Hacking, Security & Privacy - Page 14

Stay informed with the latest hacking, cybersecurity, and privacy news, including data breaches, leaks, cyber attacks, and tips to stay safe online. - Page 14

Mark Zuckerberg's Twitter, Pinterest accounts hacked

Sean Ridgeley | Jun 6, 2016 12:42 PM CDT

Even social media CEOs are susceptible to being hacked, it seems. Over the weekend, a couple of Facebook founder Mark Zuckerberg's social media accounts were compromised by Saudi Arabian hacking group OurMine Team.

OurMine is said to have found Zuckerberg's information in a recent LinkedIn dump, which they then used to gain control of his Twitter and Pinterest accounts. The group claims his password for both accounts was the surprisingly simple 'dadada', but there's reason to be skeptical of this, as it also claimed it had taken over his Instagram account, which Facebook has denied.

Neither the Twitter nor the Pinterest account has been terribly active, at least not recently; Zuckerberg's Instagram account hasn't been too active either, although it has been used on a regular basis and multiple times in the last week.

Continue reading: Mark Zuckerberg's Twitter, Pinterest accounts hacked (full post)

Congress is finally investigating SS7 mobile network security flaw

Jeff Williams | Apr 19, 2016 1:05 PM CDT

Cellular networks are already pretty insecure as they are. Voice is sent unencrypted and in the clear despite having the necessary hardware to support even light encryption methods. Spoofing cellular towers isn't exactly the most difficult thing to do either, but that's small potatoes compared to a vulnerability in the Signalling System No. 7 telephony protocol that can allow a potential malefactor to track you across the globe with relative ease. Congress is now taking an interest and investigating these vulnerabilities.

The interest in the issue began with the airing of a 60 Minutes piece in which Sharyn Alfonsi and a German computing enthusiast who specializes in nefarious programming techniques showed off just how easy it is to exploit the SS7 protocol to track cellphone users. To demonstrate their point, the pair recruited US Representative Ted Lieu and asked him to use a new, unmodified iPhone when conducting staff phone calls. With just the phone number, they were able to pinpoint the location of the US Representative wherever he had the phone, and they were even able to record conversations he was having as well. It apparently didn't take much effort on the part of the researchers, either.

Mr. Lieu, following the demonstration he took part in, called for an official full investigation into the matter so that the vulnerabilities can be addressed. The flaw is something that potentially affects quite a few different markets, within the US and abroad, which could pose serious privacy issues, not to mention if someone should use the flaw to target individuals as part of premeditated actions.

Continue reading: Congress is finally investigating SS7 mobile network security flaw (full post)

WhatsApp enables end-to-end encryption

Sean Ridgeley | Apr 5, 2016 5:04 PM CDT

One month after publicly supporting Apple in its fight for encryption, chat app company WhatsApp now features end-to-end encryption in its client. In essence, whether you're calling someone, sending a file, messaging, hosting a group chat, or anything else, you can rest assured it's completely private from hackers, WhatsApp, and anyone else you might be paranoid about.

"We live in a world where more of our data is digitized than ever before," company CEO and founder Jan Koum says of the change. "Every day we see stories about sensitive records being improperly accessed or stolen. And if nothing is done, more of people's digital information and communication will be vulnerable to attack in the years to come. Fortunately, end-to-end encryption protects us from these vulnerabilities."

"Encryption is one of the most important tools governments, companies, and individuals have to promote safety and security in the new digital age," he continues. "Recently there has been a lot of discussion about encrypted services and the work of law enforcement. While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people's information to abuse from cybercriminals, hackers, and rogue states."

Continue reading: WhatsApp enables end-to-end encryption (full post)

The FBI doesn't need to tell Apple how it broke into the iPhone 5C

Anthony Garreffa | Mar 30, 2016 6:29 AM CDT

We reported yesterday that the FBI had broken into the iPhone 5C used by the San Bernardino shooter, without Apple's help. It's now being reported that Apple can't force the FBI to disclose just how it broke into their smartphone.

