Geeks are Sexy Technology News » Security

Europe to Google: Hold your Horses

JLister — Fri, 03 Feb 2012 17:00:54 +0000

European privacy officials have demanded that Google put planned privacy policy changes on hold until they can check that the new rules comply with local laws.

The demand comes from the Article 29 Working Party. That’s not a legal organization in itself, but rather a group made up of the data protection authorities in each of the European Union’s member countries. The group itself doesn’t have enforcement powers, so this is more of a co-ordinated warning of potential individual action.

The new Google policy is set to take effect on March 1st and contains two main changes. Firstly, the existing collection of 70 separate policy documents, each covering an individual service, is to be reduced to 11. That will include one master policy that covers most services, with the remaining 10 requiring individual policies for legal reasons. Google says this change will make it easier for users to keep track of the way it behaves.

The second change is that Google is now claiming the right to treat all data it collects about a user from across its services as a single record. From a user perspective, this could mean for example that the contents of your Gmail messages influences the ads you see on YouTube, the clips you view on YouTube influences your autocomplete suggestions when searching, and the sites you visit most often could even influence your dictionary suggestions in Gmail.

Of course, this also means Google will have even more accurate and detailed information with which to sell advertising. It also potentially increases the risk of inappropriate data use according to privacy campaigners.

The changes have already prompted a hostile advertising campaign by Microsoft which effectively accuses Google of compromising user privacy for the sake of profit.

Although Google doesn’t have to take notice of the European request, and it seems unlikely it will delay the changes at this stage, it has said it’s happy to talk to authorities about its policies. Between European governments being particularly unhappy with the debacle of Google unintentionally collecting Wi-Fi data through its Street View work, and European Union officials proposing a major overhaul of online data protection laws including giving users the right to demand a company delete all data about them, now wouldn’t be a smart time for Google to pick a fight.

Quantum Computing Blinds Information Intruders

Daljeet — Mon, 30 Jan 2012 15:00:37 +0000

Image Credit: Creativity103

As the hype for cloud computing rises ever higher, the issue of security is becoming a hot topic in the information exchange industry. The benefits of working in the cloud are immense, but many fear the risk posed by having their sensitive data accessible by the cyber-ether.

Quantum computing to the rescue. Researchers at the Vienna Center for Quantum Science and Technology (VCQ) at the University of Vienna and the Institute for Quantum Optics and Quantum Information (IQOQI) have successfully demonstrated how quantum-enabled computers can process information without ever knowing anything about the information it’s processing.

Here’s the gist of it: the user prepares qubits (kinda like the quantum computer equivalent of ‘bits’ in a classical computer) in a state that’s known only to him/herself and sends those qubits to the quantum computer via photons (light particles). The quantum computer then waves its magic wand and entangles the qubits according to a standard scheme. The processing of the information can now be performed using a measurement-based method so the computer only has to perform simple measurements on the qubits. The user would send measurement instructions along with each qubit, which is then sent to the quantum server. The computer does its thing, sends the results back, and the user then interprets the computed information using the original state to decode it. Anyone who caught the information in the middle wouldn’t have a clue how to decipher it without knowledge of the initial state!

Since the cost to create a quantum computer is a little bit outside of the average geek’s price range, it seems quantum computers won’t be helping you keep your parents unaware of your porn stash, but are more likely to be used in specialised facilities around the globe. This concept will work seamlessly with the direction the world is taking, operating everything in a cloud that is controlled by central remote servers.

Only now the whole up-in-the-air issue of security becomes that much more grounded.

[Via Science Daily]

Guerrilla Shoulder Surfing Tactics [Pic]

Geeks are Sexy — Wed, 18 Jan 2012 19:00:55 +0000

Beware! Someone could be watching you right now, waiting for the right moment to grab one of your many passwords… because I’m sure you use multiple passwords for all the password-protected sites you access, right?

