Hacking, Security & Privacy - Page 15
Stay informed with the latest hacking, cybersecurity, and privacy news, including data breaches, leaks, cyber attacks, and tips to stay safe online. - Page 15
Facebook joins Google, Twitter, Apple in defense of encryption
Tech giants Google, Twitter, and Apple have publicly denounced the FBI's fight to get around phone encryption, favoring the privacy rights of their users instead. Now Facebook is hopping on board, too.
"We will continue to fight aggressively against requirements for companies to weaken the security of their systems," a Facebook spokesperson told Reuters yesterday. "These demands would create a chilly precedent and obstruct companies' efforts to secure their products."
That makes four for four. Microsoft is the biggest tech company to not yet comment on the issue; to that end, we've put in an inquiry, and will report if we hear back.
Google CEO sides with Apple on encryption debate
Yesterday, Apple CEO Tim Cook published an open letter to the company's customers, explaining why Apple feels so strongly about supporting one's right to data encryption and privacy. Shortly afterward, Google CEO Sundar Pichai chimed in on Twitter, describing the letter as "important" before siding with Cook.
"Forcing companies to enable hacking could compromise users' privacy," he writes. "We know that law enforcement and intelligence agencies face significant challenges in protecting the public against crime and terrorism. We build secure products to keep your information safe and we give law enforcement access to data based on valid legal orders, but that's wholly different than requiring companies to enable hacking of customer devices & data. Could be a troubling precedent. [I'm] looking forward to a thoughtful and open discussion on this important issue."
FBI orders Apple to build iPhone backdoor, Cook explains why it won't
As the phone encryption debate rages on, Apple CEO Tim Cook has published an open letter to the company's customers, detailing in full its stance on the personal right to privacy. The letter comes shortly after the US government ordered Apple to unlock phones at its discretion for criminal and intelligence purposes, which Apple has opposed.
Disconcertingly, the feds are invoking the 227-year-old All Writs Act -- which says courts can "issue all [written orders] necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law" -- in a bid to win their case.
"We were shocked and outraged by the deadly act of terrorism in San Bernardino last December," writes Cook. "We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government's efforts to solve this horrible crime. We have no sympathy for terrorists.
W3C launching new open authentication standard for the Internet
Passwords are quickly becoming archaic in the minds of many security researchers. There are definitely better, more secure and easier-to-use ways to authenticate yourself and log in to your favorite sites. The World Wide Web Consortium (W3C) wants to change that with a new open standard to help make the Internet just a little bit more secure, and not too terribly more complicated either.
The password itself is usually the weakest link in any secure system. Most people don't want to put in the required effort to create a properly complex password, or they don't follow proper password etiquette and change them, substantially enough, at regular intervals. And really, who wants to have a super long password anyway? Sometimes even strong passwords get exposed and added to rainbow tables, rendering them absolutely useless anyway. So what does one do?
Make multi-factor authentication a thing, and a common, easy-to-use thing at that. That's what the W3C intends to do with its FIDO 2.0-based authentication standard. It wants an API that is easy for web developers to implement and that allows for many different types of authentication.
Martin Shkreli has $15m of Bitcoin scammed over Kanye album promise
A scammer has stolen $15 million worth of Bitcoins from one of the internet's most 'un-loved' celebrities, pharmaceutical man Martin Shkreli. Contacting Shkreli and pretending to be part of Kanye West's entourage, a scammer promised an early release of West's new album 'Life of Pablo' to Shkreli personally, setting the price at a hefty 37,000 Bitcoin.
Taking to Twitter in order to voice his frustrations over getting scammed, Shkreli claims to now have "quit rap," stating that "This is the worst day of my life. My mom said don't deal with these kinds of people. Nothing good comes from rap music."
Seemingly having some friends in high places, Shkreli told all of his followers that they are 'idiots' and he has "gotten in touch with Sitoshi (Bitcoin's creator) and he's agreed to help me get my money back. I always win." He ended his Tweet tirade by announcing that "And second of all I can make the money back faster than anyone so the joke is on YOU if you think I even care."
Anonymous claims hacker released 17.8GB of files from Turkey police
Believed to be 'ROR[RG]', this hacker has been named by Anonymous as a person who successfully infiltrated Turkish national police servers, stealing private information that includes a multitude of database files.
