Interesting People mailing list archives
Re MUST READ: NYTimes: Cyberwar for Sale
From: "Dave Farber" <dave () farber net>
Date: Wed, 04 Jan 2017 22:43:51 +0000
---------- Forwarded message ---------
From: Patrick W. Gilmore <patrick () ianai net>
Date: Wed, Jan 4, 2017 at 5:19 PM
Subject: Re: [IP] Re MUST READ: NYTimes: Cyberwar for Sale
To: Dave Farber <dave () farber net>, Roger Bohn <Rbohn () ucsd edu>
Cc: Patrick W. Gilmore <patrick () ianai net>

There is no silver bullet, no one magic way to fix all problems. Defense in depth is required to stop determined attackers - in “cyberwarfare” or any other area.

Multi-factor authentication (“MFA”) is a good part of a defense in depth strategy.

If Podesta had MFA, but entered his one-time MFA key (plus user/pass, obviously) into the phish link _and_ the phish server was sending that to Google _at the same time_, then the miscreants had one-time access to his email. They could have absolutely downloaded everything at that time.

However, if they tried to store the user/pass/MFA key and use it later, it would not have worked. Or even if they tried to come back and get new emails after the first attempt, it would not have worked. Etc. Plus he might have gotten notified that someone was attempting to access his account.

Obviously we need more than just MFA. But MFA stops a lot of attack vectors, and as you say, mobile phones make it far less annoying than carrying a fob. So why not use it?

--
TTFN,
patrick

On Jan 4, 2017, at 5:02 PM, Dave Farber <farber () gmail com> wrote:

Begin forwarded message:

*From:* "Roger Bohn" <Rbohn () ucsd edu>
*Date:* January 4, 2017 at 4:28:30 PM EST
*To:* dave () farber net, ip <ip () listbox com>
*Cc:* lauren () vortex com
*Subject:* *Re: [IP] MUST READ: NYTimes: Cyberwar for Sale*

I don’t think there is any doubt about the need for 2-factor authentication. Some organizations have been using it for a decade, and with ubiquitous cell-phones it’s more convenient than before, as mentioned.

But, I ask from ignorance, how does this help with the main problem discussed in this article, namely installing malware *inside* a system? That malware can still be sent by any of the 3 methods.

Where 2-factor does help is “daisy chaining” attacks that use logins from one phishing victim to get into multiple sites. But that’s not what happened to Podesta, for example.

Roger Bohn
Professor of Technology Management
School of Global Policy and Strategy
UC San Diego
+1 858 381-2015 cell/text
Blog: Art2science.org <http://art2science.org/>

On 4 Jan 2017, at 9:28, Dave Farber wrote:

Begin forwarded message:

*From:* Lauren Weinstein <lauren () vortex com>
*Date:* January 4, 2017 at 11:57:55 AM EST
*To:* nnsquad () nnsquad org
*Subject:* *[ NNSquad ] MUST READ: NYTimes: Cyberwar for Sale*

MUST READ: NYTimes: Cyberwar for Sale
http://www.nytimes.com/2017/01/04/magazine/cyberwar-for-sale.html

There are three methods, Scarafile explained, for getting the Remote Control System onto a target's device. Customers can gain physical access to the device and then infect it with a USB stick or memory card. They can beam the R.C.S. in over a Wi-Fi network. Or they can send the customer an email and get him to click on an infected attachment -- usually a file from a brand-name program like Microsoft Word or PowerPoint ...

- - -

I am increasingly considering the possibility that 2-factor authentication systems will need to be made mandatory for all users, not just optional as is usually the case today at least in non-corporate environments.

Of course 2-factor isn't foolproof, and there is some user hassle factor involved in using 2-factor (though a well designed 2-factor system, such as Google's, reduces the hassle notably).

But it's just too easy to phish accounts that are only protected by a simple password. It's probably time to bite the bullet on this one.

--Lauren--
REPORT Fake News Here! - https://factsquad.com
CRUSHING the Internet Liars - https://vortex.com/crush-net-liars