Security researchers at Google this week unveiled that they've found a new "POODLE" vulnerability in SSL 3.0 that allows an attacker to calculate the plaintext of encrypted communications. According to the Google announcement
(complete with a Zappa reference most won't get), notes that while SSL 3.0 is almost 15 years old (and supplanted by Transport Layer Security), it's still commonly in use as a browser backup option when other protocol versions fail.
Since a hacker can cause connection failures, they can force browsers to revert to SSL 3.0, at which point the latest attack comes into play, allowing man in the middle attacks such as intercepting supposedly secure data in transit over a Wi-Fi network. Recommends Google:
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Google says the company hopes to remove SSL 3.0 support completely from their client products in the coming months. There's some additional technical details available here
for those interested.
AT&T is warning some customers in Vermont that an AT&T employee improperly accessed the personal information of a limited but unspecified number of AT&T customers. "We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization in August 2014, and while doing so, would have been able to view and may have obtained your account information including your social security number and driver’s license number," AT&T says in the letter
(pdf) posted to the Vermont Attorney General's website (via Threat Post
). AT&T's promising one year of free credit monitoring to impacted customers.
While most large incumbent ISPs have rushed head-first into the home security and home automation market, few of those companies have been willing to specify how many users have signed up for such services -- suggesting they're not yet seeing quite the uptake they'd like. One other threat has now arisen for ISPs looking to be home security experts: lawsuits. story continues..
Over the years we've seen a number of ISPs
and even hotels
run into user backlash and PR problems when they've decided to use deep packet inspection and ad injection to force their ads into user content. Many users don't like any ISP hijacking of site code, much less advertising injection -- especially if users aren't being told the system is being used.
By now I'm sure you've all heard the various horror stories about how your web browsing activities are being spied upon and stored. This has included government agencies, web site trackers, and possibly even your ISP. story continues..
A report over at ProPublica
breathlessly proclaims this week that there's a new advertising and tracking system that's "virtually impossible to block." The technology, being developed by a company called AddThis
, utilizes something called "canvas fingerprinting." Canvas fingerprinting, first discussed in a 2012 paper by Keaton Mowery and Hovav Shacham
(pdf), uses your computer's unique graphics rendering capabilities (graphics card, browser, driver variant) to track your movements across the Internet --without storing any data locally.
Reliability of canvas fingerprinting has been somewhat iffy; especially on wireless networks (where device hardware and software is far more uniform), and large scale Internet use is far off if it happens at all.
A notice being sent to more than 500 AT&T users
informs them that "intruders" managed to view their personal information, including social security numbers and dates of birth, back in April. Unlike most intruders they weren't trying to steal personal information, they were AT&T vendors pretending to be customers simply so they could unlock user phones, notes the letter.
In what's not exactly a ringing endorsement of Comcast's real-time monitoring for their security services, the Consumerist
notes that Comcast failed to notice that an alarm system installed by the company hadn't been operational -- for seven years. Comcast didn't appear to have problems collecting payments for the service for those seven years according to Houston's KRPC
. Comcast offered a $20 credit for the inconvenience, and is quick to point out the user didn't adhere to the user agreement by testing the system on a regular basis.
One of the official webpages for the widely used TrueCrypt encryption program suddenly this week warned users that the decade-old encryption program is no longer safe to use. "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," the webpage warns visitors
Late last year security researcher Eloi Vanderbeken exposed a backdoor in a 24 different older DSL modem gateways
made by both Netgear and Linksys that allowed an intruder to reset a machine's configuration and gain access to the devices' administrative control panel. While the companies originally claimed the problem had been patched, Vanderbeken is back with a new report that notes the backdoor wasn't really patched -- it was simply hidden from view
. Vanderbeken's full Powerpoint presentation
(pdf) offers significantly more detail and insists that the backdoor isn't a coding error -- it's "deliberate."
Google executives and employees were a little annoyed
at recent revelations that the NSA was hacking into data centers to grab user data, in addition to being given user data directly by the company. As such they've made it a priority to encrypt as much of the traffic moving between data centers as possible. Now a report by the Wall Street Journal
suggests to speed up encryption adoption overall, the search giant is considering giving search result priority to websites that utilize encryption:
Google is considering giving a boost in its search-engine results to websites that use encryption, the engineer in charge of fighting spam in search results hinted at a recent conference...Cutts also has spoken in private conversations of Google’s interest in making the change, according to a person familiar with the matter. The person says Google’s internal discussions about encryption are still at an early stage and any change wouldn’t happen soon.
