badpassword
Latest
Status update: The rise of the social-media extortionist
If you've read recent headlines about high-profile tech CEOs getting hacked, you probably felt a stab of dark amusement at the thought of internet fat cats finally getting a taste of what the rest of us have had to drink. A single group, called OurMine, has managed to catch Facebook's Mark Zuckerberg, Google's Sundar Pichai, Yahoo's Marissa Mayer, AOL's Steve Case and, most recently, Twitter CEO Jack Dorsey with their password pants down. And it's nothing more than a sleazy PR stunt.
Don't believe the 'Pokémon Go' privacy hype
When the Pokémon Go obsession reached full saturation this week, privacy-concern whispers became full-blown hysterical shrieks when a researcher's blog post accused the game's maker of taking over its users' Google accounts. As it turned out, the app's iPhone permissions were just poorly implemented, and fixed immediately. Unfortunately that didn't stop the privacy and security hysteria machine. All week long, headlines made a mountain out of a molehill, scaring some people into uninstalling the app altogether.
Homeland Security's big encryption report wasn't fact-checked
If you watch Marvel's Agents of S.H.I.E.L.D., Blacklist, or any other TV show with make-believe espionage, you probably hear the term "going dark" at least once a week. In the real world, "going dark" has become FBI shorthand for when baddies can't be spied on, or manage to vanish into thin internet, at the fault of encryption. And it's at the heart of an oft-virulent tug-of-war between entities such as the FBI, Apple, civil liberties groups, conspiracy theorists, and lawmakers.
Cybersecurity forecast: Heavy smug
When you think of rockstar hackers and infosec pundits, I'm sure it's easy to imagine people who are humble, kind and patient, and never look down on anyone who would reuse a password. OK, maybe infosec types aren't known for doing benevolence all that well when they need to communicate with those not in the know about computer security. And when they do, they seem to prefer to do it from a stage and safely behind the title of "expert." Case in point: the much-ballyhooed talk being given at the Aspen Ideas Festival, where a professor at Rochester Institute of Technology, Josephine Wolff, is making a case today for punishing people when they're not good at computer security.
The clownish fight over who hacked the DNC
A war of words has erupted over whether the DNC hack was an act of espionage by the Russian government, between soundbite-ready security firm CrowdStrike and a lone hacker who's unkindly claiming credit. And the conspiracy-theory fans went wild.
Lexus software update gives new meaning to 'car crash'
Last year, headlines made everyone fearful of hackers taking over cars on the freeway. Turns out the real menace to owners of connected cars are the loopy manufacturers themselves. Toyota had to suck it up this week and admit to Lexus owners, who were going nuts on Facebook and Twitter on Tuesday, about why the climate control, radio, GPS, USB, Bluetooth, and other features suddenly stopped working for a range of 2014-2016 Lexus models. Or, their dashboard console would reset itself repeatedly.
Sophisticated hack attack? Don't believe the hype.
You wouldn't believe how sophisticated hacking has become in the past few years. It has, in fact, gotten so mind-blowingly complex and erudite that this word, sophisticated, is now the only one human beings can really use to describe any single act of computer-security violation. Actually, no. The word, at best, has almost always been used to cover up egregious screwups of breached companies, and shoddy reporting. Or, when at a loss to understand even the most mundane of hacks. Even high-minded publications step into infosec's linguistic dung heap and track the word throughout their pieces on whatever latest rehashed cyber-bomb hysteria-of-the-week they're pushing.
Retailers fight to silence customer data breaches
A consortium of retailers, including Target and Home Depot, vowed to fight a data breach notification bill. The bill, HR 2205 from Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), would require companies to tell customers when they've been hacked and would also require the encryption of data in both storage and transit. It would hold retailers to the same data-security standards as the financial sector. The large and powerful Retail Industry Leaders Association (RILA) sent a letter on Tuesday to House leadership saying that "it makes no sense to take one industry's regulations and apply it to a large segment of the economy without understanding the consequences."
The TSA is failing spectacularly at cybersecurity
Five years of Department of Homeland Security audits have revealed, to the surprise of few and the dismay of all, that the TSA is as great at cybersecurity as it is at customer service. The final report from the DHS Office of Inspector General details serious persistent problems with TSA staff's handling of IT security protocols. These issues include servers running software with known vulnerabilities, no incident report process in place, and zero physical security protecting critical IT systems from unauthorized access. What we're talking about here are the very basics of IT security, and the TSA has been failing at these quite spectacularly for some time.
Where the candidates stand on cyber issues
It's a little difficult to nail down the US presidential candidates on cybersecurity. That's probably because none of the candidates actually has a cybersecurity plan. What little the candidates have said about cybersecurity is as bizarre as the entire reality-TV election process spectacle itself. They each think cybersecurity means one, or possibly two, things. Bernie Sanders is obsessed with the NSA. Donald Trump said that Edward Snowden should be executed and wants to hack-attack China. Hillary Clinton just seems unsure about what exactly she should say.
