26.5.18

Facebook refines 2FA setup, adds authenticator app support
Do try this at home! If you haven’t taken advantage of the extra protection that two-factor authentication offers, now is a great time to do so. And you don’t even need to hand over your phone number.
Facebook has eliminated the need for users to register a phone number in order to set up two-factor authentication (2FA) in a move intended to get more users to add in another layer of security, according to a press release by Facebook’s product manager Scott Dickens.
To authenticate logins, the social network now enables users to employ a third-party app such as Google Authenticator or Duo Security on both desktop and mobile. The company has also revamped its 2FA feature with a “streamlined setup flow that guides you through the process”.
“Two-factor authentication is an industry best practice for providing additional account security and we just made it easier to set up,” wrote Dickens.
Text messages are the most common second factor although, due to the vulnerability of text messages to a number of threats, security professionals have been advising against using SMS for verification for a long time. Facebook has been offering SMS-based 2FA for a while now and will continue to do so, but using other means such as a hardware device or an authenticator app is generally viewed as safer.
There is no word on how many Facebook users actually use 2FA. On Google accounts, for example, the data are rather grim, as fewer than one in ten Google account holders utilize 2FA.
What to do?
To enable two-factor authentication on your Facebook profile, navigate to “Settings”, then to “Security and Login”, and then to the “Use two-factor authentication” section, where you can choose and set up your 2FA method of choice. While you’re at it, you may also want to peruse your other privacy and security settings.
Many online services, including the biggest players, nowadays offer at least one of the 2FA methods. The availability of 2FA on various online services can be checked on this site.
While not a cure-all, the extra authentication factor offers a valuable additional layer of protection in exchange for very little effort. It is safe to say that 2FA would have prevented countless account break-ins over the years had the legitimate account holders turned it on.
That said, it should not detract from the importance of having a strong and unique password or, even better, passphrase.

25.5.18


Google rolls out .app domains with built-in HTTPS

Google has rolled out .app, a new top-level domain (TLD) that is the first to require encrypted HTTPS connections for all .app websites, according to an announcement by Ben Fried, the company’s Chief Information Officer (CIO).
On May 1, the company opened .app domains for registration under the Early Access Program on Google Registry. The domains will become available to the general public through other registrars from May 8.
“One of the main benefits of the .app domain is that security is built in for you and your users. The big difference is that HTTPS is required to connect to all .app websites, which helps protect against malware and tracking injection by ISPs, in addition to protecting against eavesdropping on open WiFi networks,” reads the press release.
The domain is aimed in particular at application developers. Nevertheless, Domain Name Wire quotes a Google representative who stated in March that the domain is not reserved exclusively for them. Some of the early adopters of .app domains are showcased on get.app.
“Even if you spend your working days in the world of mobile apps, you can still benefit from a landmark on the web. With a memorable .app domain name, it is easy for people to find and learn more about your app. You can use your new domain as a landing page to share trusted download links, keep users up to date and deep link to in-app content,” according to the announcement.
Google, which paid $25 million for .app in 2015, controls a total of 45 TLDs, including .comment, .papa, .eat, .soya and .google. According to ICANN, the global domain-name authority, the Internet had 1,543 TLDs as of May 4.
The change is part of Google’s vision of HTTPS everywhere on the Internet. In February, for example, the company announced that Chrome 68, due in July this year, will mark all HTTP websites as “not secure”.
A closing note: HTTPS (Hypertext Transfer Protocol Secure) encrypts web traffic, ensuring that submitted data is shielded from prying eyes in transit. It is therefore important, when submitting sensitive data to a website, to check for HTTPS in the browser’s address bar. However, the presence of the protocol alone does not automatically guarantee protection against a number of other threats. Even a site that displays HTTPS can be malicious: phishing sites, for example, have increasingly adopted HTTPS.

