Less than 10% of Gmail users have enabled two-factor authentication

Internet users are doomed.

I don’t mean you or me, because the fact that we’re reading this article on the Tripwire State of Security blog means we at least have a passing interest in protecting ourselves online.

No, I mean those folks who, like us, use the internet but don’t take the steps necessary to put in place the most rudimentary defences to prevent themselves from being hacked. Sadly, I suspect I’m talking about the vast majority of internet users.

Most people don’t use password managers to generate hard-to-crack unique passwords, preferring to rely on their puny brains instead and inevitably reusing login credentials between multiple services. Most people don’t run a VPN, leaving themselves exposed to having their data grabbed when they use a public Wi-Fi hotspot. And, as a presentation by Google software engineer Grzegorz Milka this week revealed, hardly anyone is using two-factor authentication (2FA).

A well-implemented two-factor authentication system ensures that the only thing standing between a hacker and your online account is no longer whether they can determine your username (often just your email address) and password.

Even if a hacker has managed to determine your password (perhaps because you chose a poor one, or perhaps because you made the mistake of using the same password on multiple websites), the two-factor authentication check will require them to enter a one-time six-digit passcode generated by a tag on your keyring or an authentication app on your smartphone.

No one-time passcode? No entry.

Clearly it’s a higher level of security, and one which is enough to encourage a typical hacker to look for someone else’s account to break into rather than yours.

Two-step

And yet, Iain Thomson of The Register reports that Grzegorz Milka’s talk at Usenix’s Enigma 2018 security conference in California revealed that less than one in 10 Google users have enabled two-step authentication to lock down their accounts.

That’s a depressing statistic for a security feature that Google introduced nearly seven years ago, and that most security professionals would describe as a “must-have” for anyone keen to keep unauthorised parties out of their accounts.

Don’t delay. If you haven’t already done so, please enable Google 2-step verification. To help the over 90% of active Gmail users who have still not recognised the benefits of this additional security layer, Google has a simple step-by-step process that will hold your hand as you boost your defences.

One step beyond

So, what if you have already protected your Gmail with two-step authentication but still want to go even further to keep hackers out of your account?

Last year, Google unveiled an Advanced Protection feature for those users who felt that they might be especially at risk – such as journalists wishing to protect their sources or individuals in abusive relationships.

Advanced Protection goes beyond Google’s existing authentication services, disabling the sending of authentication codes via SMS or the use of an authentication app, and instead demanding that a physical security key be inserted into your computer’s USB port.

Advanced Protection certainly isn’t for everybody, and my suspicion is that many users would find it too restrictive for use on their everyday accounts. For instance, it prevents you from using third-party apps to access your Gmail or data held on Google Drive. But it’s good to see Google offering these features for those people who do need heightened security.

Now, if only we could see some more people recognise and adopt even the most basic form of two-step verification, we would be making the work of malicious hackers so much more difficult.

Do your bit to help your friends, family, and colleagues avoid having their accounts hacked. Explain to them the benefits of multi-factor authentication and help them to enable it for as many online services (not just Gmail) as possible. Because left to their own devices, many internet users surely are doomed.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Bug bounty program offers $100 million for ‘ethical hackers’ to earn by 2020

HackerOne has put $100 million up for grabs in bug bounty rewards for “ethical hackers” over the next two years, the bug bounty platform said in a press release announcing the results of its 2018 Hacker Report. Many other programs are also available, making ethical hacking a lucrative business for some.

Ethical hacking, formally described as “penetration testing” (or pen test), is the practice of waging authorized simulated attacks on a computer system to evaluate the system for weaknesses that bad actors could exploit.

The 2018 Hacker Report examines the geography, demographics, experience and tools used, as well as the motivations of nearly 2,000 bug bounty hackers across 100 countries. The results are based on the largest survey ever of the ethical hacker community.

Hacking more profitable than traditional engineering for some

The major takeaway from the report is that ethical hacking has become more lucrative than software engineering – at least for some. In other words, some researchers have found they no longer need a day job.

Platforms like HackerOne are undoubtedly a strong influence behind this trend. The company has announced a generous budget for the next couple of years in terms of rewards (emphasis ours):

“This new data comes on the heels of HackerOne’s fastest-growing year, with 1,000 customer programs and more than $23M in bounties awarded to the hacker community. The company plans to pay over $100 million in rewards to hackers by 2020,” reads the press release.

Apparently top-earning ethical hackers make up to 2.7 times the salary of a software engineer. In India, hackers are making as much as 16 times the median salary of their engineering counterparts.

At the same time, the data indicates that some hackers are becoming less motivated by monetary gain, with as many as 24 percent donating their bounty money to organizations like the Electronic Frontier Foundation (EFF), Red Cross, Doctors Without Borders, Save the Children and animal shelters.

Other findings include:

  • A quarter of hackers rely on bounties for at least 50 percent of their annual income
  • 14 percent say their bug bounty hunting generates 90-100 percent of their annual income
  • 12 percent make $20,000 or more annually from bug bounties
  • 3 percent make more than $100,000 per year
  • 1 percent make over $350,000 annually
  • Over 90 percent of all successful bug bounty hackers are under the age of 35
  • 45 percent are between 18 and 24 years of age
  • 37 percent hack as a hobby in their spare time

No shortage of bug bounty platforms to choose from

Vulnerability coordination platforms leverage the findings of ethical hackers – essentially white hat hackers – to help make the Internet a safer place.

