Friends, you're going to wish you were still making the scene with a magazine after reading this sentence: Google's web trackers are all up in your fap time and there's pretty much nothing (except maybe using a more secure browser like Firefox, read up on cyber security tips from the EFF, refusing to sign into a Google account and never going online without the protection of a VPN) that anyone can do about it. Read the rest

You might be popular, but are you Chinese hacker following your every move, no matter where you go popular?

No? It's cool. Not many people are. Read the rest

I occasionally need to use an Android device to get things done for my day job. I like the flexibility of the operating system: I can tweak to my hearts content. An Android phone often runs cheaper than a handset from Apple and, in some cases, boast photo snapping capabilities that kick the bejesus out Apple's Designed in Cupertino camera app and optics. But when I read shit like this story from The Verge, I'm reminded, once again, about why I put up with the walled garden and stuffy familiarity of iOS.

From The Verge:

Even if you say “no” to one app when it asks for permission to see those personally identifying bits of data, it might not be enough: a second app with permissions you have approved can share those bits with the other one or leave them in shared storage where another app — potentially even a malicious one — can read it. The two apps might not seem related, but researchers say that because they’re built using the same software development kits (SDK), they can access that data, and there’s evidence that the SDK owners are receiving it. It’s like a kid asking for dessert who gets told “no” by one parent, so they ask the other parent.

...That’s in addition to a number of side channel vulnerabilities the team found, some of which can send home the unique MAC addresses of your networking chip and router, wireless access point, its SSID, and more. “It’s pretty well-known now that’s a pretty good surrogate for location data,” said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), when presenting the study at PrivacyCon.

I got a fun reminder last night that there a lot of greasy people out there doing a whole lot of greasy shit unto others. Last night, I was taken on a walk down memory lane: I received an email with an old password I used to use in the subject line. Here's what was inside. I've removed the  password from the mix, for obvious reasons:

_________ is yoũr passphrasęs. Lets get right to the point. No person has paid me to check about you. You do nŏt know me and you're mŏst likely wondęrİng why you're getting this e-mail?

İ installed a softwāre on thę adũlt vidęo clips (porno) web-site and gũess what, yoũ visited this site to have fun (yŏu know what i mean). While yŏu were vİęwing vidęŏ clİps, yŏur internet browsęr startęd working as a RDP that has a kęy logger which prŏvided me with āccessİbİlity to your screen ās well as cām. Jũst aftęr thāt, my software gāthered all yoũr cŏntacts from your Messenger, socİal networks, as well ās e-maİlaccount. after thāt i created ā video. 1st part shows the video yoũ were vİewing (you've got a nice tastę lmao), ānd nęxt part displays the ręcordİng ŏf your web cām, yea its yoũ.

Yŏũ actually hāvę two diffęręnt possİbilities. Shall we explŏre these types ŏf choices in āspęcts:

First optİon is tŏ neglect this messāgę. in thİs case, i ām going to sęnd your vęry own video to each one of yoũr contacts and also yoũ can easİly İmāgine ręgarding the humiliātİŏn you will definitely get.

Physical security keys, like those sold by Yubico, Thetis and Kensington, are a great way to lock down your digital lives. They also tend to be wicked fast compared to the wait you have to put on while you're waiting for a 2FA password to arrive via SMS or typing in a verification code from an app like Google Authenticator.

Unless of course said security key is deeply, deeply borked.

From Engadget:

Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The company issued a security advisory today that warned of an issue in YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 that reduced the randomness of the cryptographic keys it generates. The security keys are used by thousands of federal employees on a daily basis, letting them securely log-on to their devices by issuing one-time passwords.

The problem in question occurs after the security key powers up. According to Yubico, a bug keeps "some predictable content" inside the device's data buffer that could impact the randomness of the keys generated. Security keys with ECDSA signatures are in particular danger. A total of 80 of the 256 bits generated by the key remain static, meaning an attacker who gains access to several signatures could recreate the private key.

If someone reading this can school me on why anyone working at Yubico would think that keeping 'predictable content' on a device meant to secure highly-sensitive governmental systems and information, I'd appreciate it. Read the rest

Frequent Boing Boing contributor Sean O'Brien and his colleagues Laurin Weissinger and Scott J Shapiro built a Raspberry Pi-enabled smart pumpkin and then challenged their Yale cybersecurity students to hack it. Read the rest

With the midterm elections creeping up, everyone in the media's been busier than a cat trying to bury a turd in a marble floor watching for signs of Russian interference. Given the amount of chaos that Russia's cyber operatives have been responsible for over the past few years, this is totally understandable. However, it might be a good idea for the media to keep an eye on China's online comings and goings, as well.

According to a report released by the French government, Chinese cyber operatives have been hard at work attempting to compromise or enlist thousands of well-placed professionals and intellectuals online to leverage in the real world.

