STE WILLIAMS

Speaking in Tech: Tomorrow’s infosec fiasco is a ‘we’re not a company any more’ fiasco

Podcast


Amy Lewis, Eddie Saipetch and Dom Delfino, the go-to-market team lead for Software Defined Data Center at VMware, stir it up in this week’s nerdcast. The trio discuss the edge of cloud, HBO, WannaCry and more.

The details…

  • (0:00) Dinner with Greg Knieriemen
  • (2:42) Parking the Geek Whisperers
  • (5:29) Pushing cloud out to the fringe
  • (17:13) HBO out of bitcoins?
  • (18:50) Standing up to ransomware
  • (21:57) IT’s bad security posture
  • (30:28) EMEA Hotel Guests WannaCry


Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/16/speaking_in_tech_episode_274/

Creepy backdoor found in NetSarang server management software

Researchers at Kaspersky Lab have found a well-hidden backdoor in NetSarang’s server management software.

The secret access route, dubbed Shadowpad by its discoverers, lurks in the nssock2.dll library within NetSarang’s Xmanager and Xshell software suites. It pings out every eight hours to a command-and-control server with the identity of the compromised computer, its network details, and user names.

The backdoor is activated as follows: the .DLL generates a domain name based on the month and year, and performs a DNS lookup on it. A specially crafted DNS TXT record for the domain triggers the opening of a channel to the control server, a decryption key is downloaded by the software, and its next stage is decrypted. This section provides a full backdoor for an attacker to run code and exfiltrate data.

If you can register the domain name for a given month and year and mimic the control servers, you too can commandeer organizations running the compromised NetSarang tools. It also means the DNS traffic is where to look: a host running one of the affected builds that resolves TXT records for an unfamiliar domain on a regular cycle is the tell.

The affected packages are:

  • Xmanager Enterprise 5.0 Build 1232
  • Xmanager 5.0 Build 1045
  • Xshell 5.0 Build 1322
  • Xftp 5.0 Build 1218
  • Xlpd 5.0 Build 1220

It is assumed someone managed to hack into NetSarang’s operations and silently insert the backdoor, so that the backdoor code would stealthily propagate to test and production environments via legit cryptographically signed software updates.

“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be,” said Igor Soumenkov, from Kaspersky’s global research and analysis team, on Tuesday. “Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component.”

Kaspersky picked up on the malware when investigating suspicious DNS requests from a financial client’s network in Hong Kong – basically, those eight-hour pings. The team found that when Shadowpad was activated it would download more code from a command-and-control server, and hide it in a virtual file system inside the registry.
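The eight-hour TXT lookups are what gave the implant away, and a schedule like that is detectable without knowing the domain-generation algorithm. The script below is an added example (not Kaspersky’s or NetSarang’s code): it groups DNS log entries by client, query type and name, and flags any series whose inter-query gaps all sit within a few percent of an assumed period. The log lines and domain names in it are constructed for the example; the eight-hour default is the figure from the article.

```python
"""Flag DNS query series that recur on a fixed schedule (beacon detection).

Added example, not Kaspersky's or NetSarang's code. The log lines and
domain names below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: "timestamp client qtype qname". Host .22 queries a TXT
# record every eight hours; host .37 queries a normal name irregularly;
# host .51 makes a single query.
SAMPLE_LOG = """\
2017-07-20T00:03:11Z 10.1.4.22 TXT qkdsleorg-example.invalid
2017-07-20T08:03:09Z 10.1.4.22 TXT qkdsleorg-example.invalid
2017-07-20T16:03:14Z 10.1.4.22 TXT qkdsleorg-example.invalid
2017-07-21T00:03:10Z 10.1.4.22 TXT qkdsleorg-example.invalid
2017-07-20T01:12:00Z 10.1.4.37 A cdn.example.org
2017-07-20T01:15:30Z 10.1.4.37 A cdn.example.org
2017-07-20T09:40:00Z 10.1.4.37 A cdn.example.org
2017-07-20T02:00:00Z 10.1.4.51 A www.example.com
"""


def parse_log(text):
    """Group query timestamps by (client, qtype, qname)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        series[(client, qtype, qname)].append(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return series


def beacon_candidates(series, period_s=8 * 3600, tolerance=0.05, min_hits=3):
    """Return [(key, median_gap_seconds)] for series with at least min_hits
    queries whose every inter-query gap lies within tolerance of period_s."""
    flagged = []
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period_s) <= tolerance * period_s for g in gaps):
            flagged.append((key, median(gaps)))
    return flagged


def find_beacons(text, **kwargs):
    """Convenience wrapper: log text in, sorted list of flagged keys out."""
    return sorted(key for key, _ in beacon_candidates(parse_log(text), **kwargs))


if __name__ == "__main__":
    for key, gap in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{key[0]} -> {key[1]} {key[2]} every {gap / 3600:.2f} h")
```

Against real resolver logs you would feed parse_log() a day or more of queries and tighten tolerance once you know the implant’s jitter. TXT lookups for recently registered domains from hosts that otherwise make none are worth a look even when the period test does not fire.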

NetSarang has now pushed out an update to kill the loitering software nasty, and is examining how the code got into its software. It first appeared on July 13, this year, and was shipped to customers five days later on July 18. If you have the dodgy version, patch now. Antivirus tools have been updated to be on the look out for the hacked .DLL.

Kaspersky said the malware bears a certain resemblance to the PlugX and Winnti attack code used by Chinese hacking groups.

“Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator,” NetSarang said in a statement.

“The security of our customers and user base is our highest priority and ultimately, our responsibility. The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/15/netsarang_software_backdoor/

Russian malware scum post new rent-an-exploit

WebEx on Firefox is among the targets of a new exploit kit that’s started circulating on Russian nastyware exchanges.

The Disdain exploit kit is described in a report by security services outfit IntSights, which says the kit is offered by someone using the handle “Cehceny”.

David Montenegro (@CryptoInsane) says Disdain is a copy-paste of the open source BEPS exploit kit.

IntSights says the kit includes:

Disdain is rented on a daily, weekly, or monthly basis at US$80, $500, and $1,400 respectively. Victims who hit the exploit are scanned, and the kit tries to attack a number of known vulnerabilities from between 2013 and this year.

That’s where the Cisco WebEx plug-in comes in: CVE-2017-3823, which landed in January this year, is an API error that exposes an unpatched user to remote code execution.

The remaining 14 CVEs the kit tests for are browser bugs (Internet Explorer, Firefox and Edge) and three Flash bugs.

All vectors have patches available. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/16/disdain_exploit_kit/

Fancy Bear bites hotel networks as EternalBlue mystery deepens

The infamous EternalBlue exploit that fuelled the WannaCry and NotPetya attacks earlier this summer has been spotted being used as part of a campaign targeting European hotel visitors.

As an exploit said to have been leaked from the NSA, EternalBlue’s reappearance would be story enough on its own. The fact that infamous Russian hacking group known as Fancy Bear is said by security company FireEye to be the author of the attack, gives the tale added spice.

The attack itself is basically an attempt to gain persistence on hotel networks, presumably for the purposes of carrying out surveillance on the high-value guests using them.

It’s textbook APT28, aka Fancy Bear, from the use of a booby-trapped Word document sent to hotels as a way of delivering the group’s favourite Gamefish malware, to the way EternalBlue is wielded to spread via unsecured SMB.

One unusual element is NetBIOS Name Service poisoning using the open source Responder tool. When a Windows host can’t resolve a name through DNS it falls back to broadcasting an NBT-NS query on the local segment; Responder answers those broadcasts with the attacker’s own address, so the victim connects to the attacker’s machine instead of the host it wanted, which is how the tool harvests credentials.

Because this is a legacy service, removed from Windows as of Server 2012 R2, this suggests the attackers have knowledge of the unsurprising fact that hotels are using old software.
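Responder only works because it answers broadcast queries that no legitimate host would answer, so the cheapest check for its presence is to ask for a name that cannot exist and see whether anything replies. The following is an added example, not FireEye’s or Responder’s code: it builds an RFC 1001/1002 NetBIOS name query by hand, broadcasts it, and decodes any positive name response. The broadcast address and the bogus-name prefix are assumptions for the example.

```python
"""Probe a LAN segment for an NBT-NS poisoner such as Responder.

Added example; not FireEye's or Responder's code. Sends a NetBIOS name
query for a name that cannot be registered anywhere; a legitimate host
answers only for its own names, so any reply comes from a spoofer.
The broadcast address is an assumption for the example.
"""
import os
import socket
import struct

NBNS_PORT = 137
NB_TYPE = 0x0020      # RR type NB (NetBIOS general name service)
CLASS_IN = 0x0001


def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes,
    append the suffix byte, then emit each nibble as a letter 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def build_nbns_query(name, txid=None):
    """Broadcast-flagged NB name query: 12-byte header + one question."""
    txid_bytes = os.urandom(2) if txid is None else struct.pack("!H", txid)
    header = txid_bytes + struct.pack("!HHHHH", 0x0110, 1, 0, 0, 0)  # RD+B, QDCOUNT=1
    question = (b"\x20" + encode_nb_name(name) + b"\x00"
                + struct.pack("!HH", NB_TYPE, CLASS_IN))
    return header + question


def parse_nbns_response(data):
    """IPv4 addresses carried in a positive name query response ([] if none)."""
    if len(data) < 12:
        return []
    flags, qdcount, ancount = struct.unpack("!HHH", data[2:8])
    if not flags & 0x8000:            # QR bit clear: a query, not a response
        return []

    def skip_name(pos):
        while data[pos] != 0:         # length-prefixed labels, 0 terminates
            pos += 1 + data[pos]
        return pos + 1

    pos = 12
    for _ in range(qdcount):          # skip any echoed question
        pos = skip_name(pos) + 4
    addrs = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == NB_TYPE:
            for i in range(0, len(rdata) - 5, 6):   # NB_FLAGS(2) + NB_ADDRESS(4)
                addrs.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return addrs


def probe_for_poisoner(broadcast="192.168.1.255", timeout=3.0):
    """Ask for a bogus name; return [(responder_ip, [claimed_addrs])]."""
    bogus = "NOSUCHHOST-" + os.urandom(2).hex().upper()   # 15 chars
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_nbns_query(bogus), (broadcast, NBNS_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            hits.append((src, parse_nbns_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, claimed in probe_for_poisoner():
        print(f"spoofed answer from {src}: {claimed}")
```

A positive response to a name nobody registered is a poisoner (or a misconfigured host that deserves a visit either way); run it from the segment guests actually sit on, since that is where a Responder in this campaign would be. The structural fix is to disable NetBIOS over TCP/IP and LLMNR on the hosts, which removes the broadcast these tools answer.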

Hotel networks are not a new interest for hacking groups, as the unconnected 2014 “Darkhotel” attacks, which targeted CEOs, underlines.

From Fancy Bear’s perspective, EternalBlue is being used here as a means to an end, and one that has clearly had some success.

We’ve covered the group (aka APT28, Sofacy, Strontium) on numerous occasions, usually in connection with attacks alleged to be the work of the Russian state.

A few weeks ago it emerged that Microsoft had, without publicising it, started legal proceedings in 2016 to seize 70 domains used by the group, in an effort to curtail its phishing campaigns.

Coincidentally (or not), in mid March, the company patched the vulnerability exploited by EternalBlue, MS17-010, weeks before a group called the Shadow Brokers made it public. How did Microsoft know about it? Speculation pointed to the possibility that it had been tipped off by the NSA which knew attacks with its leaked tools were likely.

The company’s president and chief legal officer Brad Smith later very pointedly described WannaCry as “yet another example of why the stockpiling of vulnerabilities by governments is such a problem”.

EternalBlue, Fancy Bear, Shadow Brokers: joining the dots here is like unravelling the plot “MacGuffins” made famous by film director Alfred Hitchcock, where the audience thinks it knows what’s important in a story when in fact it’s being craftily misled.

Not knowing what’s going on can be confusing but also pleasurable, as long as everything is explained at the end. It’s where that end will actually end that remains the disconcerting bit.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bQsnFH4O2lI/

News in brief: teen scoops Excel prize; four arrested over GoT leak; web firm fights DoJ ‘overreach’

Your daily round-up of some of the other stories in the news

Teen has the winning formula

Most of us have a love-hate relationship with Microsoft Excel, or possibly even a hate-hate relationship with Excel. For those of us in the latter category, it’s hard to imagine the skill and dedication you’d need to match the achievement of 17-year-old John Dumoulin, who, having won an international competition in California, can rightfully claim to be the King of Excel.

Dumoulin, an Eagle Scout from northern Virginia, who works part time in a fast-food joint where presumably there isn’t much call for his spreadsheet skills, was one of 150 participants from 49 countries who had made it to the final round of the competition, whittled down from more than 560,000 would-be champions from 122 countries.

CNN reported that the 17-year-old, who won a $7,000 prize, had started building spreadsheets to track his favourite baseball team. He told Fortune: “I’m a huge numbers guy”, and added that he prefers Excel to Google Sheets.

Four arrested over GoT episode leak

Four people have been arrested in India in connection with the leaking online of a stolen episode of Game of Thrones, the BBC reported on Tuesday.

The four alleged thieves work for a Mumbai company that stores and processes HBO TV programmes for an app, which filed the case.

This arrest isn’t apparently connected to the ongoing data breach at HBO, which has seen the apparent hackers make extravagant claims of what they’ve managed to steal, and extravagant demands for cash.

Deputy commissioner of police Akbar Pathan told AFP: “We investigated the case and have arrested four individuals for unauthorised publication of the fourth episode from season seven.” The four will be held until August 21, he added.

Web host fights DoJ ‘overreach’

The US Department of Justice has demanded that Dreamhost, a US web-hosting company, hand over the details of millions of people who visited a website that helped co-ordinate the protests on the day of Donald Trump’s inauguration as president in January.

Dreamhost has refused to comply, pointing out that the search warrant covers 1.3m visitor IP addresses “in addition to contact information, email content and photos of thousands of people – in an effort to determine who simply visited the website”.

The search warrant was served on July 17, and Dreamhost said on Monday that it would challenge the government’s demands in court. Dreamhost said that it had handed over “limited customer information about the owner of the website”, disruptj20.org.

However, said Dreamhost, the search warrant “is a strong example of investigatory overreach and clear abuse of government authority”, adding that its general counsel, Chris Ghazarian, had “taken issue with this particular search warrant for being a highly untargeted demand that chills free association and the right to free speech afforded by the Constitution”.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/72IsBpyWRDk/

Fresh Microsoft Office franken-exploit flops – and you should have patched by now anyway

Updated: A booby-trapped .RTF file is doing the rounds that combines two publicly available Microsoft Office exploits.

Opening the document in a vulnerable installation of Office is supposed to execute the malicious code embedded in the file.

Cisco’s security outfit Talos believes “the attackers used the combination to avoid Word displaying [an on-screen] prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems.”

In other words, crooks mashed two exploits together to stop a dialog box appearing mid-attack, which might tip off savvy users, and to confuse and evade antivirus packages. The combo-exploit leverages CVE-2017-0199, patched by Microsoft in April this year, and CVE-2012-0158, a much older MSCOMCTL bug patched back in April 2012.

The code doesn’t work properly, though, indicating “poor testing or quality control procedures”, Talos said. However, this does show a level of experimentation by crims seeking to use the Ole2Link bug CVE-2017-0199 as a means to launch additional weaponised files and avoid user prompts.
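Both halves of the combo leave file-level tells that can be checked statically, which is handy when a sample, like this one, doesn’t actually run. The triage script below is an added example, not Talos’s tooling: it looks for the \objupdate control word (which forces a linked object to refresh when the document opens, and is what lets CVE-2017-0199 samples fire without a click), the OLE2Link class name inside \objdata, and the MSCOMCTL ListView control targeted by CVE-2012-0158 exploits. The two CLSID constants are included as assumptions to verify against your own samples; the RTF in the block is constructed and carries no exploit code, only the markers.

```python
"""Static triage of RTF for CVE-2017-0199 (OLE2Link) and CVE-2012-0158
(MSCOMCTL ListView) indicators.

Added example; not Talos's tooling. CLSID constants are assumptions to
verify against your own samples. SAMPLE_RTF is constructed and carries
no exploit code, only the markers.
"""
import re

# {00000300-...} is the StdOleLink/OLE2Link class; {BDD1F04B-...} is the
# MSCOMCTL ListView control. Both are assumptions; check against real samples.
OLE2LINK_CLSID = "00000300-0000-0000-C000-000000000046"
LISTVIEW_CLSID = "BDD1F04B-858B-11D1-B16A-00C0F0283628"


def _clsid_bytes(clsid):
    """GUID as laid out in an OLE stream: first three fields little-endian."""
    d1, d2, d3, d4, d5 = clsid.split("-")
    return (bytes.fromhex(d1)[::-1] + bytes.fromhex(d2)[::-1]
            + bytes.fromhex(d3)[::-1] + bytes.fromhex(d4) + bytes.fromhex(d5))


def extract_objdata(rtf):
    """Decode each \\objdata hex blob to bytes, ignoring whitespace."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b([^{}]*)", rtf):
        hexstr = re.sub(rb"[^0-9a-fA-F]", b"", m.group(1))
        if len(hexstr) % 2:            # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def triage_rtf(rtf):
    """Return a list of human-readable findings for the RTF bytes."""
    findings = []
    if re.search(rb"\\objupdate\b", rtf):
        findings.append("objupdate: object refreshes on open (CVE-2017-0199 pattern)")
    for blob in extract_objdata(rtf):
        if b"OLE2Link" in blob or _clsid_bytes(OLE2LINK_CLSID) in blob:
            findings.append("OLE2Link object in objdata (CVE-2017-0199)")
        if _clsid_bytes(LISTVIEW_CLSID) in blob or b"MSComctlLib.ListViewCtrl" in blob:
            findings.append("MSCOMCTL ListView control in objdata (CVE-2012-0158)")
    return findings


# Constructed sample: an auto-updating linked object whose data names
# OLE2Link, followed by an embedded object carrying the ListView CLSID.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi "
    b"{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 0105000002000000" + b"OLE2Link".hex().encode() + b"}}"
    + b"{\\object\\objemb{\\*\\objdata 01050000"
    + _clsid_bytes(LISTVIEW_CLSID).hex().encode() + b"}}"
    + b"}"
)

if __name__ == "__main__":
    for finding in triage_rtf(SAMPLE_RTF):
        print(finding)
```

Either finding on its own is enough to quarantine a document that arrived by email; the pair together is the signature of this particular experiment. The check is deliberately dumb about obfuscation (RTF parsers tolerate a lot of junk between control words), so treat a clean result as “nothing obvious”, not as safe.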

“This attack may have been an experiment that didn’t quite work out, or it may be indication of future attacks yet to materialise,” Cisco Talos warned on Monday.

A Microsoft spokesperson told us: “We released a security update in April. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”

So, make sure you’re patched. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/15/combo_office_exploits_attack/

Uber to bend over, take privacy probe every two years for next 20 years

Uber and America’s trade watchdog have reached a settlement following claims the taxi app maker lied about the extent to which its staff can mine customers’ personal info for fun.

The Federal Trade Commission’s formal complaint [PDF] against the troubled San Francisco biz slammed the upstart’s “God View” – an internal tool that displayed drivers’ and passengers’ live locations, and which the company reportedly showed off at a party – and its staff for allegedly looking through user accounts for no good reason. Pop siren Beyonce was among the celebs and normal folk who had their records pried up by nosy Uber workers, it is claimed.

“Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data,” the biz said in response to the claims. “The only exception to this policy is for a limited set of legitimate business purposes. Our policy has been communicated to all employees and contractors.”

Uber said it had set up a system to detect unauthorized accesses to ensure customers’ data remained out of the hands of prying staff, and the FTC notes it did so in December 2014. However, this monitoring system was never finished nor staffed, the FTC found, and in August 2015 Uber stopped using it altogether and didn’t install a replacement until May 2016.

As well as this lapse in customer privacy, Uber was also slack with security, according to the watchdog. Despite repeated statements on its website claiming to protect people’s information, the FTC found that Uber wasn’t doing so – and so did at least one hacker.

On May 12, 2014, an Uber engineer uploaded to GitHub the keys to an Amazon S3 bucket containing internal records on thousands of drivers. Someone spotted the key and used it to access over 100,000 unencrypted names and driver’s license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers from the AWS bucket.

Uber didn’t even discover the mistake until September 2014 and was tardy in warning its cabbies, the FTC found. Some drivers didn’t get a warning letter about the break-in until July 2016, after it found the intrusion was more widespread than first thought. It was initially thought that 50,000 drivers were exposed by the Git cockup – the real number turned out to be double that.
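A committed access key is the kind of mistake that is cheap to catch before it reaches GitHub. The scanner below is an added example, not anything from Uber or the FTC filing: it matches the public AWS access-key-ID format and, for secret keys, a 40-character run near an “aws … secret/key” label that also has high Shannon entropy, which keeps placeholder strings from tripping it. The sample text is constructed; the keys in it are the placeholders from AWS’s own documentation, not live credentials.

```python
"""Find AWS credentials in text before it reaches a repository.

Added example; not Uber's or the FTC's material. Access key IDs use the
public AWS format (AKIA/ASIA + 16 uppercase alphanumerics); secret keys
are found as a 40-character run near an "aws ... secret/key" label and
must also have high Shannon entropy, which filters placeholders.
SAMPLE_CONFIG is constructed; its keys are AWS's documentation examples.
"""
import math
import re
import subprocess
from collections import Counter

ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"aws.{0,20}?(?:secret|key).{0,20}?['\"=:\s]([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE)

SAMPLE_CONFIG = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET = "driver-records"
notes = "AKIA is the prefix but this line has no key"
"""


def shannon_entropy(s):
    """Bits per character; random base64 sits near 5, repeated text near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def find_aws_credentials(text, min_entropy=4.0):
    """Return [(line_no, kind, value)] for every credential-looking token."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((lineno, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= min_entropy:
                hits.append((lineno, "secret_access_key", m.group(1)))
    return hits


def scan_staged_changes():
    """Pre-commit use: scan only the lines being added in `git diff --cached`."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=False).stdout
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return find_aws_credentials(added)


if __name__ == "__main__":
    for hit in find_aws_credentials(SAMPLE_CONFIG):
        print("line %d: %s %s" % hit)
```

Wire scan_staged_changes() into a pre-commit hook and fail the commit on any hit. Any key that does reach a public repository should be treated as compromised and rotated immediately, whatever the hook says, because scrapers watch GitHub for exactly this pattern.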

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC acting chairman Maureen Ohlhausen today.

“This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

As part of the settlement [PDF] Uber promises to protect its customer and driver data more carefully, and will hire a third party auditor to check that it’s doing so every two years for the next two decades. It can be fined $40,654 per offense if it breaks the settlement. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/15/uber_ftc_settlement/

How much HBO hackers have is hazy; what they want is clear – cash

How much has “Mr Smith” really stolen from HBO?

So far, only he (actually “they” – “Smith” has said he speaks, “on behalf of my colleagues”) knows for sure.

But, a couple of weeks since the announcement of the hack landed in the inboxes of an unknown number of selected entertainment reporters, everybody now knows what they want: money. Somewhere in the $6m to $7.5m range, if you believe their claim that this is what they usually make for six months of “work”.

And while HBO’s initial response included some pleasantries and an offer of $250,000 (not even close to the ransom demand) as a “bug bounty”, that was before the leaks continued.

After the latest, on Sunday, which included several episodes of a new season of Curb Your Enthusiasm, not due to air until October, plus episodes of Ballers, Barry (not set for release until next year) and The Deuce (set for September) its rhetoric became much more openly hostile. A portion of a statement to the press after that leak declared:

We are not in communication with the hacker and we’re not going to comment every time a new piece of information is released … The hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention. That’s a game we’re not going to participate in.

Quite a change in tone from a July 27 email from HBO executive John Beyler, thanking the group and offering the “bug bounty for making us aware” of previously unknown security vulnerabilities.

Which likely means HBO is spending its money and time trying to find and shut down the hackers rather than negotiate – not that the two sides were even in the same ballpark. HBO’s “offer”, which reportedly was more of a stalling tactic, was about 4% of the hackers’ minimum demand, which they have said is non-negotiable.

So HBO’s next move, if there is one, will probably depend on how much damage the company thinks Smith and Co. can do. And that remains hazy.

The hackers have made extravagant claims. A July 23 video message to HBO CEO Richard Plepler that Mashable posted last week, of scrolling text accompanied by background music from the network’s super-hit Game of Thrones (GoT) soundtrack, is a grammarian nightmare of disjointed, rambling detail. They said they have:

… highly confidential Documents, IT related data, Scripts and etc. these data dump, as you will see, contains HBO’s Various Contracts, Mutual Agreements, Human resources, internal structure, International affiliates, Business strategies, international Marketing, IT infrastructures, producing films Series (with very detail info!), budget detail for major operations, how you sell and how much!, various strategic insights in every aspects, confidential research, internal letters Tax Evading Proofs! Nielsen’s Dirty Job! etc.

Also, we obtained full scripts and cast list of your (and our) very popular TV series; Game of thrones S7 … we obtained enormous amount of Full scripts and full length films and series which will be broadcast in upcoming months!

But, as various observers have noted, the material posted so far is vastly short of the 1.5 terabytes of data they claim to possess – a single terabyte can hold an estimated 500 hours of video.

Not that it is trivial. Besides Sunday’s leak, it includes multiple scripts from upcoming GoT episodes, pending episodes of other shows like Ballers and Room 104, a month’s worth of email from the account of HBO’s vice president for film programming, and internal documents including marketing spreadsheets, media plans for GoT, a report of legal claims against HBO and job offer letters to top executives.

What it hasn’t included is the kind of information that inflicted such damage on Sony when it was hacked, allegedly by North Korea, in 2014 – personal information including salaries and Social Security numbers of nearly 50,000 current and former employees, contact information for Hollywood stars, plus a trove of thousands of embarrassing executive emails along with several unreleased movies. That led to a multi-million-dollar settlement with Sony employees.

The views of how much trouble this is for HBO are mixed. The Wall Street Journal called it a “prolonged crisis … Hanging over HBO now is the daily threat of leaks of sensitive information …”

But Deadline suggested the piddling $250,000 offer to the hackers means there is “more smoke than fire,” to their claims.

Indeed, Plepler continued to insist last week that “we do not believe that our e-mail system as a whole has been compromised, but the forensic review is ongoing”.

Amid the speculation, however, for a while the correspondence, from both sides, sounded a bit like a script from an alternate reality show. In what was obviously a ransom note, “Mr Smith” overflowed with compliments to Plepler, saying HBO was “one of our difficult targets to deal with,” called the network, “pioneering in TV programming worldwide,” and declared, “we are your fans as are many other ordinary people”.

Smith said his is a group of “white-hat hackers … (who) don’t want to endanger HBO’s situation nor causing to lose its reputation. We want to be your partner in a tiny part of HBO’s huge income.”

He then demanded that “You pay our 6 month salary in bitcoin and we get away from your map,” which they should simply consider compensation for “a huge pentest” by a group of “IT professionals.” While he listed the demand as “XXXX dollars,” he claimed – without offering a shred of evidence, of course – that the group generally makes $12m to $15m a year. He also claimed HBO is the group’s 17th target, that only three of their previous victims have refused to pay, and said the group spends up to $500,000 a year on zero-day exploits.

Beyler’s response was eerily polite as well, taking the tone that these are indeed white-hat hackers and not common criminals. Along with the “good faith” offer of the “bug bounty” of $250,000, he wrote, “You have the advantage of having surprised us. In the spirit of professional cooperation, we are asking you to extend your deadline for one week.”

Variety and others reported that the offer wasn’t considered serious – that it was just a stalling tactic (http://variety.com/2017/tv/news/hbo-hacker-leaks-message-from-hbo-offering-250000-bounty-payment-exclusive-1202522897/).

All of which means, by the time the dust (and the money) settles, this could be considered a candidate for a few episodes of yet another HBO show – Silicon Valley.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gKGbwkC-lgI/

How shared Android libraries could be weaponized for data theft

Android users know the routine: download an app and a box appears asking for permission to talk to other apps. Knowing that the app needs that access to work properly, the user clicks “OK” without a second thought. But what happens when one app abuses that access to tamper with another?

The answer, according to researchers Vincent Taylor and Ivan Martinovic of Oxford University and Alastair Beresford of the University of Cambridge, is that a library can quietly accumulate far more of the user’s data than any one app was granted access to. They call this kind of attack intra-library collusion (ILC) and describe it this way in a paper they published on August 11:

This attack occurs when a single library embedded in more than one app on a device leverages the combined set of permissions available to it to pilfer sensitive user data. The possibility for intra-library collusion exists because libraries obtain the same privileges as their host app and popular libraries will likely be used by more than one app on a device.

The researchers say they used a dataset of more than 30,000 smartphones and found that many popular third-party libraries have the potential to aggregate significant sensitive data from devices by using intra-library collusion. Several popular libraries already collect enough data to facilitate this attack, they wrote, adding:

Individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted.

They also analyzed 15,000 popular apps (those with more than a million downloads each). Among other things, they found that the com.facebook library was the most popular, used in 11.9% of the apps they reviewed. Libraries for Google Analytics (9.8%) and Flurry (6.3%) were widespread as well.
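The mechanism is easy to quantify for your own device or app estate. The script below is an added example, not the researchers’ code: given each app’s manifest permissions and the libraries it bundles (in practice pulled from the APKs with aapt or apkanalyzer; here constructed inline with invented package names), it reports the union of permissions each library inherits across its host apps and how far that exceeds what any single host granted it.

```python
"""Aggregate what a shared library can see across every app that embeds it.

Added example; not the researchers' code. App manifests and library lists
are constructed inline with invented package names; in practice you would
pull them from the APKs with aapt or apkanalyzer.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def manifest_permissions(manifest_xml):
    """Set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def library_views(apps):
    """apps: {app_package: (manifest_xml, {library_package, ...})}
    Returns {library: {"union": set, "max_single": int, "hosts": [apps]}}."""
    views = {}
    for app, (manifest_xml, libs) in sorted(apps.items()):
        perms = manifest_permissions(manifest_xml)
        for lib in libs:
            v = views.setdefault(lib, {"union": set(), "max_single": 0, "hosts": []})
            v["union"] |= perms
            v["max_single"] = max(v["max_single"], len(perms))
            v["hosts"].append(app)
    return views


def collusion_gain(views):
    """Extra permissions each library gains over its best single host app."""
    return {lib: len(v["union"]) - v["max_single"]
            for lib, v in views.items() if len(v["union"]) > v["max_single"]}


def _manifest(*perms):
    body = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            + body + "</manifest>")


# Constructed device: three apps, two shared SDKs.
SAMPLE_APPS = {
    "com.example.weather": (_manifest("ACCESS_FINE_LOCATION", "INTERNET"),
                            {"com.adnet.sdk", "com.analytics.sdk"}),
    "com.example.messenger": (_manifest("READ_CONTACTS", "READ_SMS", "INTERNET"),
                              {"com.adnet.sdk"}),
    "com.example.fitness": (_manifest("ACTIVITY_RECOGNITION", "INTERNET"),
                            {"com.analytics.sdk"}),
}

if __name__ == "__main__":
    views = library_views(SAMPLE_APPS)
    for lib, gain in collusion_gain(views).items():
        print(f"{lib}: {len(views[lib]['union'])} permissions via {views[lib]['hosts']} "
              f"(+{gain} over any single host)")
```

The interesting output is not the count but the combination: in the constructed data the ad SDK ends up with location, contacts and SMS together, a set no single app asked for and no permission prompt ever showed the user.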


They also found that in general, advertiser libraries “leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day.”

Who benefits?

What to do?

The ultimate question is how to protect oneself from this threat. The researchers admitted there are no easy answers. Simply restricting the privileges a library inherits from its host apps would blunt the attack, but it would also make ad targeting harder, and developers who rely on that ad revenue have little incentive to accept it.

Governments could also enact legislation to force ethical behavior, or major app providers could sharpen their developer policies. But those are limited options because, as the researchers noted, the bad guys work around the rules as a matter of routine.

Our advice, for now: when you download an app and it seeks permission to access certain phone features and libraries, think hard about whether it’s an app you truly need.

Also, the continued presence of malicious Android apps demonstrates the need to use Android antimalware such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.

In the bigger picture, the average Android user isn’t going to know what techniques the malware used to reach their device’s doorstep, whether it’s intra-library collusion or something else. But they can do much to keep it from getting in – especially when it comes to the apps they choose. To that end, here’s some more general advice:

  • Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “better camera” and “higher-res screen”?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RTXBXSHOQ_I/

Too many big online brands allow terrible passwords

Bad passwords, we are told with exhausting regularity, are where users consistently mess up their online security. But might big companies also be at fault for designing weak password behaviour into their websites?

An assessment of the password design of 37 well-known big online websites and apps by password manager company Dashlane ventures an answer: many sites are quite good, a few are improving, and a hard core that includes some of the web’s biggest brands remains surprisingly sketchy.

Dashlane, it should be said, has something to gain by pointing out lousy password design, because its business model is built around selling password management software that it claims is the answer.

This doesn’t disqualify the company’s findings however, which were measured against five criteria: minimum password length, the enforcement of alphanumeric passwords, whether a strength assessment is offered, resistance to brute-forcing (in other words, locking accounts after too many incorrect answers), and whether or not multi-factor authentication is available.

There’s quite a lot going on here, but let’s start with the juicy naming and shaming bit because there are some real surprises.

Scoring a fat zero out of five were Uber, Spotify, Pandora and Netflix, with Walmart, Instagram, Pinterest, SoundCloud, Evernote, Macy’s and Dropbox on 1/5. Turning to enterprise sites, things improved slightly, but even here Amazon Web Services (AWS) and Freshbooks scored 1/5, with MongoDB and DocuSign on 2/5.

This means that a user can sign up for many of these sites by entering a simple password below eight characters (“aaaaaaa”, say), and it won’t object. Should an attacker try to brute-force this, failed attempts won’t necessarily prompt intervention.

There’s nothing stopping users creating long, complex passwords and using these sites more securely. The issue is these sites don’t care either way.
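Most of the five criteria are a few lines of server-side code. The following is an added example, not Dashlane’s code or any of the named sites’: a policy check covering minimum length, letters-plus-digits, a crude strength estimate and a placeholder common-password list, plus a lockout counter for the brute-force criterion. The thresholds (eight characters, five failures, fifteen-minute lockout) and the tiny denylist are assumptions for the example; multi-factor availability is a deployment property rather than something a validator can enforce, so it is left out.

```python
"""Server-side password policy and login throttling.

Added example; not Dashlane's code nor any site's. Thresholds and the
common-password list are assumptions for the example.
"""
import math
import time

MIN_LENGTH = 8
MIN_STRENGTH_BITS = 40
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
# Placeholder for a real breached/common-password list (assumption).
COMMON_PASSWORDS = {"password1", "12345678", "qwerty123", "letmein1"}


def strength_bits(password):
    """Crude entropy estimate: log2(charset) * length, scaled by the share of
    distinct characters so "aaaaaaaa" scores far below "a7Gk#p2Q"."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    distinct_ratio = len(set(password)) / max(len(password), 1)
    return math.log2(charset or 1) * len(password) * distinct_ratio


def validate_password(password):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if strength_bits(password) < MIN_STRENGTH_BITS:
        problems.append("estimated strength too low")
    return problems


class LoginThrottle:
    """Per-account failed-login counter; locks the account for
    LOCKOUT_SECONDS after MAX_FAILURES consecutive failures."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable for tests
        self.state = {}             # account -> (failure_count, locked_until)

    def allowed(self, account):
        """True if a login attempt for `account` may be processed now."""
        _, locked_until = self.state.get(account, (0, 0.0))
        return self.clock() >= locked_until

    def record(self, account, success):
        """Update the counter once an attempt's outcome is known."""
        if success:
            self.state.pop(account, None)
            return
        count, locked_until = self.state.get(account, (0, 0.0))
        count += 1
        if count >= MAX_FAILURES:
            locked_until = self.clock() + LOCKOUT_SECONDS
            count = 0
        self.state[account] = (count, locked_until)


if __name__ == "__main__":
    for candidate in ("aaaaaaa", "Password1", "correct-horse-battery-9"):
        print(candidate, "->", validate_password(candidate) or "accepted")
```

Note what the lockout does and does not buy you: it stops online guessing against one account, but a per-account counter does nothing against an attacker spraying one common password across many accounts, which is why the common-password check and rate limits per source address belong alongside it.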

This sharply contrasts with GoDaddy (5/5) and Apple, Best Buy, Home Depot, Microsoft, PayPal, Skype, Toys ‘R’ Us and Tumblr (all 4/5) which enforced all or most of the criteria.

Users should be vigilant about passwords, conceded Dashlane CEO Emmanuel Schalit. Nevertheless:

Companies are responsible for their users, and should guide them toward better password practices.

He’s right, of course – sites should care when users enter weak passwords. Given how simple some of this would be to implement, it’s surprising it’s an issue at all.

Some of the sites rated weak will doubtless object that website security is more complex than these criteria suggest. They, too, are right. Multi-factor authentication, for example, is an essential layer these days but some sites implement it more securely than others. It’s not a simple tick box.

One might also quibble about the importance of whether a site tells its users that a password is or isn’t secure when this is already enforced by policy.

Some will suspect companies’ weak password policies simply betray a lack of faith in good choices, which get re-used, phished and breached. Alternatively, they just think being fussy about passwords is a barrier to attracting users to sign up for and use their services, particularly those based around mobile apps.

This is short-sighted. Good security is communicated precisely by a fastidiousness about passwords. Even as their significance as a primary security mechanism declines, deep down, people know that passwords still say an awful lot about users and the companies they are drawn to.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xtDY9EEvKxE/