Posts tagged Secure

Your Nosy Little Brother Will Love Yahoo’s “Secure” Disposable Passwords

Yahoo just launched a new login process that does away with static passwords in favor of single-use versions sent to smartphones on the fly.

The company says its new approach, which is similar to two-factor authentication, is designed to boost ease and security. When it comes to strangers, it just might. But it could also give anyone in your life—like roommates or family members—some souped-up snooping powers.

See also: Meet Yahoo’s Play To Help App Developers Make Loads Of Money

Are Disposable Passwords More Secure?

Instead of relying on a fixed password, Yahoo’s system sends a temporary access word or code on demand to your smartphone. This should bypass the use of easily guessable passwords or hard-to-memorize character soup like “K7jl3nwes0f.”

The on-demand passwords are also disposable; once they’re used, they won’t work again. That should be comforting for the large swaths of people who ignore security experts and use the same login across multiple accounts. In other words, attackers can’t get their hands on a single key that could unlock your whole kingdom.

The premise relies entirely on you having your smartphone by your side. In that way, it’s similar to two-factor authentication protocols that kick into action when you try to log in (first factor) and text you an unlock code (second factor). Numerous services—including Gmail, Facebook and Twitter—offer two-factor options.

Yahoo itself also offers two-step verification, but to use the new on-demand system, you must disable it. Once you do, you forgo the secondary layer of protection for your Yahoo Mail (and presumably Flickr and Tumblr accounts, too). Now, anyone with your phone may see your on-demand password, and unlocking the device won’t even be necessary in most cases.

Text messages, after all, are often set to show up directly on phones’ lockscreens.

Dogging Snoops

Of course, the system still requires you to enter your Yahoo username. That may make it more tempting to the people you already know, those loved ones who are likely within sight of your smartphone and who already know your username, than to strangers.

According to a recent survey of 13,132 respondents conducted by anti-virus software company Avast, one in five men and one in four women confessed to checking their partner’s smartphone. Those are merely the participants who admitted to spying. Add in attentive parents, prying roommates or nosy siblings, and you might wind up with a whole lot of unauthorized access.

Whether the threat comes from strangers or loved ones, password management applications and services still seem like the best bet. Users have plenty of options now, including those from LastPass, Dashlane, 1Password and others. These can act like iron fortresses for your logins, without clamping them down so tightly that you can’t share some when need be.

See also: How To Safely Share Passwords With Others Who Need Them

You can’t blame Yahoo for trying to improve email security. The company, which serves more than 80 million users in the U.S. and more than 270 million users worldwide, announced these changes following a well-publicized email security breach last January.

Last year, Yahoo announced that it was working with Google on an end-to-end email encryption plugin, and it just showed off the fruits of its labor at SXSW. Like with its new on-demand passwords, the company hopes to make email encryption more commonplace by making the process simpler.

Featured photo by Karen Roe

View full post on ReadWrite

Twilio Acquires Authy For More Secure Mobile-App Development

It just got a little easier for developers to improve the security in their coding projects. Twilio, a developer-friendly set of tools for creating SMS, voice, and voice-over-IP applications, has acquired Authy, a developer tool for implementing two-factor authentication.

Twilio claims to have more than 500,000 registered developers using its tools, and says that more than a million individual software applications use its platform in some way. As interest in mobile development soars, Twilio’s tool suite has become an SMS, MMS, and VoIP solution for enterprise and novice developers alike.

See also: My Fish Just Sent Me A Text Message

It’s no surprise that such a mobile-focused company has opted for a highly mobile security solution. Authy’s two-factor authentication works by sending a token—typically a six- or eight-digit number—to a secondary device (mobile or desktop); the user must input both his or her password and the token to access an account. Authy aims to make it easy for developers to integrate two-factor authentication into their apps.

Previously, Twilio users who wanted additional security in their apps needed to build their own two-factor authentication around Twilio’s SMS and voice services. Moving forward, Twilio users can do away with that hassle and choose Authy as a product option.

See also: Friday Fun: Build A Drinking Game With Twilio MMS And Flickr API

This is Twilio’s first company acquisition, and neither CEO Jeff Lawson nor Authy CEO Daniel Palacio is revealing the financial details behind it. The entire Authy team, however, is coming on board as Twilio’s new authentication team, effective immediately.

Screenshot courtesy of Authy

View full post on ReadWrite

Browsing In Privacy Mode Isn’t As Secure As You Think

Your browser’s incognito mode might not be as secure as you think. A researcher has come up with a proof of concept for Super Cookies, a type of data retention that could turn one of your browser’s biggest security features into its biggest privacy hazard.

See also: The Real Lesson From Recent Cyberattacks: Let’s Break Up The NSA

Cookies are messages between a web server and web browser that get exchanged when a user requests an Internet site. Then, when the user returns to the same site, the website will recognize the user from the cookie it has stored. Essentially, cookies allow websites to fingerprint users and keep tabs on them—when they’re not in incognito mode. Presumably, the difference in incognito mode is that cookies are never exchanged.

Now Sam Greenhalgh, a technology and software consultant, has developed a proof of concept for HSTS Super Cookies, which can fingerprint users even in incognito mode. In order to show he has this capability, his site sets a tracking ID for each visitor. Visit the site as many times as you like in as many browsers and browser settings as you want; you’re still vulnerable to Super Cookies if the tracking ID remains the same.

HSTS stands for HTTP Strict Transport Security, a security protocol that ensures users only interact with a website via a secure HTTPS connection. For a more detailed explanation, check out Ars Technica’s thorough description.

