Monthly Archives: May 2015

Microsoft bids for security edge with new browser

In a bid to end years of Internet Explorer security woes, Microsoft is betting that its still-to-be-released Edge browser will meet the challenges of increasingly sophisticated online hacker attacks.

“With Microsoft Edge, we want to fundamentally improve security over existing browsers and enable users to confidently experience the web from Windows,” said Microsoft Edge senior program manager Crispin Cowan in a blog post.

The software firm has set out to develop industry-leading sandboxing, compiler and memory management techniques for its new-generation browser.

Developers say Microsoft Edge includes a major overhaul of the document object model (DOM) representation in the browser’s memory, making the code more resistant to attacks that attempt to subvert the browser.

The browser’s security has also been improved by removing support for vulnerable extensions for VML, VB Script, toolbars, browser helper objects (BHOs) and ActiveX.

Microsoft believes there is no need for such extensions because of the rich capabilities of HTML5, which makes sites interoperable across browsers.

“Browser extensions come at a cost of security and reliability: binary extensions bring code and data into the browser’s process, with no protection at all, and so anything that goes wrong or is vulnerable in the extension can also take down or compromise the browser itself,” said Cowan.

According to the software firm, Microsoft Edge is “rebooting” its browser extension model, allowing it to run its content processes in app containers all the time.

This means that every internet page that Microsoft Edge visits will be rendered inside an app container, which developers believe is the most secure client-side app sandbox in Windows.

Microsoft Edge is designed to run only 64-bit processes on 64-bit machines. According to Microsoft, 64-bit processes get significant security advantages by making Windows address space layout randomisation (ASLR) stronger.

Microsoft SmartScreen, originally introduced in IE8, is supported in Microsoft Edge and by the Windows 10 Shell. SmartScreen defends users against phishing sites by performing a reputation check on sites the browser visits, blocking those thought to be phishing sites.

“Similarly, SmartScreen in both the browser and the Windows Shell defends users against socially engineered downloads of malicious software to users being tricked into installing malicious software,” said Cowan.

Finally, developers say the Microsoft EdgeHTML rendering engine in Microsoft Edge helps in defending against “con man” attacks using new security features in HTML5.

For example, support for the W3C standard for content security policy helps developers defend their sites from cross-site scripting (XSS) attacks in a cross-browser manner, and support for HTTP strict transport security helps ensure that connections to sites such as online banking are always secured.
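To make those two headers concrete, here is an added example (not code from the article or from Microsoft): a small Go audit of a response's Strict-Transport-Security and Content-Security-Policy headers, run over constructed sample headers. The thresholds it applies (a one-year max-age with includeSubDomains, and a script source list with neither 'unsafe-inline' nor a bare '*') are the editor's assumptions about what a sound deployment looks like, not values the article states.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Finding is one observation about a response's security headers.
type Finding struct {
	Header string
	OK     bool
	Note   string
}

// minHSTSAge is the editor's threshold (one year in seconds), not a value
// taken from the article.
const minHSTSAge = 31536000

// checkHSTS wants Strict-Transport-Security with a max-age of at least
// minHSTSAge and includeSubDomains, so that after first contact no plain-http
// request to the site or its subdomains is made for a long time.
func checkHSTS(h http.Header) Finding {
	const name = "Strict-Transport-Security"
	v := h.Get(name)
	if v == "" {
		return Finding{name, false, "header missing: later visits can still be downgraded to http"}
	}
	maxAge, subdomains := -1, false
	for _, d := range strings.Split(v, ";") {
		kv := strings.SplitN(strings.TrimSpace(d), "=", 2)
		switch strings.ToLower(kv[0]) {
		case "max-age":
			if len(kv) == 2 {
				if n, err := strconv.Atoi(strings.Trim(kv[1], `" `)); err == nil {
					maxAge = n
				}
			}
		case "includesubdomains":
			subdomains = true
		}
	}
	switch {
	case maxAge < 0:
		return Finding{name, false, "max-age missing or unparsable"}
	case maxAge < minHSTSAge:
		return Finding{name, false, fmt.Sprintf("max-age %d is below %d", maxAge, minHSTSAge)}
	case !subdomains:
		return Finding{name, false, "includeSubDomains not set"}
	}
	return Finding{name, true, "ok"}
}

// parseCSP splits a policy into directive name -> source list.
func parseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		if f := strings.Fields(d); len(f) > 0 {
			out[strings.ToLower(f[0])] = f[1:]
		}
	}
	return out
}

// checkCSP wants the standard Content-Security-Policy header (the pre-standard
// X-prefixed names are legacy) and a script source list carrying neither
// 'unsafe-inline' nor a bare '*', since either lets injected markup run and
// gives up the XSS protection the policy exists for.
func checkCSP(h http.Header) Finding {
	const name = "Content-Security-Policy"
	v := h.Get(name)
	if v == "" {
		if h.Get("X-Content-Security-Policy") != "" || h.Get("X-WebKit-CSP") != "" {
			return Finding{name, false, "only a legacy prefixed CSP header is set"}
		}
		return Finding{name, false, "header missing"}
	}
	dirs := parseCSP(v)
	scripts, ok := dirs["script-src"]
	if !ok {
		scripts, ok = dirs["default-src"] // script-src falls back to default-src
	}
	if !ok {
		return Finding{name, false, "neither script-src nor default-src set: scripts unrestricted"}
	}
	for _, s := range scripts {
		switch strings.ToLower(s) {
		case "'unsafe-inline'":
			return Finding{name, false, "'unsafe-inline' lets injected inline scripts run"}
		case "*":
			return Finding{name, false, "'*' allows scripts from any origin"}
		}
	}
	return Finding{name, true, "ok"}
}

func auditHeaders(h http.Header) []Finding { return []Finding{checkHSTS(h), checkCSP(h)} }

func main() {
	// Constructed sample responses; not captured from any real site.
	weak, strong := http.Header{}, http.Header{}
	weak.Set("Strict-Transport-Security", "max-age=300")
	weak.Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'")
	strong.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	strong.Set("Content-Security-Policy", "default-src 'self'; script-src 'self' https://static.example")
	for _, h := range []http.Header{weak, strong} {
		for _, f := range auditHeaders(h) {
			fmt.Printf("%-26s ok=%-5v %s\n", f.Header, f.OK, f.Note)
		}
	}
}
```

Run against a real site by filling an http.Header from the response to an HTTPS GET; note that HSTS is only meaningful when sent over HTTPS, so a check on the plain-http response proves nothing.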

“This engine is focused on modern web standards, allowing web developers to build and maintain one consistent site that supports all modern browsers,” said Cowan.

“This greatly simplifies the hard work of building first class websites, allowing more time and energy for web developers to focus on reliability and security rather than the complexities of interoperability,” he said.

By working with the Windows team, developers have also worked to improve security of the browser through tighter integration with the operating system.

For example, Windows 10 includes Microsoft Passport technology with asymmetric cryptography to authenticate users to websites.

This approach is aimed at reducing phishing attacks that trick users into entering their password on a fake version of a website they trust.

Microsoft Passport helps defend Microsoft Edge users against phishing attacks by removing the need for users to enter plain-text passwords into websites.
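Why public-key login leaves a phishing page with nothing worth collecting is easiest to see in code. The following is an added example, not Microsoft's Passport implementation or any of its protocol details: a server issues a random challenge, the device signs it with a private key that never leaves the device, and the signed message is bound to the origin the client is really connected to, so a signature harvested by a look-alike site cannot be presented to the real one, and a captured signature cannot be replayed because each challenge is accepted once. The origins, user names and message format are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server keeps its own origin, each enrolled user's public key and the
// challenges it has issued but not yet seen answered. Nothing here is a
// secret a phisher could collect and reuse.
type Server struct {
	Origin     string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string]bool
}

func NewServer(origin string) *Server {
	return &Server{origin, map[string]*ecdsa.PublicKey{}, map[string]bool{}}
}

// newKey makes a device key pair; the private half stays on the device.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Enroll records a user's public key, done once when the device is set up.
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce that will be accepted once.
func (s *Server) Challenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	s.challenges[n] = true
	return n
}

// signedMessage binds the response to an origin and a nonce. The format is
// the editor's choice for the demo, not a documented Passport encoding.
func signedMessage(origin, nonce string) []byte {
	h := sha256.Sum256([]byte(origin + "\x00" + nonce))
	return h[:]
}

// Client answers a challenge by signing with the device key. origin is the
// site the client is actually connected to (the phisher's, if the user was
// tricked), taken from the connection rather than from anything the page says.
func Client(priv *ecdsa.PrivateKey, origin, nonce string) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(origin, nonce))
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify checks that the nonce is outstanding, retires it, and verifies the
// signature under the server's own origin and the user's enrolled key.
func (s *Server) Verify(user, nonce string, sig []byte) error {
	if !s.challenges[nonce] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, nonce) // single use: a relayed or replayed copy is dead
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("user not enrolled")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(s.Origin, nonce), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

func main() {
	device := newKey()
	bank := NewServer("https://bank.example") // constructed origin
	bank.Enroll("alice", &device.PublicKey)

	// Genuine login: the client signs for the origin it is really on.
	n := bank.Challenge()
	sig := Client(device, "https://bank.example", n)
	fmt.Println("genuine login:", bank.Verify("alice", n, sig))

	// Phishing: a look-alike site relays the bank's nonce to the victim. The
	// client signs for the look-alike's origin, so the bank rejects the result,
	// and no password was typed for the attacker to keep.
	n2 := bank.Challenge()
	phished := Client(device, "https://bank-example.login-check.test", n2)
	fmt.Println("relayed phish:", bank.Verify("alice", n2, phished))

	// Replay: a captured genuine signature is dead once its nonce is used.
	fmt.Println("replay:", bank.Verify("alice", n, sig))
}
```

The property worth noticing is that the server stores only public keys and short-lived nonces, so a breach of the server's database yields nothing that logs anyone in anywhere, which a password hash table cannot claim.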

“Windows 10 will also offer the most convenient way to unlock your device and access your Microsoft Passport, providing a truly seamless experience that is more secure than today’s world of complicated passwords,” said Cowan.

By building Microsoft Edge from the ground up, Microsoft has included security enhancements and new security features, and has made older opt-in features always-on.

“For this reason, we believe Microsoft Edge will be the most secure web browser that Microsoft has ever shipped,” said Cowan.

However, he said that despite all efforts, Microsoft recognises there will be security vulnerabilities in Microsoft Edge that are still unknown.

“To minimise customer impact, we will be offering a Windows 10 Technical Preview Browser Bug Bounty program, intended to incent security researchers to report browser vulnerabilities to Microsoft during the Technical Preview period rather than after Microsoft Edge ships as a general use product,” said Cowan.

Microsoft Edge is expected to debut alongside Windows 10 when it is released later this summer.


Via: computerweekly

“Government Wants to Control Your Car” and Prevent You From ‘Tinkering’ Under DMCA Copyright

Think you own your car? Think again.

How much do we truly “own” of our own lives, anyway?

With income taxes, property taxes on homes and property, manipulations and interventions of the markets, the food supply and health care, education and many other areas, we may ultimately own very little. For now, our souls remain out of reach.

Automobiles, our ability to legally drive and our inherent freedom to travel are all under systematic attack.

Buying a car no longer means that you own it, use it, alter it or modify it. Restrictions on drivers and advanced traffic monitoring are now matched by trickle-down effects on auto manufacturers: the rules for emissions, safety standards and environmental regulations are being used to prevent individuals from tampering with computer-regulated motor technology.

It puts a whole new spin on the concept of the engine governor.

In a forward thinking post, auto/libertarian blogger Eric Peters wrote:

The government wants to control your car – how it’s made, what it comes equipped with and (of course) how you’re allowed to drive it. Now comes the other half of the pincers:

The car companies want to prevent you from working on the thing.

Modifications – performance enhancements – and even routine maintenance are to become illegal via the application (and enforcement) of the Digital Millennium Copyright Act (DMCA) to cars.

They are claiming propriety rights to the software embedded in the computer – technically, the Electronic Control Unit or ECU – that pretty much runs a modern car. They claim – and you knew this was coming, right? – that saaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaafety is threatened by people doing their own maintenance or tweaking/tuning as such might affect how the various saaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaafety systems embedded in the car and controlled by the ECU operate.

Safety.

The straight jacket is slowly tightening – and, as usual, it is in the name of safety, security and peace of mind.

Your rights of mobility have been restricted by the rules placed on state-licensed vehicles, on environmentally regulated engine parts, and by computer-monitored sensors that act as a black box for authorities, and check for vehicle compliance on these and other matters.

Peters points to a statement from the Alliance of Automobile Manufacturers (a group to which all the major brands belong) arguing against allowing customers to “jailbreak” vehicles as they have done mobile phones:

Automobiles are inherently mobile, and increasingly they contain equipment that would commonly be considered computing devices. Proponents did not mention in-vehicle telematics systems (or any other aspect of motor vehicle systems) when describing the proposed class, and no commenter has submitted evidence in the record that would support an exemption that covers such systems. Nonetheless, Auto Alliance urges the Copyright Office to ensure that vehicles are not inadvertently swept into the exemption.

The security implications of action in this proceeding to permit the circumvention of access controls on vehicle electronic control units (“ECUs”) is particularly troubling. Many of the ECUs embodied in today’s motor vehicles are carefully calibrated to satisfy federal or state regulatory requirements with respect to emissions control, fuel economy, or vehicle safety.

Allowing vehicle owners to add and remove programs at whim is highly likely to take vehicles out of compliance with these requirements, rendering the operation or re-sale of the vehicle legally problematic. The decision to employ access controls to hinder unauthorized “tinkering” with these vital computer programs is necessary in order to protect the safety and security of drivers and passengers and to reduce the level of non-compliance with regulatory standards.

Vehicle telematics, by the way, means tracking and diagnostics in vehicles equipped with a computer ECU. That’s what it is all about. As Wikipedia notes, the major application of vehicle telematics centres around vehicle tracking – “monitoring the location, movements, status and behaviour of a vehicle or fleet of vehicles.”

Now, DMCA copyright laws will compound the already strict requirements on car manufacturers to hamstring the ability of an individual to work on or modify their own vehicle.

Doing so would be noticed by the vehicle tracking systems, and would violate these regulations – prompting fines, legal action or even vehicle kill switches, disabling the car and preventing the owner from using it at all.

And now – drum roll, please – government (egged on by the car companies, which are big cartels and becoming indistinguishable from the government) has the right to criminalize any “meddling” by you with the car that could even theoretically compromise the saaaaaaaaaaaaaaaaaaaaaaaaaaaaaaafety of the vehicle.

Or its emissions output.

Or its gas mileage.

It will become an actionable offense to use more gas than you’re allowed. Notwithstanding you paid for it. High-flow injectors? A conical air filter? $500 fine. Or maybe they just seize the car.

Or, just turn it off – remotely.

Essentially, you are free in so far as you are under their thumb and in compliance with any number of regulations.

You will make the payments – but you will only be allowed to use the car as decreed. And the enforcement mechanism is already in place.

It is already in the car.

Maybe time to get back to that classic car in the garage… just needs a couple of basic parts and some tweaking.


Start now to make sure you are staying prepared.

Via: shtfplan

iPhone case uses phone’s OWN SIGNAL to charge it (forever, presumably)

A new Apple iPhone 6 case harvests energy from the smartphone’s radio transmissions and uses it to charge the battery, its developers claim.

Nikola Labs, which touted the product at TechCrunch Disrupt on Monday – and which was selected to pitch to the crowd there “after being selected by the TechCrunch editorial team and the audience” – promised that the device would gulp down the wasted energy that escapes from an iPhone 6 when delivering a mobile signal.

That energy, the outfit somewhat wildly claimed, will be squeezed back into the phone and thereby power it for up to 30 per cent longer. [Which presumably means that another 30 per cent of that increased time can then be reaped and recycled by the case and so on in an asymptotic progression meaning that the phone can NEVER RUN OUT of power. -Ed.]

The company said:

Nikola Technology efficiently converts RF signals like Wi-Fi, Bluetooth, and LTE into DC power using its proprietary energy harvesting circuit.

The result is usable energy that can provide power to mobile devices wirelessly.

The case will be sold via Kickstarter next month at $99 a pop, apparently.

We’re quite sure that our readers will really get behind this device and not pooh-pooh the mobe-charging claims one bit. Right?


Via: theregister.co.uk

Microsoft lets you flip the bird with new emojis

Microsoft will add a couple of new emoji in its mid-2015 patch, and those include the middle finger – in all skin tones.

Emojipedia, which first spotted the change – hilariously describes the emoji as a “reversed hand with middle finger extended”.

They could have also named it a shovel.

The middle finger emoji was approved in 2014 by Unicode, the computer industry standards body responsible for emoji, but Microsoft is the first company to embrace the lewd gesture as part of its emoji keyboard, Mashable says.

As with Apple, Microsoft will also include racially diverse emoji, however its default skin tone is not the LEGO yellow (or Simpsons yellow, however you like it). Instead, the default skin tone will be alien grey.

“Taking on board the Unicode recommendation that the default skin tone of emoji people should be generic (nonhuman) in appearance, Windows now displays gray-skinned people as the race-neutral default,” Emojipedia writes. “This is used when no specific skin tone is chosen.”

Many human emojis in Windows use the bald-man character, which neatly avoids the issue of hair colour altogether.

Windows 10 will also include a few other changes to give emoji more cross-platform consistency. Most importantly, the “information desk” emoji will also be updated to resemble Apple’s version, but Windows 10 takes the sass a step further by adding a tiny wink to the left eye.

There’s still no flag support though, with Windows displaying a two-letter regional code for each country instead.


Via: itproportal

Check out this creepy vein-embedded jewellery that powers your phone with your blood

If you thought using the human body as a power source was something confined to movies like The Matrix, one Israeli artist is out to prove you wrong – and with a project that most definitely crosses the line from cool into creepy.

Naomi Kizhner, an Israeli graduate student, has designed a range of jewellery that interfaces intravenously with its wearer – that is, it sticks right into your veins and uses the movement of your blood pumping around your body to create charge. So next time you run out of battery on your mobile, you might not be asking around for a charger – you might be plugging your phone right into your veins.

The eerily beautiful and beautifully creepy devices work by pumping blood past a small wheel inside, generating charge and transferring it via a clip-on wire.

Rather than trying to make the public accept her creepy new idea, Kizhner is embracing the horrified reactions.

“I wanted to provoke the thought about how far will we go to in order to ‘feed’ our addiction in the world of declining resources,” she told reporters.

“There are lots of developments of renewable energy resources, but the human body is a natural resource for energy that is constantly renewed, as long as we are alive. I wanted to explore the post-humanistic approach that sees the human body as a resource. Will we be willing to sacrifice our bodies in order to produce more energy? My intention is to provoke a discussion.”

The jewellery is part of a project that Kizhner is calling “Energy Addicts”. The project includes three pieces: The Blinker, The E-pulse Conductor and The Blood Bridge.

wow, I’m thinking “Borg” here?


Via: itproportal

Cortana lands role as tech support for Windows 10

Microsoft is planning to take the human out of tech support with the launch of Windows 10. New reports suggest Cortana, the virtual assistant implanted into Windows Phone and coming to desktop, will be all the tech support users need.

Cortana can already see across the whole Windows 10 operating system, tapping into programs to find the root cause of a problem. It can also quickly run a Bing search to see whether any helpful information is available.

This would be a huge advancement in tech support if Cortana can find the root issues. Microsoft could also use its cloud system to continuously add relevant updates to the tech support, making sure Cortana is up to date with new issues.

Having the virtual assistant offer tech support could be one way for Microsoft to win users, who may otherwise not use the program. Apple and Google have both had trouble keeping users active on their own virtual assistant platforms, due to a lack of useful features.

Microsoft will start off with simple queries such as “how do I connect to the internet?” and “how do I run a program?”, moving onto more complex stuff in the next few years. It is a good base to start, although it might be harder for Microsoft to make sure users will go to the virtual assistant when they need help.

Cortana is already becoming its own virtual platform with unique features Siri and Google Now do not offer, but it lacks the information Google can gather through its own services, making it limited as an assistant keeping tabs on all incoming and outgoing messages.


Via: itproportal

Can the Rombertik malware really “destroy computers”? No, no, three times NO!

We didn’t really want to get drawn into this one.

But it’s hard to avoid commenting on malware that has variously been described as a “terrifying ‘suicide bomber’” and as having a payload that “destroys computers.”

That’s the sort of computer security hyperbole that does nothing but harm.

The best outcome is that you end up being offensive, as you are when you insist on trotting out the phrase “digital Pearl Harbor” and expecting to be taken seriously.

The worst outcome is that you create an entirely false sense of security by describing a manageable, albeit serious, threat as though it were truly extreme.

By creating the impression that a manageable threat is “as bad as it gets,” you undermine your readers’ interest in bothering about less serious threats at all.

Introducing Rombertik

The malware in question has been nicknamed “Rombertik” (Sophos products will block it as Troj/Delp-AD).

SophosLabs first came across it in January 2015, one of some 300,000 new malware samples that we encounter each day.

→ The vast majority of the samples we get each day aren’t truly new. They’re unique only in the strictly technical sense that they consist of a sequence of bytes that we haven’t encountered before, in the same way that Good morning and GOOD MORNING are not literally the same. Most of the new samples that show up each day are merely minor variants that we already detect, or known malware that has been encrypted or packaged differently. Nevertheless, that still leaves plenty of samples worth looking at.

Rombertik’s primary purpose seems to be to hook itself into your browser so it can keep track of what you type in.

Make no mistake, credential stealing malware of this sort is serious, because it can lead to compromised bank accounts, hacked servers, stolen data, decrypted secrets and more.

But it won’t destroy your computer, or kill you along with itself.

The cause of the hype

Where the hype-making headlines come from is an anti-hacking trick that’s buried in the malware.

Many Trojans and viruses over the years have had some sort of tamper-detection or tamper-prevention built in, just like the security tools that try to detect them in the first place.

Some malware, like Dyreza, about which we wrote recently, tries to work out if it is being run inside a malware research environment, and behaves entirely innocently if so.

This is the low-key way of avoiding notice: give nothing away at all, so that the file gets overlooked and put to the bottom of the queue for attention.

Other malware, like Rombertik, takes a different approach.

If it detects that you have altered the malware in certain ways – for example, if you are another crook trying to repurpose it without paying for the privilege – it will overwrite vital information on your computer.

In all likelihood, you’ll lose your data and end up reinstalling your operating system and applications to get up and running again.

You can call it spite, call it revenge, call it retaliation, call it destructive to your data (that much is perfectly true)…

…just don’t say that it destroys the computer, and don’t even think of comparing it to suicide bombing.

How it works

For what it’s worth, Rombertik’s data-wiping techniques go something like this:

• Try to wipe out the MBR.

The MBR, or Master Boot Record, is the very first sector on the hard disk; it holds the first-stage boot code and the partition table, the index of how your disk is divided up.

Wiping the MBR really is a spiteful way to proceed, because it leaves you so near, yet so far.

Technically speaking, all your data remains behind, so with the right expertise or recovery tools you may very well get it back, but almost certainly not without plenty of frustration along the way.

It’s like putting a vital document through a shredder and then handing back the strips and saying, “There you are. All present and correct! You only have to work out which pieces go where.”

Fortunately, writing to the MBR means raw access to the physical disk, which requires Administrator privilege on Windows, so a program running as a standard user can’t do it.
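To make the “so near, yet so far” point concrete, here is an added example (not from the Sophos article): a Go parser for the MBR partition table, run on a constructed 64-sector disk image, followed by the kind of scan a recovery tool performs once the table is gone. A 512-byte sector size and the NTFS boot-sector OEM id are assumed; the disk contents are made up for the demo.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Partition is one of the four primary entries in a classic MBR.
type Partition struct {
	Bootable bool
	Type     byte   // 0x07 = NTFS/exFAT, 0x83 = Linux, 0x05/0x0F = extended
	StartLBA uint32 // first sector of the partition, counted from the start of the disk
	Sectors  uint32
}

// ParseMBR reads the partition table out of sector 0 (512 bytes assumed).
// The four 16-byte entries start at offset 446; bytes 510-511 hold 0x55 0xAA.
func ParseMBR(sector []byte) ([]Partition, error) {
	if len(sector) != 512 {
		return nil, errors.New("MBR must be exactly 512 bytes")
	}
	if sector[510] != 0x55 || sector[511] != 0xAA {
		return nil, errors.New("boot signature missing: the MBR has been wiped or overwritten")
	}
	var parts []Partition
	for i := 0; i < 4; i++ {
		e := sector[446+16*i : 446+16*(i+1)]
		if e[4] == 0 { // type 0 marks an unused slot
			continue
		}
		parts = append(parts, Partition{
			Bootable: e[0] == 0x80,
			Type:     e[4],
			StartLBA: binary.LittleEndian.Uint32(e[8:12]),
			Sectors:  binary.LittleEndian.Uint32(e[12:16]),
		})
	}
	return parts, nil
}

// buildMBR assembles a synthetic sector 0 for the demo (constructed data, not
// an image of any real disk). CHS fields are left zero; modern tools use LBA.
func buildMBR(parts []Partition) []byte {
	s := make([]byte, 512)
	for i, p := range parts {
		e := s[446+16*i:]
		if p.Bootable {
			e[0] = 0x80
		}
		e[4] = p.Type
		binary.LittleEndian.PutUint32(e[8:], p.StartLBA)
		binary.LittleEndian.PutUint32(e[12:], p.Sectors)
	}
	s[510], s[511] = 0x55, 0xAA
	return s
}

// findNTFSBootSectors is the kind of scan a recovery tool runs once the table
// is gone: every NTFS volume starts with a boot sector carrying the OEM id
// "NTFS    " at bytes 3-10, so the volume can be located and the entry rebuilt.
func findNTFSBootSectors(disk []byte) []uint32 {
	var hits []uint32
	for off := 512; off+512 <= len(disk); off += 512 {
		if string(disk[off+3:off+11]) == "NTFS    " {
			hits = append(hits, uint32(off/512))
		}
	}
	return hits
}

func main() {
	// A 64-sector toy disk: MBR, then one bootable NTFS partition at LBA 8.
	disk := make([]byte, 64*512)
	copy(disk, buildMBR([]Partition{{Bootable: true, Type: 0x07, StartLBA: 8, Sectors: 56}}))
	copy(disk[8*512+3:], "NTFS    ")

	parts, err := ParseMBR(disk[:512])
	fmt.Printf("before wipe: %+v err=%v\n", parts, err)

	for i := range disk[:512] { // what an MBR wiper does: zero sector 0 only
		disk[i] = 0
	}
	_, err = ParseMBR(disk[:512])
	fmt.Println("after wipe:", err)
	fmt.Println("NTFS boot sectors still on disk at LBA:", findNTFSBootSectors(disk))
}
```

The scan is exactly why a backup matters more than the wipe: the filesystems are untouched, but someone has to do the forensic work of finding them and writing a fresh table, and a GPT disk or an encrypted volume changes the details.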

If trashing the MBR fails, Rombertik falls back on this:

• Starting in the home folder, overwrite almost all files.

In what is almost certainly a bit of gruesome humour from the crooks, Rombertik works just like ransomware, encrypting your files in place on the disk.

The malware chooses a random 256-byte encryption key for each file, but none of the keys is saved anywhere, so you end up with what is effectively random, shredded cabbage instead of your data.

Only files with the extensions .EXE, .DLL, .VXD and .DRV will survive.

What to do?

Ironically, getting hit right away by Rombertik’s data-wiping payload is probably a safer outcome than being infected for days or weeks without noticing.

Remember that the non-destructive part of the malware sets out, amongst other things, to snoop on your browsing and steal your data, perhaps even your identity.

Either way, as with any malware, your best bet is not to get infected in the first place:

  • Keep your operating system and applications patched.
  • Use an active anti-virus and keep it up-to-date.
  • Avoid unexpected attachments.
  • Try stricter filtering at your email gateway.

And these precautions will shield you against all sorts of catastrophes, not just destructive malware:

  • Only logon with Administrator privileges when you genuinely need to.
  • Take regular backups, and keep one backup set off-site.
  • Remove unnecessary or unwanted software so there is less to go wrong.


Via: sophos

Lenovo PCs have another gaping vulnerability: patch Lenovo System Update now

No doubt there has been much groaning going on at Lenovo’s PR department, as no sooner has the Superfish scandal been (kind of) forgotten, another major flaw with Lenovo’s machines has emerged.

Back in February, Superfish caused a major fracas as it turned out to be preinstalled adware that stole private information from Lenovo’s Windows laptops – and while the PC vendor initially denied the software was anything malicious, it quickly backtracked and ditched the program.

And now new flaws in Lenovo’s System Update – which provides patches, drivers and the like to users – have been pointed out. The vulnerabilities were discovered by IOActive (spotted by Gizmodo), and mean attackers could potentially hijack the update system and provide a laptop with ‘updates’ which are actually malware.

The central vulnerability, tracked as CVE-2015-2233, is a flaw in the signature validation checks that an attacker (local, or possibly remote) can bypass in order to replace trusted Lenovo apps with malicious software.

IOActive noted: “The System Update downloads executables from the Internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them.”

Apparently Lenovo failed to properly validate the certificate authority chain, so an attacker could create a fake certificate and use it to sign a malware-laden executable that the updater would accept.

There are two further flaws to compound this that let even least-privileged users gain high-level access to a machine in order to execute malicious commands and the like.
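The gap between checking a signature and verifying the signer is worth seeing in code. The following is an added example, not IOActive's finding or Lenovo's code, and it says nothing about how System Update was actually written: an update bundle is signed under a certificate, and two verifiers look at it. The naive one checks only that the signature matches the certificate shipped with the file; the strict one first chains that certificate to a root the updater pins and only then checks the file. Certificate names, the file bytes and the bundle layout are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bundle is what a downloaded update carries: the binary, a signature over
// its SHA-256, and the certificate whose key made that signature.
type Bundle struct {
	Exe, Sig []byte
	Signer   *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if rand does
	return k
}

// makeCert issues a certificate for pub, signed by parent with parentKey, or
// self-signed when parent is nil. All names are constructed for the demo.
func makeCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

func signExe(exe []byte, key *ecdsa.PrivateKey) []byte {
	h := sha256.Sum256(exe)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:]) // fails only if rand does
	return sig
}

// naiveVerify is the mistake: it proves only that the signature was made by
// the key in the certificate shipped with the file. It never asks who issued
// that certificate, so any self-made certificate with a plausible name passes.
func naiveVerify(b Bundle) error {
	pub, ok := b.Signer.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(b.Exe)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], b.Sig) {
		return fmt.Errorf("file signature does not match %q", b.Signer.Subject.CommonName)
	}
	return nil
}

// strictVerify first chains the signer certificate up to a root the updater
// pins (not the system store, and never anything found in the download),
// requiring the code-signing EKU, and only then checks the file signature.
func strictVerify(b Bundle, trusted *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := b.Signer.Verify(opts); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	return naiveVerify(b)
}

// scenario builds the vendor root, a genuine update signed under it, and a
// forgery signed under a self-made certificate that copies the vendor's name.
func scenario() (trusted *x509.CertPool, genuine, forged Bundle) {
	caKey, sKey, badKey := newKey(), newKey(), newKey()
	ca := makeCert("Example Vendor Root CA", true, &caKey.PublicKey, nil, caKey)
	signer := makeCert("Example Vendor Update Signer", false, &sKey.PublicKey, ca, caKey)
	bad := makeCert("Example Vendor Update Signer", false, &badKey.PublicKey, nil, badKey)
	exe := []byte("MZ genuine update (constructed bytes)")
	mal := []byte("MZ malicious update (constructed bytes)")
	genuine = Bundle{exe, signExe(exe, sKey), signer}
	forged = Bundle{mal, signExe(mal, badKey), bad}
	trusted = x509.NewCertPool()
	trusted.AddCert(ca)
	return
}

func main() {
	trusted, genuine, forged := scenario()
	fmt.Println("genuine, naive :", naiveVerify(genuine))
	fmt.Println("genuine, strict:", strictVerify(genuine, trusted))
	fmt.Println("forged,  naive :", naiveVerify(forged)) // nil: the bug
	fmt.Println("forged,  strict:", strictVerify(forged, trusted))
}
```

Note the order in strictVerify: establish who the signer is before spending any trust on what they signed. A real updater would also pin the expected signer identity, not just the root, so that any other certificate the vendor CA has issued cannot be turned against the update channel.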

Kevin Bocek, Vice President of security strategy & threat intelligence at Venafi said: “The system of trust that runs the Internet is very fragile. Failing to validate a certificate properly gives bad guys the powerful weapons they need to circumvent security controls.

 

“Lenovo joins many others in not being prepared to secure the trust that’s established by keys and certificates. Lenovo, like Fandango, Credit Karma, and an estimated 40 per cent or more of mobile application developers, was not able to validate if certificates were from a trusted authority. With every Global 2000 organisation reporting attacks on keys and certificates, according to the Ponemon Institute, the Internet needs an immune system to evaluate what’s really trusted or not.

“Lenovo is certainly not alone in their inability to properly validate digital certificates – this is just the tip of the iceberg. And as this vulnerability shows, if you can compromise certificates, other security controls break down. With a compromised or forged certificate, you can masquerade as a trusted service, hide in encryption, and go undetected.

“Using keys and certificates attempted to solve the first security problems on the Internet – what can I trust and what can be private. But with the rapid rise in vulnerabilities and attacks, now more than ever is the time to take protecting keys and certificates seriously.”

The good news? These problems were actually found a few months back when Superfish first hit the limelight, and IOActive has only revealed them now, after Lenovo has patched its update system.

All Lenovo users need to ensure they update the Lenovo System Update to the latest version as a result – if you’re running version 5.6.0.27 or earlier, then you are at risk when it comes to these flaws.

UPDATE: Lenovo has issued a statement saying: “Lenovo’s development and security teams worked directly with IOActive regarding their System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them. Lenovo released an updated version of System Update on April 1st which resolves these vulnerabilities and subsequently published a security advisory in coordination with IOActive at: https://support.lenovo.com/us/en/product_security/lsu_privilege.”


Via: itproportal


Top Critical Skill In Information Security: Be Humble

Post by KEN WESTIN

“The more I learn, the more I realize how much I don’t know.” – Albert Einstein

Being involved in information security is intimidating. Not just because you are dealing with complex technology with serious implications if you fail, but everyone around you is going to be smarter than you. Even your adversaries. Especially your adversaries. Get used to it.

By everyone being smarter, I don’t mean to say we are dumb but stating the fact that nobody knows everything when it comes to all the various segments of information security. The acronyms that follow your name, from degrees and certifications and the tools you master, are a testament to your dedication but are only letters without learning to be humble, acknowledging your weaknesses and appreciating others’ strengths.

Some of the most successful people I know in technology and security view “I don’t know” not as an admission of failure, or giving up, or a reason to get defensive, but as a challenge to learn and collaborate.

I always find the stereotype of the “lone hacker” in a basement not only a bit insulting but in many respects, a huge disservice to an entire industry, which is actually built on collaboration. “Hacking” is innovation in its purest form, it is where creativity and technology meet and this rarely occurs in a vacuum.

Those tools you so expertly use were developed by teams of people who came before you and will be improved by those that come after. Those vulnerabilities and exploits were not discovered and written by one person, but by a community primarily aimed at helping to make us all more secure.

We often hear about Infosec folks and developers being introverted. I find this to be untrue; we may just be more interested and passionate about things others don’t know or care about. Going to security conferences, I am always impressed by how inclusive and collaborative the community is and find myself more excited about the conversations with friends – old and new – than the actual talk tracks themselves.

After every conference I always feel exhausted and humbled, as the more you learn about infosec, the more you realize you can’t know everything and the more you respect people for their contributions in their areas of expertise and willingness to share it with the rest of us. Not everyone is the 1337 Haxor and frankly, it would be incredibly boring and a waste of time if everyone was.

I find Infosec to be the Renaissance profession requiring a wide range of disciplines across a number of industries. That might be why I find so many successful people involved in Infosec that don’t come from traditional technical backgrounds, but who are armed with liberal arts degrees and a passion for learning.

Infosec is based on a culture of learning and collaboration, not pretentiousness and exclusiveness. The next time you see someone struggling with a tool or technique, instead of calling them a “noob” try teaching or helping them, you may learn more about them, the tools and yourself in the process.

———-

All I can say to this is that it is right on the money.

Via: tripwire

PayPal Points Way to Edible Biometric Devices

The future of authentication could involve biometric identification enabled by tiny ingestible and embeddable devices, according to PayPal.

The firm’s global head of developer evangelism, Jonathan LeBlanc, claimed in an interview with the Wall Street Journal that traditional biometrics like fingerprints and iris scans have become “antiquated” and could be replaced by systems placed inside individuals to allow “natural body identification.”

Their batteries could be powered by stomach acid and could monitor unique traits like glucose levels or blood pressure, in order to verify a person’s identity and strengthen traditional passwords, he said.

Other solutions could involve wearable “tattoos” incorporating a computer chip placed under the skin, embedded wireless antenna to beam out information, and various sensors for temperature, ECG activity and so on.

Traditional biometrics trialed thus far have too many false negatives and positives, he argued.

However, not everyone agreed with LeBlanc’s vision for the future.

Matt White, senior manager in KPMG’s cyber security practice, argued that establishing consumer trust will be the biggest barrier to adoption of new biometric authentication methods.

“Trying to convince the average person to implant a piece of technology to increase security of their perceived already secure account is a battle unlikely to be won,” he added.

“Rather than spending money on developing more advanced biometrics, companies should look to invest that money in user awareness and training, which will provide their users with added security.”

In fact, PayPal also distanced itself from LeBlanc’s future gazing comments, confirming that it has no plans to develop injectable or edible verification systems.

“It’s clear that passwords as we know them will evolve and we aim to be at the forefront of those developments,” it added in a statement sent to Infosecurity. “We were a founding member of the FIDO alliance, and the first to implement fingerprint payments with Samsung.”

In related news, new research from Kaspersky Lab this week once again highlighted the problem of user education and awareness when it comes to log-in security.

One in five consumers surveyed said they saw no value in their passwords to cyber-criminals, while only a quarter (26%) said they create a separate password for each account.

Some 11% said they keep passwords in a file on the device, 10% leave them on a sticker next to the computer and 17% share passwords with family and friends.

Marta Janus, security researcher at Kaspersky Lab, argued that passwords are “severely flawed.” However, two-factor authentication systems using one-time generated passcodes sent to the user’s phone are not much more secure, she told Infosecurity.

“For service providers and device manufacturers the key is to provide mechanisms that improve security, but without making it too onerous to apply them. It’s also important that providers, security vendors and others highlight the need for such mechanisms to consumers,” she added.

“For example, one of the benefits of biometrics is that it increases security but without making access to the service harder. Take Apple’s Touch ID as an example: I suspect that relatively few people used to use a complex passcode, because it was too much effort; but I think that probably most people use the fingerprint scanner.”

LeBlanc’s presentation on authentication, Kill All Passwords, can be found here.


Via: infosecurity-magazine