Google offers USB security key to make bad passwords moot

A new security feature for Google’s services will help users better protect their data by requiring that they insert a USB security key to log in to their account.

Announced on Tuesday, the optional Security Key technology requires that a Chrome user take two additional steps to sign in to their Google account: plug a small key into the USB port on their computer and tap a button. The process is a simpler and more secure version of the 2-Step Verification process that Google offers to security-conscious users. With 2-Step Verification, users receive a code from Google on their phone or in e-mail that they must enter into Google’s site to complete the login process.

Users who opt for the Security Key technology will have to purchase a special USB key, which typically costs less than $20.


Defence-in-depth, more than a buzzword

Beyond the relentless headlines of data breaches, credit card theft, and many other cybersecurity-related stories lies a very simple explanation. Sometimes it’s as simple as an employee clicking on a link within an email, or a user of a popular cloud service using 123456 as their password. So with recent headlines reporting the widespread theft of ‘millions’ from ATMs infected with Tyupkin malware, we undertook analysis in an effort to understand the simple explanation behind the attack. A clue to this simple explanation is of course in the title of this post. Simply put, the attackers were able to gain physical access to the ATMs and reboot them using a Live CD; they would then follow up with direct manipulation of security controls and installation of the malware executable onto the machine. Not only could the attackers infect the system, and then ultimately steal the millions we all saw across the 140 characters that inevitably follow such stories, but the malware was also able to delete itself and clear all logs in an effort to cover the criminals’ tracks.

Herein lies the nub of the issue. There are solutions that can greatly reduce the risk of malware attacks. However, there is not just ONE solution that will accomplish this. ATM security must be implemented in a layered approach. The layers create barriers of protection to make the criminal’s job more difficult. Changing the boot order sequence would go far in preventing the attacks. Eliminating the capability to boot from external media would also be effective as another layer of protection.

To add more protection, consideration needs to be given to how ATMs are deployed. Some models are designed to be used in certain settings. Additional physical protection to make access to the ATM CPU harder needs to be implemented. In such circumstances there are approaches that should be considered that include not only physical security controls (e.g. alarms, CCTV) but also tamper-proof security controls. Best practice recommends a layered approach to security so that there are lots of hurdles to jump and not just one. A weakness in one layer is mitigated by security provision elsewhere. A combination of physical, process and logical controls provides a robust environment. Determining the level of security for such environments means that future risk assessments should not assume that all devices will be in controlled physical environments, and should recognise that today’s criminals are becoming more brazen in mixing physical and cyber in modern-day crimes.

We would like to thank the team at Kaspersky for providing their analysis of the criminal campaign to our research team.

The post Defence-in-depth, more than a buzzword appeared first on McAfee.

Pipal – Password Analyzer Tool

Pipal is a password analyzer tool that can rapidly parse large lists of passwords and output stats on their contents. Pipal will provide you with stats on things like the most frequently used passwords, password lengths, dates (months/days/years) or numbers used, the most common base words and much more. It also makes recommendations based on...

Read the full post at darknet.org.uk
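As an added illustration of the kind of statistics Pipal produces (this is example code written for this page, not Pipal’s own Ruby source), the script below computes the most frequent passwords, length and character-set distributions, base words, and embedded years and months over a constructed sample list; `analyze` accepts any iterable of strings, so a real dump can be fed in line by line.

```python
import re
from collections import Counter

# Constructed sample list for the demo; it is not taken from any real breach.
SAMPLE_PASSWORDS = ["password123", "Password1", "123456", "summer2014", "123456",
                    "letmein", "Summer2014!", "qwerty", "password123", "welcome1",
                    "october14"]

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
BASE_RE = re.compile(r"[A-Za-z]+")        # first run of letters is the base word
YEAR_RE = re.compile(r"(?:19|20)\d{2}")   # four-digit years 1900-2099
TRAILING_DIGITS_RE = re.compile(r"\d+$")  # "word followed by digits" pattern

def charset(pw):
    """Classify a password by the character classes it uses (Pipal-style)."""
    kinds = []
    if any(c.islower() for c in pw): kinds.append("lower")
    if any(c.isupper() for c in pw): kinds.append("upper")
    if any(c.isdigit() for c in pw): kinds.append("digit")
    if any(not c.isalnum() for c in pw): kinds.append("special")
    return "+".join(kinds) or "empty"

def analyze(passwords):
    """Return headline statistics of the kind Pipal reports for a password list."""
    bases, years, months = Counter(), Counter(), Counter()
    for pw in passwords:
        m = BASE_RE.search(pw)
        if m:                               # all-digit passwords have no base word
            bases[m.group(0).lower()] += 1
        years.update(YEAR_RE.findall(pw))
        months.update(mo for mo in MONTHS if mo in pw.lower())
    return {
        "total": len(passwords),
        "top_passwords": Counter(passwords).most_common(5),
        "lengths": Counter(len(pw) for pw in passwords),
        "charsets": Counter(charset(pw) for pw in passwords),
        "base_words": bases,
        "years": years,
        "months": months,
        "trailing_digits": sum(1 for pw in passwords if TRAILING_DIGITS_RE.search(pw)),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

A high share of "lower+digit" passwords built on a handful of base words with a trailing year is the pattern a password policy review should flag.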