
rgl7194 : security   3079

Companies with data breaches in 2018 - Business Insider
At least 15 retailers were hacked and likely had information stolen from them since January 2017.
Many of these were caused by flaws in payment systems taken advantage of by hackers.
At least 15 separate security breaches occurred at retailers from January 2017 until now. Many of them were caused by flaws in payment systems, either online or in stores.
Data breaches are on the rise for both retailers and other businesses. According to Business Insider Intelligence, data breaches are a real danger for both brands and customers, and they can affect a customer's trust in brands.
According to a study by KPMG, 19% of consumers would completely stop shopping at a retailer after a breach, and 33% would take a break from shopping there for an extended period.
Here are 15 retailers that have been affected by data breaches since January 2017...
breach  data  security  privacy  store  credit_cards 
7 days ago by rgl7194
Apple releases iOS 11.4.1 and blocks passcode cracking tools used by police - The Verge
Apple today released iOS 11.4.1, and while most of us are already looking ahead to all the new stuff coming in iOS 12, this small update contains an important new security feature: USB Restricted Mode. Apple has added protections against the USB devices being used by law enforcement and private companies that connect over Lightning to crack an iPhone’s passcode and evade Apple’s usual encryption safeguards.
If you go to Settings and check under Face ID (or Touch ID) & Passcode, you’ll see a new toggle for USB Accessories. By default, the switch is off. This means that once your iPhone or iPad has been locked for over an hour straight, iOS will no longer allow USB accessories to connect to the device — shutting out cracking tools like GrayKey as a result. If you’ve got accessories that you want to continue working after your iPhone has been sitting locked for awhile, you can toggle the option on to remove the hour limit.
Apple’s wording is a bit confusing. You should leave the toggle disabled if you want your iPhone to be most secure.
iphone  security  privacy  ios11  USB 
10 days ago by rgl7194
Daring Fireball: iOS 11.4.1 Blocks USB Passcode Cracking Tools
Chris Welch, writing for The Verge:
Apple today released iOS 11.4.1, and while most of us are already looking ahead to all the new stuff coming in iOS 12, this small update contains an important new security feature: USB Restricted Mode. Apple has added protections against the USB devices being used by law enforcement and private companies that connect over Lightning to crack an iPhone’s passcode and evade Apple’s usual encryption safeguards.
Great news and an elegant solution.
iphone  security  privacy  ios11  USB  daring_fireball 
10 days ago by rgl7194
Apple releases iOS 11.4.1 with USB Restricted Mode | Ars Technica
The iOS update also fixes bugs with AirPods and Exchange mail servers.
As usual, this iOS release also includes security updates. However, Apple had not released the details on its security page at the time of this posting, but expect them to appear sometime soon. Significant but not listed: USB Restricted Mode, a change originally included in the iOS 12 beta that makes it more difficult for anyone, including authorities, to break into the iPhone through the Lightning port.
You'll now find a toggle switch labeled "USB Accessories" in the Touch ID & Passcode section of the Settings app. It's off by default. A caption explains:
Unlock iPhone to allow USB accessories to connect when it has been more than an hour since your iPhone was unlocked.
At first we thought we would have to wait until iOS 12 this fall to see this feature, but here it is.
iphone  security  privacy  ios11  USB 
10 days ago by rgl7194
How to use USB Restricted Mode on your iPhone or iPad
USB Restricted Mode brings a little extra security to your iPhone or iPad. Here's how you enable it.
While Apple has been testing it since the later beta versions of iOS 11.4, with the release of iOS 11.4.1, USB Restricted Mode is now available to the iPhone-using public at large. This new mode, which is buried under your passcode settings, adds additional security to your iOS device by preventing USB accessories from connecting to your iPhone or iPad if the device has been locked for more than one hour.
Recently, we've seen the emergence of a number of devices, including the GrayBox, that allow third parties to gather data from your iPhone or iPad through the Lightning port without having to unlock your device beforehand. While these devices are ostensibly designed for law enforcement, they are still taking advantage of a security hole that anyone could theoretically exploit. This means that Apple has a responsibility to plug this particular hole, despite the protestations of law enforcement.
iphone  security  privacy  ios11  USB 
10 days ago by rgl7194
Plant Your Flag, Mark Your Territory — Krebs on Security
Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.
The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.
security  privacy  banking  krebs  taxes  mail  SSN  credit_cards  credit_freeze  seniors 
19 days ago by rgl7194
Dear Customer: Your Secret is(n’t) Safe with Me - Pindrop
“Secrets based” authentication based off of your customer’s static PII today alone, is useless.
With the addition of another massive data breach earlier this week of over 340M individual records of consumer and businesses with consumer profiles and preferences from a market data aggregation firm, consumer’s secrets are now fully exposed.
Identifying data like the number of children you have, their gender, dog or cat ownership, smoking preference, scuba certification, as well as the typical identifying data like name, address, birth date, phone numbers, are no longer secret.
data  safety  security  privacy  business  breach  authentication 
19 days ago by rgl7194
Security Flaws Disclosed in LTE (4G) Mobile Telephony Standard
A team of academics has published research yesterday that describes three attacks against the mobile communication standard LTE (Long-Term Evolution), also known as 4G.
Two of the three attacks are passive, meaning an attacker can watch LTE traffic and determine various details about the target, while the third is an active attack that lets the attacker manipulate data sent to the user's LTE device.
According to researchers, the passive attacks allow an attacker to collect meta-information about the user's traffic (an identity mapping attack), while the second allows the attacker to determine what websites a user might be visiting through his LTE device (a website fingerprinting attack).
cellphones  LTE  security  privacy  hack 
19 days ago by rgl7194
Researchers Uncover New Attacks Against LTE Network Protocol
If your mobile carrier offers LTE, also known as the 4G network, you need to beware as your network communication can be hijacked remotely.
A team of researchers has discovered some critical weaknesses in the ubiquitous LTE mobile device standard that could allow sophisticated hackers to spy on users' cellular networks, modify the contents of their communications, and even re-route them to malicious or phishing websites.
LTE, or Long Term Evolution, is the latest mobile telephony standard used by billions of people designed to bring many security improvements over the predecessor standard known as Global System for Mobile (GSM) communications.
However, multiple security flaws have been discovered over the past few years, allowing attackers to intercept users' communications, spy on user phone calls and text messages, send fake emergency alerts, spoof the location of the device and knock devices entirely offline.
cellphones  LTE  security  privacy  hack 
19 days ago by rgl7194
Hackers Could Bypass macOS Signature Checks for A Decade - SecureMac
Code signing is one of the most important lines of defense against malware. It allows a user to know that the software they intend to install or run came from a trusted source, such as Apple, or another trusted developer. While code signing is not a 100% foolproof method, since some malware authors will burn legitimate developer IDs to sign their code, it’s generally a very strong safety feature. Code signed by Apple would be considered especially trustworthy, since no one would be able to spoof Apple’s private key. As it turns out, hackers have relied on this inherent trust to exploit poor security implementations in a wide-ranging number of third-party security apps.
Since the 2007 release of OS X Leopard, it seems that confusing language in Apple’s API documentation led many developers, including those of the Little Snitch Firewall, to improperly implement code signing verification. The exploit was surprisingly simple and relied on the Universal file format Apple uses to allow some applications to run on different types of Macs. By bundling together several code binaries in one package and including Apple-signed code at the top, these third-party security applications would read the entire bundle as signed by Apple.
mac  security  privacy  bug  apps  malware 
19 days ago by rgl7194
Bypassing Passcodes in iOS - Schneier on Security
Last week, a story was going around explaining how to brute-force an iOS password. Basically, the trick was to plug the phone into an external keyboard and try every PIN at once:
We reported Friday on Hickey's findings, which claimed to be able to send all combinations of a user's possible passcode in one go, by enumerating each code from 0000 to 9999, and concatenating the results in one string with no spaces. He explained that because this doesn't give the software any breaks, the keyboard input routine takes priority over the device's data-erasing feature.
