This is “crazy stuff!!” See the Motherboard article: Ransomware Forces Two Chemical Companies to Order ‘Hundreds of New Computers’.
While there is no single mitigation strategy that guarantees the prevention of cyber security incidents, it is fair to say the basics of securing a network and its resources (patching, backups, segmentation, least privilege) were most likely not covered adequately by these two organisations.
W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins. Major browsers and platforms have built-in support for the new Web standard for easy and secure logins via biometrics, mobile devices and FIDO security keys.
A friendly solution to password theft, phishing and replay attacks – W3C says “It’s common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources. According to a recent Yubico study, users spend 10.9 hours per year entering and/or resetting passwords, which costs companies an average of $5.2 million annually. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates.
With FIDO2 and WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem. FIDO2 addresses all of the issues with traditional authentication:
- Security: FIDO2 cryptographic login credentials are unique across every website; biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
- Convenience: Users log in with convenient methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
- Privacy: Because FIDO keys are unique for each Internet site, they cannot be used to track you across sites.
- Scalability: Websites can enable FIDO2 via a simple API call across all supported browsers and platforms on billions of devices consumers use every day.
“Web Authentication as an official web standard is the pinnacle of many years of industry collaboration to develop a practical solution for stronger authentication on the web,” said Brett McDowell, executive director of the FIDO Alliance. “With this milestone, we’re moving into a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.”
Read more –
W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins
Google Chrome – Enabling Strong Authentication with WebAuthn
Microsoft Edge – Web authentication and Windows Hello
Firefox – Using Hardware Token-based 2FA with the WebAuthn API
Google say they can keep your account safe from hijacking with a defense in depth strategy that spans prevention, detection, and mitigation.
To quote Google “As part of this, we regularly reset the passwords of Google accounts affected by third-party data breaches in the event of password reuse. This strategy has helped us protect over 110 million users in the last two years alone. Without these safety measures, users would be at ten times the risk of account hijacking.
We want to help you stay safe not just on Google, but elsewhere on the web as well. This is where the new Password Checkup Chrome extension can help. Whenever you sign in to a site, Password Checkup will trigger a warning if the username and password you use is one of over 4 billion credentials that Google knows to be unsafe.
Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username or password, and that any breach data stays safe from wider exposure. Since Password Checkup is an early experiment, we’re sharing the technical details behind our privacy preserving protocol to be transparent about how we keep your data secure.”
Read the full article at – https://security.googleblog.com/2019/02/protect-your-accounts-from-data.html
The Google Chrome extension can be found at – https://chrome.google.com/webstore/detail/password-checkup/pncabnpcffmalkkjpajodfhijclecjno
Internet Explorer is no longer a web browser anyone should rely on.
Chris Jackson is a Principal Program Manager at Microsoft in the Experiences and Devices Group, specialising in cybersecurity, application compatibility and modernising software assets, with a deep background in Windows and browser internals. Read Chris’s article “The perils of using Internet Explorer”.