Greenhalgh noted that he is aware of only one browser version that is invulnerable to HSTS Super Cookies: the latest version of Firefox, 34.0.5. Internet Explorer isn’t vulnerable for a different reason—it doesn’t support HSTS security in the first place.

Photo by Jeramey Jannene

View full post on ReadWrite

Your Messaging App Probably Isn’t As Secure As You Think

More than a few messaging apps aren’t doing everything they can to keep your nude photos from leaking on to the Internet or The Man from eavesdropping on your personal conversations, the Electronic Frontier Foundation reports.

In fact, after evaluating three dozen communication tools for its new Secure Messaging Scorecard, the EFF found that there are only a handful of truly secure messaging apps. And odds are good that most people aren’t using them.

You might not be familiar with the top scorers, which include ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text, and TextSecure. These are the six apps that met the EFF’s seven-point criteria for secure messaging:

  1. Messages are encrypted in transit
  2. Messages are encrypted so the service provider can’t read them
  3. Contacts’ identities can be verified
  4. Past communications are secure if keys are stolen
  5. Code is open to independent review
  6. Security design is properly documented
  7. The code has been audited

Apple’s iMessage and FaceTime did best among mainstream apps, “although neither currently provides complete protection against sophisticated, targeted forms of surveillance,” the EFF said in a statement.

If you’re looking to keep your service provider out of your communications, forget about Secret, SnapChat and WhatsApp, as well as Apple, Google and Facebook’s email services and Yahoo’s mobile and Web chat. None offers the end-to-end encryption necessary to keep your conversations from being accessed by the company sending them.

Of course, it could be worse. According to the EFF, QQ, Mxit and the desktop version of Yahoo Messenger “have no encryption at all.”

Lead illustration courtesy of Shutterstock

View full post on ReadWrite

Snapchat Claims It Can’t Afford To Keep Your Photos Secure

Snapchat is valued at $10 billion, with its 24-year-old CEO Evan Spiegel paying himself a $10 million salary. Yet in the wake of a third-party breach which allowed hackers to post hundreds of thousands of private Snapchat photos on the Internet, the company now claims it has neither the time nor the money to keep its customers secure.

“It takes time and a lot of resources to build an open and trustworthy third-party application ecosystem,” the company wrote in a Snapchat blog post. “That’s why we haven’t provided a public API to developers and why we prohibit access to the private API we use to provide our service.”

See also: Hacked Site Takes Blame For Snapchat Leak

Hackers dumped hundreds of thousands of user photos—about 13GB—onto Internet forum 4chan on Sunday, a breach Internet joke smiths call “The Snappening.” Snapchat traced the hack to a third-party app named SnapSaved, and promptly blamed the victims:

“Snapchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”

Snapchat blames users, but it’s hard to believe users realized that Snapchat’s third-party apps were insecure at a time when third-party apps for most social networks are not. Places like Twitter and Facebook, for example, provide a public API for developers interested in creating third-party apps. When an API isn’t available, developers are forced to use a less secure workaround of accessing user credentials, and that’s what happened with SnapSaved.

See also: Snapchat Blames Victims In Nude Photo Leak

What’s especially interesting is Snapchat’s insistence that the company doesn’t have the time or resources to build a secure API, given the site’s current $10 billion valuation. Asked about his newfound wealth at a Vanity Fair event, CEO Evan Spiegel said:

“It’s all fake money still. We generally have the feeling there is a lot more work to do.”

It’s unclear what Spiegel meant, whether he was stating that going from rags to riches felt like Monopoly money, or whether the money was somehow still inaccessible—another staggering leap of illogic given that he gave himself a $10 million salary last year.

Don’t listen to Snapchat’s victim blaming. The company indeed has the resources to ensure a hack like this doesn’t happen again, and it ought to begin taking responsibility.

Lead photo by Snugg LePup.

View full post on ReadWrite

Navigating Secure Search: From Keywords to Content [BrightEdge Share 14]

In a session at BrightEdge’s Share 14 event, brands discussed how they’ve shifted their approach in a keyword “(not provided)” world.

View full post on Search Engine Watch – Latest

Live @ SMX East: How To Secure Your Site For Google’s HTTPS Algorithm

Google wants everyone to secure their websites, to make the browsing experience on the web safer for everyone. Google has even gone so far as to say that sites that implement HTTPS — adding an SSL 2048-bit key certificate on your site — will give it a minor ranking boost. What’s not to like…

Please visit Search Engine Land for the full article.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

HTTPS Sites Secure Ranking Boosts in Google

Google announced HTTPS would be used as a signal in its search ranking algorithm. Starting it as a “lightweight” signal, affecting fewer than 1 percent of global queries to give sites “time to switch,” Google said the signal may strengthen over time.

View full post on Search Engine Watch – Latest

Google Starts Giving A Ranking Boost To Secure HTTPS/SSL Sites

Google To Give Secure Sites A Ranking Boost

Google has announced (the blog post hasn’t gone live yet, actually) that going HTTPS — adding an SSL 2048-bit key certificate on your site — will give you a minor ranking boost. Google says this gives websites a small ranking benefit,…

Please visit Search Engine Land for the full article.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Russian Search Engine Yandex Goes 100% Secure Search, Referrer Data Now “Not Provided”

Yandex announced (in Russian) today that it has now gone 100% secure, encrypting all search queries, resulting in a huge jump in the [not provided] count. This was first reported by Anna Oshkalo, who shared a screenshot of her analytics detailing that the bulk of her Yandex keyword data now shows [not…

Please visit Search Engine Land for the full article.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Copyright © 1992-2015, DC2NET All rights reserved