Internet-connected hospital drug pumps vulnerable to remote lethal-dose attacks

Researcher Billy Rios (previously) has extended his work on vulnerabilities in hospital drug pumps, discovering a means by which their firmware can be remotely overwritten with new code that can result in lethal overdoses for patients.

Open garage-doors in less than a minute with a hacked kid's toy

Applied Hacking's Samy Kamkar (previously) has released Opensesame, an app for hacked IM-ME texting toys that can open millions of fixed-code garage doors in less than a minute.

Facebook rolls out new encryption features

The update allows users to post their public email encryption key on their Facebook profile, so others can encrypt future emails to that user.

NSA can't legally surveil Americans' every phone call, for now. Thanks, Edward Snowden.

For the time being, we can call our mom, our best friend, or a pizza delivery service without the NSA automatically keeping a record of who we called, when, and how long the conversation lasts.

IRS leaks 100K taxpayers' data to identity thieves

The IRS sent extensive dossiers on 100,000 US taxpayers to identity thieves who used weak "secret security" questions to trick the agency's "Get Transcript" service.

Secret security questions deemed insecure

Google analyzed the "secret questions" used by its vast userbase and was not surprised to learn that they are mostly terrible.

In a blog post at the company's Online Security Blog, Elie Bursztein said that "secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism."

"That’s because they suffer from a fundamental flaw," Bursztein wrote. "Their answers are either somewhat secure or easy to remember—but rarely both."

Here are some specific insights:

• With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question "What is your favorite food?" (it was ‘pizza’, by the way)

• With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answer to the question "What’s your first teacher’s name?"

• With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question, "What is your father’s middle name?"

• With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question "What is your city of birth?" and a 43% chance of guessing their favorite food.

They're not the first to acknowledge the problems with secret questions.

Experimental plugin lets computers share URLs with ultrasonic tones

Tone is an experimental Chrome plugin from Google Research that lets computers share small amounts of information (like URLs) with ultrasonic chirps.

Today's terrifying Web security vulnerability, courtesy of the 1990s crypto wars

The Logjam bug allows attackers to break secure connections by tricking the browser and server into communicating using weak crypto -- but why do browsers and servers support weak crypto in the first place?

Self-sustaining botnet made out of hacked home routers

Telcos send routers with default passwords to their customers, who never change them, and once they're compromised, they automatically scan neighboring IP space for more vulnerable routers from the same ISP.

Smart Grid consortium rolled its own crypto, which is always, always a bad idea

When you make up your own crypto, it's only secure against people stupider than you, and there are lots of people smarter than the designers of the Open Smart Grid Protocol, who rolled their own (terrible) crypto rather than availing themselves of the numerous, excellent, free public cryptographic protocols.

Drug pump is "most insecure" device ever seen by researcher

Security researcher Jeremy Richards has called the Hospira Lifecare PCA 3 drug-pump "the least secure IP enabled device" he's examined.

Legal threat against security researcher claims he violated lock's copyright

Mike Davis from Ioactive found serious flaws in the high-security Cyberlock locks used by hospitals, airports and critical infrastructure, but when he announced his findings, he got a legal threat that cited the Digital Millennium Copyright Act.

Anyone can open a Master Lock padlock in under two minutes

Well-known security researcher Samy Kamkar has discovered a simple method for cracking the popular Master Lock padlock in eight or fewer tries, meaning that most gym lockers can be popped in less than two minutes.

Encrypting your laptop demystified

On The Intercept, Micah Lee follows up on his great primer on NSA-proof passwords with a soup-to-nuts tutorial on encrypting your laptop.

$17 radio amp lets thieves steal Priuses

If your car has a proximity-based ignition fob that lets you start the engine without inserting a key, thieves on the street in front of your house can use an amp to detect its signal from your house and relay it to the car, getting away clean.

NSA-proof passwords

The Intercept's Micah Lee explains how to use Diceware to generate a passphrase that can survive the NSA's trillion-guess-per-second cracking attempts -- but which can still be easily memorized.

35 Secret hiding places in your home

Ordinarily, the folks over at Family Handyman Magazine are a straight-laced bunch, but their slideshow 20 Secret Hiding Places shows that their practical creativity might be hiding something, such as fat stacks of cash.
