Security firm Kryptowire discovered that at least hundreds of thousands of Android phones in the US are configured to automatically send all text messages, call logs, location information, contact lists and more to servers in China every 72 hours. This is all invisible to the end user. (more…)
On October 21st, a large number of websites, including some of the biggest names, were knocked off the Internet by a massive distributed denial-of-service (DDoS) attack. A DDoS attack occurs when thousands to millions of devices send traffic to a target, completely overloading its servers or Internet connection.
If you care at all about security and privacy, a recent security analysis of the D-Link DWR-932 B LTE router will make your head explode.
Mac users have long had an unwarranted level of confidence about their immunity to malware and hackers. Palo Alto Networks’ recently discovered some Mac malware in the wild, which I hope will make us Mac users pay more attention to security. The malware, which targets mostly the aerospace industry, appears to be from an APT group they call “Fancy Bear”.
I had a great time talking with Gary about privacy, anonymity, security, Cypherpunks, WikiLeaks, and more. Check it out!
When anything big happens on the Internet, the criminals and snoops are not far behind. This time the event is Pokemon Go and there are all kinds of different threats developing in its wake from malware to tracking to physical danger. I you are not familiar with this game yet just look around next time you step outside, it is everywhere.
When it comes to checking for hostile files coming in from the web, it is much more difficult than simply scanning an email. Communications are being conducted in real-time and often encrypted. So in order to defend against the two ways to get malware when surfing the Internet — an exploited browser (which automatically downloads malware without the need for you to click anything) and being tricked into downloading an infected file — you need a secure browser and some common sense.
To effectively protect yourself against browser exploits it doesn’t take much, you just need to use a secure browser. Conventional browsers will always be vulnerable to attacks, while secure browsers like Passages provide complete protection against browser exploits. Regardless of where you go or what you click on, malicious files will never make it to your physical computer.
Read my whole article on the Ntrepid blog.
There is a lot of hand wringing about the announcement that the FBI, with outside help, has been able to break into Syed Farook’s iPhone. This is not at all the same situation we would have if Apple had agreed to create the FBI requested version of the operating system. The important difference is scalability.
With this announcement we now know that law enforcement can break into any iPhone (of that generation or earlier at least) given sufficient effort. That effort is the key. It appears that the phone hack requires disassembling the phone and desoldering at least one chip at a minimum. It might actually be more complicated and cumbersome.
This is absolutely not something that any government is going to do thousands of times, it can not be done quickly and would probably leave evidence of the activity. This is fine for investigations of high value cases, but is absolutely useless for mass surveillance.
Contrast that with what could happen if Apple had created the security bypass operating system. Once created it would certainly be compelled in many different cases. Governments around the world would all demand access to the tool. That tool would allow rapid software only compromise of the phones without physical modification. This kind of attack scales to large numbers much more easily. Fortunately it would still require physical access to the phone, but that could obtained in many ways both overt and covert. I suspect that the compromised OS could be delivered through a modified phone charger for example.
Doubtless many companies will be working to make their devices secure against this kind of physical attack as well as making the kind of FBI requested modification actually impossible. In the meantime, the effort required to compromise each phone ensures that only a very few phones belonging to very narrowly targeted individuals will be unlocked. I can live with that.
At the recent BSides security conference in San Francisco (just before the RSA conference) I had the opportunity to give a talk about targeted attacks and how they are changing the game of cyber defense. The talk was recorded so you can listen to the whole thing, or read a brief summery below.
The point of sales (POS) breaches at Hilton, and Starwood before that, suggest that a group of hackers is specifically targeting hotels, probably because most travelers have above average income. It should also make us brace for a likely wave of further POS breaches in many other businesses during the holiday shopping season.
It really makes me wish that more merchants accepted secure payment tools like Apple Pay, or even that more than a small fraction accepted the new chip and signature cards.