Category Archives: Computer Security

Shellshock Is Not One Bug, But A Family of Bugs

Over the past week or so, I’ve seen a lot of articles and blog posts about Shellshock, and many of them refer to Shellshock as a single bug, even though it is really a family of related bugs. Further confusion potentially resulted from reports that patches for the first bug were incomplete.

That the articles talk about Shellshock as if the name refers to only one bug doesn’t mean the articles are wrong. Continue reading Shellshock Is Not One Bug, But A Family of Bugs

Code with BadUSB Tricks Published on Github

Remember the major USB flaw demonstrated by Karsten Nohl about 2 months ago? Although Nohl never released the code he used in the demonstration, two other researchers have managed to perform the same tricks, and they’ve made their code publicly available on Github. Now anybody can use this code to perform attacks. The researchers say they released the code in an attempt to start the process whereby the security architecture of USB devices is fundamentally redesigned.

At the time Nohl first made his presentation, he gave Continue reading Code with BadUSB Tricks Published on Github

eBay Flaw Leads to Password Harvesting

The BBC is reporting that eBay suffers from a security flaw that has existed for months. eBay has been criticized for not responding quickly enough.

The flaw causes users who click on listings to be redirected to a malicious, “password-harvesting” site. According to another article, the malicious site asks users for their eBay login and password. It may be easy to fall prey to this scheme because you may think you forgot to log in when you first started browsing on eBay.

The ultimate responsibility for fixing this flaw lies with Continue reading eBay Flaw Leads to Password Harvesting

“Gmail” Passwords Compromised

In the recent leak of 5 million passwords, Google denies that the company itself was hacked. More than one expert agrees with Google that the passwords were likely obtained from other sources. Therefore, if any of the passwords still work on Gmail, it is probably because people used the same passwords for Gmail as they did on other sites. Google also says they have required the users of affected accounts to reset their passwords.

In short, if you use different, strong passwords for every site, then you probably have little to worry about from this leak. If you don’t, this is another reminder to start doing so before a more serious breach happens.

Comcast Injected Ads Highlight One More Danger of Public Wi-Fi

Comcast has begun injecting ads into webpages accessed by users using one of its 3.5 million public Wi-Fi hotspots. With this action, Comcast joins the list of businesses (e.g. airports) that provide Wi-Fi service with ads.

The injection itself happens using Javascript. Despite Comcast’s claim that they have “multiple layers of security ‘based on industry best practices,'” a staff member of the EFF says even if Comcast has no malicious intent, and even if hackers don’t access the Javascript, the interaction of the Javascript with the website could create new security vulnerabilities. To prevent the ad injection, he recommends using https, which isn’t provided by all websites.

Another potential solution is to use a VPN, which encrypts all the traffic between you and the VPN provider instead of between you and the website.

I have not personally used one of these public hotspots, so take this with a grain of salt, but it may help to turn off all Javascript while using the hotspot. Using a browser extension like NoScript probably won’t work because a normally trusted, unencrypted webpage with an ad injected will likely appear to be coming from the same trusted domain. Continue reading Comcast Injected Ads Highlight One More Danger of Public Wi-Fi

Apple Provides An Update on Celebrity Photo Hack

Apple has released a statement in which it has denied that the recent celebrity photo hack resulted from a breach of iCloud or its Find My iPhone service. The company instead faults “a very targeted attack on user names, passwords and security questions.” Although Apple hasn’t yet detailed all the types of attacks that were used, at least one seems clear based on its statement: hackers likely guessed the answer to poorly chosen security questions.

A well-chosen security question can Continue reading Apple Provides An Update on Celebrity Photo Hack

“Find My iPhone” Exploit Possibly Allowed Celebrity Photo Leak

Update (September 2, 2014): Apple has released a statement providing an update on the situation. I made a new post commenting on the situation here.

Over the past 12 hours, there has been a leak of celebrity photos. Programmers are speculating that the leak was caused by an exploit in the “Find My iPhone” service that allowed brute-forcing of passwords.

To brute-force a password means to try every single possible password until you find the correct one. Online servers have a number of mechanisms that can be used to stop brute-force attacks. For example, a server can limit the number of login attempts from each IP address. After, say, Continue reading “Find My iPhone” Exploit Possibly Allowed Celebrity Photo Leak

Several Gaming Services hit by DDoS Attacks

Blizzard’s, Microsoft’s Xbox LIVE, and Sony’s Playstation Network have all been hit by DDoS attacks, causing disruption in the services.

A DDoS (distributed denial of service) attack is basically a large-scale attempt to disrupt a web server using requests from many different “zombie” computers. Suppose there’s a pizza store in your town, and it normally gets 3-4 orders by phone every hour. Continue reading Several Gaming Services hit by DDoS Attacks

New Facebook Malware Uses Old Tricks

New Facebook malware has surfaced, but the type of trick it uses is at least 2 years old. According to Cheetah Mobile, which claims to be the first to report the latest iteration of the malware, the malware exhibits one or more of the following behaviors:

1. Provides a link claiming to lead to an app capable of changing the color of a user’s Facebook layout. If clicked, the link leads to a Facebook page that redirects the user to a malicious site.

2. At the malicious site, users are asked to view a tutorial video that allows them to steal the user’s access tokens.

3. Continue reading New Facebook Malware Uses Old Tricks

1.2 Billion Usernames and 500 Million E-mails Stolen

1.2 billion usernames and 500 million emails have been stolen from 420,000 websites. The worst part is that we still don’t know exactly which websites were affected.

The everyday user may not be able to do much to convince companies to allocate their budgets so that they take security more seriously, but that doesn’t mean we are completely helpless.

Perhaps the most important lesson we can take away from this breach is Continue reading 1.2 Billion Usernames and 500 Million E-mails Stolen