Posts

Google's "Smart Lock" and Android Autofill

Image
Have you ever heard of Google's "Smart Lock"?

When I first discovered Smart Lock, it was just a feature of Android that allowed your device to remain unlocked as long as certain conditions were met - such as being at a specific location (say, at home), the front camera recognizing your face (you mean "Face ID" has been around for a long time? yes, and it never worked well and still doesn't work well, even on iPhone), your phone being on your body, or connected to a trusted device.



Recently Google has added another piece of functionality to Smart Lock called Smart Lock for Passwords. I first noticed this inside the Netflix application probably one or two years ago when I was offered to automatically sign in because my login info at the time was saved in my Google Chrome password manager, but no other apps that I used regularly seemed to have this new functionality. Looking at the developer page for this feature, it makes sense as to why since it appears to h…

An Important Way to Step Up Your Online Security Game

Image
In one of my previous posts I discussed cloud services and some steps you can take to help remain secure while online. The goal of today's discussion is to select and emphasize one particular step: two-factor authentication.

Whoa, "two-factor authentication" sounds like too much for you to handle? Don't run away just yet. Two-factor authentication, hereafter referred to in this post as "2FA", is a simple concept. First observe the list of "authentication factors" below.
Something you knowSomething you haveSomething you are We are used to authenticating ourselves with one thing - a password. Passwords are (usually) memorized and therefore are considered something we know. The downside to this approach of using a single factor is that anyone who can guess what you know can pretend to be you.
What if instead of just a password, you had to prove that you are in possession of something or that you are physically who you say you are? Many online service…

Botnets and DDoS attacks - What are they?

Image
Around this time last year DDoS attacks were all over the news. Dyn DNS and KrebsOnSecurity both were hammered by record-size attacks. See these two articles for a rundown of what happened:

https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ Recently more news of a botnet called "Reaper" or "IoTroop" has surfaced.  In summary, experts believe this botnet is intended to be used as a part of a DDoS-for-hire service. Let's dive in and see how DDoS works and why it's effective.
DDoS and Botnets
So what is a DDoS attack? You may have heard the term before (especially those who keep up with the video game industry). DDoS is an acronym which stands for "Distributed Denial of Service", and the purpose of DDoS is to take down a website or service on the Internet. What this means is that on a normal day the website will be up and available for you to use, but under a…

Spam: Fighting the Machine

Image
Spam is defined as "a canned meat product made mainly from ham."
Hm. Did you come here to read about ham?
Spam is also defined as "irrelevant or inappropriate messages sent on the Internet to a large number of recipients." That’s probably the definition we should discuss.
While spam is usually delivered via the Internet, it can also be distributed via traditional phone systems and cellular networks in the form of texts and phone calls.
Generally, spam refers to unsolicited: EmailSMS messages (texts)Social media messagesPhone calls How do “they” get to me? Several avenues are available for acquiring your contact information.
You gave them the information directly.It is freely available on your social media profile.It was leaked in a breach.It was voluntarily shared by a 3rd party that you may or may not have authorized to sell/share your information. But who are "they"? Is it an individual person trolling me? Most likely not. It’s usually one of two situati…

Passwords - Complexity < Length

Image
I'm revisiting the topic of password security today because it's essential to understand why passwords exist and how having a weak password can bring a world of pain.

Many services that you have signed up for have password complexity requirements. Something to the effect of:

At least 8 characters1 Uppercase1 Lowercase1 Numeric1 Symbol
Why the complexity? In short, the service is following a password "standard" by not allowing you to create an utterly useless password. However many services aren't doing very complex checks to see if your password is actually secure. Guess what password meets the above requirements: "Password123!" While a computer can generate words very very quickly (we're talking in the order of millions of words per second), a computer with no knowledge of the English language could theoretically take somewhere around 34 thousand years to crack that password.
But wait a minute, theoretically - is that what happens in the real world…

Password Manager - Yay or nay?

Image
What is a password? It’s that thing you must type to get into your stuff; It’s the bane of the Internet civilization.
Per Dictionary.com, a password is a secret word or expression used by authorized persons to prove their right to access, information, etc. Passwords were created with good intentions, but they quickly became one of the weakest forms of security in existence on the Internet. Simply having a password is better than not having one, but pretty much no service will allow you to have an account without setting a password.
Where did we go wrong? Imagine if all someone had to do to gain access to your bank account and siphon money out before you had a chance to notice was to know the name of your favorite childhood pet or your birthday or anniversary? That kind of knowledge would come with relatively minimal effort on the part of the attacker. Most people have their date of birth (DOB) publicly available through one means or another. 
On another note, maybe you weren’t even …

How someone tried to phish me

Image
A couple of weeks ago I received an email that looked like this.



This email went straight to my spam folder which I check occasionally to make sure I don't miss anything important. This particular email appeared to have come from one of my relatives. Let's see what's inside the email.



I have obfuscated the actual email address because it is the first and last name of a relative. So the email came from someone[at]kkfi[.]org. I don't recognize that domain, but a quick lookup tells me it belongs to a radio station.




Checking the hyperlink in the email body, I found that only one Antivirus vendor has the link categorized as phishing. But one bad verdict was enough for me to not visit the link. You can see the verdict here.



So why did someone at a radio station try to phish me? Well, actually it's likely that it wasn't an individual at the radio station but someone else who abused their domain and/or mail server.

Let's dig some more. This requires viewing the ac…