Facebook is working on improving face verification software, an alternative to fingerprints for verifying someone’s identity.
Security
Duolingo, reCAPTCHA, and a magnificent piece of crowdsourcing
Luis Von Ahn is a computer science professor at Carnegie Mellon University, but is perhaps best known as the creator of the free language learning app Duolingo, Apple’s 2013 iPhone app of the year.
Interestingly, Luis Von Ahn was part of the team that created CAPTCHA:
In the early years of his Ph.D. study, von Ahn had helped his advisor, CMU computer science professor Manuel Blum, develop a handy identity verification device known as a CAPTCHA. Think of those distorted words you’re asked to translate after attempting to log into your email too many times to verify that you’re human. Those are CAPTCHAs. Initially invented to help keep spambots out of chat rooms, these tests are effective because computers have a difficult time reading distorted text, while people are rather good at it.
What Von Ahn did next was a real stroke of genius.
How Apple fares at the annual Pwn2Own exploit festival
From the annual Pwn2Own exploit festival, held in Vancouver, the details on Safari takedown.
The evolution of malware in the Android marketplace
The Android malware universe is becoming as sophisticated as, say, the credit card resale black market. This creature is evolving. That’s scary.
The black market for prestige Twitter handles
If you’ve got a one word or, even more to the point, a one letter Twitter name, there’s a good chance there’s someone who wants it even more and will do anything they can to get it.
There was a lot of press recently about Twitter user @N, the hijacking of his name and, ultimately, his Twitter account being returned to him.
The linked article digs into the motivations for theft of Twitter handles and talks about the people who take them.
Phishing using plain-text emails
Phishing is typically done using HTML that lets someone hide a malicious link in an email disguised as a legitimate link. Read the post to see how this has been countered, then repacked. Good info to know.
Google locking down approval process for Chrome add-ons
This might seem like an obscure change in a small part of the Google universe, but it might just be signaling a sea change in Google’s stance on the apps and add-on approval process.
Google has been talking up the auto-removal of unsanctioned extensions since November, when the company characterized the policy as a security necessity, claiming that “bad actors” were using loopholes to continue installing malicious add-ons without user approval or knowledge.
Kaspersky Lab reports top 20 mobile malware threats are all Android based
A total of 99.9% of new mobile threat detections target the Android platform.
How to minimize the harm from the theft of your Mac
If you own a Mac, this is well worth reading.
My residence was recently broken into (the alarm malfunctioned on entry and only went off as the thieves left) and two Mac laptops were taken. Luckily, I have good insurance and had an up to date Time Machine backup.
Over the past week, I’ve learned some additional things I could have done to prepare for this eventuality. My house had also been broken into ten years ago.
Here’s a summary of what you should do to prepare your Macs right now for the possibility of theft. It won’t eliminate theft but it will greatly reduce the damage from such events and make it more likely that your device will return to you.
One thing that I did not know was how easy Apple has made it to encrypt your external backup drive. Here’s a link to show you how to do that.
Good stuff.
Apple releases security patch via iOS 7.0.6
This is a security patch for an SSL verification bug. There are three different patches, one for iPhone 4, iPod touch (5th gen) and iPad 2 and later, one for Apple TV, and one for earlier devices. Links in the post.
Security breach at Kickstarter
Kickstarter breach this past Wednesday. Read the post for the full text of the email that went out.
Android Flappy Bird malware and other balmy behavior
Attempts to sell, rent, and infect you back to Flappy Bird (un)happiness.
iOS 7 Bug allows disabling of Find My iPhone without AppleID password
As the video in the post shows, there’s a bug in iOS 7.0.4 that allows anyone with access to your iPhone to disable Find My iPhone. Obviously, this disables the ability to track your iPhone if it is stolen.
Welcome to Sochi. Bam, you’re hacked. How real is this scenario?
A video warning all Sochi Olympic visitors that their electronics will be immediately hacked as soon as they turn them on has been circulating widely. The video and analysis are in the post.
Google Chrome allows malicious sites to eavesdrop via your computer mic
I have always been a little paranoid about my computer’s web cam and microphone. Here’s yet another reason why.
A user visits a site that uses speech recognition to offer some cool new functionality. The site asks the user for permission to use his mic, the user accepts, and can now control the site with his voice. Chrome shows a clear indication in the browser that speech recognition is on, and once the user turns it off, or leaves that site, Chrome stops listening. So far, so good.
But what if that site is run by someone with malicious intentions?
Most sites using Speech Recognition choose to use secure HTTPS connections. This doesn’t mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication that you are being listened to, and that the site can’t start listening to you in background windows that are hidden to you.
When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden popunder window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there.
To make matters worse, even if you do notice that window (which can be disguised as a common banner), Chrome does not show any visual indication that Speech Recognition is turned on in such windows – only in regular Chrome tabs.
This is scary.
Digitally signed malware targeting Mac users
The mechanics of this particular scam are fairly sophisticated. Most readers would be cautious enough to avoid this trap, but even so, this is worth a read.
Chinese internet traffic redirected to small Wyoming house
On Tuesday, most of China’s 500 million Internet users were unable to load websites for up to eight hours. Nearly every Chinese user and Internet company, including major services like Baidu and Sina.com, was affected.
Starbucks caught storing mobile passwords in the clear
Are you kidding me, Starbucks?
The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.
Reddit thread on hardening/securing OS X Mavericks
Take a look and, if you’ve got some experience in this area, add to the thread.
World of Warcraft new domain for intelligence gathering
Fascinating article in today’s NY Times.
Google employees lash out at NSA
A pair of Google Inc employees involved with the internet company’s security systems have publicly lashed out at the National Security Agency, with one of the employees accusing the organization of subverting the law by intercepting communications on cables linking Google’s various data centers.
Anti-hacking checklist for other folks in your company
This is a useful starting point if your company does not yet have an anti-hacking security procedure in place. Even if you know every one of these, odds are good that there are plenty of folks you know who have never given these steps a first thought, let alone a second.
Any suggestions for additions/changes to the list?
CNET’s adware
I hate companies that do stuff like this.
Snoop-proofing the NSA’s Macs
Back in 2010 the NSA published “Hardening Tips for Mac OS X 10.6 ‘Snow Leopard’” (PDF), a terse, two-page pamphlet recommending a series of security precautions. The agency hasn’t updated that pamphlet for more recent versions of OS X—so I thought I’d do so in the agency’s stead.
Some security tips and explanations.
Facebook “picture delete” hack details
A 21-year-old communications engineer and self-professed security enthusiast named Arul Kumar, from India, is about to get his second bounty from Facebook for pointing out a flaw in the system. This one was pretty interesting.
Basically, the hacker uses the support dashboard to request the removal of a photo from someone’s account. During the request process, the hacker has access to the photo owner’s Profile_id. Change the Profile_id to the hacker’s own id and the request is sent to the hacker instead of the owner. The hacker approves the request and the photo is deleted.
This movie is from Arul’s blog post. Good job, Arul.
Video: “Delete any Photo from Facebook by Exploiting Support Dashboard”, from Arul Kumar.V on Vimeo.
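The flaw described above is an authorization bug: the server routed the removal request to whatever Profile_id the client supplied. The following is an added example, not Facebook’s code, that models the flawed flow beside a hardened one in which the recipient is derived from the photo record on the server; the photo store, request object and handler names are all hypothetical.

```python
# Added example, not Facebook's code: the support-dashboard bug described above
# is an authorization flaw where the server trusted a client-supplied Profile_id.
# The photo store, request object and handlers are all hypothetical.
from dataclasses import dataclass


@dataclass
class Photo:
    photo_id: int
    owner_id: int
    deleted: bool = False


@dataclass
class RemovalRequest:
    photo_id: int
    recipient_id: int  # the user who is asked to approve the removal


def sample_photos():
    # Constructed data: photo 101 belongs to user 7; user 99 plays the reporter.
    return {101: Photo(photo_id=101, owner_id=7)}


def create_request_vulnerable(photos, photo_id, profile_id_from_client):
    """Flawed flow: the approval goes to whatever Profile_id the client sent."""
    if photo_id not in photos:
        return None
    return RemovalRequest(photo_id, profile_id_from_client)


def create_request_fixed(photos, photo_id, profile_id_from_client):
    """Hardened flow: the recipient comes from the photo record on the server;
    the client value is compared only so that tampering can be refused and logged."""
    photo = photos.get(photo_id)
    if photo is None or profile_id_from_client != photo.owner_id:
        return None
    return RemovalRequest(photo_id, photo.owner_id)


def approve(photos, request, approver_id, recheck_owner=True):
    """Deletes the photo if the approver is the request's recipient. With
    recheck_owner the approver must also still be the owner on record, so even
    a mis-routed request cannot delete someone else's photo."""
    photo = photos.get(request.photo_id)
    if photo is None or approver_id != request.recipient_id:
        return False
    if recheck_owner and approver_id != photo.owner_id:
        return False
    photo.deleted = True
    return True
```

The second ownership check in approve is the defence-in-depth step: even if request creation is ever mis-routed again, the approval stage refuses anyone who is not the owner on record.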
New York Times web site under attack
The New York Times’ website is down from what appears to be a “malicious external attack,” according to an official Times statement posted to its Facebook page. The Atlantic Wire reports that the paper’s domain has reportedly been in and out of service since 3PM EST, when it first became unavailable. The attack seems to be the work of the Syrian Electronic Army (SEA), a group of hackers that claims to be promoting the Assad regime. The Times has been reporting on the recent Syrian chemical attacks, which may have attracted the SEA’s attention.
Appears to be up as of this writing.
Apple and security as a service
Ben Bajarin:
By owning all the key components from designing the system-on-chip, to the hardware and software security layers, the operating system, the hardware itself, and the underlying cloud framework, Apple is uniquely positioned to create a security solution unlike many others.
Reward raised for man who hacked Zuckerberg’s Facebook page
A man who hacked into Mark Zuckerberg’s Facebook page to expose a software bug is getting donations from hackers around the world after the company declined to pay him under a program that normally rewards people who report flaws.
Wonder why Facebook is not paying him under their bug bounty program.