I got a fun reminder last night that there a lot of greasy people out there doing a whole lot of greasy shit unto others. Last night, I was taken on a walk down memory lane: I received an email with an old password I used to use in the subject line. — Read the rest
Physical security keys, like those sold by Yubico, Thetis and Kensington, are a great way to lock down your digital lives. They also tend to be wicked fast compared to the wait you have to put on while you're waiting for a 2FA password to arrive via SMS or typing in a verification code from an app like Google Authenticator. — Read the rest
Image: Santeri Viinamäki [CC BY-SA 4.0], via Wikimedia Commons
Ars Technica outlines the case for a policy that might sound counter-intuitive at first: not forcing password rotation.
Passwords are necessary. Passwords are also a pain – especially when you've got multiple ones to remember for your email, subscriptions, bills and work sites.
The problem is keeping all those passwords stored and ready, yet still secure from hackers and malware. — Read the rest
OG Users is a forum for people who steal login credentials for online services, mostly to sell desirable login-names for popular services like Instagram; it attained notoriety when Motherboard's Lorenzo Franceschi-Bicchierai linked the forum to an epidemic of SIM-swapping attacks; a few months later, the Reply All podcast devoted an episode to the forum.
Google has published the results of a study of the efficacy of standard anti-account-hijacking techniques like two-factor authentication (2FA), secret questions, and passwords: the good news is that when these are used, they are incredibly effective at stopping both automated and targeted attacks, including "advanced" attacks of the sort that are often characterized as unstoppable.
Spectre and Meltdown are a pair of chip-level security bugs that exploit something called "speculative execution," through which chips boost performance by making shrewd guesses about which computer operations are performed together.
I use a password manager to create and manage all my passwords. In this video, Dr. Mike Pound explains how password managers work and why it's a good idea to use one.
A year ago, Facebook — wracked by the Cambridge Analytica scandal (and many, many others) — promised a "Clear History" feature that would allow its users to wipe clean the nonconsensual dossiers that the company had compiled on them, a promise uttered by Mark Zuckerberg himself during the F8 developer conference.
Itrack and Protrack are commercial devices for tracking fleets of commercial vehicles; they can be configured to allow for remote killswitching of the cars' engines, presumably as a theft-prevention measure.
40 years ago, antitrust law put strict limits on mergers and acquisitions, but since the Reagan era, these firewalls have been dismantled, and now the biggest companies grow primarily by snapping up nascent competitors and merging with rivals; Google is a poster-child for this, having only ever created two successful products in-house (search and Gmail), with all other growth coming from acquisitions and mergers.
Scammer software is usually quite crude and, as demonstrated here, vulnerable to clever victims aware of their shortcomings.
Engineer Man: "Taking it to another scammer using some nmap analysis and a common exploit to save 105 people. Mission accomplished." — Read the rest
Mark Risher adapts his viral Twitter thread about the security advantages of security keys like Ubikey and Google's Titan Security Key, and how they are game-changers for information security.
The Mexican media company Cultura Colectiva and an app called "At the Pool" used their access to their users Facebook data to make local copies of it, then left that data exposed, in the clear, without a password, on the public internet — 540 million records in all, stored in publicly accessible Amazon S3 buckets.
Andreas Gal, former chief technical officer of Mozilla, filed a civil rights complaint against US Customs and Border Protection after he was detained in late 2018 for several hours at the San Francisco International Airport, interrogated, asked to unlock his devices, threatened with false criminal charges, and told he couldn't have a lawyer. — Read the rest
It's always sort of baffling when security breaches reveal that a company has stored millions of users' passwords in unencrypted form, or put their data on an insecure cloud drive, or transmitted it between the users' devices and the company's servers without encryption, or left an API wide open, or some other elementary error: how does anyone in this day and age deploy something so insecure?
63Red Safe is an app affiliated with 63red, a far-right news site, that is a sort of Green Book for racists, identifying restaurants and other establishments that will serve people sporting MAGA hats and other modern Klan-hood-alikes without calling them out on their overt racist symbology.
Security researchers announced at RSAC today announced they have discovered a trove of 809 million personal records exposed on the internet. This time more than just emails and passwords were exposed — data also includes physical addresses, personal mortgage details, social media accounts, and credit score analysis.
The National Socialist Movement is one of America's oldest and most influential Holocaust denial/neo-Nazi movements, proprietors of one of the world's most prominent Holocaust denial websites and defendants in a case over members who participated in racist violence at the Charlottesville "Unite the Right" rally.
If someone wants to steal your phone number — say, to intercept the two-factor authentication SMSes needed to break into your bank account or other vital service — they hijack your SIM by impersonating you to your phone company (or by bribing someone at the company to reassign your phone number to them), and this has made the security of phone numbers into a top concern for security experts and telcoms companies, as there are millions of dollars at stake.
