info@qualityplusconsulting.com l +1 262-553-6510

QPC podcasts have moved

Please forgive our old content here while we reorganize and redo our old website.

All new QPC podcasts are hosted on a more convenient platform for all of us.

Please visit https://qpcsecurity.podbean.com where you can use the Podbean mobile app, stream directly from the site, and sign up for the RSS feed.

Breakfast Bytes - Multifactor Authentication

8/5/2016


Multifactor Authentication - Why you should use it
MP3 - Multifactor Authentication


Multifactor authentication is available almost everywhere, and you should be demanding it.

MFA is already available on these platforms and hundreds more:

  • Office 365
  • LinkedIn
  • Twitter
  • On-premises AD logins are MFA capable
  • Social Security Administration - As of 8/1/2016, SMS-based MFA is required on all SSA accounts. Go get your account set up with MFA.

Corey Nachreiner did a good video contrasting the relative security of SMS-based versus SSL app-based MFA.

https://www.secplicity.org/2016/07/28/secure-sms-2fa-daily-security-byte/

I agree with him that SMS-based MFA is not as secure as other methods, but it is more secure than not using MFA.

Office 365 and Twitter accounts hacked due to lack of MFA (among other security shortcomings)

Last week I assisted a new contact with un-hacking their Office 365 account. This was now the THIRD time that his account had been compromised and used to send massive amounts of spam and malicious emails. Microsoft recently published a statistic that 75% of all compromises are done using stolen credentials. You have to realize that, by default, there are no limits on where in the world that account can be logged on to, and you have no awareness of it. As a result, it's entirely possible that anyone from any country can log on to your account if they know the username and password combo. The username is easy to guess.

Only with an E5 subscription, a lot of complex security setup, and monitoring by an enterprise security consultant like myself will you have visibility into where your account is being logged on to. So unless you have that level of protection and security complexity, what can you do? Well, you can use MFA everywhere you can. This really is not hard. You just need to work up the guts to turn it on and work through it instead of feeling like you are being inconvenienced.

To me, having a slightly longer authentication process that dramatically increases security and makes MY PRESENCE a required part of the authentication process is not an inconvenience. An inconvenience would be having your stuff hacked and then having to deal with that. I can tell you from experience that if your stuff is hacked, it can take months and months to dig out of it.

Websites hacked and hardening them

I learned the hard way how to harden websites and secure them from being hacked. It is something that the vast majority of web developers really do not understand. I know they don't understand it because they aren't using GeoIP blockers, they aren't requiring MFA for site admins, and they skip many other basic security features. Most web developers still use FTP, which sends credentials in clear text across the internet. As a result of my experience, I now do all the management for my website because I could not find a web developer that understood security as well as I did. And my website had been hacked previously due to a lack of knowledge of how to protect the site by the person I hired to do so. I also hired another developer to un-hack the website. They were not able to actually fully un-hack the website.

Only months of my persistent work was able to resolve the issue. The bad guys had intentionally hacked my website for the purpose of trying to use it to infect my internal systems. But I have so many layers of protection in place that the technique was not successful. So ask yourself, what do you have time for? Would you like to spend months and months as well as thousands of dollars getting un-hacked, or would you opt to have a slightly longer authentication process?

The Florida person I worked with told me that their Twitter account had also been compromised, and the security logs in Twitter showed that someone in Sweden had logged on to his account. That could be a Tor-masked authentication location where the hacker was not really in Sweden. Regardless, it means that unauthorized parties were logging on to his accounts. It was also VERY strong evidence of a keystroke logger on his system. When I investigated the situation, he had no host-based security product on his system and had no perimeter security appliance. No wonder he had been compromised. His computing was flying wide open with no protections. He also was not installing software patches on his system in a timely fashion. Working with him on his computer for a while demonstrated that multiple browsers were misbehaving, suggesting that they were compromised.

Massive 3 GB update for Windows 10 actually fixes OneDrive issues

Various OneDrive components and flavors, and what they are for, are discussed.
