TweakTown NewsRefine News by Category:
A hacker by the name of Avinash discovered Vine's source code is publicly available, and for his efforts, parent company Twitter has paid him $10,080.
The news is only coming out now, but Avinash presented his findings to Twitter about two months ago, at which point they fixed the issue within five minutes.
Tech giants paying hackers for bug bounties is a standard practice; bug bounty hunter Anand Prakash has earned roughly $1 million to date.
Even social media CEOs are susceptible to being hacked, it seems. Over the weekend, a couple of Facebook founder Mark Zuckerberg's social media accounts were compromised by Saudi Arabian hacking group OurMine Team.
OurMine is said to have found Zuckerberg's information in a recent LinkedIn dump, which they then used to gain control of his Twitter and Pinterest accounts. The group claims his password for both accounts was the surprisingly simple 'dadada', but there's reason to be skeptical of this as it also claimed it had overtaken his Instagram account, which Facebook has denied.
Both the Twitter and Pinterest account haven't been terribly active, at least not recently; Zuckerberg's Instagram account hasn't been too active either, although it has been used on a regular basis and multiple times in the last week.
Cellular networks are already pretty insecure as they are. Voice is sent unencrypted and in the clear despite having the necessary hardware to support even light encryption methods. Spoofing cellular towers, too, isn't exactly the most difficult thing to do either, but that's small potatoes compared to a vulnerability in the Signalling System No. 7 telephony protocol that can allow a potential malefactor to track you across the globe, with relative ease. Congress is now taking an interest and investigating these vulnerabilities.
The interest in the issue began with the airing of a 60 Minutes piece where Sharyn Alfonsi and a German computing enthusiast who specializes in nefarious programming techniques, showed off just how easy it is to exploit the SS7 protocol to track cellphone users. To demonstrate their point, the pair recruited US Representative Ted Lieu and asked him to use a new, not modified, iPhone when conducting staff phone calls. With just the phone number, they were able to pinpoint the location of the US Representative wherever he had the phone, and they were even able to record conversations he was having as well. It apparently didn't take much effort on the part of the researchers, either.
Mr. Lieu, following the demonstration he took part in, called for an official full investigation into the matter so that the vulnerabilities can be addressed. The flaw is something that potentially affects quite a few different markets, within the US and abroad, which could pose serious privacy issues. Not to mention if someone should use the flaw to target individuals as part of pre-meditated actions.
Encryption is a very pertinent issue in the modern age. We're at an impasse where certain individuals and groups would rather encryption be the stuff of history, perhaps even segregating encryption strengths like was common during the 80's and 90's. Email encryption isn't exactly the easiest thing to setup and requires a bit of preparation to do right. It can be cumbersome even to those that know what they're doing. A group of tech companies and independent researchers have gotten together to help make encryption of your emails easier, and much more seamless.
The new protocol that has been proposed is called SMTP STS, or Simple Mail Transfer Protocol Strict Transport Security, and is designed to ensure a secure, encrypted connection with email servers. It's not a method of encrypting your emails themselves, which would be best served by any free, or paid, PGP solution, but it adds a measure of security to email that helps to make sure that you're messages are at leat going through real, authentic mail servers to get to their destination.
What it does is talk those email servers that it's traveling through to determine whether or not the connection is secure and that it's who they say they are. If the server can be authenticated (through the use of certificates and a TLS encryption-based connection), then your message will pass along, knowing that at least that server is legit. If no encryption can be used, then there's the option that the message won't be sent.
The State of the Internet report has been released for the fourth quarter of 2015 and it highlights some of the more malicious trends coming from across the Internet. The short of it is, the volume of attacks against websites has increased through nearly every avenue than compared to the third quarter.
DDoS's in particular have seen quite the massive increase since last quarter, with a 148.85% increase in overall occurrences. The bright side is that duration seems to have been shortened, probably due to the pay-per-play nature of the services that seem to be the most used. But that didn't stop those sites from being targeted multiple times, up to 24 times in some cases. The good news is that the actual number of packets sent was lower. How very nice of these attackers.
Size of attacks seemed to be below 30Mbps, with only four that exceeded that amount and two that peaked even higher. The biggest were at around 309Gpps with 202Mpps (packets per second).That's actually a small decline in the number of big attacks, but 44.44%. But the interesting part is that the majority of attacks, some 54.45% of all the DDoS activity was focused on the gaming sector. People are getting more and more mad during and after online matches, preventing people, servers and games themselves from working right. Not to mention the massive attack on Xbox Live and the PlayStation Network.
