Vtech breach dumps 4.8m families' information, toy security is to blame


Vtech is a ubiquitous Hong Kong-based electronic toy company whose kiddy tablets and other devices are designed to work with its cloud service, which requires parents to set up accounts for their kids. 4.8 million of those accounts were just breached, leaking a huge amount of potentially compromising information, from kids' birthdays and home addresses to parents' passwords and password hints.

Dell apologizes for preinstalling bogus root-certificate on computers


Yesterday, Dell was advising customers not to try to uninstall the bogus root certificate it had snuck onto their Windows machines, which would allow attackers to undetectably impersonate their work intranets, bank sites, or Google mail. Today, they apologized and offered an uninstaller -- even as we've learned that at least one SCADA controller was compromised by the bad cert, and that Dell has snuck even more bogus certs onto some of its machines.

Not just Lenovo: Dell ships computers with self-signed root certificates


Last February, Lenovo shocked its security-conscious customers by pre-installing its own, self-signed root certificates on the machines it sold. These certificates, provided by a spyware advertising company called Superfish, made it possible for attackers to create "secure" connections to undetectable fake versions of banking sites, corporate intranets, webmail providers, etc.

How browser extensions steal logins & browsing habits; conduct corporate espionage


Seemingly harmless browser extensions that generate emojis, enlarge thumbnails, help you debug Javascript errors and other common utilities routinely run secret background processes that collect and retransmit your login credentials, private URLs that grant access to sensitive files, corporate secrets, full PDFs and other personally identifying, potentially compromising data.

Zero: the number of security experts Ted Koppel consulted for hysterical cyberwar book


Ted Koppel's new book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath warns of an impending disaster when America's critical infrastructure will be destroyed by cyberattackers, plunging the nation into a literal dark age.

The Web is pretty great with Javascript turned off


Wired's Klint Finley tried turning off Javascript and discovered a better Web, one without interrupters asking you to sign up for a mailing list, without infinitely scrolling pages, without ads and without malvertising.

Hospitals are patient zero for the Internet of Things infosec epidemic


As I have often noted, medical devices have terrifyingly poor security models, even when compared to the rest of the nascent Internet of Things, where security is, at best, an afterthought (at worst, it's the enemy!).

Did the FBI pay Carnegie Mellon $1 million to identify and attack Tor users?


Documents published by Vice News: Motherboard and further reporting by Wired News suggest that a team of researchers from Carnegie Mellon University who canceled their scheduled 2015 BlackHat talk identified Tor hidden servers and visitors, and turned that data over to the FBI.

No matter who the researchers are or which institution is involved, it sounds like a serious ethical breach.

First, from VICE, a report which didn't name CMU but revealed that a U.S. university helped the FBI bust Silk Road 2, and suspects in child pornography cases:

An academic institution has been providing information to the FBI that led to the identification of criminal suspects on the dark web, according to court documents reviewed by Motherboard. Those suspects include a staff member of the now-defunct Silk Road 2.0 drug marketplace, and a man charged with possession of child pornography.

It raises questions about the role that academics are playing in the continued crackdown on dark web crime, as well as the fairness of the trials of each suspect, as crucial discovery evidence has allegedly been withheld from both defendants.

Here's a screenshot of the relevant portion of one of the court documents that Motherboard/Vice News published:

Later today, a follow-up from Wired that points the finger directly at CMU:

The Tor Project on Wednesday afternoon sent WIRED a statement from its director Roger Dingledine directly accusing Carnegie Mellon of providing its Tor-breaking research in secret to the FBI in exchange for a payment of “at least $1 million.” And while Carnegie Mellon’s attack had been rumored to have been used in takedowns of dark web drug markets that used Tor’s “hidden service” features to obscure their servers and administrators, Dingledine writes that the researchers’ dragnet was larger, affecting innocent users, too.


UK Snooper's Charter "would put an invisible landmine under every security researcher"


Respected UK tech elder statesman and journalist Rupert Goodwins blasts the UK government's plan to impose secret gag-orders on researchers who discover government-inserted security flaws in widely used products, with prison sentences of up to a year for blowing the whistle or even mentioning the gag orders in a court of law.

The Economist's anti-ad-blocking tool was hacked and infected readers' computers


Pagefair is an ad-blocking circumvention tool that publishers can use to track readers who've taken technological countermeasures to protect their privacy. The company has sold its service to many publishers -- including the Economist -- by deploying moral arguments about the evils of ad-blocking.

British government will (unsuccessfully) ban end-to-end encryption

Home Secretary Theresa May has introduced the long-awaited, frequently assayed Snoopers' Charter, and it is a complete disaster.

TSA screeners can't detect weapons and they never could


TSA screeners' ability to detect weapons in luggage is "pitiful," according to classified reports on the security administration's ongoing story of failure and fear.

We know about them because lawmakers are tiring of the charade and the complacency that comes with it. Ars Technica reports:

"In looking at the number of times people got through with guns or bombs in these covert testing exercises it really was pathetic. When I say that I mean pitiful," said Rep. Stephen Lynch (D-Mass.), speaking Tuesday during a House Oversight hearing concerning classified reports from federal watchdogs. "Just thinking about the breaches there, it's horrific," he added.

Auditors from the Inspector General's Office, posing as travelers, discovered enormous loopholes in the TSA's screening process. A leaked classified report this summer found that as much as 95 percent of contraband, like weapons and explosives, got through during clandestine testings. Lynch's comments were in response to the classified report's findings.

What will the future bring? We all love puppies, don't we?

Blackmail: Manila airport security's "bullet scam"


Filipino politicians have decried an alleged blackmail scheme by Manila airport security officers, who are said to drop bullets into passengers' luggage and then demand cash payouts to stay out of jail.

US Senate passes CISA, a very bad spying bill dressed up as a cybersecurity bill


CISA won't make you and me any more secure, and it threatens what's left of our online privacy. The very helpful sounding “Cybersecurity Information Sharing Act” will definitely help the government, though: it'll make it a lot easier for technology companies to share your personal data with the government, and everyone knows that this data never ends up in the wrong hands, so you're fine.

The gaping privacy flaws in CISA didn't stop the Senate from passing it by a wide margin today: 74 to 21. CISA now goes to a conference committee between House and Senate.

Here's the EFF's take, by Mark Jaycox:

CISA passed the Senate today in a 74-21 vote. The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities. The bill now moves to a conference committee despite its inability to address problems that caused recent highly publicized computer data breaches, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.

The conference committee between the House of Representatives and the Senate will determine the bill's final language. But no amount of changes in conference could fix the fact that CISA doesn't address the real cybersecurity problems that caused computer data breaches like Target and the U.S. Office of Personnel Management (OPM).


Sixth grader sells artisanal Diceware passwords


11-year-old Mira Modi, daughter of privacy journalist Julia Angwin, has a startup through which she hand-generates secure Diceware passwords for $2, which she mails in sealed letters through the USPS, "which cannot be opened by the government without a search warrant."

Botnets running on CCTVs and NASs


Researchers at Incapsula have discovered a botnet that runs on compromised CCTV cameras. There are hundreds of millions, if not billions, of these in the field, and like many Internet of Things devices, their security is an afterthought and not fit for purpose.

Putting your kettle on the Internet of Things makes your wifi passwords an open secret


The $150 Smarter iKettle lets you start your water boiling from anywhere in the world over the Internet -- and it also contains serious, long-standing security vulnerabilities that allow attackers to extract your wifi passwords from it.
