Boing Boing 

IRS leaks 100K taxpayers' data to identity thieves


The IRS sent extensive dossiers on 100,000 US taxpayers to identity thieves who used weak "secret security" questions to trick the agency's "Get Transcript" service.


Secret security questions deemed insecure


Google analyzed the "secret questions" used by its vast userbase and was not surprised to learn that they are mostly terrible: the answers are either easy to guess or hard to remember.

In a blog post at the company's Online Security Blog, Elie Bursztein said that "secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism."

"That’s because they suffer from a fundamental flaw," Bursztein wrote. "Their answers are either somewhat secure or easy to remember—but rarely both."

Here are some specific insights from the post:

• With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users' answers to the question "What is your favorite food?" (it was 'pizza', by the way).

• With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users' answer to the question "What's your first teacher's name?"

• With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users' answers to the question "What is your father's middle name?"

• With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users' answers to the question "What is your city of birth?" and a 43% chance of guessing their favorite food.

Google is not the first to acknowledge the problems with secret questions.

Experimental plugin lets computers share URLs with ultrasonic tones


Tone is an experimental Chrome plugin from Google Research that lets computers share small amounts of information (like URLs) with ultrasonic chirps.


Today's terrifying Web security vulnerability, courtesy of the 1990s crypto wars

The Logjam bug allows attackers to break secure connections by tricking the browser and server into communicating using weak, export-grade crypto -- but why do browsers and servers still support weak crypto in the first place?


Self-sustaining botnet made out of hacked home routers


Telcos ship routers with default passwords to their customers, who never change them; once a router is compromised, it automatically scans neighboring IP space for more vulnerable routers from the same ISP.


Smart Grid consortium rolled its own crypto, which is always, always a bad idea


When you make up your own crypto, it's only secure against people less clever than you, and there are lots of people smarter than the designers of the Open Smart Grid Protocol, who rolled their own (terrible) crypto rather than availing themselves of the numerous, excellent, free public cryptographic protocols.


Drug pump is "most insecure" device ever seen by researcher

Security researcher Jeremy Richards has called the Hospira Lifecare PCA 3 drug-pump "the least secure IP enabled device" he's examined.


Legal threat against security researcher claims he violated lock's copyright


Mike Davis from IOActive found serious flaws in the high-security Cyberlock locks used by hospitals, airports and critical infrastructure, but when he announced his findings, he received a legal threat that cited the Digital Millennium Copyright Act.


Anyone can open a Master Lock padlock in under two minutes

Well-known security researcher Samy Kamkar has discovered a simple method for cracking the popular Master Lock padlock in eight or fewer tries, meaning that most gym lockers can be popped in less than two minutes.


Encrypting your laptop demystified

On The Intercept, Micah Lee follows up on his great primer on NSA-proof passwords with a soup-to-nuts tutorial on encrypting your laptop.


$17 radio amp lets thieves steal Priuses

If your car has a proximity-based ignition fob that lets you start the engine without inserting a key, thieves on the street in front of your house can use an amplifier to pick up the fob's signal from inside your house and relay it to the car, then drive away clean.


NSA-proof passwords


The Intercept's Micah Lee explains how to use Diceware to generate a passphrase that can survive the NSA's trillion-guess-per-second cracking attempts -- but which can still be easily memorized.


35 Secret hiding places in your home


Ordinarily, the folks over at Family Handyman Magazine are a strait-laced bunch, but their slideshow 20 Secret Hiding Places shows that their practical creativity might be hiding something, such as fat stacks of cash.


Backchannel: computers can talk to each other with heat

A paper by Ben Gurion University researchers, to be presented at a Tel Aviv security conference, demonstrates "BitWhisper," a covert communications channel that allows computers to exchange data by varying their temperature, which can be detected by target machines within 40cm.


Automating remote BIOS attacks


LegbaCore's upcoming "digital voodoo" presentation will reveal an automated means of discovering BIOS defects that are exploitable remotely, meaning that your computer can be compromised below the level of the OS by attackers who do not have physical access to it.


Windows 10 announcement: certified hardware can lock out competing OSes


Microsoft has announced a relaxation of its "Secure Boot" guidelines for OEMs, allowing companies to sell computers pre-loaded with Windows 10 that will refuse to boot any non-Microsoft OS.


Plane safety cards, explained
