This week in computer security

Unrelated much but just so you know.
Facebook tried and is trying to stop privacy legislations all over the world:
https://www.theguardian.com/technol...campaign-against-data-privacy-laws-investment
Social network targeted legislators around the world, promising or threatening to withhold investment
Yea, all your answers to security questions about an account should belong to Facebook and it should be able to distribute them to 3rd parties without any penalty.

Here's hoping this blackmailer/hating platform that started as a positive company to keep people connected then ended up as big brother gets banned worldwide.
 
On the positive side (you remember the positive side, right?) - it looks like PGP is coming to authentication: https://www.w3.org/2019/03/pressrelease-webauthn-rec.html

If I understand that right, websites don't keep your password anymore. Instead, they keep your public key. The actual authentication is done on your PC/phone/internet-aware-mattress via whatever method you like (I'll leave the mattress' method of ID up to your imagination). Every website gets its own key pair.

I haven't looked yet on what happens if the device that has your keys goes missing.
 
I didn't read the standard but it sounds like a good start; I guess they will have you answer a security question; you encrypt it with your private key and they decrypt it with your public key?

Wonder how they deal with key loggers and if it will make people more vulnerable once the private key is lost?

 
https://www.tomshardware.co.uk/oper...ersky-asus-victims-securelist,news-60470.html
Asus Wasn't the Only One Struck by Operation ShadowHammer

One of the companies impacted, Electronics Extreme, makes the survival game Infestation: Survivor Stories. The second, Innovative Extremist, is a web and IT infrastructure services provider that has also worked in game development. The third company, Zepetto, is from South Korea and made the video game Point Blank.

According to Kaspersky's researchers, the attackers either had access to the source code of these companies' software or were able to infect their software during compilation. The hackers could have infiltrated the networks of these companies. The researchers noted that this reminded them of how the CCleaner attack happened. Avast's CCleaner update servers were infiltrated in a similar way, exposing millions of users to a trojanized CCleaner update.

Kaspersky said that three other South Korean companies were targeted, including another video game company, a conglomerate holding company and a pharmaceutical firm. The cybersecurity firm didn't share their names.
While my motherboard is ASUS', I've never installed Asus live update so I was safe on that side, but usual customers who were buying preinstalled ASUS machines on the other hand…
Also note that when I have to intervene somewhere, one of the first things I do is remove CCleaner. That tool was nice about a decade ago, later became an unwanted burden - and I didn't know there was a security breach.

-----------------------------------------------------------

https://www.tomshardware.co.uk/eu-centralized-biometrics-database-criticism,news-60467.html
EU To Create One Large Centralized Biometrics Database, Drawing Criticism

The European Parliament has voted to create one large centralized biometrics database that the law enforcement agencies of any member state can access (with some restrictions).
It's awesome and I love the idea.
But it needs to be offline and accessed only through outdated bureaucratic ways. Otherwise, we'll crack it and spy on random strangers for fun (and in some cases for $).
 
I once had this Asus thing, but I disliked it, so I uninstalled it.
 
Security Researchers Expose Vulnerability in Philips Hue Smart Bulbs: https://www.macrumors.com/2020/02/05/security-flaw-philips-hue-smart-bulbs/ "A new vulnerability has been discovered in the Philips Hue smart lighting system that could let hackers gain access to the local host network and other devices connected to it."

I may be wrong, but I have a feeling that security is not as well handled in the internet of things as in the internet of computers.

Another example. There is a group in the Norwegian Health Care informatics organisation responsible for evaluating security by trying to break into health care networks. My workplace has in general performed quite well in these tests, but once they were able to break in through some medical technical equipment - I don't remember exactly what it was, but it wasn't one of the PCs.

a pibbur whose knowledge about things like this "leaves something to be desired" (he loves that expression).
 
Most of the IoT devices have enormous security holes which allow hackers to not only take over the device but also access the local network.

An interesting bug (not a security hole) that cropped up a couple of days ago is that a lot of Windows 7 users can no longer perform a shutdown ;)
 
BBC report on Indian scam call centers: https://www.bbc.com/news/technology-51740214

Should be read by everyone. I have witnessed 2 of these calls on the telephone of my parents myself.
I get them once or twice a month at work. I always enjoy talking to them and playing dumb. The longer I can keep them busy the more angry and cursing they become :D

I saw you had a post on 2-factor being hacked but I still believe it's the best security measure you can take. I recommend using an authenticator app with push notification, and SMS as backup. Most email providers support this now.
 
They fixed the firmware such that the drives only fail at 40.000 hours + Math.rand(seed) now.
 
I think they're taking the "planned obsolescence" thing a bit too far!
 
Account data from the service "zoom" have been found online.
I don't have any English-language link yet.
 