International Business Times describes the files as MySQL-related, since most of them carry the .myd, .myi and .frm file extensions. Available as a 2GB torrent file online, the data becomes a large 17.8GB cache of illegally gathered information once extracted.
The breach was announced by 'TheCthulhu', who used its official Twitter account to announce "Hey #Turkey, I have something to show you tomorrow. See, if you fight your citizens, they will bite back. #standby." This isn't ROR[RG]'s first operation; the hacker is known for infiltrating Adult Friend Finder back in 2015 and releasing personal information regarding four million members.
Hack-proof RFID chips to protect credit cards and more in the future
RFID is a cheap and convenient way to communicate information between devices. The problem is that it's also incredibly insecure, and easily hacked in a number of ways. But researchers from Texas Instruments and MIT have come together to make a chip that won't be so easy to steal information from.
The implications of such a development are tremendous, with the idea that the public will finally start to trust the technology for more applications. Specifically, the chips are being designed to be nearly impervious to a common attack on RFID devices, the side-channel attack. Those work by analyzing actual power fluctuations or memory access patterns in order to determine what the cryptographic key is, to break in and steal your precious information.
The new chip doesn't prevent the reading of those physical properties, because that would mean it doesn't work at all. Instead it uses a special ferroelectric crystal material that can self-power the chip and store small amounts of information, to prevent people from cutting the power right before a cryptographic key exchange, which can reveal that key if done properly with the right equipment and software. The chips will also incorporate an on-board random number generator to use a new secret key for each transaction, meaning that each one is completely unique, and thus far safer and more secure than ever before.
Explore ancient viruses with the Internet Archive's malware museum
If you get infected with malware today, it's a very serious issue that could potentially compromise and complicate your life. Back in the day, before the rise of botnets and ransomware, viruses were quite cheeky and sometimes very bizarre. The Internet Archive is letting you explore what those antiquated infections could do, without the danger of course.
The collection is a whimsical exploration of viruses from the 1980s and 1990s that was curated by Jason Scott from Internet Archive and Mikko Hypponen, a chief researcher from F-Secure. Click on any of the examples and you'll be greeted with the animations and messages that tended to be the end result. They're safely contained within a DOS box emulator, and no longer have their destructive powers anyway.
New biometrics uses a 'Brainprint' for identification, 97% accurate
Biometrics are something we've been using to uniquely identify other humans since the 13th Century, but the current methods are flawed and can be spoofed with enough creativity and time. So now researchers have found another novel way to uniquely identify people: With "Brainprints".
A brainprint is the unique way in which your neurons fire when reading, or doing anything. It's a distinct and consistent way to identify people. New research by the Basque Center for Cognition and Binghamton University into the brainprint has been able to show just how unique our thought patterns actually are. They were able to identify people with 97% accuracy just based on them thinking about a particular word that flashed on a monitor in front of them for a half of a second.
That's good news for the coming robot revolution, because until brain thought patterns can be faked, we'll at least be able to know who's who, and who's not human. But in more practical terms it could be another piece of the authentication puzzle. As a means to make a password it's horrible, but in a multi-factor authentication scheme, it could be used to verify that you're actually who you say you are and present at the time of entering your PIN or password.
Research reveals 57% of dark web is illicit material
The darknet, or dark web, is a conglomeration of hidden services and websites that are accessible only through the Tor network. And as it would turn out, recently published research shows that over 57% of those hidden websites also happen to have some kind of illegal content on them.
The researchers, Daniel Moore and Thomas Rid from King's College London, created a custom script that parsed through some 5,025 live .onion based websites and found that 1,547 hosted some kind of material that's criminal in nature. The leading activity seems to surround drugs, with finance-related criminal enterprises coming in a close second.
It's not necessarily a surprising finding, given that the idea of privacy and security tends to attract unsavory types by its very nature. But the researchers do note that it doesn't have to be that way, and that perhaps removing hidden services from Tor could help, somehow.
The NSA wants to reorganize its divisions to better spy on you
It looks like the NSA wants to do some spring cleaning by combining its intelligence gathering and cyberdefense groups. But this creates its own issues, as the intelligence group might be using security flaws to spy on people and governments that its cyberdefense team doesn't even know about, leaving critical systems open to various attacks.
