A deep dive into stalkerware's creepy marketing, illegal privacy invasions, and terrible security

Stalkerware -- spyware sold to people as a means of keeping tabs on their romantic partners, kids, employees, etc -- is a dumpster fire of terrible security (compounded by absentee management), sleazy business practices, and gross marketing targeted at abusive men who want to spy on women.

Arts&Crafts: bypass a fingerprint scanner with glue and tinfoil

I recently wrote about how much I enjoyed testing the OnePlus 7 Pro. One of the nicer things about it was the fact that its in-display fingerprint reader, unlike the one in the last-gen OnePlus handset, works in a timely manner. Too bad that, no matter how quickly it can read a fingerprint, it still isn't smart enough to stand up to a bit of arts and crafts from a determined security hacker.

Now, before anyone goes and loses their minds over this hack, it's important to note that in order for it to work, a digital interloper would need to get hold of the fingerprint belonging to the handset's owner in order to copy it. The best way to secure your phone against a hack like this, or being forced to unlock your smartphone for the authorities is to lock it down with an alphanumeric code.

While using biometrics to unlock your hardware might be convenient, when push comes to shove, it won't keep your digital life secure from professional snoops for long.

Hackers stole a US Customs and Border Patrol facial recognition database

Data from facial recognition scans performed by US Customs and Border Patrol on travelers crossing at an unnamed land border point (an anonymous source says it's a US-Canada crossing) have been stolen by hacker or hackers unknown.

Weekend SIM-swapping blitz targets US cryptocurrency holders

SIM swapping attacks involve tricking or bribing a phone company into assigning someone else's phone number to you; once you have the number, you can intercept SMS-based two-factor authentication messages and use them to take over accounts.

U.S. will examine 2016 North Carolina poll books for election hacking

Finally. It's been almost 3 years.

It's time to stop asking users for periodic password changes

Image: Santeri Viinamäki [CC BY-SA 4.0], via Wikimedia Commons

Ars Technica outlines the case for a policy that might sound counter-intuitive at first: not forcing password rotation.

Apple to limit third-party tracking in children's apps

You can't trust tech companies' word that the privacy controls they say they're implementing will protect you and your children.

A Wall Street Journal study of 80 apps in Apple's App Store shows that most apps, including ones selected and featured by Apple editors, are tracking you in ways you would not expect, and cannot avoid.

Study: Popular iOS apps use 'background app refresh' to send your location and IP address

You're browsing a news app on your phone in bed, alone, late at night. Did you know your physical location and IP address are being shared with the app maker?

Analysis of a far-right disinformation campaign aimed at influencing the EU elections

F-Secure Labs used a bot to harvest and analyze high-ranked disinformation tweets aimed at influencing the EU elections; they found that some of the highest-ranked xenophobic/Islamophobic disinformation came from a pair of related accounts: NewsCompact and PartisanDE, both in "the top three most engaged accounts in the EU election conversation space on Twitter two weeks ago."

Real estate title insurance company exposed 885,000,000 customers' records, going back 16 years: bank statements, drivers' licenses, SSNs, and tax records

First American Financial Corp is a Fortune 500 company that insures titles on people's property; their insecure website exposed 885,000,000 records for property titles, going back 16 years, including bank accounts (with scanned statements), Social Security numbers, wire transaction receipts, scanned drivers' licenses, tax records, mortgage records, etc -- when notified of the error, the company (which employs 18,000 people and grossed more than $5.7B last year) closed the misconfiguration.

HACKED: Perceptics, license plate reader provider for US Border Patrol at Mexico border

Hackers have breached Perceptics, which sells border security technology and license plate reader systems and the like to governments and other entities. The U.S. government uses their readers, including along the US-Mexico border.

Nominations are open for EFF's Barlow/Pioneer Awards

Every year, the Electronic Frontier Foundation presents its Pioneer Awards (previously); now renamed the Barlow Award in honor of EFF co-founder John Perry Barlow, who died last year.

In less than one second, a malicious web-page can uniquely fingerprint an iPhone, Pixel 2 or Pixel 3 without any explicit user interaction

In a new paper for IEEE Security, a trio of researchers (two from Cambridge, one from private industry) identify a de-anonymizing attack on iPhones that exploits minute differences in sensor calibration: an iPhone user who visits a webpage running the attack code can have their phone uniquely identified in less than a second, through queries to the sensors made through automated background processes running on the page.

Thangrycat: a deadly Cisco vulnerability named after an emoji 😾😾😾

Thangrycat is a newly disclosed vulnerability in Cisco routers that allows attackers to subvert the router's trusted computing module, which allows malicious software to run undetectably and makes it virtually impossible to eliminate malware once it has been installed.

The government of Baltimore has been taken hostage by ransomware and may remain shut down for weeks

Nearly two weeks after the city of Baltimore's internal networks were compromised by the Samsam ransomware worm (previously), the city is still weeks away from recovering services -- that's weeks during which the city is unable to process utility payments or municipal fines, register house sales, or perform other basic functions of city governance.

Research shows that 2FA and other basic measures are incredibly effective at preventing account hijacking

Google has published the results of a study of the efficacy of standard anti-account-hijacking techniques like two-factor authentication (2FA), secret questions, and passwords: the good news is that when these are used, they are incredibly effective at stopping both automated and targeted attacks, including "advanced" attacks of the sort that are often characterized as unstoppable.

Sleuthing from public sources to figure out how the Hateful Eight leaker was caught

In 2014, Quentin Tarantino sued Gawker for publishing a link to a leaked pre-release screener of his movie "The Hateful Eight." The ensuing court case revealed that the screeners Tarantino's company had released had some forensic "traitor tracing" features to enable them to track down the identities of people who leaked copies.
