Category Archives: Best Practices

A Warning About Two Factor Authentication

I have been a strong advocate for two factor authentication and still am, but I ran across a situation yesterday that made me realize that there is something that you need to consider when you implement two factor.

The situation that I encountered was a user that was using text messages for two factor authentication and those text messages were going to his cell phone.  Without understanding the implications, the user cancelled that cell phone and lost control of the phone number.  When that happened, the user lost the ability to sign into the account protected by that phone number.

This is very similar to forgetting your password, but most vendors have made recovering your lost password easy – too easy in my opinion, but we are used to it.  I have to admit, I have used it.  Typically they send an email to the registered email address and you can reset your password.  If a hacker gets into your email they too can reset any password, which is why I say that it too easy.

The problem/question is if you lose access to your phone number (and notice I didn’t say your phone, but rather your phone number because if you lose your phone but still control the number, you can move that number to any new phone and still get those text messages), does the vendor have a mechanism to recover access to the account.

Lets say you protect your bank account with two factor.  Likely, you can go into the bank in person, show a banker your government issued picture ID and they can remove the two factor requirement or change the phone number.  MAYBE.  Worst case, you can go into that same bank and close your account, take your money and open a new account.

But what if the account is Facebook.  There is no Facebook store to go into to do the same thing and closing your Facebook account will cause you to be disconnected from everyone.  Of course, possibly, losing access to Facebook might give you a lot of time back in your day.

OK, so now I scared you out of using two factor authentication.  Let me see if I can make you OK with two factor.

First, if the web site allows it, you should create a backup authentication option.  For example, many companies will allow you to get your second factor via text message OR phone call. Or possibly via text message OR email.  If they allow that, then make sure that you set that up.  That way, if you lose access to your phone number, you can still log in after receiving the code via phone call or email.  DO NOT make the phone number the same phone number that you get your text messages from.  Remember that the issue is that you lost control of that phone number.  Use a home phone or work phone or spouse’s phone or just something different.

Next, make sure that you keep track of what those second methods are.  Sometimes a web site will display an option showing you how you can receive the second factor.  If it does, pay attention and make sure that you still have access to it.

Do not release your phone number unless you are sure that anything that you are using it for has been accounted for.  If you have to change your phone number for some reason, look at all the accounts that use it to protect and disable two factor before you get rid of that number and then turn it back on with the new number.

Talk to your phone carrier and add a password to your mobile phone account.  While hackers can sometimes social engineer their way around that, it makes it more difficult.  That will reduce the odds that you will lose access to that phone number.

Finally, ask the vendor what their policy is for resetting two factor authentication.  Even Google has a method to do this.  It is a bit of a pain and it can take a couple of days, but it is possible.

As two factor becomes more popular, vendors are going to have to deal with this  new reality, but it will take some time.

Finally, if you use two factor authentication apps like Facebook Authenticator, those are more portable.  As long as you don’t lose access to your Facebook account, you can still access authenticator – from any phone – as long as your access to Facebook is not protected solely by a two factor authentication to that lost phone NUMBER.

I know, something else to worry about.  I think as long as you set up two different methods to receive that second factor, you are pretty safe.  Just keep it in mind.


Facebooktwitterredditlinkedinmailby feather

Open Source is NOT Bug Free


There are those in the open source software fan world that suggest that open source (and typically free) software is best because since the source code is available, people can look for bugs and fix them, resulting is bug free software.

The reality is not quite so simple.

While this statement is technically true, it is not true in practice.  Time and time again we run into very popular open source software with bugs – software like Open SSL which is installed on millions of computers.

That also does not mean that open source software is bad or overly buggy. It just means that it is software and all software needs to be validated.

AND, it also means that even if software is tested, it is not bug free.

OK, with that preamble, what are we dealing with today?

Google has an internal hacking team called Project Zero and they try to hack all kinds of software – including but not limited to Google’s own software.  This week team member Andrey Konovalov was playing with the USB drivers in the Linux kernel.

When someone mentions the words BUG and KERNEL in the same sentence, it should get your attention.  The kernel is the most privileged and most sensitive part of any operating system.

