TIME Security

Google Now Supports USB Security Keys for Two-Step Verification

Most security experts agree that you should secure all your online accounts with two-step verification when you can. It’s an important additional security feature that requires you to have access to a physical item (typically, a mobile phone) to gain access to your online accounts.

After entering your password, you enter a second code from your smartphone to double-verify your identity. With two-step verification enabled, even if someone steals your current password through a hack, they won’t be able to enter your accounts unless they also steal that physical item – a requirement that stops most bad guys in their tracks.

Of course, there are always situations where you may not want to use – or simply don’t have access to – a mobile phone. That’s why Google announced the launch of Security Key. It enables two-step authentication for your Google accounts through the use of a physical USB stick.

“Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google,” the company explains on its official UK blog. “Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.”

Security Key plugs into a USB port, so it isn’t compatible with most mobile phones and tablets. Security Key also requires you to use the Chrome web browser (version 38 or newer) to complete verification. And, of course, there are questions about how far USB devices can be trusted in general after the recently disclosed BadUSB research, which showed that the firmware of some USB devices can be reprogrammed to misbehave. A U2F key is a purpose-built signing device rather than a storage stick, but it still rides on the same interface.

If you want to give Security Key a try, you’ll need to purchase a FIDO U2F-certified key to use with the feature. You can buy a basic USB security key on Amazon for $5.99, or something slightly sturdier with a button for $17.99. You can learn how to register and add a Security Key to your Google account by visiting the Google Help page.

This article was written by Fox Van Allen and originally appeared on Techlicious.


TIME Security

China iCloud Attack Could Be State-Sponsored Hacking

Apple Inc. Launches iPhone 6 And iPhone 6 Plus In China
A Chinese man sets up his new iPhone 6 inside an Apple store on October 17, 2014 in Beijing, China. Feng Li—Getty Images

The iCloud attack coincided with the iPhone 6 releases in China

Chinese users recently attempting to access Apple’s iCloud online data storage service may have had their personal information stolen in what one cybersecurity firm claims was a high-level cyberattack backed by Chinese authorities.

GreatFire, an independent Chinese censorship watchdog, said the hack was a “man-in-the-middle” attack: the attackers placed themselves between users and iCloud, presenting a fake iCloud login site and grabbing data as it was transmitted between the two. Apple’s reference to “insecure certificates” means the fake site could not present a certificate browsers trust, so the users exposed were those who clicked through the resulting browser warning and entered their login information anyway.

Apple confirmed the attack Tuesday, stating that it is “aware of intermittent organized network attacks using insecure certificates to obtain user information.” The firm added that the attacks “don’t compromise iCloud servers, and they don’t impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.”

GreatFire said the hackers involved with the iCloud breaches used servers accessible only to state-run organizations and Chinese authorities, a sign the attacks had the blessing of such authorities. The hack came just as the iPhone 6 was released in China after a delay over the government’s security concerns.

The iCloud attack follows a report earlier this month that “a very large organization or nation state” was putting malicious spyware onto iPhones and iPads belonging to Hong Kong’s pro-democracy protestors. GreatFire also previously reported that Chinese authorities had launched attacks on GitHub, Google, Yahoo and Microsoft in an apparent effort to censor those services.

“This is what nation states do to ‘protect’ their citizens. There is nothing surprising or unexpected in this revelation,” said Phil Lieberman, president of cybersecurity firm Lieberman Software. “It would not be hard to find other countries doing similar things.”

TIME Security

Experts Warn Corporate Boards Aren’t Protecting Us From Hackers

A shopper walks past a large Home Depot logo inside a store
A shopper walks past a large Home Depot logo inside a store in New York,Tuesday, May 16, 2006. Bloomberg—Bloomberg via Getty Images

In the wake of hacks against Target, Home Depot and JPMorgan, analysts say companies' boards need to be more vigilant on cybersecurity

As an increasing number of major retailers and financial institutions fall victim to hacks like those against Target, Home Depot and JPMorgan, many experts say corporate boards aren’t doing enough to protect customers from cybersecurity breaches. While corporate boards are a step removed from companies’ day-to-day operations, the increasing risk of data breaches means that board members need to be more involved in cybersecurity, observers say, whether by pushing for security oversight or reshuffling executives who don’t react properly to crises.

“We live in the post-Target era,” said John Kindervag, security analyst at Forrester. “There’s a moral obligation to consider firing an executive team because of a data breach. It’s a huge business failure.”

Corporate boards rarely review cybersecurity plans or involve themselves in the particulars of data protection, traditionally viewing security as an information technology problem. According to a PricewaterhouseCoopers report released last month, just 42% of 9,700 executives in over 150 countries said their boards are involved in security strategy; just 25% said their boards are involved in reviewing security and privacy threats.

“They’ll say to the CEO, what are we doing about security, and then don’t get involved at all until they get breached,” says Avivah Litan, security analyst at Gartner. “Most companies don’t communicate at that level with the board. They’re out of touch and they’re totally clueless about information security.”

