports on a new scheme for stealing cars with keyless ignition.  Car thieves also use radio signals to keep car doors from locking.

I had a situation where a garage door got stuck on open.  The garage contractor reprogrammed it.  I think it timed out because I didn’t close it in time, and that there is a firmware issue (in my specific case).  But this sounds like another possibility for hacking and a possible home security issue.

Friday, December 09, 2016

"12 Days of 2FA" from EFF (two-factor authentication)

Electronic Frontier Foundation has a valuable summary by Gennie Gebhart on “2FA” systems – “two factor authentication”, link.
The authentication is based on a password, where you are, and what you have.  (That's really three factors.) Sites that make you re-authenticate when on a different computer (even in your own home) are using this practice. 

EFF is sponsoring a “12 Days of 2FA” event.


EFF prefers the use of hardware tokens like Yubikey when possible, as it would be harder for a totally fake copy of a regular site to trick you, and as governments could not track your smartphone use into metadata. 

Update: Dec. 23

Apple says it has turned on 2 factor identification with the iOS 10.2 release.  But Forbes says there are other problems (especially with power shutoff issue at 30%, here).

Friday, December 02, 2016

WordPress wants all bloggers on https by the end of 2017

WordPress (Automattic) has announced that it will step up work on implementing SSL, with the hope that all blogs will eventually use it (https) by the end of 2017, post here.

Since SSL works by domain name, that means accounts with multiple domains, with an owner and subdomains that actually have their own URLs, would have to be set up in single domains as subdirectories.  This would be a lot of work for a hosting provider like Bluehost and its customers to implement smoothly.

That's also the reason why Google can offer https now on blogs addressable only under "blogspot" but not to custom domains equated to blogs.  People tell me the latter can be done, but it will be a lot of work.
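As an added illustration (not part of the original post, and not WordPress or Google code), the name check a browser applies to a certificate, simplified from the RFC 6125 wildcard rules, shows why a certificate for "*.blogspot.com" covers blogs under blogspot but not a custom domain pointed at the same blog. The host names and certificate name lists below are constructed.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, host):
    """True if one certificate name (optionally '*.x.y') covers host."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False  # a wildcard stands for exactly one non-empty label
    if p[0] == "*":
        # Only the whole left-most label may be a wildcard, and at least
        # two fixed labels must follow it (so '*.com' never matches).
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h


def cert_covers(cert_names, host):
    """Return the certificate name that covers host, or None."""
    for pattern in cert_names:
        if name_matches(pattern, host):
            return pattern
    return None


# Constructed data: names on a platform's shared certificate, and names on
# a certificate issued separately for one custom domain.
PLATFORM_CERT = ["*.blogspot.com", "blogspot.com"]
CUSTOM_CERT = ["www.example-blog.com", "example-blog.com"]


def coverage_report(hosts):
    """Map each host to the name that covers it on either certificate."""
    return {
        host: {
            "platform": cert_covers(PLATFORM_CERT, host),
            "custom": cert_covers(CUSTOM_CERT, host),
        }
        for host in hosts
    }


if __name__ == "__main__":
    for host, hit in coverage_report(
        ["myblog.blogspot.com", "www.example-blog.com", "a.b.blogspot.com"]
    ).items():
        print(host, hit)
```
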

With Trump coming to the White House, many service providers are on edge now about "national security".

I wonder why Trend Micro has Automattic's rating as gray.  

Thursday, December 01, 2016

FBI gets authority to hack into citizens' computers and phones with much simpler warrant procedures

As of midnight this morning, the FBI gained authority to hack into computers, networks, and phones with simple blanket federal warrants, as explained this morning in a typical story in New York magazine here.

The Senate did not stop this authority.  Previously, multiple local warrants would have been necessary.

It’s not likely that this could affect most users (“if you aren’t doing something you shouldn’t be doing”).   It’s unclear if major computer security firewall products will prevent the hacking.  The FBI may want this capability particularly to counter terrorism and recruitment by foreign enemies (ISIS) which Trump is likely to continue.

Friday, November 25, 2016

Fake apps are likely to pester companies that don't create their own; stolen identities can use fake social media accounts (esp. less popular ones)

Tonight, on Black Friday, several media sources noted that companies (selling in major box stores) that don't have their own smart phone apps are likely to find that crooks will create phony apps in their name.

The advice is to download the app from the vendor or possibly the retailer but not from an app store.

Another risk is that individuals who do not sign up for a particular service may learn that others have created accounts in their name.  This could happen with Snapchat and Instagram.  When I signed up for Instagram, I found a bogus account in my name with nothing in it, but it had to be removed first.  

Thursday, November 24, 2016

2-step verifications can now use thumb drives as security keys

Google is recommending that users of Google accounts on true laptops or desktops with USB ports now consider getting security key thumb drives for use in 2-step verification of their Google accounts, rather than use PIN codes by smartphone or pre-print.  They also recommend financial institutions offer similar products, which can work with Google Chrome.  The writeup is here.
Although the 2-step process now available pretty much stops password cracking, it’s possible for a hacker to entice a user with a duplicate built to look exactly like the original (and presumably use phishing to entice clicks, or misspellings, that today lock up browsers with scareware).
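The server-side check that lets a security key resist a look-alike site, for this post and the Dec. 9 EFF post, as an added example that is not from the original posts or from Google's code. It is a simplified model of a U2F-style login: HMAC stands in for the key's public-key signature, and the origins and class names are constructed.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.example.com"       # constructed
LOOKALIKE_ORIGIN = "https://accounts-example.com"  # constructed


class SecurityKey:
    """Toy token; HMAC stands in for the device's public-key signature."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, challenge, origin_seen_by_browser):
        # The browser, not the web page, records which origin is open.
        client_data = json.dumps(
            {"challenge": challenge, "origin": origin_seen_by_browser},
            sort_keys=True,
        ).encode()
        return client_data, hmac.new(self.key, client_data, hashlib.sha256).digest()


class Server:
    def __init__(self, origin, registered_key):
        self.origin = origin
        self.key = registered_key  # stand-in for the stored public key
        self.pending = set()

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, client_data, signature):
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            return "bad signature"
        data = json.loads(client_data)
        if data["challenge"] not in self.pending:
            return "unknown or reused challenge"
        self.pending.discard(data["challenge"])  # single use
        # A typed PIN code carries no such field, so a server cannot tell
        # where the user entered it; the signed origin is what differs.
        if data["origin"] != self.origin:
            return "origin mismatch"
        return "ok"
```
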