Categories
Crypto Privacy Security

HTTPS for all: Let’s Encrypt reaches one billion certificates issued

Let’s Encrypt, the Internet Security Research Group’s free certificate signing authority, issued its first certificate a little over four years ago. Today, it issued its billionth.

The ISRG’s goal for Let’s Encrypt is to bring the Web up to a 100% encryption rate. When Let’s Encrypt launched in 2015, the idea was pretty outré—at that time, a bit more than a third of all Web traffic was encrypted, with the rest being plain text HTTP. There were significant barriers to HTTPS adoption—for one thing, it cost money. But more importantly, it cost a significant amount of time and human effort, both of which are in limited supply.

Let’s Encrypt solved the money barrier by offering its services free of charge. More importantly, by establishing a stable protocol to access them, it enabled the Electronic Frontier Foundation to build and provide Certbot, an open source, free-to-use tool that automates the process of obtaining certificates, installing them, configuring webservers to use them, and automatically renewing them.

Full Article: https://arstechnica.com/gadgets/2020/02/lets-encrypt-issued-its-billionth-certificate-today/

Categories
Crypto Security

Android malware can steal Google Authenticator 2FA codes

Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that’s used as a two-factor authentication (2FA) layer for many online accounts.

Google launched the Authenticator mobile app in 2010. The app works by generating six- to eight-digit unique codes that users must enter in login forms while trying to access online accounts.

Google launched Authenticator as an alternative to SMS-based one-time passcodes. Because Google Authenticator codes are generated on a user’s smartphone and never travel through insecure mobile networks, online accounts that use Authenticator codes as 2FA layers are considered more secure than those protected by SMS-based codes.

Full article: https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/

Categories
Privacy Security

Facebook sues SDK maker for secretly harvesting user data

Data analytics firm OneAudience allegedly paid app developers to include its SDK in their code so it could harvest data from Facebook users.

Facebook today filed a federal lawsuit in a California court against OneAudience, a New Jersey-based data analytics firm.

The social networking giant claims that OneAudience paid app developers to install its Software Development Kit (SDK) in their apps, and later used the control it had over the SDK’s code to harvest data on Facebook users.

According to court documents obtained by ZDNet, the SDK was embedded in shopping, gaming, and utility-type apps, some of which were made available through the official Google Play Store.

“After a user installed one of these apps on their device, the malicious SDK enabled OneAudience to collect information about the user from their device and their Facebook, Google, or Twitter accounts, in instances where the user logged into the app using those accounts,” the complaint reads.

Full article here: https://www.zdnet.com/article/facebook-sues-sdk-maker-for-secretly-harvesting-user-data/

Categories
Messaging Privacy Security

Reddit CEO: TikTok is ‘fundamentally parasitic’

TikTok is one of the hottest social media platforms but the CEO of Reddit had some harsh words for the popular app, calling it “fundamentally parasitic” at an event Wednesday.

The comments from Reddit CEO and co-founder Steve Huffman were some of the more controversial offered up during a panel discussion with former public policy exec Elliot Schrage and former Facebook VP of Product Sam Lessin. During a brief conversation about the feature innovations of TikTok, Huffman pushed back hard on the notion that Silicon Valley startups had something to learn from the app.

“Maybe I’m going to regret this, but I can’t even get to that level of thinking with them,” Huffman said. “Because I look at that app as so fundamentally parasitic, that it’s always listening, the fingerprinting technology they use is truly terrifying, and I could not bring myself to install an app like that on my phone.”

Full article here: https://techcrunch.com/2020/02/26/reddit-ceo-tiktok-is-fundamentally-parasitic/

Categories
Privacy Security

Clearview AI Reports Breach of Customer List

Facial recognition company Clearview AI notified customers that an intruder had gained “unauthorized access” to its entire list of customers, The Daily Beast reports.

Clearview gained widespread attention in recent weeks after a wave of media coverage, starting with The New York Times in January. The company stands out from others due to its use of a database of over 3 billion photos the firm constructed by scraping images from Facebook, Twitter, Instagram, and other social networks and websites.

Clearview sells its product to law enforcement clients, particularly in the U.S. The company’s app allows a customer to point their phone’s camera at a subject, or upload a photo into the system. Then, the system provides links to other photos and related social media profiles of the suspected person online.

