infosec

Latest

  • How Armenian gangsters blew up the fingerprint-password debate

    by Violet Blue
    05.06.2016

    Paytsar Bkhchadzhyan is a woman with a colorful past and a bummer of a present. She arrived this week in news stories with a string of criminal convictions and gained notoriety for pleading "no contest" to felony identity theft early this year. Her iPhone was seized from the home of her boyfriend, one Sevak Mesrobian, a member of Los Angeles-based gang Armenian Power. Her fingerprint then began its long journey to giving civil-liberties fetishists a new storyboard for their "bad touch" role-play scenes.

  • Who hacked Facebook?

    by Violet Blue
    04.29.2016

    Late last week, a hacker named Orange Tsai wrote about how he hacked into Facebook under the aegis of its bug bounty program. A bug bounty is when a company pays hackers for vulnerabilities they find, providing the company with real-world threat testing outside the scope of its security team. But Tsai found much more than a bug. He discovered that another hacker had been in the company's systems for around eight months, grabbing employee usernames and passwords -- and probably more.

  • CNBC shows how not to handle a security screwup

    by Violet Blue
    04.01.2016

    As articles go, Tuesday's CNBC piece trying to cobble together the Apple/FBI fight with interactive clickbait -- a little box where readers should enter their password to test its hackability -- was a stretch. Worse, the story, called "Apple and the construction of secure passwords," hinged entirely on encouraging people to do something no one should ever, ever do. Namely, enter a password anywhere except the proper login page. CNBC, it seems, was trying to teach its readers about security.

  • You say advertising, I say block that malware

    by Violet Blue
    01.08.2016

    The real reason online advertising is doomed and adblockers thrive? Its malware epidemic is unacknowledged, and out of control. The Forbes 30 Under 30 list came out this week and it featured a prominent security researcher. Other researchers were pleased to see one of their own getting positive attention, and visited the site in droves to view the list. On arrival, like a growing number of websites, Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information. Or, as is popular worldwide with these malware "exploit kits," lock up their hard drives in exchange for Bitcoin ransom. One researcher commented on Twitter that the situation was "ironic" -- and while it's certainly another variant of hackenfreude, ironic isn't exactly the word I'd use to describe what happened.

  • Laugh the pain away with 2015's best infosec memes

    by Violet Blue
    12.31.2015

    As you might guess, infosec memes aren't as straightforward as Pizza Rat or Left Shark. That's because most of the time they run on one part inside jokes and two parts hacker history. They're usually technical, and they communicate an intimate knowledge of the slow-roasted levels of hell only understood by an information security professional. Recently, infosec coughed up two particularly transcendent and painfully hilarious memes.

  • The problem with 'pumpkin spice' security bugs

    by Violet Blue
    10.22.2015

    Bad Password is a hacking and security column by Violet Blue. Every week she'll be exploring the trendy new cyberhysteria, the state of the infosec community and the ever-eroding thing that used to be called "privacy." Bad Password cuts through the greed, fear mongering and jargon with expertise, a friendly voice and a little levelheaded perspective. When asked, "Why give a vulnerability a website, logo and brand image?" many infosec professionals will confidently answer that flamboyant bugs raise awareness toward fixes. Fixing and patching, we're led to believe, is almost as fun as a trip to the dentist. Which is true. Heartbleed, Shellshock, Stagefright, Sandworm, Rootpipe, Winshock and the truly terror-inducing nom-de-sploit POODLE are not, in fact, a list of situational phobias. These were named with intent to become PR markers -- although looking at the way some of these vulns (vulnerabilities) got their names and brands, it seems like the focus was more on the credit for naming them, rather than the actual usefulness of trying to "pumpkin spice" a bug.

  • Security flaw lets Delta passengers access strangers' boarding passes

    by John Colucci
    12.16.2014

    If you've been dreaming about tanning on Miami Beach versus visiting your family in Minneapolis this holiday, a security flaw involving Delta Airlines' electronic boarding pass system might just make that a reality. Dani Grant, a product intern at BuzzFeed and founder of Hackers of NY, realized she could share the URL to her boarding pass for anyone to download. Then, by changing a digit in the URL, someone else's boarding pass (even on another airline) popped right up.

  • Over 65 million voice samples guard your bank data from scammers

    by Timothy J. Seppala
    10.14.2014

    Two-factor authentication might be all the rage these days, but it sounds like there could be an even more secure way of protecting against fraud -- your voice. It's being employed by major banks including Wells Fargo and JPMorgan Chase to weed out scammers who call financial institutions armed with the info gleaned from cyber attacks, according to the Associated Press. The system combines recorded voice samples with blacklists of repeat calls from would-be criminals, and has reduced fraud attempts by as much as 90 percent so far. And if you're wondering where the banks have gotten these 65 million-plus voice samples, well, we've all likely heard the familiar notice that a call may be monitored or recorded before being connected to an operator. So, that explains that.

  • JPMorgan: cyberattack stole contact info for 76 million households

    by Timothy J. Seppala
    10.02.2014

    Is it just that time of year, or are data breaches becoming more and more common? No matter: following the report that JPMorgan Chase and a handful of other banks had been hit by hackers comes confirmation from the main financial institution itself. The banking juggernaut says that as many as 76 million households and 7 million small businesses had names, phone numbers, street addresses and email addresses stolen in a cyberattack, according to a regulatory filing spotted by Bloomberg. The nation's largest bank noted that despite these intrusions, however, sensitive information like Social Security and account numbers, login credentials and dates of birth were not pilfered. If you have accounts at Chase, now might be time to reset your passwords and contact your local branch, regardless.