Saturday, June 23, 2018

...and yet the government still claims it is secure.
Aria Thaker reports:
In another exposure of Aadhaar’s cybersecurity weaknesses, over 70 subdomains under a Government of India website are providing access to demographic-authentication services without requiring identity verification from the requester. The websites allow users to access an application programming interface, or API, in which anyone can enter a person’s Aadhaar number, name, gender and date of birth, and be directed to a page that either reads “yes” or displays an error message, indicating whether or not the information corresponds to a valid entry in the Aadhaar database. Providing such unrestricted access to this API raises major concerns of privacy, and may be exploited by hackers seeking to uncover people’s Aadhaar numbers. It also violates the Aadhaar Act, the law governing India’s nationwide digital-identity programme.
Two security researchers—Srinivas Kodali and Karan Saini—independently found the vulnerability and reported it to relevant authorities.
Read more on Caravan Magazine.
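The problem the article describes is an API that answers "yes" or error to anyone who asks, with no check on who the requester is. The small Python sketch below is an added illustration, not code from the Caravan article, from the researchers, or from UIDAI: it puts the open oracle next to a version that requires a registered caller key, caps attempts per caller per time window, and logs every request. The record values, keys and limits are constructed for the demo.

```python
"""Toy demographic-verification service: an open yes/no oracle beside an
authenticated, rate-limited one. Added example; not the real Aadhaar API."""
import hmac
import logging
import time
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("verify-demo")

# Constructed sample records: the 12-digit numbers and names are made up.
RECORDS = {
    "123412341234": {"name": "Asha Kumar", "gender": "F", "dob": "1990-01-15"},
    "567856785678": {"name": "Ravi Mehta", "gender": "M", "dob": "1985-07-02"},
}


def _matches(number, name, gender, dob):
    """True only when all four submitted fields agree with the stored record."""
    rec = RECORDS.get(number)
    return rec is not None and (rec["name"], rec["gender"], rec["dob"]) == (name, gender, dob)


def verify_open(number, name, gender, dob):
    """The pattern the article describes: no caller identity, a bare yes/error
    answer for any (number, name, gender, dob) combination submitted."""
    return "yes" if _matches(number, name, gender, dob) else "error"


class AuthenticatedVerifier:
    """Same lookup, but the requester must present a registered key, each
    requester gets at most `max_per_window` attempts per `window_seconds`,
    and every attempt is logged against the requester (number masked)."""

    def __init__(self, api_keys, max_per_window=5, window_seconds=60, clock=None):
        self._keys = dict(api_keys)          # key -> requester identity (constructed)
        self._max = max_per_window
        self._window = window_seconds
        self._clock = clock or time.monotonic  # injectable for tests
        self._attempts = defaultdict(deque)  # requester -> timestamps in window

    def _authenticate(self, presented):
        # Constant-time comparison so key checking does not leak by timing.
        for key, requester in self._keys.items():
            if hmac.compare_digest(key, presented):
                return requester
        return None

    def verify(self, api_key, number, name, gender, dob):
        requester = self._authenticate(api_key)
        if requester is None:
            log.warning("rejected verification request: requester not identified")
            raise PermissionError("requester identity not verified")

        now = self._clock()
        recent = self._attempts[requester]
        while recent and now - recent[0] >= self._window:
            recent.popleft()                 # drop attempts outside the window
        if len(recent) >= self._max:
            log.warning("rate limit reached for requester=%s", requester)
            raise RuntimeError("rate limit exceeded")
        recent.append(now)

        result = "yes" if _matches(number, name, gender, dob) else "no"
        log.info("requester=%s number=********%s result=%s", requester, number[-4:], result)
        return result


if __name__ == "__main__":
    v = AuthenticatedVerifier({"demo-key-agency-A": "agency-A"}, max_per_window=3)
    print(verify_open("123412341234", "Asha Kumar", "F", "1990-01-15"))
    print(v.verify("demo-key-agency-A", "123412341234", "Asha Kumar", "F", "1990-01-15"))
```

The two properties the article says were missing are the ones that separate the classes: `verify_open` answers anyone, while `AuthenticatedVerifier.verify` refuses a caller it cannot identify, bounds how many answers any one identified caller can obtain per window, and leaves an audit trail keyed to that caller.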

And for the time being, the hackers pull ahead.
A hacker figured out how to brute force iPhone passcodes
A security researcher has figured out how to brute force a passcode on any up-to-date iPhone or iPad, bypassing the software's security mechanisms.
Since iOS 8 rolled out in 2014, all iPhones and iPads have come with device encryption. Often protected by a four- or six-digit passcode, a hardware and software combination has made it nearly impossible to break into an iPhone or iPad without cooperation from the device owner.
And if the wrong passcode is entered too many times, the device gets wiped.
But Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, found a way to bypass the 10-time limit and enter as many codes as he wants -- even on iOS 11.3.
"An attacker just needs a turned on, locked phone and a Lightning cable," Hickey told ZDNet.
… He explained that when an iPhone or iPad is plugged in and a would-be-hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device.
"Instead of sending passcodes one at a time and waiting, send them all in one go," he said.
An attacker can send all the passcodes in one go by enumerating each code from 0000 to 9999 in one string with no spaces.

They could probably do this faster if they used computers.
Justin Hemmings of Alston & Bird writes:
The FBI recently published its 2017 Internet Crime Report highlighting trends and statistics compiled by the FBI’s Internet Crime Complaint Center (“IC3”) during 2017. The report compiles data from a total of 301,580 complaints which reported losses of over $1.4 billion. In addition to an explanation of the IC3’s history and operations, the report includes five “hot topics” from 2017: business email compromise (“BEC”), ransomware, tech support fraud, extortion, and the Justice Department’s Elder Justice Initiative.

A glimmer of hope?
Cellphone Tracking: A Win for Privacy Advocates!
Today, in Carpenter v. United States, the Supreme Court ruled, in a 5-4 decision, that police need a warrant to search your phone when digging for cellphone tracking information.
Chief Justice John Roberts noted that a phone is basically “a feature of human anatomy.” We’re finally seeing this come to fruition in the court system.
… For even more details check out:

(Related) On the other hand...
The latest Supreme Court decision is being hailed as a big victory for digital privacy. It’s not.
… Whatever its other flaws, the Roberts Court thus seems to understand electronic privacy’s importance.
But there are a couple of things to know before toasting the Court’s high regard for privacy in the digital age. The Roberts Court, building on what the preceding Rehnquist Court did, has created an infrastructure for Fourth Amendment law that makes it exceptionally easy for police to do a search, even when a warrant is required. The law also makes it exceptionally difficult for citizens to obtain close judicial oversight, even when the police have violated the Constitution. As a result of these background rules, even a decision as seemingly important as Carpenter is unlikely to have any dramatic effect on police practices.
It’s not just that our digital privacy is insufficiently protected, in other words. It’s that our Fourth Amendment rights and remedies in general have been eroded.

We’re on break now, so all my students should be reading!
Global Grey (Web): Free eBook Series and Collections
You probably know that classic books are available for free on sites like Project Gutenberg. But Aisha goes the extra mile. She collects some of the best book series in collections that you’ll find easy to download and read. Go to the “Series” section on Global Grey and you’ll get an endless reading list of free ebooks in collections.

(Related) How I organize my ebooks.
Calibre might not be the most polished app in the world, but it’s definitely the best software for managing your ebook collection.
It ticks all the right boxes: it’s free, there aren’t any ads, and it boasts a vast number of powerful features.
1. Merge and Split EPUB Ebooks
3. Turn Calibre Into a Sharing Server
If several members of your household have a Kindle, or if you own multiple Kindles, continually syncing your data manually quickly becomes tedious.
Instead, why not turn your Calibre app into a content server? By doing so, you can make your entire Calibre library available on all your devices. You can even upload new content to your Calibre library from those devices.
5. Remove DRM From Ebooks
Calibre lets you wrestle back control of your ebooks by offering a way to remove the DRM from titles you’ve bought from Amazon and other online stores.
We covered the process in detail when we explained how to remove the DRM on every ebook you own. So we recommend reading that article for the full scoop.
6. Automatically Download Ebook Metadata
7. Put Your Ebook Library in the Cloud
