
Saturday, February 21, 2015

NSA Hacks Bulk SIM Card Database and Steals Billions of Keys

The Intercept has an extraordinary story: the NSA and/or GCHQ hacked into the Dutch SIM card manufacturer Gemalto, stealing the encryption keys for billions of cell phones. People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards.
"We always knew that they would occasionally steal SIM keys. But all of them? The odds that they just attacked this one firm are extraordinarily low and we know the NSA does like to steal keys where it can."
I think this is one of the most important Snowden stories we've read.

Common Password "Mustang" Is in 16th Position


This is what happens when a PR person gets hold of information he really doesn't understand.
"Mustang" is the 16th most common password on the Internet according to a recent study by SplashData, besting both "superman" in 21st place and "batman" in 24th
Mustang is the only car to appear in the top 25 most common Internet passwords
That's not bad. If you're a PR person, that's good.
Here are a few suggestions for strengthening your "mustang" password:
  • Add numbers to your password (favorite Mustang model year, year you bought your Mustang or year you sold the car)
  • Incorporate Mustang option codes, paint codes, engine codes or digits from your VIN
  • Create acronyms for modifications made to your Mustang (FRSC, for Ford Racing SuperCharger, for example)
  • Include your favorite driving road or road trip destination
Keep in mind that using the same password on all websites is not recommended; a password manager can help keep multiple Mustang-related passwords organized and easy-to-access.
At least they didn't sue users for copyright infringement.

Lenovo Deployed Malware by Default

It's not just national intelligence agencies that break your HTTPS security through man-in-the-middle attacks. Corporations do it, too. For the past few months, Lenovo PCs have shipped with an adware app called Superfish that man-in-the-middles TLS connections.
Here's how it works, and here's how to get rid of it.
And you should get rid of it, not merely because it's nasty adware. It's a security risk. Someone with the password -- here it is, cracked -- can perform a man-in-the-middle attack on your security as well.
Since the story broke, Lenovo completely misunderstood the problem, turned off the app, and is now removing it from its computers.

Saturday, February 7, 2015

Facebook Will Soon Be Able To ID You In Any Photo

Appear in a photo taken at a protest march, a gay bar, or an abortion clinic, and your friends might recognize you. But a machine probably won't — at least for now. Unless a computer has been tasked to look for you, has trained on dozens of photos of your face, and has high-quality images to examine, your anonymity is safe. Nor is it yet possible for a computer to scour the Internet and find you in random, uncaptioned photos. But within the walled garden of Facebook, which contains by far the largest collection of personal photographs in the world, the technology for doing all that is beginning to blossom.

How To Hack a BMW: Details On the Security Flaw That Affected 2.2 Million Cars

BMW recently fixed a security hole in their ConnectedDrive software, which left 2.2 million cars open to remote attacks. Security expert Dieter Spaar reverse engineered the system and found some serious flaws [note: if you'd prefer English to German, try this translation], including the same symmetric keys used in all vehicles, unencrypted messages between the car and the BMW backend, and use of the outdated DES.

Utah Cyberattacks, Up To 300 Million Per Day, May Be Aimed At NSA Facility

Five years ago, Utah government computer systems faced 25,000 to 30,000 attempted cyberattacks every day. At the time, Utah Public Safety Commissioner Keith Squires thought that was massive. "But this last year we have had spikes of over 300 million attacks against the state databases" each day: a 10,000-fold increase. Why? Squires says it is probably because Utah is home to the new, secretive National Security Agency computer center, and hackers believe they can somehow get to it through state computer systems. "I really do believe it was all the attention drawn to the NSA facility. In the cyberworld, that's a big deal," Squires told a legislative budget committee Tuesday. "I watched as those increases jumped so much over the last few years. And talking to counterparts in other states, they weren't seeing that amount of increase like we were."

NSA Depending on Hackers for Information


In the latest article based on the Snowden documents, the Intercept is reporting that the NSA and GCHQ are piggy-backing on the work of hackers:
In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches. "Hackers are stealing the emails of some of our targets...by collecting the hackers' 'take,' we...get access to the emails themselves," reads one top secret 2010 National Security Agency document.