"authentication" entries

Phished

As phishing improves and spreads, the importance of two-factor authentication grows.

Maybe I’m the last person to know this, but phishing has spread beyond email. And it’s not really pretty.

Here’s the story: A few nights ago, I got a Twitter direct message (DM) from a friend saying that someone was saying nasty things about me, with a link. The link was a shortened (t.co) link, so it was hard to see exactly what it pointed to. I followed the link on my cell phone, and got to a website that certainly looked legit, and I was foolish enough to log in. Pwnd. A few minutes later, my Twitter account was spewing tweetspam about the latest pseudo-scientific weight loss fad.

It’s all fairly classic, except for a couple of things:

  • It happened via Twitter. I haven’t seen this before, but maybe I’m the last to know.
  • On the small cell phone screen, it was harder to notice that the fake login screen wasn’t right.
  • The guy who sent me the DM had exactly the same story: he was a victim of a phish, didn’t notice because of the smaller cell phone screen, and evidently his account was used to forge the DM that was sent to me. So phishes are being chained.
  • While we’re used to distrusting messages from companies, we aren’t used to distrusting messages from friends.

Yeah, I was being a bit clueless. And I ignored (though I noticed) the odd, atypical phrasing of the original DM from my “friend.” Changing technology doesn’t make the bad guys learn grammar. But still, wishing I had acted on my instincts is pointless. As a security researcher told me a couple of years ago, highly targeted phishing attacks are going to look so real that you really won’t be able to tell whether or not a message is legit.

Four short links: 2 September 2011

AutoUpdater, Extrapolation Apocalypse, C Compilers, and Authentication

  1. Invisible Autoupdater: An App’s Best Feature — Gina Trapani quotes Ben Goodger on Chrome: The idea was to give people a blank window with an autoupdater. If they installed that, over time the blank window would grow into a browser.
  2. Crackpot Apocalypse — analyzing various historical pronouncements of the value of pi, paper author concludes “When πt is 1, the circumference of a circle will coincide with its diameter,” Dudley writes, “and thus all circles will collapse, as will all spheres (since they have circular cross-sections), in particular the earth and the sun. It will be, in fact, the end of the world, and … it will occur in 4646 A.D., on August 9, at 4 minutes and 27 seconds before 9 p.m.” Clever commentary and a good example when you need to show people the folly of inappropriate curve-fitting and extrapolation.
  3. clang — C language family front-ends to LLVM. Development sponsored by Apple, as used in Snow Leopard. (via Nelson Minar)
  4. OmniAuth — authenticate against Twitter, GitHub, Facebook, Foursquare, and many many more. OmniAuth is built from the ground up on the philosophy that authentication is not the same as identity. (via Tony Stubblebine)

Four short links: 16 December 2010

Compressing Graphs, Authentication Usability, Extreme Design, and Rails Geo

  1. On Compressing Social Networks (PDF) — paper looking at the theory and practice of compressing social network graphs. Our main innovation here is to come up with a quick and useful method for generating an ordering on the social network nodes so that nodes with lots of common neighbors are near each other in the ordering, a property which is useful for compression. (via My Biased Coin, via Matt Biddulph on Delicious)
  2. Requiring Email and Passwords for New Accounts (Instapaper blog) — a list of reasons why the simple signup method of “pick a username, passwords are optional” turned out to be trouble in the long run. (via Courtney Johnston’s Instapaper feed)
  3. Extreme Design — building the amazing spacelog.org in an equally-amazing fashion. I want a fort.
  4. rgeo — a new geo library for Rails. (via Daniel Azuma via Glen Barnes on Twitter)