Chinese Anti-Terrorism Law Forces Companies to Provide Encryption Keys

While the debate on the topic rages on in the West, China now has joined Kazakhstan in the club of nations that have compromised the encryption of their citizens’ data for the sake of the state. As part of new anti-terrorism legislation passed by China’s legislature, internet companies that operate within the borders of China are required to hand over encryption keys and passwords to data when requested by the government.

This turn of events in China has concerned many in the West who fear that this new legislation may put their business and interests in China in jeopardy. Even Barack Obama weighed in on the debate when the law was drafted earlier this year, stating “We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States.”

A Chinese official who is involved in the regulation, Li Shouwei, attempted to assure that the law would not involve setting up government backdoors. “Relevant regulations in the anti-terrorism law will not affect the normal business operation of companies, and we do not use the law to set up ‘backdoors’ to violate the intellectual property rights of companies.” He further stated that “The law will not damage people’s freedom of speech or religion.”

It is currently unclear how this new law will affect companies such as Apple (whose iPhone has a large market share in China) that do not hold the encryption keys or passwords to their devices. Will it come down to Western companies using their weight in the Chinese market to slip through where decryption is impossible, or will the Chinese government force them to compromise their principles and security to avoid being locked out of the lucrative Chinese market? With the law coming into effect on 1 January, the answer could come sooner than we think.

With another country’s government rendering privacy and encryption worthless against its whim, could this spur the governments of Europe and America to consider restricting encryption more strongly? We can only hope that seeing such laws in action will drive them away from imposing similar laws on their own citizens in the belief that it will make the world safer.

Hackers Post 10GB Stolen Data as Ashley Madison Stays Online

It has been a while since hackers attacked the online cheating site Ashley Madison where the hackers claimed that they had downloaded pretty much all relevant information about the users from the site. For those who don’t know it, Ashley Madison is an online dating site specifically designed and advertised to married people who want to cheat on their partner. A pure disgrace in my book that a site like that is allowed to stay online, but that is beside the point right now.

The hackers wanted the site to shut down and threatened to release the user data if that didn’t happen. The site didn’t give in to the blackmail, as it looks to be a very lucrative operation, even though it has been exposed as having 90-95% male profiles, with most female profiles faked by the company. I don’t think that women cheat less than men; perhaps they’re smarter about it.

Now the hackers have made good on their promise and released 10GB of stolen data that includes not only usernames and emails, but also appears to contain the credit card information used to pay for membership as well as much other personal information. While the site doesn’t verify profiles in any way and it is possible to create a fake profile with any email you wish, it’s still scary how many government email addresses were found in the database.

Avid Life Media, the company behind Ashley Madison, condemned the release of the data with a statement: “This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”

All the information has been posted to the “Dark Web”, which can only be accessed through the Tor browser. It will be interesting to see what new dirt shows up as experts dig through the data and decrypt the parts that were secured.

Thank You Wired for providing us with this information

FIDO United! More Backers Emerge for Removing Passwords

Everything you do online, and sometimes offline, relies on you remembering a string of letters, numbers and sometimes symbols. These can be anything from your pet’s name to something randomly generated by a program you’ve downloaded or even written yourself. They come with two downsides. First, you have to create something that other people can’t easily guess, find or generate. The second is remembering them: with a long combination spanning from the left-hand side to the right-hand side of your keyboard, the problem quickly becomes “shoot, did I put that as a capital or not?”. FIDO hopes to do away with that.

FIDO stands for Fast IDentity Online. The alliance was formed in 2012 as a non-profit focused on the problem of online authentication: how someone proves who they are and that they should be allowed to perform a given action online. With technology ranging from fingerprints to turning keys and phones into ‘keys’ for your computer, FIDO hopes to bring the different technologies and companies together to provide everyone with easy online authentication. One of these methods is the USB key, designed to replace the two-factor authentication used by Google (where, after the initial request to do something, you receive a text message with a code to confirm that it was you who requested the action).

It would seem that not only large companies are interested in the idea though, with the likes of Google, Microsoft and Apple being joined now by the UK’s Office of the Cabinet and the US’s National Institute of Standards and Technology. With the government bodies now taking part in FIDO, they will have an impact on how steps are taken to allow fast, password-less authentication online.

Everyone is annoyed by passwords on the odd occasion, and the concept behind easy-to-use authentication would save a lot of people a lot of hassle, especially when you find out your accounts have been hacked (something biometric security measures are looking to reduce) and you’ve lost access to your level 80 Warlock Sharman.

Thank you Engadget for the information.

Image courtesy of Shutterstock.

