Interesting People mailing list archives

FwRe MUST READ: NYTimes: Cyberwar for Sale


From: "Dave Farber" <dave () farber net>
Date: Wed, 04 Jan 2017 23:16:01 +0000

---------- Forwarded message ---------
From: Lance Wiggs <lance () lancewiggs com>
Date: Wed, Jan 4, 2017 at 6:13 PM
Subject: Re: [IP] Re MUST READ: NYTimes: Cyberwar for Sale
To: <dave () farber net>
Cc: ip <ip () listbox com>


> Obviously we need more than just MFA. But MFA stops a lot of attack
> vectors, and as you say, mobile phones make it far less annoying than
> carrying a fob. So why not use it?


Because MFA is very painful to use, and there are so many apps with so many
devices that we would be overwhelmed. Companies like Thisdata.com (our fund
is an investor) are trying to solve some of the issue, and aim for a
login-free future where the security layer has enough context to be able to
authenticate.


*Lance Wiggs*
@lancewiggs, lancewiggs.com
+64 21 526239

On Jan 5, 2017, at 11:43, Dave Farber <dave () farber net> wrote:


---------- Forwarded message ---------
From: Patrick W. Gilmore <patrick () ianai net>
Date: Wed, Jan 4, 2017 at 5:19 PM
Subject: Re: [IP] Re MUST READ: NYTimes: Cyberwar for Sale
To: Dave Farber <dave () farber net>, Roger Bohn <Rbohn () ucsd edu>
Cc: Patrick W. Gilmore <patrick () ianai net>


There is no silver bullet, no one magic way to fix all problems. Defense in
depth is required to stop determined attackers - in “cyberwarfare” or any
other area.

Multi-factor authentication (“MFA”) is a good part of a defense in depth
strategy.

If Podesta had MFA, but entered his one-time MFA key (plus user/pass,
obviously) into the phish link _and_ the phish server was sending that to
Google _at the same time_, then the miscreants had one-time access to his
email. They could have absolutely downloaded everything at that time.
However, if they tried to store the user/pass/MFA key and use it later, it
would not have worked. Or even if they tried to come back and get new
emails after the first attempt, it would not have worked. Etc. Plus he
might have gotten notified that someone was attempting to access his
account.

Obviously we need more than just MFA. But MFA stops a lot of attack
vectors, and as you say, mobile phones make it far less annoying than
carrying a fob. So why not use it?



-- 
TTFN,
patrick
On Jan 4, 2017, at 5:02 PM, Dave Farber <farber () gmail com> wrote:
Begin forwarded message:

*From:* "Roger Bohn" <Rbohn () ucsd edu>
*Date:* January 4, 2017 at 4:28:30 PM EST
*To:* dave () farber net, ip <ip () listbox com>
*Cc:* lauren () vortex com
*Subject:* *Re: [IP] MUST READ: NYTimes: Cyberwar for Sale*

I don’t think there is any doubt about the need for 2-factor
authentication. Some organizations have been using it for a decade, and
with ubiquitous cell-phones it’s more convenient than before, as mentioned.

But, I ask from ignorance, how does this help with the main problem
discussed in this article, namely installing malware *inside* a system?
That malware can still be sent by any of the 3 methods. Where 2-factor does
help is “daisy chaining” attacks that use logins from one phishing victim
to get into multiple sites. But that’s not what happened to Podesta, for
example.

Roger Bohn
Professor of Technology Management
School of Global Policy and Strategy
UC San Diego
+1 858 381-2015 cell/text Blog: Art2science.org <http://art2science.org/>

On 4 Jan 2017, at 9:28, Dave Farber wrote:
Begin forwarded message:

*From:* Lauren Weinstein <lauren () vortex com>
*Date:* January 4, 2017 at 11:57:55 AM EST
*To:* nnsquad () nnsquad org
*Subject:* *[ NNSquad ] MUST READ: NYTimes: Cyberwar for Sale*


MUST READ: NYTimes: Cyberwar for Sale

http://www.nytimes.com/2017/01/04/magazine/cyberwar-for-sale.html

    There are three methods, Scarafile explained, for getting the
    Remote Control System onto a target's device. Customers can
    gain physical access to the device and then infect it with a
    USB stick or memory card. They can beam the R.C.S. in over a
    Wi-Fi network. Or they can send the customer an email and get
    him to click on an infected attachment -- usually a file from
    a brand-name program like Microsoft Word or PowerPoint ...

- - -

I am increasingly considering the possibility that 2-factor
authentication systems will need to be made mandatory for all users,
not just optional as is usually the case today at least in
non-corporate environments. Of course 2-factor isn't foolproof, and
there is some user hassle factor involved in using 2-factor (though a
well designed 2-factor system, such as Google's, reduces the hassle
notably). But it's just too easy to phish accounts that are only
protected by a simple password. It's probably time to bite the bullet
on this one.

--Lauren--
REPORT Fake News Here! - https://factsquad.com
CRUSHING the Internet Liars - https://vortex.com/crush-net-liars
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20170104181619:CA3E525C-D2D3-11E6-8F30-B290B9952D2D
Powered by Listbox: http://www.listbox.com