I didn't write about it, because it seemed too good to be true. A few days later, Apple pushed back on the findings -- and it seems that it doesn't work.
ios  passwords  security  privacy  hack 
19 days ago by rgl7194
EFF Launches Encryption Initiative for Email Domains Named STARTTLS Everywhere
The Electronic Frontier Foundation (EFF) announced a new project named STARTTLS Everywhere that aims to provide guidance to server administrators on how to set up a proper email server that runs STARTTLS the correct way.
STARTTLS Everywhere is eerily similar to Let's Encrypt, another pro-encryption initiative the EFF launched together with Mozilla and Cisco two years ago.
But this initiative aims to bring encrypted communications to email servers, instead of web servers (Let's Encrypt's purpose).
EFF  email  encryption  privacy  security 
19 days ago by rgl7194
Some Spectre In-Browser Mitigations Can Be Defeated
Some of the protections against the Spectre CPU vulnerability introduced in modern browsers can be defeated, security researchers revealed this week.
According to research published by Aleph Security on Tuesday, the company's researchers were able to put together proof-of-concept code that retrieves sensitive data from a browser's protected memory.
The browsers were running a version that received mitigations against such attacks, researchers said.
The Aleph team says their PoC bypassed Spectre mitigations and retrieved data from browsers such as Edge, Chrome, and Safari. They were not able to retrieve browser memory data from Firefox, mainly because of a different type of mitigation Mozilla had used for its browser.
browser  bug  cpu  javascript  linux  mac  meltdown_spectre  privacy  security  windows 
19 days ago by rgl7194
Internet Safety Month: How to manage your child's online presence - Malwarebytes Labs | Malwarebytes Labs
When you hear the term “reputation risk management,” you might think of a buzzword used in the business sector. Reputation risk management is a term used to describe how companies identify potential risks that may harm their reputation and mitigate them before they blow off.
As companies grow, so grows their public reputation. Heading potential PR disasters or credible crises off at the pass can keep organizations from losing revenue, confidence, and trust from their clients. Suffice it to say, putting your best foot forward and keeping it there is crucial.
Now, here’s a thought: If businesses know they have much to lose if their reputation is threatened, shouldn’t parents and guardians also consider that their children can lose out if their digital footprint is at risk?
To cap off Internet Safety Month, we’re going to ditch the buzzword in favor of a phrase that parents, teens, and young kids can easily grasp: You must manage your online presence. Before we delve into how parents and guardians can take charge, it is crucial that we first understand one thing when it comes to having a digital life...
internet  safety  children  security  privacy  reputation  google 
19 days ago by rgl7194
Equifax Engineer Who Designed Breach Website Charged With Insider Trading
The US Securities and Exchange Commission (SEC) has indicted a former Equifax engineer on charges of insider trading.
According to court documents, Sudhakar Reddy Bonthu, 44, of Cumming, Georgia, worked for Equifax between September 2003 and March 2018.
Starting September 2013, Bonthu worked as Production Development Manager of Software Engineering in Equifax's Global Consumer Solutions (GCS) business unit. Bonthu's job involved creating software for Equifax's internal use, but also for its clients.
breach  credit_report  data  equifax  gov2.0  hack  identity_theft  legal  privacy  security  crime 
19 days ago by rgl7194
Terrifying Spam Call Leaves Voicemail Phishing for iCloud Logins | The Mac Security Blog
Have you received a weird spam call or voicemail claiming to be from Apple support, notifying you of suspicious activity with your Apple iCloud ID? The computer-generated recording may even sound terrifying to some victims, and its goal is to snare you into giving up your iCloud ID and password as part of a new phishing campaign.
Phishing scams targeting Apple IDs and passwords are not new, ranging from text message scams to clever phishing websites, but what appears to be making headway is a new method of calling your iPhone in an attempt to trick you into giving up your secret information. What's happening is you'll receive a call from a random or unknown number, such as 646-434-5603 or 844-282-0419, and if you don't pick up, the scammer or hacking group will even leave a voicemail phishing for your iCloud ID and password.
security  privacy  icloud  scam  phishing  social_engineering 
19 days ago by rgl7194
A Technical Deep Dive into STARTTLS Everywhere | Electronic Frontier Foundation
Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.
Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.
Note that this is a technical deep dive into EFF’s new STARTTLS Everywhere project, which assumes familiarity with SMTP and STARTTLS. If you’re not familiar with those terms, you should first read our post intended for a general audience, available here.
email  security  privacy  EFF  encryption 
19 days ago by rgl7194
Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery | Electronic Frontier Foundation
Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.
Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.
email  security  privacy  EFF  encryption 
19 days ago by rgl7194
WPA3 Standard Officially Launches With New Wi-Fi Security Features
The Wi-Fi Alliance today officially launched WPA3—the next-generation Wi-Fi security standard that promises to eliminate all the known security vulnerabilities and wireless attacks that are up today including the dangerous KRACK attacks.
WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.
However, late last year, security researchers uncovered a severe flaw in the current WPA2 protocol, dubbed KRACK (Key Reinstallation Attack), that made it possible for attackers to intercept, decrypt and even manipulate WiFi network traffic.
Although most device manufacturers patched their devices against KRACK attacks, the WiFi Alliance, without much delay, rushed to finalize and launch WPA3 in order to address WPA2's technical shortcomings from the ground.
wi-fi  security  privacy  standards 
20 days ago by rgl7194
New WPA3 Wi-Fi Standard Released
On Monday, the Wi-Fi Alliance, the organization that manages Wi-Fi technologies, announced the official release of WPA3.
WPA3 is the latest version of Wi-Fi Protected Access (WPA), a user authentication technology for Wi-Fi connections.
News that the Wi-Fi Alliance was working on WPA3 leaked online in January. The organization started working on WPA3 after a security researcher revealed KRACK, a vulnerability in the WPA2 WiFi protocol that made it somewhat trivial for an attacker to gain access to WiFi transmissions protected by WPA2.
WPA3 is currently optional for all newly produced devices, but it will become the de-facto Wi-Fi authentication standard for all Wi-Fi capable devices in the coming years. A date has not been set yet, but the new WPA3 will retain interoperability with older WPA2 devices to ensure as little friction as possible during the transition to WPA3.
wi-fi  security  privacy  standards 
20 days ago by rgl7194
WPA3 Wi-Fi security standard is officially rolling out to replace the 14-year-old WPA2 | iMore
The new standard wants to make your Wi-Fi network more secure than it's ever been.
As our mobile world progresses with new phones, smart home gadgets, and more, it's becoming even more critical that our online presence is as safe and secure as can be. To ensure things stay that way, the Wi-Fi Alliance is now certifying products that support the new WPA3 standard.
WPA3 is officially replacing WPA2, and considering that WPA2 was first released in 2004, the time for this is long overdue. Although not much is changing from a consumer point-of-view, WPA3 is chock-full of new features and tools to ensure your wireless internet connection is more secure than ever before.
