
rgl7194 : privacy   3167

New Security and Privacy Features in iOS 12 | The Mac Security Blog
iOS 12 has brought many new features to your iPhone and iPad as we discussed here. But beyond the more obvious changes - new notifications, Screen Time, Shortcuts and others - iOS 12 has delivered a bushel of new security features. Most of these features revolve around passwords and iCloud Keychain, but there are a few other features that make your devices more secure. Here's an overview of what's new in iOS 12 security.
iOS 12 has made massive improvements in the way passwords are managed. Not only has iCloud Keychain been improved, but iOS can auto-fill passwords from third party password managers as well. (1Password, LastPass, Dashlane, etc.) When you get to a login page on a website, you'll see a suggested password in the bar above the keyboard and you can tap it to have it entered automatically.
ios12  passwords  safari  security  privacy 
3 days ago by rgl7194
New Security Features in macOS Mojave | The Mac Security Blog
macOS Mojave doesn't have a lot of visible new features, aside from the new dark mode, but under the hood there are plenty of changes to make the operating system faster, more stable, and more secure. In this article, I'm going to discuss some of the new security features that make Mojave easier to use safely and securely.
As in iOS 12 - read this article about the new security features in Apple's mobile operating system - macOS Mojave brings a number of new features around passwords that will help make your computing more secure. Together with the keychain, which stores your passwords and which can sync them with your other Apple devices using iCloud Keychain, Safari now suggests and stores strong passwords when you create an account on a website.
macOS  10.14  passwords  security  privacy  safari 
3 days ago by rgl7194
More than 50 nations, but not U.S., sign onto cybersecurity pact - Axios
French President Emmanuel Macron released an international agreement on cybersecurity principles Monday as part of the Paris Peace Forum. The original signatories included more than 50 nations, 130 private sector groups and 90 charitable groups and universities, but not the United States, Russia or China.
The big picture: The Paris Call for Trust and Security in Cyberspace is another step in the disjointed effort to create international norms and laws for cybersecurity and warfare. In most international matters of regulating the internet, there tends to be a wide split between the liberal Western order and authoritarian nations like Russia and China.
security  privacy  trust  gov2.0  politics  europe  canada  cyber 
3 days ago by rgl7194
The Imitation Game |
Today, Alan Turing is considered the father of theoretical computer science and artificial intelligence. The mathematician, born on June 23, 1912, was a brilliant World War II codebreaker and parlayed that insight into theorizing and creating the first stored-memory computers. Unfortunately, this Officer of the British Empire was persecuted by the British government of the time for his homosexuality and suffered through chemical castration before ending his life.
The Imitation Game by Feynman author Jim Ottaviani and Resistance illustrator Leland Purvis chronicles the life of Turing in a full-size graphic novel. Check back every day this week as releases the entire graphic novel in four parts.
Update: Tuesday June 24: The next installment has been posted! In the box below type in “60” to jump right to it.
Update: Wednesday June 25: The next installment has been posted! In the box below type in “117” to jump right to it.
Update: Thursday June 26: The final installment has been posted! In the box below type in “168” to jump right to it.
encryption  gov2.0  math  military  privacy  security  spying  uk  women  WWII  comics  tor  bletchley 
3 days ago by rgl7194
Bletchley Park: Surviving the stress | Anglia - ITV News
A new exhibition at Bletchley Park "High Spirits in Low Times" explores the ways codebreakers and their colleagues coped with the stress of the job.
Watch a video report by ITV News Anglia's Elodie Harper.
Monotonous tasks and gruelling shifts took their toll on staff, and ensuring they didn't suffer burnout was part of the war effort.
From government sponsored ultraviolet light treatment for those working night shifts to putting on plays, the recreation time led to a better balanced working life.
"It certainly helped some people put up with what was mostly a very dull and very hard job."
encryption  gov2.0  math  military  privacy  security  spying  uk  women  WWII  bletchley 
3 days ago by rgl7194
Bletchley Park's derelict huts where British mathematicians cracked the Nazi Enigma code to be rebuilt | Daily Mail Online
Site cracked 3,000 German messages a day
Said to have shortened World War II by two years
Huts currently stand derelict
Site is 'birthplace of the computer age'
The huts at Bletchley Park where British mathematicians cracked the Nazi Enigma code are to be rebuilt.
The trust has raised the £2.4 million required to restore the huts where codebreakers led by Alan Turing shortened the war by up to two years.
'Raising these funds has been a race against time to save the Huts from dereliction,' said Iain Standen, CEO of the Bletchley Park Trust.
The huts at Bletchley Park were where British mathematicians worked in secret to crack Germany's Enigma code, using desks, blackboards, and feeding their results through primitive mechanical computers that are the grandfathers of the machines we use today.
encryption  gov2.0  math  military  privacy  security  spying  uk  women  WWII  bletchley 
3 days ago by rgl7194
WW2: Winifred Roberts' Bletchley Park work cracking Enigma code - BBC News
Winifred Roberts was 25 when she was plucked from a Salford battery factory and plunged into the top secret world of Bletchley Park, where mathematician Alan Turing had been carrying out his code-breaking work on the Enigma machine. It was a secret she kept from her family for decades.
It was in late 1943 and Hitler's Nazi Germany still occupied much of Central and Western Europe - the tide of World War Two was still yet to turn.
Ms Roberts was living with her parents and had never even heard of Turing, but within weeks she was working on the top-secret mission which has been credited with shortening the war by as much as four years.
Now aged 96, she talks about the time her life dramatically changed and the role she played in such an important part of the war effort.
"We couldn't talk about what we were doing, we couldn't breathe about it for more than 30 years," she said.
"My father died never knowing what I had done during the war."
encryption  gov2.0  math  military  privacy  security  spying  uk  women  WWII  bletchley 
3 days ago by rgl7194
Elizabeth 'Betty' Balfour tells how she used to dry damp bras on Enigma machine | Daily Mail Online
Wartime codebreaker tells how she and co-workers at Bletchley Park used to dry their damp bras and pants on Enigma machine
Elizabeth 'Betty' Balfour said Bletchley Park was freezing cold at night
The women in the team resorted to drying their bras and pants on Enigma
She said it was 'festooned with bras and pants all through our night duty'
Mrs Balfour worked in Bletchley Park with Alan Turing
She said he was often spotted walking backwards while reading a book
Movie based on Alan Turing and the codebreakers to be released Friday
A wartime codebreaker has revealed she and her co-workers at Bletchley Park dried their bras and knickers on Hitler's Enigma machine during night shifts at the cypher school.
Elizabeth 'Betty' Balfour, 88, joined the Wrens when she was 17 and was handpicked to work on the top secret team under code genius Alan Turing.
She said women at the chilly school would dry their damp underpants on the huge computers linked to the seized Enigma machine as they were the only source of heat at night.
Her saucy secret comes days before the November 14 general release of the Imitation Game film, which stars Benedict Cumberbatch as Turing.
encryption  gov2.0  math  military  privacy  security  spying  uk  women  WWII  bletchley 
3 days ago by rgl7194
U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail Scanning Service — Krebs on Security
A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.
The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.
According to the Secret Service alert, the accused used the Informed Delivery feature “to identify and intercept mail, and to further their identity theft fraud schemes.”
mail  scanning  identity_theft  security  privacy  krebs  gov2.0  email 
7 days ago by rgl7194
iOS 12.1 Vulnerability - Schneier on Security
This is really just to point out that computer security is really hard:
Almost as soon as Apple released iOS 12.1 on Tuesday, a Spanish security researcher discovered a bug that exploits group Facetime calls to give anyone access to an iPhone user's contact information with no need for a passcode.
A bad actor would need physical access to the phone that they are targeting and has a few options for viewing the victim's contact information. They would need to either call the phone from another iPhone or have the phone call itself. Once the call connects they would need to:
Select the Facetime icon
Select "Add Person"
Select the plus icon
Scroll through the contacts and use 3D touch on a name to view all contact information that's stored.
Making the phone call itself without entering a passcode can be accomplished by either telling Siri the phone number or, if they don't know the number, they can say "call my phone." We tested this with both the owner's voice and a stranger's voice; in both cases, Siri initiated the call.
bug  hack  ios12  iphone  privacy  security 
7 days ago by rgl7194
Chrome Update Targets 'Abusive' Ads Used on Some Pirate Sites - TorrentFreak
After being pushed towards fringe advertising networks, some pirate sites now display ads that many users would prefer not to encounter. Starting in December, however, a new version of Chrome will attempt to curtail certain "abusive experiences" on all sites, by preventing rogue redirects and misleading dialog boxes, while nuking video 'play' buttons that lead to unwanted downloads.
More than a decade ago, users visiting torrent and file-hosting platforms were often greeted with the same quality of ads present on many regular sites.
Leading companies and brands had few problems with their marketing appearing on major ‘pirate’ sites, with visitors to The Pirate Bay, for example, regularly viewing ads indirectly placed by huge corporations.
chrome  advertising  adblock  phishing  malware  security  privacy 
9 days ago by rgl7194
Chrome 71 will block any and all ads on sites with “abusive experiences” | Ars Technica
Fake error messages, phishing, and other annoyances will soon be heavily penalized.
Google is promising to punish sites that offer what the company calls "abusive experiences." Chrome 71, due for release in December, will blacklist sites that are repeat offenders and suppress all advertising on those sites.
The behaviors deemed abusive cover a range of user-hostile things, such as ads that masquerade as system error messages, ads with fake close boxes that actually activate an ad when clicked, phishing, and malware. In general, if an ad is particularly misleading, destructive, or intrusive, it runs the risk of being deemed abusive.
Chrome already takes some actions against certain undesirable website behaviors; it tries to block popups, it limits autoplay of video, and it blocks certain kinds of redirection. These measures have been insufficient to prevent misleading or dangerous ads, hence Google taking further steps to banish them from the Web.
chrome  advertising  adblock  phishing  malware  security  privacy 
9 days ago by rgl7194
How to Use 1Password's New Keyboard Fill Feature in iOS 12 – The Sweet Setup
iOS 12 has given the makers of password apps the ability to integrate with the operating system. If you’ve ever used the native password saving feature on iOS, you’ve probably seen the suggested username and password prompt show up above the keyboard. With the release of iOS 12 and the latest 1Password, you can have your passwords stored in your favorite password manager and the convenience all together!
In Settings, go to Passwords & Accounts → Autofill Passwords. You can enable 1Password (and any other password management applications), and even disable keychain if you like.
1password  ios12  autofill  keyboard  privacy  security 
9 days ago by rgl7194
How to set 1Password as your default AutoFill provider in iOS 12 | iMore
Prefer using 1Password for all of your password needs? Here's how to make it your default password Autofill provider.
When Apple released iOS 12 to the masses a few weeks ago, it brought about many cool new features to our iPhones and iPads. However, one of the best improvements involves password management, which we covered in-depth earlier.
But what if you prefer using 1Password as your default password manager? Or if not 1Password, something like LastPass or Dashlane? Don't worry, with iOS 12 Password Autofill, it is entirely possible to change the autofill provider to your preferred password manager of choice, as long as it supports Apple's new Password Manager API framework.
1password  ios12  autofill  keyboard  privacy  security 
9 days ago by rgl7194
1Password adds support for iOS 12 Password Autofill | iLounge News
Alongside iOS 12, AgileBits has released an update to [1Password] bringing support for the new Password Autofill feature in iOS 12. With 1Password 7.2 and iOS 12, users will now be able to access passwords stored in 1Password directly from the QuickType bar of the keyboard, allowing them to be quickly filled into websites and apps without having to make a trip into the actual 1Password app. This basically extends the autofill capability that Apple has long provided for its own iCloud Keychain to third-party apps, allowing users to keep all of their passwords in a single trusted app while still gaining the benefits of quick autofill in Safari and any other third-party iOS apps supporting autofill password entry. The update also improves a large number of performance enhancements that will make the app faster and more responsive, and, for users of 1Password’s own cloud service, will automatically remain up to date, even in the background.
1password  ios12  autofill  keyboard  privacy  security 
9 days ago by rgl7194
1Password 7.2 for iOS 12 debuts Password Autofill – The Sweet Setup
Some of Apple’s most widely loved features are the ones that pass by on a catch-all smorgasbord slide. Tim or Craig stand on stage talking about how amazing the latest iteration of iOS will be and the audience is left to frantically scan through the slide to see all the remaining under-the-hood feature debuts.
Password Autofill was one of those features. Craig didn’t mention anything about the ability to fill in passwords using third-party password managers, yet this could be one of the most widely used features in iOS 12.
Password Autofill was effectively built for 1Password.
1password  ios12  autofill  keyboard  privacy  security 
9 days ago by rgl7194
Random but Memorable: the security advice podcast from 1Password | 1Password
Last month, we launched Random but Memorable, a bi-monthly security advice podcast. Random but Memorable is named after your Master Password, but is also very appropriate for the show. The “memorable” part mainly comes from my co-host Michael Fey (Roo) not reading the show notes until we start recording, and the “random” part is a direct result of this.
A new episode launches every two weeks to discuss what’s new in 1Password and the wider world of security.
If you’d like us to answer your question on the show, tweet us @1Password using the hashtag #ask1Password.
Subscribe in Overcast, Pocket Casts, or iTunes and please rate and review us on iTunes!
1password  passwords  podcast  privacy  security 
9 days ago by rgl7194
AgileBits 1Password 7.2 | iLounge + Mac
With macOS Mojave hitting the streets late last month, AgileBits has jumped over to the dark side with 1Password 7.2. The new version looks particularly classy in Mojave’s new Dark Mode, with fonts and colourful icons that stand out nicely against the dark background, but it’s also got some additional Mojave support under the hood, including a built-in Safari extension that provides greater security while also saving users the trouble of having to install it as a separate component.
What this means is that users get more protections against exploits like “man-in-the-middle” attacks, since the browser extension is now more closely tied to the main 1Password app, which is now also “fully notarized” by Apple, which means it’s certified as being free of malware, and also now runs within Mojave’s new hardened security mode that ensures it can’t be manipulated or modified by other apps or processes running on your Mac — an important consideration for an app that you should be able to trust with all of your most important and secure passwords. While the new security model in Mojave does mean that 1Password will no longer be able to autosubmit login information — essentially pressing the “Return” key for you after filling passwords in Safari — the 1Password developers agree with Apple that it’s the right call both for security and for improving the user experience overall. As with prior versions, 1Password 7.2 is available as a free download to everybody with a 1Password membership or those who own a standalone 1Password 7 license, and can be downloaded directly from AgileBits or via the Mac App Store.
1password  mac  passwords  plugins  privacy  safari  security 
9 days ago by rgl7194
1Password 7.2 for macOS Mojave Debuts Built-in Safari Support, Dark Mode, Security Improvements, and More – The Sweet Setup
Built-in 1Password Safari Extension
In the past, should you want to insert a password directly into Safari from 1Password, you would have to install the 1Password extension in Safari. As of 1Password 7.2, that’s no longer a requirement. 1Password 7.2 ships with support for the latest Safari web browser and the 1Password extension is built right in.
I’m excited to see if this is a preferable method to 1Password’s X Chrome browser extension, which effectively puts 1Password into any login field imaginable. Time will tell which method is preferable.
1password  mac  passwords  plugins  privacy  safari  security 
9 days ago by rgl7194
1Password 7.2 for Mac: Welcome to the dark side | 1Password
Safari support, baked right in
1Password has had the ability to work within Safari for years, making it super easy to fill your usernames and passwords directly into websites. With 1Password 7.2 we’ve built the Safari extension right into the app, meaning you’ll never have to install a separate browser extension again!
The new Safari 1Password extension also brings with it loads of security improvements. By using the new Safari App Extension feature provided by Apple, 1Password has even more protections against man-in-the-middle attacks and other exploits of that nature.
mac  safari  1password  passwords  security  privacy  plugins 
9 days ago by rgl7194
Steal This Show S04E08: ‘Click Here To Kill Everybody’ - TorrentFreak
Today we bring you the next episode of the Steal This Show podcast, discussing renegade media and the latest decentralization and file-sharing news. In this episode, we talk with computer security & cryptography legend Bruce Schneier about the dangers of the massive proliferation of computing devices.
Embedded in an increasing number of the devices and objects surrounding us today, computers are turning the everyday world into a radically programmable attack surface.
This is the subject of computer security & cryptography legend Bruce Schneier‘s latest book, Click Here To Kill Everybody.
privacy  security  books  podcast 
11 days ago by rgl7194
Proposed data privacy law could send company execs to prison for 20 years | Ars Technica
Privacy law would let consumers opt out of data sharing.
A US senator has proposed a privacy law that could issue steep fines to companies and send their top executives to prison for up to 20 years if they violate Americans' privacy.
Sen. Ron Wyden, D-Ore. announced a discussion draft of his Consumer Data Protection Act yesterday. The bill would establish new privacy rules that major companies must follow and establish fines and prison sentences big enough to make even the largest companies take notice.
Consumers would have the right to opt out of systems that share their data with third parties. Companies that don't follow the proposed law could be fined up to 4 percent of annual revenue on their first offense. The FTC currently is unable to fine first-time corporate offenders, and "fines for subsequent violations of the law are tiny, and not a credible deterrent," Wyden's bill summary says.
data  privacy  business  legal  gov2.0  congress 
13 days ago by rgl7194
Roger Stone Sold Himself to Trump’s Campaign as a WikiLeaks Pipeline. Was He? - The New York Times
WASHINGTON — When the WikiLeaks founder, Julian Assange, appeared on a video link from Europe a month before the 2016 presidential election and vaguely promised to release a flood of purloined documents related to the race, the head of Donald J. Trump’s campaign, Stephen K. Bannon, was interested.
He emailed the political operative Roger J. Stone Jr., who had been trying to reach him for days about what Mr. Assange might have in store. “What was that this morning???” Mr. Bannon asked on Oct. 4.
“A load every week going forward,” Mr. Stone replied, echoing Mr. Assange’s public vow to publish documents on a weekly basis until the Nov. 8 election.
The email exchange, not previously reported, underscores how Mr. Stone presented himself to Trump campaign officials: as a conduit of inside information from WikiLeaks, Russia’s chosen repository for documents hacked from Democratic computers.
gov2.0  leak  politics  privacy  russia  security  spying  wikileaks  trump 
14 days ago by rgl7194
Method to View Contact Info on a Locked iOS 12.1 Device Disclosed
The day after iOS 12.1 was released, a researcher disclosed a new passcode bypass method that allows you to easily view the phone numbers and email addresses of a device's contacts even when the device is locked.
When an iOS device is locked, you are not supposed to be able to access the device's contact list without first unlocking the phone. Unfortunately, a researcher has discovered a ridiculously easy way to bypass this security policy in order to access a user's contacts.
bug  hack  ios12  iphone  privacy  security 
15 days ago by rgl7194
New iPhone Passcode Bypass Found Hours After Apple Releases iOS 12.1
It's only been a few hours since Apple released iOS 12.1 and an iPhone enthusiast has managed to find a passcode bypass hack, once again, that could allow anyone to see all contacts' private information on a locked iPhone.
Jose Rodriguez, a Spanish security researcher, contacted The Hacker News and confirmed that he discovered an iPhone passcode bypass bug in the latest version of its iOS mobile operating system, iOS 12.1, released by Apple today.
bug  hack  ios12  iphone  privacy  security 
15 days ago by rgl7194
Around the Watercooler: Bloomberg “Big Hack” Edition
What do a former NSA hacker, a former defense contractor, and an expert in microcontroller hardware all have in common?
They now all work here at Cylance, and they are among a number of security experts we asked to weigh in on the still-unfolding, bombshell news article first reported by Bloomberg in early October.
For the unaware, Bloomberg’s cover story, The Big Hack, alleged the existence of a Chinese government espionage operation which sought to compromise the supply chain of a motherboard manufacturer called Supermicro by inserting microchips into them that would allow them to spy on American technology giants, including Apple and Amazon.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
20 days ago by rgl7194
How to Secure Your WiFi Network | The Mac Security Blog
Whether at home or at work, your wifi network is the gateway to the internet. While it lets your devices reach out into the world, it can also let hackers get into your network, potentially compromising your devices. As such, the security of your wifi network is essential. In this article, I'm going to explain how you can secure your wifi network.
WiFi Is an Easy Target
Wifi networks are an easy target because they are often insecure, or at least not as secure as they could be. In a recent episode of the Intego Mac Podcast, we discussed how some Russian hackers were caught in the Netherlands trying to hack into the wifi network of the Organization for the Prevention of Chemical Weapons. This organization's network was well hardened, and the hackers thought that they might find a weakness in their wifi rather than trying to get at them directly over the internet. Instead of attacking remotely, they parked near the building and tried to get in that way.
The wifi network in question was secure, but that's not the case for all networks. Your home network or the one at your office probably uses a basic router with simple settings designed to make things easy for users. It's important to take some actions to make your router more secure.
wi-fi  networking  router  security  privacy  passwords 
20 days ago by rgl7194
Steal This Show S04E07: ‘Bangladesh Bank Heist, Part 1’ - TorrentFreak
Today we bring you the first part of our special Steal This Show podcast series "Advanced Persistent Threat," which takes a closer look at the 2016 Bangladesh Bank Heist. Cheryl Biswas, Strategic Threat Intel Analyst in Cyber Security at a Big Four consulting firm, provides some key insights.
Had it succeeded, the Bangladesh Bank Heist would easily have been the biggest bank robbery in history.
It was carried out almost entirely in the digital realm, using a variety of exploits and malware, in order to leverage access to the SWIFT banking network and the US Federal Reserve.
In Part One, we look at exactly what happened in the Bangladesh heist, and walk through how it was carried out. To help us through the complex story, we hear from Cheryl Biswas, Strategic Threat Intel Analyst in Cyber Security at a Big Four consulting firm.
After covering the how of the robbery, we consider whether trusted systems like SWIFT can remain secure in an information environment replete with radically heterogeneous, eminently hackable device
Cheryl Biswas wishes to make clear that she speaks here on her own behalf. Her views do not represent those of her employer.
podcast  banking  hack  security  privacy  asia  cybercrime  malware 
22 days ago by rgl7194
1Password 7.2 Brings Autofill for Apps — MacSparky
It’s easy to be cynical these days. So at WWDC when Apple announced app autofill, an API that will fill in usernames and passwords in applications the same way it does in websites, I naturally assumed this would be a feature for Apple’s own password service only and this would be a not-so-subtle nudge to third-party password managers. Then, just minutes later, Apple explained they are making this also available to third-party password managers. My heart grew two sizes larger.
1password  autofill  ios12  keyboard  privacy  security 
23 days ago by rgl7194
1Password Extends into the iOS QuickType Keyboard with Password AutoFill – MacStories
This year's WWDC must have been a wild roller coaster ride for 1Password's developers, Agile Bits. Anxieties were surely at a high as Apple shared news of iCloud Keychain's expanded capabilities in iOS 12 – the system now offers seamless new password creation, security code AutoFill, and more. Those segments seemed to signal Apple's intent to make third-party apps like 1Password unnecessary for most users. Yet not long after Apple's Keychain announcements, a new API was discovered that told an entirely different story. As I wrote in my iOS 12 overview earlier this summer:
One advantage Apple's own iCloud Keychain has had over third-party password managers like 1Password is that it can populate relevant account info inside the QuickType keyboard. That level of convenience is hard to beat, no matter how much more full-featured third-party apps may be. Fortunately, in iOS 12 a new Password Manager API will enable the same type of feature to be adopted by third parties.
The team at Agile Bits wasted no time getting to work implementing this Password Manager API, and it's launching today in 1Password alongside iOS 12.
1password  ios12  autofill  keyboard  privacy  security 
23 days ago by rgl7194
Two new supply-chain attacks come to light in less than a week | Ars Technica
As drive-by attacks get harder, hackers exploit the trust we have in software providers.
Most of us don’t think twice about installing software or updates from a trusted developer. We scrutinize the source site carefully to make sure it’s legitimate, and then we let the code run on our computers without much more thought. As developers continue to make software and webpages harder to hack, blackhats over the past few years have increasingly exploited this trust to spread malicious wares. Over the past week, two such supply-chain attacks have come to light.
The first involves VestaCP, a control-panel interface that system administrators use to manage servers. This Internet scan performed by Censys shows that there are more than 132,000 unexpired TLS certificates protecting VestaCP users at the moment. According to a post published last Thursday by security firm Eset, unknown attackers compromised VestaCP servers and used their access to make a malicious change to an installer that was available for download.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
23 days ago by rgl7194
Another Bloomberg Story about Supply-Chain Hardware Attacks from China - Schneier on Security
Bloomberg has another story about hardware surveillance implants in equipment made in China. This implant is different from the one Bloomberg reported on last week. That story has been denied by pretty much everyone else, but Bloomberg is sticking by its story and its sources. (I linked to other commentary and analysis here.)
Again, I have no idea what's true. The story is plausible. The denials are about what you'd expect. My lone hesitation to believing this is not seeing a photo of the hardware implant. If these things were in servers all over the US, you'd think someone would have come up with a photograph by now.
EDITED TO ADD (10/12): Three more links worth reading.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
24 days ago by rgl7194
TaoSecurity: Network Security Monitoring vs Supply Chain Backdoors
On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.” From the article:
Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.
Companies mentioned in the story deny the details, so this post does not debate the merit of the Bloomberg reporters’ claims. Rather, I prefer to discuss how a computer incident response team (CIRT) and a chief information security officer (CISO) should handle such a possibility. What should be done when hardware-level attacks enabling remote access via the network are possible?
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
24 days ago by rgl7194
More commentary on China, Apple, and supply-chain hacking | Mac Virus
Following up the previous story Supply chain hacking: bull in a China shop? [updated]…
[Additional: Motherboard – The Cybersecurity World Is Debating WTF Is Going on With Bloomberg’s Chinese Microchip Stories]
Paul Ducklin for Sophos: Apple and Amazon hacked by China? Here’s what to do (even if it’s not true) – more useful than most of the commentary I’ve seen!
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
24 days ago by rgl7194
Government Perspective on Supply Chain Security - Schneier on Security
This is an interesting interview with a former NSA employee about supply chain security. I consider this to be an insurmountable problem right now.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
24 days ago by rgl7194
Bloomberg blunder highlights supply chain risks - Malwarebytes Labs | Malwarebytes Labs
Ooh boy! Talk about a back-and-forth, he said, she said story!
No, we’re not talking about that Supreme Court nomination. Rather, we’re talking about Supermicro. Supermicro manufactures the type of computer hardware that is used by technology behemoths like Amazon and Apple, as well as government operations such as the Department of Defense and CIA facilities. And it was recently reported by Bloomberg that Chinese spies were able to infiltrate nearly 30 US companies by compromising Supermicro—and therefore our country’s technology supply chain.
If you’ve been trying to follow the story, it may feel a bit like this...
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
24 days ago by rgl7194
Daring Fireball: 'Your Move, Bloomberg'
Washington Post media critic Erik Wemple:
Sources tell the Erik Wemple Blog that the New York Times, the Wall Street Journal and The Post have each sunk resources into confirming the story, only to come up empty-handed. […]
The best journalism lends itself to reverse engineering. Though no news organization may ever match the recent New York Times investigation of Trump family finances, for instance, the newspaper published documents, cited sources and described entities with a public footprint. “Fear,” the recent book on the dysfunction of the Trump White House, starts with the story of a top official removing a trade document from the president’s desk, an account supported by an image of the purloined paper.
Bloomberg, on the other hand, gives readers virtually no road map for reproducing its scoop, which helps to explain why competitors have whiffed in their efforts to corroborate it. The relentlessness of the denials and doubts from companies and government officials obligate Bloomberg to add the sort of proof that will make believers of its skeptics. Assign more reporters to the story, re-interview sources, ask for photos and emails. Should it fail in this effort, it’ll need to retract the entire thing.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain  daring_fireball 
24 days ago by rgl7194
Should Bloomberg retract? | Mac Virus
John Gruber cites Amazon Web Services CEO Andy Jassy’s tweet while considering Bloomberg’s decreasingly convincing insistence on the Apple/Amazon/etc. supply chain story: AWS CEO ANDY JASSY: ‘BLOOMBERG SHOULD RETRACT’
I have to agree: Bloomberg’s position is not looking very tenable.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
24 days ago by rgl7194
Daring Fireball: AWS CEO Andy Jassy: 'Bloomberg Should Retract'
Amazon Web Services CEO Andy Jassy on Twitter:
@tim_cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract.
If you want a taste of Bloomberg’s attitude toward Apple’s and Amazon’s protestations, check out this video from Bloomberg TV from the day after the story was originally published. Jordan Robertson, co-author of the story, says this:
In addition, there is no consumer data that is alleged to have been stolen. This attack was about long term access to sensitive networks. So by that logic, companies are not required to disclose this information, so there’s no advantage for these companies in confirming this reporting.
This shows their dismissive attitude toward Amazon’s and Apple’s strenuous, unambiguous denials. Rather than give them pause, they blew it off.
I would argue that Amazon and Apple have a tremendous amount to lose — their credibility. If they wanted to hide something, whether for publicity or national security reasons (or both), the way to do it without risking their credibility is not to comment at all. Both Amazon and Apple have instead vigorously denied the veracity of this story.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain  daring_fireball 
24 days ago by rgl7194
Apple CEO Tim Cook calls on Bloomberg to retract its Chinese spy story | Ars Technica
"We were very clear with them that this did not happen," Cook tells BuzzFeed.
Apple CEO Tim Cook is calling on Bloomberg Business to retract a story that said his company was the victim of a hardware-based attack carried out by the Chinese government. It's the first time Apple has ever publicly demanded a retraction, according to BuzzFeed.
Since Bloomberg published the exclusive article 15 days ago, a gaggle of companies, well-placed government officials, and security researchers have publicly challenged its accuracy. Apple and Amazon have said they have no knowledge of ever finding or removing servers that contained the kind of spy chips Bloomberg alleged were found in the companies’ networks. Supermicro has also denied knowing anything about malicious chips being secretly implanted into any of its motherboards during the manufacturing process, as Bloomberg reported.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain  tim_cook 
27 days ago by rgl7194
Apple CEO Tim Cook Is Calling For Bloomberg To Retract Its Chinese Spy Chip Story
"I feel they should retract their story. There is no truth in their story about Apple. They need to do that right thing."
Apple CEO Tim Cook, in an interview with BuzzFeed News, went on the record for the first time to deny allegations that his company was the victim of a hardware-based attack carried out by the Chinese government. And, in an unprecedented move for the company, he called for a retraction of the story that made this claim.
Earlier this month Bloomberg Businessweek published an investigation alleging Chinese spies had compromised some 30 US companies by implanting malicious chips into Silicon Valley–bound servers during their manufacture in China. The chips, Bloomberg reported, allowed the attackers to create “a stealth doorway” into any network running on a server in which they were embedded. Apple was alleged to be among the companies attacked, and a focal point of the story. According to Bloomberg, the company discovered some sabotaged hardware in 2015, promptly cut ties with the vendor, Supermicro, that supplied it, and reported the incident to the FBI.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain  tim_cook 
27 days ago by rgl7194
Daring Fireball: Apple CEO Tim Cook Is Calling for Bloomberg to Retract Its Chinese Spy Chip Story
John Paczkowski and Joseph Bernstein, reporting for BuzzFeed News...
I’m calling it now. Bloomberg is fucked on this story. The longer they drag this out before a full retraction, the more damage they’re taking to their long-term credibility. Read their statement closely — they’re not saying their story is true or that Apple and Tim Cook are wrong. All they say is they spent a year on the story and spoke to 17 sources multiple times.
And the bottom half of BuzzFeed’s story is even more damning than the top — no one in the security community has been able to verify anything in Bloomberg’s story. Anything at all. And no other news publication has backed the story. Bloomberg is all alone on this.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain  daring_fireball  tim_cook 
27 days ago by rgl7194
FBI security expert: Apple are “jerks” about unlocking encrypted phones | Ars Technica
"Apple is pretty good at evil genius stuff," FBI official laments at conference.
Federal Bureau of Investigation officials are continuing to voice their displeasure with Apple's approach to iPhone security, with one FBI official reportedly calling the company "jerks" and an "evil genius" this week.
Apple has repeatedly made it more difficult to access data on encrypted iPhones, making Apple customers safer from hackers but also preventing the FBI from breaking into phones used by suspected criminals.
"At what point is it just trying to one-up things and at what point is it to thwart law enforcement?" FBI forensic expert Stephen Flatley said yesterday while speaking at the International Conference on Cyber Security in Manhattan, according to a report by Motherboard. "Apple is pretty good at evil genius stuff."
apple  privacy  security  encryption  gov2.0  politics  FBI  iphone 
28 days ago by rgl7194
FBI expert calls Apple "jerks" over encryption - Six Colors
Ars Technica’s Jon Brodkin:
“At what point is it just trying to one-up things and at what point is it to thwart law enforcement?” FBI forensic expert Stephen Flatley said yesterday while speaking at the International Conference on Cyber Security in Manhattan, according to a report by Motherboard. “Apple is pretty good at evil genius stuff.”
Flatley also used the word “jerks” to describe Apple and its approach to iPhone security, according to Motherboard.
I guess it’s like the old saying goes: one person’s “evil genius” is another’s “champion of personal privacy.”
apple  privacy  security  encryption  gov2.0  politics  FBI  iphone 
28 days ago by rgl7194
Let’s Encrypt takes free “wildcard” certificates live | Ars Technica
In a victory for securing the Web, anybody can now get a certificate valid for every site in a domain.
In July of 2017, the nonprofit certificate authority Let's Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free "wildcard" certificates to enable secure HTTP connections for entire domains. Today, Let's Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.
ACME version 2 "has gone through the IETF standards process," said Josh Aas, executive director of the Internet Security Research Group (ISRG), the group behind Let's Encrypt, in a blog post on the release. ACME v2 is currently a draft Internet Engineering Task Force standard, so it may not yet be in its final form. But the current version is the result of significant feedback from the industry. And its use is required to obtain wildcard certificates.
security  privacy  encryption  HTTP/S  free  internet 
28 days ago by rgl7194
Equifax breach exposed millions of driver’s licenses, phone numbers, emails | Ars Technica
17.6 million driver's license numbers, thousands of ID images stolen in breach.
On May 7, executives of Equifax submitted a "statement for the record" to the Securities and Exchange Commission detailing the extent of the consumer data breach the company first reported on September 7, 2017. The data in the statement, which has also been shared with congressional committees investigating the breach, reveals to a fuller extent how much personal data was exposed in the breach. Millions of driver's license numbers, phone numbers, and email addresses were also exposed in connection with names, dates of birth, and Social Security numbers—offering a gold mine of data for identity thieves and fraudsters.
Equifax had already reported that the names, Social Security numbers, and dates of birth of 143 million US consumers had been exposed, along with driver's license numbers "in some instances," in addition to the credit card numbers of 209,000 individuals. The company's management had also reported "certain dispute documents" submitted by about 182,000 consumers contesting credit reports had been exposed as well, in addition to some information about British and Canadian consumers.
breach  credit_report  data  equifax  identity_theft  privacy  security 
28 days ago by rgl7194
Apple's New Data & Privacy Portal Lets You Download Your Data
Apple has released a new data & privacy portal that can be used to download data that is linked to your Apple ID. This data can include transaction history, Apple app history, AppleCare history, marketing data, and more.
To access the portal, you need to go to the portal and log in with the Apple ID associated with your account.
Once you are logged in, you will be presented with the "Get a copy of your data", "Correct your data", "Deactivate your account", "Delete your account" choices.
For the most part, the choices are self-explanatory and in this article we will focus mostly on using the portal to download your Apple data. It should be noted, though, that the "Correct your data" option simply brings you to a page containing links to the Apple ID and Apple Store account pages.
To download your data, click on the "Get a copy of your data" option and you will be presented with a page displaying the type of information that can be downloaded.
The data that can be downloaded using this portal includes:
App Store, iTunes Store, iBooks Store, Apple Music activity
Apple ID account and device information
Apple Online and Retail Stores activity
AppleCare support history, repair requests, and more
Game Center activity
iCloud Bookmarks and reading list
iCloud Calendars and Reminders
iCloud Contacts
iCloud Notes
Maps Report an Issue
Marketing subscriptions, downloads, and other activity
Other data
iCloud Drive files and documents
iCloud Mail
iCloud Photos
When downloading your data, it will be delivered in various formats. For textual data, it will be delivered as a spreadsheet or in JSON, CSV, XML, or PDF files. For binary files, it will be delivered in their original format. For example, images will be sent as image files and files stored in iCloud will be delivered in their native format.
Apple states that adding iCloud Drive files and documents, iCloud Mail, and iCloud Photos will increase the size and time required to collect your data.
Once you have selected all of the items you wish to download, Apple will compile it into a downloadable archive. According to Apple this process can take up to 7 days to complete.
"As a reminder, this process can take up to seven days. To ensure the security of your data, we use this time to verify that the request was made by you."
While the archive is being created, you can check on its status by visiting
apple  data  GDPR  privacy  download 
28 days ago by rgl7194
Macintosh Security: Apple's New Privacy Pages: Your Reading Assignment!
In this day and age, when the western world is being increasingly China-fied and Russia-fied, IOW devolving into totalitarian surveillance states, it's wonderful to watch Apple resist and insist upon user privacy. Good on 'em!
It used to be that Apple merely provided semi-annual transparency reports, annual white papers on Apple gear security and some diffuse documents about securing, hardening our Apple devices. Now, everything has been gathered into one area on their website for easy access along with elaborations no doubt inspired by EU's GDPR, General Data Protection Regulations.
Where to start:
Privacy - Apple
Our Approach to Privacy
Manage Your Privacy
Transparency Report
Our Privacy Policy
apple  data  privacy  GDPR 
28 days ago by rgl7194
Apple’s full Data & Privacy Portal now available in U.S., Canada, Australia, and New Zealand | iLounge News
Apple’s full Data and Privacy Portal is now available in the U.S., Canada, Australia, and New Zealand, MacRumors has discovered. While the data download option is being gradually rolled out, soon all Apple users in those countries will be able to download a complete copy of the data that Apple has associated with their Apple ID, including not only the standard information such as calendars, reminders, photos, and iCloud documents, but also purchase history, Game Center activity, AppleCare support history, app usage history, and more. The expanded version of the Data and Privacy Portal, which previously only allowed users to correct their data or delete their account, launched earlier this year in the European Union in order to comply with Europe’s General Data Protection Regulation (GDPR), although Apple said at the time that it would eventually be rolling out the feature worldwide. While Apple has allowed customers to manually request this data for some time, the new portal streamlines the process considerably.
apple  data  privacy  GDPR 
28 days ago by rgl7194
How to use Apple's data and privacy portal | iMore
Apple has launched a new Data and Privacy portal that lets you request changes to the data you've shared with the company. It also lets you delete your Apple ID and associated data. Here's how to use it!
With GDPR underway, you've probably already received a number of emails alerting you to privacy policy updates, new terms and conditions, and GDPR compliance from many of the sites and services you use online. Apple has joined the party with the launch of its new Data and Privacy portal. You can use the site to correct any erroneous personal information stored by Apple and delete your Apple ID along with its associated data.
How to use Apple's data and privacy portal
How to correct your data using Apple's data and privacy portal
How to delete your account using Apple's data and privacy portal
How to request a copy of your data using Apple's data and privacy portal
You can learn more about how Apple protects your data and your privacy here:
apple  data  privacy  GDPR 
28 days ago by rgl7194
Apple's updated privacy site and why it matters | iMore
Apple has expanded its privacy website, diving deeper and detailing even more broadly how the company's relentless belief in privacy and security defines every one of its products and services.
Tim Cook will be delivering the keynote speech at this year's International Conference of Data Protection and Privacy Commissioners, on Wednesday 24 October 2018. It's significant because Apple, as a matter of company policy, believes privacy is a fundamental human right. From Tim Cook at the very top to engineers on the front line, this belief permeates Apple and drives the company's product development process every bit as much as the technology itself. As much as Apple is designing for experience and for accessibility, the company is also designing for security and privacy.
Apple's belief in privacy is made manifest again today with the launch of an updated version of
apple  data  privacy  GDPR 
28 days ago by rgl7194
How To Check If Your Twitter Account Has Been Hacked
Did you ever wonder if your Twitter account has been hacked and who had managed to gain access and when it happened?
Twitter now lets you know this.
After Google and Facebook, Twitter now lets you see all the devices—laptop, phone, tablet, and otherwise—logged into your Twitter account.
Twitter has recently rolled out a new security feature for its users, dubbed Apps and Sessions, allowing you to know which apps and devices are accessing your Twitter account, along with the location of those devices.
twitter  privacy  security  hack 
4 weeks ago by rgl7194
Apple, Amazon server spy story is wake-up call to security pros (u) | Computerworld
I'm not convinced at the 'spy-chip' claims, but the tale helps illustrate the complex security challenges enterprises face.
Apple and Amazon have strenuously denied Bloomberg’s claims of a sophisticated hardware exploit against servers belonging to them and numerous other entities, including U.S. law enforcement
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
4 weeks ago by rgl7194
Apple to Congress: Chinese spy-chip story is “simply wrong” | Ars Technica
"Our internal investigations directly contradict every consequential assertion."
Apple isn't relenting in its attacks on last week's Bloomberg story claiming that tiny Chinese chips had compromised the security of Apple and Amazon data centers. In a Monday letter to Congress, Apple wrote that the claims in the Bloomberg story were "simply wrong."
Bloomberg's story, published last Thursday, claimed that the Chinese government had secretly added spy chips to the motherboards of servers sold by Supermicro. According to Bloomberg, these servers wound up in the data centers of almost 30 companies, including Apple and Amazon. But the three companies featured in the story—Apple, Amazon, and Supermicro—have all issued broad and strongly worded denials.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
4 weeks ago by rgl7194
Is two-factor authentication (2FA) as secure as it seems? - Malwarebytes Labs | Malwarebytes Labs
Two-factor authentication (2FA) was invented to add an extra layer of security to the—now considered old-fashioned and insecure—simple login procedure of entering a username and password.
One of the most well-known examples of 2FA is when you try to log into a familiar website from a different machine or from a different location, which results in a different IP. With 2FA-enabled login procedures, you will first enter your username and password on the computer and then receive a text message to your phone providing you with a verification code. You must enter that verification code on the computer to complete the login procedure.
security  privacy  2FA 
4 weeks ago by rgl7194
Why OPSEC Is for Everyone, Not Just for People with Something to Hide
Originally posted by CyberSecStu on, reposted here with permission from him
OPSEC (Operational Security) is a term derived from the U.S. military and is an analytical process used to deny an adversary information that could compromise the secrecy and/or the operational security of a mission. The very process of performing OPSEC or protecting yourself from an adversary not only plays a very important role in both offensive and defensive security strategies but also in everyday life.
Examples of OPSEC that pertain to this article include protecting the real identity of someone who has chosen to create a pseudonym that black hat and white hat hackers most commonly will undertake online. The process of ensuring that critical information, such as IP addresses, language used, writing styles, email accounts, personal traits etc. cannot be used to unmask their real identity is a constant process.
privacy  security  anonymity  data  sharing  social_media 
4 weeks ago by rgl7194
Facebook Is Giving Advertisers Access to Your Shadow Contact Information
Last week, I ran an ad on Facebook that was targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn’t work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove’s office, a number Mislove has never provided to Facebook. He saw the ad within hours.
facebook  advertising  privacy  security  data 
4 weeks ago by rgl7194
Facebook October 2018 security breach: Everything you need to know | iMore
Around 30 million people had their information compromised.
Earlier this year, Facebook came under fire for sharing heaps of data for over 87 million users with Cambridge Analytica. As if the company wasn't already having a tough time regaining the trust of its user base, Facebook's now announced that information for around 30 million people was exposed during an attack it shut down in September.
Here's everything you need to know.
The latest news
October 13, 2018: Find out if you've been affected by the October 2018 Facebook security breach
Facebook now has a dedicated page on its site to allow you to see whether your account was one of the 30 million affected by its most recent security breach.
Click here to see if your Facebook account was affected
The page offers information about what happened and the current status of the investigation. At the bottom of the page, you'll see a special box with "Is my Facebook account impacted by this security issue?"
If you are signed in to Facebook, you'll see the status of your account and whether it was affected by the breach. If you don't see the box, sign in to your Facebook account and go back to the page.
Whether you've been affected by the most recent Facebook security breach or not, it's important to lock down your account in the most secure way possible, even at the expense of convenience.
Despite Facebook's irresponsible recommendation that "There's no need for anyone to change their passwords...," you should change your password regularly using a unique complex password.
breach  data  facebook  privacy  security 
4 weeks ago by rgl7194
30 Million Facebook Accounts Were Hacked: Check If You're One of Them
Late last month Facebook announced its worst-ever security breach that allowed an unknown group of hackers to steal secret access tokens for millions of accounts by taking advantage of a flaw in the 'View As' feature.
At the time of the initial disclosure, Facebook estimated that the number of users affected by the breach could have been around 50 million, though a new update published today by the social media giant downgraded this number to 30 million.
breach  data  facebook  privacy  security 
4 weeks ago by rgl7194
An important update about Facebook's recent security incident | Facebook Help Center
Is my Facebook account impacted by this security issue?
Based on what we've learned so far, your Facebook account has not been impacted by this security incident. If we find more Facebook accounts were impacted, we will reset their access tokens and notify those accounts.
breach  data  facebook  privacy  security 
4 weeks ago by rgl7194
Here’s how to see if you’re among the 30 million compromised Facebook users | Ars Technica
The bad news: Private data was stolen. The good: Fewer accounts were affected.
The attackers who carried out the mass hack that Facebook disclosed two weeks ago obtained user account data belonging to as many as 30 million users, the social network said on Friday. Some of that data—including phone numbers, email addresses, birth dates, searches, location check-ins, and the types of devices used to access the site—came from private accounts or was supposed to be restricted only to friends.
The revelation is the latest black eye for Facebook as it tries to recover from the scandal that came to light earlier this year in which Cambridge Analytica funneled highly personal details of more than 80 million users to an organization supporting then-presidential candidate Donald Trump. When Facebook disclosed the latest breach two weeks ago, CEO Mark Zuckerberg said he didn’t know if it allowed attackers to steal users’ private data. Friday’s update made clear that it did, although the 30 million people affected was less than the 50 million estimate previously given. Readers can check this link to see what, if any, data was obtained by the attackers.
breach  data  facebook  privacy  security 
4 weeks ago by rgl7194
Facebook States 30 Million People Affected by Last Month's "View As" Bug
Remember that bug Facebook revealed two weeks ago that may have affected 50 million users if not more? Well, Facebook has stated that 30 million of those users had their access tokens stolen by attackers, according to a new update posted by Facebook today.
This bug was part of Facebook’s “View As” tool, which allows you to view your profile as it would appear to someone else on Facebook. Attackers chained 3 vulnerabilities together to exploit a bug in this feature and steal a user's, and their friends', access tokens. These access tokens could then be used to log in to the associated account and provide full access to everything on it.
breach  data  facebook  privacy  security 
4 weeks ago by rgl7194
Supply Chain Security 101: An Expert’s View — Krebs on Security
Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.
Tony Sager, senior vice president and chief evangelist at the Center for Internet Security.
The event Sager and I spoke at was prior to the publication of Bloomberg Businessweek‘s controversial story alleging that Supermicro had duped almost 30 companies into buying backdoored hardware. Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.
Below are some excerpts from our conversation. I learned quite a bit, and I hope you will, too.
apple  hack  security  privacy  chip  china  supply_chain  server  amazon  krebs  interview  101 
4 weeks ago by rgl7194
Another Bloomberg report, another supply-chain issue | Mac Virus
In a story from 9th October, Bloomberg tells us of New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom.
“A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.”
The tampering described differs from that in Bloomberg’s previous report. This one describes an ‘implant’ in a server’s Ethernet connector. The communications company has not been named, but the report is based on information from Yossi Appleboum, described as “co-chief executive officer of Sepio Systems”, who suggests that this approach to snooping has been seen in other equipment supplied by China, while Bloomberg compares it to manipulations used by the NSA.
Commentary from The Verge: Tampered Chinese Ethernet port used to hack ‘major US telecom,’ says Bloomberg report.
Whatever the truth is of this story, it seems to go far beyond Apple, so also published on the AVIEN blog.
amazon  apple  china  chip  daring_fireball  hack  privacy  security  server  supply_chain 
4 weeks ago by rgl7194
Daring Fireball: Named Source in ‘The Big Hack’ Has Doubts About the Story
Hardware security researcher Joe Fitzpatrick was one of the very few named sources in Bloomberg’s blockbuster “The Big Hack” story. He provided only background information on the potential of hardware exploits in general — he claimed no knowledge of this specific case. On Patrick Gray’s Risky Business (great name) podcast, he expresses serious unease with the story Bloomberg published. The whole episode is worth a listen, but here’s partial transcript...
I’m going to go with “something else is going on”.
amazon  apple  china  chip  daring_fireball  hack  privacy  security  server  supply_chain 
4 weeks ago by rgl7194
Apple tells Congress it found no signs of hacking attack | Reuters
SAN FRANCISCO (Reuters) - Apple Inc’s (AAPL.O) top security officer told Congress on Sunday that it had found no sign of suspicious transmissions or other evidence that it had been penetrated in a sophisticated attack on its supply chain.
Apple Vice President for Information Security George Stathakopoulos wrote in a letter to the Senate and House commerce committees that the company had repeatedly investigated and found no evidence for the main points in a Bloomberg Businessweek article published on Thursday, including that chips inside servers sold to Apple by Super Micro Computer Inc (SMCI.PK) allowed for backdoor transmissions to China.
amazon  apple  china  chip  daring_fireball  hack  privacy  security  server  supply_chain  gov2.0  congress 
4 weeks ago by rgl7194
Daring Fireball: Statement From DHS Press Secretary on Recent Media Reports of Potential Supply Chain Compromise
Official statement from DHS:
The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely. Just this month — National Cybersecurity Awareness Month — we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts.
For me, having the current U.S. government weighing in publicly on this issue does not fill me with any sense of confidence or reassurance on either side of this story.
But, still: Bloomberg’s Big Hack story should eventually be fully-corroborated, if true. According to their report, there are thousands of compromised servers out there. If there are, security experts will eventually identify these rogue chips and document them.
And whatever you think of a statement from DHS, from what I’ve heard, this is only beginning. Apple is not letting this go.
amazon  apple  china  chip  daring_fireball  hack  privacy  security  server  supply_chain  gov2.0  press_release 
4 weeks ago by rgl7194
Daring Fireball: Senator Ron Wyden: U.S. Senate, Staff Targeted by State-Backed Hackers
Frank Bajak and Raphael Satter
Sen. Ron Wyden, an Oregon Democrat, said in a Wednesday letter to Senate leaders that his office discovered that “at least one major technology company” has warned an unspecified number of senators and aides that their personal email accounts were “targeted by foreign government hackers.” Similar methods were employed by Russian military agents who leaked the contents of private email inboxes to influence the 2016 elections.
Wyden did not specify the timing of the notifications, but a Senate staffer said they occurred “in the last few weeks or months.” The aide spoke on condition of anonymity because he was not authorized to discuss the issue publicly.
But the senator said the Office of the Sergeant at Arms, which oversees Senate security, informed legislators and staffers that it has no authority to help secure personal, rather than official, accounts.
I’m going to guess the “major technology company” is Google, simply because Gmail is the leading email provider. If you ever wonder why Ron Wyden seems almost amazingly well-informed on very technical computer security matters, keep in mind that Christopher Soghoian is on his staff as a senior advisor.
gov2.0  politics  google  gmail  daring_fireball  congress  russia  hack  security  privacy 
4 weeks ago by rgl7194
6 ways to keep up with cybersecurity without going crazy - Malwarebytes Labs | Malwarebytes Labs
As we dive headfirst into National Cybersecurity Awareness Month, it seems only fitting to discuss ways to stay on top of developments in modern cybersecurity and privacy. What’s the best way to stay protected? How can you determine if something is a scam? Which big company has been breached now?
The topic of security features heavily across many industries, blogs, and news channels simply because of the current state of affairs. It seems like every day we hear about a new major data breach, affecting thousands—if not millions—of people. From retailers like Target to social media sites such as Facebook to more prominent credit agencies like Equifax—no one is safe.
The uncontrolled nature of attacks coupled with the 24/7 news cycle make it downright overwhelming to keep up with all the cybersecurity information lobbed at us. The widespread release of new attacks, data breaches, systems failures, and malware use have led many to a feeling of security fatigue. We’re essentially all at a point where we’re sick and tired of hearing about it, and frankly disappointed in many companies and individuals who continually fail to protect the data they are responsible for.
Fatigue or not, we shouldn’t collectively ignore what’s happening in the world of cybersecurity right now. We all have a duty to not only protect ourselves, but also our communities, countries, and world over by staying in the know. You can contribute by keeping your knowledge up-to-date and employing a few simple strategies to capture the good information out there and weed out the bad.
security  privacy  social_media  podcast  RSS  blogs 
5 weeks ago by rgl7194
California Password Law | 1Password
California just became the first state to put a cybersecurity law on the books for any internet-connected devices that are made or sold in the state. This new legislation goes into effect January 2020 and is designed to protect consumers by setting higher security standards for smart devices.
To comply with this new law, companies will either need to set a unique password for the device at the time of manufacture or prompt people to set a new password during the initial device setup.
state  gov2.0  passwords  privacy  security  california 
5 weeks ago by rgl7194
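The law summarized above says only that each unit must ship with a unique password or force the owner to set one during initial setup; it does not say how. Below is an added example, not code from 1Password's post or from any manufacturer, of what that looks like in practice: a factory step that issues a CSPRNG-generated credential per unit, a setup flow that refuses to do anything else until it is replaced, and an audit over a constructed factory ledger that flags shared or well-known defaults. The list of well-known defaults, the PBKDF2 round count and the 8-character minimum are assumptions for the example.

```python
# Added example (hypothetical, not 1Password's or any manufacturer's code):
# provisioning a unique per-unit factory credential, forcing a change at
# initial setup, and auditing a batch for shared or well-known defaults.
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALPHABET = string.ascii_letters + string.digits
# Constructed sample of defaults a manufacturer must not ship with (assumption).
WELL_KNOWN_DEFAULTS = {"", "admin", "password", "1234", "12345", "root", "default"}
PBKDF2_ROUNDS = 100_000  # assumption; tune for the device's CPU


def generate_device_password(length: int = 16) -> str:
    """CSPRNG-generated; never derived from the serial number or MAC address,
    which are printed on the unit and therefore are not secrets."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class DeviceRecord:
    serial: str
    salt: bytes
    pw_hash: bytes
    must_change: bool  # True until the owner sets a password at setup


def provision(serial: str) -> Tuple[DeviceRecord, str]:
    """Factory step: returns the on-device record (hash only) and the clear-text
    password that goes on the unit's label. The factory keeps a serial->password
    ledger only as long as needed to print labels."""
    password = generate_device_password()
    salt = secrets.token_bytes(16)
    record = DeviceRecord(serial, salt, hash_password(password, salt), must_change=True)
    return record, password


def verify(record: DeviceRecord, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, record.salt), record.pw_hash)


def login(record: DeviceRecord, password: str) -> str:
    """Normal login path: the factory credential opens nothing but the setup flow."""
    if not verify(record, password):
        return "denied"
    return "setup_required" if record.must_change else "ok"


def complete_setup(record: DeviceRecord, factory_password: str, new_password: str) -> Tuple[bool, str]:
    """Initial setup: prove possession of the factory credential, then replace it
    with a password that is neither a well-known default nor the factory value."""
    if not record.must_change:
        return False, "already set up"
    if not verify(record, factory_password):
        return False, "factory credential incorrect"
    if new_password.lower() in WELL_KNOWN_DEFAULTS or len(new_password) < 8:
        return False, "new password is a known default or too short"
    if new_password == factory_password:
        return False, "new password must differ from the factory credential"
    record.salt = secrets.token_bytes(16)
    record.pw_hash = hash_password(new_password, record.salt)
    record.must_change = False
    return True, "ok"


def audit_batch(ledger: Dict[str, str]) -> List[str]:
    """Compliance check over a factory ledger (serial -> issued password):
    returns serials whose password is shared with another unit or is a
    well-known default. An empty list means the batch passes."""
    seen: Dict[str, List[str]] = {}
    for serial, password in ledger.items():
        seen.setdefault(password, []).append(serial)
    bad: List[str] = []
    for password, serials in seen.items():
        if len(serials) > 1 or password.lower() in WELL_KNOWN_DEFAULTS:
            bad.extend(serials)
    return sorted(bad)


if __name__ == "__main__":
    rec, factory_pw = provision("SN-0001")
    print(login(rec, factory_pw))
    print(complete_setup(rec, factory_pw, "admin"))
    print(complete_setup(rec, factory_pw, "correct horse battery"))
    print(login(rec, "correct horse battery"))
```

The two checks worth keeping from this are the ones the law's wording glosses over: the setup flow rejects a "new" password that equals the factory one (otherwise the forced change is cosmetic), and the batch audit catches a line that accidentally issued the same credential to many units, which is exactly the failure the uniqueness requirement is meant to prevent.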
Google+ users, upset over data leak, sue Google | Ars Technica
Hours after Google+ shuttered, lawsuit filed in San Francisco.
It was only a matter of time—the same day that Google announced it was shutting down Google+ in the wake of a data leak, two users filed a proposed class-action lawsuit in federal court in San Francisco, saying that their privacy had been violated.
The case, Matt Matic and Zak Harris v. Google, alleges that the company’s "lax approach" to security resulted in API bugs that exposed the private details of almost 500,000 Google+ users.
breach  data  google  hack  privacy  security  social_media  legal 
5 weeks ago by rgl7194
What is Solid?
Solid is an exciting new project led by Prof. Tim Berners-Lee, inventor of the World Wide Web, taking place at MIT. The project aims to radically change the way Web applications work today, resulting in true data ownership as well as improved privacy.
What does Solid offer?
Solid (derived from "social linked data") is a proposed set of conventions and tools for building decentralized social applications based on Linked Data principles. Solid is modular and extensible and it relies as much as possible on existing W3C standards and protocols.
At a glance, here is what Solid offers...
privacy  web  internet  solid  data  berners-lee 
5 weeks ago by rgl7194
Exclusive: Tim Berners-Lee tells us his radical new plan to upend the World Wide Web
With an ambitious decentralized platform, the father of the web hopes it’s game on for corporate tech giants like Facebook and Google.
Last week, Tim Berners-Lee, inventor of the World Wide Web, asked me to come and see a project he has been working on almost as long as the web itself. It’s a crisp autumn day in Boston, where Berners-Lee works out of an office above a boxing gym. After politely offering me a cup of coffee, he leads us into a sparse conference room. At one end of a long table is a battered laptop covered with stickers. Here, on this computer, he is working on a plan to radically alter how all of us live and work on the web.
“The intent is world domination,” Berners-Lee says with a wry smile. The British-born scientist is known for his dry sense of humor. But in this case, he is not joking.
privacy  web  internet  solid  data  berners-lee 
5 weeks ago by rgl7194
Google+ Shutting Down After Bug Leaks Info of 500k Accounts
Google has announced that they are closing the consumer functionality of Google+ due to a lack of adoption and an API bug that leaked the personal information of up to 500,000 Google+ accounts.
While no evidence was found that indicates this bug was ever misused, it was determined that the complexity of protecting and operating a social network like Google+ was not a worthwhile endeavor when so few users actually used the service for any length of time.
"This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps," stated a blog post by Google regarding the Google+ closure. "The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds."
The consumer functionality of Google+ will be closing over a 10 month period, while Google transitions the product to be used internally by the Enterprise.
google  security  privacy  hack  social_media  data  breach 
5 weeks ago by rgl7194
Google shutting down Google+ after exposing data of up to 500,000 users - CNET
But the search giant didn't disclose the vulnerability because it reportedly feared regulatory scrutiny.
A vulnerability in the Google+ social network exposed the personal data of up to 500,000 people using the site between 2015 and March 2018, the search giant said Monday.
Google said it found no evidence of data misuse. Still, as part of the response to the incident, Google plans to shut down the social network permanently.
The company didn't disclose the vulnerability when it fixed it in March because the company didn't want to invite regulatory scrutiny from lawmakers, according to a report Monday by The Wall Street Journal. Google CEO Sundar Pichai was briefed on the decision to not disclose the finding, after an internal committee had already decided the plan, the Journal said.
google  security  privacy  hack  social_media  data  breach 
5 weeks ago by rgl7194
Google+ leaks data; service to be sent into the west - Six Colors
According to a report in the Wall Street Journal, the Google+ social network exposed the personal data of up to half a million users. As CNET reports:
Google said it found the bug as part of an internal review called Project Strobe, an audit started earlier this year that examines access to user data from Google accounts by third-party software developers. The bug gave apps access to information on a person’s Google+ profile that can be marked as private. That includes details like email addresses, gender, age, images, relationship statuses, places lived and occupations. Up to 438 applications on Google Plus had access to this API, though Google said it has no evidence any developers were aware of the vulnerability.
The good news is, not a lot of people use Google+, which was Google’s attempt to wedge itself into a social-media space occupied by Facebook and Twitter. It didn’t work, and Google admitted as much today, when it announced that it has “decided to sunset the consumer version of Google+.”
Sunset as a verb means what you might think it means. It’s moving to a farm upstate. It’s going to a better place. It’s following Frodo to Valinor, the Undying Lands across the sea to the west. Where does the sun set? Where Frodo is, probably happy and playing with your childhood pets every day. It is an ex-service.
Google+ will survive as an enterprise product, apparently.
google  security  privacy  hack  social_media  data  breach 
5 weeks ago by rgl7194
Google+ to shut down after vulnerability discovered that left customer data unprotected | iMore
Google's also putting its foot down on Gmail APIs and access to call/text data.
Google+ has long been the butt of many jokes as a failed social network that refuses to die, but according to a new report from The Wall Street Journal and then an official response from Google itself, it looks like it's been home to a serious security vulnerability for three years that Google chose to not disclose to the public.
Per WSJ, a "software glitch" allowed user data to be potentially exposed to unwanted eyes from 2015 all the way through March 2018 when Google learned about it.
google  security  privacy  hack  social_media  data  breach 
5 weeks ago by rgl7194
Google+ shutting down after data leak affecting 500,000 users | Ars Technica
Citing "significant challenges," failed social network will be put out to pasture.
Google exposed the private details of almost 500,000 Google+ users and then opted not to report the lapse, in part out of concern disclosure would trigger regulatory scrutiny and reputational damage, The Wall Street Journal reported Monday, citing people briefed on the matter and documents that discussed it. Shortly after the article was published, Google said it would close the Google+ social networking service to consumers.
The exposure was the result of a flaw in programming interfaces Google made available to developers of applications that interacted with users’ Google+ profiles, Google officials said in a post published after the WSJ report. From 2015 to March 2018, the APIs made it possible for developers to view profile information not marked as public, including full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. Data exposed didn’t include Google+ posts, messages, Google account data, phone numbers, or G Suite content. Some of the users affected included paying G Suite users.
google  security  privacy  hack  social_media  data  breach 
5 weeks ago by rgl7194
Google+ is Shutting Down After a Vulnerability Exposed 500,000 Users' Data
Google is going to shut down its social media network Google+ after the company suffered a massive data breach that exposed the private data of hundreds of thousands of Google Plus users to third-party developers.
According to the tech giant, a security vulnerability in one of Google+'s People APIs allowed third-party developers to access data for more than 500,000 users, including their usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.
Since Google+ servers do not keep API logs for more than two weeks, the company cannot confirm the number of users impacted by the vulnerability.
google  security  privacy  hack  social_media  data  breach 
5 weeks ago by rgl7194
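Two details recur across the Google+ bookmarks above: the People API returned profile fields the user had not marked public, and API logs were kept for only two weeks, so the number of affected users could not be confirmed. The page does not describe the actual defect, so the following is an added, hypothetical example rather than Google's code. It pairs a handler that serialises the whole profile with one that enforces per-field visibility and default-deny for fields with no visibility entry, and it shows why a short log retention window limits what an incident review can reconstruct. The scope names of the form `profile.<field>` and the sample profile are constructed for the example.

```python
# Added example (hypothetical code, not Google's; the page does not describe
# the actual defect): a profile endpoint that ignores per-field visibility next
# to a hardened one that enforces it, plus an access log whose retention
# window bounds what an incident review can later reconstruct.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

PUBLIC = "public"
PRIVATE = "private"


@dataclass
class Profile:
    user_id: str
    fields: Dict[str, str]       # field name -> value
    visibility: Dict[str, str]   # field name -> PUBLIC or PRIVATE, set by the user


@dataclass
class AccessEvent:
    when: datetime
    app_id: str
    user_id: str
    fields_returned: List[str]


@dataclass
class AccessLog:
    retention: timedelta
    events: List[AccessEvent] = field(default_factory=list)

    def record(self, event: AccessEvent) -> None:
        self.events.append(event)

    def prune(self, now: datetime) -> None:
        """Routine log rotation: anything older than the retention window is gone."""
        cutoff = now - self.retention
        self.events = [e for e in self.events if e.when >= cutoff]

    def apps_that_saw(self, user_id: str, field_name: str) -> Set[str]:
        """Incident question: which apps ever received this user's field?
        Only answerable for events still inside the retention window."""
        return {e.app_id for e in self.events
                if e.user_id == user_id and field_name in e.fields_returned}


def people_get_vulnerable(profile: Profile, app_id: str, log: AccessLog, now: datetime) -> Dict[str, str]:
    """Buggy handler: serialises the whole profile; the visibility map is never consulted."""
    returned = dict(profile.fields)
    log.record(AccessEvent(now, app_id, profile.user_id, sorted(returned)))
    return returned


def people_get_fixed(profile: Profile, app_id: str, granted_scopes: Set[str],
                     log: AccessLog, now: datetime) -> Dict[str, str]:
    """Hardened handler: a field is released only if the user marked it public,
    or explicitly granted this app the matching scope (hypothetical scope names
    of the form 'profile.<field>'). A field with no visibility entry is treated
    as private, so a field newly added to the schema defaults to closed."""
    returned: Dict[str, str] = {}
    for name, value in profile.fields.items():
        vis = profile.visibility.get(name, PRIVATE)
        if vis == PUBLIC or f"profile.{name}" in granted_scopes:
            returned[name] = value
    log.record(AccessEvent(now, app_id, profile.user_id, sorted(returned)))
    return returned


def sample_profile() -> Profile:
    """Constructed sample data; 'occupation' deliberately has no visibility entry."""
    return Profile(
        user_id="u-42",
        fields={"name": "A. User", "email": "a.user@example.com",
                "birthday": "1990-01-01", "occupation": "engineer"},
        visibility={"name": PUBLIC, "email": PRIVATE, "birthday": PRIVATE},
    )


if __name__ == "__main__":
    log = AccessLog(retention=timedelta(days=14))
    t0 = datetime(2018, 1, 1)
    print(people_get_vulnerable(sample_profile(), "app-A", log, t0))
    print(people_get_fixed(sample_profile(), "app-B", set(), log, t0 + timedelta(days=20)))
    log.prune(t0 + timedelta(days=21))
    print(log.apps_that_saw("u-42", "email"))
```

The detection side matters as much as the fix: once `prune` has run past the window, `apps_that_saw` can no longer name the first app that received the private field, which is the same gap the reports describe when they say the number of affected users could not be confirmed. An access log meant to support incident scoping needs a retention period set by how long a bug might plausibly go unnoticed, not by disk budget.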
Google is losing users’ trust – Slate | Finer Things in Tech
Matthew Green at Slate, after Google changed a default Chrome feature to automatically log users into the browser if they log into any Google service. This means all browsing history now gets sent to Google, and at rollout there wasn’t even a way to shut it off:
This pattern of behavior by tech companies is so routine that we take it for granted. Let’s call it “pulling a Facebook” in honor of the many times that Facebook has “accidentally” relaxed the privacy settings for user profile data, and then—following a bout of bad press coverage—apologized and quietly reversed course. A key feature of these episodes is that management rarely takes the blame: It’s usually laid at the feet of some anonymous engineer moving fast and breaking things.
We are way, way past time to start holding these companies and their lame, ‘anonymous engineer’ management scapegoat accountable for their awful approach to our privacy.
google  privacy  trust 
5 weeks ago by rgl7194