From IntelNews:

The report describes Chinese efforts to approach senior French scientists, business executives, academics and others, as “widespread and elaborate”, and warns that it poses an “unprecedented threat against the national interests” of the French state. It goes on to state that nearly 4,000 carefully selected French citizens have been approached by Chinese intelligence operatives via the LinkedIn social media platform. Of those nearly half, or 1,700, have leading posts in French industry, while the remaining 2,300 work in the public sector. In their totality, those targeted are involved nearly every area of industry and government administration, including those of nuclear energy, telecommunications, computing and transportation, said the report.

Uh Oh.

In many cases, the Chinese operatives used fake identities, pretending to be headhunters for overseas corporations and think tanks on LinkedIn. As part of the ruse, the ops would invite their targets on all-expenses-paid trips to China for job interviews or research symposiums – whatever turned their target's crank. Read the rest

Well this is fun: The United States Government Accountability Office released a report today that explains, in no uncertain terms, that the majority of the nation's new-fangled, high-tech weapons systems are hilariously vulnerable to cyber attacks.

From the Washington Post:

The report by the Government Accountability Office concluded that many of the weapons, or the systems that control them, could be neutralized within hours. In many cases, the military teams developing or testing the systems were oblivious to the hacking.

A public version of the study, published on Tuesday, deleted all names and descriptions of which systems were attacked so the report could be published without tipping off American adversaries about the vulnerabilities. Congress is receiving the classified version of the report, which specifies which among the $1.6 trillion in weapons systems that the Pentagon is acquiring from defense contractors were affected.

The Government Accountability Office used a team of hackers to see what sort of shenanigans could be caused with a little bit of access and a whole lot of digital kung-fu. The results aren't a good look for America's military. In one instance, the red team that the GOA used was pitted against Pentagon personnel tasked with holding the line against cyberintrusions. The security checks that the Pentagon were easily bypassed, thanks to the use of easy-to-crack passwords and "insiders" who were familiar with the program acting as meatspace backdoors to what would normally be secure systems. It gets worse: hackers working for the GAO reported being able to watch, in real time, a system operator's every move. Read the rest

When scammers get inside of the networks of financial institutions, they sometimes stage "cashouts" where they recruit confederates around the world to all hit ATMs at the same time with cards tied to hacked accounts and withdraw the maximum the ATMs will allow; but the wilier criminals first disable the anti-fraud and withdrawal maximum features in the banks' systems, enabling confederates to drain ATMs of all the cash they contain. This is called an "unlimited cashout." Read the rest

A federal lawsuit brought by voting security activists against the State of Georgia has revealed breathtaking defects in the state's notoriously terrible voting machines -- and, coincidentally, the machines in question were wiped and repeatedly degaussed by the state before they could be forensically examined as evidence of their unsuitability for continued use. Read the rest

Have you tried turning it off and on again?

The FBI sent out an urgent bulletin advising anyone with a home or small office internet router to immediately turn it off and then turn it on again as a way to help stop the spread of a malware outbreak with origins in Russia. Read the rest

A recently concluded cybersecurity review conducted by the Trump White House and Department of Homeland Security finds most government agencies remain shockingly insecure, despite Trump's campaign promises for super great cybersecurity unlike the very bad hacker criminal Hillary Clinton who bleached emails and acid-washed her network devices, and should be in jail. Read the rest

According to The Hong Kong Free Press, Apple is set to hand over the keys to the the accounts of iCloud users in China to a company owned by the surveillance and censorship-happy Chinese government.

Guizhou-Cloud Big Data (GCBD) will take over the operation of Apple's Chinese data center at the end of February, making GCBD responsible for all legal and financial transactions between the Apple and China's iCloud users. Once GCBD is running the show, Apple will be responsible for investing one billion USD to build a new server farm in Guiyang and to provide technical support in the interest of preserving data security.

Apple's doesn't like telling folks what iCloud user data they're able to read. The information could be limited to the size of uploaded files and where those files were uploaded, or as comprehensive as being able to browse through the photos taken with an iPhone. That China's communist government, which is big on watching the digital doings of its citizens, censorship and political activism could will soon have access to the iCloud account information of every iPhone, iPad or Mac user in China pretty troubling. 

This isn't the first time that Apple has bowed to pressure from the Chinese government, either. At the ass end of 2017, they happily removed close to 700 VPN apps from the Chinese iTunes App Store, making it extremely difficult for iOS users to view uncensored content. So, say good bye to news stories about China and the rest of the world that hasn't been approved by Chinese state censors. Read the rest

U.S. Girl Scouts as young as 5 years old will soon be able to earn their first-ever cybersecurity badges. 18 of these merit patches will be launched by the Girl Scouts of the USA starting in September, 2018. Read the rest

Micah Lee and The Intercept put together this video with “tips on how to prepare your phone before you go to a protest and on how to safely communicate with your friends.” Read the rest

'President' Donald Trump is expected to sign an executive order addressing cybersecurity today, Reuters reports in an item that cites "two sources familiar with the situation.” The EO is expected to be Trump's first action to address what he called a top priority of his administration during the Presidential campaign. Read the rest

Of 1700+ known acts of global power-grid sabotages, affecting some 5,000,000 people, 879 were caused by squirrels; between 0 and 1 were caused by Russia, and another 1 was caused by the USA (Stuxnet). Read the rest