10 Don’ts co-author Eric Rzeszut will be speaking tomorrow (March 19) at SecureWorld in Philadelphia. If you’re at SWE Philly, please join Eric at 11:15 for “Lessons from ’10 Don’ts’ — Getting Your Users to Care About Security.” Several copies of the book will be available as door prizes!
In Chapter 2 of 10 Don’ts, we tell readers: “Don’t Give up Your Passwords.” We discuss methods for improving password security, including the use of “two-factor authentication,” which uses two forms of credentials instead of one. The two factors can be drawn from something you know (a password or PIN); something you have (your cell phone or an identity token); and something you are (a fingerprint or retinal scan).
Yahoo! already offered optional two-factor authentication for users of its online services, similar to offerings from Google, Microsoft, Apple, and others. This week, it introduced a new form of authentication that seems to take a step backwards:
“In an effort to simplify authentication for its services, Yahoo has introduced a new mechanism that allows users to log in with temporary passwords that are sent to their mobile phones…
The new system offers better security than static passwords, which can be stolen in a variety of ways, but it’s not as effective as two-factor authentication because it depends solely on how secure the user’s phone is…
In addition, if a phone is lost or left unsupervised, it could be used to generate a password for the phone owner’s Yahoo email account. As many incidents have shown, a person’s email account can be a gateway for further compromises, because it can be used to reset the password for the user’s accounts on other websites.”
MacWorld’s article recommends (and we agree) that users who want a more secure form of password management stick with two-factor authentication. This “reset-by-phone” method introduces an additional point of vulnerability: whoever holds the phone holds the account.
As we point out in the very first chapter of 10 Don’ts, “Don’t Get Phished,” criminals are getting more sophisticated when they craft phishing scams. They’ll use real terminology, correct English, and proper company/organizational logos to increase the number of people fooled by these malicious emails.
Today, Virginia’s Attorney General Mark Herring (@AGMarkHerring) released a warning about a phishing scam being perpetrated via email, phone, and even social media:
Attorney General Mark R. Herring today warned Virginians to be vigilant for a major, ongoing “phishing” scam involving emails, phone calls, and social media messages purporting to be from the Attorney General and his office. The emails claim to be a “Final Legal Notification” from Attorney General Herring or his staff regarding debt owed to “Cash Advance, Inc,” or some variation thereof, or claim that an “arrest warrant” has been taken out on the recipient. The emails demand payment from the recipient to resolve the issues. In some cases, recipients may receive follow-up phone calls from the scammers perpetuating the fraud. The Attorney General’s Office does not operate in such a manner and the recipient should not respond to the emails or phone calls.
In Chapter 2 of 10 Don’ts (“Don’t Give Up Your Passwords”), we discuss the use of password managers in lieu of remembering multiple complex passwords. Password management applications use a master password to secure complicated logins.
Obviously, you should never forget your master password. But what if you do?
If you lose or forget your master password, getting back in usually isn’t as simple as clicking a “forgot password” button, as you would for any other account on the web. In most cases, you have to jump through a few hoops—or you can’t get in at all. In this post, we’ll look at some of the popular password managers out there and what you can do to avoid getting into this sticky situation.
“There’s one major difference between companies that adopt BYOD policies and those that don’t: those that don’t are far more vulnerable to attacks.
Now, that may seem counterintuitive—after all, aren’t BYOD programs supposed to open the door to greater security risks? That’s what everyone says, and there are certainly new complications that come with BYOD programs.
However, companies need to realise employees are connecting their phones and tablets at work, regardless of whether there’s a BYOD policy or not. So with that in mind, companies that make efforts to regulate the devices on their networks are far more likely to be protected than those who don’t.”
The records of as many as 80 million customers of Anthem Health Insurance were breached last week. Hackers may have obtained names, addresses, birthdates, medical histories, and other personal data of Anthem subscribers (or former subscribers), and are using this data in phishing attempts to further violate subscribers’ privacy.
So, if you’re one of the affected people, what should you do? ZDNet writer Violet Blue has put together a list of seven helpful steps to take to protect your data. Many of these precautions (such as two-factor authentication, password managers, etc.) are good ideas for everyone — not just Anthem victims — and we recommend many of these in 10 Don’ts on Your Digital Devices.
“Phishers and phone fraudsters are capitalizing on public concern over a massive data breach announced this week at health insurance provider Anthem in a bid to steal financial and personal data from consumers.
The flood of phishing scams was unleashed just hours after Anthem announced publicly that a “very sophisticated cyberattack” on its systems had compromised the Social Security information and other personal details on some 80 million Americans.”