Tag Archives: google

How Google Took on Mirai, KrebsOnSecurity

February 3, 2017

The third week of September 2016 was a dark and stormy one for KrebsOnSecurity. Wave after wave of huge denial-of-service attacks flooded this site, forcing me to pull the plug on it until I could secure protection from further assault. The site resurfaced three days later under the aegis of Google’s Project Shield, an initiative which seeks to protect journalists and news sites from being censored by these crippling digital sieges.

Damian Menscher, a Google security engineer with whom I worked very closely on the migration to Project Shield, spoke publicly for the first time this week about the unique challenges involved in protecting a small site like this one from very large, sustained and constantly morphing attacks.

Akamai on the Record KrebsOnSecurity Attack

November 22, 2016

38 Comments

Internet infrastructure giant Akamai last week released a special State of the Internet report. Normally, the quarterly accounting of noteworthy changes in distributed denial-of-service (DDoS) attacks doesn’t delve into attacks on specific customers. But this latest Akamai report makes an exception in describing in great detail the record-sized attack against KrebsOnSecurity.com in September, the largest such assault it has ever mitigated.

The Democratization of Censorship

September 25, 2016

196 Comments

John Gilmore, an American entrepreneur and civil libertarian, once famously quipped that “the Internet interprets censorship as damage and routes around it”. This notion undoubtedly rings true for those who see national governments as the principal threats to free speech.

However, events of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely powerful cyber weapons with transnational reach.

The Limits of SMS for 2-Factor Authentication

September 7, 2016

80 Comments

A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

United Airlines Sets Minimum Bar on Security

August 24, 2016

52 Comments

United Airlines has rolled out a series of updates to its Web site that the company claims will help beef up the security of customer accounts. But at first glance, the core changes — moving from a 4-digit PINs to password and requiring customers to pick five different security questions and answers — may seem like a security playbook copied from Yahoo.com, circa 2009. Here’s a closer look at what’s changed in how United authenticates customers, and hopefully a bit of insight into what the nation’s fourth-largest airline is trying to accomplish with its new system.

Expect Phishers to Up Their Game in 2016

December 23, 2015

45 Comments

Expect phishers and other password thieves to up their game in 2016: Both Google and Yahoo! are taking steps to kill off the password as we know it.

New authentication methods now offered by Yahoo! and to a beta group of Google users let customers log in just by supplying their email address, and then responding to a notification sent to their mobile device.

Critical Flaws in Apple, Samsung Devices

June 17, 2015

51 Comments

Normally, I don’t cover vulnerabilities about which the user can do little or nothing to prevent, but two newly detailed flaws affecting hundreds of millions of Android, iOS and Apple products probably deserve special exceptions.

Adobe, Microsoft Push Critical Security Fixes

January 14, 2015

51 Comments

Microsoft on Tuesday posted eight security updates to fix serious security vulnerabilities in computers powered by its Windows operating system. Separately, Adobe pushed out a patch to plug at least nine holes in its Flash Player software.

Lizard Stresser Runs on Hacked Home Routers

January 9, 2015

102 Comments

The online attack service launched late last year by the same criminals who knocked Sony and Microsoft’s gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers, KrebsOnSecurity.com has discovered.

Google Accounts Now Support Security Keys

October 22, 2014

100 Comments

People who use Gmail and other Google services now have an extra layer of security available when logging into Google accounts. The company today incorporated into these services the open Universal 2nd Factor (U2F) standard, a physical USB-based second factor sign-in component that only works after verifying the login site is truly a Google site.