Saturday, March 19, 2005

The Failure of Two-Factor Authentication

Schneier on Security

“Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today.

The problem with passwords is that they're too easy to lose control of. People give them to other people. People write them down, and other people read them. People send them in e-mail, and that e-mail is intercepted. People use them to log into remote servers, and their communications are eavesdropped on. They're also easy to guess. And once any of that happens, the password no longer works as an authentication token because you can't be sure who is typing that password in.

Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.

These tokens have been around for at least two decades, but it's only recently that they have gotten mass-market attention. AOL is rolling them out. Some banks are issuing them to customers, and even more are talking about doing it. It seems that corporations are finally waking up to the fact that passwords don't provide adequate security, and are hoping that two-factor authentication will fix their problems.

Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses.”

http://www.schneier.com/blog/archives/2005/03/the_failure_of.html

Friday, March 18, 2005

Adobe Pushes DNG Image Format

By Kathy White

“Many photographers work in RAW-format files from their
digital cameras and are frustrated by the many versions out
there—varying not just from manufacturer to manufacturer but also from
camera to camera. But Adobe is trying to solve that problem with its
Digital Negative Specification.

Adobe Systems Inc. in September 2004 introduced DNG, a public format
for RAW digital camera files, along with a free software tool, Adobe
DNG Converter, which translates many of the RAW photo formats (images
before any in-camera processing) used today into the new DNG file
format.

Adobe is also letting any manufacturer that wants to use the format in
its cameras, printers and software applications do that for free
without any limitations in the hopes of encouraging them to accept it
as the standard.

Shooting RAW images means photographers can avoid dealing with the
compression and loss of image quality involved with shooting JPEGs.
But with that change comes the problem that Adobe has addressed: Each
manufacturer uses a proprietary format that is specific to its cameras
and might not be compatible with Adobe's Photoshop or other editing
software.

The Digital Negative Specification, Adobe hopes, will become the
single format, allowing users to store information from a diverse
range of cameras.”

http://www.publish.com/article2/0,1759,1776862,00.asp

Alternative Browsers and Java Lead Spyware to IE

By Michael Myser
“Windows and Microsoft products are going to be the first targets because they're so ubiquitous. Other applications will become targets as they become more popular.”
According to Christopher Boyd, the Vitalsecurity.org researcher, versions of alternative browsers including Firefox, Mozilla, Netscape and Avant all allow the execution of code within IE.…

“A malicious batch of adware and spyware has appeared that can use Firefox and other alternative browsers to infect Microsoft's IE.

According to a researcher at Vitalsecurity.org in the United Kingdom, if a user visits a site hosting the malicious code and agrees to install the applications despite security warnings, Internet Explorer will automatically run and deluge the computer with pop-up ads and offers, regardless of IE security settings.

While the security and infection threat is relatively low—in addition to the security warnings, the code only affects users of Sun's JRE (Java Runtime Environment), and so far is only found at a Neil Diamond lyrics site—it illustrates the continued expansion of malicious code targeting alternative browsers, as well as a unique cross-browser capability.

"Firefox will retain an edge in security for some time, but the notion that you'll be impervious to threats due to using Firefox is an illusion," said Jim Slaby, a senior analyst with the Yankee Group.

"The criminal element has decided that it's profitable enough to write malware that targets it."

This code, however, doesn't work only through Firefox to get at IE.…”

http://www.eweek.com/article2/0,1759,1776347,00.asp

Wednesday, March 16, 2005

How to Record a Podcast

by Glenn Fleishman
“Podcasting involves two distinct tasks. First you have to record the audio and prepare it for listening. Then you need to syndicate it via RSS so others can subscribe to your programs. In this tutorial, Glenn Fleishman shows you some nifty tricks for recording your audio, especially if you want to capture phone interviews for syndication.”

http://www.macdevcenter.com/pub/a/mac/2005/01/25/podcast.html

Frequently asked questions about the automated portion of the Microsoft Protect Your PC Web site

“This article contains a list of answers to frequently asked questions (FAQ) about the automated portion of the Microsoft Protect Your PC Web site.”

Q1: What is the automated portion of the Protect Web site?
Q2: How do I access the automated portion of the Protect Your PC Web site?
Q3: What versions of Windows does the automated portion of the Protect Your PC Web site support?
Q4: Who should use the automated portion of the Protect Your PC Web site?
Q5: What credentials must my account have to use the automated portion of the Protect Your PC Web site?
Q6: How does the automated portion of the Protect Your PC Web site work?
Q7: What does each step of the automated portion of the Protect Your PC Web site do?
Q8: After I turn on ICF/WF, some of my games and other programs do not work correctly. How can I work around this?
Q9: Where can I find more information about the automated portion of the Protect Your PC Web site?


http://support.microsoft.com/default.aspx?scid=kb;en-us;828931