The FBI reportedly tapped the help of an Israeli security firm, which broke into the iPhone 5C, and with Apple unable to force the FBI to show them how they did that, it could mean that other iPhones could be broken into. Why? Because Apple can't fix the security hole that the FBI went through - mainly for iPhone users, but it's obviously a hole that Apple doesn't know about, or at least they don't know which method the FBI used. It's quite scary that there's an easy hole that a company that's neither Apple nor the FBI can use to break into iPhones - quite easily, it seems.

Ars Technica talked with a law enforcement official, who said: "We cannot comment on the possibility of future disclosures to Apple. [There] are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences," he said while explaining the Vulnerabilities Equities Process. So, there's no legal requirement for the FBI to disclose how it broke through Apple's much-touted security... well now.

Continue reading: The FBI doesn't need to tell Apple how it broke into the iPhone 5C (full post)

Microsoft, Google, Yahoo, Comcast working on better email encryption

Jeff Williams | Mar 21, 2016 5:03 PM CDT

Encryption is a very pertinent issue in the modern age. We're at an impasse where certain individuals and groups would rather encryption be the stuff of history, perhaps even segregating encryption strengths as was common during the '80s and '90s. Email encryption isn't exactly the easiest thing to set up and requires a bit of preparation to do right. It can be cumbersome even to those that know what they're doing. A group of tech companies and independent researchers have gotten together to help make encryption of your emails easier, and much more seamless.

The new protocol that has been proposed is called SMTP STS, or Simple Mail Transfer Protocol Strict Transport Security, and is designed to ensure a secure, encrypted connection with email servers. It's not a method of encrypting your emails themselves, which would be best served by any free, or paid, PGP solution, but it adds a measure of security to email that helps to make sure that your messages are at least going through real, authentic mail servers to get to their destination.

What it does is talk to those email servers that it's traveling through to determine whether or not the connection is secure and that they're who they say they are. If the server can be authenticated (through the use of certificates and a TLS encryption-based connection), then your message will pass along, knowing that at least that server is legit. If no encryption can be used, then there's the option that the message won't be sent.

Continue reading: Microsoft, Google, Yahoo, Comcast working on better email encryption (full post)

Amazon will restore encryption to Fire OS 5 in future update

Sean Ridgeley | Mar 7, 2016 5:03 PM CST

Last week it became apparent Amazon had not included support for local encryption with Fire OS 5, which would seem to contradict its support of Apple's fight for encryption. Asked for comment on exactly that and why they would drop support when it seems all the work is done by Google anyway, an Amazon spokesperson simply told us, "We will return the option for full disk encryption with a Fire OS update coming this spring."

Amazon initially said its customers "weren't using" local encryption, so it decided not to include support for it, which appeared flimsy reasoning. Whatever the case, the company has wisely decided to change course, likely in light of how it looks currently.

Continue reading: Amazon will restore encryption to Fire OS 5 in future update (full post)

The first OS X ransomware is here, holds your Mac hostage

Anthony Garreffa | Mar 6, 2016 7:23 PM CST

For what feels like forever, Windows users have been the butt of attacks from Mac users when it comes to "but Windows is open, and gets hit by viruses, malware, and ransomware all the time". Well, that might be a thing of the past now.

Palo Alto Networks is claiming it's discovered the first known OS X-based ransomware, known as "KeRanger". How do you get it? You download software infected with the nasty code, with BitTorrent client Transmission, where it will encrypt your files after 72 hours, after which it'll demand that you hand over digital currency ransom to get your files back. Nice.

The latest version of Transmission, alongside Apple revoking a security certificate from another developer that KeRanger used to get past OS X's built-in defenses, should keep you safe. But, this should act as a warning: OS X isn't as safe as most people think it is, and this could be the tip of the iceberg in the months, and years to come.

Continue reading: The first OS X ransomware is here, holds your Mac hostage (full post)

State of the Internet says DDoS attacks are up 149% compared to Q3

Jeff Williams | Mar 6, 2016 12:16 PM CST

The State of the Internet report has been released for the fourth quarter of 2015 and it highlights some of the more malicious trends coming from across the Internet. The short of it is, the volume of attacks against websites has increased through nearly every avenue compared to the third quarter.

