After a late-December Washington Post story revealed a nationwide epidemic of colleges quietly installing pervasive wireless location-tracking systems on campus, which gathered data on students without meaningful consent, inside and outside of class, broken down by protected categories such as race and gender, as well as along potentially invasive lines such as whether a student is from abroad, security researcher Lace R Vick tweeted an offer to students to explain how they could "dismantle such a system."
Amazon's surveillance doorbell company Ring sells "security" — the sense that surveilling your porch or your driveway or your home can make you safe. But when the company experienced a grotesque and completely predictable breach that saw hackers breaking into Ring cameras and spying on and tormenting their owners, Amazon blamed their customers for recycling passwords.
A family in DeSoto County, Mississippi, bought a Ring security camera so they could keep an eye on their three young girls in their bedroom. Four days later, they learned that a hacker had broken into the camera and subjected their children to continuous bedroom surveillance, taunting the children through the camera's built-in speaker.
In 2006, Aaron Patzer founded Mint. Patzer had grown up in the city of Evansville, Indiana—a place he described as "small, without much economic opportunity"—but had created a successful business building websites. He kept up the business through college and grad school and invested his profits in stocks and other assets, leading to a minor obsession with personal finance that saw him devoting hours every Saturday morning to manually tracking every penny he'd spent that week, transcribing his receipts into Microsoft Money and Quicken.
Inspired by XKCD's classic diceware strip, a programmer named Alice created an open-source algorithm to randomly generate secure passphrases in Welsh. As difficult as it would be for any human or computer to figure out a nonsense phrase like "correct horse battery staple," it would be even more difficult to guess "stwffwl batri ceffyl cywir," especially when there are only about 700,000 Welsh speakers to begin with.
Today, we are told that the bigness of Big Tech giants was inevitable: the result of "network effects." For example, once everyone you want to talk to is on Facebook, you can't be convinced to use another, superior service, because all the people you'd use that service to talk to are still on Facebook.
Frank Wu writes, "Brianna Wu (US Congressional candidate in MA-8 and cybersecurity expert) has a brand new article in The Boston Globe about election security. People think electronic voting machines are the biggest problem. They're wrong. The electronic VOTER ROLLS are the largest attack surface for hackers.
NordVPN's a popular tool that many people turn to for keeping their shit private while they plumb the depths of the Interwebz. It's available to use with a number of different operating systems. While I'm not fond of what I found while writing about them a few years back (for the record, I rely on ProtonVPN for my online privacy needs), the service is good enough for a whole lot of people.
Nest is a home automation company that Google bought in 2014, turned into an independent unit of Alphabet, then re-merged with Google again in 2018 (demonstrating that the "whole independent companies under Alphabet" thing was just a flag of convenience for tax purposes). The company has always focused on "ease of use" over security, and internecine warfare between different dukes and lords of Google meant that it was never properly integrated with Google's security team, which is why, over and over again, people who own Nest cameras discover strangers staring at them from their unblinking camera eyes, sometimes shouting obscenities.
German security researchers from Security Research Lab created a suite of apps for Google and Amazon smart speakers that did trivial things for their users, appeared to finish and go dormant, but actually stayed in listening mode and then phished the user for passwords spoken aloud, exfiltrating them to a malicious actor; all of their apps were successfully smuggled past the companies' app store security checks.
Another data security disaster for "food delivery on demand" startup DoorDash, and it's not their first. The company confirms a data breach, saying that sensitive information belonging to 4.9 million individual customers, delivery workers, and merchants was stolen by hackers.
The entries at the dumb-password-rules hall of shame are truly dreadful, especially the banks. My favorite ones are sites whose security measures run in the user's browser, which means they can be overridden by opening the web inspector and editing the rules.
Election Systems & Software (ES&S) is America's leading voting machine vendor; they tell election officials (who are county-level officials who often have zero cybersecurity advice or expertise) not to connect their systems to the internet, except briefly to transmit unofficial tallies on election night.
David Tinley developed complex spreadsheets under contract to Siemens, which used them to manage its equipment orders; Tinley hid "logic bombs" in the spreadsheets' scripts that caused them to malfunction every couple of years, which would gin up new work for him as he was called in to fix them.
When it comes to passwords, there's no such thing as paranoia. You want them secure and complex, and you definitely don't want to repeat them on all your accounts. The trouble is, the internet seems to keep growing. And so do those accounts.
Magecart is the hacker gang that pulled off the British Airways and Ticketmaster credit-card heists; now they've built an Amazon cloud scanner that systematically probes S3 storage "buckets" for configuration errors that allow them to overwrite any JavaScript files they find with credit-card-stealing malware.