security

Aug 31, 2016 ∞

Dropbox employee’s password reuse led to theft of 60M+ user credentials

Kate Conger, reporting at TechCrunch:

Dropbox disclosed in 2012 that an employee’s password was acquired and used to access a document with email addresses, but did not disclose that passwords were also acquired in the theft. Because Dropbox stores its user passwords hashed and salted, that’s technically accurate — it seems that hackers were only able to obtain hashed files of Dropbox user passwords and were unable to crack them. But it does appear that more information was taken from Dropbox than was previously let on, and it’s strange that it’s taken this long for the breach to surface.

Don’t reuse passwords folks. Find a password manager and learn to love it. There’s 1Password, LastPass, Dashlane and many others. That means there’s no excuse for you to keep using your dog’s name combined with your college graduation year or whatever terrible password you’re using for everything.

Mar 7, 2016 ∞

Apple users targeted in first known Mac ransomware campaign

Jim Finkle reports for Reuters:

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.

The cynical part of me wonders whether this is a clever move by one or more media companies to discourage the use of BitTorrent clients.

I know, maybe I need to order a tin-foil hat. But when even Kanye is pirating stuff it’s really time to bust out some innovative new tactics.

Oct 19, 2015 ∞

China hack attacks on US continue despite commercial spying pact

If this surprises you, I’ve got a real-life, fully functional totally Back to the Future hoverboard to sell you…

Oct 14, 2015 ∞

Hackers Can Silently Control Siri From 16 Feet Away

Well this is concerning:

A pair of researchers at ANSSI, a French government agency devoted to information security, have shown that they can use radio waves to silently trigger voice commands on any Android phone or iPhone that has Google Now or Siri enabled, if it also has a pair of headphones with a microphone plugged into its jack. Their clever hack uses those headphones’ cord as an antenna, exploiting its wire to convert surreptitious electromagnetic waves into electrical signals that appear to the phone’s operating system to be audio coming from the user’s microphone. Without speaking a word, a hacker could use that radio attack to tell Siri or Google Now to make calls and send texts, dial the hacker’s number to turn the phone into an eavesdropping device, send the phone’s browser to a malware site, or send spam and phishing messages via email, Facebook, or Twitter.

You can disable Siri whenever your iOS device is locked by going to Settings > Touch ID & Passcode > Allow Access When Locked and toggling the Siri switch to the “off” (as in not green) position. This doesn’t guarantee a hack like the one deascribed above won’t work on your device, but it does guarantee you’ll see Siri doing something weird and can thus be alerted to the hackery.

Apr 8, 2014 ∞

Heartbleed: When no encryption is better than bad encryption

Alex Hern reports for The Guardian this disturbing fact about the recently disclosed OpenSSL bug, now two years old and pervasive:

servers vulnerable to Heartbleed are less secure than they would be if they simply had no encryption at all.

How? The bug allows access even to information the encryption wasn’t protecting.

May 8, 2013 ∞

Obama May Back F.B.I. Plan to Wiretap Web Users

Charlie Savage of The New York Times:

the new proposal focuses on strengthening wiretap orders issued by judges. Currently, such orders instruct recipients to provide technical assistance to law enforcement agencies, leaving wiggle room for companies to say they tried but could not make the technology work. Under the new proposal, providers could be ordered to comply, and judges could impose fines if they did not.

Concerns that this would prompt similar measures from repressive governments abroad are not overblown. If we expect foreign companies to submit to these procedures, their governments will expect US companies to do the same. I’m surprised this article doesn’t mention anything about what the Obama administration’s diplomats and international law folks think about all of this.

Apr 1, 2013 ∞

China is very serious about cyberespionage

Google apologists like myself often answer concerns that the search-and-advertising giant can scan your email with something like “yes, but they’re doing it with robots and scrubbing it clean of all identifying information.”

China, however, is not so concerned with your privacy or its own image. In fact, monitoring otherwise-harmless civilians probably proves valuable to the renegade nation by illustrating the best means of tricking US netizens into installing backdoor viruses on their systems.

The most important point this article makes, in my view, is that China is playing the long game on cyberespionage efforts. As David Feith reports in the Wall Street Journal piece linked to above:

The essence of China’s thinking about cyber warfare is the concept of shi, he says, first introduced in Sun Tzu’s “The Art of War” about 2,500 years ago. The concept’s English translation is debated, but Mr. Thomas subscribes to the rendering of Chinese Gen. Tao Hanzhang, who defines shi as “the strategically advantageous posture before a battle.”

They’re not going to take down any infrastructure any time soon, but if and when they want to, their current efforts will probably go a long way to helping them learn how to do it.

This stuff is not just a headline: it’s been happening for some time, is still happening, and is likely only to increase. Mr. Feith’s article at the Journal is well worth reading.

