infosec
Latest
Good luck finding a safe VPN
If you're most people, you just found out about the FCC's internet privacy rules by way of their untimely demise. Thanks to the FCC's new chief, Congress, and Donald Trump, ISPs are now free to track you like crazy and sell your data to the four directions. As a result, interest in VPNs exploded overnight.
When the 'S' in HTTPS also stands for shady
Just when we'd learned the importance of HTTPS in address bars, spammers and malicious hackers have figured out how to game the system. Let's Encrypt is an automated service that lets people turn their old unencrypted URLs into safely encrypted HTTPS addresses with a type of file called a certificate. It's terrific, especially because certificates are expensive (overpriced, actually) and many people can't afford them. So it's easy to argue that the Let's Encrypt service has done more than we may ever realize to strengthen the security of the internet and users everywhere.
When vending machines attack (a university)
We are marching toward certain doom at the hands of an angry Skynet of our own invention. Need proof? This week a school was attacked by its own soft drink vending machines. You read that right.
A whole new low in government trust
Our country changed so quickly in the past week that it feels like the pod doors have been sealed shut and an antigravity switch flipped inside our borders. From the outside, it probably looks like a snowglobe scene of hell. The Doomsday Clock advanced, "thanks to Trump," and it's now only two and a half minutes to nuclear midnight, while The Economist's Democracy Index downgraded the US from "full democracy" to "flawed."
Russian authorities arrest Kaspersky researcher for high treason (updated)
Security researcher Ruslan Stoyanov from Russia's Kaspersky Labs was arrested for treason last December. According to Russian newspaper Kommersant (translated), Stoyanov was taken in for breach of Article 275 of the Crimes Against the Fundamentals of the Constitutional System and State Security. The specifics of why aren't exactly clear, however. Kaspersky has issued a statement saying that the arrest had nothing to do with Stoyanov's work at the Lab, and didn't offer any information beyond the following:
Giuliani as Trump's cybersecurity adviser is an unfunny joke
I had just finished hacking the Gibson when I heard the news: Rudy Giuliani, the guy who said he was gonna solve cybersecurity, had just been named Trump's cyber adviser. I hopped onto our hacker mafia's government-proof encrypted chat app to make sure everyone knew that we were in real trouble. When I got no response from Mr. Robot or Anonymous, I got my rollerblades on and got out of my mom's basement as fast as possible. I dialed our ringleader with a secret, anti-authority encrypted phone app while hacking all the traffic lights between here and his mom's basement as I raced over. When he picked up I blurted, "Stop hacking baby monitors and trying to crash the stock market!"
FTC vs D-Link: All bark, no bite
Most routers are bad. Bad to their little router bones. But they were made that way. And when you get one of the bad ones in your home, they sit there like little privacy and security time bombs, just waiting to become conduits of evil in your house. You think I'm joking. But if you look at the state of router security, then you will know this is a big problem. And it's one that's nearly impossible for normal people to fix.
2016's biggest privacy threat: Your phone
When it comes to handing malicious hackers' intimate details about our lives, right now Yahoo is leading the pack as one of the worst threats to privacy in recent history. Yet there's one thing that has Yahoo beat in both the amount and sensitivity of the data being leaked, as well as the frequency. And like IoT appliances, it's a well-known and massive problem among security professionals, but it doesn't garner a lot of attention from the public. I'm talking about your smartphone.
FriendFinder breach shows it's time to be adults about security
Like all sectors -- government, retail, finance and healthcare -- the adult and porn businesses are feeling the consequences of not making security a priority, in the worst possible ways. Namely, by getting hacked and pwned, hard. Take for example this week's breach-bloodbath, in which FriendFinder Networks (FFN) lost their Sourcefire code to criminal hackers and put their users in serious risk. Combined with Ashley Madison's many deceits, FFN also contributed to the deepening public mistrust about the very sensitive data exchange between adult companies and their consumers.
The truth about Trump's secret server and Russia
It's hard not to follow the hacks and cracks of the election, even if you don't want to -- every day there's a new accusation or hysterical revelation. So you no doubt saw "Was a Trump Server Communicating With Russia?" postulating that Donald Trump's connections to Russia were confirmed with the discovery of a secret email server. That story came from Slate and was based on a connection a researcher found between a Trump Organization server and a Russian bank. News outlets took the bait and ran with it, telling us that this was as damning as it appeared.
Untangling the NSA's latest alleged embarrassment
Last week, security researcher Mikko Hypponen found a notice on Github from an entity called Shadow Brokers, a reference to master of the galactic black market for information in the game Mass Effect. The notice was for an auction of exploits from the Equation Group (widely believed to be operated by the NSA).
