Saturday, October 21, 2017

Tag: Twitter

For the second time in as many months, Twitter is trying to secure itself and its users with a new log-in verification system. Twitter is aiming to improve security for its users with an improved two-factor log-...
For almost as long as there have been Web browsers, there have been Web browser mechanisms to help users store passwords for the sites they visit.

The benefit of the password managers is ease of use for users, but inevitably in my experience, at one point or another, those browser-based password management systems fail in some way. The latest browser to feel the wrath of users about a (possibly) insecure browser password manager is Google's Chrome. Web developer Elliott Kember blogged this week about what he called "Chrome's insane password security strategy." The basic complaint that Kember has is that the passwords can be viewed by the user in clear text that is not encrypted or hidden in any real sophisticated manner. Kember's complaint made it onto the popular Hacker News site, where Justin Schuh, the Chrome browser security tech lead, responded in a somewhat unexpected manner. "The only strong permission boundary for your password storage is the OS user account," Schuh commented. "So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater." As it turns out, Chrome's own FAQ provides an even clearer response as to why Google isn't worried about Kember's issue with the Chrome password manager. The Google Chrome FAQ states: "...

There is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your computer as you, or who can run software with the privileges of your operating system user account. ... Such an attacker has total control over your computer, and nothing Chrome can do would provide a serious guarantee of defense.

This problem is not special to Chrome—all applications must trust the physically-local user." On that point I agree with Google, and that's also why I have long advised anyone who will listen to avoid the use of browser-based password management systems. Chrome's current "issue" (whether or not it is a real issue is debatable) isn't the first time and it won't be the last time that browser password management systems are found to be lacking, though it is an issue I personally have not seen pop up all that much in the last six years or so. Back in 2007, when we were only at Firefox (the most recent release is Firefox 23—time flies!), a security researcher argued with Mozilla over password manager flaws in the open-source browser. Those issues eventually were fixed, but the root concern still exists in my opinion—namely, that keeping passwords in your browser relies on your underlying operating system to be secure, which is not always a given. So what should you do? I know it's a pain and I might seem like a Luddite for suggesting this, but just DON'T keep passwords in ANY browser management system. Inevitably there is a risk. We can debate what that risk is, but rest assured there is a risk. Instead, keep passwords outside of the browser, perhaps even on a piece of paper (I know, but paper is a backup that doesn't rely on electrical power).

The browser is our conduit to the Web around us, and I would argue that it is the most valuable target on any of our computing devices.

The cliché saying is to not put all your eggs in one basket, and it's a truth that applies to using a browser to keep all your information in as well. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Microsoft Research is collecting data about the usage of Twitter hashtags via a new bot.
Huawei is absolutely a threat and the U.S. has "hard evidence," former CIA and NSA head General Michael Hayden told an Australian newspaper. Chinese telecom provider Huawei represents an unambiguous national security threat to the United States and Australia, Gen. Michael Hayden, the former director of the National Security Agency (NSA) and the Central Intelligence Agency (CIA) and now a security consultant and director of Motorola Solutions, told the Australian Financial Review, according to a July 19 report. In his first in-depth, on-the-record interview since leaving the CIA in 2009, Hayden said that despite Huawei's best efforts to ease his concerns, "God did not make enough briefing slides on Huawei to convince me that having them involved in our critical communications infrastructure was going to be okay." This judgment, he said, was based not on prejudice but a "four-decade career as an intelligence officer." Unable to give specifics, Hayden offered, "I recognize the danger of implants and backdoors in telecommunications networks. Beyond that, just a foreign firm gaining the intimate knowledge they would get by helping build a telecommunications network is a sufficient 'first principles' national security problem to give you serious pause before you even consider the presence of backdoors." When asked to confirm that hard evidence exists that Huawei has spied on behalf of the Chinese government, Hayden said, "Yes." "At a minimum," he continued, "Huawei would have shared with the Chinese state intimate and extensive knowledge of the foreign telecommunications systems it is involved with." He added that China targets some companies as "national champions," and Huawei falls into that category. "As an intelligence professional," he continued, "I stand back in awe at the breadth, depth, sophistication and persistence of the Chinese espionage campaign against the West."

The U.S. House Intelligence Committee released a paper in October 2012, following a nearly yearlong investigation, warning that Huawei and ZTE posed a national security risk and their telecommunications equipment shouldn't be used in critical infrastructure systems. Huawei, which was founded by a former People's Liberation Army officer, aggressively disputed those claims, as well as Hayden's comments. John Suffolk, Huawei's global cyber security officer, told Reuters in a statement that he is tired of "unsubstantiated, defamatory remarks" and those with so-called evidence should present it. "Huawei meets the communication needs of more than a third of the planet and our customers have the right to know what these unsubstantiated concerns are," Suffolk said in his statement. "It's time to put up or shut up." The U.S. government also does its share of spying on the Chinese, as documents revealed by NSA whistle-blower Edward Snowden revealed.

According to the South China Morning Post, Snowden said that the NSA hacks Chinese cell phone companies to read the SMS (short message service) data of Chinese citizens. "I fully admit: We steal other countries' secrets. And frankly, we're quite good at it," said Hayden. "But the reason we steal these secrets is to keep our citizens free and to keep them safe. We don't steal secrets to make our citizens rich. Yet, this is exactly what the Chinese do." He added, later in the interview, "I don't think China is an enemy of the United States. There is no good reason for China to be an enemy. There are logical, non-heroic policy choices available to the leaders of both nations that will allow the relationship to remain competitive, if occasionally confrontational."

Follow Michelle Maisto on Twitter.
Oracle's July Critical Patch Update includes 89 patches, which seems like a lot. Is it? Unlike Microsoft, which provides its users with a monthly regular patch cycle, Oracle uses a quarterly Critical Patch Update (CPU) approach. The July CPU is now out, and it's a big one. It provides no less than 89 security fixes across a wide swath of Oracle products including database, Fusion Middleware, MySQL, Oracle VM and Solaris. The update does not include any new fixes for Oracle's much-maligned Java, which is currently patched on a separate cycle. Oracle plans to align its scheduled Java patch release cycle with the CPU starting in October. Oracle's namesake database received six patches this CPU, only one of which is remotely exploitable without authentication. Oracle's open source MySQL database didn't fare quite as well, with a total of 18 new security flaws, two of which are classified as remotely exploitable without authentication. Oracle got the MySQL technology as part of its acquisition of Sun in 2010, though Oracle classifies other Sun technologies in the CPU under the title of the Sun Systems Products Suite. That suite includes the Solaris UNIX operating system that received a total of 16 new security fixes, with eight reported as being remotely exploitable without authentication. The Fusion middleware suite is tagged for 21 fixes, with 16 of those being remotely exploitable without authentication. Fusion is Java middleware and includes the JRockit Java Virtual Machine.

The flaws in the July CPU include a number of issues that Oracle already patched in its June Java CPU. Oracle patched 40 different issues as part of that update. "With the inclusion of Java in the normal Critical Patch Update schedule starting in October 2013, the release of JRockit and Java security fixes will be integrated," Eric Maurice, director, Oracle Software Security Assurance wrote in a blog post.

Too Many Vulnerabilities?

The overall number of vulnerabilities, as well as the method by which those vulnerabilities were found, is a cause for concern, according to Tripwire security researcher Craig Young. "The constant drumbeat of critical Oracle patches is more than a little alarming, particularly because the vulnerabilities are frequently reported by third parties who presumably do not have access to full source code," Young said. "This month's CPU credits 18 different researchers coming from more than a dozen different companies." Young added that it's also noteworthy that every Oracle CPU release this year has plugged dozens of vulnerabilities. "By my count, Oracle has already acknowledged and fixed 343 security issues in 2013," Young said. "In case there was any doubt, this should be a big red flag to end users that Oracle's security practices are simply not working." Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.
Even Hova himself said of the privacy problems: "sux must do better."
Twitter is the latest major web service to beef up its security two-factor authentication (2FA). The security feature is a pretty simple and effective approach - and one the notorious Mega kingpin Kim Dotcom claims today to have invented back in the '90s. Two-factor auth is a simple process for verifying that the user accessing a service is legitimate. A random code...
Security-watchers don't appear overly impressed with Twitter's introduction of two-factor authentication (2FA) to its service. While some infosec experts welcomed the move, others argued that while it might help protect the accounts of individuals, it is ill-suited to the safeguarding of shared accounts of organisations - many of which have fallen victim to recent hijacking attacks. On 22 May, users of...
Saudi telecom seeks help monitoring encrypted Twitter data according to e-mails.
There's an old adage that on the internet, nobody knows you're a dog. It's been previously used to demonstrate that it's hard, if not impossible at times, to determine whether someone really is who they say they are — be it man, woman, or dog — but it equally applies to hackers. Although offline, it's easy enough to connect with someone's day-to-day personality, it doesn't offer any insight into who they are and how they act online. Let's face it, as much as Hollywood might lead us to believe that hackers gain their street cred from hacking via sophisticated 3D-modelled file systems, or that two people typing on one keyboard doubles a computer's hacking abilities, the more boring reality is that it's mostly done by typing commands into a terminal shell (and I don't mean "access security"). Just as image is everything for some people offline, so too is it online. It's why sites like Zone-H exist, showcasing what websites online attackers have defaced.

And just like in the offline world, many will take credit for others' work, make up successful attacks, or twist simple attacks into what seem like nobler causes. Which is what may have happened with the Commonwealth Bank of Australia (CBA) recently.

A hacking group going by the name LatinHackTeamReborn, presumably trading off the name of the former LatinHackTeam group, claimed to have breached CBA's UK site. It posted the alleged email addresses, hashed passwords, and names of users on the site, stating that it made its attack by "rerouting after attacking the firewall", and that it was "striking back after what you did to us". The only problem is, it's not CBA's data. "We have done a thorough investigation, and we can confirm that no Commonwealth Bank systems have been hacked and no customer data has been compromised.

The CBA customer information is safe and secure," a spokesperson for the bank told us. It's clear from the leaked data that it's not banking information. CBA uses numerical codes for its online banking system, not email addresses, and the passwords, while hashed, were done using MD5 with no salt.

If such a method of securing passwords was used on a live banking system, it would certainly raise eyebrows, but CBA denies that it belongs to it. But the email addresses do appear to be valid, and, worryingly, of a UK and Australian nature. It's not unheard of for a hacked organisation to lie to the media, and for the information to actually be from a lesser-known and not mission-critical system (we might as well throw "developed by a third party" in here as well). But, digging deeper, I'd be more inclined to trust CBA's word. That's not just because of the damage to its reputation should it be proved that it lied, but because it would really mean trusting a hacker group that only created its Twitter account a few hours prior to the attack, which for some reason decided to include the #stopglobalwarning (yes, warning) hashtag in its attack, and opted for the cryptic, Hollywood-esque method of "rerouting" after attacking a firewall. Wherever this data came from, it didn't happen by picking different routes. It most likely resulted from improper access to a database, probably by using SQL injection. And what has CBA got to do with whatever happened to LatinHackTeam anyway? Nothing, as far as I can tell. It's a bank — and hackers breaking into banks is a sure-fire way to improve your image and gain credibility. Which is probably why the hacking group also claimed to have attacked the Bank of Israel. That would be a significant feat itself; only the email addresses, hashed passwords, and organisations named have nothing to do with the Bank of Israel.

They are actually from leaks posted by others, on previously compromised websites; in this case, the Ontario Imported Wine-Spirit-Beer Association. It runs its site off WordPress, which, if not maintained to the current version, is an easy target for even the most novice attackers, thanks to the wealth of information freely available online. Most of the time, impersonators are going to get away with it because there are few consequences for being named and shamed, and fewer who have the time or inclination to do it ("Bank not hacked" is not a headline, after all).
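The two tells the article uses to judge the leak (email addresses instead of numeric customer IDs, and bare unsalted MD5 digests) can be applied mechanically when triaging a claimed dump. The script below is an added example, not code from the article or from CBA; the dump rows it builds are constructed, and the verdict field and `triage_dump` helper are hypothetical names chosen here.

```python
import hashlib
import re
from collections import Counter

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")

def build_sample_dump():
    """Constructed sample of a claimed bank dump in email:hash form.
    Two accounts share a password, the tell for unsalted hashing."""
    rows = [
        ("alice@example.co.uk", hashlib.md5(b"password").hexdigest()),
        ("bob@example.com.au", hashlib.md5(b"password").hexdigest()),
        ("carol@example.org", hashlib.md5(b"123456").hexdigest()),
    ]
    return "\n".join(f"{ident}:{digest}" for ident, digest in rows)

def triage_dump(text):
    """Apply the article's checks: identifier type and hash format."""
    idents, digests = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ident, _, digest = line.partition(":")
        idents.append(ident.strip())
        digests.append(digest.strip())
    email_ids = sum(1 for i in idents if EMAIL_RE.match(i))
    numeric_ids = sum(1 for i in idents if i.isdigit())
    md5_sized = sum(1 for d in digests if HEX32_RE.match(d))
    # With a per-user salt, two users sharing a password hash differently;
    # identical digests across accounts mean no salt was used.
    dupes = sum(c - 1 for c in Counter(digests).values() if c > 1)
    findings = []
    if idents and email_ids == len(idents):
        findings.append("identifiers are email addresses, not numeric IDs")
    if digests and md5_sized == len(digests):
        findings.append("every hash is a bare 32-hex digest (MD5-sized)")
    if dupes:
        findings.append(f"{dupes} duplicate digest(s): no per-user salt")
    return {
        "accounts": len(idents), "email_ids": email_ids,
        "numeric_ids": numeric_ids, "md5_sized": md5_sized,
        "duplicate_digests": dupes, "findings": findings,
        "consistent_with_bank_claim": not findings,
    }
```

A dump with numeric IDs and salted hashes (bcrypt-style strings, for instance) raises none of the flags, which is the shape you would expect from a real banking system.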

Even when it does happen, this is the internet, where creating a new alter ego is as simple as a few clicks, and a teenager, or an industry veteran, can be born again as a political greenie against global warning, a freedom fighter, a North Korean official, or perhaps all of them at once. It's true that on the internet, nobody knows if you're a dog, but also, most times nobody knows you're really a dog pretending to be some sort of bank-robbing hacker.