DDoS attacks in particular have seen quite the massive increase since last quarter, with a 148.85% increase in overall occurrences. The bright side is that duration seems to have been shortened, probably due to the pay-per-play nature of the services that seem to be the most used. But that didn't stop those sites from being targeted multiple times, up to 24 times in some cases. The good news is that the actual number of packets sent was lower. How very nice of these attackers.

Size of attacks seemed to be below 30Mbps, with only four that exceeded that amount and two that peaked even higher. The biggest were at around 309Gpps with 202Mpps (packets per second). That's actually a small decline in the number of big attacks, by 44.44%. But the interesting part is that the majority of attacks, some 54.45% of all the DDoS activity, was focused on the gaming sector. People are getting more and more mad during and after online matches, preventing people, servers and games themselves from working right. Not to mention the massive attack on Xbox Live and the PlayStation Network.

Continue reading: State of the Internet says DDoS attacks are up 149% compared to Q3 (full post)

Amazon's Fire OS 5 dropped local encryption

Sean Ridgeley | Mar 4, 2016 4:02 PM CST

Amazon's Fire OS 5 came out in September, but only now is it being discovered that the operating system no longer supports local encryption (which makes data accessible only with a passcode or key). Concerns have arisen as a result, given Amazon just filed a brief supporting Apple's defense of encryption.

Fire OS is built on Android's open-source code, which has offered local encryption for years. Fire OS 5 doesn't support the feature, it turns out, and Amazon's statement on why doesn't help clear matters up much.

Continue reading: Amazon's Fire OS 5 dropped local encryption (full post)

Facebook, Google, Amazon, Yahoo file brief in support of encryption

Sean Ridgeley | Mar 4, 2016 1:13 PM CST

Yesterday, Twitter, Reddit, and 15 other tech companies collectively filed an amicus brief in support of Apple and its defense of smartphone encryption. For reasons unclear, other giants like Microsoft and Facebook -- which have publicly announced their support -- were not included. However, they have filed their own separate brief with the same goal.

Microsoft President and CLO Brad Smith writes in a blog post of the case, "The fact that we're discussing the All Writs Act across the country is a telling indication of the urgent need to update antiquated rules that govern digital technology and privacy. If we are to protect personal privacy and keep people safe, 21st century technology must be governed by 21st century legislation. What's needed are modern laws passed by our elected representatives in Congress, after a well-informed, transparent, and public debate."

He later continues, "We've reached a critical moment in which a new generation of mobile and cloud-based technologies have far outrun the laws that protect our safety and preserve our timeless and fundamental rights. By standing with Apple, we're standing up for customers who depend on us to keep their most private information safe and secure."

Continue reading: Facebook, Google, Amazon, Yahoo file brief in support of encryption (full post)

Amazon removed device encryption from newest Fire OS

Jeff Williams | Mar 4, 2016 8:00 AM CST

Amazon seems to be moving in the opposite direction of the other big mobile companies that are looking to strengthen their devices' security. The latest Fire OS is removing support for encryption starting with version 5.0.

The OS that Amazon uses is a fork of the Android Open Source Project, but it takes out any compatibility with Google's own apps even though it relies heavily on the underlying architecture. Notably missing now is full device encryption, something that's been greatly improved (and mandatory on some classes of devices) with the release of Marshmallow. Apparently the option of encryption just wasn't used very much by their user base.

What this means is that anything that you put on it won't be automatically encrypted, making the storage open to attackers who wish to sync or connect directly to the tablet. To be clear, it only applies to anything on the tablet that's being stored. SSL/TLS connections and communication with Amazon's AWS for your cloud content are still just as safe as ever, and your content in the cloud is likely to be encrypted at rest on their servers as well, which is quickly becoming the standard.

Continue reading: Amazon removed device encryption from newest Fire OS (full post)

US Secretary of Defense sides with Apple in encryption debate

Sean Ridgeley | Mar 3, 2016 6:02 PM CST

Not all figures within the US government oppose encryption, today shows.

