Your passwords sux!

I have said on Facebook that LastPass is the tool everyone needs to be using, but I am not always clear about why I pick the tools I think deserve your attention.  Every week I get news and security tidbits from the podcast linked below.  What I love about this particular source of information is that Steve Gibson provides ALL the details, dives deep, and leaves no stone unturned.  I know this is the second post in a row about Steve's stuff, but I really did get a Facebook message from a cousin today asking why he should trust LastPass with his passwords.

The short answer is that LastPass does not get your passwords.  Your vault is encrypted on your own machine with a key derived from your master password, and only that encrypted blob is sent to them; the master password itself never leaves your computer.

The encryption and decryption run in your browser (in the extension's own code), even though it may look like it is happening on their site.  I am no longer 100% clear on the details myself, so I will have to re-listen to the first podcast below.

LastPass and why you can trust it:
Text http://www.grc.com/sn/sn-256.htm Audio http://media.grc.com/sn/SN-256.mp3

LastPass and why you should use it:
Text http://www.grc.com/sn/sn-366.htm Audio http://media.grc.com/sn/SN-366.mp3

There are some account recovery features that the paranoid should look into and consider disabling, since anything that can get you back into your vault without the master password is also a way around it (but think it through, know what you are doing, and trust your decision before you turn them off).

Always Swim Up

Math is fun, yes indeed.

I love to listen to these guys chat, Leo and Steve.  Recently I needed to get a friend up to speed on secure key exchange, not the simplest topic on the roster.  Just how do we share a secret over the Internet while we know others are watching and intercepting our communications?  We do it with math (Diffie-Hellman key exchange, in this case).  Math, when used like this, forces you to want to learn even more math.  Really, math is fun, and you will be smarter if you learn it.

The first 15 minutes of this podcast prove to me that the more math you can take in the better off you will be in life.

http://media.grc.com/sn/SN-034.mp3 (100% relevant regardless of when it was recorded)

Who did not see this one coming? Verified by…

Visa and others.  The first time a “Verified by Visa” page popped up, you said “cool, this is a very good thing, Visa is making the web safer.”  If you thought that, you can now go to the back of the class.  You should have been thinking: what sort of phishing scam is this?  Where is the URL bar for this popup, and why would I sign up for this service from a little dialog on some merchant's site?  Does Visa even have a website?  Does my bank know about this?

Now, for those of you at the back of the class, the zbot (Zeus) botnet has been augmented to shoot phish in a barrel.  You are the phish, unfortunately.  Thank you, Visa, for the swimming lessons (NOT).

Read more on the zbot botnet and how it is mimicking the Verified by Visa screens here:

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=56#sID301