Everyone uses passwords, from your email and computers to unlocking your phone to play Flappy Bird. With so many systems at risk, we have to make sure our passwords are secure. CNBC wanted to help out with a lesson in password security, except their lesson turned from “do this” into a prime example of how not to handle passwords.
Originally the tool (which can still be found at this web archive link) asked you to enter your password so it could check just how strong it was. As first spotted by Google’s one and only Adrienne Porter Felt, the “secure” password checker did rather less than handle your password securely.
First up was the fact that it sent your password to a Google Docs spreadsheet, meaning you were not the only one seeing it; and because it was sent unencrypted, anyone watching your network traffic, or sitting anywhere between you and the document, had full access to the password.
Understandably, some people are quite upset by this: the site was not only outright lying (it has since been updated to handle things in a more secure manner) but also tricking people into entering passwords under the illusion that the site would help them secure their accounts.
If you’ve ever used an online tool like this, we would recommend changing your password as there is no guarantee that the system or even the site was secure and protected your details.
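The lesson of the CNBC checker is that a strength check never needs the password to leave the machine. As an added example (not CNBC’s tool, and not code from the original article), the following Python script rates a password entirely locally: it estimates the guessing entropy from the alphabet in use, checks against a small common-password list (a constructed stand-in; a real checker would load a large list from a local file) and undoes the usual “leet” substitutions so that p@ssw0rd is treated as the word it is. Nothing here opens a socket or writes the password anywhere.

```python
import math
import string

# Constructed stand-in for a breached/common-password list (assumption: a real
# checker would load a large list from a local file, never query a remote service).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "monkey", "dragon", "football", "welcome",
}

# Maps the usual "leet" substitutions back to letters so p@ssw0rd is caught.
LEET_TABLE = str.maketrans("0134@$", "oieaas")


def charset_size(password: str) -> int:
    """Size of the smallest obvious alphabet the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if any(c.isspace() for c in password):
        size += 1
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters
    return size


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy, assuming uniformly random choice from the alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def strength_report(password: str) -> dict:
    """Local-only analysis: nothing here touches the network or stores the password."""
    issues = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        issues.append("appears on a common-password list")
    elif lowered.translate(LEET_TABLE) in COMMON_PASSWORDS:
        issues.append("common word with simple substitutions")
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if len(set(password)) <= max(1, len(password) // 3):
        issues.append("very repetitive characters")
    bits = estimate_entropy_bits(password)
    if issues:
        rating = "weak"
    elif bits < 60:
        rating = "fair"
    else:
        rating = "strong"
    return {"bits": round(bits, 1), "rating": rating, "issues": issues}


if __name__ == "__main__":
    for candidate in ("password", "p@ssw0rd", "correct horse battery staple"):
        print(candidate, "->", strength_report(candidate))
```

The entropy figure is an upper bound: it assumes the password was chosen uniformly at random, which is exactly what the list and substitution checks exist to catch when it was not.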
When it comes to crime, the digital world is the new battlefront for government agencies and the police but one police officer doesn’t think that victims of online fraud should be “rewarded”.
Sir Bernard Hogan-Howe is the Metropolitan Police commissioner and made some comments regarding victims of online fraud, in particular those who lose money as a result of the crime. Speaking to the UK newspaper The Times, he said that people should take more responsibility for updating their anti-virus software and improving their passwords. Which?’s executive director, Richard Lloyd, countered that when the group investigated last year they “found too often that banks were dragging their feet when dealing with fraud. The priority should be for banks to better protect their customers, rather than trying to shift blame to the victims of fraud”.
A particular comment Hogan-Howe made was that “if you are continually rewarded for bad behaviour you will probably continue to do it but if the obverse is true you might consider changing your behaviour”. He goes on to suggest that if you hadn’t updated your software recently they could offer you back only half of what was taken.
The Met have clarified that the comments shouldn’t be read as a proposal for victims of fraud to not receive full compensation but that customers need to ensure that basic protection is carried out, with anti-virus software and passwords checked and updated on a regular basis.
Eight months ago we started discussing a new system the credit card company MasterCard were looking to trial. Now it would seem that the system is going live with MasterCard confirming the new system will be used in the future.
The new system in question is a way to do away with the age-old hassle of passwords, saving you from remembering that 8-16 character password you have to create every time you sign up for a new site or service. The new service will be rolled out in the UK, the U.S., Canada, the Netherlands, Belgium, Spain, Italy, France, Germany, Switzerland, Norway, Sweden, Finland and Denmark.
When you make a payment, if something seems off about it, something unusual or perhaps a little more than you normally spend, your phone could ask you to provide either a scan of your fingerprint or a selfie. Now I know what people are thinking: if it’s a selfie, I can just hold up my friend’s photo and get them to pay for me. Sorry, but they’ve thought about this, and if you are taking a selfie for your ID you have to blink into the camera to prove that you are a real person.
While no security measures are perfect, forcing someone to try to copy your face or your fingerprint is a little harder than guessing your mother’s maiden name or your favourite pet’s name.
Security and privacy are words we’re all too familiar with in the digital age. It seems not a day goes by without news of some kind of hacking, data theft, unauthorised access and much more. With that in mind, it makes sense that consumers would be seeking the next step in protecting their data, and today we get to take a look at the latest prototype product from Synaptics, who have built their latest IronVeil security technology into the TteSports Black V2 Laser Gaming Mouse. Now, it’s worth pointing out that this may not be a product that comes to market, as what we’re looking at today is really the sensor. If you keep the mindset that this sensor could be integrated into a mouse, keyboard, flash drive, monitor, or virtually anything else in a desktop environment, this whole concept will make a lot more sense.
We’ve already seen a few examples of other products featuring IronVeil when we visited Synaptics at CES 2016, but this mouse is the first prototype we’ve been able to take away and test ourselves.
For the sake of this review, let’s take a quick look at the stock specifications of this mouse. They’re all unchanged, and the Synaptics and TteSports engineers literally carved out a home for the IronVeil in the mouse, just to prove how easy it would be for new and existing products to adopt such features.
Fingerprint sensors are nothing new; Synaptics have been making them for years and fitting them into various devices. Notebooks, mobile phones, tablets and more have fingerprint sensors these days that let you unlock them quickly and safely without a password, providing a virtually foolproof block against anyone who tries to access your devices without your permission; so why haven’t we been using this technology on desktops? With Windows Hello in Windows 10, Microsoft Passport and FIDO 2.0, desktop security features are making big advances, and IronVeil looks to be the perfect addition to that.
It’s no secret that Google hates passwords. As a result, they are now trialling a new system that allows you to log in to your Google account without one. The only requirement is your phone.
In a post on the Android subreddit, user ‘rp1226’ described his experience as part of the test group for this new system. The concept is incredibly simple: on a computer, you input your email address as you normally would in the login process, and then, instead of entering a password, you accept the login request on an authenticated phone. The only challenge in place of the password appears to be access to the device and correctly picking, from a multiple-choice list on the phone, the number displayed on the computer screen.
Whether this method of authentication is more secure than a password remains to be seen. If a user’s phone were lost, stolen or otherwise compromised, the user’s accounts could be accessed with ease, as the only remaining challenge might be unlocking the device. And while it removes the possibility of a password being guessed or cracked, tying account access to a physical item has its own risks. After all, unless you write a password down it is very hard for it to be physically ‘stolen’.
Whether or not this authentication method catches on remains to be seen, but it is definitely nice to see Google are willing to try out new ways to implement security on accounts and data.
Security is important in modern times, with hacks such as VTech and TalkTalk exposing just how vulnerable data connected to the internet can be. What about those closer to home, though? How about the very device you’re reading this on? If you are a Linux user you may want to check for updates, because of a very simple hack that could give someone unwanted access to your machine.
Two researchers at the University of Valencia in Spain have found a way of getting past the login screen that is so simple someone might even do it by accident. As they revealed, the hack is performed by pressing the backspace key exactly 28 times at the boot password prompt. No more, no less; doing so opens up the Grub2 rescue shell (Grub2 being the bootloader software that starts Linux), which can be used to access the system completely unrestricted.
While this may not seem too big a problem, the issue has been found on Ubuntu, Debian and Red Hat variants of Linux and is quite widespread. While a hotfix has been pushed out to address the issue on these versions, it is slightly worrying that such a simple hack has been available for anyone to use.
Ransomware is a term we’ve heard a lot in recent years, no thanks to the starter of the craze, CryptoLocker. Previously, viruses and malware infected a system and caused damage either for a strategic purpose or because someone thought it would be fun. Ransomware is a mix of the two: by encrypting people’s files and then selling them the key to unlock them, it charges victims hundreds of pounds just to retrieve the family photos and essays they’ve spent months working on. Sometimes the criminals get paid, sometimes people restore from a backup, and sometimes the malware is so badly coded that it ruins lives. The latest ransomware, though, combines several pieces of malware to reach a rather nasty conclusion.
First your system is infected with Pony, a nasty piece of malware that harvests usernames and passwords from your system, effectively giving its creator access to your online accounts. PayPal, eBay, that blog site you write for occasionally: all gone in a matter of seconds.
The second part of the plan uses those log in details to access servers and systems to inject the malware into their systems, meaning your log in details could be spreading the very same software you’re a victim of.
The next part of the plan is a redirect. Going to Google? Not anymore; you find yourself on a search page the attackers have created that carries some rather nasty code called the Angler exploit kit.
As with most things with the word exploit in their name, this is not a good thing. By scanning for security flaws in your software and even your built-in Microsoft processes, it quickly gets CryptoWall 4.0 injected into your system. CryptoWall then evades your antivirus software and quickly decimates your system by encrypting your files; it even goes so far as to rename files and move them around, making it difficult to understand what you’ve lost.
We recommend updating your system on a regular basis, including the software you use, and making sure that you complete regular virus scans. Remember to keep a backup of important files, both offline and online, so that if something happens you’ve never truly lost them.
The United States government spent approximately $610 billion on military defence in 2015. Cyber security? Well, that is nearer 99p according to the latest revelations from threat intelligence company Recorded Future, which has found login details of 47 United States Government agencies spread across 89 unique web domains.
The logins were found to be connected to the departments of Defence, Justice, Treasury and Energy as well as the CIA and the director of National Intelligence. There is nothing more comforting than a person who has been appointed the director of National Intelligence who could now find all of his documents at risk of being transferred by a Mr China, Mother Russia or Aunt Gladys from 21 Shepherds’ Bush.
Can it be any worse? Why yes, yes it can: it has also been revealed that 12 of these agencies, including the Departments of State and Energy, have allowed a minority of users to log into the network without any form of two-factor authentication, which leaves said departments open to a variety of attacks including phishing. I can just imagine it now: Mr, let’s call him Mike, from the office of State and Energy receives an email promising a free magazine subscription, he clicks on the link, and the next thing we know 350 million Americans’ favourite new gadget is a torch.
I do find it insulting to my intelligence (yes, I do have a bit) to lambast the average consumer for not taking care with their details, only to find that government officials’ sensitive information has also walked off. I also find the recent announcement that all US government sites will have HTTPS as standard to be far too late in the day. If it gets any worse then your favourite gadget will be batteries.
Scammers will never stop finding ways to try to steal your accounts and money. The latest points to a method involving Facebook messages sent out to random users, stating that their account will be disabled if they don’t log into their account and re-enter their payment information.
Clicking the link provided will inevitably redirect users to a scam web page that looks similar to the look and feel of Facebook’s theme, but as far as I’ve seen, it is easily distinguishable by its link. I mean Facebook staff will never ever ask for your login information and payment credentials in the first place and secondly, the page has a lot of grammatical errors.
As you can see from the pictures below, someone with more advanced experience of Facebook or websites in general will clearly identify the pages as being fake. However, there are still inexperienced users out there who might fall for this scam.
Even if the pages are not clearly recognizable as being fake, though they are at first sight, another key element is the bad English. I mean who expects a company such as Facebook to allow such bad grammar to be used on their official web pages? Would you fall for it?
Thank you BGR for providing us with this information
Security experts are said to have found a new type of malware that attacks routers and injects unwanted ads and pornography into websites by modifying the router’s DNS settings.
While the malware can hijack nearly every website on the internet, it is said to be mostly used to peddle porn sites. The malware has been discovered by Ara Labs, which states that it intercepts the Google Analytics code found in most websites and redirects requests to the attacker’s server and sends back ads and porn in response.
Because of the way it injects itself into websites, the malware has a vast pool of potential targets across the internet. Almost every website out there uses Google Analytics for traffic statistics, which makes it the perfect hook for this sort of DNS attack.
The hackers are said to install the malware by (yet again) exploiting the fact that people don’t change their router’s default login credentials. Ara Labs did not specify what routers are being affected by the malware, but recommends users update to the latest firmware from the manufacturer’s website and change the default login credentials. This apparently is enough to keep users and their systems protected.
Also, anti-virus software will not pick up the router-based malware since it will not install anything on an end-user’s PC or laptop, making it the perfect silent stowaway.
Thank you Fudzilla for providing us with this information
There have been a number of unusual hacking techniques employed in Brazil recently. A group of hackers have used a “novel approach” to pull off a pharming attack by using phishing emails, as stated by security firm Proofpoint.
A pharming attack usually requires access to an ISP’s or organisation’s DNS servers, which are typically well-protected. However, home routers are not. Still, there is a matter of getting the right IP address of a user or group of users. This problem appears to have been solved with the help of 100 phishing emails targeting mostly Brazilian users, allegedly stated to come from Brazil’s largest telecommunications company.
“This case is striking for several reasons, not the least of which is the introduction of phishing as the attack vector to carry out a compromise traditionally considered purely network-based,” the company wrote, adding that it showed “the continued pre-eminence of email as the go-to attack vector for cybercriminals.”
The content of the emails has been said to have a malicious link which would redirect a user to a server that attacked their router, having it set up to exploit cross-site request forgery vulnerabilities in routers. A successful attack would have granted the hacker access to the router’s administration panel, where he could enter the default login credentials and change the router’s DNS. Victims could then be redirected to fraudulent websites, while hackers could even perform a man-in-the-middle attack, such as intercepting email, logins and passwords for websites, and hijacking search results, among other things.
Though some users change their login credentials once they set up their router, most users who are not well acquainted with technology might not, making them more vulnerable to attacks such as the above.
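Both the Ara Labs router malware and the Brazilian pharming campaign above end the same way: the router’s DNS settings are changed, so every device behind it silently resolves names through an attacker-controlled server. As an added example (not code from Ara Labs, Proofpoint or the original articles), the Python script below shows the two checks a defender can run from a client on the LAN: parse the resolvers the router handed out and flag any that fall outside the networks you expect, then compare the answers the local resolver gives for sensitive hostnames against answers from a resolver you trust. The resolv.conf text, the expected networks and all IP addresses are constructed samples using RFC 5737 documentation ranges; in practice you would obtain the trusted answers from a resolver reached by an explicit, encrypted path rather than through the router.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str
    detail: str


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(servers, expected_networks) -> list:
    """Flag any resolver outside the networks you expect (LAN router, ISP, chosen public DNS)."""
    findings = []
    networks = [ipaddress.ip_network(n) for n in expected_networks]
    for server in servers:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings.append(Finding("high", f"unparseable nameserver entry {server!r}"))
            continue
        if not any(ip in net for net in networks):
            findings.append(Finding("high", f"resolver {server} is outside the expected networks"))
    return findings


def compare_resolutions(local: dict, reference: dict) -> list:
    """Compare router-supplied answers with answers from a trusted resolver.

    Both maps are {hostname: set_of_ip_strings}. CDN-hosted names legitimately vary
    by region, so an empty intersection is a prompt to investigate, not proof of hijack."""
    findings = []
    for host, ref_ips in reference.items():
        got = local.get(host, set())
        if not got:
            findings.append(Finding("medium", f"{host}: no answer from the local resolver"))
        elif not (got & ref_ips):
            findings.append(Finding(
                "high",
                f"{host}: local answer {sorted(got)} shares nothing with trusted answer {sorted(ref_ips)}",
            ))
    return findings


# --- constructed sample data (RFC 5737 documentation addresses, not real servers) ---
SAMPLE_RESOLV_CONF = """# Generated by the router via DHCP (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.66   # unexpected third-party resolver
"""
EXPECTED_NETWORKS = ["192.168.0.0/16", "10.0.0.0/8", "198.51.100.0/24"]  # LAN + placeholder ISP range
LOCAL_ANSWERS = {"www.google-analytics.com": {"203.0.113.9"}, "example.com": {"192.0.2.50"}}
TRUSTED_ANSWERS = {"www.google-analytics.com": {"192.0.2.10", "192.0.2.11"}, "example.com": {"192.0.2.50"}}


def run_audit(resolv_conf=SAMPLE_RESOLV_CONF, local=LOCAL_ANSWERS, trusted=TRUSTED_ANSWERS) -> list:
    """Run both checks and return every finding."""
    findings = audit_resolvers(parse_resolv_conf(resolv_conf), EXPECTED_NETWORKS)
    findings += compare_resolutions(local, trusted)
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(f"[{finding.severity}] {finding.detail}")
```

On the sample data the audit reports the rogue 203.0.113.66 resolver and the mismatched answer for the analytics hostname, while example.com, which resolves identically on both sides, produces nothing. The same two checks also cover the pharming case, since a CSRF-driven change to the router’s DNS servers shows up in exactly the same places.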
Some Australians and New Zealanders who own iPads and iPhones received a rude awakening from an online attacker. When they powered up their iOS devices, their home screens were locked on a nefarious message. “Device hacked by Oleg Pliss,” says the message. “For unlock device YOU NEED send voucher code by $50 one of this (Moneypack/Ukash/ PaySafeCard) to _____ for unlock.”
In most cases, Mr. Pliss asked for US$50 or €50. In other cases, he got more greedy, demanding US$100 or €100 via PayPal. Although it looks like ransomware to the user, security analysts discovered that no one’s iPad or iPhone actually had malware on it. The mysterious Oleg Pliss had actually taken control of the users’ iCloud accounts.
iCloud is the hub that connects an Apple user’s devices. Macs, iPods, iPhones and iPads upload files to iCloud, and those files are pushed to other devices. It’s the reason that something downloaded to iTunes on an iPhone also appears on the user’s Mac without requiring USB sync. It’s also the tool that lets iPhone and iPad users locate their devices remotely or wipe them if they’re lost or stolen.
Oleg Pliss didn’t develop malware, which could easily have been detected and erased by Mac antivirus software. He hijacked Aussie and Kiwi iCloud accounts by somehow obtaining login credentials. Security researchers have several hypotheses for how the attackers stole the information:
Recent data breaches. Some researchers wonder whether Oleg Pliss used data from a recent breach, like the eBay breach, to hack into people’s iCloud accounts. In many cases, people use a single password for all of their accounts, or they use just a handful of passwords for multiple accounts.
Man-in-the-middle attacks. Some experts suggest that an iTunes or iCloud bug could have rerouted devices to a fake iCloud login site. When users logged into the fake site, attackers gained access to their passwords. Another hypothesis is that attackers rerouted ISP traffic within a vulnerable Australian network. iCloud users had no idea that they were visiting malicious servers.
“Joe Job” attack. A Joe Job attack is the online equivalent of writing “For a good time, call ____” in a bathroom stall and scribbling in the number of someone the graffiti artist doesn’t like. In other words, someone could have posted someone else’s iCloud login credentials as an act of retribution against the account holders.
What to Do
So far, experts have no idea how Oleg Pliss obtained iCloud login information. However, they do have some suggestions about how users can keep their iCloud login information safe.
Enable two-factor authentication (2FA). iCloud users should set up 2FA with their Apple ID, which won’t allow them to log in to iCloud and other Apple services without entering a second login code. Users can receive codes via text message, or they can get codes on any iOS device.
Back up all iOS devices. Anyone who owns an iPod, iPad or iPhone should save a backup copy on either their Mac or an external hard drive. If they find their devices locked or remotely wiped, they can perform a recovery mode reset of their iOS devices and restore the backup copy using iTunes.
Change all duplicate passwords. Apple users should change all passwords so that they avoid using the same password on more than one account. A password manager can generate random passwords, which contain tough-to-crack combinations of numbers, letters and symbols. Then, password managers store the passwords and auto-fill them into different login fields with a single click.
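The “reused password from an earlier breach” hypothesis and the advice to change every duplicate password are two halves of the same problem, and a password manager solves both by generating an unrelated password per account and noticing when two accounts share one. As an added example (not code from any password manager product or from the original article), the Python script below does the two jobs: it finds groups of accounts in a vault that share a password, comparing only hashes so the report never holds plaintext, and proposes a fresh random password for each affected account using the secrets module. The sample vault, account names and passwords are constructed.

```python
import hashlib
import secrets
import string
from collections import defaultdict

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Uniformly random password from ALPHABET (secrets, never random), resampled until every class appears."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in candidate) and any(c in UPPER for c in candidate)
                and any(c in DIGITS for c in candidate) and any(c in SYMBOLS for c in candidate)):
            return candidate


def fingerprint(password: str) -> str:
    """Hash used only to group identical passwords without keeping plaintext in the report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reused(vault: dict) -> list:
    """vault: {account_name: password}. Returns sorted groups of accounts that share a password."""
    groups = defaultdict(list)
    for account, password in vault.items():
        groups[fingerprint(password)].append(account)
    return sorted(sorted(accounts) for accounts in groups.values() if len(accounts) > 1)


def rotation_plan(vault: dict) -> dict:
    """For every account in a reused group, propose a fresh unique password."""
    plan = {}
    for group in find_reused(vault):
        for account in group:
            plan[account] = generate_password()
    return plan


# Constructed sample vault; these are not real accounts or credentials.
SAMPLE_VAULT = {
    "icloud": "Summer2014!",
    "ebay": "Summer2014!",
    "paypal": "hunter2",
    "blog": "hunter2",
    "bank": "x7#Qm2!pLz9@Rk4w",
}


if __name__ == "__main__":
    print("reused across:", find_reused(SAMPLE_VAULT))
    for account, new_password in rotation_plan(SAMPLE_VAULT).items():
        print(f"rotate {account}: {new_password}")
```

The rejection loop in generate_password keeps the distribution uniform over the passwords that satisfy the class requirement, which is preferable to forcing one character of each class into fixed positions.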
A Tempting Target
The Australian and New Zealand iCloud attacks aren’t the only known hacks of iCloud accounts. The Russian Interior Ministry also recently reported that it had seized computers, SIM cards and phones used by a pair of Russian hackers. The hackers had obtained iCloud credentials using phishing emails directed at Apple users. They had also created new Apple accounts locked to victims’ iOS devices. Once they had created the new accounts, they sold the Apple credentials so that buyers could obtain apps, music and other assets stored in iCloud by the person who owned the device.
As Apple devices become more popular, attackers will look for more ways to disrupt their operations. Antivirus programs and smart device management techniques, in most cases, should help Apple users protect their accounts.
A team of researchers at the University of Oxford claim that our physical behaviour could be used as a secure way of logging into our computers and smartphones.
The researchers are said to have identified that every person creates a unique pattern of physical behaviour, including the speed at which they type, the way they move a mouse or the way they hold a smartphone. They say that around 500 different behaviours are unique to every individual and form a so-called ‘eDNA’, or electronically Defined Natural Attributes. It is said that changes in the string of physical behaviour could indicate when an individual has taken drugs, had sex, or even if they might be susceptible to a heart attack in the near future.
“Electronic DNA allows us to see vastly more information about you,” says Adrian Neal, the man who made the technology, a former MSc student at the university and current chief executive of Oxford BioChronometrics. “Like DNA it is almost impossible to fake, as it is very hard to go online and not be yourself. It is as huge a jump in the amount of information that could be gathered about an individual as the jump from fingerprints to DNA. It is that order of magnitude.”
eDNA is said to eventually make its way to the commercial market and would allow individuals to log into any computer or mobile device. David Scheckel, president of Oxford BioChronometrics, says that eDNA could even differentiate if a click on an advertisement has been performed by a bot or a real human being. Their own research suggests that around 92% of advertisement clicks and 95% of logins are actually from bots.
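Typing rhythm is the most accessible of the behaviours the article lists, and it shows how behavioural biometrics work in general: enrol a few samples, build a statistical profile, then score each new attempt by its distance from that profile. The Python script below is an added illustration of that idea, not Oxford BioChronometrics’ method or any of its 500 attributes. It profiles the latencies between consecutive key presses while a fixed phrase is typed, scores new attempts as a mean absolute z-score, and accepts below an assumed threshold. The enrolment timings and both attempts are constructed sample data, and the threshold and the floor on the standard deviation are assumptions, not values from the research.

```python
import statistics

MIN_STDEV_MS = 5.0  # assumed floor so a very consistent enrolment does not yield a brittle profile


def interkey_latencies(key_down_times_ms):
    """Milliseconds between consecutive key presses for one typing of the fixed phrase."""
    return [b - a for a, b in zip(key_down_times_ms, key_down_times_ms[1:])]


def build_profile(enrolment_sessions):
    """Per-position mean and spread of latencies across several enrolment typings of the same phrase."""
    n = min(len(s) for s in enrolment_sessions)
    means, stdevs = [], []
    for i in range(n):
        column = [s[i] for s in enrolment_sessions]
        means.append(statistics.mean(column))
        stdevs.append(max(statistics.pstdev(column), MIN_STDEV_MS))
    return {"mean": means, "stdev": stdevs}


def score(profile, latencies):
    """Mean absolute z-score of a new attempt against the profile; 0 is a perfect match."""
    n = min(len(profile["mean"]), len(latencies))
    total = sum(abs((latencies[i] - profile["mean"][i]) / profile["stdev"][i]) for i in range(n))
    return total / n


def verify(profile, latencies, threshold=2.0):
    """Accept when the attempt is within `threshold` standard deviations on average (assumed threshold)."""
    return score(profile, latencies) <= threshold


# Constructed sample: three enrolment typings of an 8-key phrase (7 latencies each), in ms.
ENROLMENT = [
    [120, 140, 95, 110, 130, 100, 150],
    [125, 135, 100, 115, 125, 105, 145],
    [115, 145, 90, 105, 135, 95, 155],
]
GENUINE_ATTEMPT = [122, 138, 97, 112, 128, 102, 148]
IMPOSTOR_ATTEMPT = [200, 80, 160, 220, 90, 170, 60]  # same phrase, different rhythm

PROFILE = build_profile(ENROLMENT)

if __name__ == "__main__":
    print("genuine:", round(score(PROFILE, GENUINE_ATTEMPT), 2), verify(PROFILE, GENUINE_ATTEMPT))
    print("impostor:", round(score(PROFILE, IMPOSTOR_ATTEMPT), 2), verify(PROFILE, IMPOSTOR_ATTEMPT))
```

The weak point of any such scheme is the threshold: set it tight and a tired or injured user is locked out, set it loose and anyone with a similar rhythm gets in, which is why behavioural signals are normally used as one factor alongside a password or device rather than as a replacement.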
Perhaps all the increasing discussions and ramifications about the NSA have prompted your concern, or maybe you’ve noticed that when you search for something, email a friend about a topic, or send an IM, you’re suddenly receiving ads and spam messages eerily geared toward the subject at hand. Whatever the case, a growing number of people have serious concerns about both their privacy and their security over the Internet. Big Brother is certainly watching, but so are many thieves ready to swoop in and take money and identities, so you might wonder if you have reason to worry, too.
Invasive Targeted Advertising
While it’s debatable that simply talking to someone about, say, making a dentist appointment or buying a new car will lead to an influx of Internet ads geared toward dentists or cars, that debate only applies to spoken conversations. Pose a question on Facebook, discuss a topic in your email messages, or send an IM to a friend, and you will notice a frankly spooky abundance of advertisements and spam messages aimed at the topic you’re discussing. It’s creepy and unfortunately real. Some people have even noticed they’re receiving targeted ads after they’ve sent text messages about a certain topic. That’s a bit creepier, simply because of the sheer amount of information most people have on their mobile phones. This is more prevalent when your phone is somehow connected to your Internet logins, such as through Google or Chrome, and you can fix it. It simply takes some fancy encryption skills.
Massive Military Concerns
Many military bases are increasingly (and understandably) concerned about privacy and security. Even training bases have reasons to keep things on the down low. For bases from which troops are most often deployed, the need for security is even more important. People in the military aren’t allowed to share information about deployments, whereabouts, or missions on Facebook, so certainly they don’t want information getting out over the Internet by accident or through security breaches. That’s why so many military outposts use VPNs, or virtual private networks.
Cybercrime is a growing concern. Ranging from annoying to serious, cybercrimes really run the gamut. Common Internet crimes include:
Spam, an annoying problem that doesn’t often cause problems but can become dangerous when spam messages include links or attachments
Credit fraud, which can occur through spam messages, computer viruses, and dangerous downloads that incorporate programs which pick up your keystrokes, thereby unlocking passwords and PIN numbers from credit cards and online banks
Drug trafficking, which is actually becoming a serious problem online, ironically thanks to the use of email encryption and fully protected websites and message boards
Cyberbullying, an increasingly serious and even lethal cybercrime that largely targets teens and young adults, leading to depression and a tragically growing number of suicides
Piracy, the so-called “victimless crime” wherein movies, music, videos, and similar forms of media are illegally downloaded for free
Cyberterrorism, which ranges from hackers who try to break into banks, credit card companies, and government sites to vigilante groups who try to shut down various websites for political or independent reasons
As you might expect, many of the largest cities in the United States report higher instances of cybercrimes. Washington, D.C. is an understandable target, but Boston, Atlanta, Austin, and even Sacramento also have serious problems with Internet-based crimes. Not surprisingly, many of these cities are, per capita, making use of VPN themselves as a way to battle these crimes and increase security.
Many of the cities with highest VPN usage are those with a higher risk of identity theft, in addition to some of the other biggest cybercrimes. For example, Florida has one of the highest rates of identity theft in the country; 5 out of the top 25 cities that rely on VPN the most are in Florida. People, businesses, and corporations in the state understand the importance of using private networks to keep their information safe. After all, erasing the effects of identity theft is a long, arduous process, even given the seriousness, growing awareness, and prevalence of the crime. However, Florida is hardly the only state experiencing problems with identity theft. The problem is widespread, affecting Southern states such as Georgia and Alabama, as well as New York, California, Michigan, Texas, and even Maryland. Internet users in these states need to stay aware of their security and do everything possible to keep their privacy intact.
Greater Government Security
Capital cities also understand the greater need for VPN, privacy, and security over the Internet. With Washington, D.C. itself threatened by every type of cybercrime, even the nation’s security is theoretically at risk. Government centers in Virginia, Illinois, Ohio, Utah, Georgia, Colorado, and California all recognize how essential it is to encrypt their data, provide secure connections within capitol buildings, and protect the IP addresses of everyone who works within the government. You may not think your state has any secrets to keep, but don’t you feel better knowing that any secrets are fully secure?
Tourists and tourist destinations, from Florida to Dallas to Chicago, also recognize the importance of protecting privacy and increasing security. There are many reasons for this, such as the fact that if a popular place has a high number of cybercrimes, tourists would be more likely to shy away — and their valuable tourist dollars will disappear with them. That could affect the economy of even the most widely visited destinations, leading to a total collapse of infrastructure. Tourists themselves are more concerned, not just because they don’t want to become victims while on vacation, but because a slip in security might let potential thieves know when they’re gone. Worse yet, they might find their identities stolen while they’re far from home. The far-reaching impact of that might be enough to keep travelers at home instead of risking danger on vacation. There are growing numbers of reasons why citizens throughout the U.S. need to pay closer attention to Internet privacy and security, as individuals and as groups. Are you worried about your security when you surf the Internet, at home or out and about?