Tag: security


  • Twitter hack was an inside job, could’ve been a lot worse

    If you saw Elon Musk, Barack Obama, and more tweet bitcoin scams recently, you saw the result of a social engineering attack that primarily targeted verified Twitter accounts. Vice has the full story.

    “We used a rep that literally done all the work for us,” one of the sources told Motherboard. The second source added they paid the Twitter insider. Motherboard granted the sources anonymity to speak candidly about a security incident. A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts themselves or gave hackers access to the tool.

    I’m amazed and horrified that the scam worked, collecting over $100,000 worth of bitcoin. Please be more careful, and don’t trust so easily, okay?

    Things could’ve been worse though. What if a hack like this were used to spread disinformation, rather than just grab cash from gullible suckers who think Elon Musk can magically duplicate bitcoins for free? Come election time, get ready to not trust anything, verified badge or not.


  • Was WannaCry the NSA's fault?

    Wired reporting on the Windows ransomware that’s wreaking havoc at the moment:

    One reason WannaCry has proven so vicious? It seems to leverage a Windows vulnerability known as EternalBlue that allegedly originated with the NSA. The exploit was dumped into the wild last month in a trove of alleged NSA tools by the Shadow Brokers hacking group. Microsoft released a patch for the exploit, known as MS17-010, in March, but clearly many organizations haven’t caught up.

    Even if this doesn’t originate from the NSA, it’s ample proof that no one should have backdoors.


  • SMS is not a secure protocol

    This was bound to happen:

    O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.

    In other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.

    SMS (aka text message) is not a secure means of communication, and that isn’t anything new either. The codes travel over the carrier network, so anyone with SS7 access can reroute them without touching your phone. Keep that in mind when you send details, and where you can, use a second factor that isn’t delivered over SMS, such as an authenticator app.


  • Fake ID, present and past

    Fascinating story about fake IDs, present and past:

    The fake ID racket wasn’t always so easy. In 1994, one of my 10th-grade classmates in boarding school purchased a fake ID kit from a graduating senior for $700. Even at 15, Phil had a remarkable entrepreneurial spirit and naturally gravitated toward the prospect of cornering the fake ID market at our New England prep school. “Once I got out of the red,” he remembers thinking, “I’d be minting money.”


  • Your online activities are for sale

    US citizens lost a little bit more of their privacy the other day, when Congress made sure that internet service providers will be able to sell customer information, such as web browsing history, in the future too. Yes, too, because this isn’t new, it’s just been cemented now (pending President Trump’s signature). The Verge:

    It’s hard to see this as anything but a major loss for consumers. While reversing the FCC’s privacy rules will technically just maintain the status quo — internet providers have actually been able to sell your web browsing data forever (it’s just not a thing we think about all that much) — they were about to lose permission to keep doing it, unless they got explicit consent or anonymized the info.

    It was the Republican party who voted this one through, so while there are lists of the traitors to the internet and whatnot, you should probably call your representatives no matter what.

    Want to know what the ISPs can actually sell? Motherboard has you covered, and it’s pretty scary reading. You might want to consider getting yourself a VPN (Zenmate, Tunnelbear, and NordVPN are easy to use), and use secure messaging apps such as Signal or iMessage, until the Big Brother Corp nastiness passes. If it ever will. Note that your browser’s incognito mode only keeps history off your own machine; it does nothing to hide your traffic from your ISP, so it’s no substitute for a VPN here.


  • Be careful with petitions

    In days like these it’s only natural to want to do something – anything! – that could help the situation. It could be buying a t-shirt (not really helping, but sure) or signing a petition to stop whatever madness it is that’s bothering you today.

    Be careful with petitions. There are several claims that petitions are being used as honeypots to collect details on people who hold certain world-views. After all, if you sign a petition about something that’s important to you, the admin of the petition now knows this about you. What happens when the admin isn’t who he or she claims to be, but is hosting the petition precisely to collect names and details on people of a certain point of view?

