Tag Archives: internet-security

Connected Mom 2020 with Carley Knobloch

**Sponsored Content** With school back in session in some form, families might be feeling a bit overwhelmed. But there are ways that technology services and products can help! Tech Lifestyle Expert Carley Knobloch and the website TechForMoms.com teamed up with some favorite brands to share a few “smart” ideas that …

Here’s how to set up a VPN and protect your data – Mashable

Mashable has recently reviewed IPVanish, NordVPN, and TunnelBear. All VPNs have pros and cons, but at the end of the day, a lot of it comes down to personal preference ... app, but just how many features translate to mobile will vary depending on both ...

Facebook awards $200K to Internet Defense Prize winners

Facebook announced today the winners of its annual Internet Defense Prize and awarded first-, second- and third-place winners a total of $200,000 for research papers that addressed topics of internet security and privacy. Combined with $800,000 in Secure the Internet Grants awarded to security and privacy researchers earlier this week, the company has now completed its 2018 goal to invest $1 million toward securing the internet.

The Internet Defense Prize first started in 2014, but this year the prize quadrupled from its original $50,000 award to $200,000 spread across three groups. In a statement announcing the winners, Facebook said that the increase of this year’s prize money reflected not just the company’s ongoing (and in light of its privacy catastrophes this year, seemingly increased) interest in security and privacy, but also the quality of work submitted. “Over the years we’ve gotten higher and higher quality of submissions,” Pete Voss, Facebook’s Security Communications Manager, told TechCrunch. “But the criteria has always been the same, and that’s making practical research. Making this go beyond theory and making it so you can actually apply security in real life.”

The first prize, $100,000, was taken home by a team from Belgium for a paper entitled “Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies” that proposed improvements to browser security that would make users less susceptible to having their internet trail tracked from site to site. Second- and third-place prizes (for $60,000 and $40,000 each) were awarded to research teams in the U.S. and China, respectively, for papers focusing on proper use of cryptography for app development and for strengthening the algorithm behind single sign-on security systems.

Voss says the entries this year are a great example of the award’s mission to fund research that benefits not just Facebook’s interests in security and privacy, but the internet’s as a whole. “We’re investing in not just Facebook security but in public security for the entire internet,” said Voss. “We want to keep the internet strong and the only way we can do that is by making it secure.”

As for the recipients of the Secure the Internet Grants, the $800,000 was divided between 10 teams whose research ranged from sociological approaches (like “Understanding the Use of Hijacked Facebook Accounts in the Wild” and “Enhancing Online & Offline Safety During Internet Disruptions in Times of War”) to more technical ones like improving the strength of encryption methods. Voss told TechCrunch that Facebook has no plans to announce at this time regarding its next steps toward providing funding for researchers in this space (unlike last summer when the company laid out its $1 million goal), but says that the company is “always looking at incentivizing this kind of research” and providing support.

Firefox now supports the newest internet security protocol

Last Friday, the Internet Engineering Task Force released the final version of TLS 1.3. This is a major update to TLS 1.2, the security protocol that secures much of the web by, among other things, providing the layer that handles the encryption of every HTTPS connection. The updated spec promises improved security and a bit more speed, thanks to the reduced need for round trips as the browser and server negotiate the security settings. And the good news is, you can already use it today, because, as Mozilla today announced, Firefox already supports the new standard out of the box. Chrome, too, started supporting the new protocol (based on earlier drafts) in version 65.

TLS 1.3 has been a few years in the making and it’s been 10 years since the last version launched. It’s no secret that TLS 1.2 had its share of problems — though those were mostly due to its implementations, which are obviously a favorite target for hackers thanks to their ubiquity and which opened up bugs like the infamous Heartbleed vulnerability. But in addition to that, some of the algorithms that are part of TLS 1.2 have been successfully attacked. It’s no surprise, then, that TLS 1.3 focuses on providing access to modern cryptographic methods (the folks over at Cloudflare have a more in-depth look at what exactly that means).

For users, all of this ideally means that they get access to a more secure web, as well as a slightly faster one, as the new protocol allows the browser and server to quickly negotiate which encryption to use without lots of back and forth. Some of the companies that already support TLS 1.3 include Facebook (which says that it already serves almost half of its traffic over the new protocol), as well as Google and Cloudflare.