Andrey identified 14 bugs in the USB drivers that have been assigned bug ID numbers so far.  He has also requested another 7 numbers for additional vulnerabilities that he has identified.  On top of this, he says there are probably another 20 that have not been fully researched yet.  That puts the number of likely bugs in a very sensitive part of the Linux OS at around 40.

And remember, this is just in one part of the operating system.

So the next time someone tells you that open source means bug free, you can pull out a copy of this post.

Also, it is important to remember that Linux is an INCREDIBLY popular piece of open source software, used by hundreds of millions of people (It is the core of all Android phones).  If it is not bug free, is it reasonable to think that some other piece of open source software used by 10s of people IS bug free?  I don’t think so.

So, like with everything else, Caveat Emptor is appropriate response.

Information for this post came from Bleeping Computer and The Register.

Facebooktwitterredditlinkedinmailby feather

PwC Study Shows Firms NOT Prepared for Cyber Attacks

Despite the constant news reports of cyber breaches, PwC says that business leaders are not taking this to heart, which means that your data is still at risk.

Price Waterhouse Coopers surveyed 9,500 executives in 122 countries and came up with the following –

  • 44% – almost half  – say that their firms have not created an overall cyber security strategy.
  • 54% – more than half – do not have an incident response program.  This means that they likely will look a lot like Equifax after their breach – a bit of a pinball in a pinball game as they bounced from one screw-up to another.
  • 48% have no employee awareness training.  This stat is amazing.  Given that people are at the root of most breaches and the affordability, even for small companies of cyber security training, that almost half of the companies do not train their employees is unbelievable.
  • 39% are very confident in their cyber attack attribution capabilities.
  • 40% say that an attack against their automation and robotics would disrupt operations and 39% say it would result in the loss of company or sensitive data.
  • 32% say an attack would produce a decline in product quality
  • 29% say an attack would result in a damage to physical property
  • 22% are concerned about harm to human life.  While this seems alarming, we have seen this when an attack takes out infrastructure.
  • Only 44% – less than half – say that their boards actively participate in their overall security strategy;  the rest still think it is an IT problem.
  • For consumers, more think that their email will be hacked (45%) than a flight will be cancelled (36%).
  • And, last (there are more in the report) 10% think that their information is secure.

What is your response to these questions?  Are you and your company ready for an attack?



Information for this post came from Mediapost.

Facebooktwitterredditlinkedinmailby feather

Trouble in Paradise

A couple of weeks ago I wrote about yet another breach at a law firm.  This time the firm was Appleby, a law firm based in Bermuda and home to the rich and famous – especially those that are looking for tax shelters and the similar.  Most of these tax shelters are legal but the optics of using them are terrible.  For many of the rich and famous, they don’t want the NOT rich and famous to know what they are doing.

So imagine what happens to a law firm (or any firm) that caters to those people who is hacked and threatened with disclosure.  They likely have some unhappy soon-to-be-ex-clients.

Well at least some of the 13 million plus hacked documents are now public and it paints an unflattering picture.  Likely legal, but very unflattering.

The hack is being called the Paradise Papers.  In sheer size, it is the number two breach, only surpassed by the Panama papers hack in 2016, which revealed 2.6 terabytes of data.  The Paradise Papers hack revealed 1.4 terabytes of data.

Among what was disclosed is:

  • Millions of Pounds from the Queen of England’s private estate has been invested in a Cayman Islands fund which makes questionable investments.
  • Extensive offshore dealings by Donald Trump’s cabinet members, advisors and donors, including substantial payments from a firm co-owned by Vladimir Putin’s son-in-law to the shipping group of US commerce secretary Wilbur Ross.
  • How Twitter and Facebook received hundreds of millions of dollars in investment that can be traced back to Russia.
  • The tax avoiding Cayman Islands Trust managed by the Canadian Prime Minister Justin Trudeau’s chief moneyman.
  • A previously unknown $450m offshore trust that has sheltered the wealth of Lord Ashcroft.
  • Aggressive tax avoidance by companies like Nike and Apple.

And on and on.

As I said, I assume that most of this is legal, but as people like President Trump and Prime Minister Theresa May have been talking about closing tax loopholes, the optics of this could not happen at a worse time.

