Hacking & Security

Incensing critics, Google engineer ends push for crypto-only setting in Allo

Ars Technica - 20 May, 2016 - 23:30

(credit: Yuri Samoilov)

A co-leader on Google's product security team has waved a piece of red meat in front of already frothing privacy advocates by deleting part of a blog post saying he wished the Allo messenger app the company announced Wednesday would provide end-to-end encryption by default.

To critics, the deletion by Thai Duong amounted to tacit admission that his employer was willfully choosing to leave messages sent by the vast number of Allo users open to government surveillance. The critics have argued that because end-to-end encryption will be turned off by default and turned on only in an incognito mode, most users will never avail themselves of the protection.

In a blog post published shortly after Wednesday's announcement, Duong said the move would benefit people who want their messages to be processed by an artificial intelligence agent that would offer auto-replies based on the content of the messages. A built-in digital assistant, for instance, might automatically suggest nearby restaurants or available movies when parties are making plans, but only if the encryption feature is turned off. Then Duong went on to say something that he later deleted from the post:


Instagram Patches Brute-Force Authentication Flaws

Threatpost - 20 May, 2016 - 21:15
Facebook paid researcher Arne Swinnen a $5,000 bounty for a pair of authentication vulnerabilities in Instagram that enabled brute-force attacks against usernames and passwords.

Google Chrome provokes browser backspace security controversy

Sophos Naked Security - 20 May, 2016 - 19:56
Who'd have thought that [Backspace] had its own fan club?

Evolving the Safe Browsing API

Google Security Blog - 20 May, 2016 - 19:00
Posted by Emily Schechter and Alex Wozniak, Safe Browsing Team 

We're excited to announce the launch of the new Safe Browsing API version 4. Version 4 replaces the existing Safe Browsing API version 3. With the launch of v4, we’re now starting the deprecation process for v2-3: please transition off of these older Safe Browsing protocol versions as soon as possible and onto protocol version 4.

Safe Browsing protects well over two billion internet-connected devices from threats like malware and phishing, and has done so for over a decade. We launched v1 of the Safe Browsing API in 2007 to give developers a simple mechanism to access Google’s lists of suspected unsafe sites.

The web has evolved since then and users are now increasingly using the web from their mobile devices. These devices have constraints less common to traditional desktop computing environments: mobile devices have very limited power and network bandwidth, and often poor quality of service. Additionally, cellular data costs our users money, so we have a responsibility to use it judiciously.

With protocol version 4, we’ve optimized for this new environment with a clear focus on maximizing protection per bit, which benefits all Safe Browsing users, mobile and desktop alike. Version 4 clients can now define constraints such as geographic location, platform type, and data caps to use bandwidth and device resources as efficiently as possible. This allows us to function well within the much stricter mobile constraints without sacrificing protection.

We’ve been using the new protocol since December via the Safe Browsing client on Android, which is part of Google Play Services. The first app to use the client is Chrome, starting with version 46: we’re already protecting hundreds of millions of Android Chrome users by default.

We’ve Done Most Of The Work For You Already

A single device should only have a single, up-to-date instance of Safe Browsing data, so we’re taking care of that for all Android developers. Please don’t implement your own Version 4 client on Android: we’re working on making a simple, device-local API available to prevent any resource waste on device. We’ll announce the availability of this new device-local API as soon as possible; in the meantime, there’s no need to develop a Version 4 client on your own. For those who operate in less resource-constrained environments, using the Safe Browsing Version 4 API directly allows you to:

  • Check pages against the Safe Browsing lists based on platform and threat types.
  • Warn users before they click links that may lead to infected pages.
  • Prevent users from posting links to known infected pages.

To make Safe Browsing integration as simple as possible, we’re also releasing a reference client implementation of the new API today, written in Go. It also provides a Safe Browsing HTTP proxy server, which supports JSON.

It’s easy to start protecting users with the new Version 4 of the Safe Browsing API. Sign up for a key and let us know what you think!

Google Allo a Clash of Privacy and Functionality

Threatpost - 20 May, 2016 - 18:39
Google Allo has an end-to-end encryption capability powered by Signal, but it's not turned on by default because it would interfere with an artificial intelligence powering Google Assistant.

LinkedIn Slams Breach Data Reseller With Cease and Desist Order

Threatpost - 20 May, 2016 - 18:35
LinkedIn is striking back against websites that are attempting to monetize the 117 million usernames and passwords stolen from the company as part of a 2012 data breach.

Threatpost News Wrap, May 20, 2016

Threatpost - 20 May, 2016 - 17:46
Mike Mimoso and Chris Brook discuss the news of the week, including a big LinkedIn breach, TeslaCrypt closing up shop, and a breakthrough in random number generation. The two also recap this week's Source Conference in Boston.

This wristband gives you an electric shock when you overspend

Sophos Naked Security - 20 May, 2016 - 17:30
Nothing like a 255-volt shock to snap you out of a shopping splurge.