5 Million Gmail Passwords and Usernames Leaked

First Apple had their iCloud fiasco, and now the business giant Google has seen 5 million of its users have their usernames and passwords published online.

The evidence of this has been seen on Russian forum boards, with a comprehensive list of all the people affected now circulating around file-sharing websites. According to Google, however, this is not the result of a breach of Gmail itself; experts believe the list was most likely compiled over a long period of time from information stolen from other websites.

Thanks to The Next Web, we were able to read the direct statement from a Google spokesperson which reads:

“We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts.”

Since the leak, the forum linked above has purged the passwords from the original text file, with only the login information remaining. But for any cyber-criminal looking to take advantage of the situation, the original poster claims that at least 60% of the uncovered account passwords are valid and functional.

We suggest that you change your password just to be safe – and don’t go searching for the document yourself as you never know what you’ll find. Google also suggests you enable their 2-step verification process.

Image courtesy of Create New Gmail Account

eBay Admits User Data Was Hacked Into – Two Months Ago

eBay, one of the most popular websites globally, is urging users to change their passwords after it was discovered that its corporate network was attacked and a small number of employee login credentials were stolen. Following the discovery, eBay is stressing that no financial data was accessed and that, until users’ passwords have been changed, no activity is permitted on their accounts.

What is shocking, however, is the revelation that this attack happened two months ago, in late February to early March, although eBay says the unauthorised access was only discovered a couple of weeks ago, once the compromised employee credentials were found. eBay has also stated that it takes customer privacy and security very seriously and is performing a deep analysis of how the attack was carried out and how the data was accessed, with the aim of ensuring that this does not happen again.

Starting from now, each and every eBay user will be notified via email that they need to change their password. Any associated PayPal accounts are said to be safe and secure, as that data is stored on an encrypted network separate from eBay’s user databases.

While users are changing their passwords, some will see the error message below as the eBay network comes under very heavy load; users are reassured that they can try again later, and their accounts cannot be used until their passwords are changed.

Whilst this is one of the worst attacks to happen to the business, as with all sites we strongly advise that your passwords are changed on a regular basis and if you use the same password on other sites, you should look into changing these as well to prevent any further issues down the line.


Recent Adobe Hack Reveals 1.9 Million People Used 123456 As Their Password

People use stupid passwords; it is a fact we’ve known since passwords became important for accessing online services. At the end of last month cybercriminals hacked Adobe’s systems, exposing 130 million encrypted passwords. Yet the encryption was so weak that almost all of the passwords have now been converted into their plain text equivalents. This is because Adobe encrypted the passwords with Triple DES (3DES), according to Softpedia, and the way the algorithm was used leaks clues about what each password might be. Combine that with the fact that Adobe’s database also contained password hints, and it has been very easy for security experts to crack these passwords.

Of those 130 million hacked passwords, 1.9 million of them were “123456”, 0.45 million were “123456789”, 0.35 million were “password” and 0.2 million were “adobe123”. Scrolling down the below list you can see the usual array of lazy passwords that are as rubbish as they are insecure. It goes without saying that if your password for any website or service can be found below then you really need to be changing it pretty quickly to something much stronger.

Image #1 courtesy of Adobe and image #2 courtesy of Stricture Consulting Group

Microsoft Wants To Increase 16 Character Password Limit

Microsoft’s Outlook.com team recently took to Reddit for an Ask Me Anything (AMA) session. One of the hotly debated topics was the reasoning behind the 16 character password limit Microsoft implements. The Outlook.com team still believes that malware and phishing are the most common techniques for compromising accounts. It also believes that the uniqueness, choice and arrangement of characters is generally more important than password length.

“Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites – none of which are helped by very long passwords.”

Microsoft says that it will increase the character limit in the future and that this is something the Outlook.com team is currently working on but it did say that it will take quite some time due to the difficulty in centralising the password logic across different products.

“Sixteen characters has been the limit for years now. We will always prioritize the protection needs of users’ accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services…We are working on increasing the password length. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it’s a bigger change than it should be and takes longer to get to market.”

Image courtesy of Microsoft

Four Crytek Websites Hacked

According to Blues News, four Crytek-owned websites have been hacked, and all users of those websites are recommended to change their passwords immediately, as well as the passwords of any other websites where those accounts use the same email and password combination. The four affected websites are Crytek.com, Mycryengine.com, Crydev.net and MyCrysis.com.

Crytek reportedly noticed unidentified suspicious activity on their website servers and as a result they said all the websites were taken offline immediately to identify the “damage” and deal with the breach.

