Many of you may have read about, or even experienced firsthand, the recent DDoS attacks, especially if you have used popular sites such as Amazon, Pinterest, Tumblr, Netflix, Twitter, Reddit, and PayPal. From the users’ perspective, it may have looked like these sites were down. Some of you might even have participated in the attack, or so some would have you believe. So you might be wondering: just how responsible are you for this massive attack?
Let’s begin with what a DDoS attack is. Here’s a quick analogy I wrote on the topic back in 2014: Continue reading How Responsible Are Consumers for the Insecurity of IoT?
As many Americans have no doubt heard, probable 2016 presidential candidate Jeb Bush has publicly released a large number of e-mails from his tenure as Florida’s governor. Unfortunately, in their rush to release the e-mails, his staff neglected to redact sensitive information from his constituents such as real names, physical addresses, e-mail addresses, and Social Security numbers! According to the article, Bush’s staff is working on fixing the problem.
I’m not sure why anyone would include their Social Security numbers in an e-mail to their governor, but the incident reminds us that we may not always be the weakest link when a leak or breach occurs. This particular one may have been averted if senders had been more careful about including personal information in an e-mail to a public figure or if Bush’s staff had been more thorough, but there will be times when we have to send sensitive information or otherwise place it in the hands of another party, thus taking it out of our direct control. It is therefore not merely as individuals but as a society that we need to be more vigilant about our privacy and security.
Yesterday, the New York Times reported on flaws in the security and privacy of cars with wireless systems. The article was based on a report released today by the office of Ed Markey, a United States Senator for Massachusetts. The report is titled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers At Risk” and, as the title implies, focuses on the following two problems:
1. Wireless technologies allow hackers to “gain access and control to the essential functions and features of those cars.”
2. Other parties can “utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent.”
Continue reading Modern Cars With Wireless Systems Are A Threat to Privacy And Security
Researchers have developed a prototype of a “smart” keyboard that claims to be able to recognize its owner based on characteristics such as the pressure applied to keys and typing speed. The article hints that it may have applications for security, such as locking out someone else who knows the password but has a different typing style.
In a recent article, the New York Times has cast a spotlight on a new website called Hacker’s List, possibly a reference to the popular classified advertising site Craigslist. The website allows its clients to “Find professional hackers for hire.” Despite the use of the word “professional,” the types of jobs clients desire seem to be limited to relatively mundane, if illegal, activities. ZDNet gives several examples of job offers that were posted on the site, including the following:
$10-$350: Need some info and messages from a Facebook account. Other jobs to come if successful
$300-$600: I need a hacker to change my final grade, it should be done in a week.
$200-$300: Hack into a company email account. Copy all emails in that account. Give copies of the emails employer. Send spam emails confessing to lying and defamation of character to everyone in the email list.
Continue reading Hacker’s List: Personalizing the Enterprise of Hacking
Have you ever wondered whether you can trust the security of wireless keyboards? Samy Kamkar has released the schematic and source code for KeySweeper, a device that looks like a USB wall charger but claims the ability to intercept and decrypt all keystrokes from any Microsoft wireless keyboard in the area. If true, it would mean no Microsoft wireless keyboard is safe at the moment. The code is posted on GitHub, and according to Samy, a basic version of the device could be built for as little as $10. The device even features an internal battery, which means it could sniff keystrokes without even being plugged in.
A number of publications, including Ars Technica, have reported that Gogo is issuing fake HTTPS certificates to users visiting YouTube. HTTPS, when properly used, assures users that:
1. They are actually visiting the real site; YouTube in this case.
2. The communications between the visitor and the site, including passwords and cookies, are encrypted.
Ars Technica shows a screenshot of the fake certificate. It clearly shows that the issuer is Gogo rather than a Certificate Authority (CA) that the browser trusts; hence, the pop-up warning. Unfortunately,
Continue reading Gogo Issues Fake HTTPS Certificates
Remember this cyberattack on JPMorgan Chase? According to the New York Times, the intrusion may have been thwarted if the bank had installed a security fix that provided two-factor authentication to an overlooked server. The attack apparently began with the simple theft of the login credentials of a JPMorgan employee, but the newspaper gives no further details as to how those credentials were stolen.
Some articles appear to be misinterpreting
Continue reading What Really Caused the JPMorgan Chase Breach?
Over 100,000 WordPress sites have been compromised by malware called SoakSoak. According to security company Sucuri, the compromise occurred via a plugin called RevSlider. The developers of the plugin have been criticized for making automatic updates difficult.
According to Gizmodo, the malware only affects self-hosted sites; not sites hosted on WordPress.com. Furthermore, WordPress itself is not affected, so you shouldn’t be vulnerable just because you’re using WordPress; you had to have used a vulnerable version of the RevSlider plugin. If you think you might have been affected though, Sucuri provides some technical details here. Its instructions, however, could have been clearer. For example, they tell you to “remove all backdooors [sic],” but don’t provide any specific instructions on how to remove these backdoors. An article in The Guardian hints that one such backdoor may consist of new administrator users.
It seems even ICANN staffers aren’t immune to spear phishing attacks. See my old post for some tips on how to protect yourself against spear phishing.