As I understand it, the “big win” of going to U2F is that your key will only respond to the challenge after the browser verifies that it’s talking to the same site that was used for initial setup. You initialize a key for facebook.com, then it will never be used to answer a challenge for facabook.com. The thing is, password managers already solve this problem for your first factor. If I clicked on one of the phishing examples in the post, got a Google login prompt, then didn’t see at least my username auto-filled, warning bells would be going off because the browser doesn’t think it should populate form fields with the values I’ve used previously on google.com. Of course, passwords can still get phished, it doesn’t address the second factor, etc etc, but it’s definitely worth educating users about this – if your browser doesn’t treat the site like “real Google”, notice the signs!
I’m going to be pedantic, so feel free to skip ahead, but he actually got TWO words wrong and that makes me think his defence might be a bit suspicious.
This is a legitimate email.
This is an illegitimate email.
Or
This isn’t a legitimate email. - But you wouldn’t write it like this, for obvious reasons.
Even better than enabling 2FA, which you absolutely totally should do, where possible enable authentication using an app.
Microsoft sites let you log in using the Microsoft Authenticator app, which I’m not going to say is impossible to subvert, but, for now, makes simple phishing attacks all but impossible.
Of course using a U2F key involves putting a USB stick into your computer, which can lead to an instant compromise of the whole device. Counterfeit keys seem an easy attack vector.
This stunk to me too. It doesn’t pass the “smell test” at all. I don’t give Delevan the benefit of the doubt at all and call total BS. Given the basically career-ending mistake he made, I can’t say I blame him for lying though.
I would also be interested in learning more about their reasoning. Since they are listed "for non-profits and journalists," these strike me as the kind of rules that you give non-tech people to make sure they don’t do something wrong.
In that case, there are some Android phones that are secured, with OS encryption on out of the box (Pixel line for sure, likely other high-end phone makes), but plenty of the budget phones are not sacrificing the horsepower to encrypt. I would see advice of “iPhone or nothing” as a security shield against cheap managers. If you crack open the door to Android, you’re much more likely to get something massively insecure if you cheap out, but not so with an iPhone. And I say this as an Android or bust kind of guy.
The guide was last updated in May of 2017, so Firefox Quantum wasn’t out yet, which might receive a different mark from them than previous versions.
Ah, okay, if iPhones are encrypted by default then that makes a lot of sense, I did not know that. It is much easier advice to give than “Here is the list of specific Android models that you can buy”.
I think that was done for the benefit of simple users who don’t know what to select or what to trust. Still, adding more than one choice would have been good then.
What does that encryption do, actually? Mine is encrypted by default too, but I donât know what benefits I get from that, since it can be turned on without any codes anyway.
I see your point, since the app would only talk to the real website, and not the fake phishing one, this could be a practical alternative. Interesting.
Right but this is the same argument for using an iPhone (or any device) that you did not open from a visibly sealed box as shipped from the manufacturer. One of the creepy things about the Snowden docs was Cisco routers shipping from the factory pre-compromised.
So TL;DR as long as you buy them from a reputable source and they are in sealed boxes, you have to assume they are not compromised. Or else you no longer live in a sane world.
I have seen several reports of that, and it smells like CDN issues to me. The blog is behind cloudflare which is automagically doing DNS based CDN routing to the images.
There are too many third-party fingers in the Android pie for it to be secure. And Apple SoCs have been way ahead on hardware security (as well as general performance) for many years now. Your best security value at the time of writing is a certified refurbished iPhone 7 direct from Apple.
You’re right, if you have no login security they’d just pick up your phone and physically look at it. Most people have some form of login security, though, which is why you’d try to bypass that by poking through the storage system directly. That’s what default filesystem encryption solves for you.
The thing is, password managers already solve this problem for your first factor.
Yes, I was going to say the same thing. Besides taking care of storing and generating unique, strong passwords, they also have this nice side effect that they are so much better than humans, even trained ones, at separating the correct domain from phishing attempts. This is rarely mentioned as much as it should be, IMO.
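The origin binding that the U2F comment above and this reply both rely on (a credential registered for one origin is never offered to a lookalike) is easy to make concrete. The following is an added example written for this thread, not code from any commenter, browser or password manager; the store class, its method names and the sample URLs are all constructed for illustration. It keys credentials on the parsed origin (scheme, host, port) the way a password manager's autofill and a U2F authenticator's origin check do, and shows that a typosquat, a subdomain trick, a Cyrillic homoglyph and an HTTP downgrade all come back empty, which is exactly the "nothing was auto-filled" warning sign the comments describe.

```javascript
// Added example: an origin-bound credential store modelled on what U2F's
// origin check and a password manager's autofill both do. The class, method
// names and sample URLs are constructed for illustration only.

class OriginBoundStore {
  constructor() {
    this.byOrigin = new Map(); // origin string -> { username, secret }
  }

  // Normalise a page URL to its origin (scheme://host[:port]). The WHATWG URL
  // parser drops default ports and converts Unicode hosts to punycode, so a
  // homoglyph host never compares equal to the ASCII one it imitates.
  static originOf(pageUrl) {
    const u = new URL(pageUrl);
    if (u.protocol !== 'https:') {
      // A plaintext page cannot prove which site it is; refuse to bind to it.
      return null;
    }
    return u.origin;
  }

  register(pageUrl, username, secret) {
    const origin = OriginBoundStore.originOf(pageUrl);
    if (origin === null) throw new Error('refusing to register on a non-HTTPS origin');
    this.byOrigin.set(origin, { username, secret });
    return origin;
  }

  // Returns the credential only for an exact origin match; any lookalike host
  // yields null, i.e. "no autofill happened", which is the cue to stop typing.
  lookup(pageUrl) {
    const origin = OriginBoundStore.originOf(pageUrl);
    if (origin === null) return null;
    return this.byOrigin.get(origin) || null;
  }
}

// Constructed sample: register once on the real site, then probe with the
// kinds of lookalike URLs a phishing mail would carry.
function demo() {
  const store = new OriginBoundStore();
  store.register('https://www.facebook.com/login', 'alice', 'correct horse battery');
  const candidates = [
    'https://www.facebook.com/login?next=/home',     // same origin, different path
    'https://www.facebook.com:443/login',            // explicit default port
    'https://www.facabook.com/login',                // typosquat
    'https://www.facebook.com.evil.example/login',   // real name as a subdomain
    'https://www.faceb\u043e\u043ek.com/login',      // Cyrillic "o" homoglyph
    'http://www.facebook.com/login',                 // HTTPS downgrade
  ];
  const results = {};
  for (const url of candidates) {
    results[url] = store.lookup(url) !== null;
  }
  return { store, results };
}
```

Running demo() shows autofill only for the first two candidates; the other four come back empty even though each of them would look plausible to a tired reader of the email.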
Personally I would like to see the URL shorteners like bitly and goo.gl outlawed. And notice that this phishing attack used one. I tell everyone not to click on a URL in an email but to go to the website directly and navigate within the website to get what you need.
Almost as bad is the “safelinks protection” that outlook.com is now using on links. The links are rewritten to go through a web service to check against a blacklist. It makes the URL almost impossible to read.