Week 15

Article 1:

Suspicion strong that Aussie teen whiz hacked Metro State website

He calls himself Abdilo. He’s bragged online about hacking into websites on three continents, daring the authorities to catch him.

Now the U.S. Secret Service is trying to find out whether the boastful blogger — said to be a 16-year-old Australian — is behind a massive computer security breach at Metropolitan State University in St. Paul.

Two weeks ago, police raided the Queensland home of the “infamous Australian teen hacker,” as one local news report put it.

The suspect, who has not been publicly identified, has claimed responsibility for a four-month hacking spree that targeted at least one nuclear power organization in Australia, as well as police, government and college websites in his own country, the United States and Britain.

In the process, he attracted the attention of the Minneapolis field office of the Secret Service, which is investigating the Metro State incident. Louis Stephens, special agent in charge, said this week that his agency is working with Australian authorities to determine whether “an Australian teenage hacker utilizing the online alias ‘Abdilo’ is responsible for this and other data breaches.”

Since Metro State discovered that its computers had been hacked in December, it has been scrambling to assess and contain the damage.

This week, after a monthslong investigation, the school announced that the hacker had exposed the personal information of some 160,000 people, including faculty and students, dating back almost 20 years. Some of the data included full or partial Social Security numbers. But so far, there’s no evidence that anyone has used the information for nefarious purposes, says Devinder Malhotra, Metro State’s interim president.

Although he’s heard reports about the teen hacker, he says there’s no proof yet who was behind this “criminal act.”

It was the blogger himself who first blew the whistle. In December, Abdilo wrote a blog post claiming he had hacked into Metro State’s website, among dozens of others. A cyber security firm, which monitors the Web for threats, stumbled across it and notified the university. When the school checked out the claim, it discovered that it had in fact been hacked.

Faisal Kaleem, a computer security expert who teaches at Metro State, said he first learned about the incident from an all-campus e-mail alert in January. Curious, he set out to track down the hacker. He found Abdilo’s profanity-laced blog site, buried deep in the Web’s netherworld, in a matter of minutes.

On the blog, Abdilo wrote that he decided to break into various websites to “see if I got away with it.”

“What most people think is when you attack .edu, .gov and .mil [sites] you get arrested instantly. I decided to test that,” the blogger wrote.

“Here are some of the sites I messed with:”

Yale (“So easy”).

Harvard (“was a challenge but they are dumb”).

Princeton (“LOL easy”).

Why Metro State, a public university in St. Paul? “I broke into you cause i like 22 jump street,” he wrote — an apparent reference to the 2014 film, about undercover cops at a fictional school called Metro City State College.

Kaleem, an associate professor of computer sciences, was struck by the brazenness of the blogger. “It’s basically like a ticket to jail,” he said. “He’s saying that ‘I did it.’ ”

At one point, Abdilo actually live-streamed one of his hacking sessions, according to an Australian news report in January. The report, on abcnet.au, said Abdilo “was showing off his hacking skills to anyone who wanted to watch.” He demonstrated how he broke into American education websites, the report said, and displayed a video stream as databases “spat out people’s private information.” In an Internet chat with the news site, Abdilo said he wasn’t worried about the police.

Kaleem, who teaches courses on cyber security, said the blogger’s braggadocio reveals that he’s probably not an “elite hacker” — the kind who spy on corporations or governments.

“It looks like he wanted to brag about his skills,” he said.

Technically, though, it wasn’t all that difficult to find the weaknesses in these websites, Kaleem said. “There is a plethora of all these ready-made tools that are available online that you can download for free,” he said. The programs can search a website to see whether it’s vulnerable to attack, and if so, steal information before anyone notices.

That’s essentially what Abdilo did, he said. Metro State has said it has since uncovered the flaw in its computer security and fixed it.

Beyond bragging rights, what might motivate someone like Abdilo?

One possibility, of course, is money. “Just imagine,” said Kaleem, “if he were to sell all this information to the organized crime outlets, that could have been a disaster.”

In Abdilo’s case, that doesn’t seem to be the primary motivation, he noted. Yet the hacker claimed, at one point, that he tried to sell his covert access to an insurance company’s website for $5,000, but that the company “fixed it just before I was about to sell it.”

Young hackers, though, may not be in it for the money, experts agree.

“There’s a certain kind of macabre fantasy to it all,” said Cameron Camp, a cybersecurity expert at ESET North America, a San Diego firm that makes software to protect against “cyber criminals.”

For a bored teenager, he said, it can be an ego boost. “It’s this weird thing where you think, hope, somebody takes notice and says, ‘Hey, that’s the smartest kid we’ve met.’ ”

They may fantasize that someone will hire them for their computer savvy, Camp said, but it rarely works out that way. He compares it to bragging to the police about speeding. “It feels good for a second. But then there’s that other part, where they come get you.”

From all appearances, Abdilo thought he had outsmarted the authorities. But the recent police raid, notes Kaleem, suggests that his assumptions “have been proven to be false.”

Even if this hacker is caught, there’s little doubt that others could take his place.

“There’s a lot of 16-year-olds out there,” said Camp. “There’s less than that number inside the university working to defend it.”

That’s the challenge for any organization, he adds. “The 16-year-old only has to be right once. You have to be right all the time.”


Article 2:

Facebook tracks all site visitors, violating EU law, report says

Facebook tracks everyone who visits its site, including people who don’t have an account, and even continues to track users and non-users who have opted out of targeted ads, researchers at two Belgian universities have found.

Researchers at the University of Leuven in cooperation with researchers at the Vrije Universiteit Brussel have published an update to a February analysis of Facebook’s new policies and terms. The report, commissioned by the Belgian Privacy Commission, already found in preliminary conclusions in February that Facebook, with its 2015 privacy policy update, likely acts in violation of European law.

After these initial findings, the researchers did a further technical analysis on Facebook’s tracking practices. They focused on tracking techniques that use social plug-ins such as the “Like Button”, which is used on more than 13 million third-party websites, and also tested the advertising tracking opt-out.

“In doing so, a number of remarkable new issues have come to light,” said Brendan Van Alsenoy, legal researcher at the Interdisciplinary Center for Law and ICT of the University of Leuven.

Force-feeding cookies

It turns out, for instance, that Facebook places a cookie on the browser of anyone who visits a Web page belonging to the facebook.com domain, even if the visitor is not a Facebook user, the report found. The cookie placed by Facebook is called “datr”; it contains a unique identifier and is set to expire two years after it is placed.

Facebook users also get a range of additional cookies which uniquely identify the user.

Once these cookies have been set, the browser sends them back to Facebook on every subsequent visit to a website containing a Facebook social plug-in. Along with the cookies, Facebook receives the URL of the Web page that was visited as well as information about the browser and operating system, the report said.

This means that Facebook tracks its users for advertising purposes across non-Facebook websites by default, the report said. Even opting out won’t help. According to the researchers, Facebook will keep tracking you even if you have no account and have opted out of targeted advertising on the European Digital Advertising Alliance website. When someone opts out there, Facebook will place the same uniquely identifying “datr” cookie, they said.

Facebook sets the tracking cookie on the European opt-out site, but not on the U.S. and Canadian opt-out sites, Van Alsenoy said.

Facebook users are also extensively tracked. Even when a Facebook user deactivates his account, Facebook will still receive cookies that uniquely identify the ex-user, according to the report.

What’s more, if a user opts out from tracking, Facebook will still receive information about visits to external sites containing Facebook social plug-ins. The only thing that changes is that Facebook promises to no longer use this information for targeted advertising, but there is no way the researchers were able to verify that, Van Alsenoy said.
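To make the mechanism the report describes concrete, here is an added example, not code from the report, the article or Facebook. It parses a Set-Cookie header shaped like the two-year “datr” cookie, classifies it as a persistent identifier, and then walks a constructed page load to show which sub-resource requests (the embedded Like button) carried a cookie to a different site than the one the user was reading. The page URL, cookie value, and the two-label registrable-domain approximation are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed for this example: a Set-Cookie header shaped like the two-year
# "datr" cookie the report describes. The value is made up.
NOW = datetime(2015, 4, 1, tzinfo=timezone.utc)
DATR_HEADER = ("datr=Yk9QVWV4YW1wbGVpZA; expires=Fri, 31 Mar 2017 12:00:00 GMT; "
               "Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly")


def parse_set_cookie(header, now=NOW):
    """Return (name, value, lifetime, domain) for one Set-Cookie header.
    lifetime is a timedelta, or None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    if "max-age" in attrs:                      # Max-Age wins over Expires (RFC 6265)
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    else:
        lifetime = None
    return name.strip(), value.strip(), lifetime, attrs.get("domain", "")


def is_persistent_identifier(lifetime, min_days=90):
    """A cookie that outlives the session by months can stitch visits together
    across weeks of browsing; a short-lived one cannot."""
    return lifetime is not None and lifetime >= timedelta(days=min_days)


def site_of(host):
    # Assumption: the registrable domain is the last two labels. Fine for
    # example.com / facebook.com, wrong for co.uk-style suffixes; real tooling
    # should use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def third_party_beacons(page_url, subrequests):
    """subrequests: list of (url, cookie_header_sent). Returns the cross-site
    requests that carried a cookie. Each one told the cookie's owner which page
    was being read, because the browser also sends the page URL as Referer."""
    page_site = site_of(urlparse(page_url).hostname)
    hits = []
    for url, cookie in subrequests:
        host = urlparse(url).hostname
        if site_of(host) != page_site and cookie:
            names = [c.split("=", 1)[0].strip() for c in cookie.split(";")]
            hits.append({"tracker": site_of(host), "referer": page_url, "cookies": names})
    return hits


# Constructed page load: a news article that embeds the Like button.
PAGE = "https://news.example/health/article-123"
SUBREQUESTS = [
    ("https://news.example/static/app.css", ""),
    ("https://www.facebook.com/plugins/like.php?href=" + PAGE,
     "datr=Yk9QVWV4YW1wbGVpZA; fr=abc"),
    ("https://cdn.example/img.png", ""),
]

if __name__ == "__main__":
    print(parse_set_cookie(DATR_HEADER))
    print(third_party_beacons(PAGE, SUBREQUESTS))
```

The blockers the researchers recommend (Privacy Badger and the like) work on exactly this signal: a cross-site request that keeps carrying the same long-lived identifier.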

Without consent—and that’s a problem

The problem with these practices is that the cookies are placed without consent, which under EU law is only allowed if there is a strict necessity to do so. Facebook maintains that the “datr” cookie plays a key role in Facebook’s security and site integrity features. However, given that the “datr” cookie is used in the EU when someone tries to opt out of ad targeting, but isn’t used in U.S. and Canada in similar circumstances, it’s hard to believe that the cookie is strictly necessary for site security, Van Alsenoy said.

People who want an easy way to protect themselves against ad tracking can use browser add-ons such as Privacy Badger, Ghostery and Disconnect, which block tracking, researchers said.

Meanwhile, Facebook slammed the findings. “This report contains factual inaccuracies,” said a Facebook spokeswoman in an emailed statement, adding that the inaccuracies in the report were explained in detail to the Belgian Privacy Commission after the report’s earlier draft was published.

According to the company, the use of cookies for logged-out accounts is a standard, acceptable and lawful practice that has been actively used by Facebook and many other websites for years. Facebook said it uses these cookies to, for example, identify and disable accounts of spammers, recover account information and provide extra security features like login notifications and login approvals. Facebook also uses them to deliver, select, evaluate, measure and understand the ads served on and off Facebook, including ads served by or on behalf of its affiliates or partners, it said.

Cookies are also set for non-Facebook users who have visited facebook.com, to help protect Facebook Services and the people who use it from malicious activity, the company said. They can help detect and prevent denial-of-service attacks and the mass creation of fake accounts, it added.

Facebook is confident that its updated policies comply with EU law, the spokeswoman said, adding that it routinely reviews product and policy updates with its EU regulator, the Irish Data Protection Commissioner (DPC).

Facebook will have to deal with other, national privacy authorities though. The Belgian, Dutch and a German privacy authority have all started investigations into Facebook’s policy changes and the three countries in February formed a task force to examine how the policy might violate EU privacy laws.

The researcher’s report will be taken into account by the three authorities, a spokeswoman for the Belgian Privacy Commission said, adding that it was too early to draw any conclusions. The Commission hopes that if it turns out that Facebook has violated the law, it can come to a friendly agreement, but if that turns out to be impossible, Facebook could also be sued as an extreme measure, the spokeswoman said.


Article 3:

Computer Users Face Hard Choice: Pay Ransom or Lose Files

It happened at Jeff Salter’s home health care business last December. The network of nearly 30 computers at Caring Senior Service was infected with ransomware, malicious software that hackers use to try to extort money from people and businesses by preventing them from opening or using documents, pictures, spreadsheets and other files. Unless they pay, or can restore from a backup the attackers could not reach, users have no way to get their files back.

Ransomware is one of the fastest-growing forms of hacking, cybersecurity experts say. Anyone from a home computer user to a Fortune 500 company can be infected. It can also attack smartphones. Smaller users are the most likely to lose their files for good, unless they have a secure backup of their system or go through the complicated process of paying the cybercriminals.

Salter thought he was prepared for such an invasion. Most of his files were backed up in a place hackers couldn’t access, and he was able to restore his information. But one machine wasn’t; it contained marketing materials for his San Antonio-based franchise chain with 55 locations. Salter paid a $500 ransom.

“It would have cost us $50,000 to try to spend the time to recreate the stuff,” Salter says. “It would have been pretty devastating if we’d lost all that.”


Like many hackers’ tools, ransomware can arrive in emails with links or attachments that, when clicked on, run the software, which then encrypts the victim’s files. Attacks can also occur when users visit websites; cybercriminals can plant malicious code even on well-known sites operated by tech-savvy companies, says technology consultant Greg Miller of CMIT Solutions of Goshen, New York.

Anyone can be hit: individuals, big and small companies, even government agencies. The Durham, New Hampshire, police department was attacked by ransomware in June when an employee clicked on a legitimate-looking email. The department’s 20 computers were cleared of the ransomware and files were restored from a backup system. The Swansea, Massachusetts, police department, meanwhile, had to pay a $750 ransom after it was attacked.

“We certainly are seeing ransomware as a common threat out there,” says FBI Special Agent Thomas Grasso, who is part of the government’s efforts to fight malicious software including ransomware.

Attacks are generally random, but specific companies and people can be targeted. Many small businesses and individuals are at risk because they lack technology teams and sophisticated software to protect them from hackers, says Keith Jarvis, a vice president at Dell SecureWorks, a security arm of the computer maker. Many don’t have secure backup systems that will allow them to retrieve uninfected files.

Hackers can and do break into large companies, as in the attack on retailer Target Corp. that stole customer information. But big companies’ risk from ransomware specifically is relatively low: they have backups and separate computers for departments like sales or accounting, Jarvis says. An email click in one department could infect one or more computers, but likely wouldn’t spread elsewhere.
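The victims above found out about the infection when files stopped opening. One way to notice earlier, as an added example that is not from the article or any of the companies it quotes, is to watch for the signature ransomware leaves on disk: a burst of files whose readable content is rewritten as high-entropy data within seconds of each other. The detector below computes Shannon entropy per byte, flags a rewrite when entropy jumps and lands near 8 bits, and only alerts on a burst so that a single saved zip or photo does not trip it. The file events, document text and the sha256-chain stand-in for ciphertext are all constructed here.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: plain text sits around 4-5, ciphertext and compressed data near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pseudo_ciphertext(seed, length):
    """Deterministic stand-in for an encrypted file (sha256 chain), so the example
    behaves the same everywhere. Real ransomware output looks the same to this detector."""
    out, block = b"", seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def suspicious_writes(events, entropy_jump=2.5, min_entropy=7.0, window_s=60, min_files=5):
    """events: (timestamp_s, path, old_bytes, new_bytes), in arrival order.
    Returns the first burst of at least min_files rewrites within window_s seconds in
    which readable content became high-entropy data; [] if there is no such burst."""
    flagged = []
    for ts, path, old, new in events:
        e_old, e_new = shannon_entropy(old), shannon_entropy(new)
        if e_new >= min_entropy and e_new - e_old >= entropy_jump:
            flagged.append((ts, path, round(e_old, 2), round(e_new, 2)))
    for i in range(len(flagged)):
        j = i
        while j < len(flagged) and flagged[j][0] - flagged[i][0] <= window_s:
            j += 1
        if j - i >= min_files:
            return flagged[i:j]
    return []


def run_demo():
    """Constructed activity: one normal edit, one image replaced by another image,
    then six documents rewritten as ciphertext within a few seconds."""
    def doc(i):
        return (f"Quarterly marketing plan for franchise location {i}. "
                "Budget, channels and messaging for Q1.\n" * 40).encode()

    events = [
        (50, "docs/plan-0.txt", doc(0), doc(0) + b"Added a line during a normal edit.\n"),
        (60, "photos/logo.png", pseudo_ciphertext("png-old", 4096), pseudo_ciphertext("png-new", 4096)),
    ]
    events += [(100 + i, f"docs/plan-{i}.txt", doc(i), pseudo_ciphertext(f"enc-{i}", 4096))
               for i in range(6)]
    return suspicious_writes(events)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Entropy alone is a noisy signal (a legitimate bulk re-compression of a folder looks similar), which is why the burst threshold and the requirement that the *old* content was low-entropy both matter. Detection buys time to pull the network cable; it does not replace the offline backup that let Salter recover most of his files.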


Week 14

Article 1:

Researchers show that IoT devices are not designed with security in mind

The research was performed by a team from application security firm Veracode on six up-to-date devices acquired in December and found serious issues in five of them. The tested devices were the Chamberlain MyQ Garage, the Chamberlain MyQ Internet Gateway, the SmartThings Hub, the Ubi from Unified Computer Intelligence Corporation, the Wink Hub and the Wink Relay.

All of these devices enable remote control and monitoring over the Internet of various home automation devices and sensors, including door locks, interior switches and power outlets. Most of them connect to cloud-based services and users can interact with them through Web portals or smartphone applications.

The Veracode team didn’t look for vulnerabilities in the firmware of the tested devices, but instead analyzed the implementation and security of the communication protocols they use.

The researchers looked at the front-end connections, those between users and the cloud services, as well as the back-end ones, those between the devices themselves and the cloud services.

For front-end connections, they found that with the exception of SmartThings Hub, none of the devices enforced strong passwords. In addition, the Ubi did not enforce encryption for user connections, exposing them to possible man-in-the-middle (MitM) attacks.

For back-end connections the situation was even worse. The Ubi and MyQ Garage did not employ encryption, did not offer adequate protection against MitM attacks and did not protect against replay attacks, in which an attacker who can capture traffic simply plays it back later, potentially triggering unauthorized actions. In addition, the Ubi did not properly secure sensitive data.

MitM protection was lacking across all devices with the exception of the SmartThings Hub, either because TLS (Transport Layer Security) encryption was not used at all or because it was implemented without proper certificate validation.
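As an added illustration of the two back-end gaps just described (replay and tampering), and not code from Veracode or from any of the vendors, here is the application-layer check a device can enforce even when its transport is weak: the controller binds every command to a strictly increasing counter and an HMAC under a per-device key, and the device rejects a packet whose tag does not verify or whose counter it has already seen. A “naive” device that executes whatever arrives is shown beside it. The key, command names and both device classes are constructed for the example; in a real product this sits on top of TLS with proper certificate validation, not instead of it.

```python
import hashlib
import hmac
import json

# Assumption for this example: controller and device share a per-device
# 256-bit key provisioned at manufacture. This value is made up.
DEVICE_KEY = bytes.fromhex("9f" * 32)
SEP = b"|"   # separator between the JSON body and the hex tag (never appears in the body)


def sign_command(key, counter, command):
    """Controller side: bind the command to a counter and MAC both together."""
    msg = json.dumps({"ctr": counter, "cmd": command}, sort_keys=True).encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return msg + SEP + tag.hex().encode()


class NaiveDevice:
    """Models the behaviour described above: no freshness check, no integrity check."""
    def __init__(self):
        self.executed = []

    def receive(self, packet):
        msg, _, _ = packet.rpartition(SEP)
        self.executed.append(json.loads(msg)["cmd"])
        return "executed"


class HardenedDevice:
    def __init__(self, key):
        self.key = key
        self.last_ctr = 0          # highest counter accepted so far (persist this in real firmware)
        self.executed = []

    def receive(self, packet):
        msg, _, tag_hex = packet.rpartition(SEP)
        try:
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return "rejected: malformed tag"
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):     # forged or edited in transit
            return "rejected: bad MAC"
        body = json.loads(msg)
        if body["ctr"] <= self.last_ctr:               # captured earlier and replayed
            return "rejected: replay"
        self.last_ctr = body["ctr"]
        self.executed.append(body["cmd"])
        return "executed"


def run_demo():
    """Deliver one legitimate packet, replay it, then deliver an edited copy, to both devices."""
    naive, hardened = NaiveDevice(), HardenedDevice(DEVICE_KEY)
    pkt = sign_command(DEVICE_KEY, counter=1, command="garage.open")
    tampered = pkt.replace(b"garage.open", b"garage.lock")   # same length, MAC no longer matches
    results = {"naive": [], "hardened": []}
    for dev, out in ((naive, results["naive"]), (hardened, results["hardened"])):
        out.append(dev.receive(pkt))        # first delivery
        out.append(dev.receive(pkt))        # attacker replays the captured packet
        out.append(dev.receive(tampered))   # attacker edits the command
    # A fresh, correctly signed command with the next counter still goes through.
    results["hardened_next"] = hardened.receive(sign_command(DEVICE_KEY, 2, "garage.close"))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The counter must survive reboots on the device side, otherwise an attacker who can force a power cycle gets the replay window back; a timestamp plus a short acceptance window is the usual alternative when persistent storage is scarce.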

This suggests that those who designed these IoT devices assumed that the local area networks they’ll be installed on are secure. That’s an error, because research over the past several years has shown that if there’s anything worse than the security of IoT devices, it’s the security of consumer routers. Security researchers find serious vulnerabilities in routers on a routine basis, many of which enable hackers to perform man-in-the-middle attacks, and those flaws have resulted in millions of routers being compromised in large-scale attacks over the past few years.

The misguided trust of IoT manufacturers in the security of home networks is also reflected by the debugging interfaces and other services their devices expose to such networks.

The Veracode researchers found that the Wink Hub runs an unauthenticated HTTP service on port 80 that is used to configure the wireless network settings; the Wink Relay runs a network-accessible ADB (Android Debug Bridge) service; the Ubi runs both an ADB and a VNC (remote desktop) service with no password; the SmartThings Hub runs a password-protected telnet server; and the MyQ Garage runs an HTTPS service that exposes basic connectivity information.

In the case of the Wink Relay and the Ubi, the exposed ADB interface can provide attackers with root access and can allow them to execute arbitrary code and commands on the devices.

While they didn’t directly analyze the security of the vendors’ cloud services, the Veracode researchers considered several scenarios, like what would happen if attackers compromised user accounts, intercepted connections somewhere close to the service (for example by compromising an upstream provider), or fully breached the cloud service. They concluded that the impact of such breaches could range from attackers gaining access to sensitive data to taking control of a device and executing commands.

The reliance of these devices on cloud services is not always clearly explained to users, and it should be, because not everyone realizes that when they talk to their device through a mobile app, they don’t do so directly: the traffic actually passes through a service run by someone else, said Brandon Creighton, a member of the Veracode research team.

This also means that manufacturers should have security processes in place not only for the hardware devices themselves, but also for their Web services, Creighton said. “These services can be as vulnerable as any other application running on the Internet—Web service or network service—so it’s important to get those tested and reviewed as well.”

Based on the results of their analysis, the Veracode team concluded that the designers of the tested devices “weren’t focused enough on security and privacy, as a priority, putting consumers at risk for an attack or physical intrusion.”

For example, information gathered from an Ubi device could enable criminals to know when a user is home or not based on ambient noise or light, the team said in their report. Furthermore, by exploiting vulnerabilities in the Ubi or Wink Relay devices, attackers could turn on their microphones and listen to conversations. “Using vulnerabilities found in the Chamberlain MyQ system, thieves could be notified when the garage door is opened / closed, indicating a window of opportunity to burgle the house, and then remotely open the door.”

Creighton stopped short of saying that the issues they found on some of the tested devices were a universal problem in the IoT world, but he doesn’t think they were anomalies either.

“I think these are common problems that would probably be shared across a lot of different embedded devices,” he said.

The good news is that unlike routers for example, many of these IoT devices come with automatic update capabilities, so whenever an issue is found, the vendors can more easily distribute a fix. Veracode has already contacted the affected vendors and at least one of them, Wink, has already issued patches.


Article 2:

Over 100,000 devices can be used to amplify DDoS attacks via multicast DNS

The multicast Domain Name System (mDNS) is a protocol that allows devices on a local network to discover each other and their services. It is used both by PCs and embedded devices like network attached storage (NAS) systems, printers and others.

The mDNS protocol allows queries to be sent to a specific machine using its unicast address. However, the official specification (RFC 6762) recommends that when receiving such queries, the mDNS service should check before responding that the address that made the request is located in the same local subnet. If it’s not, the request should be ignored.

A security researcher named Chad Seaman discovered that some mDNS implementations don’t follow this recommendation and will respond to mDNS queries received from the Internet. The problem with this behavior is twofold.

First, depending on the type of query, mDNS responses can leak sensitive details about the device and its services, including its model, serial number, host name, physical MAC address, network configuration and more. This information could potentially help hackers better plan their attacks.

The second implication is even more serious. Because mDNS responses can be considerably larger than the queries triggering them and because the source IP address can be spoofed, devices that accept mDNS queries from the Internet can be abused to reflect and amplify DDoS attacks.

DDoS reflection helps attackers hide the source of their malicious traffic. Instead of flooding a target with packets directly, attackers can send mDNS queries with a spoofed source address to vulnerable devices causing them to send unsolicited responses to the victim’s IP address.

DDoS amplification implies reflection, but also increases the amount of rogue traffic attackers can generate. That’s because the size of the mDNS responses sent by vulnerable devices to the victim will be larger than the queries made by the attackers.

In tests, some of the vulnerable mDNS services amplified the traffic by as much as 975 percent, Seaman said in a write-up on GitHub. “The true amplification rate is hard to predict since the replies vary a lot based on server configuration and the size of the query packet itself, which changes based on the service being queried, but a safe estimate would be over 130 percent amplification on average.”
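The following is an added example, not code from Seaman’s write-up or the CERT advisory, that makes the amplification arithmetic and the missing subnet check concrete. It builds the 46-byte “enumerate all services” query a scanner would send, builds a constructed responder answer listing five advertised services, computes the bytes-received-per-byte-sent ratio, and implements the RFC 6762 rule that a unicast query should only be answered if its source address is on the local link. The service list and addresses are invented; the wire encoding is the standard DNS format without name compression.

```python
import ipaddress
import struct

MDNS_PORT = 5353
PTR = 12
QCLASS_IN_UNICAST = 0x8001   # class IN with the QU ("reply by unicast") bit set
SERVICES_ENUM = "_services._dns-sd._udp.local"


def encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte (no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name=SERVICES_ENUM, qtype=PTR):
    """The 'list every advertised service' query an Internet scanner would send."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN_UNICAST)


def build_response(name, services):
    """A responder's answer: one PTR record per advertised service (constructed)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, len(services), 0, 0)   # QR=1, AA=1
    rrs = b""
    for svc in services:
        rdata = encode_name(svc)
        rrs += encode_name(name) + struct.pack("!HHIH", PTR, 0x8001, 4500, len(rdata)) + rdata
    return header + rrs


def answer_count(packet):
    return struct.unpack("!H", packet[6:8])[0]


def amplification(query, response):
    """Bytes the victim receives per byte the attacker spends: this ratio, expressed
    as a percentage, is what the 975 percent figure above describes."""
    return len(response) / len(query)


def should_answer(src_ip, local_link):
    """RFC 6762 section 5.5: answer a unicast-addressed query only if it came
    from the local link; anything else is silently dropped."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_link, strict=False)


# Constructed advertised-service set, typical of a NAS box.
SAMPLE_SERVICES = ["_http._tcp.local", "_smb._tcp.local", "_afpovertcp._tcp.local",
                   "_ssh._tcp.local", "_printer._tcp.local"]

if __name__ == "__main__":
    q = build_query()
    r = build_response(SERVICES_ENUM, SAMPLE_SERVICES)
    print(len(q), len(r), round(amplification(q, r), 2))
    print(should_answer("192.168.1.20", "192.168.1.0/24"),
          should_answer("203.0.113.9", "192.168.1.0/24"))
```

Because the attacker spoofs the victim’s address as the UDP source, the only defence that works at the responder is the subnet check; at the network edge it is the port 5353 filter CERT/CC recommends, plus BCP 38 egress filtering so spoofed packets never leave the attacker’s network in the first place.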

Amplification techniques have been used in some of the largest DDoS attacks seen in recent years. There are several protocols that can be abused for this purpose if configured improperly, including DNS (Domain Name System), SNMP (Simple Network Management Protocol) and NTP (Network Time Protocol).

Seaman found over 100,000 devices that respond to mDNS queries over the Internet and can potentially be used by attackers for DDoS amplification.

“These devices include several NAS boxes and printers as well as Windows and Linux machines,” he said. “Some of these machines were located on larger networks such as corporations and universities, and appeared to be poorly secured, if secured at all.”

The researcher notified the CERT Coordination Center (CERT/CC), which issued an advisory about the issue Tuesday.

“If such mDNS behavior is not a requirement for your organization, consider blocking the mDNS UDP port 5353 from entering or leaving your local link network,” the organization said.

Some devices from Canon, Hewlett-Packard, IBM and Synology were found to respond to Internet-based mDNS queries in their default configurations. However, it’s not clear which software running on them actually responds to the queries, CERT/CC said.

Avahi, a Linux software package for zero-configuration networking, was also found to be vulnerable.


Week 13

Article 1:

Malicious, large-scale Google ad campaign slams users with malware

A large number of ads distributed by a Google advertising partner redirected users to Web-based exploits that attempted to install malware on users’ computers.

Security researchers from Dutch security firm Fox-IT observed the malvertising campaign Tuesday, when ads coming through a Google partner in Bulgaria called Engage Lab started redirecting users to the Nuclear Exploit Kit.

Exploit kits are Web-based attack platforms that try to exploit vulnerabilities in browsers and browser plug-ins in order to infect users’ computers with malware. The Nuclear Exploit Kit specifically targets vulnerabilities in Adobe Flash Player, Oracle Java and Microsoft Silverlight.

“It appears as if all of engagelab.com, its advertisement and zone IDs, are currently redirecting to a domain, which in turn is redirecting to the Nuclear Exploit Kit, indicating a possible compromise at this reseller of Google advertisement services,” Fox-IT researcher Maarten van Dantzig said Tuesday in a blog post.

The rogue redirects stopped later in the day, suggesting that either Google or Engage Lab took action.

Google and Engage Lab did not immediately respond to requests for comment.

It’s unclear how many websites and users were affected, but according to van Dantzig, Fox-IT “detected a relatively large amount of infections and infection attempts from this exploit kit among our customers.”

The Fox-IT researchers have yet to identify the specific malware program distributed through the campaign.

Malvertising has been a growing problem for years and despite large advertising networks claiming to have sophisticated defenses in place, attackers still find ways to bypass them.

These attacks are particularly dangerous, because users don’t need to visit obscure websites in order to get infected. Once attackers manage to push malicious ads onto a large advertising network, those ads get displayed on popular, generally trusted websites.

A 2014 investigation into malvertising by the U.S. Senate concluded that “the online advertising industry has grown in complexity to such an extent that each party can conceivably claim it is not responsible when malware is delivered to a user’s computer through an advertisement.”

That’s because a typical online advertisement goes through five or six intermediaries before being displayed in a user’s browser and it can be replaced with a malicious one at any point in that chain. Website owners also have no control over what ads will be displayed on their websites, the U.S. Senate said.


Article 2:

Report: Russian hackers accessed White House email

The State Department and the White House said late last year they had seen suspicious activity in their networks, though the White House said at the time only unclassified systems were affected. That may have been true, but it understated the sensitivity of the information accessed, CNN reported Tuesday, citing unnamed U.S. officials briefed on the investigation.

While the White House designates its email system as “unclassified,” it still contains sensitive information that could be valuable to foreign spies. The information accessed included real-time, non-public details about Obama’s schedule, CNN reported.

The Russian hackers used their earlier breach of the State Department’s network as a “perch” from which to access the White House computer systems, CNN said.

A spokesman for the White House’s National Security Council played down the significance of the CNN report, calling it speculation about a previously disclosed breach.

“Any such activity is something we take very seriously. In this case, as we made clear at the time, we took immediate measures to evaluate and mitigate the activity,” said spokesman Mark Stroh.

The National Security Council will not comment on CNN’s “attribution to specific actors,” he said.

The White House does not believe its classified systems, which contain national security information, were compromised, White House Deputy National Security Advisor Ben Rhodes told CNN in an interview.

The earlier breach of the State Department is believed to have been carried out using a phishing email targeting a State Department email account.


Week 12

Article 1:

Hackers May Be Able to Secretly Download Malicious Apps onto Nearly Half of All Android Phones

A researcher at Palo Alto Networks has discovered a frightening Android vulnerability that could allow hackers to steal data from unknowing users. Even scarier, it could affect nearly half of all current Android users.

Called the “Android installer hijacking vulnerability,” the bug reportedly allows attackers to surreptitiously download apps to Android users without them knowing.

Here’s how it works:

-When an Android user installs an app, they are always shown a permissions screen so that the user knows what access the app is asking for.
-This vulnerability, however, means that if a user downloads an app from a third-party app store or an app promotion (that is, not Google Play), Android doesn’t make sure that the app described on the permissions page is the actual app being installed.
-This means that an attacker can “modify or replace the package in the background.” That is, hackers can secretly swap the file you think you’re installing for another, more malicious one. Think of it as an app bait and switch.

There are two ways for an attacker to capitalize on this vulnerability. One, they can present the user with a normal-looking app and then, once the user approves it, swap it for a piece of malware. Or, attackers can flat-out lie about the permissions the app requires, so the app looks benign but actually gains all sorts of access to private phone data.
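The bait and switch above is a time-of-check/time-of-use bug: the installer reads the package once to show permissions and reads it again, from storage any app can write to, to install it. The following added example, not code from Palo Alto Networks or from Android, models that window in a few lines and shows the fix: read the bytes once, and if the package must be re-read from disk, refuse to proceed unless its digest matches what the user approved. The storage class, the JSON stand-in for an APK manifest and the attacker hook are constructed for the example.

```python
import hashlib
import json


class SharedStorage:
    """Stand-in for world-writable external storage, where a third-party installer
    drops the downloaded APK and any other app on the phone can overwrite it."""
    def __init__(self):
        self.files = {}

    def write(self, path, data):
        self.files[path] = data

    def read(self, path):
        return self.files[path]


# Constructed "packages": a manifest's permission list stands in for the whole APK.
BENIGN = json.dumps({"name": "flashlight", "permissions": ["CAMERA"]}).encode()
MALICIOUS = json.dumps({"name": "flashlight",
                        "permissions": ["CAMERA", "READ_SMS", "READ_CONTACTS"]}).encode()
APK_PATH = "/sdcard/Download/flashlight.apk"


def permissions_of(apk):
    return json.loads(apk)["permissions"]


def install_vulnerable(store, path, user_approves, attacker=None):
    """The flawed pattern: read the file to show permissions, later read it again to install."""
    shown = permissions_of(store.read(path))       # time of check
    if not user_approves(shown):
        return None
    if attacker:
        attacker(store)                            # attacker's window: swap the file
    return json.loads(store.read(path))            # time of use: trusts the disk again


def install_hardened(store, path, user_approves, attacker=None):
    """Read once, show exactly those bytes, install those same bytes. If a re-read is
    unavoidable, require the digest to match what the user approved."""
    data = store.read(path)
    approved_digest = hashlib.sha256(data).hexdigest()
    if not user_approves(permissions_of(data)):
        return None
    if attacker:
        attacker(store)
    if hashlib.sha256(store.read(path)).hexdigest() != approved_digest:
        raise ValueError("package changed after approval; aborting install")
    return json.loads(data)


def run_demo():
    """User approves only packages without READ_SMS; attacker swaps the file after approval."""
    def approves_if_benign(perms):
        return "READ_SMS" not in perms

    def swap(store):
        store.write(APK_PATH, MALICIOUS)

    out = {}
    s1 = SharedStorage()
    s1.write(APK_PATH, BENIGN)
    out["vulnerable"] = install_vulnerable(s1, APK_PATH, approves_if_benign, swap)["permissions"]
    s2 = SharedStorage()
    s2.write(APK_PATH, BENIGN)
    try:
        install_hardened(s2, APK_PATH, approves_if_benign, swap)
        out["hardened"] = "installed"
    except ValueError:
        out["hardened"] = "aborted"
    return out


if __name__ == "__main__":
    print(run_demo())
```

The digest check closes the race but does not remove it; the structural fix is to keep the package somewhere other apps cannot write in the first place, which is why downloads through Google Play are not exposed.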

The fact that so many users are at risk highlights a real problem with Android: the installed base is badly fragmented. While Google has been working on the problem, more than half of the devices on the market run versions as many as three releases behind the latest. The most recent release, dubbed Lollipop, came out in November of 2014, and only 3.3% of all Android users currently run it.

Compare that with Apple, which claimed last fall that 94% of all iPhone users use a version of iOS that was released in the past year. With so many Android users spanning so many versions, it’s difficult for Google to issue a clean fix to problems like these.

The Android installer hijacking vulnerability applies to Android 4.3 devices. It was first discovered in January of 2014 and the researchers informed Google, Samsung, and Amazon (all of which provide operating systems to which the vulnerability applies). Now, more than a year later, all of the vendors have installed patches to fix it, but earlier versions of Android are still at risk.

According to the most recent numbers, that represents 49.5% of the Android devices on the market.

The most obvious fix for Android users would be to update their software. If they are unable to do that, users should only download apps through Google Play, as those files cannot be overwritten by attackers.

So if you’re running an older version of Android, you better make sure you know what you’re downloading.


Article 2:

Microsoft to Offer Biometric Sign-In for Windows 10


Microsoft Corp will introduce an automatic biometric sign-in option with its Windows 10 operating system due out later this year, the first time it has offered such a service widely across devices.

The feature, called Windows Hello, means users will be able to scan their face, iris or fingerprint to verify identity and access Windows phones, laptops and personal computers.

Microsoft, which announced the feature on Tuesday, said users’ biometric data would be stored locally on the device and kept anonymous to make sure personal data is safe from hackers.

Windows Hello will only be available on new devices that are capable of running the new feature. Chip-maker Intel Corp said all machines incorporating its RealSense F200 sensor will run Windows Hello.

The feature is the latest effort from Microsoft to make its products more amenable to natural interaction with users, following its Kinect motion sensor for the Xbox game console and its Cortana personal assistant on Windows phones, a rival to Apple Inc’s Siri.


Week 11

Article 1:

Alibaba’s Latest Payments Innovation: Selfie-Powered Transactions


As mobile payments become more a part of the business landscape, the question of how to make them safer is top of mind. Alibaba — the vast Chinese ecommerce company that closed out 2014 with the biggest U.S.-based IPO to date — has a solution.

This week, Alibaba founder Jack Ma spoke at the CeBit conference in Hanover, Germany and demonstrated a new service called “Smile to Pay” that would give consumers a password-free way to shop online. The service would allow users to make a purchase from their mobile phone, then require them to snap a selfie to authenticate the purchase using Alibaba’s facial recognition technology.

“Today we’ll show you a new technology, how in the future people will buy things online,” said Ma of this latest innovation, which will first be rolled out in China.

Alibaba owns an online payment platform called Alipay, which has a complicated back story. It was launched in 2004 to be used for Taobao, an online marketplace comparable to eBay. In 2011, it was spun off into its own entity under the control of a company called ANT Financial (which in turn was founded by the Alibaba Group).

Ma still has a 46 percent stake in Alipay, which boasts more than 100 million mobile users (over 300 million users as of December ’14) and has hosted over 2.78 billion transactions on the Alipay Wallet app.

Alipay is currently accepted by a number of Western-based retailers including Bloomingdale’s, Macy’s and Saks Fifth Avenue, thanks to a relationship with ecommerce platforms such as ShopRunner.


Article 2:

Flaw in WordPress caching plug-in could affect over 1 million sites

WordPress websites are a popular target for hackers and many of them are compromised due to plug-in vulnerabilities. Just on Tuesday, the FBI warned that attackers sympathetic to the extremist group ISIS—also known as ISIL—have defaced many websites by exploiting known vulnerabilities in WordPress plug-ins.

The persistent cross-site scripting (XSS) flaw in WP Super Cache can be exploited by sending a specifically crafted query to a WordPress website with the plug-in installed, according to Marc-Alexandre Montpas, a senior vulnerability researcher at Web security firm Sucuri.

The attack could be used to inject malicious scripts into a page that lists the files cached by the plug-in, and which is accessible only to administrators. As such, in order for the malicious code to be executed, the page must be viewed by an administrator.

“When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.,” Montpas, who found the vulnerability, said Tuesday in a blog post.

WP Super Cache can be used to optimize WordPress sites by converting dynamically generated pages into static HTML files that are then served to visitors. This can be very helpful for websites that receive a lot of traffic, because it reduces server resource and bandwidth consumption.

However, replacing PHP-generated pages with static, cached copies has its downfalls. The biggest one is that whenever there are changes to a page, the corresponding cached file needs to be regenerated.

As outlined in an older bug entry, after making tweaks to a page, administrators might need to look at the list of cached files to know which one to delete. So, the administrative action needed to exploit the vulnerability found by Montpas is not uncommon.

According to statistics from the official WordPress plug-in directory, the WP Super Cache plug-in has over one million active installations. In order to be protected, WordPress site owners should upgrade the plug-in to the latest version—1.4.4 at the time of this article.


Week 10

Article 1:

How Hackable Are You? – Calculate Your ‘Pwned’ Score

The last several years have been good for criminal hackers and bad for consumers. From last year’s unprecedented string of major retailer breaches to the massive JP Morgan hack and Sony’s epic debacle, hackers have been almost unstoppable. So what should consumers expect for 2015?

Cyber attacks on major US companies and financial institutions aren’t likely to slow down this year, which means consumers will continue to find themselves targeted by increasingly brazen cyber-criminals. Of particular concern are the growing sophistication of “crimeware kits” used in phishing attacks, and the widespread distribution of “ransomware” and banking Trojans.

Many people mistakenly believe cyber attacks are beyond their ability to prevent, and they instead rely on the vague hope that big corporations will do all they can to protect their information – or make them whole again after a breach. But this certainly isn’t advisable. Once a person’s identity is stolen, it can create problems for years or decades down the road. Additionally, some financial institutions won’t always cover stolen funds resulting from a hacked computer – and this is particularly true for people who own small businesses.

Going forward, it’s critical for consumers to take a much more active role in protecting themselves from hackers and identity thieves. While no one can be safe 100% of the time, there are a number of easy and inexpensive steps people can take to dramatically reduce their risk of getting hacked.

Here’s a basic questionnaire every consumer can use to evaluate their personal ‘hackability.’ Add up your ‘pwned’ score to see how at risk you are:

  1. How strong are your passwords? (10 points) – People often make basic mistakes with passwords, like writing easily cracked/guessed ones (ex: ‘password123’), keeping default passwords, reusing the same password for multiple accounts, etc. Hackers also have tools at their disposal to crack passwords – like dictionary attacks and rainbow tables. Score Yourself: If you write complex passwords (10+ characters long, combination of letters, numbers and symbols), use unique passwords for each online account and take advantage of two-factor authentication when available, give yourself 10 points. If you don’t do all of these things, 0.
  2. Do you back up data? (10 points) – Cyber-criminals are increasingly using “ransomware” to victimize consumers. Since these attacks render personal files (documents, photos, videos, music, etc.) and computers unusable, the best way to protect against it is by regularly backing up data to an external hard-drive, thumb drive or cloud-based account. Score Yourself: Those who back up data at least once a week have a +10. Those who don’t, 0.
  3. Do you use a Mac or PC? (5 points) – Because more people around the world use Windows-based PCs rather than OS X or Linux-based systems, cyber-criminals typically write malware that is specifically designed for this operating system. As a result, consumers who use Macs or Linux devices will generally be less exposed (but that doesn’t mean they’re immune) to malware than Windows users. Score Yourself: If you use a Mac or Linux device, give yourself a +5. If you use Windows, 0.
  4. Do you use antivirus? (5 points) – Admittedly, antivirus is no silver bullet – and it’s going to miss a lot of dangerous malware. But consumers still need to run it on all of their devices and keep it updated, because without it you’re even more at risk of infection. Score Yourself: If you use an antivirus product like Symantec, McAfee, Kaspersky or Sophos on all of your devices (whether PC, Mac or Linux), give yourself a +5. If you don’t, 0.
  5. How do you browse the Internet? (10 points) – More attacks now come through the web browser (drive-by downloads, cross-site scripting, man-in-the-browser, etc.), so it’s important for consumers to surf the web carefully. That means: add script-blocking security plugins to your browser (ScriptSafe, NoScript, Adblock Plus, etc.); never click on pop-up ads or alerts; don’t visit a sign-in page from a link sent via email; and use separate browsers for shopping and surfing the web. Score Yourself: If you do all of the above, 10 points. If you don’t, 0.
  6. Do you bank from your home PC? (10 points) – At some point, almost every computer that browses the web will pick up malware – and the worst-case scenario is a banking Trojan. If consumers should protect one thing, it’s their online bank account. The best way to do this is to have a dedicated computer (such as a cheap netbook or Chromebook) that is only used to login to your online bank account. Score Yourself: If you have a dedicated laptop that is only used for online banking, give yourself +10. If not, 0.
  7. Do you use public WiFi? (10 points) – If you use public WiFi, you’re just begging to get hacked. There are a number of free or inexpensive hacking tools online that make it easy for almost anyone to hack an open WiFi connection. Score Yourself: If you use public WiFi at least once a year, give yourself 0. If you never use it, 10. If you never use public WiFi, but do use password-protected WiFi at your home and you live in an apartment, condo or townhouse, subtract 5 points.
  8. Do you visit naughty sites? (10 points) – This isn’t a personal judgment, but if you’re someone who occasionally visits adult websites or file-sharing sites where users swap bootlegged movies and music, you’re increasing the potential of exposing yourself to a variety of Trojans and malware – and your computer may become unsafe to use. Score Yourself: If you visit these sites, 0. If you never do, +10.

So … how did you do?

Unless you scored 60 points or higher, you’re not very secure at all and it’s time to change your ways. And if you scored 35 points or less, watch out because you’re an extremely easy target for hackers and the only thing keeping you safe is dumb luck. Chances are, you may have already been compromised in one way or another, whether you know it or not.


Article 2:

Security Shock: Why Did 2700 Websites Expose Our Passwords?

Why did they do it?

With all the data breaches and website hacking that have been going on, how on earth could big brands like AT&T, The New York Times, and Macy’s needlessly expose their users’ passwords?

Here’s what I’m talking about and why you should be worried: Over the past few years, my latest investigation for StateoftheNet.Net found, more than 2700 websites left their users’ passwords in plain sight by placing them undisguised smack dab in the middle of e-mails to those users.

A Glaring Security Lapse

Security pros consider this a terrible security practice. Here’s why:

“When a company sends a password in plain-text it is essentially inviting a user’s account to be compromised,” says Rick Redman, Senior Security Consultant at KoreLogic Security. “It also means that the company not only KNOWS your password, but stores it in a method that anyone can see…it is an insult to the customer. In my mind, it is the same as saying, ‘we do not care about your security.’” (If a site stores passwords in plain text, it’s even worse than sending them in e-mails, experts say.)

Government officials agree. “Sending a user’s password in plain text increases the risk of unauthorized access,” Mark Eichorn, Assistant Director of the Federal Trade Commission’s (FTC) Division of Privacy and Identity Protection, told me.

It Gets Worse

When a website commits such a lapse, it puts more at risk than just the personal information stored in your account at that site. A survey that I reported on in 2012 for Consumer Reports found that nearly one in five consumers used the same password for more than five accounts. So by exposing the passwords their users had entrusted to them, the thousands of sites in question were also increasing the risk of a breach of their users’ accounts at other institutions, such as retail, banking, and social network sites.

And that kind of risk could linger for months, or even years, according to Redman. “Most users don’t change their passwords,” he points out. “So an email with your password in it is sitting somewhere deep in your inbox, long forgotten by you, but it still has valid credentials in it.”

What does all this mean for you? Two things: Sloppy online security is more widespread than you probably thought; it’s hardly limited to the few websites that have been in the news. And even if you follow to the letter my recent advice on how to avoid a big password mistake, whenever you divulge your password to a website that sends or stores it in plain text, you might just as well have used the word “password” as your password.

We know about this massive security failure thanks to two public-spirited techies, Omer van Kloeten, Chief Technology Officer at New York-based app developer, AppMyDay and Igal Tabachnik, Lead Developer at OzCode. Fed up with having his own passwords repeatedly e-mailed to him in plain text, since 2011 van Kloeten has been posting examples of similar experiences that users send him at the site Plain Text Offenders (PTO), which he and Tabachnik created and he says is “dedicated to publicly shaming this horrible practice.” He typically receives and posts evidence for several offenders per day. For the year 2014 alone, the site’s archive contains more than 980 screen shots of offending e-mails. The full archive bulges with more than 2,700 examples dating back to 2011.

Who Are the Culprits?

Besides the three major brands I mentioned above, PTO’s archive also contains examples of culpable e-mails from such brands as Fedex, J. Crew, Laura Ashley, Office Depot, Rhapsody, SeaWorld, and Sprint, as well as examples from government sites, such as Indiana.gov and BoulderColorado.gov; local and regional businesses; and sites that appeal mainly to gamers or geeks.

I began this investigation in October by registering with roughly 20 of PTO’s reported sites to see if they were still exposing passwords. E-mails containing passwords are usually sent either when you first register with a site or when you tell the site you have forgotten your password. When I tried this with my small group of sites, quite a few did not include my password in their e-mail responses. But some did: One retailer of electronic lab equipment included both my user name and password in its account confirmation e-mail. And PetSmart, which stores customers’ credit card numbers on its site, sent me a temporary password in plain text when I told the site I had forgotten my old one.

Most troubling to me were the e-mails I received from Princess Cruises, whose exposure of passwords had first been reported by PTO in May 2014. When I told the Princess site I had forgotten my password, the site, which may store such sensitive personal information as your address, birthdate, passport number, medical conditions, or sexual preference, e-mailed me my password in plain text. When I checked back with the site again on New Year’s Day, it sent me this e-mail with my password in it:


The site’s privacy policy says, “we take steps to protect your personal information and keep it secure.” But, as noted above, security experts and government officials don’t agree that e-mailing a password in plain text does keep personal information secure.

PTO’s van Kloeten also maintains a list, called Reformed Offenders, of the good guys that he knows have stopped sending passwords in plain text. As of early January, 26 sites were listed. “I’m very hopeful. It’s still an incredibly low percentage (less than 1 percent), but it’s growing,” he told me. He acknowledges that he hasn’t had time to follow up regularly on every submission, so even he doesn’t know just how many of the rest of the reported offenders may have reformed.

Earlier this year, software maker Dashlane, which offers a free password manager for consumers, published evidence that confirmed the sorry state of password security on many websites. Studying 100 of the top e-commerce sites in the U.S., it found that eight had sent passwords in plain text via e-mail. Among Dashlane’s many other troubling findings were that 64 percent of the sites had questionable password practices and 55 percent still accepted some of the worst conceivable passwords, such as “123456.”

What You Can Do

• If a website e-mails you your password in plain text, notify the owners of the offending site, if possible. Then report it to PTO using that site’s submission forms. PTO’s van Kloeten welcomes submissions and offers a helpful FAQ that answers many of your questions. You may also want to report the incident to the FTC, which welcomes consumer complaints about such practices, according to Mark Eichorn. To file such a complaint with the FTC, use the FTC Complaint Assistant.

• Use a different password on each site plus a password manager, such as LastPass, KeePass, or Dashlane. “Password Managers aren’t perfect,” says KoreLogic’s Rick Redman. “And there is an inherent risk with using them, but the risk is much less than using the same password on every site.”

• If a site you use (such as your bank, Google/Gmail, PayPal) offers two-factor authentication, a feature that provides extra security by requiring more than just a password for account access, take advantage of it.

• Look for telltale signs that a site isn’t properly securing your password. Says PTO’s van Kloeten, “You can be certain of it if the site shows you your password at any time. This can be in an email, on the site itself when viewing your account details, in a text message or even when conversing with a representative on the phone or via chat (“You forgot your password? Oh, it’s kitten123.”). If that’s not the case, you can still be suspicious if, for instance, the site has weird restrictions like not letting you choose a long and/or strong password.”

• To find out if sites you visit have ever been reported by PTO, install either the third-party Chrome Extension or the Firefox Add-on on PTO’s tools page. I can’t vouch for these tools’ accuracy or security, but when I tried them myself they appeared to work and I didn’t experience any noticeable problems. When they issue a warning, it doesn’t guarantee that the site still exposes passwords in plain text, but does mean that it has been reported to have done so at some time since 2011.

How It Could Get Better

“We try to educate, not just shame,” says van Kloeten. “Offenders who contact us are immediately pointed to our very detailed and lovingly crafted FAQs and I even take as much time as needed to help them understand why what they did was wrong and how to fix it. We also encourage our wonderful community to spread the word. Google has started working towards making the web more secure, like giving higher PageRank to sites that are all-SSL. I hope this trend continues.”
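A site can only e-mail your password if it keeps a copy it can read back. As an added example (not code from the article, from Plain Text Offenders, or from any site named above), the Python below shows the fix van Kloeten's FAQ points offenders toward: store only a salted PBKDF2 hash, and answer "forgot my password" with a single-use, short-lived reset link rather than the password itself. The round count, 15-minute expiry, placeholder URL and the sample user are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000       # assumption: raise to what your hardware tolerates
TOKEN_TTL_SECONDS = 15 * 60   # assumption: reset links expire after 15 minutes
RESET_URL = "https://example.invalid/reset"  # placeholder, not a real site


class UserStore:
    """Minimal account store: passwords exist only as salted PBKDF2 hashes, so there
    is no password on file to paste into an e-mail or read out to a support caller."""

    def __init__(self):
        self.users = {}          # username -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}   # sha256(token) hex -> {"user": str, "expires": float}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt)}

    def verify(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            self._hash(password, b"\x00" * 16)   # same cost whether or not the user exists
            return False
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def begin_reset(self, username, now=None):
        """Issue a single-use reset token; only its hash is stored server-side.
        Returns None for an unknown user so the caller reveals nothing either way."""
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self.reset_tokens[key] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (valid or not) and set a new password if it was live."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # pop: a token is spent on first use
        if entry is None or now > entry["expires"]:
            return False
        self.register(entry["user"], new_password)
        return True


def reset_email_body(username, token):
    """What a non-offending site e-mails: a link carrying the token, never a password."""
    return (f"Hello {username},\n\nSomeone asked to reset your password. If that was you, "
            f"open this link within 15 minutes:\n{RESET_URL}?token={token}\n\n"
            "If it wasn't you, ignore this message; your password has not changed.\n")


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "kitten123")          # constructed sample account
    token = store.begin_reset("alice")
    print(reset_email_body("alice", token))
    print("reset accepted:", store.complete_reset(token, "a-much-longer-passphrase"))
    print("old password still works:", store.verify("alice", "kitten123"))
```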


Week 9

Article 1:

On Friday, the White House convened a “cyber summit” at Stanford’s campus in Palo Alto so that business and government leaders could get together and talk, essentially, about how scary hackers are.

There were two keynote speakers: Apple CEO Tim Cook, who got 10 minutes of talking time, and President Obama, who got 30 minutes. Obama focused on the threats to our digital security — “This is not a liberal or conservative issue. Everybody is online and everybody is vulnerable” — and legislation he’s proposed, including a revision to the existing law against computer intrusion and a national data breach notification law. He ended the talk by signing an executive order to promote companies sharing information about digital attackers. Cook, meanwhile, spent most of his time promoting Apple Pay and talking about threats to privacy in the name of security.

Cook obliquely addressed an ongoing tension between Apple and the U.S. government: Apple’s decision to add encryption to its iPhones so that the data on them can only be unlocked by their owners, and not with a government order. The enhanced security measure has come under criticism by the U.K. prime minister and by the director of the FBI, who said Apple and Google (which plans to offer the same feature for Androids) are putting their customers “beyond the law.”

“We believe deeply that everyone has a right to privacy and security,” said Cook. “So much of our information now is digital: photos, medical information, financial transactions, our most private conversations. It comes with great benefits; it makes our lives better, easier and healthier. But at Apple, we have always known this also comes with a great responsibility. Hackers are doing everything they can to steal your data, so we’re using every tool at our disposal to build the most secure devices that we can.”

Cook used the opportunity at the podium to take a dig at his tech competitors—pointing out that Apple, unlike other companies, doesn’t sell or monetize its customers’ data. His fellow CEOs were not there to hear the burn, though. Despite being invited, Facebook CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer and Google CEO Larry Page were not in attendance at the hastily-arranged summit, though their security executives did show up.

Cook signaled that Apple has no intention to back down on allowing its customers to encrypt their devices, despite the criticism the policy has gotten from government types and calls for “golden keys” to grant law enforcement access to otherwise secure messages.

“People have trusted us with their most personal and private information and we must give them the best technology we can to secure it,” said Cook. “Sacrificing our right to privacy can have dire consequences. We live in a world where people are not treated equally. There are people who don’t feel free to practice their religion, express their opinion or love who they choose. Technology can mean the difference between life and death.”

“Sacrificing our right to privacy can have dire consequences.”

In other words: people have secrets that they want to keep from hackers, but also, in some places with repressive governments, from authorities themselves.

“If we don’t do everything we can to protect privacy, we risk more than money,” said Cook. “We risk our way of life.”


Article 2:

Passwords Are Terrible — And These Companies Want To Kill Them


Imagine sitting down in front of your computer or grabbing your smartphone and being able to seamlessly log in to every account you need. Maybe your device recognizes your fingerprint, your eyes or your heartbeat. It just knows it’s you, and not an impostor.

That’s the password-free future that many tech companies envision. It just may take them a while to get there.

Passwords have long been the gold standard in online and device security, and we’ve been using them for as long as we’ve had to log in to computers and accounts.

The trouble is, passwords are horrible. Many people don’t use them properly. While security experts recommend using a strong, unique password for every service, most users don’t do that, leaving them vulnerable to hacking. And many of us regularly forget our passwords and have to reset them frequently.

But take heart: The race to kill the dreaded password is on. Tech giants are battling to replace it with biometric technology — using your face, eyes, fingerprint or heartbeat to identify you — which could mean more security and convenience for consumers.

This week, Qualcomm, which makes the chips for many Android smartphones, announced Snapdragon Sense ID, a new type of sensor that uses sound waves to detect 3-D details of your fingerprint. The company says the sensor can read fingers covered in sweat or lotion and can work on glass, steel, plastic and aluminum devices, giving more flexibility to device manufacturers.

Snapdragon Sense ID, unveiled this week at Mobile World Congress, an annual gathering in Barcelona for tech and telecom leaders, is just one of several new developments in biometric security that technology companies have announced of late.

Also at Mobile World Congress, Samsung said that it had improved the fingerprint sensor on its new high-end smartphones.

At the Consumer Electronics Show in January, chipmaker Intel unveiled True Key, which uses facial recognition, fingerprint scanning and other authentication methods to unlock a password manager that gives access to apps and online accounts.

And Touch ID, Apple’s fingerprint-sensing technology for newer iPhones and iPads — widely seen as the most successful application of biometric security to consumer devices — is available on a growing number of third-party apps.

“There’s somewhat of a perfect storm happening in the marketplace now,” said Anthony Antolino, the chief marketing and business development officer at eyeLock, a New York-based company that has built iris authentication platform technology.

Antolino said that frequent high-profile security breaches, the availability of less expensive and smaller biometric technologies and the staggering rise in the number of mobile devices are all driving the urge to end the password age.

The success of Apple’s Touch ID in particular has inspired the rest of the industry to follow, according to Chester Wisniewski, a senior security advisor at the security company Sophos.

In September 2013, Apple released Touch ID on the iPhone 5S as an alternative to unlocking the phone with a passcode. The company said at its developer conference last June that before Touch ID was available, fewer than half of iPhone owners used a passcode. But as of that conference, 83 percent of iPhone 5S users were using Touch ID to unlock their phones.

“Apple proved a business model offering consumers biometrics,” Wisniewski said. “Apple went out there and proved people will use it if it’s easy enough to use.”

A year later, Apple opened up Touch ID to non-Apple apps, so people can now use their fingerprints to log in to some services, like Amazon and personal finance manager Mint. And people with the latest Apple devices can also use Touch ID to pay for things with their phones.

Still, it will be quite a while before the password is out of our lives completely.

One issue is the reliability of biometric security. Even though Touch ID is widely seen as successful, it doesn’t work well for everyone. It also may not work if your hands are cold or after you’ve showered or done the dishes.

When Intel debuted True Key during a keynote address at the CES, the program failed to recognize the presenter during the demonstration.

Passwords have no such issues. Despite their drawbacks, they work — if you type in your password correctly, you’ll get in.

Another issue is trust: Consumers must believe that these companies are taking good care of data on their fingerprints, faces and eyes.

Wisniewski lauded Apple for the way it protects the privacy of users’ fingerprints, but said consumers shouldn’t expect the same levels of security from every company that holds their biometric data — especially when protecting password data has already proven to be so difficult.

“Why should we trust that the companies asking us for our biometric data are going to be any better with it than my password?” Wisniewski said.

For the time being, security experts recommend using password managers — digital lockers that not only generate strong, unique passwords, but also store them — that can be unlocked with one strong password. They also recommend using multi-factor authentication, which requires you to use a code generated on another device, like a smartphone, when it’s available.

“Right now we’re eliminating the hassle of remembering multiple passwords,” said Mark Hocking, vice president and general manager of Safe Identity at Intel. “Down the road, we want to eliminate the password completely. But that’s going to take a long time.”