According to reports, this does not appear to be state sponsored; just a hacker out to do a little “social justice”.

The message is that any business that stores sensitive information (and apparently the information stolen goes back 70 years) probably ought to look at how you are protecting it and improve that security – unless you want to be the next P papers – Pentagon Papers, Panama Papers, Paradise Papers ……..

I assume that there will be a large exodus of clients from this firm.

Information for this post came from The Guardian.


Facebooktwitterredditlinkedinmailby feather

NY Introduces Tough New Cyber Security Bill

New York already has one of the toughest cyber security regulations in the country, but it only applies to financial services firms like banks, mortgage companies and investment advisors.

After the Equifax breach, New York Governor Andrew Cuomo proposed that they add credit reporting agencies to the list of companies covered by the New York regulation called DFS 500.

This week New York Attorney General Eric Schneiderman proposed tough new legislation that would increase the coverage of New York law to all companies who handle non-public information of New York residents.  Schneiderman says that the update is needed.

The Stop Hacks and Improve Electronic Data SecuritY or SHIELD Act was introduced in both legislative houses.

Schneiderman said that his office received notice of 1,300 breaches in 2016, a SIXTY PERCENT INCREASE over the previous year.

Some business officials wondered how it would be enforced on out of state companies, but a similar requirement currently exists in a number of other states.

The law has modest penalties – up to $5,000 per violations or $20 per failed notification, up to $250,000.  Compare this to the new data privacy law in Europe which allows for fines of 20 MILLION Euros or more.

For small businesses of less than 50  employees and some other requirements would only have to implement security appropriate for the size of the company and the risk.

The law also says that companies that obtain independent certification of their security practices and achieve high marks would be immune from enforcement actions.  This is a great incentive to conduct annual cyber risk assessments.

The Business Council of New York State, a trade group of over 2,000 businesses said that businesses are not bad actors and are interested in protecting their customer’s data.   If that is true, they should be conducting an annual independent third party risk assessment anyway and if their program comes away with high marks, they have immunity.  So, if the do protect their customer’s data effectively, they have nothing to worry about from this bill, even if they do get breached.

Schneiderman has a reputation of being tough on companies that get breached and hackers who breach companies, so this new bill is not unexpected.

Information for this post came from

The text of the bill can be found here.

Facebooktwitterredditlinkedinmailby feather

Alexa – What is My Credit Score?

WHAT. COULD. GO. WRONG???????????????????

Amazon is offering you a new feature;  you can ask Alexa what you credit score is.

Actually, it is not as bad as it sounds.  But it doesn’t seem like the most secure thing ever.

First, it is not really Amazon who is answering that question, it is Experian.  Alexa has what Amazon calls “skills”.  A skill, I gather, is a particular thing that Alexa can do, like, maybe, get you movie information.  Skills may be implemented by Amazon or they may be implemented by a third party.  In this case, the third party is Experian.

In order to use the credit score skill, you have to enable the Experian skill, then you have you enter the username and password for your Experian account (so if you don’t have an Experian account you are safe, I guess).  When you do this, the system creates a PIN for you.  I am guessing they create it rather than having you create it because they are scared people will use 1-2-3-4 or 1-1-1-1.  If the skill is inactive for 5 minutes you have to re-enter the PIN.

They also remind people that the information is sensitive so you might want to be alone when you ask Alexa.

If you have Experian’s credit lock product (for more $$$), you can also lock and unlock your credit file from your Alexa.  You can get other Experian services too.

Since most people very rarely check their credit score or even look at their credit file, I am not sure that this service will be super popular, but who knows; they could be on to something.

In fairness to Experian, it seems like they have tried to make it safe, but it also seems like it might be smarter to check your credit score on your tablet or phone (using your Wells, Capital One, Discover and other apps – which are free, unlike Experian). It’s not like you do this 3 times a day so it has to be super convenient.  If you check it a couple of times a year you would be above the average.

So just use your laptop. Or your phone or tablet.  Please.

Information for this post came from CNN.

Facebooktwitterredditlinkedinmailby feather