Facebook Sued for Illegally Scanning Users' Private Messages

The Hacker News - 20 May, 2016 - 15:21
Facebook is in trouble once again regarding its users' privacy. Facebook is facing a class-action lawsuit in Northern California over allegations that the company systematically scans its users' private messages on the social network without their consent and makes a profit by sharing the data with advertisers and marketers. According to the lawsuit filing, Facebook might

Test Lab V8: Recon and Dev-test

InfoSec Institute Resources - 20 May, 2016 - 14:00

This is the last part of our Test Lab solutions. In this article we are going to find two tokens, from the Recon and Dev-test systems. Recon is not a system in the network; we will find this token through DNS reconnaissance. Attacking Recon: we started with a zone transfer on both gateway IPs: […]


Actor sues Facebook after ex-girlfriend sends nude pics to fake profile

Sophos Naked Security - 20 May, 2016 - 13:05
The "John Doe" behind the imposter account allegedly friended Vincent Gallo's real friends and acquaintances, and pretended to be the actor for online sex chats and to lure Los Angeles women to meet in person.

The FBI uses a hole for surveillance that is apparently also in Firefox. Mozilla wants to know the bug, but failed even in court

Zive.cz - security - 20 May, 2016 - 12:56
  • There may be a serious security hole in Firefox, and the FBI knows about it
  • Mozilla demands that the FBI disclose the information
  • The court ruled that the FBI does not have to provide the information

Published personal data on 70,000 OkCupid users taken down after DMCA order

Sophos Naked Security - 20 May, 2016 - 12:20
They got the "highly identifiable" data with a scraper, without permission of users whose kinks, location and more were exposed.

Google has a new patent. When its smart car hits a pedestrian, it sticks them to the hood

Zive.cz - security - 20 May, 2016 - 11:58
Google has been granted a new patent that differs somewhat from its previous ones: it describes a technology meant to save a pedestrian struck by its autonomous vehicle. The front hood should have a special adhesive surface, so that when a person ends up in front of the car and the robot can no longer brake in time, the pedestrian ...

Everything We Know About How the FBI Hacks People

LinuxSecurity.com - 20 May, 2016 - 11:32
LinuxSecurity.com: Recent headlines warn that the government now has greater authority to hack your computers, in and outside the US. Changes to federal criminal court procedures known as Rule 41 are to blame; they vastly expand how and whom the FBI can legally hack. But just like the NSA's hacking operations, FBI hacking isn't new.

Hacker fans give Mr. Robot website free security checkup

LinuxSecurity.com - 20 May, 2016 - 11:30
LinuxSecurity.com: The USA Network show Mr. Robot has drawn a good deal of praise for its accurate (relative to other TV shows) portrayal of hacking and computer security. So, naturally, the site for the show has drawn a slightly different sort of adoring fan: "white hat" hackers looking for security holes.

Hidden Microphones Exposed As Part of Government Surveillance Program In The Bay Area

LinuxSecurity.com - 20 May, 2016 - 11:26
LinuxSecurity.com: Hidden microphones that are part of a clandestine government surveillance program operating around the Bay Area have been exposed. Imagine standing at a bus stop, talking to your friend and having your conversation recorded without your knowledge. It happens all the time, and the FBI doesn't even need a warrant to do it.

LinkedIn hurriedly changes passwords. Four years after the attack

Novinky.cz - security - 20 May, 2016 - 08:54
The tens of millions of usernames and passwords that a hacker is offering for sale on the internet are, by all indications, genuine. Representatives of the professional network LinkedIn have begun hurriedly resetting users' passwords, even though the attack took place four years ago.

Foul-mouthed worm takes control of wireless ISPs around the globe

Ars Technica - 19 May, 2016 - 22:14

(credit: Rockydallas)

ISPs around the world are being attacked by self-replicating malware that can take complete control of widely used wireless networking equipment, according to reports from customers and a security researcher who is following the ongoing campaign.

San Jose, California-based Ubiquiti Networks confirmed on Friday that attackers are actively targeting a flaw in AirOS, the Linux-based firmware that runs the wireless routers, access points, and other gear sold by the company. The vulnerability, which allows attackers to gain access to the devices over HTTP and HTTPS connections without authenticating themselves, was patched last July, but the fix wasn't widely installed. Many customers claimed they never received notification of the threat.

Nico Waisman, a researcher at security firm Immunity, said he knows of two Argentina-based ISPs that went dark for two days after being hit by the worm. He said he's seen credible reports of ISPs in Spain and Brazil being infected by the same malware and that it's likely that ISPs in the US and elsewhere were also hit, since the exploit has no geographic restrictions. Once successful, the exploit he examined replaces the password files of an infected device and then scans the network it's on for other vulnerable gear. After a certain amount of time, the worm resets infected devices to their factory default configurations, with the exception of leaving behind a backdoor account, and then disappears. Ubiquiti officials have said there are at least two variations, so it's possible that other strains behave differently.


Hacker Steals Money from Bank and Donates $11,000 to Anti-ISIS Group

The Hacker News - 19 May, 2016 - 22:06
Meet this Robin Hood hacker: Phineas Fisher, who breached Hacking Team last year, revealed on Reddit Wednesday that he hacked a bank and donated the money to Kurdish anti-capitalists in the Rojava autonomous region in northern Syria, which borders territory held by ISIS (the Islamic State militant group). Fisher, also known as "Hack Back" and "@GammaGroupPR," claimed responsibility