How risk-based authentication has become an essential security tool

It used to be that adaptive authentication (also called risk-based authentication or RBA) forced a trade-off between usability and security, but that is no longer the case. A few years ago, security managers placed security above usability, forcing users to be like Chicago voters: authenticate early and often. Today’s RBA tools can improve the overall customer experience, help meet compliance regulations, and simplify a patchwork of numerous legacy banking technologies.

IT teams’ security fears should resonate strongly with the C-suite

Despite recurring headlines reporting high-level cyber attacks on organisations of various sizes, businesses are failing to protect themselves from escalating threats. The latest industry survey by ManageEngine, exploring UK-based IT professionals’ outlook on cyber security and cloud adoption, has revealed startling levels of disregard towards IT security, with almost half of the respondents reporting that they install security updates and patches rarely, only occasionally, or never at all.

masscan, macOS, and firewall

One of the more useful features of masscan is the “--banners” check, which connects to the TCP port, sends some request, and gets a basic response back. However, since masscan has its own TCP stack, it’ll interfere with the operating system’s TCP stack if they are sharing the same IPv4 address. The operating system will reply with a RST packet before the TCP connection can be established.

Bail reform has a complex relationship with tech

On any given day in the United States, more than 450,000 people are behind bars awaiting their constitutionally mandated fair trial. None of them have been convicted of a crime — they’ve been accused of committing a crime, but no formal ruling of guilt or innocence has been made. That means these hundreds of thousands of people are incarcerated simply because they don’t have the financial means to post bail. 

A simple solution to end the encryption debate

Criminals and terrorists, like millions of others, rely on smartphone encryption to protect the information on their mobile devices. But unlike most of us, the data on their phones could endanger lives and pose a great threat to national security.

Application Security Weekly for May 20


Pretty big encryption news this week. A well known flaw in HTML emails that are encrypted with S/MIME or PGP was “discovered” by some researchers, and given the full name, website, and logo treatment. Even the EFF chimed in and astonishingly suggested people uninstall their encryption tools. The risk was largely overblown; take a look at the #efail tag on Twitter. Here are a few links that give part of the story.

40 Cellphone-Tracking Devices Discovered Throughout Washington

The investigative news “I-Team” of a local TV station in Washington D.C. drove around with “a leading mobile security expert” — and discovered dozens of StingRay devices mimicking cellphone towers to track phones and intercept calls in Maryland, Northern Virginia, and Washington, D.C. An anonymous reader quotes their report: The I-Team found them in high-profile areas like outside the Trump International Hotel on Pennsylvania Avenue and while driving across the 14th Street bridge into Crystal City… The I-Team’s test phones detected 40 potential locations where the spy devices could be operating, while driving around for just a few hours. “I suppose if you spent more time you’d find even more,” said D.C. Councilwoman Mary Cheh. “I have bad news for the public: Our privacy isn’t what it once was…”

The good news is about half the devices the I-Team found were likely law enforcement investigating crimes or our government using the devices defensively to identify certain cellphone numbers as they approach important locations, said Aaron Turner, a leading mobile security expert… The I-Team got picked up [by StingRay devices] twice off of International Drive, right near the Chinese and Israeli embassies, then got another two hits along Massachusetts Avenue near Romania and Turkey… The phones appeared to remain connected to a fake tower the longest, right near the Russian Embassy.

This Week in Security News: Hackers and Cyber Attackers

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, Chili’s parent company – Brinker International – announced that consumer credit and debit card information had been compromised at some locations. In addition, Trend Micro helped the FBI take down the hackers behind the notorious malware, Scan4You.

Siempo’s new app will break your smartphone addiction

A new app called Siempo wants to un-addict you from your smartphone and its numerous attention-stealing apps. To do so, Siempo replaces an Android device’s homescreen, while also taking advantage of a number of design principles to push distractions further away, and give you more control over your notifications.

FCC Investigating LocationSmart Over Phone-Tracking Flaw

The FCC has opened an investigation into LocationSmart, a company that is buying your real-time location data from four of the largest U.S. carriers. The investigation comes a day after a security researcher from Carnegie Mellon University exposed a vulnerability on LocationSmart’s website. CNET reports: The bug has prompted an investigation from the FCC, the agency said on Friday. An FCC spokesman said LocationSmart’s case was being handled by its Enforcement Bureau. Since The New York Times revealed last week that Securus, an inmate call tracking service, had offered the same tracking service, Sen. Ron Wyden, a Democrat from Oregon, called for the FCC and major wireless carriers to investigate these companies. On Friday, Wyden praised the investigation, but requested that the FCC expand its look beyond LocationSmart.

“The negligent attitude toward Americans’ security and privacy by wireless carriers and intermediaries puts every American at risk,” Wyden said. “I urge the FCC expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans.” He is also calling for FCC Chairman Ajit Pai to recuse himself from the investigation, because Pai was a former attorney for Securus.