Pete Recommends – Weekly highlights on cyber security issues August 26 2018

Subject: Judge Rips Newspaper For Reporting Confidential Parkland Shooting Details
Source: HuffPost via Yahoo

Those details were to be kept private under the state’s public records laws and were blackened out electronically by the school board. Reporters at the paper, crediting a tip from the public on social media, found that they could easily remove the bars blocking the redacted content, leading to the publishing of the details on Aug. 4, the Sun Sentinel reported.

Subject: Move Google Authenticator from one Android device to another
Source: TechRepublic

But what happens if you lose your phone or upgrade to a new device? You install the Google Authenticator on the new device and continue on… right? Wrong. There are specific steps you must take, otherwise the barrier to entry to your Google accounts could become rather challenging. Let me walk you through the process of migrating the Google Authenticator to another device.

Subject: How to Protect Your Phone Against a SIM Swap Attack
Source: Wired

A sobering caveat: If a skilled SIM hijacker targets you, there’s realistically not much you can do to stop them, says Allison Nixon, threat research at security firm Flashpoint. “In most of the cases that we’ve seen, a sufficiently determined attacker can take over someone’s online footprint,” she says.

That’s because ultimately, the machinations behind SIM swaps are largely out of your control. Perfect security hygiene won’t always keep someone from fooling your carrier, and in fact, they may not even have to; Flashpoint has found some indications that SIM hijackers recruit retail workers at mobile shops to gain access to protected accounts. A comprehensive SIM swap fix would require fundamentally rethinking the role of phone numbers in 2018. “Phone numbers were never intended to be a way to confirm someone’s identity,” says Nixon. “Phone companies were never in the business to sell identity documents. It was imposed on them.”

Stick a PIN in It

Every major US carrier offers you the option of putting a PIN or a passcode on your account. Take them up on it. Having one adds another layer of protection, another piece of information an attacker needs before they can compromise your identity. That won’t help against an insider threat, but it’s much better than nothing.

Subject: Between You, Me, and Google: Problems With Gmail’s “Confidential Mode”
Source: EFF via beSpacific

EFF: “With Gmail’s new design rolled out to more and more users, many have had a chance to try out its new “Confidential Mode.” While many of its features sound promising, what “Confidential Mode” provides isn’t confidentiality. At best, the new mode might create expectations that it fails to meet around security and privacy in Gmail. We fear that Confidential Mode will make it less likely for users to find and use other, more secure communication alternatives. And at worst, Confidential Mode will push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security. With its new Confidential Mode, Google purports to allow you to restrict how the emails you send can be viewed and shared: the recipient of your Confidential Mode email will not be able to forward or print it. You can also set an “expiration date” at which time the email will be deleted from your recipient’s inbox, and even require a text message code as an added layer of security before the email can be viewed. Unfortunately, each of these “security” features comes with serious security problems for users. It’s important to note at the outset that because Confidential Mode emails are not end-to-end encrypted, Google can see the contents of your messages and has the technical capability to store them indefinitely, regardless of any “expiration date” you set. In other words, Confidential Mode provides zero confidentiality with regard to Google…”

Subject: How’s that encryption coming, buddy? DNS requests routinely spied on, boffins claim
Source: The Register

Most people’s DNS queries – by which browsers and other software resolve domain names into IP addresses – remain unprotected while flowing over the internet.

And that’s because, you may not be surprised to know, the proposed standards to safeguard DNS traffic – such as DNSSEC and DNS-over-HTTPS – have yet to be fully baked and aren’t yet widely adopted.

DNSSEC, for one, aims to prevent miscreants tampering with intercepted domain-name lookups by digitally signing the answers – making any forgeries obvious to software. DNS-over-TLS and DNS-over-HTTPS aim to do this, too, and encrypt the queries so eavesdroppers on the network can’t snoop on what sites you’re visiting.

Without these safeguards in wide (or any) use, DNS traffic remains unencrypted and unauthenticated, meaning it can potentially be spied on and meddled with to redirect people to malicious websites masquerading as legit sites.

The paper, “Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path,” describes how the researchers set up a system to measure DNS interception across 148,478 residential and cellular IP addresses around the world.

Subject: Government Leads Industry in Anti-Spoofing Email Protection, Report Finds
Source: Nextgov

The federal government is leading major industries in setting up anti-spoofing email security features, according to an industry report released Wednesday. More than 70 percent of federal government email domains are protected by the tool known as Domain-based Message Authentication, Reporting and Conformance, or DMARC, according to the report from the company ValiMail.

That’s compared with just about 40 percent of the highest value U.S. tech companies, highest value U.S. banks and companies in the Fortune 500, according to the report. The federal agency adoption rate has surged from under 20 percent in October, when the Homeland Security Department first ordered agencies to adopt DMARC.

DMARC must be installed on both the sending and receiving email services to work. So, if a government agency has properly implemented DMARC but a contractor or other industry partner hasn’t, that agency will still be vulnerable to malware-laden spoofed emails that appear to be from the company but are actually from someone else.


Subject: Doorbell camera videos create dilemma for police, neighborhoods
Source: Detroit Free Press via USA Today

DETROIT – As doorbell cameras and other smart home surveillance systems become more common, experts are urging homeowners: Don’t rush to post that video of the suspected burglar on your front porch until you’ve talked to police.

“We like to be notified first so we can start our investigation prior to the public starting their investigation,” Berkley, Mich., Public Safety Director Matt Koehn said.

An uptick in interest in home security systems, particularly affordable and easy-to-monitor doorbell cameras, and social media platforms, such as Nextdoor and Facebook, make it easier than ever for homeowners to share videos and photos of suspicious activities in their neighborhoods.
