Who doesn’t have an Amazon account? If you do, it may be worth changing your password: Amazon is recommending that users take the precaution after it discovered that credentials for some Amazon accounts could be found online.
Amazon found the leaked passwords within a password list posted online. While the list was not exclusive to Amazon services, the company has recommended that users change their passwords, even more so if they use the same password on several sites. If your account’s email address was found on any of the lists, Amazon has taken the precaution of forcing a password reset on your account.
While many recommend against it, it’s common practice for people to use the same password and email combination on several sites, increasing the chance that if one account is hacked, others will be compromised alongside it.
The technology, currently named Chronos, allows a single wireless access point to detect the location of networked users to an accuracy of tens of centimetres. This immediately has a number of possible applications, one of which could be limiting access to a Wi-Fi network to only those within the building, as well as smart home applications such as tracking people’s movement and adjusting temperature and lighting as they move.
Chronos works by computing the “time of flight” of a wireless signal with an average error of just 0.47 nanoseconds, according to MIT. Multiplying that time by the speed of light lets Chronos accurately determine not only the angle at which a user sits relative to the access point, but also their distance from it. By comparison, existing Wi-Fi devices lack the bandwidth to measure a signal’s time of flight accurately, so detecting users’ locations has required multiple access points for triangulation.
It was discovered after MIT Ph.D. student Deepak Vasisht observed that signals travel through the air at a different frequency than within the Wi-Fi device being detected. He and his team were then able to exploit this difference, testing their new algorithm in a two-bedroom apartment containing four people, where Chronos correctly identified the room a user was in 94% of the time. When tested in a cafe, it distinguished in-store customers from out-of-store hijackers with 97% accuracy, which could render wireless passwords redundant in such cases, as only those in the store would be able to connect to the network.
It is unlikely this will truly be the end of the wireless password, as there will always be a call for a higher level of security on many networks. For lightly restricted public networks, though, this technology could be a godsend, without requiring businesses to set up a complex multi-access-point solution. A paper summarizing the study was presented last month by Vasisht at the USENIX Symposium on Networked Systems Design and Implementation.
Apple vs the FBI may be over, but that doesn’t mean the question of decryption and the law is settled. In the most recent case to catch our ears, a suspect from the UK is being asked to decrypt his devices for the US authorities.
Lauri Love is a British computer scientist who is a suspect in the breach of US government networks, which is claimed to have caused “millions of dollars in damage”. After being initially arrested in 2013 and then released, Love was re-arrested in 2015 and is facing extradition to the US for the suspected crime. While he has not been charged with any crimes, Love has been served with a Section 49 RIPA notice (doesn’t sound that bad, does it?) asking him to decrypt his devices by providing the passwords and keys required to unlock them.
With his devices confiscated, something Love is now contesting with a counter-suit in civil court, the authorities want access to the data on those devices, which include a Samsung laptop, a Fujitsu Siemens laptop, a Compaq computer tower, an SD card and a Western Digital hard drive. Alongside this, the National Crime Authority (NCA), the UK body that has demanded the devices be decrypted, is interested in files located on the SD card and external drive that are encrypted using TrueCrypt.
What is most worrying is that if Love were to provide the keys and this evidence were used against him in the US, it would breach his Fifth Amendment rights there. The Fifth Amendment can be described as protecting someone from being made to present evidence against themselves, meaning that you can’t be forced to prove your own guilt, by unlocking a computer for example.
In his argument, Love states that “the NCA are effectively arguing that any information that cannot be read and comprehended by the police has a presumption of guilt”. It is an argument that, if extended to other circumstances, could be seen as worrying for any group that shares information and protects journalists, whistleblowers and anyone within the legal profession.
Everyone uses passwords, from email and computers to simply unlocking your phone to play Flappy Bird. With so many systems at risk, we have to make sure our passwords are secure. CNBC wanted to help out with a lesson in password security, except their lesson turned from “do this” into a prime example of how not to handle passwords.
Originally the tool (which can still be found at this web archive link) asked you to enter your password before checking just how strong it was. As first spotted by Google’s one and only Adrienne Porter Felt, the “secure” password checker did a little less than handle your password securely.
First up was the fact that it sent your password to Google Docs, meaning you were not the only one seeing it: because it was sent unencrypted, anyone watching your network traffic, or sitting anywhere between you and the document, had full access to the password.
Obviously, some people are quite upset by this, with the site not only outright lying (it has now been updated to handle things in a more secure manner) but also tricking people into entering passwords under the illusion that the site would help them secure their accounts.
If you’ve ever used an online tool like this, we would recommend changing your password, as there is no guarantee that the system, or even the site, was secure and protected your details.
When it comes to crime, the digital world is the new battlefront for government agencies and the police, but one police officer doesn’t think that victims of online fraud should be “rewarded”.
Sir Bernard Hogan-Howe is the Metropolitan Police Commissioner and made some comments regarding victims of online fraud, in particular those who lose money as a result of the crime. Speaking to the UK newspaper The Times, he said that people should take more responsibility for updating their anti-virus software and improving their passwords. Which?’s executive director, Richard Lloyd, responded that when the group investigated last year they “found too often that banks were dragging their feet when dealing with fraud. The priority should be for banks to better protect their customers, rather than trying to shift blame to the victims of fraud”.
A particular comment Hogan-Howe made was that “if you are continually rewarded for bad behaviour you will probably continue to do it but if the obverse is true you might consider changing your behaviour”. He went on to suggest that if you hadn’t updated your software recently, they could offer you back only half of what was taken.
The Met has clarified that the comments shouldn’t be read as a proposal for victims of fraud not to receive full compensation, but that customers need to ensure basic protection is in place, with anti-virus software and passwords checked and updated on a regular basis.
Amazon is known for its increasing use of technology. Keen to use drones in its delivery process and even leasing a new fleet of jets to speed up deliveries, the company seems to be stopping at nothing to control the delivery market. The next step may be something a little closer to home, though: a pay-by-selfie technique that introduces selfie-pose authentication.
The new patent filed by the company describes a process in which shoppers could forgo their password and instead take a photo or video of themselves. The technology would use a system similar to MasterCard’s selfie system, meaning you would be prompted to perform an action, such as blinking or posing, to confirm that it isn’t just a photo being held up by someone else.
Can you see yourself buying a product and then paying by blinking at the camera on your phone? While it saves you from having to remember your password, or from stopping your phone and laptop saving it, am I the only one who suddenly pictures people in public winking at their phone every five minutes in order to buy that new DVD they’ve wanted to see for so long?
An Indian hacker has found a remarkably simple way to access any Facebook user account. Thankfully, Anand Prakash, a security engineer from Bangalore, is a “white hat” hacker and immediately contacted Facebook about the loophole, earning him a $15,000 reward.
In a blog post – with the provocative title “How I could have hacked all Facebook accounts” – Prakash explained the process he used, including a proof-of-concept video. Effectively, he brute-forced the password reset code – a six-digit number sent to the user’s phone or e-mail – on the beta version of Facebook, which allowed him unlimited input attempts without locking him out. He was then able to set his own password, with which he could fraudulently access other users’ accounts.
“Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110, Facebook will then send a 6 digit code on his phone number/email address which user has to enter in order to set a new password,” Prakash wrote. “I tried to brute the 6 digit code on www.facebook.com and was blocked after 10-12 invalid attempts.”
“Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on forgot password endpoints,” he added. “I tried to take over my account (as per Facebook’s policy you should not do any harm on any other users account) and was successful in setting new password for my account. I could then use the same password to login in the account.”
According to his blog, Prakash discovered the vulnerability on 22nd February and received his $15,000 reward from Facebook on 2nd March. Facebook has yet to confirm the veracity of Prakash’s blog post.
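The missing lockout Prakash describes, modelled in a short added Python example that is not Facebook’s code: one attempt budget keyed on the account and shared by every front-end host, so a guess arriving on a beta host costs the same as one on the main site. The ResetService class, its host list and the limits are assumptions.

```python
"""Per-account attempt budget for a six-digit password-reset code.

Added illustration of the flaw described above, not Facebook's code: the
lockout existed on www.facebook.com but not on the beta hosts, so the
budget here is keyed on the account and shared by every host.
ResetService, its host list and the limits are assumptions.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 10          # wrong guesses allowed before the code is locked
CODE_TTL_SECONDS = 600     # a code is only valid for ten minutes


class ResetService:
    """Issues reset codes and verifies them against one shared budget."""

    HOSTS = ("www", "beta", "mbasic.beta")   # hypothetical front-end hosts

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._codes = {}           # account -> [code, issued_at, failures]

    def issue(self, account):
        """Generate a fresh code; in production it is sent by SMS or e-mail."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = [code, self._now(), 0]
        return code

    def verify(self, host, account, submitted):
        """Check a submitted code. The host only picks the front end; the
        failure count lives with the account, so no host escapes the limit."""
        if host not in self.HOSTS:
            return "unknown_host"
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"              # nothing outstanding for this account
        code, issued_at, failures = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._codes[account]
            return "expired"
        if failures >= MAX_ATTEMPTS:
            return "locked"               # stays locked until a new code is issued
        # Reject malformed input before the constant-time compare (which only
        # accepts ASCII); a malformed guess still spends one attempt.
        well_formed = (len(submitted) == CODE_DIGITS
                       and submitted.isascii() and submitted.isdigit())
        if well_formed and hmac.compare_digest(code, submitted):
            del self._codes[account]      # single use
            return "ok"
        entry[2] = failures + 1
        return "locked" if entry[2] >= MAX_ATTEMPTS else "wrong"


def guess_success_probability(max_attempts=MAX_ATTEMPTS, digits=CODE_DIGITS):
    """Chance of hitting a uniformly random code within the attempt budget."""
    return max_attempts / 10 ** digits


def demo():
    """Spread wrong guesses across the hosts; the shared budget still runs out."""
    svc = ResetService()
    code = svc.issue("alice")
    results = []
    for i in range(MAX_ATTEMPTS):
        host = ResetService.HOSTS[i % len(ResetService.HOSTS)]
        # Offset the real code so the guess is always wrong.
        wrong = f"{(int(code) + i + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
        results.append(svc.verify(host, "alice", wrong))
    # Even the correct code no longer works until a fresh one is requested.
    late = svc.verify("beta", "alice", code)
    return results, late


if __name__ == "__main__":
    print(demo())
    print(f"P(success within budget) = {guess_success_probability():.0e}")
```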
Apple is everywhere in the news these days, from the rumoured features of its next generation of phones to the courtrooms. In a case that recently came to light in New York, the judge ruled that Apple could not be forced to unlock an iPhone under the All Writs Act. This didn’t sit well with the DOJ, who are now appealing the order.
The case in New York features another iPhone, again locked by a passcode. Repeatedly trying different passcodes risks the data on the phone, thanks to a security measure that erases the phone after 10 failed passcode attempts. With so many possible combinations, the FBI are looking to enlist Apple’s help to try passcodes through software without the data being erased.
I say looking to enlist, but the act used (the All Writs Act) has been described by some as an order from a judge where no legal precedent is available for the request. A judge in New York recently ruled that Apple couldn’t be forced, by use of the All Writs Act, to remove these settings or extract the data.
Digital security is important in this day and age: with your information reachable from across the world, you are no longer the only one who can access it. Big companies like TalkTalk have found out the hard way that even a single breach can cause untold harm to both image and credibility. The issue is only made worse when the information relates to the young.
VTech found this out the hard way when it was revealed that its hacked data included photos and chat logs. This time it’s the software firm uKnowKids, a subscription-based service designed to help parents track their children’s online activity. The supposed hack is the work of none other than security researcher Chris Vickery. Vickery states that all he did was use the search engine Shodan, and he managed to locate millions of text messages and images; among the data were around 1,700 “detailed child profiles”.
The information was apparently obtained from a database which hadn’t been password protected, meaning it was freely accessible from the web. uKnowKids disagrees and says that the “vulnerability” was patched within 90 minutes of Vickery notifying them. The worst part is that they claim they haven’t been able to identify him as a “white hat” security researcher, someone who identifies a vulnerability and then reports it and helps fix the issues they find.
Steve Woda is the chief executive of uKnowKids and posted a blog stating that one of their databases “was breached by a hacker” and that “Twelve minutes after the final breach… and after taking screenshots of our intellectual property, business data, and customer data, Mr Vickery notified uKnow of his breach of our private systems”.
uKnowKids tracks youngsters’ online activity, from text messages to social media, letting parents keep close tabs on it and be aware of any concerning content that could be upsetting or dangerous. It comes as no surprise, then, that the BBC reports the data included a family photo, usernames and email addresses.
Vickery was surprised when they responded in such an aggressive way, saying that other firms would thank you for alerting them to such issues, or even hire you to help fix them and make sure their security was up to date.
We all hear about how we need to keep our accounts safe, but who remembers all their passwords for all their different accounts? Who can say they haven’t used the same password for several websites before? Even with password managers apparently making passwords redundant, according to GCHQ, we still use them for everything from logging into your phone to filing your bank returns. So what about when it comes to your money? A four-digit PIN? Why not use an iris scanner to access your bank account?
Jordan is the first country to deploy iris scanning technology, with help from the United Nations Refugee Agency (UNHCR), to let refugees access their bank accounts without a bank card or PIN. With around 23,000 families using the system to receive aid, the system is working well.
By removing the need for a person to check details before handing out the cash, the UNHCR feels this is a step in the right direction, giving both the refugees and the UNHCR a feeling of control and freedom. With hopes that the system could be deployed to all of UNHCR’s current cash assistance programmes, you have to wonder how long before typing in a password becomes something you’ll tell your grandchildren about.
Eight months ago we started discussing a new system the credit card company MasterCard was looking to trial. Now it would seem that the system is going live, with MasterCard confirming the new system will be used in the future.
The new system in question is a way to do away with the age-old hassle of passwords, saving you from remembering the 8-16 character password you have to create every time you sign up for a new site or service. The new service will be rolled out in the UK, the U.S., Canada, the Netherlands, Belgium, Spain, Italy, France, Germany, Switzerland, Norway, Sweden, Finland and Denmark.
When you make a payment, if something seems off about it, something unusual or maybe a little more than you normally spend, you could be asked by your phone to provide either a scan of your fingerprint or a selfie. Now I know what people are thinking: if it’s a selfie, I can just hold up my friend’s photo and get them to pay for me. Sorry, but they’ve thought about this: if you are taking a selfie for your ID, you have to blink at the camera to prove that you are a real person.
While no security measures are perfect, forcing someone to try to copy your face or your fingerprint is a little harder than guessing your mother’s maiden name or your favourite pet’s name.
The security of internet-accessible devices has become more and more critical in recent years. Recently, cheap unsecured webcams came under fire after many such devices were exposed by the Shodan search engine. Now as many as 46,000 users of digital video recorders (DVRs) manufactured by Zhuhai RaySharp Technology may actually be making their property less secure, with it coming to light that the Chinese manufacturer has been using hard-coded, unchangeable passwords for the highest user privileges in its software.
The vulnerability was discovered by security researchers from vulnerability intelligence firm Risk Based Security (RBS), who examined the software behind the DVRs’ interface. RaySharp’s DVR products have a web interface through which a user can view the camera feeds, manage settings and recordings and operate any pan or zoom features on the cameras. These web interfaces all run on Linux-based firmware; on examination of the CGI scripts that handle the web interface’s user authentication, a routine was found that checks whether the user-supplied username is “root” and the password is “519070”. Logging into the web interface with these credentials provides full system access.
Using hard-coded passwords for small-scale systems used to be an accepted practice, in the days when physical access to the system would generally be required regardless. Such things are now considered unacceptable by most, with many vendors developing secure systems and working to ensure vulnerabilities that do pop up are patched. That RaySharp still uses hard-coded root passwords would be bad enough, but the Chinese firm also manufactures DVR products and provides firmware for a number of other companies worldwide; RBS researchers found that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender and LOREX Technology contain the same hard-coded root password. Another CGI script found in RaySharp firmware listed 55 vendors that apparently use the same firmware, so the impact could be much greater.
RBS researchers chose to release information on the vulnerability so that those in possession of a DVR system from RaySharp or one of the other affected firms can check for themselves whether their system has the issue. They recommend that any DVR that accepts the username and password combination of root and 519070 should not be accessible from the internet, and that if remote access is required, it should be done by first logging into a VPN.
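An added Python illustration, not RaySharp’s CGI code (the article does not reproduce it), of the check RBS describes beside a per-device replacement: the credential is set by the owner at first boot and stored as a salted PBKDF2 hash rather than compared against a constant baked into the firmware. The username and password in the vulnerable check are the values quoted above; DeviceCredentials, its first-boot flow and the 12-character minimum are assumptions.

```python
"""A firmware-wide root login versus a per-device credential.

Added illustration of the pattern RBS describes above; it is not RaySharp's
CGI code (the article does not reproduce it), only a minimal Python model.
The username and password in the vulnerable check are the values quoted in
the article; DeviceCredentials, its first-boot flow and the 12-character
minimum are assumptions.
"""
import hashlib
import hmac
import os

# --- the pattern to avoid: one constant secret baked into every unit ---------

def authenticate_hardcoded(username, password):
    """Full access for anyone who knows the firmware-wide secret.
    The owner cannot change it, and it is identical on every DVR built from
    this firmware, rebadged units included."""
    return username == "root" and password == "519070"


# --- the replacement: owner-set password, stored as a salted iterated hash ---

PBKDF2_ROUNDS = 200_000   # deliberately slow to make offline guessing costly
MIN_PASSWORD_LEN = 12
_DUMMY_SALT = b"\x00" * 16


class DeviceCredentials:
    """Per-device credential store. On a real unit this would be kept in
    writable flash, so it differs per device and survives firmware updates."""

    def __init__(self):
        self._users = {}              # username -> (salt, pbkdf2 hash)
        self.setup_required = True    # nothing can log in until the owner sets a password

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def set_password(self, username, password):
        """First-boot (or later) password change; never a vendor default."""
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        salt = os.urandom(16)         # fresh salt per device and per change
        self._users[username] = (salt, self._derive(password, salt))
        self.setup_required = False

    def authenticate(self, username, password):
        if self.setup_required:
            return False
        record = self._users.get(username)
        if record is None:
            # Do the same work for unknown users so timing does not reveal
            # which usernames exist.
            self._derive(password, _DUMMY_SALT)
            return False
        salt, expected = record
        return hmac.compare_digest(self._derive(password, salt), expected)


def first_boot(store, owner_password):
    """Model of the setup step the vulnerable firmware lacks: the unit refuses
    every login until the owner has chosen a password."""
    before = store.authenticate("root", "519070")     # the old constant is useless
    store.set_password("admin", owner_password)
    after = store.authenticate("admin", owner_password)
    return before, after


if __name__ == "__main__":
    print("hard-coded:", authenticate_hardcoded("root", "519070"))
    print("per-device:", first_boot(DeviceCredentials(), "correct horse battery staple"))
```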
With the recent revelation that many webcams had been unwittingly exposed publicly online, it is likely the same will occur for these DVRs. Hopefully, those with vulnerable DVR systems will discover the issue and take precautionary steps to avoid unwittingly sabotaging their own efforts to make their property or possessions safer.
Security provider SplashData has released its annual “Worst Password List” for 2015, and the results are as depressing – and predictable – as ever. While last year’s entries boast some of the longest bad passwords ever featured during SplashData’s five years of compiling its worst password lists, they are certainly no more secure.
The top-25 worst passwords have not changed much in the last 12 months, though the revised list – which has lost “batman” and “superman”, but gained “starwars”, “solo” and “princess”, which could delight J.J. Abrams at the expense of Zack Snyder – does offer an interesting glimpse into the cultural zeitgeist. “trustno1”, though, has faded from view since last year, which is surprising considering the recent revival of The X-Files.
The reigning champions, in first and second place, respectively, are “123456” and “password”, retaining their positions from 2014, while new, terrible entries include “welcome”, “1qaz2wsx” (the first two lines of keyboard characters, vertically), and “login”. While “dragon” has dropped 7 places, it remains curiously popular.
[Table: top-25 worst passwords of 2015, with each entry’s change in rank from 2014]
“We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers,” Morgan Slain, CEO of SplashData, said. “As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”
DayZ sees players fight off zombies and survive in a harsh apocalyptic world where the undead are only the second most dangerous thing, after the other players who want all your stuff. It seems someone took that one step further and has taken people’s login details for the DayZ forums.
With reports that it was hacked as early as last week, Bohemia Interactive (the creators of the standalone game, based on the popular mod) have sent an email round to their forum members stating the extent of the hack and the details that were obtained.
A security incident occurred on forums.dayzgame.com recently. According to our investigation all usernames, emails and passwords from forums.dayzgame.com were accessed and downloaded by hackers.
While the passwords were not stored in plain text, but in a more secure form, it is highly recommended that if you have used the same password elsewhere you change it immediately on all applicable websites and services.
We would like to apologize for the inconvenience caused, and share with you one of the major changes planned in order to mitigate similar risks in the future. We will be replacing the IPBoards login system with Bohemia Account within the next two weeks. As Bohemia Account is a separate custom-built service currently used by Bohemia Interactive Forums and Store, it offers much better security and its use should prevent similar incidents going forward.
We ask for your patience over the next few days and weeks as we implement this and other security overhauls, as there are likely to be service interruptions and forum unavailability from time to time. In particular, the forums will be down until migration to the Bohemia Account is complete. We will keep you up to date on vital info and scheduled down-time on the site itself and via our Twitter.
While everything from usernames to emails was taken, the passwords were luckily encrypted in some way. We highly recommend that you change your password for the DayZ forum and for any other sites or services where you use that password (and that everything has a unique password in future, which helps prevent breaches like this from affecting other accounts).
While hacks are becoming more and more common, sites like these need to respond quicker and alert their users as soon as they detect the hack; a whole week is a lot of time for an attacker to have access to people’s emails and social media accounts (all of which could be reached using your email address and, potentially, your password).
Security and privacy are words we’re all too familiar with in the digital age. It seems not a day goes by where we don’t hear about some kind of hacking, data theft, unauthorised access and so much more. With that in mind, it makes sense that consumers would be seeking the next step in protecting their data, and today we get to take a look at the latest prototype product from Synaptics, who have retrofitted their latest IronVeil security technology into the TteSports Black V2 Laser Gaming Mouse. Now, it’s worth pointing out that this may not be a product that comes to market, as what we’re looking at today is really the sensor. If you keep in mind that this sensor could be integrated into a mouse, a keyboard, a flash drive, your monitor, or virtually anything else in a desktop environment for that matter, this whole concept will make a lot more sense.
We’ve already seen a few examples of other products featuring IronVeil when we visited Synaptics at CES 2016, but this mouse is the first prototype we’ve been able to take away and test ourselves.
For the sake of this review, let’s take a quick look at the stock specifications of this mouse. They’re all unchanged, and the Synaptics and TteSports engineers literally carved out a home for the IronVeil in the mouse, just to prove how easy it would be for new and existing products to adopt such features.
Fingerprint sensors are nothing new; Synaptics have been making them for years and fitting them into various devices. Notebooks, mobile phones, tablets and more have fingerprint sensors these days that let you unlock them quickly and safely, without the need for a password, providing a virtually foolproof block against anyone who tries to access your devices without your permission; so why haven’t we been using this technology on desktops? With Windows 10 Hello, Microsoft Passport and FIDO 2.0, desktop security features are making big advances, and IronVeil looks to be the perfect addition to that.
It’s no secret that Google hates passwords; as a result, they are now trialling a new system that lets you log in to your Google account without one. The only requirement is your phone.
In a post on the Android subreddit, user ‘rp1226’ described his experience as part of the test group for this new system. The concept is incredibly simple: on a computer, you input your email address as you normally would in the login process, then, instead of entering the password, you accept the login request on an authenticated phone. In place of a password, the only challenge appears to be having access to the device and correctly selecting the number displayed on the computer screen from a multiple-choice selection on the phone.
Whether this method of authentication is more secure than a password remains to be seen. If a user’s phone were lost, stolen or otherwise compromised, the user’s accounts could be accessed with ease, as the only remaining challenge would be unlocking the device. And while it removes the ability for a password to be guessed or cracked, tying account access to a physical item has its own risks. After all, unless you write a password down, it’s very hard for it to be physically ‘stolen’.
Whether or not this authentication method catches on remains to be seen, but it is definitely nice to see Google are willing to try out new ways to implement security on accounts and data.
Security is important in modern times, with hacks such as VTech and TalkTalk exposing just how vulnerable data connected to the internet can be. What about those closer to home, though? How about on the very device you’re reading this on? If you are a Linux user, you may want to check for updates for a very simple hack that could give someone unwanted access to your machine.
Two researchers at the University of Valencia in Spain have found an age-old way of breaking through the login screen that is so simple someone might even do it by accident. As they revealed, the hack is performed by pressing the backspace key exactly 28 times. No more, no less. Doing so opens the Grub2 rescue shell (Grub2 being the bootloader software that starts Linux), which can be used to access the system completely unrestricted.
While this may not seem too big a problem, the issue has been found on Ubuntu, Debian and Red Hat variants of Linux and is quite widespread. While a hotfix has been pushed out to address the issue on these versions, it is slightly worrying that such a simple hack has been available for anyone to use.
Another day, another hack. After the likes of VTech and TalkTalk, it was only a matter of time before hackers did the truly unthinkable: they started targeting your games (again)!
While not strictly targeting your games, they are targeting Nexus Mods, one of the most popular places for people to post and download files that augment a variety of games. Similar to how the Steam Workshop works, Nexus Mods lets you upload, download and endorse people’s adjustments, meaning you can do everything from upgrading the graphics in Oblivion to wearing Buzz Lightyear’s armour in Fallout 4, if the developers don’t break mods.
The breach is reported to have affected users registered before mid-2013, but as a general rule of thumb, if a site you use is hacked, change your details quickly. While the account breach is one issue, there has been another which is slightly more worrying: mods have been changed.
The creators of the popular mods Higher Settlement Budget, Rename Dogmeat and BetterBuild have found that someone other than themselves made changes to those mods. The file added to them, “dsounds.dll”, has been sent off to a malware research team to examine and act upon should it turn out to be dangerous.
As a precaution, if you own a Nexus Mods account you should change your password, and if you are a mod creator, check that your mods have not been altered, reporting any suspicious activity if you believe your account or mod has been compromised.
Ransomware is a term we’ve heard a lot in recent years, thanks in no small part to the starter of the craze, CryptoLocker. Previously, viruses and malware infected a system and caused damage either for a strategic purpose or because someone thought it would be fun. Ransomware mixes the two: by encrypting people’s files and then selling them the key to unlock them, people are charged hundreds of pounds just to retrieve those family photos and essays they’ve spent months working on. Sometimes the criminals get paid, sometimes people restore from a backup, and sometimes people miscode the malware and ruin lives. The latest ransomware, though, combines several pieces of malware to create a rather nasty conclusion.
First, your system is infected with Pony, a nasty piece of malware that harvests usernames and passwords from your system, effectively giving its creator access to your online accounts. PayPal, eBay, that blog site you write for occasionally: all gone in a matter of seconds.
The second part of the plan uses those login details to access servers and systems and inject the malware into them, meaning your login details could be spreading the very same software you’re a victim of.
The next part of the plan is a redirect. Going to Google? Not anymore: you find yourself on a search page the attackers have created, carrying some rather nasty code called the Angler exploit kit.
As with most things with the word exploit in their name, this is not a good thing. By scanning for security flaws in your software, and even in built-in Microsoft processes, it quickly gets CryptoWall 4.0 injected into your system. CryptoWall then evades your antivirus software and quickly decimates your system by encrypting your files; it even goes so far as to rename files and move them around, making it difficult to even understand what you’ve lost.
We recommend updating your system on a regular basis, including the software you use, and making sure that you complete regular virus scans. Remember to keep a back-up of important files, both offline and online, so if something happens you’ve never truly lost them.
It’s that time of the year again, when everyone goes crazy and starts buying ready for all the events and gift-giving to come over the next few months (some even preparing so far ahead as to order for next year). Black Friday, one of the busiest shopping days of the year, is upon us, and with it a lot of people are watching online stores, waiting for that juicy one-time deal they can quickly scoop up before it all goes. To no surprise, Amazon is one of these online stores, so what does it mean when people start receiving emails asking them to change their passwords? That’s right: another potential breach.
As reported by ZDNet, a selection of their readers received emails asking them to reset their password (the email was also sent via Amazon’s message centre, confirming that it came from a legitimate source). The reason given was that your password could have been stored on your device or transmitted in a way that exposed it to third parties.
Amazon went on to state that it had corrected the issue, but that temporary passwords were being issued out of caution.
Given recent hacks and breaches, it’s not surprising that Amazon is erring on the side of caution when it comes to people’s accounts, especially around this time of year.
Consumers are exposed to a myriad of cyber threats intent on harvesting as much information as possible, from bogus emails offering state cash refunds to spoofed pages which purport to be from genuine vendors but are in fact designed to collect sensitive consumer details. Mozilla, maker of the well-known and popular Firefox browser, has recognised the importance of alerting consumers to the security of password submission by offering a simple yet important safeguard within the latest Firefox Nightly build.
The security measure in question takes the form of a faded, crossed-out padlock icon within the browser’s address bar; thankfully it is more useful than simply a new icon. The aim of the feature is to warn consumers when a password field is not submitted over HTTPS and is therefore regarded as insecure. If a consumer clicks on the icon, it provides further details as to why a particular site is considered insecure; below is an image to convey the change. The feature is currently “only in testing as part of Firefox 44 Nightly”.
This new yet simple feature is a good way of informing consumers of the risks of submitting a password over an insecure connection; cyber security is a hot topic, and the more every individual knows, the better. It will be interesting to see the rollout timescale for this feature once Firefox confirms it for its release builds. On a side note, let’s hope consumers actually update their browsers in order to benefit from the latest security fixes; I bet many a reader knows someone running a version of Firefox at least 10 versions behind the current release.
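To make the rule concrete, here is an added Python audit helper (not Mozilla’s code) that applies the same test to a constructed list of forms: resolve each form’s action against its page URL the way a browser would, then flag any form containing a password field whose resolved submission URL is not HTTPS. The page URLs and form actions below are made up for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample forms for this example: (page URL, form action
# attribute, input types in the form). The hosts are made up.
SAMPLE_FORMS = [
    ("http://shop.example/login", "", ["text", "password"]),
    ("http://shop.example/login", "https://auth.example/session", ["text", "password"]),
    ("https://bank.example/", "http://bank.example/login", ["text", "password"]),
    ("https://bank.example/", "/login", ["text", "password"]),
    ("http://news.example/", "/search", ["search"]),
    ("https://mail.example/", "//cdn.example/post", ["email", "password"]),
]


def submission_url(page_url, action):
    """Resolve a form's action the way a browser does: an empty action
    submits to the page itself, a relative path resolves against the page
    URL, and a protocol-relative action inherits the page's scheme."""
    return urljoin(page_url, action) if action else page_url


def password_form_insecure(page_url, action, field_types):
    """True when the form has a password field whose submission target is
    not HTTPS, the condition Firefox 44 Nightly warns about. Forms without
    a password field are never flagged."""
    if "password" not in field_types:
        return False
    scheme = urlsplit(submission_url(page_url, action)).scheme.lower()
    return scheme != "https"


def audit(forms):
    """Return (page URL, resolved submission URL) for each flagged form."""
    return [
        (page, submission_url(page, action))
        for page, action, fields in forms
        if password_form_insecure(page, action, fields)
    ]


if __name__ == "__main__":
    for page, target in audit(SAMPLE_FORMS):
        print(f"password submitted insecurely: {page} -> {target}")
```

Note that the second sample form (an HTTP page posting to an HTTPS action) passes this particular rule even though a page served over plain HTTP can itself be altered in transit, so serving the whole login page over HTTPS remains the sound fix.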
Malware. That one word seems to inspire fear and dread in everybody who hears it, even more so when you’ve experienced it first hand on one of your many devices. Malicious software, or malware for short, often spreads itself over the internet or even Wi-Fi in the hope of creating openings for other malicious software, ranging from a program that redirects your browsing to one that encrypts your hard drive until you pay hundreds of pounds so that (if they are true to their word) they will release your files. The world has changed since those dark days; there is a new piece of software in the world: Wifatch is here.
Wifatch was found in late 2015 by Symantec and targets the bugs and security issues commonly found in routers (a piece of hardware we all use but rarely update). This malware doesn’t just infect your router and use it to spread to others; it closes off potentially dangerous loopholes and bugs on your router. That’s right: this malware, a piece of software that by its very nature breaches your security and trust, is trying to help stop you from being affected by … malware?
Not only does it block common points of attack on routers, it also tries to disinfect already-infected systems, even going so far as to reboot them in the hope of stopping any malware that is currently running.
The developer even left a funny message in its source code for those brave enough to browse it.
Is this the kind of software that we need? What do you think about this vigilante malware?
Any Android Lollipop device not running the latest build of the mobile operating system is vulnerable to having its lock screen bypassed by entering a very long string of characters as the password. The bypass was discovered by researchers from the University of Texas this week and applies to any Android 5 device that does not have the latest security updates, released last week.
“A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device,” the researchers wrote on the University of Texas blog. “By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen.”
The Texas researchers also published a proof-of-concept video, recorded on a Nexus 4 running an Android 5.1.1 factory image.
Google has patched the flaw, but in the meantime it is advised that Android Lollipop users who do not yet have the latest updates use either a PIN or a pattern lock, since neither is vulnerable to the above exploit.
Thank you The Register for providing us with this information.
GCHQ is a government body which monitors communications in the UK and protects the security of its citizens. While the organisation remains fairly aloof, it has come under a great deal of scrutiny in the wake of the Edward Snowden revelations. GCHQ and the Centre for the Protection of National Infrastructure compiled a report entitled “Password guidance: simplifying your approach”. This document recommends that users opt for a password manager instead of long and overly complicated passwords:
“Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users.”
That said, determined attackers are still capable of compromising any kind of software, password managers included:
“like any piece of security software, they are not impregnable and are an attractive target”.
Nigel Hawthorn from security company Skyhigh Networks argued:
“The security industry is awash with password advice, but much of it is contradictory or simply not suited to modern working. The result – passwords still puzzle many. GCHQ’s latest advice is refreshingly to the point and covers some of the most pressing issues facing UK businesses and employees today.”
The question is, do you trust GCHQ’s advice given their less-than-admirable behaviour in recent years? Ideally, you should set a different password for each service, so that a single hack cannot disrupt every aspect of your online life. However, it can be quite difficult to remember passwords, as various sites set their own stipulations for the characters used. Hopefully, fingerprint recognition and other methods will replace passwords in the near future.
Thank you The Guardian for providing us with this information.
The Massachusetts Institute of Technology (known as MIT) is known throughout the world for its technological prowess and skills. Producing proud graduates, it is known for being at the forefront of the information technology that we as a world use on an everyday basis. Once again it has come first; this time, however, it is not good news.
Security Scorecard, an information security assessment company, assessed several high-profile universities and nearly gave MIT a failing grade. MIT scored low in several areas, including hacker chatter (a measure of the number of times the school was mentioned in online forums used by hackers and the amount of user details that were revealed on those forums), patching cadence (how quickly patches were applied to deal with the vulnerabilities reported during the scan period) and IP reputation (the amount of malware communication coming from IPs registered to the school).
MIT did score highly in several areas, though, such as its web application security, the health of its DNS records and the quality of its endpoint security. As with all things, security is not something that can be fixed once and left alone; it should be continually reviewed and updated.
Signing up to a dating site which offers a platform for affairs while expecting all your data to remain safe looks to be rather stupid, after the many revelations which have been exposed concerning the Ashley Madison website. If the owners thought they could not be embarrassed any further, a cracking team by the name of CynoSure Prime (not affiliated with Amazon’s video service) has cracked roughly 11 million passwords in just 10 days.
They managed this with help from a mistake made by Ashley Madison themselves. The passwords were stored using bcrypt, which is much more secure and should therefore have been much harder to crack; alongside them, however, the site kept tokens derived with MD5 (Message Digest Algorithm), a far faster and far less secure algorithm. Using the second leak of data as a study set, CynoSure Prime attacked those MD5 tokens. The problem was that the code generating them had been changed in a commit (1c833ec7) on 14 June 2012, which meant that accounts created prior to that date could be cracked through “simple salted MD5”.
What was expected to take years to solve took only 10 days, exposing such naïve security practices within Ashley Madison’s technical structure. The era of basic security has long since ended, and businesses need to understand the scale of the threats targeting their valuable data; Mrs Madison won’t be the last to experience such data loss. This should also be yet another warning against the crusade to ban effective encryption, which is an essential tool to protect consumers from web-based data theft.
If you have a spare few minutes then by all means take a look at the full detailed explanation of the techniques used to crack the passwords; it’s worth a read.
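The difference between the two schemes, and the fix a defender would apply, as an added Python example that is neither CynoSure Prime’s nor Ashley Madison’s code: a login routine that verifies a legacy salted-MD5 record and, on success, rewrites it under a deliberately slow hash so that old hashes are retired as users log in. The MD5 construction and the record layout are assumptions, and PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in Python’s standard library.

```python
import hashlib
import hmac
import os

# Cost of the slow scheme. bcrypt, which the page says Ashley Madison used
# for passwords, is not in Python's standard library, so this example
# substitutes PBKDF2-HMAC-SHA256; what matters is that each guess is slow.
PBKDF2_ROUNDS = 200_000


def legacy_md5(password, salt):
    """The weak legacy scheme: a single fast MD5 over salt + password.
    Assumed illustrative form; the page only says 'simple salted MD5'."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_hash(password, salt):
    """The replacement scheme: a deliberately expensive key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def make_legacy_record(password):
    """Simulate an account created under the old scheme (constructed data)."""
    salt = os.urandom(8)
    return {"scheme": "md5", "salt": salt, "hash": legacy_md5(password, salt)}


def verify_and_upgrade(record, password):
    """Check a password against a stored record. On success, a legacy MD5
    record is replaced by a fresh slow-hash record, so old hashes are retired
    as users log in rather than lingering in the database.
    Returns (password_ok, record_to_store)."""
    if record["scheme"] == "md5":
        ok = hmac.compare_digest(legacy_md5(password, record["salt"]), record["hash"])
        if ok:
            salt = os.urandom(16)
            record = {"scheme": "pbkdf2", "salt": salt, "hash": slow_hash(password, salt)}
        return ok, record
    ok = hmac.compare_digest(slow_hash(password, record["salt"]), record["hash"])
    return ok, record


if __name__ == "__main__":
    rec = make_legacy_record("correct horse battery staple")
    ok, rec = verify_and_upgrade(rec, "correct horse battery staple")
    print(ok, rec["scheme"])  # True pbkdf2
```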
Using data obtained through another hack, attackers were able to target Mozilla Firefox users through vulnerabilities in the popular browser. What is most interesting about this whole debacle, however, is that the attackers first broke into Bugzilla, Mozilla’s bug and vulnerability tracking system, to find working exploits.
Bug trackers and vulnerability databases play an important role in maintaining secure software. As researchers and white hats discover bugs and vulnerabilities, they report them either to a third party or directly to the vendor; in this case, to Mozilla through Bugzilla. This provides a common platform for sharing the information needed to demonstrate and fix a bug. Even where there is no outward-facing way to report bugs, most developers probably have their own internal system for tracking, detailing and cataloguing them. For widely used software, an attacker may not need to spend time researching their own zero-days: they can simply hit one of these bug repositories, grab a whole host of vulnerabilities and use them as needed before they are patched.
In this case, Bugzilla was breached because a privileged user account used the same password on Bugzilla as on another site that got hacked. As a result, attackers were able to access Bugzilla undetected for at least a year. They got away with 185 non-public vulnerabilities, of which 10 were unpatched at the time. Given how many users tend not to patch, and that Mozilla is unsure when the attackers first got in, it’s possible many users were vulnerable; in fact, one of the vulnerabilities was exploited widely for a while. In response, Mozilla is implementing steps to shore up security, such as restricting access and requiring two-factor authentication.
Once again, it shows that security can be pretty hard, and that even systems introduced to better protect users can severely backfire. Given the wealth of vulnerability information stored within bug repositories, they can become a juicy target for black hats. Just like major retailers and the recent US government data breaches, the sensitive information they hold means these systems are guaranteed to be attacked at some point. Another major lesson is that if you want good security, not reusing passwords, keeping patched and using two-factor authentication are key.