Heads-up: 2FA provider Duo Security to be acquired by Cisco (ugh)

US-based two-factor authentication provider Duo Security announced this morning that it is in talks to be acquired by networking giant Cisco. According to Duo’s press release, Duo will become a “business unit” under Cisco’s Security Business Group, and current Duo CEO Dug Song will become the unit’s general manager. Ars is a happy Duo customer, and we use the product extensively to apply 2FA to a variety of our internal services; beyond that, several Ars staffers (myself included) use Duo’s free tier to wrap 2FA around our own personal stuff, like Linux PAM authentication and Mac/Windows logins. Duo’s flexibility and ease of use has been a huge driver of success for the company, which says it has about 12,000 customers. But the worry here is that Cisco is going to murder the golden goose—and, as a former Cisco customer, I’m struggling to feel anything but dread about all the ways in which this acquisition might kill everything that’s good about Duo.

1Password nets partnership with ‘Have I Been Pwned’

A little over a month since 1Password incorporated a pwned password check feature developed by Have I Been Pwned’s Troy Hunt, the password manager service has now netted what’s being described as “a partnership” with the popular breach monitoring service. Essentially this boils down to a commercial arrangement between 1Password and the free-to-use breach check service, with HIBP now recommending users sign up to 1Password’s service at the point when they learn their information may have been involved in a data breach.

In a blog post explaining why he feels it’s the right time to accept a sponsor for the service, Hunt writes that one of the reasons he feels comfortable taking money in this way is that users want “actionable steps once they’ve found themselves pwned” — so being able to point them to a specific, named and, in his view, trusted password manager makes sense for him. “I also could have listed just a few of the industry leaders but people being as they are and the whole paradox of choice problem… they need more,” he adds.

It’s a major win for 1Password of course, whose brand will now be in front of people at the point when they are likely to be most motivated to pay to tighten the security screw. And for Hunt it’s understandable that he wants to gain a bit more financial reward for his efforts running the now popular and high profile service (he has accepted donations before), although it’s a move that will undoubtedly face some criticism — given the core issue (which he himself flags): “There’s no way to sugar-coat this: HIBP only exists due to a whole bunch of highly illegal activity that has harmed many individuals and organisations alike.”

You can say the same for security products in general, of course. But moving from the goodwill of offering a free breach check — with the stated aim of helping raise the general standard of security among web users — to accepting money from a company to encourage people to subscribe to its (security) service is a new, more clearly commercial direction. Hunt says he’s had lots of such offers before and rejected them — and says he picked 1Password specifically because of having a “long-standing history with them”. “This is a product I was already endorsed in by my own free volition and from the perspective of my own authenticity, that was very important,” he writes, noting that he recommended the service in another post, last October, and signed up as a subscriber himself just last month. He also says 1Password’s decision to integrate his pwned password check into their product last month impressed him, and that he’s found them good people to work with.

Beyond the fact the company’s product will now appear in step 1 (and step 2) of the “3 security steps” HIBP recommends to people whose emails are confirmed to have been involved in a breach, Hunt hasn’t provided many details about the terms of the partnership. Nor is he saying how much money he’s getting — aside from quipping that “it’s not quite $120M”. But he does claim it’s a “partnership” — “rather than just a one-way relationship where their name appears on HIBP”, flagging up continued product integrations (of pwned passwords) by 1Password as an example. So there looks to be more coming on that front too.

Let’s Encrypt takes free “wildcard” certificates live

In July of 2017, the nonprofit certificate authority Let's Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free "wildcard" certificates to enable secure HTTP connections for entire domains. Today, Let's Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.

ACME version 2 "has gone through the IETF standards process," said Josh Aas, executive director of the Internet Security Research Group (ISRG), the group behind Let's Encrypt, in a blog post on the release. ACME v2 is currently a draft Internet Engineering Task Force standard, so it may not yet be in its final form. But the current version is the result of significant feedback from the industry. And its use is required to obtain wildcard certificates.

In addition to the ACME v2 requirement, requests for wildcard certificates require the modification of a Domain Name Service "TXT" record to verify control over the domain—a similar method to that used by Google and other service providers to prove domain ownership. But much of this can be automated by hosting providers that provide DNS services. A single Let's Encrypt account can request up to 300 wildcard certificates over a period of three hours, allowing a hosting provider to handle requests for customers who may not have shell access to their sites.
