Microsoft is trying to kill passwords. It can’t happen soon enough. Microsoft called passwords a “relic from the early days of computing” that “has long outlived its usefulness.”


Microsoft Corp. is trying to kill the password, and it’s about time. This month, the company said the next test version of its stripped-down Windows 10 S operating system will strip out passwords too, by default. If you go through setup as recommended, you’ll never get a password option.
Los Angeles Times

But killing the password altogether will take more work and time — and the problem may get worse before it gets better.

That’s a shame. Passwords are the bane of modern digital existence. On a big-picture level, insecure passwords cause an estimated 80% of breaches, according to a 2017 report from Verizon. On a human level, they’re paralyzing; right when you need to access your utility bill, you can’t remember if you replaced the “a” with a 4 or an @ symbol. Or when, say, a missile alert has gone out to your entire state and you can’t find your password to give an all-clear.

Passwords have amassed their share of enemies. Microsoft’s latest move follows pushes from Apple, Google and others to shake up the old passcode and password system with fingerprint scans, face scans or temporary codes. There’s no question passwords aren’t adapting to a modern age. “It’s quite clear to us, that the era of the password is passing. Based on the significant amount of accounts that now exist, it doesn’t scale as a system,” said William Beer, a principal at business management consultancy EY.

Microsoft has been waging a war on passwords for a while. Like others, it has poured effort into other types of authentication, namely biometric scans of your face or fingerprints — it introduced facial recognition unlocking for Windows PCs in 2015. It also has built a smartphone app to provide an ever-changing code to act as your password.

“This relic from the early days of computing has long outlived its usefulness, and certainly, its ability to keep criminals at bay,” an official blog post from Microsoft said in December.

Now Microsoft is edging even closer to pushing passwords off a cliff, at least in its lighter version of Windows — though not every feature that gets tested in early versions of operating systems makes it to consumers.

But we don’t have a lot of time to work on a slow revolution. The way we handle security is about to hit an even bigger test.

One reason passwords are awful is that there are so many of them. Dashlane, a password manager company, found in a survey of its own customers that they have an average of 130 accounts with passwords.

And password overload is poised to get worse before it gets better. Tech companies are pushing into more areas of our lives by giving “smarts” to any item that can accommodate a chip — toilets, cars, beds. Securing all of those gets messy, and it’s not remotely feasible to create a secure, unique password for every home appliance, even though those appliances collect very personal data.

Another big issue: Finding the perfect password is difficult, as it requires a unique balance of “easy to remember” and “hard to hack.” And since you need more than one password, you have to find that sweet spot over and over again. In the pursuit of safety, companies often require passwords to have a complex combination of capital letters, symbols and other requirements. But those requirements can actually cause people to reuse their complex passwords or refuse to change them once they’ve committed them to memory. In 2016, Britain’s National Cyber Security Centre recommended simplifying password requirements to encourage people to change them.

All of these issues point to a system that doesn’t work, and it makes sense for companies and people to get on the bandwagon to replace it.

Yet passwords linger like roaches in the corners of our digital lives. Alternatives such as fingerprint scans, retinal scans, voice recognition and other technologies can be hard for companies — particularly non-tech companies — to implement well. Those solutions are also imperfect, as some pairs of twins can tell you. If something requires new costs to implement and is still flawed, many companies may stick with the devil they know. (Even Microsoft is simply proposing getting rid of passwords, and only on a light version of Windows, instead of replacing them with another security alternative.)

Plus, even when companies offer something more, it’s often difficult for people to get used to a new routine, Beer said.

Changing habits will require more efforts like Microsoft’s, and a gradual introduction of different methods so that people can adjust. Beer said that many of the businesses he looks at are now at least combining the old username and password combination with something else — a fingerprint scan, voice print or temporary code for those cagey about sharing biometric info (or for companies unwilling or unable to secure it).

Ultimately, Beer said, the real path to killing the password is not technology, but education.

“We’re putting all the focus on technology and not thinking about explaining to people,” he said. “I would suggest that while technology is great, it needs to be accompanied by a significant awareness campaign to explain and support users as they go through these changes.”

Tsukayama writes for the Washington Post.

157 new emoji coming to #iOS, #Android . Are you ready for a ton of new emoji? If not, you better hurry to prepare yourself and your phone.


New year, new emoji.
Kaya Yurieff | CNN

The Unicode Consortium — a nonprofit that sets the global standard for emoji — announced on Wednesday 157 new emoji options would be coming later this year. The latest collection includes a cupcake, lobster, pirate flag and more expressive smiley faces.

Emoji will soon have a variety of new hairstyles, such as curly or bald, and more hair color options such as red and white.

There will also be more animals, such as a kangaroo, llama, swan and mosquito. More fun smiley faces include a “cold face” with dangling icicles, a partying face and a “woozy” emoji.

New superheroes and villains join the lineup, and popular activities like lacrosse, knitting, sewing and skateboarding are also represented.

After Unicode releases its guidelines, software makers such as Apple and Google design versions for their respective platforms. That’s why emoji on iPhones look different than those on Android phones.


The new emoji typically begin appearing on mobile phones later in the year. Apple usually previews its versions in June and releases them in the fall with the next iOS update. Android will release its emoji later this year. With the latest additions, the total number of approved emoji will be 2,823. In recent years, Unicode has made a bigger effort to include more diverse skin tones, occupations and flags.


Dark Caracal Targets Thousands in Over 21 Countries. The Electronic Frontier Foundation and Lookout Security released a report detailing several active Dark Caracal #hacking campaigns that successfully targeted mobile devices of #military personnel, medical #professionals, #journalists, #activists, and others in over 21 countries.


Dark Caracal: Hackers Spied on Targets in Over 21 Countries and Stole Hundreds of Gigabytes of Data

International Business Times UK | By India Ashok

A new and massive cyberespionage campaign, believed to be the work of Lebanese hackers linked to Lebanese General Security Directorate (GDGS) in Beirut, has been uncovered.

A new report by the Electronic Frontier Foundation and Lookout Security revealed that the cyberespionage group, dubbed Dark Caracal, has conducted numerous attacks against thousands of targets in over 21 countries in North America, Europe, the Middle East, and Asia.

The hacker group successfully targeted mobile devices of military personnel, medical professionals, journalists, lawyers, activists and more. It has stolen hundreds of gigabytes of data, including photos, text messages, call records, audio recordings, contact information and more.

The cyberespionage group stole this massive trove of information using its custom-developed mobile spyware called Pallas. The spyware, which Lookout discovered in 2017, is found in malware-laced Android apps — knock-offs of popular apps like WhatsApp, Telegram and others that users downloaded from third-party online stores.

“People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal,” EFF director of Cybersecurity Eva Galperin said in a statement. “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

According to the report, Dark Caracal has been active in several different campaigns, running in parallel, with its backend infrastructure also having been used by other threat actors. For instance, Operation Manul, which according to the EFF targeted journalists, lawyers and dissidents of the Kazakhstan government, was launched using Dark Caracal’s infrastructure.

According to Galperin, the Dark Caracal group may be offering its spyware services to various clients, including governments, The Register reported.

Dark Caracal hackers also make use of other malware variants such as the Windows malware called Bandook RAT. The group also uses a previously unknown multi-platform malware dubbed CrossRAT by Lookout and EFF, which is capable of targeting Windows, Linux and OS X systems. The report states that the APT group also borrows or purchases hacking tools from other hackers on the dark web.

“Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform,” said Mike Murray, VP of security intelligence at Lookout. “The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about.”

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF staff technologist Cooper Quintin. “This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”