One of the highlights found with WPA3 is that it makes it much more difficult for hackers to tap into your network using offline password-guessing attacks. WPA2 allows deviants to capture data from your router and then repeatedly guess your password over and over on their computer so they can gain access to your Wi-Fi setup, but with WPA3, one incorrect hacking attempt will render this data useless.
wi-fi  security  privacy  standards 
20 days ago by rgl7194
Ex-Senate Aide Charged in Leak Case Where Times Reporter’s Records Were Seized - The New York Times
WASHINGTON — A former Senate Intelligence Committee aide was arrested on Thursday in an investigation of classified information leaks where prosecutors also secretly seized years’ worth of a New York Times reporter’s phone and email records.
The former aide, James A. Wolfe, 57, was charged with lying repeatedly to investigators about his contacts with three reporters. According to the authorities, Mr. Wolfe made false statements to the F.B.I. about providing two of them with sensitive information related to the committee’s work. He denied to investigators that he ever gave classified material to journalists, the indictment said.
Mr. Wolfe, the Intelligence Committee’s director of security, was slated to appear before a federal judge on Friday in Washington. Reached on Thursday evening before his arrest, Mr. Wolfe declined to comment.
digital  security  privacy  encryption  signal  EFF  gov2.0  FBI  nytimes  leak 
26 days ago by rgl7194
Journalists and Digital Security: Some Thoughts on the NYT Leak Case | Electronic Frontier Foundation
The leak investigation involving a Senate staffer and a New York Times reporter raises significant issues about journalists, digital security, and the ability of journalists to protect confidential sources.
The New York Times recently revealed that the FBI had been investigating a former aide to the Senate Intelligence Committee, James Wolfe, for possibly leaking classified information to reporters. So far Wolfe has only been indicted for making false statements to investigators about his contacts with reporters.
The investigation appears to have been focused on how New York Times reporter Ali Watkins, when she worked for Buzzfeed News, learned that Russian spies had attempted to recruit a former advisor to President Trump, Carter Page.
Reading the New York Times article, three things jumped out at us.
digital  security  privacy  encryption  signal  EFF  gov2.0  FBI  nytimes  leak 
26 days ago by rgl7194
ETTV Launches Official Proxy to Fight ISP Blocking - TorrentFreak
When several torrent distribution groups started their own home at, they moved into uncharted territory. In addition to distributing the latest releases, they were facing new problems, including ISP blockades. With a new proxy portal, ETTV is now responding to this week's Australian blockade, as well as similar efforts.
For several years, ETTV has been a household name in the torrent community.
The group, which distributes pirated TV-shows, originated at ExtraTorrent but when the site closed it built its own home.
Together with several like-minded uploaders, including ETHD, they launched last fall. While the groups still distribute their work on other mainstream torrent indexes, the site’s traffic has been growing steadily.
tv  bittorrent  security  privacy 
26 days ago by rgl7194
Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives
Security researchers are warning of an almost decade-old issue with one of Apple's macOS features, which was designed for users' convenience but is potentially exposing the contents of files stored on password-protected encrypted drives.
Earlier this month, security researcher Wojciech Regula from SecuRing published a blog post about the "Quick Look" feature in macOS that helps users preview photos, document files, or a folder without opening them.
Regula explained that the Quick Look feature generates thumbnails for each file/folder, giving users a convenient way to evaluate files before they open them.
mac  bug  security  privacy  encryption  preview 
26 days ago by rgl7194
macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives
Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to Wojciech Reguła and Patrick Wardle, two macOS security experts.
The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers.
mac  bug  security  privacy  encryption  preview 
26 days ago by rgl7194
Perverse Vulnerability from Interaction between 2-Factor Authentication and iOS AutoFill - Schneier on Security
Apple is rolling out an iOS security usability feature called Security code AutoFill. The basic idea is that the OS scans incoming SMS messages for security codes and suggests them in AutoFill, so that people can use them without having to memorize or type them.
Sounds like a really good idea, but Andreas Gutmann points out an application where this could become a vulnerability: when authenticating transactions...
This is an interesting interaction between two security systems. Security code AutoFill eliminates the need for the user to view the SMS or memorize the one-time code. Transaction authentication assumes the user read and approved the additional information in the SMS message before using the one-time code.
ios  security  privacy  autofill  2FA  bug 
26 days ago by rgl7194
Objective-See: Breaking macOS Mojave Beta
does apple adequately protect the webcam and mic?
In the "Your Apps and the Future of macOS Security" WWDC session - Apple states that the final (i.e. non-beta) version of macOS Mojave will prompt for applications that attempt to control (or script) other applications (discussion is at 13:45 in the presentation).
Thus this attack should be mitigated when macOS Mojave ships! Hooray.
On Monday, Apple announced the latest version of macOS: Mojave (10.14) and released a beta (18A293u). I decided to play around with it today.
From a security point of view, one of the most interesting features of Mojave is new 'access controls' on user data, and devices such as the microphone and webcam:
This is a welcomed security feature, as malware often surreptitiously accesses the mic or the webcam (as well as sensitive user data). For example, the author of the infamous OSX/FruitFly malware spied on Mac users (including children) for over a decade via their webcams. Yikes!
Mysterious Mac Malware Has Infected Victims for Years
Man Charged Over Super Creepy Apple Mac Spyware That Snooped On Victims Via Webcams
Other examples of Mac malware that accessed the webcam and/or mic include OSX/Mokes...
Also OSX/Eleanor...
..and OSX/Crisis (HackingTeam)...
Moreover yours truly recently described an attack, which would allow Mac malware to piggyback on legitimate webcam sessions to secretly record mac users without detection!
We all know Apple hates bad press - so in Mojave, they (finally?) decided to do something about this. Hooray!
security  privacy  macOS  10.14 
26 days ago by rgl7194
Are Free Societies at a Disadvantage in National Cybersecurity - Schneier on Security
Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post...
I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don't matter to a totalitarian country. That makes us more vulnerable. (I don't mean to imply -- and neither do Russell and Goldsmith -- that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.)
I do worry that these disadvantages will someday become intolerable. Dan Geer often said that "the price of freedom is the probability of crime." We are willing to pay this price because it isn't that high. As technology makes individual and small-group actors more powerful, this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don't know.
EDITED TO ADD (6/21): Jack Goldsmith also wrote this.
security  cyber  gov2.0  free  society 
26 days ago by rgl7194
Five easy ways to recognize and dispose of malicious emails - Malwarebytes Labs | Malwarebytes Labs
I suppose we all get our share of spam. Some more than others. But how do we differentiate between simple commercial spam and the types of emails that want to get us in trouble?
The unsolicited commercial spam email is generally easy to recognize, report, and discard, but what about more dangerous types of spam? How can you determine if an email contains a malicious link or attachment, or is trying to scam you out of money or your personal information?
And if you do discover you have malicious emails in your inbox, what then? Is reporting as spam and deleting the email enough?
Knowing what you are up against helps you determine what to do with all that spam—whether it’s simply a nuisance or a landmine waiting to detonate.
security  privacy  email  phishing  spam  language  grammar  URL 
26 days ago by rgl7194
Objective-See: Cache Me Outside
› apple's 'quicklook' cache may leak encrypted data
'QuickLook' is a super cool mechanism of macOS that allows you to quickly check file contents without opening them in a specialized application. When you press the space bar on, for instance, an *.xlsx file, you can see the following preview without having MS Excel installed:
While reading *OS Internals Volume I (that I highly recommend btw) I stopped on the QuickLook chapter. I found out that Quicklook registers the XPC service that is responsible for creating the thumbnails database and storing it in the $TMPDIR/../C/ directory.
This means that all photos that you have previewed using space (or QuickLook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them on an encrypted HDD or in a TrueCrypt/VeraCrypt container.
Quicklook will also generate thumbnails of other 'default' file types such as documents...again, even if those files are stored within encrypted containers.