The hysterical hacking headlines of Def Con 24
You might've noticed that your regular news outlets have way more hysterical, random-seeming and utterly terrifying articles about hacking this week. That's because hacking conference Def Con happened last weekend, where a fair number of journalists had the pee scared out of them and decided to share their irrational reactions with everyone.
SMS two-factor authentication isn't being banned
Another week gone by, and the place is in cybersecurity shambles again. A years' old hacking issue, unencrypted wireless keyboards, being featured in an upcoming Defcon talk mystifyingly became a hot new Internet of Things threat. Obama gave us a colorful "threat level" cyber-thermometer that no one's really sure what to do with. Ransomware is hitting hospitals like there's a fire sale on money. And the DNC-Wikileaks email debacle exploded, splattering blame all over Russia.
Status update: The rise of the social-media extortionist
If you've read recent headlines about high-profile tech CEOs getting hacked, you probably felt a stab of dark amusement at the thought of internet fat cats finally getting a taste of what the rest of us have had to drink. A single group, called OurMine, has managed to catch Facebook's Mark Zuckerberg, Google's Sundar Pichai, Yahoo's Marissa Mayer, AOL's Steve Case and, most recently, Twitter CEO Jack Dorsey with their password pants down. And it's nothing more than a sleazy PR stunt.
Homeland Security's big encryption report wasn't fact-checked
If you watch Marvel's Agents of S.H.I.E.L.D., Blacklist, or any other TV show with make-believe espionage, you probably hear the term "going dark" at least once a week. In the real world, "going dark" has become FBI shorthand for when baddies can't be spied on, or manage to vanish into thin internet, at the fault of encryption. And it's at the heart of an oft-virulent tug-of-war between entities such as the FBI, Apple, civil liberties groups, conspiracy theorists, and lawmakers.
Cybersecurity forecast: Heavy smug
When you think of rockstar hackers and infosec pundits, I'm sure it's easy to imagine people who are humble, kind and patient, and never look down on anyone who would reuse a password. OK, maybe infosec types aren't known for doing benevolence all that well when they need to communicate with those not in the know about computer security. And when they do, they seem to prefer to do it from a stage and safely behind the title of "expert." Case in point: the much-ballyhooed talk being given at the Aspen Ideas Festival, where a professor at Rochester Institute of Technology, Josephine Wolff, is making a case today for punishing people when they're not good at computer security.
Cyber 'bombs,' digital D-Days and other nonsense
Cybergeddon is coming. To the disappointment of many, it's just going to look like some dude sitting at a desk, typing, and probably farting into his Department of Defense office chair. Secretary of Defense Ash Carter was quoted recently as saying the United States was going to be "dropping cyber bombs" on ISIS, and the newly invented rhetoric produced its desired effect. In expressions of both eagerness and incomprehension, outlets wrote, "Pentagon hits ISIS with 'cyber bombs' in full-scale online campaign." Scientific American even went so far as to try and explain the skin-crawlingly crazy phrase in a piece titled "How U.S. 'Cyber Bombs' against Terrorists Really Work." India Times took it all quite literally, in an article titled "There's Something Called a Cyber Bomb and the US Is Planning to Drop It on ISIS." It explained, "The proper definition of a cyber-bomb is still a little convoluted and has been kept under wraps mainly because an operation of such magnitude is yet to be carried out."
Sophisticated hack attack? Don't believe the hype.
You wouldn't believe how sophisticated hacking has become in the past few years. It has, in fact, gotten so mind-blowingly complex and erudite that this word, sophisticated, is now the only one human beings can really use to describe any single act of computer-security violation. Actually, no. The word, at best, has almost always been used to cover up egregious screwups of breached companies, and shoddy reporting. Or, when at a loss to understand even the most mundane of hacks. Even high-minded publications step into infosec's linguistic dung heap and track the word throughout their pieces on whatever latest rehashed cyber-bomb hysteria-of-the-week they're pushing.
Retailers fight to silence customer data breaches
A consortium of retailers, including Target and Home Depot, vowed to fight a data breach notification bill. The bill, HR 2205 from Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), would require companies to tell customers when they've been hacked and would also require the encryption of data in both storage and transit. It would hold retailers to the same data-security standards as the financial sector. The large and powerful Retail Industry Leaders Association (RILA) sent a letter on Tuesday to House leadership saying that "it makes no sense to take one industry's regulations and apply it to a large segment of the economy without understanding the consequences."
The TSA is failing spectacularly at cybersecurity
Five years of Department of Homeland Security audits have revealed, to the surprise of few and the dismay of all, that the TSA is as great at cybersecurity as it is at customer service. The final report from the DHS Office of Inspector General details serious persistent problems with TSA staff's handling of IT security protocols. These issues include servers running software with known vulnerabilities, no incident report process in place, and zero physical security protecting critical IT systems from unauthorized access. What we're talking about here are the very basics of IT security, and the TSA has been failing at these quite spectacularly for some time.
