LinkedIn Feature Exposes E-Mail Addresses

A few days ago, Brian Krebs wrote a blog post that details a method of obtaining the LinkedIn e-mail addresses of its existing users. The method exploits the way LinkedIn connects people. When you make a new LinkedIn account, you are allowed to upload a list of e-mail addresses, and if any of those e-mails matches the e-mail of a LinkedIn user, LinkedIn will show you the profiles of those users.

The problem is that LinkedIn has no way of knowing whether you actually know the individuals on your list. This lets spammers harvest e-mail addresses by uploading a list of guesses at addresses that might belong to celebrities. Because many people use their real names in their e-mail addresses, it isn’t surprising that at least some guesses are correct.

This exploit clearly highlights the danger in

eBay Flaw Leads to Password Harvesting

The BBC is reporting that eBay suffers from a security flaw that has existed for months. eBay has been criticized for not responding quickly enough.

The flaw causes users who click on listings to be redirected to a malicious, “password-harvesting” site. According to another article, the malicious site asks users for their eBay login and password. It is easy to fall for this scheme, because a user may simply assume they forgot to log in when they first started browsing eBay.

The ultimate responsibility for fixing this flaw lies with

Facebook Testing Yet Another Snapchat-Like Feature

Facebook is testing yet another feature that lets users set a time after which their status updates disappear. The feature is currently available only to certain people using the iOS app. Unlike Snapchat, which lets users set a time limit of at most 10 seconds for a photo, this new Facebook feature has a range of 1 hour to 7 days.

As Schneier argues, ephemeral messaging is very hard to get right. Thus, until we see evidence to the contrary, I would treat this new feature with as much skepticism as similar apps like Snapchat. This isn’t to say that ephemerality is inherently bad. The article does point out that “We need ephemeral apps, but we need credible assurances from the companies that they are actually secure and credible assurances from the government that they won’t be subverted.”

Until we do have secure ephemeral messaging, the best way to keep private information private is probably to refrain from posting or sending it in the first place. And regardless of how secure ephemeral messaging becomes, some messages just shouldn’t be posted at all. For example, unless you absolutely trust everyone on your friend list, a status update such as “I’m heading to Italy for a 2 week vacation” could be an invitation to burglarize your home. Does it matter that such a message disappears after 1 hour? The cat’s already out of the bag.

“Gmail” Passwords Compromised

Regarding the recent leak of 5 million “Gmail” passwords, Google denies that the company itself was hacked. More than one expert agrees with Google that the passwords were likely obtained from other sources. Therefore, if any of the passwords still work on Gmail, it is probably because people used the same passwords for Gmail as they did on other sites. Google also says it has required the users of affected accounts to reset their passwords.

In short, if you use different, strong passwords for every site, then you probably have little to worry about from this leak. If you don’t, this is another reminder to start doing so before a more serious breach happens.

Comcast Injected Ads Highlight One More Danger of Public Wi-Fi

Comcast has begun injecting ads into webpages accessed by users of its 3.5 million public Wi-Fi hotspots. With this action, Comcast joins the list of businesses (e.g. airports) that provide Wi-Fi service with ads.

The injection itself is done with JavaScript. Despite Comcast’s claim that it has “multiple layers of security ‘based on industry best practices,’” a staff member of the EFF says that even if Comcast has no malicious intent, and even if hackers never get access to the JavaScript, the interaction of the injected JavaScript with the website could create new security vulnerabilities. To prevent the ad injection, he recommends using HTTPS, which not all websites offer.

Another potential solution is to use a VPN, which encrypts all the traffic between you and the VPN provider instead of between you and the website.

I have not personally used one of these public hotspots, so take this with a grain of salt, but it may help to turn off all JavaScript while using the hotspot. Using a browser extension like NoScript probably won’t work because a normally trusted, unencrypted webpage with an ad injected will likely appear to be coming from the same trusted domain.
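To make the mechanism concrete, here is an added example (not Comcast’s or the EFF’s code) that simulates what an in-path proxy can do to a plaintext HTTP response, and then looks at the resulting page the way a per-domain script blocker would. The sample page, the ad snippet and the host names are constructed for the demonstration. The point it shows: the injected tag is an inline script with no `src`, so it is attributed to the page’s own domain; a blocker that allows or denies by domain has nothing to distinguish it by. With HTTPS the proxy sees only ciphertext and this rewrite is not possible at all.

```python
"""Simulated hotspot ad injection into cleartext HTTP, plus the browser-side
view that explains why a per-domain script blocker does not catch it.
Added example; not code from Comcast or the EFF. Sample page is constructed."""
import re
from urllib.parse import urlparse

CRLF = b"\r\n"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0], headers, body


def build_response(body: bytes, content_type: str = "text/html; charset=utf-8") -> bytes:
    """Constructed origin-server response with a correct Content-Length."""
    head = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def inject_script(raw: bytes, snippet: str) -> bytes:
    """What a transparent proxy on the hotspot can do to plaintext HTTP: append an
    inline <script> before </body> and fix Content-Length so the browser accepts
    the altered page. Non-HTML and compressed bodies are passed through untouched
    (a real injector would decompress first; this example does not)."""
    status, headers, body = parse_response(raw)
    if not headers.get("content-type", "").startswith("text/html"):
        return raw
    if "content-encoding" in headers:
        return raw
    tag = b"<script>" + snippet.encode() + b"</script>"
    idx = body.lower().rfind(b"</body>")
    new_body = body[:idx] + tag + body[idx:] if idx != -1 else body + tag
    head_lines = [status]
    for line in raw.partition(CRLF + CRLF)[0].split(CRLF)[1:]:
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(new_body)).encode()
        head_lines.append(line)
    return CRLF.join(head_lines) + CRLF + CRLF + new_body


SCRIPT_RE = re.compile(rb"<script\b([^>]*)>", re.I)
SRC_RE = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.I)


def classify_scripts(html: bytes, page_host: str):
    """Return (kind, src) for each <script>: 'inline', 'same-origin' or
    'third-party', i.e. the only information a domain-based allowlist has.
    The injected tag comes out as 'inline', attributed to page_host."""
    out = []
    for m in SCRIPT_RE.finditer(html):
        src = SRC_RE.search(m.group(1))
        if not src:
            out.append(("inline", None))
            continue
        url = src.group(1).decode()
        host = urlparse(url).hostname
        out.append(("same-origin" if host in (None, page_host) else "third-party", url))
    return out


# Constructed sample page and a harmless stand-in for the injected ad code.
SAMPLE_PAGE = (b'<html><head><script src="/app.js"></script></head>'
               b'<body><p>hello</p>'
               b'<script src="https://cdn.example.net/lib.js"></script>'
               b'</body></html>')
AD_SNIPPET = "document.body.insertAdjacentHTML('beforeend','<div>ad</div>')"


def demo():
    """Inject into the sample page and report what the blocker would see."""
    tampered = inject_script(build_response(SAMPLE_PAGE), AD_SNIPPET)
    _, headers, body = parse_response(tampered)
    return int(headers["content-length"]) == len(body), classify_scripts(body, "shop.example.com")


if __name__ == "__main__":
    print(demo())
```

Run it and the last script reported is `('inline', None)`: the browser has no origin for it other than the page itself, which is exactly the case the NoScript remark above describes.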

Apple Provides An Update on Celebrity Photo Hack

Apple has released a statement in which it denies that the recent celebrity photo hack resulted from a breach of iCloud or its Find My iPhone service. The company instead faults “a very targeted attack on user names, passwords and security questions.” Although Apple hasn’t yet detailed all the types of attacks that were used, at least one seems clear from its statement: hackers likely guessed the answers to poorly chosen security questions.

A well-chosen security question can

“Find My iPhone” Exploit Possibly Allowed Celebrity Photo Leak

Update (September 2, 2014): Apple has released a statement providing an update on the situation. I made a new post commenting on the situation here.

Over the past 12 hours, there has been a leak of celebrity photos. Programmers are speculating that the leak was caused by an exploit in the “Find My iPhone” service that allowed brute-forcing of passwords.

To brute-force a password means to try every single possible password until you find the correct one. Online servers have a number of mechanisms that can be used to stop brute-force attacks. For example, a server can limit the number of login attempts from each IP address. After, say,
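The per-IP limit just described, as an added example (not Apple’s code, and not a claim about how Find My iPhone actually worked): a sliding-window throttle that counts failed logins per source IP and, separately, per target account, driven by a simulated guesser working through a small constructed wordlist. The thresholds, account name and addresses are assumptions. It goes one step beyond the text to show the caveat a practitioner would want: a limit keyed only on IP address stops a single-source attacker but is bypassed by rotating addresses, so the account itself must be throttled as well.

```python
"""Sliding-window login throttling per IP and per account, exercised by a
simulated online password guesser. Added example; thresholds, names and
addresses are assumptions, not Apple's implementation."""
from collections import defaultdict, deque


class LoginThrottle:
    """Counts failed logins in the last window_s seconds, keyed by source IP and
    by target account. A request is allowed only if both counters are under
    their limits. Time is passed in explicitly so the simulation needs no sleep."""

    def __init__(self, max_per_ip=10, max_per_account=5, window_s=300):
        self.max_per_ip = max_per_ip
        self.max_per_account = max_per_account
        self.window_s = window_s
        self.by_ip = defaultdict(deque)
        self.by_account = defaultdict(deque)

    def _recent(self, dq, now):
        # Drop timestamps that have aged out of the window, then count the rest.
        while dq and dq[0] <= now - self.window_s:
            dq.popleft()
        return len(dq)

    def allowed(self, ip, account, now):
        return (self._recent(self.by_ip[ip], now) < self.max_per_ip
                and self._recent(self.by_account[account], now) < self.max_per_account)

    def record_failure(self, ip, account, now):
        self.by_ip[ip].append(now)
        self.by_account[account].append(now)


def brute_force(throttle, account, real_password, wordlist, ip_for_attempt,
                start=0.0, step=0.5):
    """Simulated online guessing: one attempt every `step` seconds, with the
    source address chosen by ip_for_attempt(i). The server only compares the
    password when the throttle lets the request through. Returns
    (found, attempts_served, attempts_rejected)."""
    served = rejected = 0
    for i, guess in enumerate(wordlist):
        now = start + i * step
        ip = ip_for_attempt(i)
        if not throttle.allowed(ip, account, now):
            rejected += 1
            continue
        served += 1
        if guess == real_password:
            return True, served, rejected
        throttle.record_failure(ip, account, now)
    return False, served, rejected


# Constructed wordlist; the correct password is deliberately the last entry.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "admin",
            "welcome", "monkey", "dragon", "sunshine", "princess", "football"]
ACCOUNT = "victim@example.com"      # assumed target account
REAL_PASSWORD = "football"


def single_ip_vs_ip_limit():
    """Per-IP limit only: one source address is cut off after 10 failures."""
    t = LoginThrottle(max_per_ip=10, max_per_account=10**9)
    return brute_force(t, ACCOUNT, REAL_PASSWORD, WORDLIST, lambda i: "203.0.113.7")


def rotating_ips_vs_ip_limit():
    """Per-IP limit only: a fresh address per attempt never trips it."""
    t = LoginThrottle(max_per_ip=10, max_per_account=10**9)
    return brute_force(t, ACCOUNT, REAL_PASSWORD, WORDLIST, lambda i: f"10.0.0.{i}")


def rotating_ips_vs_both_limits():
    """Per-IP and per-account limits: rotation no longer helps the attacker."""
    t = LoginThrottle(max_per_ip=10, max_per_account=5)
    return brute_force(t, ACCOUNT, REAL_PASSWORD, WORDLIST, lambda i: f"10.0.0.{i}")


if __name__ == "__main__":
    print("single IP, IP limit only:     ", single_ip_vs_ip_limit())
    print("rotating IPs, IP limit only:  ", rotating_ips_vs_ip_limit())
    print("rotating IPs, both limits:    ", rotating_ips_vs_both_limits())
```

The window also matters: counters that never expire turn the throttle into a denial-of-service tool against legitimate users, while a window that is too short lets a patient attacker pace guesses under the limit, which is why real deployments pair throttling with exponential backoff or lockout notification rather than relying on one counter.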