Last week we examined how Lenovo was under fire for including "Superfish" malware in the company's consumer-grade laptops. The malware in question hijacked encrypted Web sessions and -- because the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine -- made Lenovo users vulnerable to HTTPS man-in-the-middle attacks that should be relatively easy for attackers to carry out.
Lenovo was quick to issue a flimsy mea culpa and pull the software from its products, but subsequent investigations have found numerous other examples of software that uses the HTTPS-breaking technology made by IT firm Komodia.
The U.S. Department of Homeland Security has issued a warning that notes numerous parental control outfits have also embedded the technology, as have some privacy and security firms including Lavasoft, which used the certificate in the company's web inspection software Ad-Aware Web Companion and the alpha testing version of AdBlocker. Lavasoft was quick to state that it has removed the offending software from all of its products, but not before taking a PR beating:
Prior to the public announcement of the security vulnerability, and upon consultation with our partners and evaluation of the risks/benefits to our end-users, Lavasoft took the decision to remove the functionality and eliminate the deployment of the root CA certificate to inspect traffic. Although Lavasoft’s most recent release of Ad-Aware Web Companion (released on February 18th 2015) removed this functionality and was not supposed to contain the SSL Digestor; it was determined that trace elements of the Komodia SSL Digestor were still present.
Again, the software effectively uses man-in-the-middle attacks to break HTTPS connections for the purpose of injecting advertisements.
The latest Edward Snowden-fueled scoop from The Intercept indicates that the NSA and overseas intelligence allies hacked into the networks of the world's largest manufacturer of SIM cards to obtain encryption keys, effectively undermining phone security for users worldwide. According to the full, must-read report, the hack of Netherlands-based Gemalto took place sometime before 2010.
Lenovo is taking heat for pre-installing man-in-the-middle adware by the name of Superfish on many of the company's computers. According to Ars Technica, the Superfish malware hijacks encrypted Web sessions and -- because the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine -- makes Lenovo users vulnerable to HTTPS man-in-the-middle attacks that should be relatively easy for attackers to carry out:
As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package.
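The Superfish and Komodia items above both come down to the same trust-store problem: a self-signed root CA was added to the machine's trusted roots, and its private key lived on the same machine so the software could mint certificates for any site on the fly. A genuine public root never ships its private key to end-user devices, so a trusted root whose private key is present locally is the tell-tale sign of a local TLS interceptor, whatever it is named. The following PowerShell check is an added example written for this page, not code from the article, Lenovo, Komodia or Lavasoft; it assumes a Windows host with the standard `Cert:` provider, and the names "Superfish" and "Komodia" are taken from the text above purely as labels, since the private-key test is the real signal.

```powershell
# Added example (not from the article): list trust anchors on this Windows machine that
# look like local TLS interceptors. The heuristic is that a self-signed root certificate
# in a trusted-root store whose private key is present locally is exactly what
# Superfish/Komodia-style software leaves behind, because the interceptor has to sign
# forged site certificates on the box itself.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Names mentioned in the article; only a label, the private-key test below is the real check.
$knownNames = @('Superfish', 'Komodia')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        $nameMatch  = $knownNames | Where-Object { $cert.Subject -like "*$_*" }

        # Flag a root that is self-signed AND has a private key on this machine, or that
        # carries one of the names above.
        if (($selfSigned -and $cert.HasPrivateKey) -or $nameMatch) {
            [PSCustomObject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
                Reason        = if ($nameMatch) { 'known interceptor name' } else { 'root CA with local private key' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No suspicious trust anchors found in $($stores -join ', ')"
}
```

Two caveats when reading the output. First, the private-key heuristic also fires on legitimate local interceptors such as corporate inspection proxies or developer debugging proxies, so each hit needs a human decision rather than automatic removal. Second, this only covers the Windows certificate stores; Firefox keeps its own trust store, so a machine can look clean here and still trust an injected root in the browser.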
Verizon's MyFiOS Android app contained a bug that exposed some Verizon customer information and could allow a hacker to view customer e-mails and send e-mails from those accounts. Randy Westergren, senior software developer with XDA-Developers, states in a blog post that the bug has existed since at least June 2013, when the app was created.
An international survey of Internet users polled 23,376 Internet users in 24 countries, and found that Edward Snowden and his leaks have had a profound global impact on security awareness. The survey found that 60% of Internet users have heard of Edward Snowden, and 39% of those "have taken steps to protect their online privacy and security as a result of his revelations."
Security guru Bruce Schneier complains that many in the media have been downplaying those numbers and shouldn't be, since they show that roughly 700 million people have taken steps to improve their security practices:
I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)
The survey also found that:
• 83% of users believe that affordable access to the Internet should be a basic human right;
• two thirds (64%) of users are more concerned about online privacy today than they were one year ago; and,
• when given a choice of various governance sources to effectively run the world-wide Internet, a majority (57%) chose the multi-stakeholder option—a “combined body of technology companies, engineers, non-governmental organizations and institutions that represent the interests and will of ordinary citizens, and governments."
That last bit in particular suggests that the NSA's activities can be thanked for an uptick in global concern about ICANN's US-centric approach to Internet governance. For years many countries have been pushing for a global coalition approach to Internet governance, most likely via the ITU.
A blog post at Symantec this week is turning heads after the team uncovered a new, previously undetected piece of malware that has been used for years to spy on government operations. Dubbed "Regin," the malware "displays a degree of technical competence rarely seen," Symantec states, which explains how it remained largely undetected since it arrived on the scene back in 2008.
The Electronic Frontier Foundation last week filed a petition with the Librarian of Congress and the Copyright Office to extend and expand six different exemptions to the DMCA, covering everything from the right to bypass car DRM to the right to continue tinkering with games no longer supported by their developers. In a blog post, the EFF notes the group also urged the Librarian of Congress “to extend and expand the exemption that allows you to ‘jailbreak’ your phone from those restrictions, without running afoul of the Digital Millennium Copyright Act (DMCA).”
In January of last year unlocking your cellphone technically became illegal after the Librarian of Congress removed it from the DMCA exemption list.
Security researchers at Google this week unveiled that they've found a new "POODLE" vulnerability in SSL 3.0 that allows an attacker to calculate the plaintext of encrypted communications. The Google announcement (complete with a Zappa reference most won't get) notes that while SSL 3.0 is almost 15 years old (and supplanted by Transport Layer Security), it's still commonly in use as a browser fallback option when other protocol versions fail.
AT&T is warning some customers in Vermont that an AT&T employee improperly accessed the personal information of a limited but unspecified number of AT&T customers. "We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization in August 2014, and while doing so, would have been able to view and may have obtained your account information including your social security number and driver’s license number," AT&T says in the letter (pdf) posted to the Vermont Attorney General's website (via Threat Post). AT&T is promising one year of free credit monitoring to impacted customers.
While most large incumbent ISPs have rushed head-first into the home security and home automation market, few of those companies have been willing to specify how many users have signed up for such services -- suggesting they're not yet seeing quite the uptake they'd like. One other threat has now arisen for ISPs looking to be home security experts: lawsuits.
Over the years we've seen a number of ISPs and even hotels run into user backlash and PR problems when they've decided to use deep packet inspection and ad injection to force their ads into user content. Many users don't like any ISP hijacking of site code, much less advertising injection -- especially if users aren't being told the system is being used.
By now I'm sure you've all heard the various horror stories about how your web browsing activities are being spied upon and stored. This has included government agencies, web site trackers, and possibly even your ISP.
A report over at ProPublica breathlessly proclaims this week that there's a new advertising and tracking system that's "virtually impossible to block." The technology, being developed by a company called AddThis, utilizes something called "canvas fingerprinting." Canvas fingerprinting, first discussed in a 2012 paper by Keaton Mowery and Hovav Shacham (pdf), uses your computer's unique graphics rendering capabilities (graphics card, browser, driver variant) to track your movements across the Internet -- without storing any data locally.
Reliability of canvas fingerprinting has been somewhat iffy, especially on wireless networks (where device hardware and software are far more uniform), and large-scale Internet use is far off if it happens at all.
A notice being sent to more than 500 AT&T users informs them that "intruders" managed to view their personal information, including social security numbers and dates of birth, back in April. Unlike most intruders they weren't trying to steal personal information; they were AT&T vendors pretending to be customers simply so they could unlock user phones, notes the letter.
In what's not exactly a ringing endorsement of Comcast's real-time monitoring for its security services, the Consumerist notes that Comcast failed to notice that an alarm system installed by the company hadn't been operational -- for seven years. Comcast didn't appear to have problems collecting payments for the service during those seven years, according to Houston's KPRC. Comcast offered a $20 credit for the inconvenience, and is quick to point out the user didn't adhere to the user agreement by testing the system on a regular basis.
One of the official webpages for the widely used TrueCrypt encryption program suddenly warned users this week that the decade-old encryption program is no longer safe to use. "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," the webpage warns visitors.
Late last year security researcher Eloi Vanderbeken exposed a backdoor in 24 different older DSL modem gateways made by both Netgear and Linksys that allowed an intruder to reset a machine's configuration and gain access to the device's administrative control panel. While the companies originally claimed the problem had been patched, Vanderbeken is back with a new report that notes the backdoor wasn't really patched -- it was simply hidden from view. Vanderbeken's full PowerPoint presentation (pdf) offers significantly more detail and insists that the backdoor isn't a coding error -- it's "deliberate."
Google executives and employees were a little annoyed at recent revelations that the NSA was hacking into data centers to grab user data, in addition to being given user data directly by the company. As such they've made it a priority to encrypt as much of the traffic moving between data centers as possible. Now a report by the Wall Street Journal suggests that, to speed up encryption adoption overall, the search giant is considering giving search result priority to websites that utilize encryption:
Google is considering giving a boost in its search-engine results to websites that use encryption, the engineer in charge of fighting spam in search results hinted at a recent conference...Cutts also has spoken in private conversations of Google’s interest in making the change, according to a person familiar with the matter. The person says Google’s internal discussions about encryption are still at an early stage and any change wouldn’t happen soon.
It seems fairly unlikely that this would ever come to fruition, given that while well-intentioned, it would compromise the purity of the results, something Google consistently professes to hold to a high standard.
Back in June of 2010, you might recall that a security hole in AT&T's website allowed two individuals to gain access to the e-mail addresses of 114,000 owners of 3G Apple iPads, including "dozens of CEOs, military officials, and top politicians." A group calling itself Goatse Security at the time claimed responsibility for the "hack," which in addition to e-mail addresses resulted in the group obtaining user ICC-IDs -- used to identify their specific iPad on the AT&T network. One of those two individuals responsible for obtaining the data was Andrew Auernheimer (aka "Weev"), an Internet-famous troll who was recently convicted of accessing a computer without authorization and identity fraud, and sentenced to serve 41 months in prison.
News emerged this week that the Internet's most popular implementation of the Transport Layer Security (TLS) protocol has contained a bug that allows a hacker to siphon all manner of private data, including passwords and authentication cookies, from many websites' server memory. Dubbed "Heartbleed" by the researchers who unveiled the massive bug this week, the vulnerability has major online service providers and websites scrambling to deploy a new patch.