Crytek stated that all passwords should be changed quickly and that no financial data has been compromised in this incursion, at least not so far. Yet again this is another example of a company not taking the proper precautions to ensure the safety of its users’ data and accounts. Hopefully Crytek will learn its lesson and ensure adequate safety measures in future.

Image courtesy of Crytek

Turkish Hackers Claim To Have Leaked 40,000 Sony Italy Account Details

According to “Maxney” on Twitter, a member of the Turkish Ajan hacking group, Sony Italy has been breached revealing the details and passwords of 40,000 customers. What’s worrying is that these passwords are plain text meaning that they are not encrypted and can be easily read by anyone.

The information, stolen from web.sony.it, includes account names, usernames, addresses, dates of birth, plain text passwords and many more details. The hackers posted the details online on SpeedyShare, but the file has since been removed. It was probably online long enough for enough people to get their hands on it and start distributing it to criminal organisations and forums.

So a word of warning to all our Italian-based readers: if you were a Sony Italy customer and you use the same password with the same email for any other service, change your passwords immediately, as you are at great risk. As far as Sony is concerned, the lack of security is just amateur; passwords should never be left unencrypted when so many details are at stake. It is not the first time Sony has had security breaches: in the UK it was fined after a huge breach of the PlayStation Network.

Image courtesy of Turkish Ajan

Ubisoft Says 58 Million Users Had Details Stolen – Payment Details Safe

The phrase “EPIC FAIL” comes to mind after Ubisoft have just sent an email out to all Ubisoft account holders warning of a massive data breach. Apparently a staggering 58 million accounts have been hacked allowing the hackers to gain access to user names, email addresses and encrypted passwords. Ubisoft reports that no debit or credit card information was lost as Ubisoft does not store them.

In response, Ubisoft has advised all users to change the passwords on their Ubisoft accounts, and to change the password on any other site where they use the same password with the same email address. I am quite shocked at Ubisoft’s incompetence. Firstly, that it didn’t auto-reset passwords for all Ubisoft accounts to stop hackers gaining access to them without the associated emails. Secondly, if it went to such extraordinary lengths as outsourcing payment details to another company with better security, why did it not do a similar thing for account details?

This isn’t the first time Ubisoft have been victim to a “hack-attack” and last year a security hole allowed hackers to download software from its store for free that hadn’t even been released yet. I guess some companies will never learn.

Image courtesy of Ubisoft

Rumour: Windows 8.1 To Have Fingerprint Passwords

According to the leaked screenshot which you can see above, it is reported that Windows 8.1 will bring an option to have a fingerprint as a password. This would allow a lot more flexibility and convenience with the security of your Windows 8.1 device.

The evidence isn’t really “new” and comes from build 9385 that was released well over a month ago, but the feature can clearly be seen dormant in the system settings on the Windows 8.1 OS.

The fingerprint password security tool isn’t currently working and it is possible that it may never make it to the final build of Windows 8.1 but we can only wait and see what happens.

Microsoft will release the first public preview of Windows 8.1 on June 26th and the final retail version is expected in the August-October time frame.

What are your thoughts on the potential for a fingerprint password in Windows 8.1? A good idea? Or are you worried that it might be abused?

Source, Via

Berkeley Research Found A Way To Replace Passwords With ‘Passthoughts’

Researchers at UC Berkeley have found a way to replace passwords, which typically use a combination of mixed-case letters and numbers, with passthoughts. In short, your thought process or “will” can be used as an authentication method.

The method involves using a biometric identifier to scan your brain activity and use it as an authentication method, similar to using DNA or blood vessels, which are unique. Since brainwaves are also unique and can be used to identify an individual, they can be used to log into a computer or to prove your identity.

The Berkeley researchers were able to do this by using a $100 electroencephalogram made by a company called Neurosky. The device looks like a Bluetooth headset but comes with an electrode that rests on your forehead. This device transmits the brain pattern from the brain’s left frontal lobe to a nearby system assigned to collect the data.

The best part is that, according to their research, there was only a 1% error rate, which is comparable to clinical EEGs that typically use 32 to 256 electrodes over the head. As one could imagine, those cost a lot more than $100. So on the bright side, the only cost involved is the initial $100 investment, yet the accuracy of the brainwave capture is equivalent to that of clinical devices and good enough for authentication purposes.

There are certain issues that come with this biometric authentication method. The $100 EEG device is bulky, and one can’t really imagine being seen wearing it in public, though a device with skin-coloured electrodes is conceivable. Once the accuracy is improved, these EEG units could be used not only for smartphones with Bluetooth headsets, but also for corporate systems, as the only step involved is simply wearing the device.

Source: Extreme Tech