Whatsapp: Facebook's ability to decrypt messages is a "limitation," not a "defect"

Facebook spokespeople and cryptographers say that Facebook's decision to implement Open Whisper Systems' end-to-end cryptographic messaging protocol in such a way as to allow Facebook to decrypt messages later without the user's knowledge reflects a "limitation" -- a compromise that allows users to continue conversations as they move from device to device -- and not a "defect."

It turns out that halfway clever phishing attacks really, really work

A new phishing attack hops from one Gmail account to the next by searching through compromised users' previous emails for messages with attachments, then replies to them from the compromised account, replacing the link to the attachment with a lookalike that sends you to a fake Google login page (they use some trickery to hide the fake in the location bar); the attackers stand by and if you enter your login/pass, they immediately seize control of your account and attack your friends.

Moral panic: Japanese girls risk fingerprint theft by making peace-signs in photographs

Isao Echizen, a researcher at Japan's National Institute of Informatics, told a reporter from the Sankei Shimbun that he had successfully captured fingerprints from photos taken at 3m distance at sufficient resolution to recreate them and use them to fool biometric identification systems (such as fingerprint sensors that unlock mobile phones).

Bible references make very weak passwords

An analysis of passwords found in the 2009 breach of Rockyou -- 32 million accounts -- finds a large number of Biblical references ("jesus", "heaven", "faith", etc.), including a number of Bible verse references ("john316").

New ransomware will delete all your files -- unless you read two articles on avoiding ransomware

A newly discovered strain of the Koolova ransomware encrypts all your files and deletes the keys -- unless you read two articles about avoiding ransomware: Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom (Bleeping Computer) and Stay safe while browsing (Google Security Blog).

Hyperface: a fabric that makes computer vision systems see faces everywhere

Adam Harvey, creator of 2012's CV Dazzle project to systematically confound facial recognition software with makeup and hairstyles, presented his latest dazzle iteration, Hyperface, at the Chaos Communications Congress in Hamburg last month.

No, Russia didn't hack Vermont's power grid

Despite what you might have read in this alarming story in the Washington Post, Russia did not hack Vermont's power authority.

Your smart meter is very secure (against you) and very insecure (against hackers)

In On Smart Cities, Smart Energy, And Dumb Security -- Netanel Rubin's talk at this year's Chaos Communications Congress -- Rubin presents his findings on the failings in the security of commonly deployed smart meters.

It's surprisingly easy to alter anyone's airline reservations

Karsten Nohl and Nemanja Nikodijevic's Chaos Communications Congress presentation details their research into becoming a "Secret travel agent": they figured out how to force the various portals to the Global Distribution System to let them know if they've guessed someone's reservation locator code, which they can use to arbitrarily alter your flight plans, sending you to different cities, reseating you, or cancelling your flight.

What we can learn from 2016: the year of the security breach

Ryan McGeehan, who specializes in helping companies recover from data breaches, reflects on the worst year of data breaches (so far) and has some sound practical advice on how to reduce your risk and mitigate your losses: some easy wins are to get your staff to use password managers and two-factor authentication for their home computers (since everyone is expected to work in their off-hours, most home computers are an easy way to get into otherwise well-defended networks); and stress-test your network for breach recovery.

Methbot: a $3M-$5M/day video ad-tech fraud

White Ops, a security firm, has published a detailed report on a crime-ring they call "Methbot" that generated $3M-$5M by creating 6,000 fake websites to embed videos in, then generating convincing bots that appeared to watch 300,000,000 videos/day -- running virtual instances of various browsers (mostly Chrome) on virtual machines running MacOS X, from a huge pool of IP addresses that they fraudulently had assigned to US locations, deploying clever grace-notes like limiting access to "daylight" hours in their notional locations; simulating mouse-movements and clicks and more.

Panasonic's in-flight entertainment systems have critical security flaws

In March 2015, IOActive's Ruben Santamarta privately disclosed his findings on the major bugs in Panasonic's Avionics IFE in-flight entertainment systems; 18 months later, it's not clear whether all airlines have patched these bugs.

Trump's policies on net neutrality, free speech, press freedom, surveillance, encryption and cybersecurity

Three posts from the Electronic Frontier Foundation dispassionately recount the on-the-record policies of Trump and his advisors on issues that matter to a free, fair and open internet: net neutrality; surveillance, encryption and cybersecurity; free speech and freedom of the press.

Freedom of the Press releases an automated, self-updating report card grading news-sites on HTTPS

Secure the News periodically checks in with news-sites to see how many of them implement HTTPS -- the secure protocol that stops your ISP and people snooping on it from knowing which pages you're looking at and from tampering with them -- and what proportion of them default to HTTPS.

Bruce Schneier's four-year plan for the Trump years

1. Fight the fights (against more government and commercial surveillance; backdoors, government hacking); 2. Prepare for those fights (push companies to delete those logs; remind everyone that security and privacy can peacefully co-exist); 3. Lay the groundwork for a better future (figure out non-surveillance internet business models, privacy-respecting law enforcement, and limits on corporate surveillance); 4. Continue to solve the actual problems (cybercrime, cyber-espionage, cyberwar, the Internet of Things, algorithmic decision making, foreign interference in our elections).

Digital self-defense for journalists

The Opennews project has published a set of annotated links to digital operational security tutorials that are relevant to journalists looking to defend themselves against various kinds of attacks, covering two-factor authentication, password managers, phishing, first aid for malware infections, and related subjects. (via 4 Short Links)

Malware delivered by bad ads takes over your home router to serve more bad ads (for now)

Proofpoint has identified a new version of DNSChanger EK, a strain of malware that changes your DNS settings so that the ads on the websites you browse are replaced with other ads that benefit the attackers -- and which can also be used for more nefarious ends, because controlling your DNS means controlling things like where your computer gets software updates.