Dropbox employee’s password reuse led to theft of 60M+ user credentials
Kate Conger, reporting at TechCrunch:
Dropbox disclosed in 2012 that an employee’s password was acquired and used to access a document with email addresses, but did not disclose that passwords were also acquired in the theft. Because Dropbox stores its user passwords hashed and salted, that’s technically accurate — it seems that hackers were only able to obtain hashed files of Dropbox user passwords and were unable to crack them. But it does appear that more information was taken from Dropbox than was previously let on, and it’s strange that it’s taken this long for the breach to surface.
Don’t reuse passwords folks. Find a password manager and learn to love it. There’s 1Password, LastPass, Dashlane and many others. That means there’s no excuse for you to keep using your dog’s name combined with your college graduation year or whatever terrible password you’re using for everything.
Apple users targeted in first known Mac ransomware campaign
Jim Finkle reports for Reuters:
Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.
The cynical part of me wonders whether this is a clever move by one or more media companies to discourage the use of BitTorrent clients.
I know, maybe I need to order a tin-foil hat. But when even Kanye is pirating stuff it’s really time to bust out some innovative new tactics.
China hack attacks on US continue despite commercial spying pact
If this surprises you, I’ve got a real-life, fully functional totally Back to the Future hoverboard to sell you…
Hackers Can Silently Control Siri From 16 Feet Away
Well this is concerning:
A pair of researchers at ANSSI, a French government agency devoted to information security, have shown that they can use radio waves to silently trigger voice commands on any Android phone or iPhone that has Google Now or Siri enabled, if it also has a pair of headphones with a microphone plugged into its jack. Their clever hack uses those headphones’ cord as an antenna, exploiting its wire to convert surreptitious electromagnetic waves into electrical signals that appear to the phone’s operating system to be audio coming from the user’s microphone. Without speaking a word, a hacker could use that radio attack to tell Siri or Google Now to make calls and send texts, dial the hacker’s number to turn the phone into an eavesdropping device, send the phone’s browser to a malware site, or send spam and phishing messages via email, Facebook, or Twitter.
You can disable Siri whenever your iOS device is locked by going to Settings > Touch ID & Passcode > Allow Access When Locked and toggling the Siri switch to the “off” (as in not green) position. This doesn’t guarantee a hack like the one deascribed above won’t work on your device, but it does guarantee you’ll see Siri doing something weird and can thus be alerted to the hackery.
Heartbleed: When no encryption is better than bad encryption
Alex Hern reports for The Guardian this disturbing fact about the recently disclosed OpenSSL bug, now two years old and pervasive:
servers vulnerable to Heartbleed are less secure than they would be if they simply had no encryption at all.
How? The bug allows access even to information the encryption wasn’t protecting.
Obama May Back F.B.I. Plan to Wiretap Web Users
Charlie Savage of The New York Times:
the new proposal focuses on strengthening wiretap orders issued by judges. Currently, such orders instruct recipients to provide technical assistance to law enforcement agencies, leaving wiggle room for companies to say they tried but could not make the technology work. Under the new proposal, providers could be ordered to comply, and judges could impose fines if they did not.
Concerns that this would prompt similar measures from repressive governments abroad are not overblown. If we expect foreign companies to submit to these procedures, their governments will expect US companies to do the same. I’m surprised this article doesn’t mention anything about what the Obama administration’s diplomats and international law folks think about all of this.
China is very serious about cyberespionage
Google apologists like myself often answer concerns that the search-and-advertising giant can scan your email with something like “yes, but they’re doing it with robots and scrubbing it clean of all identifying information.”
China, however, is not so concerned with your privacy or its own image. In fact, monitoring otherwise-harmless civilians probably proves valuable to the renegade nation by illustrating the best means of tricking US netizens into installing backdoor viruses on their systems.
The most important point this article makes, in my view, is that China is playing the long game on cyberespionage efforts. As David Feith reports in the Wall Street Journal piece linked to above:
The essence of China’s thinking about cyber warfare is the concept of shi, he says, first introduced in Sun Tzu’s “The Art of War” about 2,500 years ago. The concept’s English translation is debated, but Mr. Thomas subscribes to the rendering of Chinese Gen. Tao Hanzhang, who defines shi as “the strategically advantageous posture before a battle.”
They’re not going to take down any infrastructure any time soon, but if and when they want to, their current efforts will probably go a long way to helping them learn how to do it.
This stuff is not just a headline: it’s been happening for some time, is still happening, and is likely only to increase. Mr. Feith’s article at the Journal is well worth reading.
Facebook is buying your loyalty card history
Cotton Delo of Ad Age:
The targeting would hypothetically enable Coca-Cola to target to teenagers who’ve bought soda in the last month, or Pampers to show ads to North Carolina residents who’ve recently bought baby products, since Facebook’s own array of demographic and interest-based targeting options can be added to further refine audience segments. But adoption will be contingent on acceptance by corporate legal departments wary of becoming embroiled in a consumer privacy scare.
It’s not something I would rush into if I was one of those “corporate legal departments.” It’s not that I have some conspiracy theory about Facebook, or those data banks. I don’t. We give data to those data banks willingly when we use those discount cards. Shame on us for not reading the fine print.
And Facebook? They’re the same: the fact that nothing private is guaranteed to stay that way on the internet is common knowledge these days, and those who don’t know should know.
What would worry me as in-house counsel is what hackers will find when they inevitably get their hands on some of this data. In other words, Facebook and data banks are the devils we know. I would keep clients out of this plan because of the devils we don’t know.
US suspects Iran behind DDoS attacks on banks
These look a lot like “feeler” operations, meant to gauge the reaction attackers can expect from victim institutions and nations. The United States (read: Congress) must act immediately to ensure that we’re ready when attackers stop slowing down or blocking bank websites and start trying to steal customer data en masse.
Keycard: A neat little Mac app that secures your computer by detecting the proximity of your mobile device – The Next Web
Matt Brian writing at The Next Web:
In our tests, I had mixed results. Initially, my iPhone continued to remain in range, meaning that if I was to walk around the office or different rooms in the house, my Mac remained awake and usable. However, if I went outside a range of around 10-15 meters, Keycard did its thing without an issue.
I’m not sure $6.99 is a viable price for 1.0 app whose developers are still perfecting activation range and that is suffering from “random screen locks when the device is still in range,” but it’s a neat concept. I’d find it especially useful in an Apple-focused office environment or a co-working space. Here’s a direct link to the iTunes store if you want to check it out.