Categories ArchivesConsumer Security

What’s the craic on KRACK? standard

For those who are not familiar with the Irish slang, read this. We got another fun named vulnerability this week that goes after WPA2 encryption, something that is ubiquitous but not impenetrable. Key Reinstallation Attacks, or KRACK for short, exposes a weakness in the WPA2 protocol. It’s an attack on the protocol itself, so anything that is unpatched and properly implemented to the Wi-Fi and WPA2 standard is vulnerable. Patches are already well on their way to being released and deployed. But this problem is going to stick around for a long time like Shellshock and Heartbleed. Many Wi-Fi hotspots are running outdated firmware that cannot be upgraded in some cases. Just like Shellshock and Heartbleed, the only way to ...

Continue Reading

Equifax is only half the problem, your SSN needs a redesign! standard

The Social Security Number in the United States is the closest thing we have to a national identification system. It’s widely used to deal with the government, open lines of credit, and serves as the unique ID for a tax payer. It’s effectively your financial and governmental digital footprint identifier from which all actions are compared. Great, right? We can use it to ensure people pay their taxes, connect bank records and large financial transactions to an identity, ferret out money laundering and illicit business, and get a personal balance sheet on anyone who has credit. Except, once that number is disclosed, it’s disclosed. Unlike a payment card number, there is no wide-scale method to reissue a social security number. Like ...

Continue Reading

More EMV Bypass Fun standard

So I’m sitting here in San Diego, which we all know is German for… never mind. As I pay for my lunch, I present my chip card and there is some kind of error. I know I entered my PIN correctly, but it immediately came back as failed. The bartender taught me a neat trick that I am sure we all need to be aware of as people capture magstripes and write them to new cards. “Oh, no problem on bypassing that. Just turn the card around and insert it, it will fail, and you can swipe!” The Verifone VX-675 terminal this place used detected that a card was inserted without a valid chip read, and immediately told me to ...

Continue Reading

Netgear (In)Security and their Failed Remote Management standard

I’ve been having issues with some home networking equipment and decided that after a couple of years, I needed to make some updates. I did my research and ultimately settled on the Netgear R8000. Not just because it looks dead sexy or because it’s called the Nighthawk, but because it had really great reviews and I’ve generally been on board with Netgear’s product quality and technology. That is, until today. One of my biggest complaints about today’s networking equipment is that it really wants to be the only router in your house. It wants to be the command center. So if you have a couple of pieces of networking equipment, they both want to be in charge. I get it, ...

Continue Reading

Does Age Determine How Quickly Shoppers Return? standard

Here’s another visualization to consider based on demographic data generated from my Consumer Attitudes Toward Breaches research (sponsored by MAC). Did age matter when it came to how quickly shoppers returned to a breached merchant? The data seemed to have a couple of stand-out bumps. Below is a graph that shows, on average, how quickly consumers returned to stores after a breach, grouped by age. The trend seems to be such that, in general, the youngest groups are more likely to return to a breached merchant before the older groups.  The middle two age groups are virtually identical up to the fourth digit past the decimal point—enough to consider them equal. What this means for management, is that younger generations ...

Continue Reading

Secure SSH, Go Beyond the Defaults standard

Secure Shell, or ssh, quickly became the replacement for telnet, rlogin, and rsh once system and network administrators realized how easy it was to capture credentials and modify traffic in flight. It’s the stuff out of movies. An administrator is logging into a system with an elevated account (such as root) while a bad guy is snooping all of the traffic and displaying the stream on his screen. He’s got all the credentials and can see everything that administrator is doing. Or worse, he’s sitting in between the administrator and his equipment and modifying the keystrokes from the administrator before forwarding them to the device. Cue the dramatic music. After its release over twenty years ago, it has seen near ...

Continue Reading

What an IRS Scam Sounds Like standard

Like many of you, I have come to the realization that people not in my contact list who actually use their voices to communicate with me over this texting machine usually want something from me—many times, a sales pitch. I’ve given up on answering most of these calls. For the few that leave a message, I will return it if it’s important. Hopefully people have figured out by now that written communication is preferred in many instances. I recently got one of those robo-dialers to leave me a generic, threatening message (which you can listen to here) that meets many of the requirements of good social engineering. The transcript is below (apologies for the bad copy in two areas, the ...

Continue Reading

Does Income Matter for Awareness? standard

Here’s another visualization to consider based on demographical data generated from my Consumer Attitudes Toward Breaches research (sponsored by MAC). Did income levels matter in breach awareness? It appears to have mattered, yes, but not in the way you might expect. Below is a graph that shows how consumers reported their awareness of breaches as separated by income level. When we add weights to our responses to make sure we are comparing apples to apples. What’s interesting here is that the smallest two and largest two income levels were the most aware of the breaches, while the middle three were much less aware. Do lower income segments watch their dollars more closely? Are higher income segments more likely to be ...

Continue Reading

Gender Differences in Breach Awareness standard

Over the next few posts, I’m going to show you a few more visualizations that didn’t make it in my Consumer Attitudes Toward Breaches report (sponsored by MAC). Most were omitted for brevity as they didn’t add anything material to the content already presented. Below is a graph that shows how consumers reported their awareness of breaches as separated by gender—pink for female, baby blue for male. What made this interesting to me was that even though males were generally more aware of breaches than females, but the two breaches where females were more aware (Michael’s and Target) seem to target that demographic. The respondents split the gender line at almost 50/50 (11 more females responded than males of the 1031 responses). ...

Continue Reading

WiFi Risks and Travel standard

Holiday travel is about to be in full swing for the holidays, and we’re all going to be wading in dangerous waters as we seek WiFi to keep ourselves and our kids occupied while we move around. Paul Ducklin just put together a great blog post on Naked Security about a risk you should be aware of when connecting to these networks. He specifically talks about unsecured requests for information before you are allowed to reach the Internet. There are a couple of other scary things you should be aware of: Don’t forget that open, free, and no-password-required WiFi is about as wild west as you can get. When you connect to these networks, anything you do that is not encrypted ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!