Search giant Google has been running such a program – the Vulnerability Reward Program (VRP) for Google-owned web properties – since November 2010.

Google also maintains a program dedicated to making Google Play Store a safer place. In October 2017, the company announced that the Google Play Security Reward Program will reward researchers who find and report security problems in Android apps sold on its app store.

Like HackerOne, Google is not stingy with its rewards – sometimes offering tens of thousands of dollars per vulnerability found (depending on the severity of the flaw). For example, finding a single vulnerability that gives direct access to Google servers can pay anywhere from $100 to more than $30,000.

Other notable bug bounty programs include: “The Internet Bug Bounty,” a joint effort between Facebook and Microsoft; “Hack the Pentagon,” the U.S. federal government’s first bug bounty program; and “Open Bug Bounty,” a crowd-sourced program that discloses website security vulnerabilities and relies on the good will of the affected website operators to obtain rewards.

Aetna Accepts $17M Settlement Agreement for HIV Privacy Breach

Aetna has agreed to pay $17 million as part of a settlement agreement for a breach that might have compromised thousands of HIV patients’ privacy.

On 16 January, the United States District Court for the Eastern District of Pennsylvania received a proposed settlement agreement (PDF). The arrangement stipulates that Aetna, Inc., Aetna Life Insurance Company, and Aetna Specialty Pharmacy, LLC will pay $17,161,200 to resolve the privacy breach claims of customers from 23 states. They will use those funds to send at least $500 to anyone affected by the incident as well as $75 to approximately 1,600 additional customers whose health information Aetna’s legal counsel and mail vendor might have accessed in some way.

The disclosure occurred on 28 July 2017 when the American managed health care company sent out letters to 12,000 of its customers who had filled prescriptions for HIV. Aetna conducted the mailing using a vendor, a third party which sent each patient a notice inside a window envelope. The type of envelope chosen by the vendor sometimes allowed the recipient’s personal health information (PHI), including their HIV diagnosis, to shift into view, thereby compromising their privacy.

An Aetna mailer in which a reference to HIV medication is partly visible through the envelope window.

As reported by NPR, the AIDS Law Project of Pennsylvania and the Legal Action Center issued a demand letter in late August demanding that Aetna stop the mailing. The health care company responded by setting up a relief program for affected patients in October. But upon learning of the scale of the mailing and its effect on patients’ privacy, the two organizations, along with Berger & Montague PC, filed a class-action lawsuit.

Aetna is pleased by the settlement agreement, which responds to that same lawsuit. As it told CNN in a statement:

“Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

Towards that end, Aetna has created a “best practices” document and set up protocols to help better secure its electronic medical record systems along with its patients’ PHI.

This settlement agreement currently requires court approval.

Is AI allegedly hacking users’ accounts?

Recently, a few documents leaked online appear to offer insight into the computer gaming industry’s use of Artificial Intelligence (AI) to increase advertising revenue and gaming deals. The purportedly classified documents showed up on Imgur two days ago and have been doing the rounds on Twitter. The leaked documents, if genuine, reveal the startling lengths to which the computer game industry will go in order to snoop on gamers using AI.

The documents state that surveillance data is accumulated to compile detailed profiles of users. According to the documents, the AI targeted users’ smartphones and used passive listening technology to connect to the smartphone’s microphone; phones are checked to see whether their users stay in the same area for eight hours or more. If this is found to be the case, the subject is marked as “at

The unverified documents then go on to describe the detailed monitoring that takes place inside a user’s home:

“When in home, monitor area of common walking space. Pair with information about number of staircases gathered from footfall audio patterns. Guess square footage of house.”

A part of the document marked “Example Highlight” then goes on to explain how it was decided that “high bonus gaming sessions during relaxing times are paradoxically not the time to encourage premium engagement.” At those times, users are targeted with free rewards, bonuses and “non-revenue-generating gameplay ads.” According to the leak, at these times “the AI severely discourages premium ads.”

As if this weren’t enough, the AI also listens in, not only for keywords but also for “non word sounds.” Examples include microwave sounds and even biting and chewing noises, which are used to work out whether packaged meals have been consumed.

A section marked “Calendar K” explains how psychological manipulation is used to coerce users into making purchases. The AI may wait for players to be tired after long gaming sessions. It can swap the colours of free and paid game titles (generally blue and red) in order to “trick a player into making a buy unintentionally.”

It gets worse, though. According to the leaked documents, the gaming industry also uses hacked data dumps to gather additional information about users. A section marked “Schedule O” even explains how the AI gathers side-channel data.

For the present, however, it remains to be seen whether this data dump will turn out to be genuine or not.
As is always the case, we encourage smartphone users to be careful about the applications they install. Always check for intrusive permissions before consenting to install any application or game. If a game requests permission to use the microphone, remember that this sort of surveillance might be taking place.

According to these leaked documents, AI software may also be using previously hacked data to gain access to third-party services. If so, the gaming companies might break into secondary services to put users under surveillance and build a detailed profile of them.

For now, these serious allegations have yet to be proven true. Be that as it may, users are reminded always to use strong, unique passwords for all of their various online accounts, to make it substantially harder for organisations and companies to use such practices.