It seems fairly unlikely that this would ever come to fruition, given that while well-intentioned, it would compromise the purity of the results, something Google consistently professes to hold to a high standard.
Back in June of 2010
, you might recall that a security hole in AT&T's website allowed two individuals to gain access to the e-mail addresses of 114,000 owners of 3G Apple iPads, including "dozens of CEOs, military officials, and top politicians." A group calling itself Goatse Security at the time claimed responsibility for the "hack," which in addition to e-mail addresses resulted the group obtaining user ICC-IDs -- used to identify their specific iPad on the AT&T network.
One of those two individuals responsible for obtaining the data was Andrew Auernheimer (aka "Weev") an Internet-famous troll who was recently convicted of accessing a computer without authorization and identity fraud, and sentenced to serve 41 months in prison.
News emerged this week that the Internet's most popular implementation of the Transport Layer Security (TLS) protocol has contained a bug that allows a hacker to siphon all manner of private data, including passwords and authentication cookies, from many websites server memory. Dubbed "Heartbleed" by the researchers that unveiled the massive bug this week, major online service providers and websites are scrambling to deploy a new patch for the vulnerability. story continues..
With a growing number of ISPs playing content nanny (as seen in the "six strikes" copyright warning system), an equally growing number of users are turning to VPNs and proxies to hide their behavior from the ever-watchful eye of their Internet service provider. Others simply have on eye squarely fixed on true security. Torrent Freak has been taking an annual look
at which VPN services retain user information and logs, how they handle DMCA takedown notices, under which conditions they share user data with third parties, which payment systems they use and more. It's a pretty handy breakdown for VPN users and worth a read.
Snowden leaks had already indicated that the NSA had been busy hacking into Yahoo servers
(and Google, Microsoft), obtaining data via the back door in addition to PRISM data they were collecting up front. Now another Guardian release of Snowden documents
indicates that UK intelligence agency GCHQ, with help from the NSA, intercepted and stored webcam content from millions of Yahoo users, regardless of whether or not they had been suspected of any wrong doing:
GCHQ files dating between 2008 and 2010 explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not. In one six-month period in 2008 alone, the agency collected webcam imagery – including substantial quantities of sexually explicit communications – from more than 1.8 million Yahoo user accounts globally.
Yahoo, one of the few companies to try and stand up to PRISM data collection in court, unsurprisingly wasn't pleased with the revelations, calling project optic nerve "a whole new level of violation of our users' privacy."
A malicious worm has been detected on roughly 1,000 different Linksys branded routers, according to a statement from SANS ISC
. According to the report, "TheMoon" worm takes advantage of a CGI script within the administration interface of multiple Linksys’ E-Series router models. An exploit writer has published a proof of concept exploit
, also noting that some older Wireless-N access points and routers may also be impacted. "The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled," Linksys says. "Linksys ships these products with the Remote Management Access feature turned off by default."
In April of last year, wireless carriers and the government announced
that they'd be collaborating on building a new nationwide database to track stolen phones (specifically the IMEI number, not just the SIM card ID). The goal is to reduce the time that stolen phones remain useful, thereby drying up the market for stolen phones and reducing the ability of criminals to use the devices to dodge surveillance.
NBC has received a lot of attention this week for a story
that proclaims that visitors to the Sochi games will immediately find that every device they own -- from laptop to phone -- will be hacked immediately upon stepping outside at the games. NBC reporter Richard Engel worked with a "security expert" and claimed that, while sitting at a cafe in Russia, hackers had compromised his devices "before we even finished our coffee" -- "giving hackers the option to tap or even record my phone calls."
Except according to a blog post by Errata Security
, the story is "100% fabricated." Notes Errata's Robert Graham:
•They aren't in Sochi, but in Moscow, 1007 miles away.
For a long time Verizon was dead silent regarding their cooperation with the NSA, with the only public comment at one point being to mock Yahoo and Google
for demanding greater government transparency. Recently Verizon has been more chatty; issuing their first ever transparency report
, and even blogging about intelligence issues.
The government has reached a settlement with several of the nation's biggest Internet companies (Google, Facebook, Yahoo, Microsoft and Apple) which had (to various degrees) to be able to reveal more information on how many data requests they receive from government. While the government has allowed increased disclosure on national security letters (NSLs, or gag letters), companies have been restricted to only stating a range of numbers of such letters they've received (see Verizon's recent transparency report
·more stories, story search, most popular ..
Recent news contributors