Google offers new two-factor authentication option

You Can Now Protect Your Google Accounts With a Physical Key - Eric Limer - GIZMODO

I've never had a problem with how Google's two-factor authentication works. There are two options: receive a text message with the two-factor code, or install an app that syncs with the Google account. Both methods are fairly easy to use and add a significant amount of security to Google accounts. Now, though, it appears there is a third option, which includes hardware. The hardware will have to be purchased and then enabled for a Google account, but it makes it much easier to interact with a Google account via Chrome or Chrome OS.

I'm a little concerned at the fact that it's a hardware option, because it could be lost or stolen. I imagine that you can disassociate the device from the account if it's lost, but if it's used sparingly there could be a large period of time between losing the device and discovering the loss. And if someone steals the device and happens to have the password to my account, it seems like it would be much easier for them to get into my account with hardware that's supposed to make it more convenient for me to log in. Sure, my phone can be lost or stolen, but I'll know about it pretty quickly and it does have a lock on it. And yes, my phone passcode could be cracked, but it is adding another barrier to someone getting into my account vs. a piece of hardware that's triggered by the push of a button. That's not to say that I think this option is bad; it's just that I don't find the current process all that annoying. Regardless, I think a third option is a good thing, because more options for security are a very good thing.

This post first appeared on Exploring Information Security.

Public infosec links July 21, 2014

How to remove your house from Google Street View - Graham Cluley - welivesecurity

Google is mapping the world, which does come with privacy concerns. However, there is a way for someone to request that their home be blurred on Google Maps Street View.

The Rise of Thin, Mini and Insert Skimmers - Brian Krebs - Krebs on Security

There are devices that can be attached to an ATM that can grab your credit card information and PIN. The devices are meant to look like they're part of the ATM. If you can wiggle something loose at an ATM, it's probably not meant to be there. Look for anything that appears to be out of place on an ATM.

Beware Keyloggers at Hotel Business Centers - Brian Krebs - Krebs on Security

Malware on a public machine is not all that surprising. Using a public computer for personal accounts is never a good idea. I would recommend avoiding public computers altogether, but if you must, I would be very careful about what information you access on that machine.


InfoSec links July 18, 2014

It Is Idiotic To Hand Out Your Twitter Password to Prove Passwords Are Dead - Kashmir Hill - Forbes

How a journalist distributed-denial-of-serviced (DDoSed) his own account in one easy step. He tweeted out his Twitter password with two-factor authentication on. He wanted to prove that two-factor authentication was a fantastic security measure. To my knowledge no one has gotten into his Twitter account yet; however, he has had to switch phone numbers.

Project Zero - A Team of Star-Hackers Hired by Google to Protect the Internet - Mohit Kumar - The Hacker News

I can’t help but get a little giddy about this. Sounds very Avengers-like and a new way to think about information security. I have on my board at work “Hunt Teams,” which is an idea I heard on a podcast. The team essentially tries to prove that the organization hasn’t been hacked yet.

Meet Google's Security Princess - Clare Malone - Elle

A wonderful read on Google’s Security Princess (her title choice) Parisa Tabriz. She’s the hacker hired by Google to break into Google. The article talks about her background and her rise to security manager of a team of 30 people at Google. It’s Friday; take about 15 minutes to read through this article. You won’t be disappointed.


Infosec scam links July 3, 2014

Duo Security Researchers Uncover Bypass of PayPal's Two-Factor Authentication - Zach Lanier - Duo Security

I love two-factor authentication. I turn it on just about everywhere that I can. It’s a really easy way to secure your online account. Well, unless it’s not implemented properly, and that’s what it looks like PayPal did. Lots of technical details to dive into in this one.

Google's Famous Security Guru Found An Embarrassing Hole In Microsoft's Products - Julie Bort - Business Insider

Microsoft's nemesis, Tavis Ormandy, who works for Google, found a vulnerability in Microsoft's security software. The word "skirmish" is used in the article, which just makes this little battle between tech giants all the more juicy. Way better than Jersey Shore.

Redmond's EMET defense tool disabled by exploit torpedo - Darren Pauli - The Register

In other not-so-good news for Microsoft, it appears that some researchers have found a way to disable its Enhanced Mitigation Experience Toolkit (EMET). This doesn’t make the tool useless, but it does mean Microsoft has its work cut out for it strengthening the tool. Currently Tech Preview 5.0 is unaffected by this. Researchers are working on 5.0 and will have details regarding those attempts at Black Hat in Las Vegas in August.


Information Security Link March 7, 2014

Surveillance by Algorithm: https://www.schneier.com/blog/archives/2014/03/surveillance_by.html

Bruce Schneier is one of the industry's leaders in information security and, more specifically, cryptography. He is a very, very intelligent individual, and you will become smarter reading his works, guaranteed. In this particular blog post he takes some quotes made by the NSA and Google to task, in regards to how they handle people’s personal data.

The TL;DR version is:

The NSA version of the term ‘collect’:

“So, think of that friend of yours who has thousands of books in his house. According to the NSA, he's not actually "collecting" books. He's doing something else with them, and the only books he can claim to have "collected" are the ones he's actually read.”

Google says its algorithms, which read your email, are like your dog:
“To wit: when you're watched by a dog, you know that what you're doing will go no further than the dog. The dog can't remember the details of what you've done. The dog can't tell anyone else. When you're watched by a computer, that's not true.”