Depending on Finder's view settings (e.g. icon mode, list mode, etc), file thumbnails may be created and cached by QuickLook automatically when a directory is viewed via the UI.
mac  bug  security  privacy  encryption  preview 
26 days ago by rgl7194
Google Developer Discovers a Critical Bug in Modern Web Browsers
A Google researcher has discovered a severe vulnerability in modern web browsers that could have allowed websites you visit to steal the sensitive content of your online accounts from other websites that you have logged into in the same browser.
Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages.
For security reasons, modern web browsers don't allow websites to make cross-origin requests to a different domain unless any domain explicitly allows it.
google  browser  bug  security  privacy 
26 days ago by rgl7194
How to Secure Your Home Router | The Mac Security Blog
A home router is your gateway to the Internet. When configured correctly to be secure, your home router can act as a first line of defense against network intruders. Configured incorrectly, however, and your router can be an open door allowing hackers and cyber-criminals to infiltrate your network and potentially access your computers and files.
Configuring a home router isn't complicated, but many people don't make needed changes to the default settings when they set up the device—and you might be one of them, but it's okay, we're here to help! Have you changed the default settings in your home router? When was the last time you checked your router settings to be sure it's as secure as can be? Follow along below, and we'll show you the main settings you can change right now to ensure your home router is secure and protects you from hackers.
security  privacy  internet  router  passwords  wi-fi  firmware 
26 days ago by rgl7194
The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers | Electronic Frontier Foundation
Browser fingerprinting is on a collision course with privacy regulations. For almost a decade, EFF has been raising awareness about this tracking technique with projects like Panopticlick. Compared to more well-known tracking “cookies,” browser fingerprinting is trickier for users and browser extensions to combat: websites can do it without detection, and it’s very difficult to modify browsers so that they are less vulnerable to it. As cookies have become more visible and easier to block, companies have been increasingly tempted to turn to sneakier fingerprinting techniques.
GDPR  privacy  security  browser  europe  fingerprint  tracking  EFF 
29 days ago by rgl7194
Army researchers find the best cyber teams are antisocial cyber teams | Ars Technica
High-performing blue teams are "purposive social systems"—they shut up and work.
Army researchers have discovered what experienced information security teams already know: actual human interaction isn't a key to success when you already know your role on the team.
At the National Cyberwatch Center's Mid-Atlantic Collegiate Cyber Defense Competition in March and April 2017, the team of researchers decided to conduct a study observing the competing teams. The CyberDawgs of the University of Maryland Baltimore County won the MACCDC before going on to win the Nationals a few weeks later. And like the other top-performing teams in the event, researchers discovered the CyberDawgs were able to coordinate and collaborate most effectively without leaving their keyboards.
military  cyber  security  competition 
4 weeks ago by rgl7194
Security Trade-Offs in the New EU Privacy Law — Krebs on Security
On two occasions this past year I’ve published stories here warning about the prospect that new European privacy regulations could result in more spams and scams ending up in your inbox. This post explains in a question and answer format some of the reasoning that went into that prediction, and responds to many of the criticisms leveled against it.
Before we get to the Q&A, a bit of background is in order. On May 25, 2018 the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.
security  privacy  GDPR  europe  gov2.0  krebs 
4 weeks ago by rgl7194
Who Is Afraid of More Spams and Scams? — Krebs on Security
Security researchers who rely on data included in Web site domain name records to combat spammers and scammers will likely lose access to that information for at least six months starting at the end of May 2018, under a new proposal that seeks to bring the system in line with new European privacy laws. The result, some experts warn, will likely mean more spams and scams landing in your inbox.
On May 25, the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.
In response, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — has proposed redacting key bits of personal data from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges (IP addresses).
internet  standards  security  privacy  data  GDPR  europe 
4 weeks ago by rgl7194
Here's the Status of Meltdown and Spectre Mitigations in Windows
Yesterday's Patch Tuesday release included fixes for the latest Spectre vulnerability, known as Spectre variant 4, or SpectreNG.
These patches are currently not available for all Windows versions, though, and all mitigations are disabled by default.
Only Windows 10, Windows Server 2016, Windows 7, and Windows Server 2008 R2 have received SpectreNG patches.
Meltdown and Spectre patching is a mess
Furthermore, because of a constant stream of Meltdown and Spectre patching that has been going on for the last six months, it's been getting harder and harder for users to keep track of what patches they've received, what patch needs manual intervention, and which ones cause issues.
To help system administrators with these confusing issues, Microsoft published a table yesterday that contains the status of each of the Meltdown and Spectre patches it released since January 3, this year.
meltdown_spectre  browser  bug  cpu  javascript  linux  mac  privacy  security  windows 
4 weeks ago by rgl7194
Think You’ve Got Your Credit Freezes Covered? Think Again. — Krebs on Security
I spent a few days last week speaking at and attending a conference on responding to identity theft. The forum was held in Florida, one of the major epicenters for identity fraud complaints in the United States. One gripe I heard from several presenters was that identity thieves increasingly are finding ways to open new mobile phone accounts in the names of people who have already frozen their credit files with the big-three credit bureaus. Here’s a look at what may be going on, and how you can protect yourself.
Carrie Kerskie is director of the Identity Fraud Institute at Hodges University in Naples. A big part of her job is helping local residents respond to identity theft and fraud complaints. Kerskie said she’s had multiple victims in her area recently complain of having cell phone accounts opened in their names even though they had already frozen their credit files at the big three credit bureaus — Equifax, Experian and Trans Union (as well as distant fourth bureau Innovis).
credit_freeze  credit_report  equifax  identity_theft  privacy  security 
4 weeks ago by rgl7194
Detecting Laptop Tampering - Schneier on Security
Micah Lee ran a two-year experiment designed to detect whether or not his laptop was ever tampered with. The results are inconclusive, but demonstrate how difficult it can be to detect laptop tampering.
security  privacy  computers  research 
4 weeks ago by rgl7194
Computer Alarm that Triggers When Lid Is Opened - Schneier on Security
"Do Not Disturb" is a Macintosh app that sends an alert when the lid is opened. The idea is to detect computer tampering.
Wired article:
Do Not Disturb goes a step further than just the push notification. Using the Do Not Disturb iOS app, a notified user can send themselves a picture snapped with the laptop's webcam to catch the perpetrator in the act, or they can shut down the computer remotely. The app can also be configured to take more custom actions like sending an email, recording screen activity, and keeping logs of commands executed on the machine.
Can someone please make one of these for Windows?
apps  mac  security  privacy 
4 weeks ago by rgl7194
Securing Elections - Schneier on Security
Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them.
Today, we conduct our elections on computers. Our registration lists are in computer databases. We vote on computerized voting machines. And our tabulation and reporting is done on computers. We do this for a lot of good reasons, but a side effect is that elections now have all the insecurities inherent in computers. The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper.
security  privacy  election  gov2.0  politics 
4 weeks ago by rgl7194
HTTP Injector Apps Are Becoming a Popular Method to Obtain Free Internet Access
"HTTP injector" apps traded in public Telegram channels are becoming a popular method of gaining free Internet access on mobile devices.
Such apps work by modifying HTTP headers on network requests with malicious code that tricks "captive portals" into giving the user access to the Internet.
Captive portals are the temporary web pages that some mobile telcos or private WiFi networks show users when trying to access the Internet, sometimes asking for a password or urging the user to recharge his SIM card's credit.
HTTP/S  free  internet  hack  security  privacy 
4 weeks ago by rgl7194
The Digital Security Exchange Is Live - Schneier on Security
Last year I wrote about the Digital Security Exchange. The project is live:
The DSX works to strengthen the digital resilience of U.S. civil society groups by improving their understanding and mitigation of online threats.