GDPR: One rule to rule them all – legally


It’s here but what are the legal ramifications of the new legislation for businesses
There is a certain similarity between J. R. R. Tolkien’s The Lord of the Rings trilogy and the General Data Protection Regulation (GDPR) coming into force tomorrow, May 25 2018. As weird as it may sound, the regulation puts in place standards identical to those of the One Ring – GDPR is here to rule the world of data protection the same way the One Ring ruled the others.
In real life, this could be directly linked to unifying the different levels of the data protection legislation in each of the European Union (EU) countries. Except in this case, the One Ring is replaced by the single set of data protection rules across the EU. Thus, the regulation aims to protect any information that relates to “an identified or identifiable person” – addressing the export of personal data outside of Europe as well.
WeLiveSecurity spoke with Tomáš Mičo, ESET Data Protection Officer, to clarify the essentials the regulation brings to businesses. “In Slovakia, where the cybersecurity firm ESET is based, we’ve already had, by law, the possibility to appoint a Data Protection Officer, so applying GDPR for businesses inside countries with similar requirements of legislation shouldn’t have any significant impediments,” he says.
According to Mičo, businesses have already invested significant time and energy into mapping all the processes and reviewing all the agreements as recommended by data protection professionals. “Moreover, as GDPR has so-called ‘downstream’ effect, businesses need to apply the same principles to all their arrangements including those with third-party processors and sub-contractors,” explains Mičo.
The main purpose of the new regulation is to minimize the unnecessary collection of personal data, including steps that prevent storing data that does not need to be stored, and securing the entire journey of the personal data in the company. However, the biggest challenges for businesses lie with the requirements for Privacy by Design, Privacy by Default, Right to Erasure, Right to be Forgotten and Breach Notification.
Computer security companies around the globe are rightfully using this opportunity, offering solutions to mitigate the main risks connected to the regulation – selling encryption, two-factor authentication and other solutions to close any possible path for cybercriminals to get to the personal data that must be protected under GDPR.
That’s not all. Although businesses are successfully deploying cybersecurity solutions to make sure personal data are properly processed and protected inside your company, there are other legal responsibilities that must be completed. One of them is to offer an easy-to-understand explanation of data processing, so customers are transparently informed about their rights resulting from this new regulation.
“Businesses have to make sure they have consent, contract or other legal basis for processing all of the personal data protected by the regulation, for all their end users. For a middle size business, it can as well mean spending countless hours retroactively contacting all of them if their legal basis is not GDPR valid – including end users that businesses gained through third parties or sub-contractors,” adds Mičo.
In addition, individuals also have the right to request a detailed listing of all their personal data that is being processed, and to request it from any vendor that works with the personal data of EU-located customers, even if the company is not physically located in the EU. This is especially hard for e-commerce businesses and businesses that work with cloud services. And that is the reason why the majority of newsletters in the last couple of weeks start with “We have updated our privacy policy”.
Moreover, businesses must have the information about the individual available at any time and keep it protected – encrypted – to be GDPR compliant. “This way the personal data, even when the company suffers a breach or is hacked, stay protected,” says Mičo. Perhaps the greatest onus lies in the Breach Notification requirement, which forces businesses to have processes in place that will ensure the information about the data breach reaches the appropriate data protection authority within 72 hours after it was discovered.
If nothing else, penalties for non-compliance are quite a bite to swallow – looking at 2% to 4% of the company’s global annual turnover, which is an expense no company can afford to take lightly. A recent survey by IDC, however, reveals that for noncompliance, “regulators are more likely to focus on progress toward the goal than penalizing those not quite finished with GDPR conformity”.
In time, we’ll see if the famous one rule to rule them all will find them all and bind them as the legislators have predicted, or if everyone will meet in an unfulfilled GDPR Land of Mordor.
For more information on GDPR, ESET has a dedicated page to help ensure that you have all the information needed to cope with GDPR. To read more articles like this one, please follow WeLiveSecurity.

23.5.18

Amazon Rekognition a possible threat to the civil rights of citizens
Use of software by law enforcement as a surveillance tool is a real concern for groups
Amazon has come under fire from civil rights groups in the US that say their online service that identifies faces in images could be abused by law enforcement.
The American Civil Liberties Union (ACLU) released a statement on Tuesday asking the tech giant to refrain from selling Amazon Rekognition to law enforcement agencies as they fear it will be used to unfairly target protesters along with individuals that the police view as suspicious.
The ACLU is leading a group of more than two dozen other civil rights organizations that are worried that the product will be used by law enforcement as a surveillance tool.
This claim was reinforced on Tuesday when the ACLU released a collection of public records that detailed how Amazon has been selling the software to those law enforcement agencies.
The statement released on the ACLU website stressed how the software threatens the freedom of citizens to go about their daily lives: “People should be free to walk down the street without being watched by the government”.
“By automating mass surveillance, facial recognition systems like Rekognition threaten this freedom, posing a particular threat to communities already unjustly targeted in the current political climate. Once powerful surveillance systems like these are built and deployed, the harm will be extremely difficult to undo”.

In a letter addressed to Jeff Bezos, Amazon’s chief executive, the group outlined its fears about the misuse of the software and also their concern that “Amazon Rekognition is primed for abuse in the hands of governments”.
They also implored the company to move fast, stating, “Amazon must act swiftly to stand up for civil rights and civil liberties, including those of its own”.
Police in Orlando, Florida and in Oregon’s Washington County are currently using Rekognition.
A report by The Washington Post has stated that the Washington County Sheriff’s department pays something in the range of $6 to $12 a month for the service.
Amazon spokeswoman Nina Lindsey did not directly address the concerns outlined by the civil rights groups stating that Amazon would require all customers to “comply with the law and be responsible when they use AWS services.”
She also said that the software could be used for many positive purposes, including finding abducted people and could also help locate children that become separated from their parents in crowded areas.
The product was introduced by Amazon as part of Amazon Web Services in late 2016 and claimed it “can process millions of photos per day”.
This concern by citizens over the use of Artificial Intelligence (AI) as a surveillance tool by government agencies was also highlighted recently when it was reported that thousands of Google employees signed an internal petition requesting that the company end its controversial contract with the Pentagon: a partnership with the US Department of Defense, named Project Maven, that promised to speed up the analysis of drone footage by assessing images for people or objects.
Google were quick to downplay any fears of misuse. “The technology flags images for human review, and is for non-offensive uses only,” a Google spokeswoman said. “Military use of machine learning naturally raises valid concerns. We’re actively discussing this important topic internally and with others as we continue to develop policies and safeguards around the development and use of our machine learning technologies.”
https://www.welivesecurity.com/2018/05/23/amazon-rekognition-threat-civil-rights/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29