passwords

Longstanding, unpatched Bluetooth vulnerability lets burglars shut down Google security cameras

A security researcher has published a vulnerability and proof-of-concept exploits in Google's Internet of Things security cameras, marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor; these vulnerabilities were disclosed to Google last fall, but Google/Nest have not patched them despite the gravity of the vulnerability and the long months since the disclosure. Read the rest

EFF presents: a guide to protecting your data privacy when crossing the US border

The Electronic Frontier Foundation has just updated its 2011 guide to Digital Privacy at the U.S. Border with an all new edition that covers the law, administrative rules, technological options and potential repercussions of crossing the US border while not undergoing the warrantless seizure and indefinite retention of all of your sensitive data -- in a guide that breaks out the different risks for US citizens, US permanent residents, and visitors to the USA. Read the rest

How a fishing guide's WordPress site became home to half a million fraudulent pages

Ned Desmond shares the scary story of how a small site he managed that advertised fishing expeditions ended up with 565,192 scam pages. He also suggests five ways to avoid the same fate. Read the rest

Human rights coalition to DHS: don't demand social media passwords from people entering the USA

A huge coalition of human rights groups, trade groups, civil liberties groups, and individual legal, technical and security experts have signed an open letter to the Department of Homeland Security in reaction to Secretary John Kelly's remarks to House Homeland Security Committee earlier this month, where he said the DHS might force visitors to America to divulge their social media logins as a condition of entry. Read the rest

"I’ll never bring my phone on an international flight again. Neither should you."

Quincy Larson asks you to image "What’s the worst thing that could happen if the Customs and Border Patrol succeed in getting ahold of your unlocked phone?"

Read the rest

Proof-of-concept ransomware locks up the PLCs that control power plants

In Out of Control: Ransomware for Industrial Control Systems, three Georgia Tech computer scientists describe their work to develop LogicLocker, a piece of proof-of-concept ransomware that infects the programmable logic controllers that are used to control industrial systems like those in power plants. Read the rest

US-born NASA scientist was detained at the border until he unlocked his phone

Sidd Bikkannavar, a scientist at NASA’s Jet Propulsion Laboratory (JPL), still doesn't know why he was detained by US Customs and Border Patrol and compelled under duress to give agent's the access PIN to his NASA-owned mobile phone.

From The Verge:

Seemingly, Bikkannavar’s reentry into the country should not have raised any flags. Not only is he a natural-born US citizen, but he’s also enrolled in Global Entry — a program through CBP that allows individuals who have undergone background checks to have expedited entry into the country. He hasn’t visited the countries listed in the immigration ban and he has worked at JPL — a major center at a US federal agency — for 10 years. There, he works on “wavefront sensing and control,” a type of optics technology that will be used on the upcoming James Webb Space Telescope.

...

The officer also presented Bikkannavar with a document titled “Inspection of Electronic Devices” and explained that CBP had authority to search his phone. Bikkannavar did not want to hand over the device, because it was given to him by JPL and is technically NASA property. He even showed the officer the JPL barcode on the back of phone. Nonetheless, CBP asked for the phone and the access PIN. “I was cautiously telling him I wasn’t allowed to give it out, because I didn’t want to seem like I was not cooperating,” says Bikkannavar. “I told him I’m not really allowed to give the passcode; I have to protect access.

Read the rest

Seafood-related queries from own internet-connected vending machines brought college network to its knees

A university, mercifully left unnamed, blew off complaints from students about its slow network. When the problem became too bad to ignore, their IT team found the culprit thanks to a "sudden big interest in seafood-related domains."

The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure. With a massive campus to monitor and manage, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies. While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet. ... botnet spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password – locking us out of the 5,000 systems.

The Internet of Hacked Things strikes again! I'm sure some content filtering and updating passwords will do the trick. Read the rest

How to legally cross a US (or other) border without surrendering your data and passwords

The combination of 2014's Supreme Court decision not to hear Cotterman (where the 9th Circuit held that the data on your devices was subject to suspicionless border-searches, and suggested that you simply not bring any data you don't want stored and shared by US government agencies with you when you cross the border) and Trump's announcement that people entering the USA will be required to give border officers their social media passwords means that a wealth of sensitive data on our devices and in the cloud is now liable to search and retention when we cross into the USA. Read the rest

Son of Stuxnet: "invisible," memory-resident malware stalks the world's banks

Duqu 2.0 is a strain of clever, nearly undetectable malware, derived from Stuxnet, that stays resident in its hosts' memory without ever writing persistent files to the system's drives. Read the rest

After shutting down to protect user privacy, Lavabit rises from the dead

In 2013, Lavabit -- famous for being the privacy-oriented email service chosen by Edward Snowden to make contact with journalists while he was contracting for the NSA -- shut down under mysterious, abrupt circumstances, leaving 410,000 users wondering what had just happened to their email addresses. Read the rest

Apple Store employees fired after accusations of snooping on customers' devices for sexual selfies and sharing them

Last October, an Apple Store in Brisbane, Australia terminated some of its employees after they were accused of searching customers' devices for sexually explicit selfies and sharing them with colleagues, rating them on a scale of 1-10. Read the rest

Bible references make very weak passwords

An analysis of passwords found in the 2009 breach of Rockyou -- 32 million accounts -- finds a large number of Biblical references ("jesus"," "heaven", "faith", etc), including a number of Bible verse references ("john316"). Read the rest

Your smart meter is very secure (against you) and very insecure (against hackers)

In On Smart Cities, Smart Energy, And Dumb Security -- Netanel Rubin's talk at this year's Chaos Communications Congress -- Rubin presents his findings on the failings in the security of commonly deployed smart meters. Read the rest

Yahoo reveals hackers took a further 1 billion accounts (phone, DoB, names, emails)

Just a few months after Yahoo disclosed a 2014 breach of 500 million user accounts, the company today revealed this was preceded by a 1 billion account breach in 2013, in which the hackers took everything: hashed passwords, names, email addresses, phone numbers, dates of birth, and possibly the tools necessary to forge login cookies that would bypass password checks altogether.

Read the rest

This TV streaming service offers more than Hulu and Netflix for just $24

These days, we benefit from having a plethora of TV streaming options, but SelectTV had never been on my radar. SelectTV may be a less known option, but it actually offers significantly more content than the usual suspects. For that reason alone, I thought it was definitely worth checking out. 

As advertised, SelectTV delivers a massive library of TV shows, movies, live channels, and more—over 300,000 + TV episodes and 200,000 movies, to be exact. I appreciate that fact that it’s all available through the same interface, which means no more switching between windows or having to enter different passwords to watch what I want.

What's especially unique is that SelectTV also includes a Pay Per View service, which isn't usually an option with streaming services. This comes in handy for watching big fights and new movie releases. Plus, SelectTV connects to home TVs via Chromecast or an HDMI cable. 

If you love entertainment variety and enjoy not paying cable companies an arm and a leg, you owe it to yourself to check out this service. In fact, for a limited time, you’ll also get a free HD antenna from SelectTV post-purchase if you buy a one year ($24) or three year ($49) subscription Read the rest

Iphones secretly send your call history to Apple's cloud, even after you tell them not to

Apple has acknowledged that its Icloud service is a weak link in its security model, because by design Apple can gain access to encrypted data stored in its customers' accounts, which means that the company can be hacked, coerced or tricked into revealing otherwise secure customer data to law enforcement, spies and criminals. Read the rest

Previous PageNext page