[Via CB]

Facebook privacy protesters earn EPIC win

JLister — Wed, 30 Nov 2011 17:00:28 +0000

Facebook has agreed to settle charges by the Federal Trade Commission that it lied to customers about its privacy policies. The agreement means it will now be forced to ask first before changing any privacy settings.

The agreements comes after an investigation by several online privacy advocates, led by the Electronic Privacy Information Center (EPIC). Making the agreement does not involve formally admitting any wrongdoing, but Facebook is legally obliged to stick to the agreement. The potential penalty for any violation is $16,000, though it appears that could apply to each individual affected user if Facebook did breach the deal.

The FTC complaint that brought about the agreement lists seven instances when Facebook misled customers about its privacy policies. The most prominent was the December 2009 change when the company increased the range of options users had for controlling who could see particular types of information, but introduced the change by setting a lot of info to publicly available by default and then leaving users to put it back to a more private setting.

Other claims Facebook made that proved to be untrue included app developers only having access to info that was needed for the app (in fact they could access most other personal data); not sharing personal data with advertisers; certifying the security of supposedly “Verified Apps”; and complying with rules on data transfers between the United States and European Union. The company also failed to inform users that setting privacy to “Friends Only” meant data was shared with developers of apps used by those friends. And claims that photos and videos were inaccessible once an account was closed were also false.

The settlement not only legally forces Facebook to stop misleading customers over privacy and security, but changes the main principle of its privacy policies: in the future it can only make changes that affect privacy once a user has explicitly authorized the change. The company must also ensure that once an account is deleted, the user’s content becomes inaccessible after 30 days.

As part of the settlement Facebook must also establish a privacy program that will be independently audited every two years until 2032.

With Facebook agreeing to the deal, the FTC has unanimously agreed to approve it. It will now go through a 30 day public consultation (which appears to be little more than a procedural nicety) before being confirmed and taking effect.

While the settlement is a major public relations black eye for Facebook, it seems likely the company decided to stop fighting the issue and settle now, rather than have the case still active and frighten potential investors if and when it goes public.

How to Make the Ultimate Privacy Monitor [Video]

Geeks are Sexy — Mon, 28 Nov 2011 22:00:12 +0000

Finally you can do something with that old LCD monitor you have in the garage. You can turn it into a privacy monitor! It looks all white to everybody except you, because you are wearing “magic” glasses! All you really have to have is a pair of old glasses, x-acto knife or a box cutter and some solvent (paint thinner.)

Apple’s App store security breached

JLister — Tue, 08 Nov 2011 21:00:34 +0000

A man who created a bogus stock price tracker app for the iPhone that was in fact malware has been thrown out of Apple’s developer program. That would seem uncontroversial until you discover the app was designed to highlight a security flaw rather than cause damage or steal data.

Charlie Miller was told his right to create and upload apps had been terminated “effective immediately.”

If Miller’s name seems familiar, that may be because he’s a perennial winner at the PWN2OWN competition, held at the CanSecWest security event in Vancouver each year. Contestants can ask judges to visit a URL using various combinations of hardware, operating system and browser, with the latest publicly available security updates applied. Last year was a particularly bad day for Apple with a MacBook Pro running Safari the first computer to fall (Miller being the successful attacker) and the iPhone the first smartphone hacked.

According to Miller, his latest “attack” came after he spotted a security flaw in iOS. The flaw, unwittingly introduced in a recent iOS update, appeared to allow code to be added to an app after it had already been vetted by Apple and installed on devices.

To prove this was a genuine threat, Miller released an app named InstaStock in September. Using a post-approval update, he says he was in a position where he could have remotely downloaded contacts and pictures from phones running the app.

Miller says he reported the flaw to Apple in mid-October. He went public yesterday and was barred from the program a few hours later. He’s scheduled to unveil more details of the flaw at a security conference next week.

The BBC quotes one possible overenthusiastic analyst who calls the revelation the “the most significant threat yet to Apple’s app store economy.”

Meanwhile The Register has more details on the flaw, making the important point that it merely allows would-be attackers the same opportunities they’ve had on Android devices for some time.