Amazon seems to be moving in the opposite direction of the other big mobile companies that are looking to strengthen their devices security. The latest Fire OS is removing support for encryption starting with version 5.0.
The OS that Amazon uses is a fork of the Android Open Source Project, but it takes out any compatibility with Google's own apps even though it relies heavily on the underlying architecture. Notably missing now, is full device encryption, something that's been greatly improved (and mandatory on some classes of devices) with the release of Marshmallow. Apparently the option of encryption just wasn't used very much by their user-base.
What this means is that the anything that you put on it won't be automatically encrypted, making the storage open to attackers who wish to sync or connect directly to the tablet. To be clear, it only applies to anything on the tablet that's being stored. SSL/TLS connections and communication with Amazon's AWS for your cloud content is still just as safe as ever, and your content in the cloud is likely to be encrypted at rest on their servers, as well, which is quickly becoming the standard.
Pirating just became a whole lot easier thanks to the Internet. A group of sea-going pirates were able to hack into the content management system of a shipping company to pinch the shipping manifests and schedule to better plan their brazen heists.
According to a new security report by Verizon, the Internet, and hacking in general, is becoming an ever increasing resource for the seafaring thieves. Based on the evidence, however, it appears that the pirates themselves are carrying out the attacks because of the sloppy way in which they're going about it. It's proven easy to trace the activity completely to its source.
Pirating is evolving. It once was a primarily physical activity, but now they're becoming more efficient and careful. Why waste resources physically looking for ships on the open sea when you can just track precisely where they'll be by taking a look at the schedule. It's a bold move, especially when they don't seem to care that they get caught. Their mobile nature makes that point moot anyhow
The DNS system that forms the backbone of the Internet, resolving those names into the numbers that correspond to the actual websites we visit, has a critical flaw that effects nearly all DNS servers. That is, any server that runs Linux and relies on the GNU C standard library. A flaw in that library could case a buffer overflow, which might allow an attacker to take full control over someone's PC.
The flaw itself is actually from 2008, where it was discovered that overly long DNS names being replied to requests from those servers could result in a tragic buffer overflow in the victims browser, potentially letting an attacker execute code remotely. It's even possible to perform a full-blow man-in-the-middle attack, taking over a machine completely. It can be triggered by already malicious DNS servers.
Thankfully a fix is already ready fro most distributions of Linux, which requires only a quick update to fix. If your server distro isn't running one, then you can configure your firewall to drop long DNS responses altogether, so no overflows happen. So the majority of the Internet is largely safe, but it still might effect smaller connected and embedded devices that have Glibc that likely won't see any updates with the patched version. Routers, DVR's, some TV's and even NAS devices might still and continue to be at risk.
Synaptics has a new fingerprint sensor that could make it that much more useful and widespread. They've been able to shrink the dimensions so much that it can be placed on side-mounted buttons or any tiny area on any device. And it's accurate too.
The minuscule Natural ID FS4304 touch-based fingerprint sensor is a scant 3.5mm wide allowing it to be placed on nearly anything. Imagine a more natural interaction with your phone, putting your fingers where they naturally lay, such as on the side of the device, and being able to unlock it more convenient. That might seem silly, but it leads to making biometrics something that can secure anything.
It also has the potential to make fingerprint readers more discreet, drawing attention away from attempting to spoof and bypass them, which is possible with enough resources (though not always successful unless under the right conditions). As we've explained here before, as part of a multi-factor authentication scheme, using your fingerprint as a biometric is one of the better and more convenient options. Unfortunately facial recognition and iris scanning isn't commonplace enough yet.
Passwords are quickly becoming an archaic creation in the minds of many a security researcher. There're definitely better, more secure and easier to use ways to authenticate yourself and login to your favorite sites. The World Wide Web Consortium (W3C) wants to change with a new open standard to help make the Internet just a little bit more secure. And not too terribly more complicated either.
The password itself is usually the weakest link in any secure system. Most people don't want to put int the required effort to create a properly complex password, or they don't follow proper password etiquette and change them, substantially enough, at regular intervals. And really, who wants to have a super long password anyway. Sometimes even strong passwords get exposed and added to rainbow tables, rendering them absolutely useless anyway. So what does one do?
Make multi-factor authentication a thing, and a common, easy to use thing at that. That's what the W3C intends to do with their FIDO 2.0 based authentication standard. They want to make an API easy for web developers to implement that can allow for many different types of authentication.