A search-engine for insecure cameras, from baby-monitors to grow-ops

Hackers have been compromising wireless baby-monitors since 2013, but the more popular they've become, the more vulnerable they've become, and the attacks just keep getting more terrible.

Just look at this password-dispensing banana

Just look at it.

2015's worst password was 123456

SplashData's report on the most commonly-used passwords finds a number of traditional disastrously bad choices performing well: "123456" comes out on top, followed by "password".

Other popular choices this year were sports, like "football" and "baseball." And "starwars," a newcomer to the list, ranked as the 25th most popular breached password, probably thanks to excitement over the release of the newest movie in the franchise.

Passwords are the banes of our increasingly online lives: Nearly everything we sign up for needs a password, and creating a secure one can be a pain. Even when we come up with a good one, we always need more because reusing passwords can leave us exposed if a service we use gets breached.

Griefer hacks baby monitor, terrifies toddler with spooky voices

Remember how, back in September 2015, researchers revealed that virtually every "smart" baby-monitor they tested was riddled with security vulnerabilities that let strangers seize control over it, spying on you and your family?

Clapper hacked: US Intelligence director’s personal e-mail and phone breached

The same entity that claims to be behind a recent hack of CIA Director John Brennan's personal email now claims to be behind a breach of the accounts of Director of National Intelligence James Clapper. The Office of the Director of National Intelligence confirmed to Motherboard that Clapper had been targeted, and that the case has been forwarded to law enforcement.

Apple CEO Tim Cook demands Obama White House formally defend Americans' right to strong encryption

Tim Cook. Reuters, 2015

Jenna McLaughlin at The Intercept writes that Apple CEO Tim Cook “lashed out at the high-level delegation of Obama administration officials who came calling on tech leaders in San Jose last week.” 

Will the W3C strike a bargain to save the Web from DRM?

The World Wide Web Consortium, which makes the standards the Web runs on, continues to pursue work on DRM -- technology that you can't connect to without explicit permission, and whose bugs can't be reported without legal jeopardy lest you weaken it.

Your smartwatch knows your ATM and phone PIN

Because a PIN-pad is so constrained and predictable, the accelerometer in your smartwatch is able to guess with a high degree of confidence (73%) what you enter into it -- it can also serve as a general-purpose keylogger, though with less accuracy (59%), thanks to the complexity of the keyboard.

New documents shed light on secret DoJ rules for targeting journalists with National Security Letters

Exterior of U.S. Department of Justice building in DC. Photo: Reuters.

In July 2015, Freedom of the Press Foundation sued the Justice Department (DOJ) over the agency’s secret rules governing how the FBI can target members of the media with due process-free National Security Letters, and we have just received documents back in the ongoing lawsuit.

Internal documents from breathalyzer company Lifesaver dumped online

The company makes ignition interlock breathalyzers that are mandated by courts as a condition of driving after DUI convictions.

Juniper blinks: firewall will nuke the NSA's favorite random number generator

In the month since network security giant Juniper Networks was forced to admit that its products had NSA-linked backdoors, the company's tried a lot of different strategies: minimizing assurances, apologies, firmware updates -- everything, that is, except for removing the Dual_EC random number generator that is widely understood to have been compromised by the NSA.

Vtech, having leaked 6.3m kids' data, now wants to run your home security

Remember the Hong Kong-based crapgadgeteer Vtech, who breached 6.3 million kids' data from a database whose security was jaw-droppingly poor (no salted hashes, no code-injection countermeasures, no SSL), who then lied and stalled after they were outed? They want to make home security devices that will know everything you say and do in your house.

Juniper's products are still insecure; more evidence that the company was complicit

It's been a month since Juniper admitted that its firewalls had back-doors in them, possibly inserted by (or to aid) US intelligence agencies. In the month since, Juniper has failed to comprehensively seal those doors, and more suspicious information has come to light.

Payment system security is hilariously bad

In Shopshifting: The potential for payment system abuse, Karsten Nohl and Fabian Bräunlein showed attendees at Hamburg's Chaos Communication Congress just how poor the security in payment terminals is, and demonstrated several attacks that would let them harvest card numbers and PINs, make undetectable phantom charges and refunds to merchant accounts, and commit other mischief.

The DMCA poisoned the Internet of Things in its cradle

Bruce Schneier explains the short, terrible history of the Internet of Things, in which companies were lured to create proprietary lock-ins for their products because the DMCA, a stupid 1998 copyright law, gave them the power to sue anyone who made a product that connected to theirs without permission.

3.3 million Hello Kitty website accounts leaked

Last week, security researcher Chris Vickery discovered a database containing 3.3 million accounts from Sanriotown, a commercial Hello Kitty fansite operated by Sanrio, Hello Kitty's corporate owners.

Israeli company's product can (allegedly) pwn any nearby mobile phone

The Interapp from Tel Aviv's Rayzone Group is an intrusion appliance that uses a cache of zero-day exploits against common mobile phone OSes and is marketed as having the capability to infect and take over any nearby phone whose wifi is turned on.