Tuesday, December 27, 2016

Security odds and ends for Christmas week

Here are a few odds and ends during Christmas week.

Trend Micro has flashed that it now offers password encryption on all your major sites (which might include websites or blogs you own, as well as social media).  This is another feature besides two-factor identification, and I haven’t looked into it much. It also offers endpoint encryption for business, here.  It’s your own private “ransomware”.

Watch out for some new phishing scams.  There’s a new one involving rental houses and putting homes on the market.

Webroot reports on a ransomware scam attracting victims with fake credit reports.  Webroot also reports on a new scheme for stealing cars with keyless ignition.  Car thieves also use radio signals to keep car doors from locking.

I had a situation where a garage door got stuck on open.  The garage contractor reprogrammed it.  I think it timed out because I didn’t close it in time, and that there is a firmware issue (in my specific case).  But this sounds like another possibility for hacking and a possible home security issue.

Friday, December 09, 2016

"12 Days of 2FA" from EFF (two-factor authentication)

Electronic Frontier Foundation has a valuable summary by Gennie Gebhart on “2FA” systems – “two factor authentication”, link.
The authentication is based on a password, where you are, and what you have.  (That's really three factors.) Sites that make you re-authenticate when on a different computer (even in your own home) are using this practice. 

EFF is sponsoring a “12 Days of 2FA” event.


EFF prefers the use of hardware tokens like Yubikey when possible, as it would be harder for a totally fake copy of a regular site to trick you, and as governments could not track your smartphone use into metadata. 

Update: Dec. 23

Apple says it has turned on two-factor identification with the iOS 10.2 release.  But Forbes says there are other problems (especially with a power shutoff issue at 30%, here).

Friday, December 02, 2016

WordPress wants all bloggers on https by the end of 2017

WordPress (Automattic) has announced that it will step up work on implementing SSL, with the hope that all blogs will eventually use it (https) by the end of 2017, post here.

Since SSL works by domain name, that means accounts with multiple domains, with an owner and subdomains that actually have their own URLs, would have to be set up in single domains as subdirectories.  This would be a lot of work for a hosting provider like Bluehost and its customers to implement smoothly.

That's also the reason why Google can offer https now on blogs addressable only under "blogspot" but not to custom domains equated to blogs.  People tell me the latter can be done, but it will be a lot of work.

With Trump coming to the White House, many service providers are on edge now about "national security".

I wonder why Trend Micro has Automattic's rating as gray.  

Thursday, December 01, 2016

FBI gets authority to hack into citizens' computers and phones with much simpler warrant procedures

As of midnight this morning, the FBI gained authority to hack into computers, networks, and phones with simple blanket federal warrants, as explained this morning in a typical story in New York magazine here.

The Senate did not stop this authority.  Previously, multiple local warrants would have been necessary.

It’s not likely that this could affect most users (“if you aren’t doing something you shouldn’t be doing”).   It’s unclear if major computer security firewall products will prevent the hacking.  The FBI may want this capability particularly to counter terrorism and recruitment by foreign enemies (ISIS) which Trump is likely to continue.