Secretary of Defense Ashton Carter made his position on the matter clear today at the RSA 2016 security conference, stating, "I'm not a believer in backdoors. It's not realistic and it's not technically accurate," later continuing, "[The Department of Defense is] not in the executive branch seeking legislation of this kind. I don't think writing a law without an exploration of all the technical solutions out there [is a good idea]."

He also isn't a fan of implementing "a law written by people [without tech expertise] or written in an atmosphere of anger and grief" and feels that one case shouldn't "drive the solution."

Continue reading: US Secretary of Defense sides with Apple in encryption debate (full post)

Sea pirates are embracing the future, hacking shipping companies

Jeff Williams | Mar 2, 2016 11:00 AM CST

Pirating just became a whole lot easier thanks to the Internet. A group of sea-going pirates were able to hack into the content management system of a shipping company to pinch the shipping manifests and schedule to better plan their brazen heists.

According to a new security report by Verizon, the Internet, and hacking in general, is becoming an ever increasing resource for the seafaring thieves. Based on the evidence, however, it appears that the pirates themselves are carrying out the attacks because of the sloppy way in which they're going about it. It's proven easy to trace the activity completely to its source.

Pirating is evolving. It once was a primarily physical activity, but now they're becoming more efficient and careful. Why waste resources physically looking for ships on the open sea when you can just track precisely where they'll be by taking a look at the schedule? It's a bold move, especially when they don't seem to care that they get caught. Their mobile nature makes that point moot anyhow.

Continue reading: Sea pirates are embracing the future, hacking shipping companies (full post)

New York judge rules Apple can't be forced to hack phone for drug case

Sean Ridgeley | Mar 1, 2016 7:04 PM CST

A landmark decision has been reached in the ongoing data encryption war. A US magistrate judge in New York, presiding over a drug trafficking case, has ruled Apple cannot be forced to unlock an iPhone by the US government, which has been using the more than 100 year-old All Writs Act (AWA) as part of its argument. While this doesn't directly involve the bigger San Bernardino terrorism case, it's a big win for Apple and smartphone users in general who support their right to encryption, and will certainly help its argument in that case.

"The established rules for interpreting a statute's text constrain me to reject the government's interpretation that the AWA empowers a court to grant any relief not outright prohibited by law," magistrate Judge James Orenstein stated in his order.

In other words, the government overstepped its bounds in its interpretation of the AWA. Orenstein went on to conclude this is a congressional issue.

Continue reading: New York judge rules Apple can't be forced to hack phone for drug case (full post)

Tech giants to file brief supporting Apple in encryption battle

Sean Ridgeley | Feb 26, 2016 1:17 PM CST

Apple today asked a judge to throw out the order requiring it to hack the phone of an attacker in the San Bernardino case and followed it up with a request of its own: that its peers stand behind it to fight for privacy.

That's happened with Microsoft, whose President and Chief Legal Officer Brad Smith declared in a congressional hearing yesterday his company's "wholehearted" support of Apple's position, and that it would file an amicus brief next week to that end. (An amicus brief is a filing that allows those not directly involved in a case to have their say in it.)

Twitter has confirmed to us they "expect to be on a brief supporting Apple" and that the "filing deadline is Wednesday."

Continue reading: Tech giants to file brief supporting Apple in encryption battle (full post)

New iPhone security measures give Apple upper hand in encryption war

Sean Ridgeley | Feb 25, 2016 5:04 PM CST

Sources close to the company and security experts are saying Apple is currently working on upgrading its iPhone security measures, which would shield them from a potential win by the government in the ongoing encryption war. It's said they've been working on it since before the San Bernardino attack.

The new security would be configured in such a way that a backdoor couldn't be created for it at the government's request (as is currently the case). Specifically, it addresses the vulnerability introduced by the troubleshooting system that allows Apple to update system software without a password. Once the new security is in place, the government could request all it likes: Apple wouldn't be able to oblige even if it wanted to.

Experts believe Apple will be able to go through with it. Should the government win the fight, it's expected a new round of court battles would begin, at which point Apple may introduce yet more security measures, and round and round we go. In other words, Apple currently has the upper hand and will for the foreseeable future, barring Congress involvement.