Feb 23, 2013 ∞

Facebook is buying your loyalty card history

Cotton Delo of Ad Age:

The targeting would hypothetically enable Coca-Cola to target to teenagers who’ve bought soda in the last month, or Pampers to show ads to North Carolina residents who’ve recently bought baby products, since Facebook’s own array of demographic and interest-based targeting options can be added to further refine audience segments. But adoption will be contingent on acceptance by corporate legal departments wary of becoming embroiled in a consumer privacy scare.

It’s not something I would rush into if I was one of those “corporate legal departments.” It’s not that I have some conspiracy theory about Facebook, or those data banks. I don’t. We give data to those data banks willingly when we use those discount cards. Shame on us for not reading the fine print.

And Facebook? They’re the same: the fact that nothing private is guaranteed to stay that way on the internet is common knowledge these days, and those who don’t know should know.

What would worry me as in-house counsel is what hackers will find when they inevitably get their hands on some of this data. In other words, Facebook and data banks are the devils we know. I would keep clients out of this plan because of the devils we don’t know.

Jan 10, 2013 ∞

US suspects Iran behind DDoS attacks on banks

These look a lot like “feeler” operations, meant to gauge the reaction attackers can expect from victim institutions and nations. The United States (read: Congress) must act immediately to ensure that we’re ready when attackers stop slowing down or blocking bank websites and start trying to steal customer data en masse.

Jan 7, 2013 ∞

Keycard: A neat little Mac app that secures your computer by detecting the proximity of your mobile device - The Next Web

Matt Brian writing at The Next Web:

In our tests, I had mixed results. Initially, my iPhone continued to remain in range, meaning that if I was to walk around the office or different rooms in the house, my Mac remained awake and usable. However, if I went outside a range of around 10-15 meters, Keycard did its thing without an issue.

I’m not sure $6.99 is a viable price for 1.0 app whose developers are still perfecting activation range and that is suffering from “random screen locks when the device is still in range,” but it’s a neat concept. I’d find it especially useful in an Apple-focused office environment or a co-working space. Here’s a direct link to the iTunes store if you want to check it out.

Dec 19, 2012 ∞

Tor: An Anonymous, And Controversial, Way to Web-Surf

Tor gets a headline at WSJ.com.

Dec 9, 2012 ∞

96.36 billion cyberattacks against the US Navy each year

The Next Web's Emil Protalinski, quoting HP's head of enterprise services Mikle Nefkens:

“This means the attacks average out at about 1,833 per minute or 30 every second.” Those figures are simply astonishing. Extrapolating the other way, it means the US Navy is attacked some 96.36 billion times every year.

If you ever doubted the importance of cyber-preparedness, this should go a long way toward assuaging those doubts.

Nov 8, 2012 ∞

Twitter and Two-Factor Authentication

Two-factor authentication is a pain in the ass. Just ask my Google account or my Dropbox account. But it’s a no-brainer. Savvy users will flock to it, seeing the value in the headache. Less-than-savvy users don’t need to be forced into it, but Twitter is as good a platform as any to explain to folks why it’s worth the additional steps to log in sometimes.

Oct 22, 2012 ∞

Sloppy SSL implementation begets Android app vulnerabilities

Dan Goodin at Ars Technica explains how researchers found that 8% of apps in a 13,500-app sample were susceptible to man-in-the-middle attacks. Hopefully developers will revisit their SSL implementations or, better yet, Google will update future versions of the Android SDK to disallow some of the poor coding decisions that cause these vulnerabilities.

Oct 18, 2012 ∞

Wireless attack could fatally turn pacemakers against patients

Patrick Gray, writing at The Register:

Jack also warned of a worst-case scenario in which a worm could infect multiple devices, spreading from patient to patient, re-flashing the devices with malicious code as it foes. This code could be programmed to deliver fatal shocks to patients implanted with vulnerable implants at a scheduled time.

So many lives depend upon the safe operation of a device like a pacemaker, including some of my dearest family. The good news here is that the researcher who discovered the vulnerability is ready and willing to work with manufacturers to design around the security weaknesses in these devices.

But perhaps more importantly, what about devices that have already been implanted in patients? I hope the corrections can be made via a software update so that even current patients can receive the fixes.

As an aside, this technology could also be used in the cyberwarfare arena for exceptionally clandestine assassinations.

Oct 18, 2012 ∞

White House review: no active spying by Huawei

Joseph Menn, quoting an anonymous source for Reuters:

We knew certain parts of government really wanted” evidence of active spying, said one of the people, who requested anonymity. “We would have found it if it were there.

I don’t know enough about this specific issue and the problem of cyberwarfare threats generally. My time in International Law this semester and previous courses like Cyberlaw and Cyberprivacy are coalescing in my mind into a strong area of interest, though, so I expect to follow this and similar issues closely and (hopefully) develop more substantive opinions about them over the next two months.

Sep 19, 2012 ∞

Virgin Mobile USA's inadequate response to a good-faith vulnerability disclosure

Virgin Mobile USA’s inadequate response to a good-faith vulnerability disclosure

Developer Kevin Burke describes in damning detail how easy it is to brute force Virgin Mobile USA account PINs, as well as the company’s incompetent and opaque handling of the situation.