We do this by pairing civil society and social sector organizations with credible and trustworthy digital security experts and trainers who can help them keep their data and networks safe from exposure, exploitation, and attack. We are committed to working with community-based organizations, legal and journalistic organizations, civil rights advocates, local and national organizers, and public and high-profile figures who are working to advance social, racial, political, and economic justice in our communities and our world.
If you are either an organization who needs help, or an expert who can provide help, visit their website.
Note: I am on their advisory committee.
digital  security 
4 weeks ago by rgl7194
Dot-cm Typosquatting Sites Visited 12M Times So Far in 2018 — Krebs on Security
A story published here last week warned readers about a vast network of potentially malicious Web sites ending in “.cm” that mimic some of the world’s most popular Internet destinations (e.g. espn[dot]cm, aol[dot]cm and itunes[dot].cm) in a bid to bombard visitors with fake security alerts that can lock up one’s computer. If that piece lacked one key detail it was insight into just how many people were mistyping .com and ending up at one of these so-called “typosquatting” domains.
On March 30, an eagle-eyed reader noted that four years of access logs for the entire network of more than 1,000 dot-cm typosquatting domains were available for download directly from the typosquatting network’s own hosting provider. The logs — which include detailed records of how many people visited the sites over the past three years and from where — were deleted shortly after that comment was posted here, but not before KrebsOnSecurity managed to grab a copy of the entire archive for analysis.
URL  security  privacy  krebs 
4 weeks ago by rgl7194
Omitting the “o” in .com Could Be Costly — Krebs on Security
Take care when typing a domain name into a browser address bar, because it’s far too easy to fat-finger a key and wind up somewhere you don’t want to go. For example, if you try to visit some of the most popular destinations on the Web but omit the “o” in .com (and type .cm instead), there’s a good chance your browser will be bombarded with malware alerts and other misleading messages — potentially even causing your computer to lock up completely. As it happens, many of these domains appear tied to a marketing company whose CEO is a convicted felon and once self-proclaimed “Spam King.”
Matthew Chambers is a security professional and researcher in Atlanta. Earlier this month Chambers penned a post on his personal blog detailing what he found after several users he looks after accidentally mistyped different domains — such as espn[dot]cm.
Chambers said the user who visited that domain told him that after typing in he quickly had his computer screen filled with alerts about malware and countless other pop-ups. Security logs for that user’s system revealed the user had actually typed espn[dot]cm, but when Chambers reviewed the source code at that Web page he found an innocuous placeholder content page instead.
URL  security  privacy  krebs 
4 weeks ago by rgl7194
Lifting a Fingerprint from a Photo - Schneier on Security
Police in the UK were able to read a fingerprint from a photo of a hand:
Staff from the unit's specialist imaging team were able to enhance a picture of a hand holding a number of tablets, which was taken from a mobile phone, before fingerprint experts were able to positively identify that the hand was that of Elliott Morris.
Speaking about the pioneering techniques used in the case, Dave Thomas, forensic operations manager at the Scientific Support Unit, added: "Specialist staff within the JSIU fully utilised their expert image-enhancing skills which enabled them to provide something that the unit's fingerprint identification experts could work. Despite being provided with only a very small section of the fingerprint which was visible in the photograph, the team were able to successfully identify the individual."
photo  editing  security  police  uk  fingerprint 
4 weeks ago by rgl7194
How to Prevent Facebook Apps from Accessing Your Profile Information | The Mac Security Blog
If you've been following the news recently, you may have been surprised to discover that a data analysis company managed to scrape up information on some 50 million Facebook users without their knowledge. While this is not the first time Facebook has offered entities access to its data, the controversy in recent news deals with exactly how a consulting firm, Cambridge Analytica, obtained the data from Facebook.
A CNBC report says that Cambridge Analytica legally purchased the data from Aleksandr Kogan and his company, Global Science Research, which gathered the data through a Facebook app and a psychological test taken by Facebook users.
apps  facebook  privacy  security 
4 weeks ago by rgl7194
An accessible overview of Meltdown and Spectre, Part 2 | Trail of Bits Blog
This is the second half of our blog post on the Meltdown and Spectre vulnerabilities, describing Spectre Variant 1 (V1) and Spectre Variant 2 (V2). If you have not done so already, please review the first blog post for an accessible review of computer architecture fundamentals. This blog post will start by covering the technical details of Spectre V1 and Spectre V2, and conclude with a discussion of how these bugs lurked undetected for so long, and what we think the future holds.
Like Meltdown, the Spectre vulnerabilities rely on speculative execution and timing side channels to read memory without proper permission. The difference between Meltdown and Spectre is the method of operation and the potential impact — more computers are vulnerable to Spectre. Meltdown works by taking advantage of an asynchronous permissions check, and affects only Intel processors. Spectre works by tricking the branch predictor (Figure 1), and affects almost every processor released in the last 25 years.
meltdown_spectre  browser  bug  cpu  javascript  linux  mac  privacy  security  windows 
4 weeks ago by rgl7194
GreyKey iPhone Unlocker - Schneier on Security
Some details about the iPhone unlocker from the US company Greyshift, with photos.
Little is known about Grayshift or its sales model at this point. We don't know whether sales are limited to US law enforcement, or if it is also selling in other parts of the world. Regardless of that, it's highly likely that these devices will ultimately end up in the hands of agents of an oppressive regime, whether directly from Grayshift or indirectly through the black market.
It's also entirely possible, based on the history of the IP-Box, that Grayshift devices will end up being available to anyone who wants them and can find a way to purchase them, perhaps by being reverse-engineered and reproduced by an enterprising hacker, then sold for a couple hundred bucks on eBay.
iphone  privacy  security  USB  encryption  police  hack 
4 weeks ago by rgl7194
Police Can Now Access iPhone Data Using a Secretive Piece of Hardware - SecureMac
For several years now, a fierce debate has raged over how much access law enforcement organizations (LEOs) should be able to have to the mobile devices of those suspected of a crime. The issue made nationwide headlines after the San Bernardino attacks in 2015, when the FBI grappled with how to break into an iPhone used by one of the perpetrators. While the FBI did eventually retrieve device data by utilizing an unknown group to gain access to the phone’s encrypted contents, law enforcement agencies, in general, have maintained that they must have a “backdoor” to access info secured by your iPhone passcode. Apple has steadfastly refused to give in to such demands, but it appears that for now, those refusals don’t matter: LEOs can now use a pricey piece of hardware called GrayKey.
Developed and maintained by a very small Georgia-based company called Greyshift LLC, apparently led by a former engineer for Apple, GrayKey is a small black box with two Lightning cables for connecting suspect iPhones. After a few minutes of connection to the GrayKey box, one simply has to disconnect the cables and wait for the software to work.
iphone  privacy  security  USB  encryption  police  hack 
4 weeks ago by rgl7194
Apple confirms security lockdown of Lightning port in iOS 12 | iLounge News
Apple has confirmed plans to tighten security in iOS 12 to block the use of external hacking devices such as Grayshift’s GrayKey box by locking down the Lightning port on iOS devices, Reuters reports. A feature recently discovered in iOS 11.4 was designed to prevent the Lightning port from accepting USB device connections when nothing had been connected in seven days, and after the first iOS 12 beta came out, it was discovered that the feature had been adjusted to reduce the time limit down to a mere one hour — meaning that when connecting a USB device to an iPhone running iOS 12, users will be prompted to unlock their iPhone unless a USB device has already been connected in the past hour. While Apple had previously been silent on the issue, this week an Apple spokesperson confirmed to Reuters that the feature is being implemented, but clarified that the move is being undertaken to protect all customers, and not specifically to thwart law enforcement efforts, as some have suggested.
encryption  ios12  iphone  privacy  security  USB 
4 weeks ago by rgl7194
New iPhone OS May Include Device-Unlocking Security - Schneier on Security
iOS 12, the next release of Apple's iPhone operating system, may include features to prevent someone from unlocking your phone without your permission:
The feature essentially forces users to unlock the iPhone with the passcode when connecting it to a USB accessory every time the phone has not been unlocked for one hour. That includes the iPhone unlocking devices that companies such as Cellebrite or GrayShift make, which police departments all over the world use to hack into seized iPhones.