(Image credit: Garret Gee)

Must Watch: Open-Source Cancer Research and the JQ1 Molecule [SCIENCE!]

Geeks are Sexy — Fri, 04 Nov 2011 18:00:38 +0000

Now if only everyone would be as open as this guy when it comes to medical research, I guess the world we live in would be very different…

How does cancer know it’s cancer? At Jay Bradner’s lab, they found a molecule that might hold the answer, JQ1 — and instead of patenting JQ1, they published their findings and mailed samples to 40 other labs to work on. An inspiring look at the open-source future of medical research.

Further Reading:

-Cancer Explained: The Cure for Cancer
-Novel Approach Scores First Success Against Elusive Cancer Gene

Facebook adds real-time link scanning

JLister — Tue, 04 Oct 2011 18:00:36 +0000

Facebook has partnered with a web security company to automatically scan all outgoing links that appear on the site. It’s an attempt to combat spam links that understandably flourish on Facebook.

The tool being used is the impressively sounding Websense ThreatSeeker Cloud powered by the Advanced Classification Engine. (There’s a TRITON in there somewhere as well.) In practice it’s a similar tool to that which is used by several search engines and browsers: when a user clicks on the link, it’s checked against a database and, if it looks suspicious, the user is given the choice of proceeding, going back to Facebook, or getting more technical details. The button to go back is intentionally made more prominent than the one to follow the link regardless.

How successful this is in practice depends on the accuracy of the database, but in principle it certainly seems a sensible idea. With 800 million users, there’ll be plenty of people on Facebook who either take no security precautions whatsoever, or have installed so many bogus antivirus applications that their screen is flooded with toolbars to the point that the main window looks like the view through a suit of armor visor.

The partnership also involves Websense producing a Facebook app named Defensio. It’s for people who run a Facebook page (as a opposed to a personal profile) and allows them to block links to malicious content, as well as optionally filtering links to particular topics.

In what’s probably not a coincidence, the announcement came just as Websense revealed the results of a survey into office staff computer use. As well as reporting “Facebook users growing at 41% year over year” (more poking = less aerobics?), it claimed that 63 percent of firms agreed that employee use of social media was a risk to the organization’s security, but that only 29 percent said they had adequate security measures. What percentage of those responding had any idea what they were talking about isn’t known.

Cryptography’s Human Problem [Video]

ACrezo — Thu, 22 Sep 2011 20:00:12 +0000

“The primary weakness in any modern security mechanism tends to be the modern consumers utilizing it.”

If you’ve got security issues, there’s a nonzero chance it’s your fault. Or, if you’re especially vigilant, the fault of another person in the chain of people who control account security. In this new video from our friends at World Science Festival, security expert Brian Snow discusses the prevalence of fatal user error in encryption.

This video is part of the Keeping Secrets series on WSFtv — check out other great posts and videos about encryption, security, and privacy on World Science Festival.

Those magnificent men with their hacking machines

JLister — Fri, 05 Aug 2011 18:00:49 +0000

Ah, that age-old problem: you’re wandering around with your laptop trying to steal Wi-Fi, hack into wireless networks, or just hit some sucker with a DOS attack, but then you find your potential victim lives in a huge mansion with grounds so big you can’t get within range of his router.

If you’re just messing about, you’ll probably relocate to a coffee shop where it’s easy pickings. But if you’re a little more ambitious, well, why not bring in a small plane.

Yes, unmanned drones are no longer for bombing enemy combatants or sneaking illicit video footage. Two security researchers have now shown they can be adapted for very literal wireless hacking.

Richard Perkins and Mike Tassey told the Black Hat security conference how they souped up a $300 drone with a gadgetry including a video camera, a Wi-Fi dongle, and even a miniature antenna that can pose as a GSM cellphone tower to intercept calls. The drone even has an electronic dictionary of 340 million words in case a brute force attack is needed to find a password.

While the drone is legally required to stay under 400 feet, the creators say that’s high enough, and the device quiet enough, that it could fly overhead without necessarily attracting attention. According to Perkins and Tassey, all the equipment used on the drone was purchased legally. One drawback is that it must be in the line of sight for take-off and landing, but can be put on autopilot while airborne. It has a flight time of 30 to 45 minutes.

The pair say they built the drone to show the potential security risks if more criminally minded people used the same tactics. But they do say it could be used for military purposes, such as relaying messages or jamming enemy signals, as well as legitimate civilian life purposes such as providing emergency cellphone access after a natural disaster.

Ur car cd b stolen by txt

JLister — Thu, 04 Aug 2011 19:00:36 +0000

A security consultant has shown it’s possible to steal some cars simply by sending a specially crafted series of text messages.

Don Bailey of iSEC Partners was speaking at the Black Hat security conference in Las Vegas. It’s an annual event designed to inform security professionals about the latest threats, and has become known for speakers giving practical demonstrations of vulnerabilities.

Bailey’s presentation covered the growing number of devices that are simply attached to the telephone network and thus aren’t as easy to isolate from attacks over the Internet itself.

In his demonstration, he used a laptop to send text messages as if from a phone: some reports say he noted the technique could be carried out simply using an Android handset. Not only were Bailey and colleague Matthew Solnik able to unlock the car without touching it, but they were then able to start the engine.

The car used in the demonstration was a Subaru Outlook, though there’s no indication the problem is specific to that model. As is common practice at Black Hat, Bailey didn’t reveal precise details of the system involved as he wants to give the manufacturers time to tackle the issue.

The heart of the problem is that such wireless products rely on the GSM phone network system. But it appears to be too easy to set up a bogus server and intercept messages to and from devices.

It wasn’t actually cars where Bailey first tried out the technique. He came up with the idea after seeing Oprah Winfrey discuss the Zoombak, a gadget that helps parents track their children’s movements. Bailey says he was able to break into the Zoombak system through a similar technique (pictured).

But while the car lock made for a more spectacular demonstration, there’s a wide range of systems that could be attacked with the same technique, including traffic systems. (Surely not traffic lights, Superman III style?) Most worryingly it could mean some SCADA industrial control systems are vulnerable.

According to Bailey, the problem could be stopped if manufacturers were prepared to use more expensive components in wireless devices — and if the public were willing to pay extra.

Hacker convention adds junior event

JLister — Tue, 02 Aug 2011 16:00:51 +0000

Kids are being invited to Las Vegas to learn hacking skills.

Nope, this isn’t another story from the creative mind of Stephen Glass, but a genuine event. The annual DEF CON hacker convention will for the first time feature a special children’s event this weekend at the Rio hotel, known as DefCon Kids.

The event is aimed at children aged 8 to 16 and will include a range of activities including using Google to find “secret information”, the history of cryptography, and practical lockpicking.

There’ll also be a session where a ten-year-old girl using the pseudonym CyFi will show off “her first public vulnerability disclosure.” And for one event, there’s the promise that the audience “will leave with smiles on their faces and circuit boards around their necks.”

There’s no charge for the events, but all children must be accompanied by a parent at all times, and the parent must have a ticket for the main DEF CON event. There’s also a spectacular disclaimer for those thinking of bringing their kids:

“The DefCon Kids conference room will be situated in and around the adult DEFCON, therefore you and your kids will be exposed to a wide assortment of people, lifestyles and philosophies…. There will be adult language, alcohol and there may be nudity.”

It’s also important to note the FAQ for the main event which, dealing with the question of what to bring, explains “Its generally a good idea if you are a pale geek to have some sunscreen at the top of your list.”

It seems encouraging parents and children to come to the events together isn’t just a case of serving an audience, but also dealing with an inevitability. The event FAQ also notes “While there are no age limits [for the main convention], we have consistently cooperated with parents and/or private investigators who are looking for children that ‘ran away from home’ to go to DEF CON.”