The linked article picks up some of the more important (and to some, chilling) things embedded in that license agreement you agreed to when you signed up for Facebook, all with highlighted quotes from Facebook’s Statement of Rights and Responsibilities.
Security
Declared dead just a month ago, Gameover Zeus botnet reanimated using Android and Windows
From Apple Insider:
Last July, a U.S. Government report titled “Threats to Mobile Devices Using the Android OS” warned that Android “continues to be a primary target for malware attacks due to its market share and open source architecture,” and stated that this “makes it more important than ever to keep mobile OS patched and up-to-date.”
A year later, Google still reports that more than 53.4 percent of active Android users accessing Google Play are still using an “Ice Cream Sandwich,” “Gingerbread” or other editions of Android prior to 4.2 that still “have a number of security vulnerabilities that were fixed in later versions.”
A good read with lots of follow-up links.
Apple’s official response to China’s location security accusations
This past Friday, we posted a story titled China labels iPhone a security threat. Apple responded to the Chinese broadcaster’s accusations in a well-crafted post on their site.
Here’s the full English-language post from Apple’s web site:
Your Location Privacy
Apple is deeply committed to protecting the privacy…
New TSA rule requires you to charge your device before going through security. Sometimes.
A news story you’ll see bouncing around the blogs this morning says you’ll need to charge your devices before you can get through security. In other words, make sure your phone can boot or you’ll have to leave it behind.
Close, but not quite right.
Washington Post rolls out secure, Tor-based mechanism to protect their sources
The Washington Post is taking steps to isolate their sources from their normal means of data collection, protecting both the Post and the source from any audits that might pick up their IP address or other identifying information.
Nearly all digital communications can leave a trail. The Washington Post’s SecureDrop is designed to minimize these digital trails using best practices, such as…
Beware the IMSI catcher
Newsweek:
Call it the “IMSI catcher” war, with the acronym standing for International Mobile Subscriber Identity. Every device that communicates with a cell tower—mobile phone, smartphone or tablet—has one. What StingRay (manufactured by Florida-based Harris Corp.) and its competitors do is act like a cellphone tower, drawing the unique IMSI signals into their grasp.
DDoS ransom attacks steadily increasing
New York Times:
For several months, the Federal Bureau of Investigation has been investigating a wave of so-called denial-of-service, or DDoS attacks, against web start-ups. In each case, attackers knock their victims offline using a flood of traffic and refuse to stop until victims pay their ransom in Bitcoins.
Among the businesses targeted in the initial wave of attacks were Vimeo, the video-sharing company; Meetup, a company that connects groups offline; Basecamp, a project management software company; Bit.ly, the link-shortening service; Shutterstock, the stock photography agency, and MailChimp, the email marketing provider. In nearly every case, the amount demanded was typically low, in the $300 range. And in some cases, one security consultant said, the victims paid the ransom.
Feedly back up after 3rd wave of DDoS attacks
Here’s the scoop on what happened. Let’s hope that this adventure is in the past. This business just makes me angry.
Ongoing denial of service ransom attack crippling Feedly
From the Feedly blog:
Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort us money to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can.
Wave of Australian iOS devices held for ransom via Find My iPhone hack
Sydney Morning Herald:
One iPhone user, a Fairfax Media employee in Sydney, said she was awoken at 4am on Tuesday to a loud “lost phone” message that said “Oleg Pliss” had hacked her phone. She was instructed to send $50 to a PayPal account to have it unlocked.
Microsoft, a National Security letter, and a gag order
Microsoft explains what happened when they received a National Security letter from the FBI. Fascinating read.
Facebook’s left turn on privacy
Privacy concerns (AKA, Facebook sticking its nose in all my business) are one of several reasons I walked away from the platform more than a year ago.
Facebook is worried that you will start sharing less – or maybe even move to more anonymous services – unless it helps you better manage your private information. On Thursday, the company announced that it would give a privacy checkup to every one of its 1.28 billion users worldwide.
Is Facebook truly taking privacy more seriously?
Apple issues fix for hidden /Users folder
Remember that discussion about the hidden (for some) /Users folder that came with the release of OS X 10.9.3? Well, it turns out the issue was really with Thursday’s coinciding release of iTunes 11.2.
Check your Mac for an update this morning. The update (to iTunes 11.2.1) restored my /Users folder to its former glorious visibility.
Who’s got your back? Apple, that’s who.
From the EFF report, Protecting Your Data From Government Requests:
Apple earned credit in all 6 categories in this year’s Who Has Your Back report. Apple’s rating is particularly striking because it had lagged behind industry competitors in prior years, earning just one star in 2011, 2012, and 2013. Apple shows remarkable improvement in its commitments to transparency and privacy.
Google, Facebook, Microsoft and Twitter, among others, also got the same rating as Apple.
Symantec: “Antivirus is dead”
Hackers are finding new techniques that are beyond the grasp of antivirus software. You might think that Symantec was throwing in the towel. But no, they’ve got a new strategy. Interesting read.
Internet Explorer exploit makes 26% of the world’s browsers vulnerable
Sounds to me like this is a very large exploit (impacts IE version 6 through 11) that is currently active, being used in attacks. If you use Windows, the quickest fix is to switch to another browser, at least until …
How to outguess passwords
Think you know how to generate a secure password? Do you follow your own advice?
This is a thoughtful look at the process of guessing people’s passwords. Well written, an enjoyable read, and I learned a few things along the way.
Lost your iPhone or iPad? Here’s what to do next
Follow the link to learn about Lost Mode and how to turn it on for your iOS device.
XKCD’s take on Heartbleed
Read the linked comic, then take a read of the How it works post from a few days ago. The XKCD comic is basically showing a series of GET requests and what happens when the requested data size doesn’t match the actual data size.
Test your favorite sites to see if they are susceptible to Heartbleed attack
Follow the link to the site, then type in your favorite URL. The site will attempt to send the malformed Heartbeat request to your URL and report on what comes back.
How the Heartbleed vulnerability works
I’ve been reading about the Heartbleed bug, trying to understand how it does what it does, how a hacker could use the vulnerability to gain access to your data.
If you have not heard of Heartbleed, read this, which was posted last night.
Read the main post for my ham-handed attempt at explaining how this vulnerability works.
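The three Heartbleed items above all come down to one check: the heartbeat handler echoes back as many bytes as the request’s length field claims, without comparing that claim to the size of the record it actually received. The C program below is an added example (not code from the original post, XKCD, or OpenSSL) that simulates the bug and the fix inside a fixed in-process buffer, so the over-read stays within memory the program owns. The record layout (one type byte, a two-byte big-endian payload length, the payload, then padding), the 16-byte minimum padding, and the sample secret are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory. The incoming heartbeat record is placed at the
 * start, and data belonging to some other connection (the "secret") is placed
 * directly after it, as it might be on a real heap. Everything stays inside
 * this array so the demo never performs a true out-of-bounds read. */
#define ARENA_SIZE 64
#define HB_HEADER   3   /* type (1 byte) + payload length (2 bytes, big-endian) */
#define HB_PADDING 16   /* minimum padding a heartbeat record must carry (assumed) */
static unsigned char arena[ARENA_SIZE];

/* Build a heartbeat request in the arena: header, the real payload, 16 bytes
 * of zero padding, then the adjacent secret. claimed_len is what the length
 * field says; the real payload length is strlen(payload). Returns the record
 * length (header + payload + padding), which is what the record layer knows. */
size_t build_arena(const char *payload, uint16_t claimed_len, const char *secret) {
    size_t real_len = strlen(payload);
    size_t record_len = HB_HEADER + real_len + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                  /* heartbeat request type */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, payload, real_len);
    /* padding is already zero; now the neighbouring data from another request */
    memcpy(arena + record_len, secret, strlen(secret));
    return record_len;
}

static uint16_t claimed_length(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: copies as many bytes as the peer's length field asks
 * for, never checking it against the record actually received. The clamp to
 * the arena exists only to keep this simulation memory-safe. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                 /* the bug: rec_len is ignored */
    size_t n = claimed_length(rec);
    if (n > out_cap) n = out_cap;
    if (n > ARENA_SIZE - HB_HEADER) n = ARENA_SIZE - HB_HEADER;
    memcpy(out, rec + HB_HEADER, n);               /* reads past the real payload */
    return n;
}

/* Fixed handler: the claimed payload plus header and padding must fit inside
 * the record that was actually received; otherwise the request is discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER) return 0;
    size_t n = claimed_length(rec);
    if (HB_HEADER + n + HB_PADDING > rec_len) return 0;
    if (n > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, n);
    return n;
}

/* Returns 1 if the secret appears anywhere in the bytes the handler echoed back. */
int response_leaks(const unsigned char *out, size_t n, const char *secret) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    const char *secret = "password=hunter2";      /* constructed sample value */
    /* The peer sends a 3-byte payload but claims it is 40 bytes long. */
    size_t rec_len = build_arena("hat", 40, secret);

    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: echoed %zu bytes, leaks secret: %d\n", n, response_leaks(out, n, secret));

    n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    printf("fixed:      echoed %zu bytes (0 = request discarded)\n", n);
    return 0;
}
```

The only difference between the two handlers is the one comparison against `rec_len`; with it, an honest request (length field matching the payload) is still answered normally, while a mismatched one is dropped rather than answered with whatever happened to sit next to the record in memory.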
A new phase in scamming: using your online photos
A new breed of scammer now lifts your online photos to create a fake online identity, using your real name. For example, they might use your photos to create a Facebook account, using your name. Someone who knows you might search for you, see the pictures, invite the fake account into a friendship, setting themselves up for a scam.
The scammers obviously know who you are, and block you from these accounts, making it difficult for you to detect them.
This is a fascinating read.
Access any Tesla S with only a 6 character password over the net
I don’t find this worrisome, since if someone wants access to a Tesla S, they’d find a way to break in. But I do find it interesting.
Tesla Motors Inc’s electric vehicles can be located and unlocked by criminals remotely simply by cracking a six-character password using traditional hacking techniques, according to newly released research.
Popular Google Play apps are hacked, secretly mining Bitcoins, Dogecoins, and Litecoins
Every time I read about Android and malware like this, I shudder at the thought of bringing an Android phone or tablet into my universe. I know Android is popular, but I just can’t get my head around why people seem not to care about this problem. Am I missing something?
One on one with a hacker – ShopTalk podcast host interviews hacker who took his identity
No embed code, so follow the headline link to listen. The hacker talks through the exact process he used to take over Chris Coyier’s web sites.
His fake name is “Earl Drudge”, an anagram of “Drug Dealer”. In early March 2014, he used some social engineering techniques and fake US federal documents to be granted full access to Chris’ servers. After missing the opportunity and a failed retaliation attempt, he posted sensitive personal information of Chris’ onto a site where not only can it never be removed, but any attempt to remove it gets it promoted.
Surreal.
Basecamp was under network attack this morning: A summary of two hellish hours
From a Basecamp blog post, in a lull from the denial-of-service attack earlier today:
Criminals attacked the Basecamp network with a distributed denial-of-service (DDoS) attack this morning. The attackers tried to extort us for money to make it stop. We refused to give in and worked with our network providers to mitigate the attack the best we could. Then, about two hours after the attack started, it suddenly stopped.
This really sucks.
BaseCamp in middle of denial of service attack
Are you a user of 37Signals’ Basecamp project management app? If so, things might be a little slow to respond this morning. From their Twitter account this morning at about 10am ET (US):
We are experiencing a DDoS attack. All apps may be slow to respond while we investigate. Stay tuned for updates.
Just FYI.
A drone that can hack into your phone?
This is really no different than the danger you face when you go out in any crowded public space. But that doesn’t mean the danger is not real. Pretty interesting.
How your tweets reveal your home location
Geotagged tweets and images can breach privacy walls and even cost lives:
But it also raises privacy issues, particularly when users are unaware, or forget that, their tweets are geotagged. Various celebrities are thought to have given away their home locations in this way. And in 2007, four Apache helicopters belonging to the US Army were destroyed by mortars in Iraq when insurgents worked out their location using geotagged images published by American soldiers.
EA Games website hacked to steal Apple IDs
No way to verify this (at least not yet) but take extra care if you find yourself heading over to the EA Games site.