The US spy agency is now reportedly preparing a reorganization that would combine its offensive and defensive capabilities, a move that would help it better coordinate its fight online. The NSA isn't talking specifics just yet, but we should hear more about it this week. The Washington Post reports that it could be more of a cultural shift than a technical one. The two divisions already share similar processes, but this move would create a better line of communication between them.
OpenSSL gets patched for a problem that probably doesn't affect you
The OpenSSL project has found, and patched, an issue that was fairly serious, though it likely didn't affect very many people, or businesses for that matter.
The problem seems to stem from how the open-source implementation of SSL and TLS reuses prime numbers when the Diffie-Hellman key-exchange protocol is used, making it far easier for a would-be attacker to decrypt your information. The good news is that for that to happen, a particular setting has to be explicitly turned on, because it's not on by default.
Even better, in order to have enough information to actually crack the encryption, the attacker would have to connect (and reconnect via separate handshakes) several times. So it's not something that's of too much concern, certainly not at the same level as the Heartbleed vulnerability of 2014.
Week 2 with the fingerprint reader infused mouse - Where're the apps?
This is the second full week using the Thermaltake Black V2 gaming mouse infused with Synaptics' IronVault optical fingerprint reader, and it's been a mostly great experience, when it comes to the fingerprint reader that is.
To be fair, the particular mouse that it's embedded in isn't quite my cup of tea, but that isn't what's being evaluated here, aside from the positioning of the sensor itself. So let's get that little hiccup out of the way from the beginning. The mouse just isn't quite comfortable for my hand, and everyone has their own preferences when it comes to their HIDs, but let's move on to the important bits.
The sensor itself has proven to be an accurate and surprisingly useful device. Enrolling your fingerprints is as easy as with any other capacitive sensor you might be used to (read: iPhone or any mobile phone for that matter). Just follow the instructions on the application that interfaces, and you're in business, able to use that stored fingerprint to be the basis for logging in to websites. It's almost magical, and much more so than when it was first introduced to the greater consumer by Apple.
Apple says iOS 8 and up designed to be unhackable by even Apple itself
In a freshly unsealed court case from October 2015, a judge asked Apple why it ignored requests to unlock the iPhone of a methamphetamine dealer. Turns out it didn't; the device (an iPhone 5s with iOS 7) was simply set to erase all data if someone attempted to unlock it 10 times in a row unsuccessfully (an unlocking device will try every possible code in quick succession). Presumably, this was by Apple design.
"In most cases now and in the future, the government's requested order would be substantially burdensome, as it would be impossible to perform," Apple stated, going on to say iOS 8 and above are designed to be unhackable by even Apple itself.
Apple lawyer Marc Zwillinger took it further at the hearing, noting, "Right now Apple is aware that customer data is under siege from a variety of different directions. Never has the privacy and security of customer data been as important as it is now. A hypothetical consumer could think if Apple is not in the business of accessing my data and if Apple has built a system to prevent itself from accessing my data, why is it continuing to comply with orders that don't have a clear lawful basis in doing so?"
25 worst passwords 2015, are you using one of them? Time to Change!
Passwords are sometimes the first and last defense for your precious data. We probably mostly try to make them complex and full of symbols, numbers and non-words. But as it turns out, a lot of people still have easy to remember, and easy to hack passwords.
The top 25 passwords have been compiled by a company called SplashData to help show how insecure and unserious so many happen to be about password security. The list for 2015 is both surprising and also very sad. Despite the increase in security breaches and the ready availability of rainbow tables and brute force password lists, simple passwords still seem to persist.
So if you use one of the passwords listed below, you might want to consider changing it. Or you'll be extra vulnerable.
Intel introduces Intel Authenticate, designed to stave off hackers
Securing your PC has always been a priority, and a challenge, for Intel, especially in the enterprise sector. But vPro, a small co-processor that helps to secure your system in a variety of different novel ways, is a little long in the tooth even though it's still very relevant. So Intel is innovating on its vPro architecture by adding new functionality and making it much better and more sophisticated in the wake of more refined attack methods.
