I use a password manager to deal with my hundreds of different passwords, and it's pretty convenient to use on my phone and laptop. But the FIDO (Fast IDentity Online) Alliance thinks getting access to your online accounts could be even more convenient and secure by replacing passwords with your trusted devices. From 9To5Mac:
For example, if you try to log in to a website on your iPhone, you would enter only your username and it would then send an authentication request to one of your other registered devices, such as an Apple Watch. You could simply tap to authorize. Similarly, when accessing a service on your Mac, you would be able to approve it on your iPhone – and so on.
Although this might sound like weaker security, it’s actually secure. Only one of your own trusted devices can make a request for authentication as you, and only a different one of your own trusted devices can approve that request. An attacker wanting to impersonate you would need physical possession of two of your trusted devices, and to be logged in to both. For example, they would need to have your iPhone and its passcode, and your Mac and its password.
While Apple’s system is limited to its own devices, the alliance wants all manufacturers to sign up to this approach, so you’d also be able to authorize a login on an Android smartphone, Android tablet, Chromebook, Windows PC or any other trusted device.
“If there are no consequences for the [UN] agencies for failures like these … there will be more breaches.”
No encrypted iCloud backups for you, citizen!
The US Navy has issued a policy banning the social media app TikTok from government-issued mobile devices, saying the China-owned video messaging service is a "cybersecurity threat."
NordVPN's a popular tool that many people turn to for keeping their shit private while they plumb the depths of the Interwebz. It's available to use with a number of different operating systems. While I'm not fond of what I found while writing about them a few years back (for the record, I rely on ProtonVPN for my online privacy needs), the service is good enough for a whole lot of people.
Or at least it was. Because it's been hacked.
The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.
...NordVPN told TechCrunch that one of its data centers was accessed in March 2018. “One of the data centers in Finland we are renting our servers from was accessed with no authorization,” said NordVPN spokesperson Laura Tyrell.
The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.
NordVPN did not name the data center provider.
So, that sucks.
According to TechCrunch, the infiltrated server didn't contain any user activity logs, which is nice. Additionally, NordVPN's spokesperson swears that there's no way that a motivated attacker could have intercepted usernames or passwords. This, of course, is like saying that you shit the bed, but the pillows are fine.
Most U.S. adults answer fewer than half of the questions correctly on a digital know-how quiz, and many struggle with cybersecurity and privacy
The administration of Donald Trump is pulling $270 million from the Department of Homeland Security, including $155 million of FEMA disaster relief funding, to pay for migrant concentration camps, according to DHS and a leading congressional Democrat.
Money will also reportedly be taken away from the budget for planned upgrades to the National Cybersecurity Protection System, and new equipment for the U.S. Coast Guard.
Everything is awful, and getting worse.
The money, which was also set aside for the U.S. Coast Guard, will be used to pay for detention facilities and courts for migrants arriving at the U.S.-Mexico border. DHS officials say they have been overwhelmed by a surge of asylum-seeking migrants who are fleeing violence and poverty in Central America.
The Trump administration is seeking to circumvent Congress and move money originally designated for other programs. This will allow the administration to continue to house immigrants arriving at the border, part of President Donald Trump’s promise not to “catch and release” migrants and allow them to await hearings outside of custody.
The administration plans to take $115 million from the Federal Emergency Management Agency’s disaster-relief fund just as hurricane season is heating up in the Atlantic Ocean, according to a letter from U.S. Representative Lucille Roybal-Allard, who chairs the congressional panel that oversees Department of Homeland Security (DHS) spending.
The letter also details that money will be taken for planned upgrades to the National Cybersecurity Protection System and new equipment for the U.S. Coast Guard, Roybal-Allard said.
Friends, you're going to wish you were still making the scene with a magazine after reading this sentence: Google's web trackers are all up in your fap time and there's pretty much nothing (except maybe using a more secure browser like Firefox, reading up on cybersecurity tips from the EFF, refusing to sign into a Google account and never going online without the protection of a VPN) that anyone can do about it.
You might be popular, but are you "Chinese hackers following your every move, no matter where you go" popular?
No? It's cool. Not many people are.
I occasionally need to use an Android device to get things done for my day job. I like the flexibility of the operating system: I can tweak to my heart's content. An Android phone often runs cheaper than a handset from Apple and, in some cases, boasts photo snapping capabilities that kick the bejesus out of Apple's Designed in Cupertino camera app and optics. But when I read shit like this story from The Verge, I'm reminded, once again, about why I put up with the walled garden and stuffy familiarity of iOS.
From The Verge:
Even if you say “no” to one app when it asks for permission to see those personally identifying bits of data, it might not be enough: a second app with permissions you have approved can share those bits with the other one or leave them in shared storage where another app — potentially even a malicious one — can read it. The two apps might not seem related, but researchers say that because they’re built using the same software development kits (SDK), they can access that data, and there’s evidence that the SDK owners are receiving it. It’s like a kid asking for dessert who gets told “no” by one parent, so they ask the other parent.
...That’s in addition to a number of side channel vulnerabilities the team found, some of which can send home the unique MAC addresses of your networking chip and router, wireless access point, its SSID, and more. “It’s pretty well-known now that’s a pretty good surrogate for location data,” said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), when presenting the study at PrivacyCon.
I got a fun reminder last night that there are a lot of greasy people out there doing a whole lot of greasy shit unto others. Last night, I was taken on a walk down memory lane: I received an email with an old password I used to use in the subject line. Here's what was inside. I've removed the password from the mix, for obvious reasons:
_________ is yoũr passphrasęs. Lets get right to the point. No person has paid me to check about you. You do nŏt know me and you're mŏst likely wondęrİng why you're getting this e-mail?
İ installed a softwāre on thę adũlt vidęo clips (porno) web-site and gũess what, yoũ visited this site to have fun (yŏu know what i mean). While yŏu were vİęwing vidęŏ clİps, yŏur internet browsęr startęd working as a RDP that has a kęy logger which prŏvided me with āccessİbİlity to your screen ās well as cām. Jũst aftęr thāt, my software gāthered all yoũr cŏntacts from your Messenger, socİal networks, as well ās e-maİlaccount. after thāt i created ā video. 1st part shows the video yoũ were vİewing (you've got a nice tastę lmao), ānd nęxt part displays the ręcordİng ŏf your web cām, yea its yoũ.
Yŏũ actually hāvę two diffęręnt possİbilities. Shall we explŏre these types ŏf choices in āspęcts:
First optİon is tŏ neglect this messāgę. in thİs case, i ām going to sęnd your vęry own video to each one of yoũr contacts and also yoũ can easİly İmāgine ręgarding the humiliātİŏn you will definitely get.
Physical security keys, like those sold by Yubico, Thetis and Kensington, are a great way to lock down your digital life. They also tend to be wicked fast compared to waiting for a 2FA code to arrive via SMS or typing in a verification code from an app like Google Authenticator.
Unless of course said security key is deeply, deeply borked.
Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The company issued a security advisory today that warned of an issue in YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 that reduced the randomness of the cryptographic keys it generates. The security keys are used by thousands of federal employees on a daily basis, letting them securely log on to their devices by issuing one-time passwords.
The problem in question occurs after the security key powers up. According to Yubico, a bug keeps "some predictable content" inside the device's data buffer that could impact the randomness of the keys generated. Security keys with ECDSA signatures are in particular danger. A total of 80 of the 256 bits generated by the key remain static, meaning an attacker who gains access to several signatures could recreate the private key.
If someone reading this can school me on why anyone working at Yubico would think that keeping 'predictable content' on a device meant to secure highly-sensitive governmental systems and information was a good idea, I'd appreciate it.
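To see why predictable nonce bits are fatal for ECDSA, here is an added example written for this page (it is not Yubico's firmware and not an analysis of the actual YubiKey defect): textbook ECDSA over P-256 in pure Python, two signatures produced by a nonce generator that returns the same value every time, and the private key recovered from those two signatures alone. The stuck nonce is the extreme form of the "predictable content" the advisory describes; an 80-bit partial bias is exploited with the same equations plus a lattice (hidden number problem) solver, which this example does not implement. The key, the messages and the nonce constant are all constructed for the demo.

```python
"""Added example: ECDSA private-key recovery from a repeated nonce.

Illustrative code for this page, not Yubico's firmware.  Textbook ECDSA on
NIST P-256 in pure Python (affine arithmetic, not constant-time, demo only).
"""
import hashlib
import secrets

# NIST P-256 domain parameters (public constants).
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a = p - 3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(P):
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0


def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P):
    """Double-and-add scalar multiplication (leaks timing; fine for a demo)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def msg_hash(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(d: int, msg: bytes, k: int):
    """ECDSA signature; the caller supplies the nonce k so a bad RNG can be modelled."""
    r = ec_mul(k, G)[0] % n
    s = pow(k, -1, n) * (msg_hash(msg) + r * d) % n
    assert r and s
    return r, s


def verify(Q, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    h = msg_hash(msg)
    X = ec_add(ec_mul(h * w % n, G), ec_mul(r * w % n, Q))
    return X is not None and X[0] % n == r


def recover_private_key(msg1, sig1, msg2, sig2) -> int:
    """Two signatures under one nonce: s1 - s2 = k^-1 (h1 - h2) gives k, then d."""
    r1, s1 = sig1
    r2, s2 = sig2
    assert r1 == r2, "equal r values are the fingerprint of nonce reuse"
    h1, h2 = msg_hash(msg1), msg_hash(msg2)
    k = (h1 - h2) * pow(s1 - s2, -1, n) % n
    return (s1 * k - h1) * pow(r1, -1, n) % n


# Constructed sample key, and a "nonce generator" whose output never changes:
# the degenerate form of the predictable buffer contents in the advisory.
PRIVATE_KEY = secrets.randbelow(n - 1) + 1
PUBLIC_KEY = ec_mul(PRIVATE_KEY, G)
STUCK_NONCE = 0x5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a


def demo() -> bool:
    """Sign two challenges with the stuck nonce and recover the private key."""
    m1, m2 = b"login challenge 1", b"login challenge 2"
    sig1 = sign(PRIVATE_KEY, m1, STUCK_NONCE)
    sig2 = sign(PRIVATE_KEY, m2, STUCK_NONCE)
    assert verify(PUBLIC_KEY, m1, sig1) and verify(PUBLIC_KEY, m2, sig2)
    return recover_private_key(m1, sig1, m2, sig2) == PRIVATE_KEY


if __name__ == "__main__":
    print("private key recovered:", demo())
```

Both signatures verify perfectly, which is the uncomfortable part: nothing in the signature format reveals that the nonce was bad. The one visible symptom is a repeated r across signatures from the same key, and that is exactly what a defender scanning a batch of signatures should look for; with partial bias the r values differ and only the lattice attack exposes the problem.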
Frequent Boing Boing contributor Sean O'Brien and his colleagues Laurin Weissinger and Scott J Shapiro built a Raspberry Pi-enabled smart pumpkin and then challenged their Yale cybersecurity students to hack it.
With the midterm elections creeping up, everyone in the media's been busier than a cat trying to bury a turd in a marble floor watching for signs of Russian interference. Given the amount of chaos that Russia's cyber operatives have been responsible for over the past few years, this is totally understandable. However, it might be a good idea for the media to keep an eye on China's online comings and goings, as well.
According to a report released by the French government, Chinese cyber operatives have been hard at work attempting to compromise or enlist thousands of well-placed professionals and intellectuals online to leverage in the real world.
The report describes Chinese efforts to approach senior French scientists, business executives, academics and others as "widespread and elaborate", and warns that it poses an "unprecedented threat against the national interests" of the French state. It goes on to state that nearly 4,000 carefully selected French citizens have been approached by Chinese intelligence operatives via the LinkedIn social media platform. Of those, nearly half, or 1,700, have leading posts in French industry, while the remaining 2,300 work in the public sector. In their totality, those targeted are involved in nearly every area of industry and government administration, including nuclear energy, telecommunications, computing and transportation, said the report.
In many cases, the Chinese operatives used fake identities, pretending to be headhunters for overseas corporations and think tanks on LinkedIn. As part of the ruse, the ops would invite their targets on all-expenses-paid trips to China for job interviews or research symposiums – whatever turned their target's crank.
Well this is fun: The United States Government Accountability Office released a report today that explains, in no uncertain terms, that the majority of the nation's new-fangled, high-tech weapons systems are hilariously vulnerable to cyber attacks.
From the Washington Post:
The report by the Government Accountability Office concluded that many of the weapons, or the systems that control them, could be neutralized within hours. In many cases, the military teams developing or testing the systems were oblivious to the hacking.
A public version of the study, published on Tuesday, deleted all names and descriptions of which systems were attacked so the report could be published without tipping off American adversaries about the vulnerabilities. Congress is receiving the classified version of the report, which specifies which among the $1.6 trillion in weapons systems that the Pentagon is acquiring from defense contractors were affected.
The Government Accountability Office used a team of hackers to see what sort of shenanigans could be caused with a little bit of access and a whole lot of digital kung-fu. The results aren't a good look for America's military. In one instance, the red team that the GAO used was pitted against Pentagon personnel tasked with holding the line against cyberintrusions. The security checks the Pentagon had in place were easily bypassed, thanks to easy-to-crack passwords and "insiders" who were familiar with the program acting as meatspace backdoors to what would normally be secure systems. It gets worse: hackers working for the GAO reported being able to watch, in real time, a system operator's every move.
When scammers get inside of the networks of financial institutions, they sometimes stage "cashouts" where they recruit confederates around the world to all hit ATMs at the same time with cards tied to hacked accounts and withdraw the maximum the ATMs will allow; but the wilier criminals first disable the anti-fraud and withdrawal maximum features in the banks' systems, enabling confederates to drain ATMs of all the cash they contain. This is called an "unlimited cashout."
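As an added example (not from the original post), here is a small detector over constructed ATM withdrawal records for the two signals described above: per-card totals that exceed a withdrawal cap the bank's systems should have enforced (a hit is evidence the control was disabled, since a working control makes it impossible), and many cards hitting ATMs in many countries inside one short window (the synchronized cashout crew). The cap, the thresholds and every record are hypothetical.

```python
"""Added example: spotting an "unlimited cashout" in withdrawal records.

Illustrative code written for this page; the records, cap and thresholds
are constructed, not taken from any bank or incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-card daily cap that the core banking system should enforce.
DAILY_LIMIT = 500

# Constructed sample records: (timestamp, card, atm, country, amount).
WITHDRAWALS = [
    ("2018-08-11T02:00:00", "card-001", "atm-NY-1", "US", 500),
    ("2018-08-11T02:01:00", "card-002", "atm-LON-4", "GB", 500),
    ("2018-08-11T02:02:00", "card-003", "atm-TYO-2", "JP", 500),
    ("2018-08-11T02:02:00", "card-004", "atm-SAO-7", "BR", 500),
    ("2018-08-11T02:03:00", "card-001", "atm-NY-2", "US", 500),
    ("2018-08-11T02:03:00", "card-005", "atm-DEL-1", "IN", 500),
    ("2018-08-11T02:04:00", "card-002", "atm-LON-9", "GB", 500),
    ("2018-08-11T02:05:00", "card-004", "atm-SAO-3", "BR", 500),
    ("2018-08-11T14:00:00", "card-009", "atm-NY-5", "US", 100),  # ordinary customer
]


def parse(rows):
    """Turn the raw tuples into dicts with real datetimes."""
    return [
        {"ts": datetime.fromisoformat(ts), "card": card, "atm": atm,
         "country": country, "amount": amount}
        for ts, card, atm, country, amount in rows
    ]


RECORDS = parse(WITHDRAWALS)


def limit_violations(records, daily_limit=DAILY_LIMIT):
    """Cards whose withdrawals in any rolling 24-hour window exceed the cap.

    Returns {card: largest 24h total seen}.  A working limit check makes this
    set empty by construction, so any entry means the check was bypassed or
    switched off, which is the defining move of an unlimited cashout.
    """
    by_card = defaultdict(list)
    for r in records:
        by_card[r["card"]].append(r)
    flagged = {}
    for card, rs in by_card.items():
        rs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(rs):
            total = 0
            for r in rs[i:]:
                if r["ts"] - start["ts"] > timedelta(hours=24):
                    break
                total += r["amount"]
            if total > daily_limit:
                flagged[card] = max(flagged.get(card, 0), total)
    return flagged


def coordinated_burst(records, window=timedelta(minutes=15),
                      min_cards=4, min_countries=3):
    """Windows in which many distinct cards withdraw in many countries at once.

    Returns a list of (window start ISO timestamp, distinct cards, countries),
    one entry per qualifying start record, earliest first.
    """
    rs = sorted(records, key=lambda r: r["ts"])
    alerts = []
    for i, start in enumerate(rs):
        in_window = [r for r in rs[i:] if r["ts"] - start["ts"] <= window]
        cards = {r["card"] for r in in_window}
        countries = {r["country"] for r in in_window}
        if len(cards) >= min_cards and len(countries) >= min_countries:
            alerts.append((start["ts"].isoformat(), len(cards), sorted(countries)))
    return alerts


if __name__ == "__main__":
    print("cards over the cap (control bypassed?):", limit_violations(RECORDS))
    print("coordinated bursts:", coordinated_burst(RECORDS)[:1])
```

The two checks are deliberately independent: the cap check catches the tampering even if the crew is small and local, and the burst check catches the crew even if the cap itself was raised rather than removed. In production both would run against the authorization stream rather than a batch, but the logic is the same.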