"That pretty much kills [GrayShift's product] GrayKey and Cellebrite," Ryan Duff, a security researcher who has studied iPhone and is Director of Cyber Solutions at Point3 Security, told Motherboard in an online chat. "If it actually does what it says and doesn't let ANY type of data connection happen until it's unlocked, then yes. You can't exploit the device if you can't communicate with it."
encryption  ios12  iphone  privacy  security  USB 
4 weeks ago by rgl7194
'iTunes Wi-Fi Sync' Feature Could Let Attackers Hijack Your iPhone, iPad Remotely
Be careful while plugging your iPhone into a friend's laptop for a quick charge or sharing selected files.
Researchers at Symantec have issued a security warning for iPhone and iPad users about a new attack, which they named "TrustJacking," that could allow someone you trust to remotely take persistent control of, and extract data from your Apple device.
Apple provides an iTunes Wi-Fi sync feature in iOS that allows users to sync their iPhones to a computer wirelessly. To enable this feature, users have to grant one-time permission to a trusted computer (with iTunes) over a USB cable.
itunes  wi-fi  sync  trust  security  privacy 
4 weeks ago by rgl7194
Apple macOS Bug Reveals Passwords for APFS Encrypted Volumes in Plaintext
A severe programming bug has been found in the APFS file system for the macOS High Sierra operating system that exposes passwords of encrypted external drives in plain text.
Introduced two years ago, APFS (Apple File System) is an optimized file system for flash and SSD-based storage solutions running MacOS, iOS, tvOS or WatchOS, and promises strong encryption and better performance.
Discovered by forensic analyst Sarah Edwards, the bug leaves the encryption password for a newly created APFS volume (e.g., encrypting USB drive using Disk Utility) in the unified logs in plaintext, as well as while encrypting previously created but unencrypted volumes.
"Why is this a big deal? Well, passwords stored in plaintext can be discovered by anyone with unauthorized access to your machine, and malware can collect log files as well and send them off to someone with malicious intent," Edwards said.
10.13  APFS  bug  encryption  macOS  passwords  privacy  security 
4 weeks ago by rgl7194
Internet Safety Month: How to protect your child's privacy online - Malwarebytes Labs | Malwarebytes Labs
June marks the beginning of summer. It is also National Internet Safety Month.
This is the perfect time to remind vacationers that while it is essential to check that everything you need is packed and ready for a trip, it is equally vital for the family to take steps in securing their devices and their online footprint. We’re talking about managing online privacy and reputation—for you and especially for your children.
So to celebrate Internet Safety Month, we’ll be pushing out a two-part series tackling the concepts mentioned above. In part 1, we’ll be talking about online privacy geared toward kids and teens. So parents and guardians, whip out that pen and paper—or a note-taking app, if you like—and start taking notes.
internet  safety  children  security  privacy  howto 
4 weeks ago by rgl7194
Tips for safe summer travels: your cybersecurity checklist - Malwarebytes Labs | Malwarebytes Labs
Summer is just around the corner in the Northern Hemisphere, and with it comes vacation plans for many. Those looking to take some time away from work and home are likely making plans to secure their home, have their pets taken care of, and tie up loose ends at work. But how about securing your devices and your data while you’re away? Here are some things to take into consideration if you want to have a trip free of cyber worries.
privacy  security  travel  technology  wi-fi  passwords  backup  malware  charger  cables  gadgets 
4 weeks ago by rgl7194
All New Privacy and Security Features Coming in macOS 10.14 Mojave
At Worldwide Developer Conference 2018 on Monday, Apple announced the next version of its macOS operating system, and it's called Mojave.
Besides introducing new features and improvements of macOS 10.14 Mojave—like Dark Mode, Group FaceTime, Dynamic Desktop, and Finder—at WWDC, Apple also revealed a bunch of new security and privacy features coming with the next major macOS update.
Apple CEO Tim Cook said the new features included in Mojave are "inspired by pro users, but designed for everyone," helping you protect from various security threats.
Here's a list of all macOS Mojave security and privacy features...
macOS  10.14  preview  security  privacy  WWDC 
4 weeks ago by rgl7194
Why iOS 12 Is Huge for Security and Privacy | The Mac Security Blog
Apple held its yearly Worldwide Developers Conference (WWDC) keynote on Monday, June 4, 2018. Apple's CEO Tim Cook, SVP of Software Engineering Craig Federighi, and other Apple executives and engineers took the stage to share what's coming in the next versions of iOS, watchOS, tvOS, and macOS.
There are some great new consumer-oriented features in each operating system, from Memoji to Walkie-Talkie to Zero Sign-on to Desktop Stacks. But as a security researcher and journalist, what stood out to me was something that probably barely registered for most people watching the keynote.
ios12  security  privacy  WWDC 
4 weeks ago by rgl7194
macOS Mojave: What’s New in Security and Privacy Features | The Mac Security Blog
At Apple's Worldwide Developers Conference (WWDC) keynote on Monday, June 4, 2018, Apple executives and engineers took the stage to share what's coming in the next versions of macOS, iOS, watchOS, and tvOS.
Among other things, Apple announced a new version of its Mac operating system, macOS Mojave 10.14, which includes some nifty new consumer-oriented features including Dark Mode and Desktop Stacks.
While macOS Mojave has a lot of great new features, this article will specifically focus on the new security and privacy features coming soon to Macs near you.
But before we get to the good stuff… first, the bad news.
macOS  10.14  security  privacy  WWDC 
4 weeks ago by rgl7194
A cure for the common cold call: freeze them out - Malwarebytes Labs | Malwarebytes Labs
The phone rings and it’s a number I don’t recognize. That’s enough to bring my mood down a few degrees. It shouldn’t, but unfortunately experience has taught me that at least 95 percent of the calls from numbers that are “private” or that I don’t have an account name stored for on my phone are so-called cold calls.
A cold call is an unsolicited visit or telephone call made by someone trying to sell goods or services. These goods or services don’t necessarily need to have any real value, so cold calling can also include tech support scammers trying to convince you they work for Microsoft and happen to know that your computer is having problems.
Recently, phone numbers that look vaguely familiar have been showing up on my phone. This is because scammers have found out how to spoof telephone numbers that appear to be from the same area code as the victim. This phenomenon is called neighbor spoofing, and it’s the latest strategy being used by scam artists in an attempt to get people to answer the phone.
So what can you do about these annoying and sometimes dangerous calls? Here are a few tips on how to handle and protect yourself from cold calls.
spam  robocalls  security  privacy  do_not_call  telemarketing 
4 weeks ago by rgl7194
The 600+ Companies PayPal Shares Your Data With - Schneier on Security
One of the effects of GDPR -- the new EU General Data Protection Regulation -- is that we're all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here's a good visualization of that data.
