Verizon's MyFioS Android App
contained a bug that exposed some Verizon customer information and could allow a hacker to view customer e-mails and send e-mails from those accounts. Randy Westergren, senior software developer with XDA-Developers, states in a blog post
that the bug has existed since at least June 2013 when the app was created. When tinkering with the app's communications coding, Westergren found it wasn't very hard to trick the app into showing him other users' e-mail accounts:
Altering the uid parameter and specifying another username shouldn’t have an effect, since I’m logged in and my session is maintained through my cookies. Amazingly, this was not the case. Substituting the uid with the username of another email account indeed returned the contents of their inbox. This was enough of an issue, but I immediately questioned whether the other API methods were affected.
He proceeds to note that sending e-mail as those other users
was a fairly trivial affair:
Using the same parameter substitution, one was able to read the email messages of other users. It was my suspicion that all of the API methods for this widget within the app were vulnerable. My last test was sending an outgoing message as another user. This request was also successful.
To their credit, Westergren states that Verizon was very responsive when he revealed the bug to them, and fixed it quickly. Westergren also got a free year of FiOS service for his efforts.
An international survey of Internet users
polled 23,376 Internet users in 24 countries, and found that Edward Snowden and his leaks have had a profound global impact on security awareness. The survey found that 60% of Internet users have heard of Edward Snowden, and 39% of those "have taken steps to protect their online privacy and security as a result of his revelations."
Security Guru Bruce Schneier complains that many in the media have been downplaying those numbers and shouldn't be
, since it shows roughly 700 million have taken steps to improve their security practices:
I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)
The survey also found that:
• 83% of users believe that affordable access to the Internet should be a basic human right;
• two thirds (64%) of users are more concerned today about online privacy than they were compared to one year ago; and,
• when given a choice of various governance sources to effectively run the world-wide Internet, a majority (57%) chose the multi-stakeholder option—a “combined body of technology companies, engineers, non-governmental organizations and institutions that represent the interests and will of ordinary citizens, and governments."
That last bit in particular suggests that the NSA's activities can be thanked for an uptick in global concern about ICANN's US-centric approach to Internet governance. For years many countries have been pushing for a global coalition approach to Internet governance, most likely via the ITU.
A blog post at Symantec
this week is turning heads after the team uncovered a new, previously undetected piece of malware that has been used for years to spy on government operations. Dubbed "Regin," Symatec states that the construction of the malware "displays a degree of technical competence rarely seen," resulting in the malware remaining largely undetected since it arrived on the scene back in 2008.
The Electronic Freedom Foundation last week filed a petition with the Librarian of Congress and the Copyright Office to extend and expand six different exemptions to the DMCA, covering everything from the right to bypass car DRM -- to the right to continue tinkering with games no longer supported by the developers. In a blog post
the EFF notes the group also urged the Librarian of Congress “to extend and expand the exemption that allows you to ‘jailbreak’ your phone from those restrictions, without running afoul of the Digital Millennium Copyright Act (DMCA).”
In January of last year unlocking your cellphone technically became illegal
after the Librarian of Congress removed it from the DMCA exception list.
Security researchers at Google this week unveiled that they've found a new "POODLE" vulnerability in SSL 3.0 that allows an attacker to calculate the plaintext of encrypted communications. According to the Google announcement
(complete with a Zappa reference most won't get), notes that while SSL 3.0 is almost 15 years old (and supplanted by Transport Layer Security), it's still commonly in use as a browser backup option when other protocol versions fail.
AT&T is warning some customers in Vermont that an AT&T employee improperly accessed the personal information of a limited but unspecified number of AT&T customers. "We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization in August 2014, and while doing so, would have been able to view and may have obtained your account information including your social security number and driver’s license number," AT&T says in the letter
(pdf) posted to the Vermont Attorney General's website (via Threat Post
). AT&T's promising one year of free credit monitoring to impacted customers.
While most large incumbent ISPs have rushed head-first into the home security and home automation market, few of those companies have been willing to specify how many users have signed up for such services -- suggesting they're not yet seeing quite the uptake they'd like. One other threat has now arisen for ISPs looking to be home security experts: lawsuits. story continues..
Over the years we've seen a number of ISPs
and even hotels
run into user backlash and PR problems when they've decided to use deep packet inspection and ad injection to force their ads into user content. Many users don't like any ISP hijacking of site code, much less advertising injection -- especially if users aren't being told the system is being used.
By now I'm sure you've all heard the various horror stories about how your web browsing activities are being spied upon and stored. This has included government agencies, web site trackers, and possibly even your ISP. story continues..
A report over at ProPublica
breathlessly proclaims this week that there's a new advertising and tracking system that's "virtually impossible to block." The technology, being developed by a company called AddThis
, utilizes something called "canvas fingerprinting." Canvas fingerprinting, first discussed in a 2012 paper by Keaton Mowery and Hovav Shacham
(pdf), uses your computer's unique graphics rendering capabilities (graphics card, browser, driver variant) to track your movements across the Internet --without storing any data locally.