Full article here: https://www.vice.com/en_us/article/bvgyqa/clearview-ai-customer-list-data-breach-hacked

Categories
Security

Flaw in billions of Wi-Fi devices left communications open to eavesdropping

SAN FRANCISCO — Billions of devices—many of them already patched—are affected by a Wi-Fi vulnerability that allows nearby attackers to decrypt sensitive data sent over the air, researchers said on Wednesday at the RSA security conference.

Manufacturers have made patches available for most or all of the affected devices, but it’s not clear how many devices have installed the patches. Of greatest concern are vulnerable wireless routers, which often go unpatched indefinitely.

Full article here: https://arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/

Categories
Open Source Security

Internal Docs Show Why the U.S. Military Publishes North Korean and Russian Malware

A previously secret document obtained by Motherboard shows how, and why, CYBERCOM is publicly releasing malware from adversaries.

Newly released and previously secret documents explain in greater detail how, and why, a section of the U.S. military decides to publicly release a steady stream of adversarial countries’ malware, including hacking tools from North Korea and Russia. Cyber Command, or CYBERCOM, publishes the malware samples onto VirusTotal, a semi-public repository that researchers and defenders can then pore over to make systems more secure.

Full Article here: https://www.vice.com/en_us/article/5dmwyx/documents-how-cybercom-publishes-russian-north-korean-malware-virustotal

Categories
Open Source Privacy Security

Firefox to enable DNS-over-HTTPS by default to US users

Mozilla will bring its new DNS-over-HTTPS security feature to all Firefox users in the U.S. by default in the coming weeks, the browser maker has confirmed.

It follows a year-long effort to test the new security feature, which aims to make browsing the web more secure and private.

Whenever you visit a website — even if it’s HTTPS enabled — the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can’t be intercepted or hijacked in order to send a user to a malicious site.

Full Article at https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/

Categories
Privacy Security

How schools are using kids’ phones to track and surveil them

Teachers often lament that phones can be a distraction in classrooms. Some governments have even banned phones outright in schools. But a few school administrations see phones in schools as a benefit because they can help keep track of students more efficiently.

At least 10 schools across the US have installed radio frequency scanners, which pick up on the Wi-Fi and Bluetooth signals from students’ phones and track them with accuracy down to about one meter (just over three feet), said Nadir Ali, CEO of indoor data tracking company Inpixon. 

Full article here: https://www.cnet.com/news/how-schools-are-using-kids-phones-to-track-and-surveil-them/

Categories
Messaging Privacy Security

Google search is showing invitations to private WhatsApp groups

Your private WhatsApp group might not be as private as you’d like. DW journalist Jordan Wildon has noticed that Google is indexing at least some WhatsApp group invitations in its search, making it possible to slip into groups that owners might not want to be public. While many of these are fairly innocuous, some include sensitive data. Motherboard discovered one group apparently aimed at UN-accredited non-governmental organizations where it was possible to see the list of all 48 participants, including their phone numbers.

Full article here: https://www.yahoo.com/now/2020-02-21-google-indexes-whatsapp-group-invitations.html

Categories
Cloud Compliance Privacy

UK Google users could lose EU GDPR data protections

Google is to move the data and user accounts of its British users from the EU to the US, placing them outside the strong privacy protections offered by European regulators.

The shift, prompted by Britain’s exit from the EU, will leave the sensitive personal information of tens of millions not covered by Europe’s world-leading General Data Protection Regulation (GDPR) and therefore with less protection and within easier reach of British law enforcement.

Full article here: https://www.theguardian.com/technology/2020/feb/20/uk-google-users-to-lose-eu-gdpr-data-protections-brexit

Categories
Messaging Privacy Security

Elon Musk trashes WhatsApp as coming with ‘a free phone hack’

Elon Musk has some thoughts about WhatsApp.

Specifically, the Tesla CEO thinks the Facebook-owned messaging app is a hackable piece of garbage. He made that much clear in a Thursday morning tweet that both highlighted a new emoji and pointed out that the WhatsApp-specific version comes with a not-so-special bonus. 

“New emoji,” wrote Musk. “Last one comes with free phone hack.”

Full article at https://mashable.com/article/elon-musk-whatsapp-emoji-hack/?europe=true