Is 600 companies unusual? Is it more than average? Less? We'll soon know.
privacy  paypal  data  sharing  security  GDPR 
4 weeks ago by rgl7194
The digital entropy of death: link rot - Malwarebytes Labs | Malwarebytes Labs
Hot on the heels of a grim blog about digital death comes…another blog about digital death. Except in this case, the recently deceased would be the links that tie the web together, otherwise known as link rot.
Link rot is a weird thing. Say I blog for Puppy Chow and I write an article about the best dog shows. For one of my examples, I link to an article with the URL “fabulous-puppy-show.html.” Since I’m Puppy Chow, my product has a decent shelf-life and my blog sticks around for a while. But now, if readers stumble upon that original Puppy Chow article and click on my example link, they land on a page about “Top 10 laptops of 2018.” What gives?
death  digital  privacy  security  URL 
4 weeks ago by rgl7194
The digital entropy of death: what happens to your online accounts when you die - Malwarebytes Labs | Malwarebytes Labs
Unless you’re planning on having your mind jammed inside some sort of computer chip, eventually mortality will catch up and you’re going to have to work out what you’ll do with all of your online accounts. When it’s time to shuffle off this mortal coil, you might, theoretically, be slightly annoyed if someone is using your dormant accounts to spam viagra or fake Twitter apps. The sad reality is, when we go, we leave behind a potentially terrifying amount of accounts lying around in the digital ether, and not all of them may be as secure as one would like.
Even if they’re locked down with multiple security steps, someone could break into a database and pilfer insecure information from the back end. We have the very odd situation of there being a digital zombie sleeper army, ready and willing to come back and cause all sorts of security/spam issues worldwide.
Is there anything we can do about it? Can relatives ensure we don’t come back as some sort of bizarre cyber-horror? Do websites and services have any process in place for this strange new world of accounts that are, to coin a phrase, just taking a nap?
Surprisingly, help is at hand more often than not. First, though, we need to have a think about some sort of tally.
data  security  privacy  digital  death  legal 
4 weeks ago by rgl7194
The state of Mac malware - Malwarebytes Labs | Malwarebytes Labs
Mac users are often told that they don’t need antivirus software, because there are no Mac viruses. However, this is not true at all, as Macs actually are affected by malware, and have been for most of their existence. Even the first well-known virus—Elk Cloner—affected Apple computers rather than MS-DOS computers.
In 2018, the state of Mac malware has evolved, with more and more threats targeting these so-called impervious machines. We have already seen four new Mac threats appear. The first of these, OSX.MaMi, was discovered on our forums by someone who had had his DNS settings changed and was unable to change them back.
mac  malware  privacy  security 
4 weeks ago by rgl7194
Cyber is Cyber is Cyber
If you’re in the business of safeguarding data and the systems that process it, what do you call your profession? Are you in cybersecurity? Information security? Computer security, perhaps? The words we use, and the way in which the meaning we assign to them evolves, reflects the reality behind our language. If we examine the factors that influence our desire to use one security title over the other, we’ll better understand the nature of the industry and its driving forces.
Until recently, I’ve had no doubts about describing my calling as an information security professional. Yet, the term cybersecurity is growing in popularity. This might be because the industry continues to embrace the lexicon used in government and military circles, where cyber reigns supreme. Moreover, this is due to the familiarity with the word cyber among non-experts.
cyber  security 
4 weeks ago by rgl7194
Leaked NSA Dump Also Contains Tools Agency Used to Track Other Hackers
A year ago when the mysterious hacking group 'The Shadow Brokers' dumped a massive trove of sensitive data stolen from the US intelligence agency NSA, everyone started looking for secret hacking tools and zero-day exploits.
A group of Hungarian security researchers from CrySyS Lab and Ukatemi has now revealed that the NSA dump doesn't just contain zero-day exploits used to take control of targeted systems, but also includes a collection of scripts and scanning tools the agency uses to track operations of hackers from other countries.
According to a report published today by the Intercept, NSA's specialized team known as Territorial Dispute (TeDi) developed some scripts and scanning tools that help the agency to detect other nation-state hackers on the targeted machines it infects.
gov2.0  hack  NSA  privacy  security  shadow_brokers  spying  wikileaks 
4 weeks ago by rgl7194
How to Fight Mobile Number Port-out Scams — Krebs on Security
T-Mobile, AT&T and other mobile carriers are reminding customers to take advantage of free services that can block identity thieves from easily “porting” your mobile number out to another provider, which allows crooks to intercept your calls and messages while your phone goes dark. Tips for minimizing the risk of number porting fraud are available below for customers of all four major mobile providers, including Sprint and Verizon.
Unauthorized mobile phone number porting is not a new problem, but T-Mobile said it began alerting customers about it earlier this month because the company has seen a recent uptick in fraudulent requests to have customer phone numbers ported over to another mobile provider’s network.
security  mobile  privacy  krebs  cellphones 
4 weeks ago by rgl7194
Allergic to Phish – Recognizing Phishing Messages
While phishing-related malware is still mostly Windows targeting, attacks that rely purely on social engineering and fake web sites might be delivered by any platform, including smartphones and tablets. The more cautious you are, the better informed you are, and the more you think before you click, the more chance you have of leaving phishing craft stranded.
This is an updated and expanded version of advice that I’ve given many times in blog articles, white papers and conference papers. I’m not resurrecting it with reference to any particular phish (though I’m seeing an interesting selection of Apple-ID-targeting phishing mails at the moment), but because in the course of a conversation I had on a social media site, I promised to generate an update: sadly, there’s a continuing need for (hopefully) reliable advice on phishing.
Note that phishing is by no means restricted to email messages, but most of the advice given here also applies to other messaging media such as direct messaging in social media and instant messaging applications. Then there are telephone scams, but they probably deserve an article of their own, given the range of unpleasantness they cover.
The hope here is that the advice given here will make it a little easier to recognize a probable phish message. It’s probably inevitable that I’ll offer more information than some people will want – it’s an occupational hazard among security professionals – but there’s a summary of the most important points in the Conclusion. However, the more detailed content should be of use to people and organizations using this material as the basis for educational and training initiatives, for instance.
phishing  security  privacy  malware 
4 weeks ago by rgl7194
AppleID phish, and how to recognize phish messages | Mac Virus
My long-time mate Roger Thompson at Thompson Cyber Security Labs has flagged a Pretty good Apple phish worth noting. (Not good in a good way!) Some phishing attacks are laughably amateur, but as Roger says, this one is likely to catch a few people out.
He includes a number of screenshots of an attack aimed at AppleID users: the original email message warns of an ‘issue’ with payment. If you click the link – you know not to click on login links embedded in messages, right?* – it takes you to a pretty good facsimile of the AppleID site.
If you view that screenshot on a small screen like a cellphone, you may not be able to read the URL properly, but a closer look reveals that it’s not, in fact, Be aware, though, that there are ways of spoofing a URL so that it really does look like the real site in the browser.
appleID  phishing  security  privacy 
4 weeks ago by rgl7194
E-Mail Leaves an Evidence Trail - Schneier on Security
If you're going to commit an illegal act, it's best not to discuss it in e-mail. It's also best to Google tech instructions rather than asking someone else to do it:
One new detail from the indictment, however, points to just how unsophisticated Manafort seems to have been. Here's the relevant passage from the indictment. I've bolded the most important bits...
So here's the essence of what went wrong for Manafort and Gates, according to Mueller's investigation: Manafort allegedly wanted to falsify his company's income, but he couldn't figure out how to edit the PDF. He therefore had Gates turn it into a Microsoft Word document for him, which led the two to bounce the documents back-and-forth over email. As attorney and blogger Susan Simpson notes on Twitter, Manafort's inability to complete a basic task on his own seems to have effectively "created an incriminating paper trail."