Securities and Exchange Commissioner Luis Aguilar put it more gingerly to board directors earlier this month at a New York Stock Exchange cybersecurity conference. “There may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks,” Aguilar said. There’s a discrepancy, too, between what shareholders demand of boards and what they’re actually doing — a survey published by Institutional Shareholder Services (ISS) last month shows that nearly 70% of shareholders view board oversight actions prior to hacking incidents as “very important.”

Negligent boards may find themselves facing questions from angry shareholders and customers after a cyber breach. In June, ISS made the unusual recommendation that Target shareholders oust seven out of 10 members of its board after credit card information belonging to 40 million customers was compromised, laying blame on two board committees in particular.

“The data breach revealed that the company was inadequately prepared for the significant risks of doing business in today’s electronic commerce environment,” ISS advised. “The responsibility for oversight of these risks lies squarely with the Audit Committee and the Corporate Responsibility Committee.” Shareholders re-elected the board, but ISS’ condemnation was a wake-up call for retailers. Target is now facing an investigation from the Federal Trade Commission into the details of the breach.

Home Depot, meanwhile, was a founding member of a threat-sharing group of major retailers earlier this year, and its board received regular updates on cybersecurity, according to a spokesman. “IT and IT security have regularly been items on our board meeting agendas for several years now, and the board has received regular updates on the breach since it occurred,” said that spokesman. But the hardware retailer was caught flat-footed by a data breach this year that jeopardized 56 million customers’ credit cards, and managers ignored weaknesses in cyber defense before the attack, the New York Times reported last month.

Analysts say a strong board of directors should know how to ask management the right questions about cybersecurity. “The board is not responsible for identifying risk, but it sure as hell needs to know that management understands that responsibility and knows how to respond to it,” said Rick Steinberg, former governance practice leader at PricewaterhouseCoopers.

Ultimately, it might be a financial motivation that gets corporate boards to take a closer look at their firms’ cybersecurity standards. Target’s net income dropped more than $400 million in the quarter the breach was announced compared to the year before; the company said direct costs from the data breach would reach $148 million in the second quarter of 2014 alone. The total expense of any breach, including lost profits from nervous consumers, is often incalculable. “A data breach is the equivalent of an oil spill,” said Kindervag. “It’s a fundamental business issue.”

TIME Retail

Staples Investigates Reports of Possible Credit Card Data Breach

Staples To Close 225 Stores
A Staples store is seen on March 6, 2014 in Miami, Florida. Joe Raedle—Getty Images

Potentially the latest in a string of high-profile data thefts

The world’s biggest office-supply retailer is investigating reports of a possible data breach of Staples customers’ credit cards after banks detected a pattern of unusual charges concentrating on a group of shoppers.

Staples acknowledged on Tuesday that it had launched an investigation and requested assistance from law enforcement officials, Bloomberg reports.

Reports of fraudulent charges recently surfaced on an independent security blog, which noted that the bulk of the card data appeared to come from a group of stores clustered in the northeast, including seven in Pennsylvania, three in New York and one in New Jersey.

The security concerns come amid a wave of breaches in the past two years against retailers like Home Depot, Kmart and Target. The latter said in August that its breach was expected to cost some $148 million.

[Bloomberg]

TIME Security

Watch: What You Need to Know About the POODLE Bug

Third security flaw discovered this year, but researchers say it's not as powerful as Heartbleed

The POODLE bug may sound silly, but it can cause some serious damage.

POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, makes it possible for an attacker on the same network to decrypt pieces of a user’s supposedly protected web traffic, such as login cookies. The problem is an 18-year-old encryption standard, SSL 3.0, which is still used by older browsers like Internet Explorer 6, and which most modern browsers will fall back to if an attacker disrupts their attempts to connect with a newer protocol; that forced fallback is the “downgrade” in the name.

SSL protects data exchanged between a website and a user, indicated by the padlock icon in the browser’s address bar. If you’re a home user, don’t panic; you’re not at high risk. But, just to be safe, upgrade your web browser, or disable SSL 3.0 in the one you have.

TIME Innovation

This $150 Device Just Made It Ridiculously Cheap to Crack Open a Safe

Combination lock Getty Images

The contraption fastens to a dial commonly used to lock ATMs and guesses the combination through trial and error

A pair of Australian-based security experts have developed a $150 safe-cracking device, making a technology normally reserved for defense department budgets accessible to anyone who can afford a smartphone.

The contraption, which was fashioned out of repurposed electronics and 3D-printed components, fastens onto a safe and spins the dial through a series of combinations, gradually cracking the code through trial and error, the Register reports.

Its inventors, Jay Davis and Luke Janke, say it typically takes four days to pop a standard 2-combination lock which is commonly used to secure ATMs, but they suspect that time could be shaved down to a matter of minutes by simply spinning a few of the default codes set by the lock’s manufacturer. Turns out a startling number of customers don’t bother to reset the code to something more personal and secure.

Another tweak would give the device some longer term memory to track untested combinations, “so if you get busted you can run away and come back and try later on,” Davis told the Register, “not that we condone that.”

