Volkswagen gets a special mention for gaming fuel-emission tests via the software in its cars. And BlackBerry, long proud of going its own way, finds itself pinning its comeback hopes on a phone that leans heavily on software from another company, Alphabet’s Google.
Lastly, all of Silicon Valley gets a turkey this year because the tech industry still can’t figure out how to hire, retain and promote more women and minorities.
Since innovation apparently can mean figuring out new ways to screw up, we’ve rounded up a supersized 17 examples of the most cringe-inducing tech turkeys for your holiday entertainment.
To hackers, spies, and cyber-criminals these days, calling Tor “secure” is a bit laughable. There are so many exploits and workarounds, along with unavoidable weaknesses to side-channel attacks performed in the physical world, that in some cases the false sense of cyber-security can end up making relaxed use of Tor less secure than paranoid use of the regular internet. If you’re someone looking to buy some weed on the internet (or communicate securely with your mistress), Tor is probably alright for you. If you’re looking to sell some weed on the internet, get in contact with a government informant, or share sensitive information between foreign activists, it probably isn’t. Tor is looking to change that.
This is coming specifically in the wake of recent revelations of wide-ranging vulnerabilities in Tor’s anonymity protocols. A high-profile exposé accused researchers at Carnegie Mellon of accepting a government bounty (reportedly a cool million dollars) to de-anonymize certain Tor users (those specifically mentioned in the exposé include a child porn suspect and a Dark Market seller). Their attack vector and others are just what cynical hacker-forum users have been prophesying for years, things like malicious Tor nodes and directory servers that exist solely to suck up the personal info of those Tor users they serve.
One major initiative involves the algorithm governing the selection and use of “guard nodes,” which are the first anonymizing nodes used by a Tor hidden service, and thus the only nodes interacting directly with the legitimate IP. Right now, a Tor connection might use multiple guard nodes and as a result expose itself to more risk than necessary; now, the developers want to make sure that Tor connections use the minimum possible number of guard nodes, and preferably just one.
Another push hopes to reinforce the wall between dark web domains, the crawlers used by search engines, and specialized server-finders. One of the strengths of a hidden service is that it’s hidden — not just the physical location of the server hosting the service, but the digital address of the service itself, unless you’re specifically handed the randomly generated onion address. Keeping hidden services off of search engine results means that a private service can remain private, used only by those people specifically handed the address. Should an attacker find that address, Tor’s anonymity protocols should protect it. But attackers can’t even try to access services they have no idea exist.
If you’re up to delving a bit deeper into the Dark Web, and you don’t mind looking at 99 useless sites for every interesting one, boot up the Tor Browser and take a look at this ingenious hidden service indexing tool for an idea of the level of crawling that can currently be done on the Deep Web.
The Tor Project exists to provide anonymity — that is its main function, and all other functions are in service to that. So, to attack the security of a Tor user (even a legitimately horrible criminal) is to attack Tor itself. It’s a tough principle to stand behind, at the end of the day — to get mad about police efforts to catch child pornographers. Yet, the security world is united; security researcher Bruce Schneier has called Carnegie Mellon’s alleged collaboration “reprehensible,” as did numerous other academic security researchers.
Their reasoning is sound. There is simply no way to attack the availability of anonymity to bad people without also undermining the availability of anonymity to good ones. We also need to have a class of disinterested researchers who can interface with the criminal/quasi-legal cyber underground and have meaningful, honest conversations — we need this for social understanding, the maintenance of free speech, and effective law enforcement.
That’s not a perspective that seems to exist in the government, to any extent. The recent terrorist attacks in Paris have led to sustained attacks on encryption and anonymity, even before the investigation produced any evidence that the attackers had used encryption, and certainly in the absence of any evidence that, had they not used encryption, they would have been reliably detected by French or international security agencies. The New York Times, which broke the story of an alleged encryption aspect to the attacks, has since pulled the story from its website.
Of course, the hacker/security community will take some time to win back, and may never return to the fold. There’s a significant number of people who still believe that Tor is an elaborate government honeypot with zero real security from government spying. That’s unlikely, but ultimately it’s the perception that counts. Can the Tor Project win back the hardcores? Perhaps not. But with its continuing, aggressive updates, it could keep us normies safer as we browse drug-lists without buying, stare uncomprehendingly at ISIS statements posted in Arabic, and just generally indulge the extremes of our intellectual curiosity.
In other words, it could keep the basic tenets of liberty alive just a little bit longer.
Billing it as the largest hacking case ever uncovered, federal prosecutors in Manhattan on Tuesday described a global, multiyear scheme to steal information on 100 million customers of a dozen companies in the United States and use the data to advance stock manipulation activities, illicit online gambling and fraud.
Prosecutors said they uncovered the complex scheme in their investigation of a computer hacking last year at JPMorgan Chase that involved the breach of contact information, such as emails, from 83 million customer accounts.
Before long, investigators had uncovered a trail of 75 shell companies and a hacking scheme in which the three defendants used 30 false passports from 17 different countries. The group’s activity goes back as far as 2007, and it has reaped “hundreds of millions of dollars in illicit proceeds,” some of it hidden in Swiss accounts and other bank accounts, prosecutors said.
The data breaches “were breathtaking in their scope and size,” said Preet Bharara, the United States attorney for the Southern District of New York, at a news conference on Tuesday. The activity, described as a 21st-century twist on tried-and-true criminal activity, unveiled the existence of “a brave new world of hacking for profit,” perhaps signaling the next frontier in securities fraud.
The accused — two Israeli citizens and a United States citizen — face 23 counts of fraud and other illegal activities, according to an indictment unsealed Tuesday that added hacking to manipulation and fraud charges that were filed against the three in July. The charges are the first directly linked to the JPMorgan hack.
Two of the accused, Gery Shalon and Ziv Orenstein, remain in custody awaiting extradition from Israel after being arrested in July. A third defendant, Joshua Aaron, the American, is believed to be in Russia. The Federal Bureau of Investigation has issued a “wanted notice” for him “for his alleged involvement in a scheme to hack major American companies in order to acquire customer contact information.”
A separate indictment on Tuesday outlined seven charges against Anthony Murgio, a Florida man previously accused of running an unlicensed Bitcoin exchange. That exchange was owned by Mr. Shalon, whom prosecutors described Tuesday as the founder and leader of the sprawling criminal enterprise.
Lawyers for the four men could not immediately be reached.
Another man facing fraud charges, Yuri Lebedev, has not been charged with hacking. Mr. Bharara said on Tuesday “there are discussions between the parties.”
Prosecutors charged that the group led by Mr. Shalon hacked seven financial institutions and two newspapers to get contact information with which they could advance their pump-and-dump stock manipulation scheme. They “took the classic stock fraud scheme and brought it into the cyber age,” Mr. Bharara said.
Prosecutors said the group was involved in a broad array of activities, including processing payments for illegal pharmaceutical suppliers, running illegal online casinos and owning an unlicensed Bitcoin exchange.
Nearly all the activities “relied for their success on computer hacking and other cybercrimes,” prosecutors said on Tuesday.
According to the indictment, the three used a rented computer server based in Egypt to try hacking into customer databases at the brokerage firms TD Ameritrade and Fidelity Investments as well as JPMorgan. The ring also gained access to a computer network at what was called “Victim 8,” or Dow Jones, publisher of The Wall Street Journal, containing up to 10 million customer email addresses, prosecutors said.
Separately, federal prosecutors in Atlanta on Tuesday announced charges against Mr. Shalon, Mr. Aaron and an unnamed defendant in the late-2013 attacks on E-Trade Financial Corporation and Scottrade Financial Services, both major online brokers. The 10 charges include aggravated identity theft, computer fraud and wire fraud.
Prosecutors in Atlanta said they had uncovered online chats in which Mr. Shalon and an unnamed hacker discussed their plans to use stolen customer contact information to build their own brokerage database for peddling stocks to investors.
The New York indictment also charges the three men with hacking two software development companies to obtain information to advance their online gambling activities, and they targeted a market intelligence firm to support their card-processing activities.
The men operated at least 12 unlawful Internet casinos and marketed them to customers in the United States through extensive email promotions. The casinos generated “hundreds of millions of dollars in unlawful income,” prosecutors said, at least $1 million in profits a month.
JPMorgan confirmed on Tuesday that it was identified as “Victim 1” in the superseding indictment.
“We appreciate the strong partnership with law enforcement in bringing the criminals to justice,” the bank said in a statement. “As we did here, we continue to cooperate with law enforcement in fighting cybercrime.”
On Tuesday, E-Trade Financial, based in New York, said it was attacked in late 2013 and found no evidence that sensitive financial information had been compromised. It added that contact information for some 31,000 customers may have been exposed.
“Security is a top priority, and we focus a significant amount of time and energy to help keep our customers’ data and information safe and secure,” E-Trade said in a statement.
Fidelity, based in Boston, said, “We have confirmed with the F.B.I. that there is no indication that our customers were affected.”
In a statement, Scottrade said, “We continue to work closely with the authorities by providing any and all information and resources we can to support their investigation and prosecution of the criminals.” Scottrade, based in St. Louis, previously said 4.6 million client accounts were targeted.
Dow Jones said in a statement on Tuesday, “The government’s investigation is ongoing, and we continue to cooperate with law enforcement.”
Hackers offered 200,000 customer passwords for sale online, forcing Comcast to send reset notices to many users. The lesson? We all need to get a lot smarter about Internet security.
In case you needed a reminder: Change your passwords frequently, and use a different password on every website.
I know, it’s annoying. But that’s the takeaway from news that Comcast had to reset passwords on nearly 200,000 customer email accounts.
Here’s the catch. Hackers didn’t breach Comcast’s computers to steal the information. Instead, they created their list of passwords with information stolen from you and me. Sometimes we’re so gullible that hackers can trick us into giving them our password. Then, since we often use the same password everywhere, those hackers have a skeleton key to our lives.
Comcast’s answer was to reset all the passwords for its affected customers, said a spokeswoman for the company. Steve Ragan, a security researcher and blogger, was the first to stumble on the list of passwords.
The good news is there are some smart password habits that can protect you from losing control of your entire online life.
Use complicated passwords
With so much information potentially for sale on the dark side of the Internet, or easily found on your Facebook page, it really isn’t a good idea to make your password the name of your beloved Pomeranian. Randomly generated passwords that use special characters and numbers are best.
There are lots of memory tricks you can use to help you accomplish this, but you should probably just…
Use a password manager
We applaud you if you’ve gotten this far without screaming out, “That’s impossible!” and closing your browser window.
The fact is, few people can memorize complicated, unique passwords for every online account they have. That’s OK.
Fortunately, software developers have come up with an answer. A variety of tools can help you keep track of all your passwords. Two of the most popular password managers are called LastPass and 1Password, both of which can help you use every tip listed here.
Of course, password managers aren’t perfect either. LastPass, which hackers breached a few months ago, was recently purchased by the workplace log-in company LogMeIn. The hackers couldn’t access all the user passwords, but they found the hints that could have let them into some user accounts.
OK, now that you’re using a password manager…
Don’t use the same password for different accounts
If hackers steal your password, they may try it on any number of accounts. You wouldn’t want intruders to get into your bank account just because you used the same password you used for the Harry Potter fan site Pottermore, would you?
What’s more, some websites take security much less seriously than others. For example, some sites email you your password in plain text when you’ve forgotten it. That’s incredibly easy information for a hacker to intercept. Limit risks caused by one site’s laxness by having a unique password for all your accounts.
It’s also a good idea to…
Change your passwords frequently
Once your password gets stolen, it might go up for sale on the Dark Web, that untraceable series of websites where everything from drugs to your health records might be up for grabs.
That’s what happened to the Comcast passwords. A whopping 590,000 were for sale, but luckily only about 200,000 were up to date. That number could have been lower if Comcast users were changing their passwords more frequently.
And if you’re willing to go that extra step, there’s one more thing that’s easy to do…
Use ‘multiple factors’ to log in
As you can see, there’s no way to guarantee that someone won’t steal your password. That’s why you should take advantage of multiple-factor log-ins when available. Plenty of major Web-based companies will let you turn on this feature, which often sends a code to your mobile phone or email account after you take care of factor one by entering your password. Enter the code next (that’s the second factor) and you’re logged in.
Unless hackers have your phone in hand, or access to your email account, only you will be able to log in.
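The second-factor step described above, as an added illustration that is not code from the article or from any provider: after the password (factor one) is accepted, the server issues a short code, delivers it out of band, and verifies what the user types. The delivery channel is replaced by a hypothetical `send_code` callback and the store is an in-memory dict so it runs offline; codes are kept only as keyed hashes, expire, are single-use, and are limited to a handful of guesses.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # length of the code sent to the phone or e-mail
CODE_TTL_SECONDS = 300   # code is useless after five minutes
MAX_ATTEMPTS = 5         # guesses allowed before the code is discarded

# user -> {"hash": bytes, "expires": float, "attempts": int}
# (in-memory stand-in for a real server-side store; constructed for this example)
_pending = {}
# server-side key so a leaked store does not reveal the live codes
_secret_key = secrets.token_bytes(32)


def _hash_code(user, code):
    """Keyed hash binding the code to the user it was issued for."""
    return hmac.new(_secret_key, f"{user}:{code}".encode(), hashlib.sha256).digest()


def issue_code(user, send_code, now=None):
    """Generate a fresh code after the password step succeeded and send it
    through the out-of-band channel (send_code is a hypothetical callback)."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    _pending[user] = {
        "hash": _hash_code(user, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    send_code(user, code)
    return True


def verify_code(user, submitted, now=None):
    """Check the code the user typed as factor two.

    Rejects when nothing is pending, when the code has expired, when too many
    guesses were made (the pending code is discarded so even the right value
    no longer works), or when the value does not match; a match consumes it."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[user]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[user]
        return False
    # constant-time comparison so timing does not leak how many digits matched
    ok = hmac.compare_digest(entry["hash"], _hash_code(user, submitted))
    if ok:
        del _pending[user]  # single use
    return ok


if __name__ == "__main__":
    delivered = {}
    issue_code("alice", lambda u, c: delivered.__setitem__(u, c))
    print("first try with wrong code:", verify_code("alice", "000000"))
    print("try with delivered code:", verify_code("alice", delivered["alice"]))
    print("replay of the same code:", verify_code("alice", delivered["alice"]))
```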
A new piece of Android malware has been revealed by security firm Lookout, and it’s a clever one. The malware in question is a type of trojan adware called Shuanet, which is masquerading as 20,000 different popular apps. Shuanet doesn’t just display ads, though. It also attempts to root any device it is installed on, allowing the malware to survive factory resets.
Shuanet shares a lot of code with several other adware trojans that Lookout has detected recently known as Kemoge and Shedun. What’s interesting about Shuanet is that it doesn’t seek to wreak havoc on an infected device or clog it with other malware. This is adware first and foremost, so the goal is to get people to use their devices and see the ads.
The malware operators are downloading the legitimate Android APKs of popular apps, then integrating Shuanet and reposting them in third-party app stores. The thousands of apps repackaged by Shuanet include the likes of Facebook, Snapchat, NYTimes, WhatsApp, and more. These apps appear to function normally after being installed, so the user might not even realize anything is wrong. Just a few annoying popup ads, but such is the price we pay for living in a connected world, right?
The aspect of Shuanet that is grabbing headlines is that it roots your device, which is sort of true. It certainly tries to root any Android device it is installed on, but according to Lookout, it’s not using any new secret system vulnerabilities. It’s simply a package of older community-developed exploits that enthusiast users install to gain root access for their own enjoyment. If Shuanet successfully roots a phone, it moves the infected app to the system partition, which means it will survive a factory reset. The only way to remove it would be to use a root-enabled file explorer to find and remove the package. That would be tough if you didn’t know which app was the source of the infection.
This isn’t as calamitous as it sounds at first. As we’ve mentioned in the past, there are no universal root exploits on Android, and all of the public exploits included in Shuanet have been patched (for example ExynosAbuse and Framaroot). Thus, a device is only vulnerable if it’s running a rather old version of Android. Notice how the example image provided by Lookout is a Jelly Bean phone? A newer phone wouldn’t be rooted by Shuanet, but the ad features could still work.
It’s still very hard to get infected with Shuanet. You’d have to disable installation protection, ignore the Google security warnings, then manually install one of these apps from a shady third-party app store instead of simply getting it from Google Play. I’m not sure who would do that, but Lookout says it has seen it happening in the wild. It does not provide a figure for the number of infections, though.
Banks warn users of Apple’s Touch ID that storing partners’ or spouses’ fingerprints will be seen as ‘you failing to keep your details safe’
Banks have warned customers that if they store other people’s fingerprints on their iPhones they will be treated as if they have failed to keep their personal details safe.
This means the bank can decline to refund disputed transactions or to help where customers claim they have been victims of fraud.
Extract from the Ts & Cs applying to debit and credit card customers of First Direct. The same terms apply to customers of HSBC
The banks’ position, typically buried in the detail of bank account Ts & Cs, could trip up spouses, couples, parents and children, for example, where multiple fingerprints have been stored on a phone in order for it to be used by other family members.
This is because Touch ID – Apple’s process of storing encrypted fingerprints – works to unlock phones, as well as to authorise payments through Apple Pay.
It comes as growing numbers of consumers embrace Apple Pay to make payments at shops, bars, restaurants and on public transport.
The Apple Pay system was launched in Britain in July.
When the phone is near the payment point, the user’s bank card – which has been previously set up in Apple’s electronic “wallet” – flashes up on the phone screen. The user then authorises the payment by placing his or her registered finger on the phone’s scanner.
The process takes seconds, or even less, and is thought to be highly secure, as payments will only be made where a fingerprint has been scanned and verified.
Most models of iPhone carrying the Touch ID facility allow up to 10 prints to be stored, meaning users have plenty of opportunity to register family members’ prints on their device.
But banks are effectively warning customers that if they want to use Apple Pay, other people’s prints need to be deleted.
Santander, NatWest and Royal Bank of Scotland customers were the first to be able to use their accounts with Apple Pay, with HSBC and First Direct joining later in July, the month the system first became available.
Lloyds, Halifax and Bank of Scotland customers were able to use the service from September.
Barclays, which was the only major UK bank not to partner with Apple Pay, has since announced a collaboration is coming “in the future”.
Lloyds Bank said: “If Touch ID is available on your device, you must ensure you only register your own fingerprints (and not anyone else’s).”
Think that picture you’re about to send is temporary? Think again
The beauty of Snapchat is that the photos only last for a few seconds, unless your friend decides to screenshot them.
Even then, you get a notification, so can know exactly which photos of you are owned by someone else.
However, now, the app has changed its terms and conditions so it owns every single photo taken using the app.
Not only this, but if you use it, you’re consenting to the app doing whatever it likes with your photographs.
This means that the photos people take, thinking they are temporary and private, could appear on Snapchat’s promotional material, on its website or even its social media accounts.
Snapchat has faced controversy before, as it claimed that all the photos sent on the device were automatically deleted from its servers.
This led to a rise in ‘sexting’, where people would send risqué images to one another using the app.
People who did this felt confident that the photos would self-destruct.
However, Snapchat admitted to the FTC that in fact the images are never actually truly deleted from a user’s device, and it is actually possible to recover the images.
The app hasn’t suffered from the scandals, however. It is valued at a reported $16 billion (£10 billion).
Evan Spiegel, the co-founder and chief executive of Snapchat, has spoken about what he thinks the app should be used for.
He said: “Historically photographs have been used to save really important memories, major life moments, but today, with the advent of the mobile phone and the connected camera, pictures are being used for talking.
“Now photographs are really used for talking, that’s why people are taking and sending so many photos on Snapchat.”
When a smartphone connects to a mobile network, it is assigned a temporary number called a TMSI (Temporary Mobile Subscriber Identity). The network then uses this eight-digit number to identify a device, rather than a phone number, to make communication more private.
However, a hacker monitoring radio communications could tie this TMSI to an individual by sending them a Facebook message or WhatsApp chat, both of which trigger a special “paging request” from a network that contains specific location information about a particular TMSI number.
Anybody with a Facebook account can send another user a Facebook message. Unless the two users are friends, this message will end up in Facebook’s “Other” folder, a feature most users do not know about that is only accessible on the social network’s desktop version, but sending a user a message will still trigger a paging request.
Likewise, WhatsApp’s “typing notification” – a feature on the chat app that displays when a contact is composing a message – also triggers the connection. If a hacker has a victim’s phone number, they could send them a message on WhatsApp, and if the victim begins to type a response, the network issues a paging request.
Within these paging requests is location data that, on newer 4G networks, can be used to track users’ locations to an area of 2 km².
Older 2G and 3G networks would place a particular smartphone within a given “tracking area” of around 100 km², representing less of a security issue, but modern 4G networks place them in smaller “cells” of around 2 km², making it much easier to pinpoint a smartphone.
This allows network issues to be better understood, but in this case, gives away more data about smartphone users.
Cells are much more accurate than tracking areas Photo: Aalto University
It is relatively easy to monitor these signals using easily available network hardware, according to the researchers from Aalto University, the University of Helsinki, Technische Universität Berlin and Telekom Innovation Laboratories.
Although TMSIs are supposed to refresh relatively often, in order to protect privacy, they can persist for up to three days, the researchers said.
More aggressive attackers can set up a fake network base station to accurately triangulate users. These stations can request reports from TMSI numbers, typically used in cases of network failure, which can accurately reveal a smartphone’s location. At least one device gave away its GPS co-ordinates after a failure request, the researchers said.
Back in August, the NSA released an updated advisory that was at once interesting and expected: It said that the world had to prepare for the oncoming impact of quantum computers, and the possibility that these devices could render existing computer cryptography almost completely obsolete. They called for the cryptographic community to invest heavily in developing so-called post-quantum cryptographic solutions that could survive this hypothetical watershed invention. And, as you might imagine, this advisory has very nearly driven the internet insane. Now, two security researchers have published a paper compiling all the various theories surrounding this advisory, and trying to make sense of the situation.
Remember that quantum computers have obsessed internet weirdos for as long as the concept has existed. Try really looking into the Deep Web sometime, and you’ll quickly come up against the idea of a quantum deep web, a deep deep deep web, that can only be accessed by/through Illuminati-style quantum networks that, of course, don’t actually exist. Much of this lore is simply gleeful trolling by people who love to mislead noobs, but don’t kid yourself — many of the most entrenched People Of The Internet really do believe this crap.
So, unsurprisingly, now they believe this crap. The biggest issue springs from a single passage (emphasis mine):
For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.
The reason this has surprised so many people is that the NSA has been a long-time supporter of several of what we might call pre-quantum cryptographic solutions, new and highly advanced algorithms that shore up problems with current solutions, but which would probably not be secure in the event of real quantum computing. In particular, NSA has been a booster of Elliptic Curve Cryptography (ECC), which makes this back-pedaling announcement a bit confusing. They’re now saying that ECC is a stopgap solution waiting to be made obsolete by quantum research — but that’s what it’s always been, so what’s changed?
However, while it’s certainly possible that NSA has a secret, super-successful quantum computer behind closed doors, that looks very unlikely at this point. Not only does NSA seem to lack the sheer volume of pure-science research talent that would be necessary to compete with the major, openly admitted research bodies, but the Edward Snowden leaks revealed absolutely no indication that NSA has or soon expects to have access to post-quantum capabilities.
And so, those viewing the situation have slid down to a possible explanation that’s at once more and less realistic: a conventional computer algorithm that can break modern computer encryption through sheer mathematical efficiency. This is more realistic, since it could theoretically come from the mind of just a single brilliant analyst, and thus it could come from the NSA, out of the blue and with no help from the private sector. On the other hand, conventional wisdom in cryptography says that such a classical code-breaking system is impossible with a digital computer.
The fact is that “NSA Has Quantum!” is a bit like the tech-world’s equivalent of “Half Life 3 Confirmed” — it’s basically a joke at this point, but beneath the sarcasm lies an understanding that the cliche does have to come true eventually, even if not for a very, very long time. That’s why both memes have been so long-lived: Quantum computers seem like they will come into existence at some point, so no matter how many times they cry (or hint) wolf, you’ve still got to be wary — every single time.
The Cybersecurity Information Sharing Act, known as CISA, could make it easier for the government to abuse citizens’ civil liberties, opponents say.
In contrast, Minnesota Democrat Al Franken was among the 21 senators voting against CISA and quickly expressed his disappointment. “There is a pressing need for meaningful, effective cybersecurity legislation that balances privacy and security: this bill doesn’t do that,” he said in a statement.
Apple, Twitter and Dropbox declined to comment on the passage of the bill, though they all opposed the bill before its passage.
The vote Tuesday marks the end of a five-year struggle to encourage companies to share information about cyberthreats with the Department of Homeland Security. CISA was first introduced in 2014 but failed to reach the Senate before that session of Congress ended. Two years ago, the Cyber Intelligence Sharing and Protection Act (CISPA) was approved by the House, but died in the Senate.
President Barack Obama said he supports the bill.
High-profile cyberattacks on government agencies and companies such as Sony, United, and Ashley Madison might have prompted the Senate to approve the bill, security experts say.
“With security breaches like T-mobile, Target, and OPM becoming the norm, Congress knows it needs to do something about cybersecurity,” Mark Jaycox of the Electronic Frontier Foundation said in a statement Tuesday. “It chose to do the wrong thing.”
At issue is the fact that CISA allows companies to share information directly with law enforcement and intelligence organizations. Even more troubling, that information can include email, text messages and other data that can identify individuals. Companies are supposed to delete that information before they send it, but there’s always the chance that our “personal identifiers” could still slip through.