Wednesday, March 16, 2016

For my Computer Security class. It's your fellow employees who will doom your entire security program unless you can drum this lesson into them.
Stealing Nude Pics From iCloud Requires Zero Hacking Skills -- Just Some YouTube Guides
The Department of Justice yesterday charged a 36-year-old man with stealing nude photos from at least 50 iCloud and 72 Gmail accounts, most of which belonged to celebrities. Though not explicitly stated in the court filings or official statements from the DoJ, it’s apparent Ryan Collins is a chief suspect in the 2014 “celebgate” leaks in which major actresses were targeted, including Jennifer Lawrence and Kate Upton. Collins has pled guilty to one count of unauthorized access to a protected computer to obtain information, officials said.
What’s startling about Collins’ alleged “hacks” is how little technical ability he needed to get access to those celebrity accounts. Court documents showed he required no hacking skills at all, creating fake email addresses – and – that appeared to come from official Apple and Google sources. He simply emailed the celebrities and asked them for their login information, which, it seems, they duly gave away.
… On YouTube, a simple search for “iCloud phishing” brings up tutorials on how to craft an effective account theft campaign in just 15 minutes
… The DoJ said: “In some instances, Collins would use a software program to download the entire contents of the victims’ Apple iCloud backups.” [Exactly what the FBI did in the San Bernardino case. Bob]

There’s nothing much new in here if you’ve followed this stuff for years, but some folks still need a reminder and wake-up call not to tolerate this type of insider wrongdoing:
U.S. police officers in Denver, Colorado are only lightly punished if caught using confidential criminal databases for personal reasons like finding out a woman’s phone number, a police watchdog wrote in a report released Tuesday.
According to the monitor, this allows the abuse to continue.
Read more on TeleSur.
[From the article:
Independent Monitor Nicholas Mitchell said 25 Denver officers have been punished for inappropriate use of the databases since 2006. Most of them received reprimands rather than the harsher penalties.

What ISPs can see, the FBI can obtain.
A Canadian reader sent along a link to this paper.
What ISPs Can See: Clarifying the technical landscape of the broadband privacy debate
Authors: Aaron Rieke, David Robinson, and Harlan Yu
© 2016 Upturn. Licensed under a Creative Commons Attribution 4.0 International License.
From the Introduction:
In 2015, the Federal Communications Commission (FCC) reclassified broadband Internet service providers (ISPs) as common carriers under Title II of the Communications Act. This shift triggered a statutory mandate for the FCC to protect the privacy of broadband Internet subscribers’ information. The FCC is now considering how to craft new rules to clarify the privacy obligations of broadband providers.
Last week, the Institute for Information Security & Privacy at Georgia Tech released a working paper whose senior author is Professor Peter Swire, entitled “Online Privacy and ISPs.” The paper describes itself as a “factual and descriptive foundation” for the FCC as the Commission considers how to approach broadband privacy. The paper suggests that certain technical factors limit ISPs’ visibility into their subscribers’ online activities. It also highlights the data collection practices of other (non-ISP) players in the Internet ecosystem.
We believe that the Swire paper, although technically accurate in most of its particulars, could leave readers with some mistaken impressions about what broadband ISPs can see. We offer this report as a complement to the Swire paper, and an alternative, technically expert assessment of the present and potential future monitoring capabilities available to ISPs.
We observe that:
1. Truly pervasive encryption on the Internet is still a long way off. The fraction of total Internet traffic that’s encrypted is a poor proxy for the privacy interests of a typical user. Many sites still don’t encrypt: for example, in each of three key categories that we examined (health, news, and shopping), more than 85% of the top 50 sites still fail to encrypt browsing by default. This long tail of unencrypted web traffic allows ISPs to see when their users research medical conditions, seek advice about debt, or shop for any of a wide gamut of consumer products.
2. Even with HTTPS, ISPs can still see the domains that their subscribers visit. This type of metadata can be very revealing, especially over time. And ISPs are already known to look at this data — for example, some ISPs analyze DNS query information for justified network management purposes, including identifying which of their users are accessing domain names indicative of malware infection.
3. Encrypted Internet traffic itself can be surprisingly revealing. In recent years, computer science researchers have demonstrated that network operators can learn a surprising amount about the contents of encrypted traffic without breaking or weakening encryption. By examining the features of network traffic — like the size, timing and destination of the encrypted packets — it is possible to uniquely identify certain web page visits or otherwise obtain information about what the traffic contains.
4. VPNs are poorly adopted, and can provide incomplete protection. VPNs have been commercially available for years, but they are used sparsely in the United States, for a range of reasons we describe below.
We agree that public policy needs to be built on an accurate technical foundation, and we believe that thoughtful policies, especially those related to Internet technologies, should be reasonably robust to foreseeable technical developments.
We intend for this report to assist policymakers, advocates, and the general public as they consider the technical capabilities of broadband ISPs, and the broader technical context within which this policy debate is happening. This paper does not, however, take a position on any question of public policy.
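Point 2 above is worth seeing on the wire. Even when a site uses HTTPS, the browser sends the server's host name in the clear in the TLS ClientHello (the server_name, or SNI, extension), so anyone on the path can read the domain without touching the encryption; only the path, headers and page contents are hidden. The Python below is an added example written for this post, not code from the Upturn paper or the Swire paper: it builds a minimal ClientHello for a made-up host name (the sample bytes are constructed here, not captured from a real client) and then parses the SNI back out the way a passive observer would, returning None for non-handshake or truncated records.

```python
import struct

# Constructed sample input: a minimal TLS 1.2 ClientHello carrying a
# server_name (SNI) extension, built here for the demonstration rather than
# captured from a real client.
def build_client_hello(hostname: str) -> bytes:
    """Return one TLS record holding a ClientHello that names `hostname`."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    # An unrelated extension (supported_versions, type 43) placed first, so the
    # parser has to step over something it does not care about.
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(range(32))                            # "random" (fixed for reproducibility)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    This is what a passive observer on the path (an ISP) can read from the
    first packet of an HTTPS connection without breaking the encryption.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:       # not a handshake record
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:               # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:                            # truncated capture
            return None
        off = 2 + 32                                   # client_version + random
        off += 1 + p[off]                              # session_id
        (cs_len,) = struct.unpack("!H", p[off:off + 2]); off += 2 + cs_len
        off += 1 + p[off]                              # compression_methods
        if off + 2 > len(p):
            return None                                # no extensions at all
        (ext_len,) = struct.unpack("!H", p[off:off + 2]); off += 2
        end = min(off + ext_len, len(p))
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4]); off += 4
            edata = p[off:off + elen]; off += elen
            if etype != 0x0000 or len(edata) < 2:
                continue
            (list_len,) = struct.unpack("!H", edata[:2])
            q, list_end = 2, min(2 + list_len, len(edata))
            while q + 3 <= list_end:
                ntype, nlen = struct.unpack("!BH", edata[q:q + 3]); q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("ascii", "replace")
                q += nlen
        return None
    except (struct.error, IndexError):
        return None                                    # malformed input


if __name__ == "__main__":
    hello = build_client_hello("www.example-health-site.org")
    print("server_name visible on the wire:", extract_sni(hello))
```

The DNS lookup that precedes the connection leaks the same name a second time, which is why the paper notes that ISPs already mine DNS queries for malware indicators; an observer does not need to see a single byte of the HTTP request to know which health, news or shopping site a subscriber opened.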

(Related) This is why you feel like you are being followed by hordes of marketers.
How Marketers Track Your Behaviors When You’re Offline
You know that marketers and retailers track you online; cookies, social logins, canvas fingerprinting, and all sorts of other technologies make it easy for companies to keep track of what you do, not only on their site, but all over the Internet.
But did you know that these same companies are monitoring what you do offline, too? Here are some of the interesting strategies they use to connect your online and offline lives.

From a purely business model perspective, how much could Apple save each year if it did not have to respond to the tens of thousands of requests/warrants/subpoenas from (not just US) law enforcement?
Apple Actively Working to 'Double Down' on iCloud Encryption
Apple is working to further harden iCloud security so that even it won't be able to access user information stored on its data servers, The Wall Street Journal has reported.
… Currently, data kept on the cloud service is accessible by Apple using a key, which is used for restoring account information if, for example, a user forgets their password. Apple's access also allows the company to provide relevant information it has to law enforcement agencies that approach it with proper, legal requests.
However, Apple appears to be concerned that keeping a copy of the key means it could be compromised by hackers or that the company could be legally compelled to turn it over to governments.

(Related) Does Google have better lawyers than Apple or are they closer to President Obama?
Google reveals 77 percent of its online traffic is encrypted
Google is disclosing how much of the traffic to its search engine and other services is being protected from hackers as part of its push to encrypt all online activity.
Encryption shields 77 percent of the requests sent from around the world to Google’s data centers, up from 52 percent at the end of 2013, according to company statistics released Tuesday.
… In August 2014, Google revised its secret formula for ranking websites in its search order to boost those that automatically encrypted their services. The change meant websites risked being demoted in Google’s search results and losing visitors if they didn’t embrace encryption.
… Nearly 96 percent of Google’s unencrypted traffic comes from mobile devices.

(Related) Attention terrorists?
Encrypted messaging app Peerio launches on Android and iOS
Startup Peerio today announced the availability of its encrypted messaging app on both iOS and Android. They’re a long time coming; Peerio first launched in January 2015, but it’s only been available on desktop, and the alpha and beta testing for the mobile apps — which support cloud storage, group chat, and offline read access — have been going on for several months. Now the iOS app is on the App Store, and the Android app is on the Google Play Store.
Plus, all the code for the app is available for anyone to inspect on GitHub under an open source GPL license.

Have we become so lazy we no longer go out for dinner? Or is it too easy to have dinner come to us?
Uber For Food Launches Standalone UberEATS App And It's Expanding To A Dozen More Cities
Last December, Uber launched UberEATS, the company's standalone app for food delivery, and it is now available on Android and iOS.
… The app is initially available to users in San Francisco, Los Angeles, Houston, Chicago and Toronto, where it will deliver food ordered from the customers' favorite local restaurants whatever time of the day and whatever day of the week.
UberEATS will also launch in more cities such as New York, Dallas, Austin, Atlanta, Seattle, Washington, Paris and Melbourne in the weeks ahead.
… The app offers different meals with varying prices. Instant Delivery pricing options would usually range from $8 to $12.
The Instant Delivery feature has a curated menu that includes four to five daily specials. The feature promises to deliver food in less than 10 minutes.

(Related) If Google becomes the “go to” site for all transportation, they control entry into these markets.
Google Maps goes beyond Uber, adds Ola, Hailo and more car services to its app
Google reportedly is working on building its own Uber competitor, and while some believe this will come in the form of a fleet of autonomous cars, there is a more immediate option for how Google can position itself more prominently in Uber’s world: by searching and aggregating everything that the wider on-demand transport landscape has to offer.
Today, Google announced its navigation app Google Maps will be adding a new car services tab as a complement to its walking, driving and public transportation directions. It will show fares and riding options from a number of providers in addition to Uber.

Once upon a time, you could walk to the corner store and the human behind the counter would greet you by name. Now you Uber to Walmart and only your iPhone knows who you are.
Amazon Files To Patent Pay-by-Selfie System
If Amazon manages to follow through on its recent application to the U.S. Patent & Trademark Office, its customers might one day be able to verify purchases via action-oriented selfies. According to the patent application filed Thursday, Amazon has developed an image-based authentication system that uses facial recognition technology and sensors to detect an action like blinking to verify a user's identity during a transaction.
… A survey of 10,000 consumers conducted by MasterCard found that more than half -- 53 percent -- forgot important passwords "more than once a week." The subsequent process needed to reset their passwords typically took more than 10 minutes, according to the survey. [This is why I have always advocated writing down your passwords – and then making certain that list stays with you. Bob]

Didn't they learn from the Internet Explorer lawsuits?
Microsoft upgraded users to Windows 10 without their OK
Although I've seen sporadic reports of forced Windows 10 upgrades appearing out of the blue for several weeks now, the complaints really started piling up Friday evening. More and more Windows 7 and 8.1 customers are complaining that Microsoft upgraded their computers to Windows 10 -- and they didn't do anything to bring it on.

One of the most important technologies ever?
How Bitcoin’s Blockchain Is Making the World More Secure
The blockchain is an essential part of how most major cryptocurrencies work, including Bitcoin. But it’s also esoteric and can be hard to understand. Even when you think you’ve got it, it can still trip you up.
In its most distilled form, the blockchain is a chronological ledger of every transaction that ever happened. Records are stored in cryptographically-verifiable chunks, called “blocks”, which are then “chained” together. Ergo, the blockchain.
This ledger is shared between people on the Bitcoin network, which essentially prevents people from spending coins they don’t have. It also prevents coins from being spent twice.
But while Bitcoin has yet to become a mainstream currency — and probably never will — the concept of a blockchain is having success in other fields, such as e-voting and finance. In many ways, the blockchain is more successful than Bitcoin ever will be, and it’s certainly going to impact your day-to-day life in the near future.
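To make "cryptographically verifiable chunks chained together" concrete, here is an added example written for this post (it is not Bitcoin's code and not from the article above). Each block's hash covers its transactions and the previous block's hash, so editing an old transaction either breaks that block's own hash or, if the forger recomputes it, breaks the link from the next block. The verifier also replays balances from genesis, which is how the ledger stops anyone spending coins they do not have (modelled here as account balances rather than Bitcoin's unspent outputs, and with a "COINBASE" sender standing in for newly issued coins). The sample chain is constructed for the demonstration. What this deliberately omits is proof-of-work and network consensus, which are what make rewriting the whole chain expensive in the real system.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64
COINBASE = "COINBASE"   # marker for newly issued coins (no sender balance needed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_block(block: dict) -> str:
    """Recompute a block's hash from its contents; never trust the stored value."""
    header = {
        "index": block["index"],
        "prev_hash": block["prev_hash"],
        # Bitcoin commits to transactions through a Merkle root; a flat hash of
        # the canonical JSON serves the same purpose in this toy.
        "tx_hash": sha256_hex(json.dumps(block["transactions"], sort_keys=True).encode()),
    }
    return sha256_hex(json.dumps(header, sort_keys=True).encode())


def make_block(index: int, prev_hash: str, transactions: list) -> dict:
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions}
    block["hash"] = hash_block(block)
    return block


def verify_chain(chain: list) -> tuple:
    """Walk the chain from genesis; return (True, 'ok') or (False, reason)."""
    balances = {}
    prev_hash = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i:
            return False, f"block {i}: index {block['index']} out of sequence"
        if block["prev_hash"] != prev_hash:
            return False, f"block {i}: broken link"
        if hash_block(block) != block["hash"]:
            return False, f"block {i}: contents do not match hash"
        for tx in block["transactions"]:
            src, dst, amt = tx["from"], tx["to"], tx["amount"]
            if not isinstance(amt, int) or amt <= 0:
                return False, f"block {i}: invalid amount {amt!r}"
            if src != COINBASE:
                held = balances.get(src, 0)
                if held < amt:                 # spending coins the sender does not have
                    return False, f"block {i}: {src} spends {amt} but holds {held}"
                balances[src] = held - amt
            balances[dst] = balances.get(dst, 0) + amt
        prev_hash = block["hash"]
    return True, "ok"


def build_sample_chain() -> list:
    """Constructed sample ledger for the demonstration (not real Bitcoin data)."""
    chain = [make_block(0, GENESIS_PREV, [{"from": COINBASE, "to": "alice", "amount": 50}])]
    chain.append(make_block(1, chain[-1]["hash"], [{"from": "alice", "to": "bob", "amount": 20}]))
    chain.append(make_block(2, chain[-1]["hash"], [
        {"from": "bob", "to": "carol", "amount": 10},
        {"from": "alice", "to": "carol", "amount": 5},
    ]))
    return chain


def tamper(chain: list, block_index: int, tx_index: int, new_amount: int, reseal: bool = False) -> list:
    """Return a copy with one amount edited; optionally recompute that block's hash as a forger would."""
    forged = copy.deepcopy(chain)
    forged[block_index]["transactions"][tx_index]["amount"] = new_amount
    if reseal:
        forged[block_index]["hash"] = hash_block(forged[block_index])
    return forged


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))
    print(verify_chain(tamper(chain, 1, 0, 45)))                # block 1's hash no longer matches
    print(verify_chain(tamper(chain, 1, 0, 45, reseal=True)))   # block 2's back-link now breaks
    overspend = chain + [make_block(3, chain[-1]["hash"], [{"from": "bob", "to": "dave", "amount": 15}])]
    print(verify_chain(overspend))                              # bob only holds 10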

This would make my job much easier and increase my income! Thanks Dilbert!

No comments: