acct August 1, 2018 #261
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/
Quote: A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. [...] we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.

trendy August 28, 2018 #262
The Untold Story of NotPetya, the Most Devastating Cyberattack in History
Nice story, stock up on popcorn and a soft drink because a wall of text follows.
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

acct December 5, 2018 #263
https://help.quora.com/hc/en-us/articles/360020212652
Quote: What kind of user data was affected? Based on what we have learned, some of our users’ information has been exposed, including:
- Account information, e.g. name, email address, encrypted password (hashed with a salt that varies for each user), data imported from linked networks when authorized by users
- Public content and actions (e.g. questions, answers, comments, upvotes)
- Non-public content and actions (e.g. answer requests, downvotes, direct messages)
Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.
So far it appears that data from ~100 million accounts has leaked, including the password. From the description, the passwords do not appear to be encrypted with any particularly strong algorithm; otherwise, logically, they would have made a point of saying so. The content at the link above has been updated several times and, for the past few hours, also includes instructions for those who want to delete their account on this occasion...

trib December 5, 2018 #264
There are worse. A hacker had access for months to the e-mail of members of the Democrats' Congressional committee, capturing, as they say, "sensitive information", and they discovered it in April 2018. And the crazy part of the whole affair? They have not told their superiors to this day! The FBI had started an investigation but, as they claim, they did not announce it so as to find the hacker without him suspecting it.
https://www.politico.com/story/2018/12/04/exclusive-emails-of-top-nrcc-officials-stolen-in-major-2018-hack-1043309

acct December 11, 2018 #265
https://www.blog.google/technology/safety-security/expediting-changes-google-plus/
Quote: Our testing revealed that a Google+ API was not operating as intended. We fixed the bug promptly and began an investigation into the issue. Our investigation into the impact of the bug is ongoing, but here is what we have learned so far:
- We have confirmed that the bug impacted approximately 52.5 million users in connection with a Google+ API.
- With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.
- In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.
- The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.
- No third party compromised our systems, and we have no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.
[...] We have also decided to accelerate sunsetting consumer Google+, bringing it forward from August 2019 to April 2019. We want to give users ample opportunity to transition off of consumer Google+, and over the coming months, we will continue to provide users with additional information, including ways they can safely and securely download and migrate their data.

acct December 14, 2018 #266
https://signal.org/blog/setback-in-the-outback/
Quote: Like many others, we have been following the latest developments in Australia related to the “Assistance and Access” bill with a growing sense of frustration. [...] Attempting to roll back the clock on security improvements which have massively benefited Australia and the entire global community is a disappointing development. Although we can’t include a backdoor in Signal, the Australian government could attempt to block the service or restrict access to the app itself. Historically, this strategy hasn’t worked very well.

trendy December 18, 2018 #267
An analysis of Australia's notorious law
https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/

trendy January 17, 2019 #268
A Microsoft font gives away fraud in a bankruptcy case.

EraserheadX (Author) January 18, 2019 #269
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

minast March 19, 2019 #270
The NSA has released Ghidra for free, software it developed for reverse engineering software:
https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/

minast March 26, 2019 #271
Kaspersky revealed targeted malware delivered through the Asus installer:
https://uk.reuters.com/article/uk-asus-cyber/hackers-attacked-one-million-plus-asus-users-through-malicious-update-idUKKCN1R61R5

acct April 15, 2019 #272
https://www.theverge.com/2019/4/13/18309192/microsoft-outlook-email-account-hack-breach-security
Quote: Microsoft has started notifying some Outlook.com users that a hacker was able to access accounts for months earlier this year. The software giant discovered that a support agent’s credentials were compromised for its web mail service, allowing unauthorized access to some accounts between January 1st and March 28th, 2019. Microsoft says the hackers could have viewed account email addresses, folder names, and subject lines of emails, but not the content of emails or attachments.
Edited April 15, 2019 by acct

trendy May 29, 2019 #273
https://nakedsecurity.sophos.com/2019/05/29/researchers-uncover-smart-padlocks-dumb-security/
Quote: Unfortunately, says Pen Test Partners, the Nokelock and its API also come with some major security flaws that prospective owners might like to know about before they stump up their cash. Such as the ability to:
- Unlock the Nokelock within a range of 10m without needing to know anything about the registered account.
- Discover the owner’s information from the Nokelock database, including the email address and password hash.
- Discover the lock’s location from its GPS coordinates.
- Assign the lock to another account, locking owners out of their Nokelock.

salde September 27, 2019 #274
https://www.zdnet.com/article/cloudflare-google-chrome-and-firefox-add-http3-support/
Quote: HTTP/3, the next major iteration of the HTTP protocol, is getting a big boost today with support added in Cloudflare, Google Chrome, and Mozilla Firefox... HTTP v3 -- or HTTP/3 -- is different from everything that came before it. It's a complete rewrite of HTTP that uses the QUIC protocol instead of TCP, and also comes with built-in TLS (encryption) support... HTTP/3 is QUIC implemented inside HTTP, replacing TCP and SPDY at the transport level. It was formally approved last October...

trendy October 22, 2019 #275
Another long story about the attack on the 2018 Winter Olympics in Korea.
https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/

tyxeros October 22, 2019 #276
https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/

trendy October 25, 2019 #277
https://nakedsecurity.sophos.com/2019/10/24/robot-hotel-says-sorry-about-the-buggy-bedside-bots/
Quote: One guy kept getting woken up during his one-night stay because the in-room bot interpreted his loud snoring as a command, causing it to ask, repeatedly… Sorry, I couldn’t catch that. Could you repeat your request?

trendy November 20, 2019 #278
The bastards shut down OTE!
https://www.wired.com/story/iran-internet-shutoff/

minast February 7, 2020 #279
Since we like proprietary protocols, here is a nice vulnerability in the Cisco Discovery Protocol that affects countless devices:
https://www.wired.com/story/cisco-cdp-flaws-enterprise-hacking/
Here it is used to run Doom on IP phones
On another topic (to touch on a bit of privacy too), one might wonder why you need to agree to a privacy policy in order to use a Wacom tablet. The gentleman below had the same question, and with a little digging found that they send "back to base" all the programs you run...
https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/

acct February 11, 2020 #280
‘The intelligence coup of the century’ - For decades, the CIA read the encrypted communications of allies and adversaries.
Quote: For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret. But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.
Personal Data of All 6.5 Million Israeli Voters Is Exposed
Quote: The website for an election app used by Prime Minister Benjamin Netanyahu’s party made it possible to view full names, addresses, identity card numbers and more. A software flaw exposed the personal data of every eligible voter in Israel — including full names, addresses and identity card numbers for 6.5 million people — raising concerns about identity theft and electoral manipulation, three weeks before the country’s national election.