If there's a lesson here, it's that the Internet constantly generates data about what people are doing on it, and that data is all potential evidence. The FBI is 100% wrong that they're going dark; it's really the golden age of surveillance, and the FBI's panic is really just its own lack of technical sophistication.
email  legal  security  privacy 
4 weeks ago by rgl7194
Visa: EMV Cards Cut Down Counterfeit Card Fraud in the US by 70%
Visa said last week that two years after US retailers started deploying terminals that could read chip-based credit and debit cards, reports of counterfeit card fraud have dropped by 70%.
While modern chip-based payment cards —also known as EMV (Europay, MasterCard, Visa) cards after the three organizations that promoted the new technology— are the standard payment card issued in most regions of the globe, the US has always lagged behind.
The reasons are many, but most banks and retailers cited that it would be more costly to issue new EMV cards and replace classic magnetic strip payment terminals with modern devices that could also accept EMV cards.
credit_cards  security  chip  fraud 
4 weeks ago by rgl7194
Apple Is Testing a Feature That Could Kill Police iPhone Unlockers - Motherboard
Apple’s new security feature, USB Restricted Mode, is in the iOS 12 Beta, and it could kill the popular iPhone unlocking tools for cops made by Cellebrite and GrayShift.
This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it. Follow along here.
On Monday, at its Worldwide Developers Conference, Apple teased the upcoming release of the iPhone’s operating system, iOS 12. Among its most anticipated features are group FaceTime, Animoji, and a ruler app.
But iOS 12’s killer feature might be something that’s been rumored for a while and wasn’t discussed at Apple’s event. It’s called USB Restricted Mode, and Apple has been including it in some of the iOS beta releases since iOS 11.3.
iphone  security  privacy  ios12  encryption  USB 
5 weeks ago by rgl7194
Daring Fireball: Apple Is Testing a Feature That Could Kill Police iPhone Unlockers
Lorenzo Franceschi-Bicchierai, reporting for Motherboard:
But iOS 12’s killer feature might be something that’s been rumored for a while and wasn’t discussed at Apple’s event. It’s called USB Restricted Mode, and Apple has been including it in some of the iOS beta releases since iOS 11.3.
The feature essentially forces users to unlock the iPhone with the passcode when connecting it to a USB accessory every time the phone has not been unlocked for one hour. That includes the iPhone unlocking devices that companies such as Cellebrite or GrayShift make, which police departments all over the world use to hack into seized iPhones.
I love this feature. So clever.
iphone  security  privacy  ios12  encryption  daring_fireball  USB 
5 weeks ago by rgl7194
Daring Fireball: FBI Repeatedly Overstated Encryption Threat Figures to Congress, Public
Devlin Barrett, reporting for The Washington Post...
Even if the accurate number really was 7,800, it wouldn’t change the fact that adding backdoors to phones would be a disaster for security and privacy. The number really doesn’t matter. But the fact that they overstated it by a factor of 6 makes the FBI look really bad. I’m not saying they lied, but I think it’s unlikely they would have undercounted the number of phones by a factor of 6.
daring_fireball  iphone  FBI  security  privacy  encryption 
5 weeks ago by rgl7194
‘Too inconvenient’: Trump goes rogue on phone security - POLITICO
The president has kept features at risk for hacking and resisted efforts by staff to inspect the phones he uses for tweeting.
President Donald Trump uses a White House cellphone that isn’t equipped with sophisticated security features designed to shield his communications, according to two senior administration officials — a departure from the practice of his predecessors that potentially exposes him to hacking or surveillance.
The president, who relies on cellphones to reach his friends and millions of Twitter followers, has rebuffed staff efforts to strengthen security around his phone use, according to the administration officials.
gov2.0  hillary  iphone  politics  privacy  security  trump  twitter 
5 weeks ago by rgl7194
Daring Fireball: ‘Too Inconvenient’
Eliana Johnson, Emily Stephenson, and Daniel Lippman, reporting for Politico:
The president uses at least two iPhones, according to one of the officials. The phones — one capable only of making calls, the other equipped only with the Twitter app and preloaded with a handful of news sites — are issued by White House Information Technology and the White House Communications Agency, an office staffed by military personnel that oversees White House telecommunications.
While aides have urged the president to swap out the Twitter phone on a monthly basis, Trump has resisted their entreaties, telling them it was “too inconvenient,” the same administration official said.
I don’t get it — surely it wouldn’t be inconvenient at all for Trump. It’s not like he’d be the one setting up the new phones.
Anyway, I’m sure everyone who was outraged by Hillary Clinton’s email practices will be just as outraged by this.
trump  gov2.0  daring_fireball  hillary  security  privacy  politics  iphone  twitter 
5 weeks ago by rgl7194
WWDC18: Presents from Apple - AgileBits Blog
Hello everyone! It’s WWDC week and a large portion of the 1Password development team is here in San Jose basking in the glow of this year’s Apple’s Worldwide Developer Conference. For me it’s my first time coming to WWDC since it was last held in San Francisco two years ago, and I absolutely love it. The conference center itself is gorgeous, and the surrounding area is wonderful. Somehow I’m finding it easier to run into folks I know, and I’ve already caught up with a bunch of old friends and made a number of new ones since I’ve arrived.
WWDC is much more than a place for me to stretch the wings of my social butterfly tendencies, however; it’s all about new tech, and boy oh boy did Apple hook us up this year. Many of us are already rocking iOS 12 and macOS Mojave on our main devices and computers and they are awesome. Not only that, but 1Password is running quite happily on iOS 12 and needs just a couple small tweaks on macOS Mojave.
1password  passwords  privacy  security  ios12  macOS  10.14 
5 weeks ago by rgl7194
FBI Admits It Inflated Number of Supposedly Unhackable Devices | Electronic Frontier Foundation
We’ve learned that the FBI has been misinforming Congress and the public as part of its call for backdoor access to encrypted devices. For months, the Bureau has claimed that encryption prevented it from legally searching the contents of nearly 7,800 devices in 2017, but today the Washington Post reports that the actual number is far lower due to "programming errors" by the FBI.
Frankly, we’re not surprised. FBI Director Christopher Wray and others argue that law enforcement needs some sort of backdoor “exceptional access” in order to deal with the increased adoption of encryption, particularly on mobile devices. And the 7,775 supposedly unhackable phones encountered by the FBI in 2017 have been central to Wray’s claim that their investigations are “Going Dark.” But the scope of this problem is called into doubt by services offered by third-party vendors like Cellebrite and Grayshift, which can reportedly bypass encryption on even the newest phones. The Bureau’s credibility on this issue was also undercut by a recent DOJ Office of the Inspector General report, which found that internal failures of communication caused the government to make false statements about its need for Apple to assist in unlocking a seized iPhone as part of the San Bernardino case.
FBI  privacy  security  encryption  hack  gov2.0  politics  EFF  smartphone 
6 weeks ago by rgl7194
1Password 7 for Mac
This is a big update for 1Password on the Mac. Not only does the application look great but one of my favorite features is getting a lot more useful: Secure notes now support Markdown formatting!
I have a lot of secure notes in 1Password. I don't just need to know passwords, I need to know the details about restarting servers once I log in. I need to know details about my family that extend beyond birthdays. Notes are great in 1Password and I'm confident that they are secure between my devices. With my 1Password family plan, I can also share those with my family with ease and be sure they are secured on their end too.
1password  mac  privacy  security  passwords 
6 weeks ago by rgl7194