[Register]

TIME Security

Microsoft Patches Computer Bug Linked to Russian Hackers

Microsoft's Windows 8.1 Goes On Sale
An attendant displays a Fujitsu Ltd. Arrows Tab tablet, running Microsoft Corp.'s Windows 8.1 operating system, during a launch event for the operating system in Tokyo, Japan, on Friday, Oct. 18, 2013. Bloomberg—Bloomberg via Getty Images

Microsoft has fixed a series of software bugs, at least one of which was exploited by Russian hackers, according to a new report

Microsoft on Tuesday issued patches fixing 24 vulnerabilities in Windows, Internet Explorer, Office and the .NET Framework, some of which close security holes exploited in attacks on Western targets that have been linked to Russian hackers. More than a dozen of the patched vulnerabilities would allow a remote attacker to take control of a target computer, according to a note from Microsoft.

The issues were first revealed by Dallas-based security firm iSight, which said Tuesday that hackers tied to Russia had been using a previously unknown bug in Windows versions from Vista through 8.1 to attack NATO, the European Union and targets in Ukraine since September. iSight partnered with Microsoft to report the bug.

The hacks against Western targets are part of a growing wave of cyberattacks linked to Russia amid that country’s ongoing conflict with Ukraine. However, it’s unclear exactly what data hackers took as part of the attack.

“Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree,” iSight said Tuesday.


TIME Security

Dropbox Denies Thousands of Accounts Were Hacked

Key Speakers At The Brooklyn Beta Conference
Dropbox Inc. signage is displayed at the Brooklyn Beta conference in the Brooklyn borough of New York, U.S., on Friday, Oct. 12, 2012. Bloomberg—Bloomberg via Getty Images

"Your stuff is safe," Dropbox tells users after hacking scare

Dropbox said Monday that a list of login credentials posted online early this week was not made public as the result of it being targeted by hackers, but rather because hackers stole usernames and passwords from other services and attempted to use those credentials to access Dropbox accounts.

“The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,” said Anton Mityagin of Dropbox’s security team in a blog post. “Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox.”

Hundreds of username and password combinations allegedly belonging to Dropbox users appeared early this week on the website Pastebin, a common dumping ground for hackers to post such information. An accompanying message alleged that 7 million Dropbox accounts were hacked in total, The Next Web reported Monday, and the hacker or hackers were asking for money before posting the rest of the information. However, Dropbox later said that a larger list of usernames and passwords posted online was “not associated with Dropbox accounts.”

Dropbox also said it recently reset passwords on accounts which showed suspicious login activity, a move it said prevented the service from being breached. “We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens,” Mityagin wrote. Dropbox also emailed any affected users and advised them to change their passwords on Dropbox as well as other Internet services.

Hackers often target less secure platforms to steal login information they then use on other websites, as seems to be the case here. That’s why it’s a good idea to use different passwords on different websites as well as activate two-step authentication wherever available.

TIME Security

Snapchat Says Leak of Nude Photos Isn’t Its Fault

The logo of mobile app "Snapchat" is displayed on a tablet on January 2, 2014 in Paris.
Lionel Bonavent—Getty Images

Company says third-party applications were responsible for the breach of as many as 200,000 user accounts

Images from tens of thousands of Snapchat user accounts, many explicit, were leaked onto the internet late Thursday — but the messaging app said the hack wasn’t its fault.

Snapchat said that third-party applications were responsible for the breach of as many as 200,000 user accounts, and that their own servers were never compromised.

A 13GB database of Snapchat photographs taken over a number of years was leaked to online messageboards Thursday. It reportedly includes a large amount of child pornography, from teenage users.

“Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security,” a statement read. “We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

The news comes just weeks after the release of nude photos of more than 100 celebrities in a massive hack of photos stored in Apple’s iCloud.

TIME Security

Malware Hack Dips Into Dairy Queen Customer Data

Two-Story Dairy Queen The First To Open In Manhattan
A S'mores flavored blizzard is seen at a Dairy Queen, the first to open in Manhattan, on May 29, 2014 in New York City. There are more than 6,300 Dairy Queens in the U.S. Andrew Burton—Getty Images

Hackers gained access to 600,000 cards

Dairy Queen announced on Thursday that its customer data had been compromised by malware.

The ice cream chain said the breach affected 395 of its over 4,500 locations in the United States. The hacked information contained the names and credit card information of past customers. Fewer than 600,000 cards were affected. Dairy Queen has provided a list of targeted locations.

The company will offer free identity repair services for one year to affected customers and franchise owners, including at Orange Julius locations, John Gainor, president and CEO of International Dairy Queen, said in a statement. “Our customers continue to be our top priority.”

The Backoff malware used to hack Dairy Queen has been used to attack more than 1,000 businesses, the Secret Service reports. Large retailers such as Target and Home Depot have been targeted for larger hacks. Last week, JP Morgan Chase announced a data breach in its system that affected over 76 million households and 7 million small businesses.
