Information Security News
For quite a while now, we have provided the option to use a time-based one-time password (TOTP) as a second factor to authenticate to your ISC account. The implementation we picked is RFC 6238, which is also what Google's popular Authenticator app implements. But so far, we haven't had a good solution for the lost-authenticator problem: it required an administrator to manually reset the particular account.
To help with password and authenticator resets in the future, we are now also supporting SMS- and voice-call-based authentication. To enable this feature, you will need to provide one or more phone numbers that can be used to authenticate you. If you lose your authenticator app (e.g., if you get a new phone), or if you need to reset your password, this number is used to authenticate you.
This *should* work with phone numbers globally, not just US numbers. But of course, we can only test a couple of countries. Please let us know if you run into any problems.
At this point, I don't think it makes sense to make two-factor authentication mandatory for our site. Many users do not have any personal information stored with us. But I think it does make sense to provide the option and allow users to decide if they feel it is necessary or not.
To configure your phone number, see http://isc.sans.edu/pwresetinfo.html (you will have to log in first, of course).
Apple has purged its iOS App Store of several titles that it said had the ability to compromise encrypted connections between end users and the servers they connect to. The company advised users to uninstall the apps from their iPhones and iPads to prevent potentially harmful monitoring, but it has yet to name any of the offending titles.
"Apple has removed a few apps from the App Store that install root certificates that could allow monitoring of data," company officials wrote in an advisory posted Friday. "This monitoring could be used to compromise SSL/TLS security solutions. If you have one of these apps installed on your device, delete both the app and its associated configuration profile to make sure your data remains protected."
Apple representatives didn't respond to an e-mail seeking the names of the offending apps and an explanation of why they weren't identified. This post will be updated if they reply later.