Reliability of canvas fingerprinting has been somewhat iffy; especially on wireless networks (where device hardware and software is far more uniform), and large scale Internet use is far off if it happens at all.
A notice being sent to more than 500 AT&T users
informs them that "intruders" managed to view their personal information, including social security numbers and dates of birth, back in April. Unlike most intruders they weren't trying to steal personal information, they were AT&T vendors pretending to be customers simply so they could unlock user phones, notes the letter.
In what's not exactly a ringing endorsement of Comcast's real-time monitoring for their security services, the Consumerist
notes that Comcast failed to notice that an alarm system installed by the company hadn't been operational -- for seven years. Comcast didn't appear to have problems collecting payments for the service for those seven years according to Houston's KRPC
. Comcast offered a $20 credit for the inconvenience, and is quick to point out the user didn't adhere to the user agreement by testing the system on a regular basis.
One of the official webpages for the widely used TrueCrypt encryption program suddenly this week warned users that the decade-old encryption program is no longer safe to use. "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," the webpage warns visitors
Late last year security researcher Eloi Vanderbeken exposed a backdoor in a 24 different older DSL modem gateways
made by both Netgear and Linksys that allowed an intruder to reset a machine's configuration and gain access to the devices' administrative control panel. While the companies originally claimed the problem had been patched, Vanderbeken is back with a new report that notes the backdoor wasn't really patched -- it was simply hidden from view
. Vanderbeken's full Powerpoint presentation
(pdf) offers significantly more detail and insists that the backdoor isn't a coding error -- it's "deliberate."
Google executives and employees were a little annoyed
at recent revelations that the NSA was hacking into data centers to grab user data, in addition to being given user data directly by the company. As such they've made it a priority to encrypt as much of the traffic moving between data centers as possible. Now a report by the Wall Street Journal
suggests to speed up encryption adoption overall, the search giant is considering giving search result priority to websites that utilize encryption:
Google is considering giving a boost in its search-engine results to websites that use encryption, the engineer in charge of fighting spam in search results hinted at a recent conference...Cutts also has spoken in private conversations of Google’s interest in making the change, according to a person familiar with the matter. The person says Google’s internal discussions about encryption are still at an early stage and any change wouldn’t happen soon.
It seems fairly unlikely that this would ever come to fruition, given that while well-intentioned, it would compromise the purity of the results, something Google consistently professes to hold to a high standard.
Back in June of 2010
, you might recall that a security hole in AT&T's website allowed two individuals to gain access to the e-mail addresses of 114,000 owners of 3G Apple iPads, including "dozens of CEOs, military officials, and top politicians." A group calling itself Goatse Security at the time claimed responsibility for the "hack," which in addition to e-mail addresses resulted the group obtaining user ICC-IDs -- used to identify their specific iPad on the AT&T network.
One of those two individuals responsible for obtaining the data was Andrew Auernheimer (aka "Weev") an Internet-famous troll who was recently convicted of accessing a computer without authorization and identity fraud, and sentenced to serve 41 months in prison.
News emerged this week that the Internet's most popular implementation of the Transport Layer Security (TLS) protocol has contained a bug that allows a hacker to siphon all manner of private data, including passwords and authentication cookies, from many websites server memory. Dubbed "Heartbleed" by the researchers that unveiled the massive bug this week, major online service providers and websites are scrambling to deploy a new patch for the vulnerability. story continues..
With a growing number of ISPs playing content nanny (as seen in the "six strikes" copyright warning system), an equally growing number of users are turning to VPNs and proxies to hide their behavior from the ever-watchful eye of their Internet service provider. Others simply have on eye squarely fixed on true security. Torrent Freak has been taking an annual look
at which VPN services retain user information and logs, how they handle DMCA takedown notices, under which conditions they share user data with third parties, which payment systems they use and more. It's a pretty handy breakdown for VPN users and worth a read.
Snowden leaks had already indicated that the NSA had been busy hacking into Yahoo servers
(and Google, Microsoft), obtaining data via the back door in addition to PRISM data they were collecting up front. Now another Guardian release of Snowden documents
indicates that UK intelligence agency GCHQ, with help from the NSA, intercepted and stored webcam content from millions of Yahoo users, regardless of whether or not they had been suspected of any wrong doing:
GCHQ files dating between 2008 and 2010 explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not. In one six-month period in 2008 alone, the agency collected webcam imagery – including substantial quantities of sexually explicit communications – from more than 1.8 million Yahoo user accounts globally.
Yahoo, one of the few companies to try and stand up to PRISM data collection in court, unsurprisingly wasn't pleased with the revelations, calling project optic nerve "a whole new level of violation of our users' privacy."
A malicious worm has been detected on roughly 1,000 different Linksys branded routers, according to a statement from SANS ISC
. According to the report, "TheMoon" worm takes advantage of a CGI script within the administration interface of multiple Linksys’ E-Series router models. An exploit writer has published a proof of concept exploit
, also noting that some older Wireless-N access points and routers may also be impacted. "The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled," Linksys says. "Linksys ships these products with the Remote Management Access feature turned off by default."
·more stories, story search, most popular ..
Recent news contributors
, Bill Neilson