Personally I would like to see the URL shorteners like bitly and goo.gl outlawed. And notice that this phishing attack used one. I tell everyone: do not click on a URL in an email, but go to the website directly and navigate within the website to get what you need.
Almost as bad is the “safelinks protection” that outlook.com is now using on links. The links are rewritten to go through a web service to check against a blacklist. It makes the URL almost impossible to read.
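The complaint above is that a rewritten "safelinks" URL hides the real destination from the reader. The following is an added example, not code from any commenter here: a small Python helper that pulls the original destination back out of such a link so it can be read, and flags hosts that belong to the URL shorteners named in the thread. The host suffix (`.safelinks.protection.outlook.com`) and the `url` query parameter are assumptions about how those rewritten links are commonly shaped; the sample link is constructed.

```python
from urllib.parse import urlparse, parse_qs

# Assumed shape of a rewritten link: a host under this suffix, with the real
# destination percent-encoded in the `url` query parameter.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Shortener hosts mentioned in the thread; a shortener hides the destination
# entirely, so the best a reader can do is flag it.
SHORTENER_HOSTS = {"bit.ly", "goo.gl"}


def unwrap_safelink(url: str) -> str:
    """Return the destination hidden inside a rewritten link.

    A link that is not a rewrite is returned unchanged.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(SAFELINKS_SUFFIX):
        return url
    # parse_qs percent-decodes the value, so the inner URL comes back readable.
    inner = parse_qs(parts.query).get("url")
    return inner[0] if inner else url


def describe_link(url: str) -> dict:
    """Summarise what a reader actually needs to know before clicking."""
    destination = unwrap_safelink(url)
    host = (urlparse(destination).hostname or "").lower()
    return {
        "destination": destination,
        "host": host,
        "rewritten": destination != url,
        "shortener": host in SHORTENER_HOSTS,
    }


# Constructed sample of a rewritten link (the `data` blob is a placeholder).
SAMPLE_REWRITTEN = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fexample.com%2Faccount%2Freset%3Ftoken%3Dabc123"
    "&data=CONSTRUCTED_OPAQUE_BLOB&reserved=0"
)

if __name__ == "__main__":
    for link in (SAMPLE_REWRITTEN, "https://goo.gl/abc", "https://example.org/x"):
        print(describe_link(link))
```

The summary deliberately reports the bare hostname rather than the whole URL: the hostname is the one part of a link that decides where the click goes, and it is the part a long, opaque URL makes hardest to see.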
I thought about that, and I bet it was a careless re-edit. He may have written “this is not a legitimate email” then gone back over it and thought he’d better make it clearer and say “is an illegitimate”. But he deleted the “not” and forgot to update to “illegitimate.” I’ve ended up with tweets that mean the exact opposite of what I mean because of that.
However, when it’s something that important, you should not rely on single-factor reading comprehension either. When I have something that important to communicate, I lead with something like “DO NOT OPEN THIS” and then explain. I’ve found you can’t expect busy clients to read every email thoroughly or parse for apparent contradictions, so the important message should be front-loaded, bold/italic, or called out as a bullet point. Sentences in paragraph form are rarely read closely.
We need to change how TLS certs are verified. Currently there’s no way to say “is the CA signing cert valid for domain”, nor is there a way to say “is the CA valid for company, and not misleading as to which company”. The former could be done with DNS; the latter, I’m not sure how it could be done, and even if it could I’m not sure how to make it relevant to the everyday user without destroying the freedom of the internet. OpenDNS did, and does, have a good idea of allowing DNS filtering and categorization. I have no idea how we could say this URL looks like who it claims to be. Of course companies like Facebook aren’t helping by using a different root domain to send email… I also got an email from Amazon? yesterday that looked like a phishing email… using a.co links, but when I looked at the headers everything checked out to be from Amazon. So yeah… as long as companies are using phishy-looking emails for real… this is an impossible problem.
Oddly enough, LastPass and other website-specific password managers have this same benefit, since they will only autofill the real domain… of course then there’s the screwy number of websites that have weird valid alt domains, like my insurance provider… making this not work for those sites.
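The point above is that a password manager only fills credentials when the site's domain matches the one the login was saved for, which is what defeats a lookalike domain, and that sites with several legitimate domains need an exception. As an added example (not LastPass's code or the commenter's), here is that autofill decision written out in Python: it compares registrable domains, refuses plaintext HTTP, and accepts a user-declared group of equivalent domains for the alt-domain case. The multi-label suffix set is a constructed, deliberately tiny stand-in for a real public-suffix list, and the domain names in the tests are constructed.

```python
from urllib.parse import urlparse

# Constructed stand-in for a public-suffix list: suffixes under which the
# registrable domain is three labels long rather than two.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def should_autofill(saved_url: str, current_url: str,
                    equivalent_domains=()) -> bool:
    """Decide whether a saved credential may be filled on the current page.

    equivalent_domains is an iterable of sets; every domain in one set is
    treated as the same site (the "weird valid alt domains" case).
    """
    saved, current = urlparse(saved_url), urlparse(current_url)
    if current.scheme != "https":
        return False  # never hand a password to a plaintext page
    saved_dom = registrable_domain(saved.hostname or "")
    cur_dom = registrable_domain(current.hostname or "")
    if saved_dom == cur_dom:
        return True
    for group in equivalent_domains:
        if saved_dom in group and cur_dom in group:
            return True
    return False


if __name__ == "__main__":
    saved = "https://www.paypal.com/login"
    for page in ("https://www.paypal.com/signin",
                 "https://paypa1.com/login",            # lookalike: digit 1 for l
                 "https://paypal.com.evil.example/",    # brand used as a subdomain
                 "http://www.paypal.com/"):             # right site, no TLS
        print(page, "->", should_autofill(saved, page))
```

The lookalike and the brand-as-subdomain cases both fail because the comparison is on the registrable domain, not on whether the brand name appears somewhere in the host; that is the property a human reader skimming an address bar does not reliably have.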
This particular piece smells to me like a bit of paranoia. First of all, if you think that some of those third-party fingers have deliberately sabotaged your device in order to do illegal things to you, then you no longer live in that sane world you mentioned before. They might do greedy things to you (like adverts everywhere and pushing their own software and stuff), but not illegal. They’re not your adversaries, they’re annoyances.
It could be that they have made the phone insecure by accident/stupidity, but AFAIK that happens pretty rarely. In addition, there are zillions of different android phones, each with different system images and drivers. Even if there is a vulnerability in one of them, it still covers far too few people for any mass-market hacker to bother making an exploit for that. If you’re afraid of this, then maybe just stay away from the most popular makers - Samsung and Apple. The rest are just too varied to be worthwhile.
The same applies to hardware hacks that require physical access to your device (like compromised public chargers in the airport and the like). Perhaps someone might bother doing this for an iPhone (since it’s one of the most common phones out there), but most Android brands should be safe simply because any such hack would not generate enough returns.
Now, if you’re worried that someone might be targeting you specifically, then we’re talking a whole different level of paranoia. But 99% of people should not have to think about that.
Right but just a password alone is clearly insufficient. That’s my point when I say “you either have [security], or you don’t”. If you are currently using more than a password alone to log in (as long as SMS isn’t allowed), you’re probably difficult enough to attack for now.
Making ever-longer and complex passwords isn’t the solution. A relatively short password of five to eight characters padded with an easy-to-remember string of characters that make the password a non-dictionary sequence of 12 to 14 characters is just as effective and far easier for the user to remember. See Steve Gibson’s white paper on the topic, “How Big is Your Haystack? … and how well hidden is YOUR needle?” Using Gibson’s “Password Haystacks” concept, you can forget about password manager services, master passwords, YubiKey, etc.
I think Mr. Delavan made the mistake of being fooled into believing the phishing attempt. Everything in his email points to full-on panic mode ‘John needs to change his password immediately…’
‘…imperative that this is done ASAP’
If it was recognised as a phishing attempt then the advice would be something like: Do not under any circumstances click on the link. Delete the email. Your password does not need to be changed, but if you do, go through your normal log-on procedure and then use their interface to change your password. I would recommend activating 2-factor authentication.
He then compounded that error by not categorically stating that you NEVER click a link in an email and then give your password/details. You should know how to log in to your account, so do that and then go to the password reset section. Pretty simple rule to learn and follow: assume every email is fake - one day you will be right and glad to be safe.
One thing I should have been more clear about in the article is to make sure your telephone number is not even listed in the records for your auth provider. I did say “don’t use SMS” but you have to be absolutely sure that SMS can’t ever be used – and the best way to do that is to remove the phone number entirely.
Many reasons for this, here’s another if you need one:
I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, “Nothing–you’re screwed.”
Then going with
But that’s not true, and the reality is more complicated. You’re screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.
However, I think the first statement is actually true, and not only for average users, but especially for average users. Some people here doubted that it was just a typo from Mr. Delavan; if true, it could be a great example that even non-average users can be outsmarted & screwed.
For sure, using just passwords for authentication is like keeping a door closed, but not locked. The difference is you can live in a good neighborhood and never mind, but the internet is a district you usually try to avoid IRL.
You can do a lot to protect yourself, things like 2FA/U2F make you way more protected, but it’s still “a modicum of security”.
The only thing I disagree with in this article is the part about password managers. I don’t trust them. As for me, they’re SPOFs I’d better avoid. However, I don’t have that much experience using them and this can be my prejudice. You’re welcome to change my mind.
Here comes a case where 2FA utterly fails: traveling abroad. Imagine making a trip to Mexico. 4 days into your lovely beach vacation in Cancun you realize that your mobile phone is missing. You may have lost it or it got stolen. What a pity - now someone has the device with all your 2FA apps on. Worst of all: you can’t just go to another device, log into your Google account and change passwords. Or retrieve a copy of your flight tickets in your email. Nope. There is something that you don’t have - your phone. And you need either a 2FA app or a verification code to a given phone number to get access to your data.
I’m not making this up. A Swiss travel blogger already wrote about losing his phone in Mexico City in 2015: https://weltreiseforum.com/blog/handy-sicherheit-so-minimierst-du-die-folgen-eines-diebstahls/ (German language only). I myself did a lot of traveling and my backup was - so far - having my data on a cloud account. This used to be a good fallback. All your physical stuff might be gone (so much for a local backup on a flash drive) but you basically still have access to your data: flight tickets, credit card number, PayPal account.
Just to sum this up: we might be moving away from a universal internet that can be used on any device towards a device-centered internet. 2FA is a catalyst in this development. I’m wondering if the idea of a shared computer with multiple users will exist 10 years from now. Or if you can do anything with it except visiting some basic websites. You might not be able to use most services without a personal device.
Don’t get this wrong: 2FA might do a lot of good in many cases. But in this case: you’re going to have problems.
Wait, why don’t you have any kind of backup auth with you? Printed backup codes? 2FA hardware key? Granted, I’ll agree that when I go on vacation those wouldn’t be first on my list of things to take, but they exist. So when I get home I could deal with it at worst.
How is this a risk, because … how would they log in to your device to do anything? Of course you have a long PIN (6+ digits) and/or fingerprint and face id set up, right? Factory reset won’t work since any remotely modern phone requires the associated username/password to factory reset.
In the long term, two factor through an app isn’t quite secure enough due to the very real (and growing) specter of real-time phishing. Authentication apps offer timed keys that expire after a minute or two, but if the attacker can get you to type an authentication key and relay it to the target site fast enough, they can still log in as you.
I used to use padding but that didn’t help because I want a different password for every site I have a login account for. I also tried to use a password scheme with padding but then it occurred to me that if someone found one of my passwords, they could maybe figure out my scheme. For example, %%Twitte1,.,.,.,.,.,.,. has a lot of entropy but if someone found this password they might then think that my paypal password is %%Paypa1,.,.,.,.,.,.,.
So I use a password manager primarily to remember hundreds of unique passwords. Password strength is the secondary benefit.