
Tag: sexy

Don’t get too hung up on sexy high-end military tech, MoD...

Department must do more to attract sci and tech innovators

The Ministry of Defence needs to stop reflexively demanding rights to its suppliers' intellectual property if it is to attract more private sector tech innovators, according to the Royal United Services Institute.…

Brit military scolded for being too selfish with sexy high-end tech

Armed forces must do more to attract innovators and put an end to demanding blueprints

The UK Ministry of Defence needs to stop reflexively demanding rights to its suppliers' intellectual property if it is to attract more private sector tech innovators, according to the Royal United Services Institute.…

How to pwn phones with shady replacement parts

Broke your screen? Avoid dodgy repair shops – your private sexy selfies will thank you later

A group of researchers has shown how, for instance, a repair shop could siphon data from Android handsets or infect them with malware with nothing more than a screen repair.…

Destiny 2 PC premiere impressions: Strike harder at 4K/60 FPS

Plus, see the game's first revealed Strike mission captured on PlayStation 4.

At last, a new movie that’s as beautiful and insane as...

Stop everything and watch trailer for Valerian and the City of a Thousand Planets.

Zero-days? Sexy, sure, but crap passwords and phishing are probably more...

Security experts poke holes in RAND vulnerability study

A new study from RAND Corporation concluded that zero-day vulnerabilities – security flaws that developers haven't got around to patching or aren't aware of – have an average life expectancy of 6.9 years.…

Americans’ sex lives have gone limp—lovemaking fell ~15% since the ’90s

Decline linked to more singletons and less frisky married couples.

How hackers made life hell for a CIA boss and other...

A North Carolina man has pleaded guilty to a conspiracy that illegally accessed the e-mail and social media accounts of Central Intelligence Director John Brennan and other senior government officials and then used that access to leak sensitive information and make personal threats. Justin Gray Liverman, 24, of Morehead City, North Carolina, pleaded guilty to conspiracy to violate the Computer Fraud and Abuse Act, commit identity theft, and make harassing, anonymous phone calls, federal prosecutors said Friday.

Among the 10 people targeted in the conspiracy were Brennan; then-Deputy FBI Director Mark Giuliano; National Intelligence Director James R. Clapper; Greg Mecher, the husband of White House Communication Director Jen Psaki; and other government officials.

The group called itself Crackas with Attitude, and it was led by a co-conspirator going by the name of Cracka. "She talks mad shit abt snowden," Liverman said on December 10, 2015 in an online chat with Cracka, referring to a target who is believed to be Psaki, according to a statement of facts signed by Liverman and filed in US District Court for the Eastern District of Virginia. (The document refers to Mecher and Psaki as Victim 3 and the spouse of Victim 3 respectively.) "If you come across anything related to [Victim 3's spouse] let me know.
If you find her cell or home number omg gimme." Liverman went on to say he wanted to "phonebomb the shitt [sic] outta" Psaki. The statement of facts shows Liverman discussing other intrusions with Cracka.

After getting a cellphone number Cracka had unlawfully obtained from a breached online account belonging to Victim 2, Liverman dialed it to make sure it belonged to the government official, whose real-world identity couldn't be immediately confirmed by Ars. Liverman "then paid an online service to automatically dial Victim 2's phone number once an hour, for 30 days, and leave a threatening recorded message." Liverman later sent text messages to the cellphone that read in part: "We will keep a close eye on your family, especially your son." The message included a photo of the son that had been unlawfully obtained from one of Victim 2's compromised accounts.

That same day, Liverman publicly posted the cellphone number to pseudonymous Facebook and Twitter accounts and wrote: "This line will be active for only 24hrs, so call/sms it if you want to talk to me ... i also accept sexy nudes lol." Two days later Liverman told Cracka: "if we could get [Victim 2] swatted that would be amazing." Swatting is the term for falsely reporting violent crimes in progress to emergency responders in an attempt to elicit a response from special weapons and tactics police officers. Cracka used Victim 2's official credentials to gain unauthorized access to the Law Enforcement Enterprise Portal, an online database that's supposed to be available only to law enforcement officials.

At Liverman's request, Cracka used his access to obtain a list of more than 80 police officers and law enforcement employees in the Miami area. On January 6, 2016, Liverman posted the list online. The group allegedly also published a 47-page security clearance questionnaire containing highly personal information, which Brennan completed to obtain his post.

Around the same time, the group published a separate spreadsheet containing the personal data of 29,000 FBI and DHS employees.

A day later, a group member allegedly presented evidence showing it had hijacked accounts belonging to Clapper. According to an affidavit filed in September, the group didn't rely on computer hacking to break into restricted accounts.
Instead, members used social engineering in which they impersonated their targets and various IT support personnel purporting to help the victims. On October 11, 2015, one of the suspects allegedly accessed the account belonging to Brennan by posing as a technician from Verizon.

The suspect then tricked another Verizon employee into resetting the password for Brennan's Internet service. Prosecutors said the suspects went on to take over a Brennan AOL account. The group allegedly used similar techniques to access other accounts.

The affidavit said another group member appeared to gain access to a law enforcement database by calling an FBI help desk and asking that Giuliano's password be reset. Now, Liverman faces a maximum possible sentence of five years in prison at sentencing, which is scheduled for May 12. The statement of facts filed with Friday's guilty plea offers a window into the depravity and viciousness that motivates so many online intrusions.

The perpetrators often succeed not through any technical skill but rather by making fraudulent phone calls that carefully exploit weaknesses in various companies' customer support services.
It's not the first time social engineering has exacted such a high price, and sadly, it likely won't be the last.

LogMeOnce Password Management Suite Ultimate 5.2

When you can get a seriously full-featured, security-conscious password manager for free, what would entice you to pay? How about even more features, and no limits on existing features? LogMeOnce Password Management Suite Ultimate 5.2 pulls out all the stops, removing limits on the number of shares and beneficiaries, and adding advanced features that include anti-theft and an unusual selfie-based two-factor authentication system. A few quirks in its mobile editions are still being ironed out, but overall, it's a feature-packed password powerhouse.

At $39 per year, LogMeOnce Ultimate costs the same as Dashlane 4.0. Sticky Password goes for $29.99 per year, and LastPass for just $12. But this big, sprawling utility has a ton of features, including some I haven't seen in any competing product.

The free edition doesn't impose any limits on the number of saved passwords, or of synced devices. If you're interested in the product but not sure if you want to pay for it, go ahead and install the free edition, and familiarize yourself with its impressive capabilities. You can upgrade to Ultimate any time the free edition's limits begin to chafe.

Shared Features

The free LogMeOnce Password Management Suite Premium 5.2 is loaded with features, enough that it outperforms many competing products that aren't free. I'll summarize its capabilities here, or you can read my full review of the free edition for more details.

LogMeOnce runs strictly as a browser extension, so it's not limited to a specific platform. If your browser supports extensions, you can use it on Windows, macOS, or even Linux. There are also apps for Android and iOS.

Just about every password manager starts off by asking you to define a strong master password, something that you can remember but that nobody could guess. LogMeOnce now offers password-less authentication as its default. To set this up, you pair your smartphone or mobile device with your LogMeOnce account. Now when you log in on your desktop, you verify when prompted on the mobile device, using a PIN, a fingerprint, or what the company calls PhotoLogin.

Those who've upgraded to Ultimate get more information along with the request for PIN, fingerprint, or PhotoLogin. Swipe left to see the requester's email address, GPS location, IP address, and more, or swipe right to view the location on a map. If you get an unexpected login request, this data may help you figure out who's trolling you.

For PhotoLogin, LogMeOnce snaps a photo with the webcam and sends it to the device. You simply verify that the photo is what you expected. If the computer has no webcam, you can compare a visual one-time password that's sent along with the photo. It's also possible to use PhotoLogin on the mobile device itself, but this isn't quite as secure. It involves you verifying that you are seeing the photo you just snapped; it's a bit self-referential. When I mentioned this to the developers, they quickly modified on-device PhotoLogin to also require entering a PIN.

The free edition captures logins (which it calls applications) as you enter them, and offers to play back your saved credentials when you revisit the site. It also includes a catalog of almost 4,500 known websites. Choose one of these and you can be sure that LogMeOnce will handle it, even if it uses a non-standard login page. However, if you somehow manage to find an oddball login that's not in the catalog, you can't just capture all form fields the way you do with LastPass or Sticky Password Premium. Clicking the browser toolbar button displays all your saved websites. Clicking one of them navigates to the site and logs in.

The password generator defaults to creating 15-character passwords, using all character sets, which yields a very tough password. It also rates any password you type, estimating how long it would take to crack. By default, you must change your master password every three months, without re-using previous passwords. Those using Ultimate can change the password expiry time, in a range from one month to one year.
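The generator and rating behaviour described above (15 characters drawn from all character sets, plus an estimate of how long a typed password would take to crack) is easy to reproduce. The block below is an added example and is not LogMeOnce's code; it uses the standard charset-entropy method (length × log2 of the size of the character classes present) and an assumed offline guessing rate of 10 billion guesses per second, both of which are the author's assumptions rather than anything the review states. Note that charset entropy overestimates the strength of dictionary-derived passwords, which is why a generator-made random string rates far higher than a human-chosen one of similar length.

```python
import math
import secrets
import string

# The four character classes a "use all character sets" generator draws from.
ALPHABET = (string.ascii_lowercase + string.ascii_uppercase
            + string.digits + string.punctuation)  # 26 + 26 + 10 + 32 = 94 symbols

# Assumed offline guess rate for the crack-time estimate (a constructed figure,
# not a number from the review).
GUESSES_PER_SECOND = 1e10


def generate_password(length=15, alphabet=ALPHABET):
    """Draw each character independently from the CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def charset_size(password):
    """Size of the alphabet an attacker must assume, given the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += 32
    return size


def estimate_entropy_bits(password):
    """Charset entropy: every position could be any symbol of the detected alphabet."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def crack_time_seconds(password, guesses_per_second=GUESSES_PER_SECOND):
    """Expected seconds to hit the password after searching half the keyspace."""
    return (2 ** estimate_entropy_bits(password)) / 2 / guesses_per_second


def rate(password):
    """Coarse label of the kind a password manager shows next to a typed password."""
    bits = estimate_entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    if bits < 80:
        return "strong"
    return "very strong"


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", generate_password()):
        print(f"{pw!r}: {estimate_entropy_bits(pw):.1f} bits, "
              f"{rate(pw)}, ~{crack_time_seconds(pw):,.0f} s to crack")
```

A 15-character password over all 94 symbols comes out at about 98 bits, which at the assumed rate is far beyond any feasible offline search; the same function rates an eight-letter lowercase word at under 40 bits, crackable in seconds.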

You can use Google Authenticator, or a workalike such as Duo Mobile or Twilio Authy, for two-factor authentication. Other options in the free edition include receiving a one-time passcode via email, SMS, or voice call. In an unusual move, LogMeOnce charges two credits for each SMS authentication and four credits for each voice call. Those using Ultimate get an allowance of 50 credits per month, with the option to purchase more, $10 for 1,000 credits. I'll cover the Ultimate edition's additional two-factor options below.

An interesting feature called Mugshot gives you a look at anyone who tries to log in on a lost or stolen phone. On any failed login attempt, it snaps photos with the front and rear cameras and sends them to your online dashboard, along with the device's GPS location and IP address. Using this information, you may be able to locate and recover the device. Upgrading to Ultimate gets you a more complete anti-theft system.

LogMeOnce stores personal, address, phone, and company data, for use in filling Web forms. You can save multiple instances of each data type. New since my last review, it also saves and fills credit card data. Like Dashlane, it helpfully displays the saved cards as images, using the color and bank name you specified. It doesn't have the flexibility of form-filling whiz RoboForm Everywhere 7, but it does the job.

Like LastPass and Dashlane, LogMeOnce can display a list of all your passwords, with a strength rating for each, and a flag for any duplicates. In addition, its report page offers several other views on your security, some of which aren't functional in the free edition. If you find you've got weak or duplicate passwords, just click the link next to each one to go change it. For many popular websites, LogMeOnce can even automate the password change process, something few competing products manage.

LogMeOnce includes the ability to securely share passwords with other users. You can choose whether the recipient gets to see the shared password, or just to use it for logging in. There's also an option to define a beneficiary who will receive either your whole account or a specific password in the event of your death. The free edition allows one whole-account beneficiary, five password beneficiaries, and five shared passwords. In the Ultimate edition, there are no such limits.

A productivity dock along the bottom of the screen displays a baker's dozen of live icons that expand when you mouse over them. You can use these icons to quickly reach important features like mugshot or security scorecard. That is, you can if you've paid for the product. Those using the free edition just get a reminder that the productivity dock is only for paid users.

Selfie Two-Factor Authentication

Upgrading to Ultimate unlocks several additional options for two-factor authentication, the most unusual of which is Selfie-2FA. It works like this. You log in to the browser extension, either with the default password-less authentication or a master password. LogMeOnce snaps a webcam photo and sends it to the mobile device you've specified for Selfie-2FA. If the received photo matches what you expected, you simply tap to authorize. MasterCard is exploring a similar type of selfie-based authentication.

What if you're using a desktop device with no webcam? In this case, LogMeOnce sends a generic image with a visual one-time password at the bottom. If the OTP on your mobile device matches the one on your browser, you simply tap to authorize. It's less tech-sexy than using a selfie, but it totally works.

My LogMeOnce contact pointed out that you can make it even harder for an attacker to beat this system by being unpredictable. Just keep changing which of your devices is the one authorized to respond to Selfie-2FA.

Those who've paid for the program can prepare a USB flash drive for use as a physical second authentication factor. There's also an option to add an X.509 Certificate as an authentication factor, but this is more logical in a business setting.

You can enable as many of the two-factor options as you wish, and log in using whichever is logical at the time. For example, if you're logging in on a mobile device with no socket for your USB authentication key, you could opt to receive a code via SMS or email, or get a code from Google Authenticator. True Key by Intel Security also offers multiple authentication options, but goes further by letting you require more than just two of them for authentication.

Device Management and Anti-Theft

The free edition receives the GPS location of any failed login attempt, but the paid edition lets you check device location whenever you like. The Device Map page in the Security section displays the location of all your registered devices. Clicking on a device gets you more information, along with a button that remotely logs out of any active LogMeOnce session on the device.

The separate Device Management page lists all the devices you've configured for use with LogMeOnce. If you've lost or replaced a device, you can remove it from the list, thereby disconnecting it from your account. You can flip a switch to define whether each mobile device can accept password-less login requests.

When you select a device from the list, other actions become available. You can send a request to locate a mobile device. A Details tab displays a huge amount of information for iOS devices, quite a bit less for Android devices. However, for Android devices only, you can view a list of installed apps.

The Commands tab appears for both Android and iOS devices, but the available commands differ. You can remotely cause an Android smartphone to ring at top volume, handy in case you've simply misplaced it, and you can lock it remotely using the system lockscreen. You can even change the lockscreen password remotely before locking it down.

On both Android and iOS, you can send a message, perhaps something like, "I've seen your mugshot, phone thief, and I'm coming for you!" But don't get too excited about this feature. Unless you've enabled viewing notifications on the device's lockscreen, the only way a phone thief could read the message would be by logging in to LogMeOnce, which shouldn't be possible.

That brings me to the final command, available on iOS and Android, the Kill-Pill. This dramatically named feature simply wipes all personal LogMeOnce data. I sent the Kill-Pill command to my Apple iPad Air and watched as LogMeOnce reverted to the initial setup screen, with no sign of my email address or any other configuration data. Oddly, sending the same command to my Nexus 9 never worked; it timed out repeatedly in my testing. My company contact confirmed that while the feature works on most Android devices, it doesn't yet work on a Nexus 9. Gotta love Android fragmentation!

Using a trusted mobile device as part of the authentication process is becoming more and more common. Like LogMeOnce in password-less mode, oneID skips the master password in favor of device-based authentication. You can configure True Key to use other forms of authentication, including a trusted device, in place of a master password. But LogMeOnce is the only product I've seen that adds anti-theft features to protect the security of that trusted device. It's a smart move.

Enhanced Reporting

Even the free edition of LogMeOnce lists all your passwords ordered by strength, rates your total security status, and displays what it calls a hybrid identity score. If you've paid, you also get an overall password strength rating, with a breakdown of statistics such as the number of passwords of at least 15 characters, and the number that contain at least one of each character type.

The Live PasswordTracker chart is another paid-only feature. It takes two weeks to get a baseline for reporting, so I didn't see its full capabilities. For starters, it charts a solid line that's your overall password strength each day. If you're using the product correctly, that line should only go up. It also charts what the company calls a heartbeat line. Solid line segments represent days that you used LogMeOnce, dotted segments days that you did not. The line's height above the axis is based on the strength of the passwords you used on that day. The purpose of the chart is to encourage you in proper password hygiene, replacing weak passwords with strong ones and always relying on the password manager to keep track.

A Few Oddities

In testing the free edition, I glossed over the few little quirks I ran into, given the fantastic features that you get for free. Running into those same quirks—and a few new ones—in the paid edition, I'm slightly less forgiving.

LogMeOnce is a work in progress, in a good way. While working on this review, I confused the PhotoLogin feature with what was then called Photo-2FA. Overnight, the developers renamed it to Selfie-2FA, to avoid confusion. Because I mused about the possibility of an unauthorized person picking up a phone that was left unlocked, they changed the local-only PhotoLogin to also require PIN entry. This is an agile team, indeed.

On the other hand, I also ran into some oddities that aren't yet fixed. I couldn't make the Kill-Pill personal data erasure work on my Android device. To use Selfie-2FA from my all-in-one desktop PC, I had to crank the webcam brightness to the max, so high that Skype images appeared washed out. On an iPad, the iOS edition runs in the dated 2x mode, just a blown-up version of the iPhone edition. And even though a paid account should be ad-free, the "Go ad-free" link still appears, and I saw ads on some mobile screens. Pending updates for the Android and iOS apps should fix at least some of these oddities. Overall, though, this utility's breadth of features and its inclusion of innovative, security-focused features overshadows these few quirks.

Passwords Plus

LogMeOnce Password Management Suite Ultimate takes the vast feature set of the free LogMeOnce password manager and kicks it up to the next level. I haven't seen another product offering selfie-based two-factor authentication, or a built-in anti-theft system. It lacks the ability to manage passwords for applications, but it checks just about every other box. On the flip side, you get almost all of these features in the free edition, and for some the vast array of features may prove off-putting.

LastPass Premium comes the closest to matching LogMeOnce's breadth of functionality, though with the latest edition LogMeOnce has taken a significant lead. For those who are more into simplicity and ease than a prodigious number of features, Dashlane 4 does everything you could want, with flair. LogMeOnce joins these two as an Editors' Choice for commercial password managers.


‘Toyota dealer stole my wife’s saucy snaps from phone, emailed them...

Texas pastor and spouse sue automaker, sales boss cuffed

A Texas couple is suing Toyota and one of its car dealerships after one of its staff allegedly stole saucy snaps off their cellphone and emailed them to a swingers website. Last year, pastor Tim Gautreaux and his wife Claire were shopping for a Toyota Prius at a nearby car dealership in Grapevine, Texas.

To expedite the sale, Gautreaux had documents already approving him for a loan for the vehicle stored on his smartphone, and claims the salesman asked to show the device to his manager. The phone was out of the couple's sight for about five minutes, they say, but when the pastor got it back he saw that an image was on the top screen – one of a couple of sexy snaps he'd taken of his wife as she was getting into and out of the bath. Subsequent investigation showed that the pictures had been emailed to an account at a website for swingers, the couple claims, and they called the police. Matthew Luke Thomas, the dealership's sales director, was arrested last month and charged with allegedly breaching a computer's security, a class B misdemeanor. Thomas is out on bail. Meanwhile, the Gautreauxs have now hired high-powered human rights lawyer Gloria Allred and are suing Thomas, Texas Toyota of Grapevine and Toyota Motor North America, claiming [PDF] breach of contract, intrusion, negligence and public disclosure of private facts.

The couple took their case to the Dallas County court on December 1, claiming the photos were swiped in January 2015, and have asked for more than a million bucks in relief. "Undoubtedly this is not the first time that this has happened," Allred claimed during a news conference on Thursday, the Dallas Morning News reports. "But we hope the public awareness will help to put a stop to it." ®

Password reset warrior arrested for popping 1050 student accounts

And once he was in, this creep searched for sexy emails

An Arizona man has been arrested for hacking 1050 email accounts at two United States universities, plus attempts to do so at some 75 other educational institutions. Jonathan Powell, 29, is alleged to have used password reset features to change logins for some 1050 accounts at the universities before breaching connected social media accounts for the likes of Facebook, LinkedIn and Google. Reuters reports Powell searched email accounts for embarrassing content using the keywords 'horny' and 'naked'. New York's Pace University contacted the Federal Bureau of Investigation after finding password change attempts for 2054 accounts since October last year. The hacker is alleged to have changed passwords for 15 accounts held by Pennsylvania University from some 220 attempts. The university has taken down its password reset page as of the time of writing. It is unknown if Pace University's login system had some form of security vulnerability that afforded the exceptionally high, near 50 percent, password reset hit rate. Ordinary brute force password guessing would yield a vastly higher ratio of password attempts to successful resets, well exceeding Powell's alleged success. His alleged 2054 password attempts should have set off a variety of alarms at the university, which appear to have been absent or unmonitored. ®
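The closing point of the story, that thousands of reset attempts should have tripped an alarm, is a detection problem a defender can solve with a few lines of log analysis. The block below is an added example, not code from The Register or from either university: it parses constructed password-reset log lines in an assumed `reset_request user=... src=... result=...` format (no real institution's format), flags any source that requests resets for many distinct accounts inside a short window, and reports the per-source success ratio, since an unusually high reset hit rate is itself a signal that something other than guessing is going on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical password-reset service.
# One source walks through six accounts in fifteen seconds; two others are ordinary users.
SAMPLE_LOG = """\
2016-10-03T09:00:01Z reset_request user=alice@example.edu src=203.0.113.5 result=fail
2016-10-03T09:00:04Z reset_request user=bob@example.edu src=203.0.113.5 result=fail
2016-10-03T09:00:07Z reset_request user=carol@example.edu src=203.0.113.5 result=success
2016-10-03T09:00:09Z reset_request user=dave@example.edu src=203.0.113.5 result=fail
2016-10-03T09:00:12Z reset_request user=erin@example.edu src=203.0.113.5 result=success
2016-10-03T09:00:15Z reset_request user=frank@example.edu src=203.0.113.5 result=fail
2016-10-03T09:30:00Z reset_request user=grace@example.edu src=198.51.100.7 result=success
2016-10-03T11:00:00Z reset_request user=heidi@example.edu src=198.51.100.9 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reset_request user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Turn matching log lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def reset_burst_alerts(events, window=timedelta(minutes=10), max_accounts=3):
    """Flag sources that request resets for more than max_accounts distinct
    accounts within a sliding time window. A real user resets one account,
    maybe two; many distinct accounts from one source in minutes is reset abuse."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until every event in [start, end] fits the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {e["user"] for e in span}
            if len(distinct) > max_accounts:
                info = {
                    "accounts": len(distinct),
                    "attempts": len(span),
                    "successes": sum(1 for e in span if e["result"] == "success"),
                    "window_start": span[0]["ts"],
                }
                # Keep the widest window seen for this source.
                if src not in alerts or info["accounts"] > alerts[src]["accounts"]:
                    alerts[src] = info
    return alerts


def reset_success_ratio(events):
    """Successful resets divided by attempts, per source."""
    attempts, successes = defaultdict(int), defaultdict(int)
    for e in events:
        attempts[e["src"]] += 1
        if e["result"] == "success":
            successes[e["src"]] += 1
    return {src: successes[src] / attempts[src] for src in attempts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, info in reset_burst_alerts(evs).items():
        print(f"ALERT {src}: {info['accounts']} accounts, {info['attempts']} attempts, "
              f"{info['successes']} successes from {info['window_start']:%H:%M:%S}")
    for src, ratio in reset_success_ratio(evs).items():
        print(f"{src}: success ratio {ratio:.2f}")
```

The thresholds (ten minutes, three accounts) are deliberately low for a self-service reset endpoint, where the legitimate per-source rate is tiny; tune them against a baseline of the service's real traffic before alerting on them, and treat a high success ratio on a flagged source as a reason to look at the reset flow itself, not just the client.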

Wave your false flags!

Download the full report (PDF)

As a new VirusBulletin is upon us, it’s once again time to deep dive into interesting topics in anti-malware research.

This time around, we’ve chosen to focus on attribution in APT research, its methods and complications, and how intermediate-to-advanced attackers are already manipulating attribution indicators in an attempt to mislead researchers and squander limited incident response resources.

False flags and deception tactics have always been discussed as possibilities in this space, but we wanted to put out a wealth of examples to advance the conversation. Our hope is that we can further the dialogue regarding attribution to involve more nuanced and daunting questions that have yet to be conclusively addressed. When reading some of the examples, keep in mind that this was written back in February to submit to the VirusBulletin call for papers.

At the time, deception techniques were a topic discussed in private between researchers, but never publicly substantiated.
Since then, events over the summer have made this topic commonplace to the infosec community, if still a matter of contention and skepticism.

The paper is extensive (but not exhaustive) and we hope that those of you interested in the subject will take some time to go through the reasoning and examples.

The following are some takeaways we hope will pique your interest and get a dialogue going regarding the nuances of attribution as it’s currently being done:

There’s nothing straightforward about ‘whodunnit’

From the perspective of threat intelligence producers, there exist complications regarding attribution and its practical purpose.

As any honest anti-malware company should admit, no institution has complete or perfect visibility into the activities of any threat actor.

Different companies see different fragments; different types of service providers complement that visibility with other types of data.

This is a research space rewarded by cooperation and data exchanges.

As such, when attempting to describe the activities of a threat actor, it’s difficult to suggest that a single threat intelligence product can stand as the exhaustive final chapter on any of the threat actors we investigate, much less provide a definitive picture of their identity, activities, and resources. The true value of a threat intelligence product is its actionable potential: its ability to help detect and mitigate attacks, to provide clear avenues for proactive defense and improved defensive posture against a persistent and shadowy adversary, and to provide understanding to institutions and individuals outmatched and outwitted by the top dogs of the cyber espionage space.

And even then, we have to consider that when it comes to wide dissemination of this information for the benefit of the public, it’s not just victims that are reading threat intelligence products.

As our paper sets out to demonstrate, attackers too are keenly consuming threat intelligence research, learning from researcher methods as well as other APT groups and incorporating that information to better their own operations.

What can attribution do for you?

Threat Intelligence has come a long way in the last five years or so, and with that, more and more attribution is being done publicly by companies selling this as a product.

Before that, attribution was only really done within governments and kept private or classified.

These days, journalists and commentators are after the ‘sexy’ part of the story and are heavily focused on the “who” and not the “why”. While we are not arguing for or against companies performing attribution and publicly sharing their discoveries, we do pose some questions around how deep attribution really needs to go based on the role of the organization defended and its ability to take action.

For governments, the most fidelity is justifiably needed, especially when the outcome of the attribution results in diplomatic sanctions, offensive operations, or demarches.

But for a private company consuming threat intelligence, is that level of attribution really needed to protect that organization against these attacks? We hope the paper proves thought-provoking to threat intelligence producers and consumers alike, aligning needs and expectations, and preparing the infosec community for increasingly deceptive and manipulative interactions with our adversaries.