
Protect Accounts with Strong Authentication

What is strong authentication?

Strong authentication – sometimes called 2-step verification, multi- or two-factor authentication, or login approval – provides an extra layer of security beyond your username and password to protect against account hijacking. Many online services, including email and social networks, offer this free extra security protection to help ensure it’s actually you trying to access your account – not just someone who stole or guessed your password.

How does it work?

Strong authentication requires you to have more than just your password to sign into your account. Strong authentication tools are widely available on major email and social networking sites. Here are the most common methods you can choose from:


Here’s how to turn on strong authentication:

Instagram: Two-factor authentication is a security feature. When two-factor authentication is on, every time you log into Instagram from an unknown device you'll be asked to enter an SMS security code or backup code in addition to your username and password. Find out more from Instagram here.

Facebook: As more individuals and businesses turn to Facebook to share and connect with others, people are looking to take more control over protecting their account from unauthorized access. Login Approvals is a two-factor authentication system that requires you to verify your identity via a code sent to your mobile device or by using a physical security key (YubiKey) whenever you log into Facebook from a new or unrecognized computer. Once you have verified your identity, you’ll have the option to save the device to your account so that you don’t see this challenge on future logins. Find out more from Facebook here. YubiKeys were first introduced in 2017. The function allows you to register the physical security key to your account so that the next time you log in after enabling Login Approvals, you'll simply tap a small hardware device that plugs into a USB port on your computer. Security keys can be purchased through companies like Yubico, and the keys support the open Universal 2nd Factor (U2F) standard hosted by the FIDO Alliance.

Twitter: Login verification is an extra layer of security for your Twitter account. Instead of only entering a password to log in, you’ll also enter a code which is sent via text message to your mobile phone. This verification helps make sure that you, and only you, can access your account. After you enable this feature, you will need both your password and your mobile phone to log in to your account. When you log in to twitter.com, Twitter for iOS, Twitter for Android, or mobile.twitter.com, you will receive a text message with a six-digit login code to enter (see our list of supported carriers here). Find out more from Twitter here.


Yahoo Says All 3 Billion Accounts Affected in 2013 Hack

Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc (VZ.N).

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to a company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients' claims.

"I think we have those facts now," he said. "It's really mind-numbing when you think about it."

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said "recently obtained new intelligence" showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion people were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

"This is a bombshell," said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo's former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August, in the separate lawsuit brought by Yahoo's users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of account owners who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expand its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc (EFX.N) and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo's core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it is for companies to get ahead of hackers, even when they know their networks have been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers' tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to."

Tips For Passwords & Securing Your Accounts

Passwords can be inconvenient, but they’re important if you want to keep your information safe. Protecting your personal information starts with STOP. THINK. CONNECT.: take security precautions, think about the consequences of your actions online and enjoy the Internet with peace of mind. Here are some simple ways to secure your accounts through better password practices.

MAKE YOUR PASSWORD A SENTENCE

A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!

UNIQUE ACCOUNT, UNIQUE PASSWORD

Having separate passwords for every account helps to thwart cyber criminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.

WRITE IT DOWN AND KEEP IT SAFE

Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. You can alternately use a service like a password manager to keep track of your passwords.

LOCK DOWN YOUR LOGIN

Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.

September 2017 CERT Cyber Vulnerabilities

Each month, Nebula Consulting posts vulnerability notes from CERT’s vulnerability database. Check back often for updates!

06 Sep 2017 - VU#112992 - Apache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data.

In Apache Struts 2 framework, versions 2.5 to 2.5.12, the REST plugin uses XStreamHandler with an instance of XStream to deserialize XML data. Because there is no type filtering, a remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code in the context of the Struts application.

A remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code on vulnerable servers in the context of the Struts application.

Solution: Apply an update. The vendor has released version 2.5.13 to address this vulnerability. No workaround is possible according to the vendor, so patching is strongly recommended.

08 Sep 2017 - VU#166743 - Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities.

Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.

Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.
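The weakness described here is a general property of CBC mode: the first plaintext block is XORed with the IV before encryption, so with a fixed IV and the same key, identical plaintext prefixes always produce identical ciphertext prefixes. The Go program below is an added illustration, not U-Boot's code; it uses the standard library's AES-CBC on two constructed environment blobs that differ only in a later value, shows that a zero IV leaves their shared prefix visible, and models the note's dictionary attack under the assumption that the attacker can obtain ciphertexts produced with the same key and IV (for example, by having the device encrypt candidate values). The key, environment strings and candidate list are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// padZero extends data with zero bytes to a whole number of AES blocks. This
// mirrors a fixed-size environment region; it is not a message-padding scheme.
func padZero(data []byte) []byte {
	rem := len(data) % aes.BlockSize
	if rem == 0 {
		return data
	}
	return append(append([]byte{}, data...), make([]byte, aes.BlockSize-rem)...)
}

// cbcEncrypt encrypts data with AES-CBC under key and iv.
func cbcEncrypt(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := padZero(data)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// zeroIV is the fixed all-zero IV the vulnerability note describes.
var zeroIV = make([]byte, aes.BlockSize)

// randomIV returns a fresh unpredictable IV, which CBC requires for every message.
func randomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// sharedPrefixBlocks counts how many leading 16-byte blocks two ciphertexts share.
func sharedPrefixBlocks(a, b []byte) int {
	n := 0
	for (n+1)*aes.BlockSize <= len(a) && (n+1)*aes.BlockSize <= len(b) {
		lo, hi := n*aes.BlockSize, (n+1)*aes.BlockSize
		if !bytes.Equal(a[lo:hi], b[lo:hi]) {
			break
		}
		n++
	}
	return n
}

// dictionaryLookup models the attack in the note: each guess for the first
// plaintext block is encrypted under the same key and IV and compared with the
// observed first ciphertext block. It returns the matching guess, or "".
func dictionaryLookup(key, iv, observedBlock []byte, guesses []string) string {
	for _, g := range guesses {
		if bytes.Equal(cbcEncrypt(key, iv, []byte(g))[:aes.BlockSize], observedBlock) {
			return g
		}
	}
	return ""
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	envA := []byte("bootcmd=run nand_boot\x00bootdelay=3\x00")
	envB := []byte("bootcmd=run nand_boot\x00bootdelay=0\x00")

	fixedA, fixedB := cbcEncrypt(key, zeroIV, envA), cbcEncrypt(key, zeroIV, envB)
	freshA, freshB := cbcEncrypt(key, randomIV(), envA), cbcEncrypt(key, randomIV(), envB)
	fmt.Println("shared ciphertext blocks, zero IV:  ", sharedPrefixBlocks(fixedA, fixedB))
	fmt.Println("shared ciphertext blocks, random IV:", sharedPrefixBlocks(freshA, freshB))

	guesses := []string{"bootcmd=run mmc0", "bootcmd=run nand", "bootcmd=run usb0"}
	fmt.Printf("dictionary hit, zero IV:   %q\n", dictionaryLookup(key, zeroIV, fixedA[:aes.BlockSize], guesses))
	fmt.Printf("dictionary hit, random IV: %q\n", dictionaryLookup(key, zeroIV, freshA[:aes.BlockSize], guesses))
}
```

With the zero IV the two environments share their first two ciphertext blocks, and the first block is recognised from the guess list; with a fresh random IV (which an attacker cannot predict) neither is true. An unpredictable per-message IV is the minimum fix for CBC; an authenticated mode such as AES-GCM would additionally detect the tampering that CBC alone cannot.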

An attacker with physical access to the device may be able to decrypt the device's contents.

Solution: The CERT/CC is currently unaware of a practical solution to this problem. U-Boot versions prior to 2017.09 contain the vulnerable code; the feature was deprecated and removed in the 2017.09 release.

12 Sep 2017 - VU#240311 - Multiple Bluetooth implementation vulnerabilities affect many devices.

A collection of Bluetooth implementation vulnerabilities known as "BlueBorne" has been released. These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in the worst case allow an unauthenticated attacker to execute commands on the device. For more details, please read Armis's BlueBorne disclosure website and Technical White Paper.

An unauthenticated, remote attacker may be able to obtain private information about the device or user, or execute arbitrary code on the device.

Solution: Apply an update. Patches are available in the latest releases of Windows (see Microsoft bulletin), iOS, the Linux kernel, and Android (see September 2017 security bulletin).

13 Sep 2017 - VU#101048 - Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability.

The Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

The PrintClientProxy method in the WSDL-parsing component of the Microsoft .NET framework fails to properly handle linefeed characters. If an attacker can cause the .NET framework to parse a specially crafted WSDL file, this can result in arbitrary code execution.

This vulnerability is currently being exploited in the wild, by way of an RTF file with an embedded SOAP Moniker object that triggers a remote WSDL file to be retrieved and parsed. Other attack vectors may be possible.

By causing the .NET framework to parse a specially crafted WSDL file with the SOAP Moniker, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system. Current exploits achieve this by convincing a user to open an RTF document.

Solution: Apply an update. This issue is addressed in CVE-2017-8759 (.NET Framework Remote Code Execution Vulnerability).


How to Protect Yourself if You're a Victim of the Equifax Breach

After Equifax Breach, Wealthy Consumers Present Alluring Targets For Hackers - Here’s how to protect yourself from email and medical fraud schemes.

Of the 143 million U.S. consumers whose personal information was potentially exposed in the Equifax data breach, the wealthy could face their own particular set of vulnerabilities.

Would-be criminals could use customers’ stolen names, Social Security numbers, birth dates and addresses—information exposed in the Equifax breach—to target those who may have bigger bank accounts, larger lines of credit and more assets, experts say.

A relatively easy way crooks could target the wealthy is by sorting the Equifax information by ZIP Codes that are associated with wealthy areas such as Beverly Hills, Calif., or Greenwich, Conn., some cybersecurity experts say.

“Hackers get the most bang for their buck by focusing on wealthy,” says Roderick Jones, chief executive of Rubica Inc., a cybersecurity firm that works with wealthy individuals.

Here are weaknesses wealthy Americans should watch out for:

Email Vulnerabilities

Fraudsters may use the compromised Equifax data to not only open high-limit credit cards or take out loans in victims’ names, Mr. Jones says, but also to hack into their email accounts to gather information so they can commit other crimes.

Using the details gathered from the breach, experts say hackers are likely to launch “phishing” attempts on their targets. With knowledge of a loan at a certain bank, for example, a hacker could craft an email about that loan that sounds believable and encourages the victim either to click a link that may infect their computer or to visit a malicious website that gathers even more data that could be exploited.

Another example: After infiltrating a victim’s email and learning his or her writing style, a hacker could email that person’s financial adviser and request a wire transfer, experts say. If the adviser doesn’t have the proper security procedures in place and doesn’t at least verify a wire-transfer request with a verbal confirmation from the client, that money could end up in a fraudster’s account.

How to respond: Use different, complex passwords for each of your accounts, security experts say. Don’t use your Social Security number as any part of an online password or username. While such tips aren’t new, experts say they bear repeating because the security gaps they address are among the most frequently exploited.

Also, take caution with emails that appear to be from a legitimate financial institution. When in doubt, call that provider directly or log on to their website from a secure connection to check your accounts, security experts say.

Medical Fraud

Equifax victims may be at particular risk for medical fraud, too, says Michael Kaiser, executive director at the National Cyber Security Alliance. That’s because they often have strong medical insurance and prescription-drug coverage.

A crook could use the information stolen in the breach to impersonate a victim and seek treatment from various doctors or specialists, potentially running up high medical bills.

Meanwhile, the opioid epidemic raises the stakes for prescription-drug fraud.

Crooks could sell the information to individuals addicted to prescription drugs, including opioids, says Eva Velasquez, president of the Identity Theft Resource Center, a nonprofit group that helps victims of identity theft.

That person would then use the stolen information to buy prescription drugs under the victim’s name using their health insurance. The victim will often get the bill for any unpaid expenses, and the crook’s use of the drug will be recorded in the victim’s health records, she says.

Ms. Velasquez says that once an individual provides proof of identity theft, he or she generally is no longer held responsible for debts incurred by a fraudster. In the interim, however, a victim may be held responsible and this can have an impact on credit scores.

And in cases where insurance was used fraudulently, plan caps and thresholds can be met or exceeded, making it difficult for victims to obtain necessary medical services, she says.

How to respond: If you get bills or explanation-of-benefits forms that you don’t recognize, call the billing office of the medical provider and your insurance company to challenge the charges, Mr. Kaiser says. Keep copies of any documents you receive and keep notes on your conversations.

And ask your providers about any extra layers of security they have, including two-factor authentication, personal identification numbers and biometrics such as fingerprint readers, and take advantage of those features, Ms. Velasquez says.

“Yes, more security adds a layer of inconvenience, but that’s OK if it protects you in the long run,” she says.