Continue reading: New iPhone security measures give Apple upper hand in encryption war (full post)

Microsoft puts support behind public's right to smartphone encryption

Sean Ridgeley | Feb 23, 2016 8:05 PM CST

Last week, Facebook joined the ranks of Google, Twitter, and Apple in publicly supporting one's right to smartphone encryption amidst the San Bernardino terrorist case. This left some to wonder where Microsoft was in all of this, so we inquired with the tech giant, who pointed us to a tweet by Microsoft President and CLO Brad Smith (retweeted by CEO Satya Nadella), indicating it does indeed support encryption (via the Reform Government Surveillance coalition).

The full statement reads as follows: "Reform Government Surveillance companies believe it is extremely important to deter terrorists and criminals and to help law enforcement by processing legal orders for information in order to keep us all safe. But technology companies should not be required to build in backdoors to the technologies that keep their users' information secure. RGS companies remain committed to providing law enforcement with the help it needs while protecting the security of their customers and their customers' information."

Continue reading: Microsoft puts support behind public's right to smartphone encryption (full post)

FBI ordered password reset on attacker's phone in San Bernardino case

Sean Ridgeley | Feb 22, 2016 8:05 PM CST

The plot has thickened in the San Bernardino terrorist case, as it's been revealed the FBI ordered the Apple ID password on the attacker's phone be reset. The order has given rise to questions about the FBI's competence.

It started when Apple urged authorities to plug the phone of the attacker (Syed Farook) into an outlet in his office, thus triggering an iCloud backup and providing access to the desired data. However, prior to this, the FBI ordered the Apple ID password be reset.

Apple confirmed this in a new FAQ on its website, which addressed the incident as well as other questions that have arisen about the case and the company's stance on encryption.

Continue reading: FBI ordered password reset on attacker's phone in San Bernardino case (full post)

Critical DNS flaw found, allows attackers to get full control

Jeff Williams | Feb 22, 2016 3:59 PM CST

The DNS system that forms the backbone of the Internet, resolving those names into the numbers that correspond to the actual websites we visit, has a critical flaw that affects nearly all DNS servers. That is, any server that runs Linux and relies on the GNU C standard library. A flaw in that library could cause a buffer overflow, which might allow an attacker to take full control over someone's PC.

The flaw itself is actually from 2008, where it was discovered that overly long DNS names being replied to requests from those servers could result in a tragic buffer overflow in the victim's browser, potentially letting an attacker execute code remotely. It's even possible to perform a full-blown man-in-the-middle attack, taking over a machine completely. It can be triggered by already malicious DNS servers.

Thankfully a fix is already ready for most distributions of Linux, which requires only a quick update to fix. If your server distro isn't running one, then you can configure your firewall to drop long DNS responses altogether, so no overflows happen. So the majority of the Internet is largely safe, but it still might affect smaller connected and embedded devices that have glibc that likely won't see any updates with the patched version. Routers, DVRs, some TVs and even NAS devices might still and continue to be at risk.

Continue reading: Critical DNS flaw found, allows attackers to get full control (full post)

Synaptics fingerprint sensor so small it fits on a volume rocker

Jeff Williams | Feb 22, 2016 10:03 AM CST

Synaptics has a new fingerprint sensor that could make it that much more useful and widespread. They've been able to shrink the dimensions so much that it can be placed on side-mounted buttons or any tiny area on any device. And it's accurate too.

The minuscule Natural ID FS4304 touch-based fingerprint sensor is a scant 3.5mm wide, allowing it to be placed on nearly anything. Imagine a more natural interaction with your phone, putting your fingers where they naturally lie, such as on the side of the device, and being able to unlock it more conveniently. That might seem silly, but it leads to making biometrics something that can secure anything.

It also has the potential to make fingerprint readers more discreet, drawing attention away from attempting to spoof and bypass them, which is possible with enough resources (though not always successful unless under the right conditions). As we've explained here before, as part of a multi-factor authentication scheme, using your fingerprint as a biometric is one of the better and more convenient options. Unfortunately facial recognition and iris scanning aren't commonplace enough yet.

Continue reading: Synaptics fingerprint sensor so small it fits on a volume rocker (full post)