How Armenian gangsters blew up the fingerprint-password debate
Paytsar Bkhchadzhyan is a woman with a colorful past and a bummer of a present. She arrived this week in news stories with a string of criminal convictions and gained notoriety for pleading "no contest" to felony identity theft early this year. Her iPhone was seized from the home of her boyfriend, one Sevak Mesrobian, a member of Los Angeles-based gang Armenian Power. Her fingerprint then began its long journey to giving civil-liberties fetishists a new storyboard for their "bad touch" role-play scenes.
Who hacked Facebook?
Late last week, a hacker named Orange Tsai wrote about how he hacked into Facebook under the aegis of its bug bounty program. A bug bounty is when a company pays hackers for vulnerabilities they find, providing the company with real-world threat testing outside the scope of its security team. But Tsai found much more than a bug. He discovered that another hacker had been in the company's systems for around eight months, grabbing employee usernames and passwords -- and probably more.
How '60 Minutes' played 'Telephone' with public-hacking hysteria
On Sunday, 60 Minutes took a year-old segment on phone hacking it shot and aired in Australia, fluffed it up with other old hacks from last year's Def Con and repackaged it for an American audience. Almost no one noticed those particular details. But just about everyone panicked. "Hacking Your Phone" set off a scare that raged through headlines and social media all week. As the miasmic cherries on top, the episode also freaked out California Rep. Ted Lieu (D), who has called for a congressional investigation, and the FCC is now involved.
Senate to Americans: Your security is not our problem
The Senate Intelligence Committee just released a draft of long-awaited legislation to tackle the problem authorities have with encrypted communications. Namely, because encryption is so secure, it interferes with court orders in the same way private property poses problems for police who just want to get things done.
The Panama Papers, a breach we can all get behind
Now here's a breach and leak everyone can get behind (unless you're a billionaire despot, that is). Selected excerpts from the Panama Papers dropped on Sunday, an unprecedented snatch-and-grab of offshore tax haven records released to a handful of global news organizations. In them, the tax-avoiding dealings of the super-rich were exposed in a gigantic haul of data said to total around 11.5m files (2.6 terabytes). It was taken from shell-company specialist Mossack Fonseca by an anonymous source, who shared the Panamanian law firm's trove with German newspaper Süddeutsche Zeitung.
CNBC shows how not to handle a security screwup
As articles go, Tuesday's CNBC piece trying to cobble together the Apple/FBI fight with interactive clickbait -- a little box where readers should enter their password to test its hackability -- was a stretch. Worse, the story, called "Apple and the construction of secure passwords," hinged entirely on encouraging people to do something no one should ever, ever do. Namely, enter a password anywhere except the proper login page. CNBC, it seems, was trying to teach its readers about security.
Advertising's hottest surveillance software is surprisingly legal
You may have heard that the FTC this week sent out a dozen strongly worded letters to apps using the SilverPush framework. The FTC politely told 12 app developers that they needed to let users know that SilverPush was collecting data and selling it to third parties. SilverPush responded two days ago by issuing a statement claiming it no longer uses the "Unique Audio Beacons" (UAB), and has "no active partnership with any US-based developers." Well, if this is true, then perhaps SilverPush should remove UAB as a core product from its website -- and from the heart of its business model, as well.
America accuses Iran of hacking the dam, cyber-squirrels rejoice
As cyber-geddon stories go, Middle Eastern countries hacking into US dams or power grids and making stuff go haywire sounds like the plot for a not-so-subtly racist Hollywood scare flick. But that's the story we got when news outlets, citing unnamed sources, recently reported the Obama administration would be calling out Iranian hackers as the culprits behind a malicious 2013 breach at a New York dam.
RSA security conference: 25 years of discontent and pranks
The first time I went anywhere near the RSA information security conference in San Francisco, it was by way of a prank. Two things I love to cover are computer crime and and enterprise security, so when I met friends for drinks at a downtown hotel bar during the conference one year they were genuinely surprised I'd never attended RSA. One of my drinking pals that night was Twitter's head of security, and he jokingly asked if I wanted to go to RSA -- right now.
MasterCard's selfie security: What could possibly go wrong?
When I read about MasterCard's plan to do selfie security with purchases, I wondered what the first massive breach of biometric data is going to look like. Unlike passwords, biometrics such as face mapping, fingerprints and iris scans can't be changed when a database gets popped. Worse, data sold to marketers or snarfed into an authoritarian database isn't revokable. Manny the cat would not approve. Fortunately, MasterCard isn't going to be replacing the password or pin with selfies, but instead wants to make its "Selfie Pay" app part of a two-step security routine when purchases are made or money is withdrawn. MasterCard says users will be required to blink for the app to demonstrate it's a live image. The company plans to roll it out in the U.S., Canada, the U.K. and a few European countries by this summer.
