two-factor

How clever social engineering can overcome two-factor authentication… or not?

If you have a Google account you must have two-factor authentication enabled in order to prevent anyone from using your account with just your username and password. If you don’t know how to do that, check my free eBook here. 2FA requires something that you know (username and password) and something that you have (smartphone) in order to allow access to your account. Unless somebody gets all of them, they simply can’t steal your account. Until now…

Alex MacCaw has published screenshots of a new scam that is targeting Google users who have two-factor authentication (2FA) enabled. It works like this: you receive an SMS pretending to come from Google, requesting that you reply via SMS immediately with the code you receive from the real Google. Or, if you were not convinced, there is an even better version available:

I will try to hack my own Gmail account, just to see how hard it is.

This is how Google tries to help you get your password reset:

Select option 1
2. Select a recovery email address to receive a code:
3. Click on “Verify your identity” above

Whoa… I don’t remember the second one… But the first one is definitely…



Dropbox hacked?

You have probably read on news portals that Dropbox was hacked and that some user accounts were compromised. Here is the alleged list of leaked user information. Dropbox is saying that the data is not valid.

Apparently, Dropbox was not hacked. The company states this clearly on its blog:

“Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens. Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.”

I can only confirm and support this suggestion. The free eBook “Improve your security” explains how to enable two-factor authentication for several services, including Dropbox and Google Mail.



Enable two-factor authentication for SSH on your Raspberry Pi

I am a big fan of the RPi and I allowed one of my RPis (I have 3) to be accessible from the Internet via SSH. But I was stressed because somebody might do a DoS on my device with the intent to hack into it, and this way would prevent me from accessing it. So, wanting to secure it, I researched a bit how to enable two-factor authentication for SSH. I don’t want expensive SMS services; actually, I don’t want to pay anything at all. I found some great tutorials on the net, and here is my take on how to enable this great service via Google’s open-source Authenticator.

Google provides the necessary software to integrate Google Authenticator’s (GA) time-based one-time password (TOTP) system. You can couple GA with an SSH server. After this, you’ll have to enter the code from your phone when you connect, in addition to the username and password. GA doesn’t connect to Google as far as I can see in the code: https://code.google.com/p/google-authenticator/.

You will have to use the PAM module, which is available in Raspbian’s repository. The PAM module can add a two-factor authentication step to any PAM-enabled application. It supports: Per-user secret and status file…

