Tag Archives: security

Expediting changes to Google+ [David Thacker/Google Blog]

Google is shutting down Google+ for consumers in April, rather than August as earlier planned, as it discovers another security hole.

“Expediting changes” means “shutting down faster.” “Sunsetting” means “shutting down.” Corporatespeak is a means of evading accountability.

I like Google+ but I’m glad to see it shutting down sooner. Dragging it out just makes it more irritating.


Bruce Schneier is skeptical of the Bloomberg supply-chain attack on Apple and Amazon servers, among others. He said if it was true, we’d have seen a photo of the chip by now.

That raises a good rule of thumb for judging the veracity of any explosive investigative report, particularly high-profile sexual harassment charges, like those against Bill Cosby and Harvey Weinstein: corroborating reports start to come out after the initial exposé.

Clever attack uses the sound of a computer’s fan to steal data

Kim Zetter, Wired:

In the past two years a group of researchers in Israel has become highly adept at stealing data from air-gapped computers—those machines prized by hackers that, for security reasons, are never connected to the internet or connected to other machines that are connected to the internet, making it difficult to extract data from them.

Mordechai Guri, manager of research and development at the Cyber Security Research Center at Ben-Gurion University, and colleagues at the lab, have previously designed three attacks that use various methods for extracting data from air-gapped machines—methods involving radio waves, electromagnetic waves and the GSM network, and even the heat emitted by computers.

Now the lab’s team has found yet another way to undermine air-gapped systems using little more than the sound emitted by the cooling fans inside computers. Although the technique can only be used to steal a limited amount of data, it’s sufficient to siphon encryption keys and lists of usernames and passwords, as well as small amounts of keylogging histories and documents, from more than two dozen feet away. The researchers, who have described the technical details of the attack in a paper (.pdf), have so far been able to siphon encryption keys and passwords at a rate of 15 to 20 bits per minute—more than 1,200 bits per hour—but are working on methods to accelerate the data extraction.

The attacker installs malware on a target machine to modify the fans’ speed to change audio output and transmit information to nearby microphones. Diabolical!

Bruce Schneier: How hackers break passwords, and how to pick good ones

Find a good password management app and let it worry about picking good passwords and remembering them. Schneier recommends Password Safe for Windows, but says he can’t vouch for Password Safe on other platforms because he has not evaluated them. I like 1Password, which supports Mac and iOS, which I am familiar with, and Windows and Android, which I’m not.

Donald Trump now says even legal immigrants are a security threat

Jenna Johnson, The Washington Post:

At a rally in Portland, Maine, on Thursday afternoon, Trump provided a lengthy explanation of why he thinks the United States needs to be skeptical of immigrants from many countries, even if they follow the legal process.

He has a point. If there had been better immigration controls 100 years ago when Trump’s grandparents came to the US, we wouldn’t be stuck with the Orange Man-Baby now.

How a US civil war could start in the fall. Blame direct marketing.

Disruptive Robocalling

John Robb says attackers would just need to use robodialers to phone in terrorism threats to heavily partisan electoral districts. The candidate for the other side wins the White House in a landslide. The losing candidate’s supporters take to the streets. Rioting, bloodshed, dogs and cats living together.

Possible because the direct marketing and debt collections industry has made sure the phone system is easy to hack.

I’m still on Facebook double secret probation

Facebook isn’t letting me post links most of the time. It does let me post them some of the time. I don’t have time to deal with this right now so I’m just going to wait it out and hope Facebook takes me off its naughty list on its own.
 
I’m pretty sure I don’t have malware. I’ve scanned my Mac twice using two separate products, and it comes up clean. Nor do I see any other clear indications that I’m infected. There has been some weird behavior — including one incident that might indicate a possible failed attack — but I don’t THINK this machine has malware. I’m pretty sure it doesn’t.
 
I think that what’s going on here is that I’ve been trying some automated tools for posting to Facebook and Facebook has interpreted that behavior as a possible infection, like how your credit card company will flag your account if you take a sudden trip out of town and try to use your card there.

1Password debuts extension to make it easy to log into third-party apps and websites on iOS 8

I’m very much looking forward to this on iOS 8. Logins are an area where mobile falls down in comparison to desktop — it’s much easier for me to log in to things on my Mac than on my iPhone, iPad, or Nexus 7.

The video embedded here is only 34 seconds long and worth watching.

1Password debuts extension for third party apps on iOS.


“Everything Is Broken”

The problem with the normals and tech is the same as the problem with the normals and politics, or society in general. People believe they are powerless and alone, but the only thing that keeps people powerless and alone is that same belief. People, working together, are immensely and terrifyingly powerful.

The US government is rolling out a “driver’s license for the Internet.” No way this could go wrong.

The National Strategy for Trusted Identities in Cyberspace starts testing in government agencies in two US states. “Calling this move ill-timed would be the most gracious way of putting it,” says Techdirt’s Tim Cushing. (US Government Begins Rollout Of Its ‘Driver’s License For the Internet’)

[A]t a time when the public’s trust in government is at an all-time low, the National Institute of Standards and Technology (NIST – itself still reeling a bit from NSA-related blowback) is testing the program in Michigan and Pennsylvania. The first tests appear to be exclusively aimed at accessing public programs, like government assistance. The government believes this ID system will help reduce fraud and overhead, by eliminating duplicated ID efforts across multiple agencies.

But the program isn’t strictly limited to government use. The ultimate goal is a replacement of many logins and passwords people maintain to access content and participate in comment threads and forums. This “solution,” while somewhat practical, also raises considerable privacy concerns.

The keepers of the identity credentials wouldn’t be the government, but rather a third party. Banks, technology companies, and cellphone service providers were suggested as keepers when the program was introduced in 2011. “[S]o theoretically Google or Verizon could have access to a comprehensive profile of who you are that’s shared with every site you visit, as mandated by the government.”

The proposal also raises security concerns, creating a central store of identity information susceptible to hacking. And with the government behind the proposal, citizens may not have the option of opting out.

Here’s the original statement on Whitehouse.gov: “President Obama Releases the National Strategy for Trusted Identities in Cyberspace.” It cites banking and online health records as example applications.