There are limits to 2FA and it can be near-crippling to your digital life

A video demonstration of the vulnerability here, using a temporary password. (credit: Kapil Haresh)

This piece first appeared on Medium and is republished here with the permission of the author. It reveals a limitation in the way Apple approaches 2FA, which is most likely a deliberate decision. Apple engineers probably recognize that someone who loses their phone won’t be able to wipe data if 2FA is enforced, and this story is a good reminder of the pitfalls.

As a graduate student studying cryptography, security and privacy (CrySP), software engineering and human-computer interaction, I've learned a thing or two about security. Yet a couple of days back, I watched my entire digital life get violated and nearly wiped off the face of the Earth. That sounds like a bit of an exaggeration, but honestly it pretty much felt like that.

Here’s the timeline of a cyber-attack I recently faced on Sunday, July 23, 2016 (all times are in Eastern Standard):

That’s a pretty incidence matrix (credit: Kapil Haresh)

3:36pm—I was scribbling out an incidence matrix for a perfect hash family table on the whiteboard, explaining how the incidence matrix should be built to my friends. Ironically, this was a cryptography assignment for multicast encryption. Everything seemed fine until a rather odd sound started playing on my iPhone. I was pretty sure it was on silent, but I was quite surprised to see that it said “Find My iPhone Alert” on the lock screen. That was odd.

DNC Breach extended to systems used by Clinton campaign

Hillary Clinton's campaign acknowledged systems used by the campaign, hosted at the DNC, had been hacked, allegedly by a group tied to Russian intelligence agencies. (credit: Clinton campaign.)

An analytical system hosted by the Democratic National Committee and used by Hillary Clinton's presidential campaign team was accessed by hackers. In a statement issued by the Clinton campaign, a spokesperson said that a network intrusion had exposed data on the system maintained by the DNC, but that the campaign organization's own systems did not appear to have been breached. No financial or personal identifying data other than voter information was stored on the analytical system.

In a separate statement, a spokesperson for the Democratic Congressional Campaign Committee acknowledged that its network and systems had been hacked. Upon discovering the breach, "we immediately took action and engaged with CrowdStrike, a leading forensic investigator, to assist us in addressing the incident," said Meredith Kelly, a spokeswoman for the DCCC.

The New York Times cited information from an unnamed federal law enforcement official that both the breach of the Clinton campaign system hosted at DNC and the DCCC hack—which redirected would-be donors to a lookalike site that collected their personal data—were executed by groups of hackers affiliated with Russia's intelligence services. Both the DNC and DCCC attacks were attributed to the group behind the "Fancy Bear" family of malware and intrusions, which the official identified as being tied to the Russian military intelligence agency known as Glavnoye Razvedyvatel'noye Upravleniye (GRU), or Main Intelligence Directorate. "It's the same adversary," the official told the Times.

DHS Announces Cyber Incident Reporting Information

Original release date: July 29, 2016

The United States Department of Homeland Security (DHS) has released guidelines and points of contact for reporting cyber incidents to the Federal Government. This communication follows the recent release of Presidential Policy Directive 41 (PPD-41)—United States Cyber Incident Coordination—which outlines how the Federal Government will handle cyber incidents.

Users and administrators are encouraged to review these documents to learn when, what, and how to report cyber incidents to the National Cybersecurity and Communications Integration Center (NCCIC) and other entities.

fping 3 – Multi Target ICMP Ping Tool

fping is a program like ping which uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding. fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the list of targets to ping. Instead of sending […]