Author: Michael Terlich

Gmail confidential mode launching, on by default, on June 25, 2019

Confidential mode provides built-in information rights management controls in your emails by allowing senders to create expiration dates and revoke previously sent messages. Because a sender can require additional authentication via text message to view an email, it’s also possible to protect data even if a recipient’s email account has been hijacked while the message is active. Additionally, with confidential mode, recipients don’t have the option to forward, copy, print, or download their content or attachments.

References:

Google Announcement

Protect Gmail messages with confidential mode

Send & open confidential emails

Hardware Token-based 2FA with the WebAuthn API

W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins. Major browsers and platforms have built-in support for new Web standard for easy and secure logins via biometrics, mobile devices and FIDO security keys.

A friendly solution to password theft, phishing and replay attacks – the W3C says: “It’s common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources. According to a recent Yubico study, users spend 10.9 hours per year entering and/or resetting passwords, which costs companies an average of $5.2 million annually. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates.

With FIDO2 and WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem. FIDO2 addresses all of the issues with traditional authentication:

  • Security: FIDO2 cryptographic login credentials are unique across every website; biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
  • Convenience: Users log in with convenient methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
  • Privacy: Because FIDO keys are unique for each Internet site, they cannot be used to track you across sites.
  • Scalability: websites can enable FIDO2 via a simple API call across all supported browsers and platforms on billions of devices consumers use every day.
“Web Authentication as an official web standard is the pinnacle of many years of industry collaboration to develop a practical solution for stronger authentication on the web,” said Brett McDowell, executive director of the FIDO Alliance. “With this milestone, we’re moving into a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.”

Read more –

W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins

Google Chrome – Enabling Strong Authentication with WebAuthn

Microsoft Edge – Web authentication and Windows Hello

Firefox – Using Hardware Token-based 2FA with the WebAuthn API

Protect your accounts from data breaches with Google Password Checkup

Google says it can keep your account safe from hijacking with a defense-in-depth strategy that spans prevention, detection, and mitigation.

To quote Google: “As part of this, we regularly reset the passwords of Google accounts affected by third-party data breaches in the event of password reuse. This strategy has helped us protect over 110 million users in the last two years alone. Without these safety measures, users would be at ten times the risk of account hijacking.

We want to help you stay safe not just on Google, but elsewhere on the web as well. This is where the new Password Checkup Chrome extension can help. Whenever you sign in to a site, Password Checkup will trigger a warning if the username and password you use is one of over 4 billion credentials that Google knows to be unsafe.

Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username or password, and that any breach data stays safe from wider exposure. Since Password Checkup is an early experiment, we’re sharing the technical details behind our privacy preserving protocol to be transparent about how we keep your data secure.”

Read the full article at – https://security.googleblog.com/2019/02/protect-your-accounts-from-data.html

The Google Chrome extension can be found at – https://chrome.google.com/webstore/detail/password-checkup/pncabnpcffmalkkjpajodfhijclecjno