
Google to kill passwords on Android, replace ’em with ‘trust scores’

Quote

Bad idea – basically adds new features for google to identify you, track you, and sell your private info to their empire. Yeah, I need protection from Google, not protection from them.

Google is planning to use “trust scores” to kill off traditional passwords on Android.

The internet giant wants to get rid of password logins, at least for Android apps, by 2017. Google outlined its plans at its I/O conference last week.

Chrome trumps all comers in reported vulnerabilities

Quote

More vulnerabilities were discovered in Google Chrome last year than any other piece of core internet software – that’s according to research that also found 2014 clocked record numbers of zero-day flaws.

The Secunia Vulnerability Review 2015 report [PDF] is built on data harvested by the company’s Personal Software Inspector tool residing on “millions” of customer end points, each with an average of 76 installed applications.

It said the Chocolate Factory’s web surfer had more reported vulnerabilities than Oracle Solaris, Gentoo Linux, and Microsoft Internet Explorer which rounded out the top four among the analysed core products. … Chrome leads the browser pack with 504 reported vulnerabilities followed by Internet Explorer with 289 and Firefox with 171. Some 1035 flaws were reported across all browsers including Opera and Safari, up from 728 in 2013.

Wait, but isn’t Google itself a threat?

Microsoft adds ‘non-security updates’ to security patches

Quote

The line between functional software and advertising junk is getting more blurred. Anyone else need a reason to avoid Micro$oft?

MS16-023, billed as a “Security update for Internet Explorer” and issued on March 8, includes six “General distribution release (GDR) fixes”

Five are innocuous as they address glitches like “Empty textarea loses its closing tag in Internet Explorer 11 after conversion from XML to HTML.”

But the last item on the list, item 3146449, has the rather more interesting title “Updated Internet Explorer 11 capabilities to upgrade Windows 8.1 and Windows 7.”

Only once you visit 3146449’s knowledge base page you’ll find the following explanation for the patch:

This update adds functionality to Internet Explorer 11 on some computers that lets users learn about Windows 10 or start an upgrade to Windows 10.

Big data breaches found at major email services

Quote

Hold Security, a Wisconsin-based security firm famous for obtaining troves of stolen data from the hacking underworld, announced that it had persuaded a fraudster to give them a database of 272m unique email addresses along with the passwords consumers use to log in to websites. The escapade was detailed in a Reuters article.

It might sound bad, but it is also easily mitigated.

The passwords and email addresses, which include some from Gmail, Yahoo and Russia’s mail.ru service, aren’t necessarily the keys to millions of email accounts. Rather, they had been taken from various smaller, less secure websites where people use their email addresses along with a password to log in.

People who use a different password for both their email account and, say, Target.com, won’t be affected. But those who tend to use the same password for multiple sites as well as their email should change their email password.

“Some people use one key for everything in their house,” Hold Security founder Alex Holden says. “Some people have a huge set of keys that they use for each door individually.”

Holden said there is no way for consumers to check if their emails were included in his firm’s latest find. In 2014, when his firm tried to set up such a service after obtaining a billion hacked login credentials, his site crashed.

Sad to say, despite all tools available like password databases, people are real stupid when it comes to passwords. The takeaway from this is that you need to use a different password for each site. If the site allows it, use a different user name also. There is no excuse.

Kuwaiti Government will DNA Test Everyone

Quote

There’s a new law that will enforce DNA testing for everyone: citizens, expatriates, and visitors. They promise that the program “does not include genealogical implications or affects personal freedoms and privacy.”

I assume that “visitors” includes tourists, so presumably the entry procedure at passport control will now include a cheek swab. And there is nothing preventing the Kuwaiti government from sharing that information with any other government.

Despicable

United Air – Very Late Arrival at Security

Quote

United Airlines has renovated the security on its frequent flyer scheme “MileagePlus” by requiring users to answer one of five security questions and enter a password when they log on.

The airline sent emails to customers requesting they update their security from weak, short PINs to complex passwords.

The new codes require two special characters, a number, and five letters to reach the minimum of what United deems a strong password.

United customers will still need to use their PINs when they ring United customer contact centres until the changes are complete.

Users have 30 days to make the changes.

Five pull-down security questions need to be filled from pre-selected answers, reducing the chance users will lock themselves out. Those whose childhood dreams were journalism and to play the Huang won’t find their answers within, however.


Lenovo’s file-sharing app uses hardwired password ‘12345678’ … or no password at all

Quote

Lenov-LOL!

Lenovo ShareIT users, get patching: the PC maker’s file-sharing app is pretty much unsecured.

The software runs on Windows and Android devices, and creates a Wi-Fi hotspot allowing data to be exchanged – from phone to PC, PC to phone, etc. But the wireless network is pretty much unsecured on both platforms.

In ShareIT for Windows, the Wi-Fi uses “12345678” as a hardcoded password, while in Android, there’s no password at all. If someone logs into the Wi-Fi hotspot on Windows, they can browse, but not download, files on the machine.

Core Security, which found the design flaw, also note that file transfers in Windows and Android aren’t encrypted. If an attacker was logged into the hotspot on either side of a file transfer, traffic sniffing would yield a copy of the transfer.

The vulnerable versions are ShareIT for Windows version 2.5.1.1 and ShareIT for Android 3.0.18_ww. The bugs are designated CVE-2016-1489, CVE-2016-1490, CVE-2016-1491, and CVE-2016-1492.

Lenovo’s latest versions are available here. Get ’em.

That’s not the only issue. Their machines have come through with so much crapware lately that out of the box they are slower than the old XP machines we are replacing.


‘Panama papers’ came from e-mail server hack at Mossack Fonseca

Quote

Money-shuttling firm lost 2.6 TB of data and didn’t even notice

The staggering, Wikileaks-beating “Panama Papers” data exfiltration has been attributed to the breach of an e-mail server last year.

The leak of documents from Panama-based, internationally-franchised firm Mossack Fonseca appears to confirm what has long been suspected but rarely proven: well-heeled politicians, businesses, investors, and criminals use haven-registered businesses to hide their wealth from the public and from taxmen.

Bloomberg says co-founder Ramon Fonseca told Panama’s Channel 2 the leaked documents are authentic and were “obtained illegally by hackers”.

According to The Spanish, the whistleblower (here in Spanish) accessed the vast trove of documents by breaching Mossack Fonseca’s e-mail server, with the company sending a message to clients saying it’s investigating how the breach happened, and explaining that it’s taking “all necessary steps to prevent it happening again”.

The company added that it’s engaged security consultants to close the horse-long-gone stable door.

I love it! Law firm involved in a highly secretive operation cannot even do the basic steps to secure their servers. Of course I am not surprised; IT (ICT) security has been deemed more of an annoyance than a top priority at so many businesses. “Why me worry?” is the word of the day. Probably had an ISP el cheapo “firewall” device.


Surprise! Magic Kinder app could let hackers send vids to your kids

Quote

Security watchers have warned of massive privacy problems with the Magic Kinder App for children.

A lack of encryption within the Magic Kinder smartphone app and other security shortcomings open the doors for all sorts of exploits, they claim.

Hacktive Security alleges that a malicious user could “read the chat of the children, send them messages, photographs and videos or change user profile info such as date of birth and gender,” as explained in detail in a blog post here.

The Android app – which has clocked in at more than 500,000 downloads – was developed by a subsidiary of Ferrero International, the firm behind Nutella, Kinder and Ferrero Rocher.

The mobile software aims to offer “strategic, educational games and quizzes to improve children’s skills and development”.

Ferrero has yet to respond to a request for comment.

Joe Bursell, marketing manager at independent security consultancy Pen Test Partners, said that the Magic Kinder App is riddled with basic security problems.

“These are not subtle, hard-to-find issues,” Bursell told El Reg. “You’d see those IDs in the proxy within minutes of testing and the first thing you would do is manually increment/decrement them.”

“There are no authorisation checks on any of the requests. This means that anyone can: send a message to your kids, read your family diary, and change other data about people, e.g. gender.”

“Also, it doesn’t use encryption,” Bursell added.

Probably laden with spyware to hoover up all sorts of family data.
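The authorisation gap Bursell describes, as an added illustration that is not code from the Magic Kinder app, Ferrero or Pen Test Partners: a constructed in-memory family store with a handler that trusts the client-supplied family ID beside one that checks the record belongs to the authenticated parent, plus a small server-side detector for the ID-stepping pattern he mentions (all names and data are assumptions made up for the example).

```python
class Forbidden(Exception):
    pass  # the caller may not read or change the requested record

# Constructed sample data for this example, not the app's real data model.
# "owner" is the authenticated parent account that the record belongs to.
FAMILIES = {
    101: {"owner": "alice", "chat": ["hi mum"]},
    102: {"owner": "bob", "chat": ["dinner at 6"]},
    103: {"owner": "carol", "chat": []},
}

def read_chat_insecure(family_id):
    # The reported flaw: the ID in the request is trusted as-is, so whoever
    # changes the number reads another family's chat.
    return list(FAMILIES[family_id]["chat"])

def _owned_family(requester, family_id):
    fam = FAMILIES.get(family_id)
    if fam is None or fam["owner"] != requester:
        # Same outcome for missing and foreign records, so stepping through
        # IDs does not reveal which ones exist.
        raise Forbidden("not found")
    return fam

def read_chat(requester, family_id):
    """Hardened read: the record must belong to the authenticated requester."""
    return list(_owned_family(requester, family_id)["chat"])

def send_message(requester, family_id, text):
    """Hardened write: the same ownership check runs before appending."""
    fam = _owned_family(requester, family_id)
    fam["chat"].append(text)
    return len(fam["chat"])

def serve(requester, family_id):
    """Handle one read; returns (audit_record, chat or None) for logging."""
    try:
        return (requester, family_id, True), read_chat(requester, family_id)
    except Forbidden:
        return (requester, family_id, False), None

def enumeration_suspects(attempts, min_denials=3):
    """Detection: requesters denied on several distinct IDs in one window."""
    denied = {}
    for requester, family_id, allowed in attempts:
        if not allowed:
            denied.setdefault(requester, set()).add(family_id)
    return sorted(r for r, ids in denied.items() if len(ids) >= min_denials)
```

The audit records returned by `serve` are what a real deployment would write to its request log; feeding them to `enumeration_suspects` flags accounts that were refused on several different IDs.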


Report: Apple designing its own servers to avoid snooping

Apple suspects that servers are intercepted and modified during shipping.


Quote

Apple has begun designing its own servers partly because of suspicions that hardware is being intercepted before it gets delivered to Apple, according to a report yesterday from The Information.

“Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter,” the report said. “At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there. Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips.”