Intel Authenticate is the company's new hardware-enhanced multi-factor authentication solution that'll make use of the existing vPro processor to authenticate users. It's able to verify your identity by using a combination of three things: something you have, which is a security token or even a smartphone or an app on that phone; something you know, such as a PIN or password; and something you are, biometrics.
How does it work? In the hardware is a certificate that's completely separated logically and physically from the rest of the system, so this certificate is theoretically very secure and can't be spoofed. Your information is stored with that certificate and compared against it. It's actually a very good solution, and this hardware-assisted MFA is a step in the right direction. And with Synaptics making fingerprint sensors easier to integrate into systems, and smartphone authentication apps becoming so ubiquitous, it's a natural evolution.
Keep your luggage safe with this Bluetooth lock and app
CES 2016 - If you're worried about someone whipping out a bobby pin and Fallout 4-style breaking into your luggage, Dog & Bone is now offering its LockSmart Travel product, a TSA-approved, keyless, Bluetooth-connected luggage padlock and app.
The app is compatible with Apple iOS and Google Android operated phones, functioning as a keyless and trackable way to keep your belongings safe. Access can be granted to additional smartphones by the owner, hopefully removing a flat battery issue. There isn't any override system as far as we know right now, so what's worrying is that you could be stuck in a foreign country with a flat phone, locked bag and the charger nestled safely within your locked baggage - unable to be taken out and used.
Set for availability in early 2016, the lock contains 128-bit encryption and will cost around $100.
Samsung thinks SmartTVs are unsafe, makes security solution: GAIA
Samsung has just introduced a new three-layered approach to security for their SmartTV ecosystem to better secure any stored information, such as account details, payment details or any data being sent between it and the Internet.
This comes right after Samsung announced that it would move towards making its SmartTVs more of a hub for all of the IoT-connected devices throughout your house. With that much data flowing through its TVs, which can control your security system, lights and more, it's definitely a good idea to at least have a little encryption. Thankfully they're doing more than just a healthy dose of AES 256. Because of that centralized nature, security is important. Samsung said that "Protecting consumers' personal information is of the utmost importance to Samsung, both in terms of the company's values and what's needed for the continued growth and success of the IoT ecosystem."
GAIA works in three ways. First, it separates the main operating system, Tizen OS, from a secure space, logically segmented in memory, that houses the important and personal bits of information and core services. This will work in a similar way to ARM's TrustZone and Intel's TXT. The second piece is a built-in anti-malware service that can scan incoming and outgoing data; it'll also encrypt all traffic to and from the TV. The third part is much the same as the first, segmenting the OS in memory so that even if there is malware, it won't be able to touch the actual personal information.
AVG Chrome extension had a huge security hole, patched just in time
One of AVG's Chrome addons, Web TuneUP, had a security hole that you could drive a tank through, something that could potentially let websites with malicious code in their CSS take control of your PC, though only in a trivial manner.
The exploit was originally found by Google, who reported it to AVG to have it fixed. The initial fix wasn't quite good enough, so AVG just pushed out a new fix that seems to solve the issue. That being said, it still seems to be vulnerable to XSS attacks, though that should be fixed soon as well.
One generally thinks that antivirus companies are a bit more scrupulous and careful when designing their applications, but this mistake, and a mostly glaring one, calls into question the kind of quality control and examination that goes on before things go live. But it's best to fly without any addons, because all addons can potentially be security risks. Browse safe!
Pre-installed malware on Raspberry Pi? They were asked to at least
It looks like some enterprising business people approached the Raspberry Pi Foundation with an odd business proposal, to pre-install their malware on the Raspberry Pi mini-computer.
In an email to the Foundation, a company, whose name was obviously redacted, asked them to make available an exe file for installation (which wouldn't run on Linux anyway) in exchange for a sum of money based on the number of installations they detect.
This kind of tactic is surprising given the sheer audacity of asking a well-known organization, that prides itself on the many security applications of its minuscule box, outright to cheat its customers. It goes without saying that the Raspberry Pi Foundation didn't go along with their idea. It's even more hilarious that these peddlers of malware didn't seem to understand the platform being run on those devices. Maybe they'll ask Microsoft or Apple next?