    Potentially dangerous, that. Be careful with your personal details online, as always.


  • No master keys, please

    Tim Cook, from the recent Time interview:

    No one should have a key that turns a billion locks. It shouldn’t exist.


  • Let's encrypt, y'all

    Let’s Encrypt automates issuing and renewing TLS (SSL) certificates, for free, which is all kinds of great for the web. It’s now in public beta:

    We have more work to do before we’re comfortable dropping the beta label entirely, particularly on the client experience. Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a wide range of platforms. We’ll be monitoring feedback from users closely, and making improvements as quickly as possible.


  • The problem with GPG

    Speaking of security and hacks, Moxie Marlinspike pretty much nails the problem with GPG:

    Looking forward, however, I think of GPG as a glorious experiment that has run its course. The journalists who depend on it struggle with it and often mess up (“I send you the private key to communicate privately, right?”), the activists who use it do so relatively sparingly (“wait, this thing wants my finger print?”), and no other sane person is willing to use it by default. Even the projects that attempt to use it as a dependency struggle.

    This is true for PGP too.

    (GPG, or GnuPG, is a free implementation of the OpenPGP standard, used mostly for encrypting and signing email with public keys. All email should be encrypted, but in reality it’s just too much of a hassle for most people, me included.)


  • 87 percent of Android devices are vulnerable

    ZDNet, writing about Android vulnerabilities:

    Nearly 90 percent of Android devices are exposed to at least one critical vulnerability, because of Android handset makers’ failure to deliver patches, according to research from the UK’s University of Cambridge.

    Security is one of the reasons I steer clear of Android (snoopy business models are another). If you want to know more, check out AndroidVulnerabilities.org, made by the researchers. There, Android devices are compared and graded accordingly.


  • Patreon security breach

    Patreon has had unwanted visitors:

    There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.

    Update your password if you use Patreon.


  • People are still using stupid passwords

    People are still relying on stupid passwords, with 12345 and password topping the SplashData list once again. Recode:

    Two new passwords in the top 10 are “696969” and “batman.” Evidently those looking for an easy-to-remember password were feeling less affectionate in 2014, as “iloveyou” fell off the list.

    If you can’t manage unique and proper passwords for your various logins, just get a password manager that you can trust. I use 1Password, and to a lesser extent, the iCloud keychain.


  • Windows 7 is no longer supported (sort of)

    Microsoft is no longer supporting Windows 7. Well, almost, because you’ll still get security updates, just nothing else. In the words of Vox, of all places:

    After 2020, Windows 7 users are expected to be totally on their own. Microsoft won’t provide support even if you want to pay for it. And if hackers find a vulnerability in the software, Microsoft won’t necessarily fix it.

    That’s quite a commitment. Microsoft are nice that way, so give thanks by not swearing too much the next time your computer reboots on you for no reason other than it thinks that you really need to install the latest Windows update…


  • Cheap Android tablets aren't secure at all

    Bluebox tested sub-$99 Android tablets, and – shocker! – found them to be security nightmares.

    Bluebox Labs purchased over a dozen of these Black Friday “bargain” Android tablets from big name retailers like Best Buy, Walmart, Target, Kmart, Kohl’s and Staples, and reviewed each of them for security. What we found was shocking: most of the devices ship with vulnerabilities and security misconfigurations; a few even include security backdoors. What seemed like great bargains turned out to be big security concerns. Unfortunately, unsuspecting consumers who purchase and use these devices will be putting their mobile data & passwords at risk.


  • WordPress 4.0.1 is an important security release

    WordPress 4.0.1 is out, and you shouldn’t wait to install the update. This is an important security release that addresses serious issues. If you’ve got automatic updates on, you’re probably already rolling 4.0.1, but if you don’t, or if the automatic install failed for some reason, then now’s the time to update.

    Older versions of WordPress are affected by the vulnerabilities as well, so make sure you update to 4.0.1 as soon as possible.