Mark Zuckerberg Is the Most Powerful Unelected Man in America

from NYTs On Thursday, Facebook’s chief executive, Mark Zuckerberg, announced the company’s “New Steps to Protect the U.S. Elections.” They include blocking new political ads in the week leading up to Election Day and attaching labels to posts containing misinformation, specifically related to the coronavirus and posts from politicians declaring victory before all the results are counted. One can — and many will — debate just how effective these measures will be at preventing election night chaos during a pandemic. (So far Facebook’s “misleading post” labels are vague to the point of causing additional confusion for voters. Similarly, blocking new […]

Why Online Voting Is Harder Than Online Banking

from ars technica For a feature last week, I talked to a number of election experts and computer security researchers who argued that secure Internet voting isn’t feasible today and probably won’t be for many years to come. A common response to this argument—one that came up in comments to last week’s article—is to compare voting to banking. After all, we regularly use the Internet to move money around the world. Why can’t we use the same techniques to secure online votes? But voting has some unique requirements that make secure online voting a particularly challenging problem. Every electronic transaction in the […]

The Safest Ways to Log In to Your Computer

from Wired Whether your computer runs Windows, macOS, or Chrome OS, you have options for how you log in. And your choice doesn’t only affect how convenient it is for you to get into your laptop or desktop; it also affects how easily someone else can gain access. These are the different login options that are available and that you need to be aware of, so make sure you choose wisely. The right one for you will depend on how your computer is set up and just how cautious you’d like to be.

China’s New Cybersecurity Program: NO Place to Hide

from China Law Blog The Chinese government has been working for several years on a comprehensive Internet security/surveillance program. This program is based on the Cybersecurity Law adopted in 2016. The plan is vast and includes a number of subsidiary laws and regulations. On December 1, 2018, the Chinese Ministry of Public Security announced it will finally roll out the full plan. The core of the plan is for China’s Ministry of Security to fully access the massive amounts of raw data transmitted across Chinese networks and housed on servers in China. Since raw data has little value, the key to […]

Google Play Apps Laden With Ad Malware Were Downloaded By Millions Of Users

from ars technica This week, Symantec Threat Intelligence’s May Ying Tee and Martin Zhang revealed that they had reported a group of 25 malicious Android applications available through the Google Play Store to Google. In total, the applications—which all share a similar code structure used to evade detection during security screening—had been downloaded more than 2.1 million times from the store. The apps, which would conceal themselves on the home screen some time after installation and begin displaying on-screen advertisements even when the applications were closed, have been pulled from the store. But other applications using the same method to […]

Recent Decision: D.C. Circuit Rules That OPM Breach Victims Have Standing to Sue

from Lawfare With data breach incidents on the rise, federal courts are grappling with the issue of standing in class action lawsuits arising from data breaches. As Lawfare has covered previously, there is arguably a circuit split over whether plaintiffs can establish an “injury in fact,” one of three constitutional standing requirements, on the grounds that a breach has put them at a heightened risk of identity theft. In a 2-1 decision this past summer titled In re: U.S. Office of Personnel Management Data Security Breach Litigation, the U.S. Court of Appeals for the D.C. Circuit weighed in on that […]

Encrypted DNS Could Help Close the Biggest Privacy Gap on the Internet. Why Are Some Groups Fighting Against It?

from EFF Thanks to the success of projects like Let’s Encrypt and recent UX changes in the browsers, most page-loads are now encrypted with TLS. But DNS, the system that looks up a site’s IP address when you type the site’s name into your browser, remains unprotected by encryption. Because of this, anyone along the path from your network to your DNS resolver (where domain names are converted to IP addresses) can collect information about which sites you visit. This means that certain eavesdroppers can still profile your online activity by making a list of sites you visited, or a […]

Why You Need a Password Manager. Yes, You.

from NYTs You probably know that it’s not a good idea to use “password” as a password, or your pet’s name, or your birthday. But the worst thing you can do with your passwords — and something that more than 50 percent of people are doing, according to a recent Virginia Tech study — is to reuse the same ones across multiple sites. If even one of those accounts is compromised in a data breach, it doesn’t matter how strong your password is — hackers can easily use it to get into your other accounts. But even though I should […]

Password1, Password2, Password3 No More: Microsoft Drops Password Expiration Rec

from ars technica For many years, Microsoft has published a security baseline configuration: a set of system policies that are a reasonable default for a typical organization. This configuration may be sufficient for some companies, and it represents a good starting point for those corporations that need something stricter. While most of the settings have been unproblematic, one particular decision has long drawn the ire of end-users and helpdesks alike: a 60-day password expiration policy that forces a password change every two months. That reality is no longer: the latest draft for the baseline configuration for Windows 10 version 1903 […]

How Cambridge Analytica Sparked The Great Privacy Awakening

from Wired On October 27, 2012, Facebook CEO Mark Zuckerberg wrote an email to his then-director of product development. For years, Facebook had allowed third-party apps to access data on their users’ unwitting friends, and Zuckerberg was considering whether giving away all that information was risky. In his email, he suggested it was not: “I’m generally skeptical that there is as much data leak strategic risk as you think,” he wrote at the time. “I just can’t think of any instances where that data has leaked from developer to developer and caused a real issue for us.” If Zuckerberg had […]

What Every VPN Provider Is Missing

from Fast Company I don’t know a lot about security, but I do know that when I use public Wi-Fi—whether on my phone, tablet, or laptop—I should be protecting my traffic with a virtual private network. For those unfamiliar with VPNs, the concept is basically that you use a simple piece of software to open up a private channel to a trusted server, through which you route all your browsing, email, uploading, and downloading, etc. A good VPN keeps your identity private, your data secure and helps mask your location, even from the provider of the internet connection you’re using […]

Security in a World of Physically Capable Computers

from Schneier on Security It’s no secret that computers are insecure. Stories like the recent Facebook hack, the Equifax hack and the hacking of government agencies are remarkable for how unremarkable they really are. They might make headlines for a few days, but they’re just the newsworthy tip of a very large iceberg. The risks are about to get worse, because computers are being embedded into physical devices and will affect lives, not just our data. Security is not a problem the market will solve. The government needs to step in and regulate this increasingly dangerous space. The primary reason computers […]

Data Breach At Equifax Prompts A National Class-Action Suit

from WaPo The scenario that personal finance and credit experts feared most about the heist of consumer data from Equifax may already be underway: Criminals are using the stolen information to apply for mortgages, credit cards and student loans, and tapping into bank debit accounts, filing insurance claims and racking up substantial debts, according to a major new class-action suit. The suit pulls together dozens of individual complaints from consumers in all 50 states plus the District and suggests that cybercriminals aren’t wasting time using the Social Security numbers, credit card accounts, driver’s license numbers and other sensitive personal information […]

A Hardware Privacy Monitor for iPhones

from Schneier on Security Andrew “bunnie” Huang and Edward Snowden have designed a hardware device that attaches to an iPhone and monitors it for malicious surveillance activities, even in instances where the phone’s operating system has been compromised. They call it an Introspection Engine, and their use model is a journalist who is concerned about government surveillance: Our introspection engine is designed with the following goals in mind: More here.

Security News This Week: Taser Bets Big on the Surveillance State

from Wired Well, we sent 59 Tomahawk cruise missiles smack into a Syrian airbase this week. But other stuff happened too! The week started off with some clever hack revelations, including a backdoor that Russians have used for two decades, and an ATM hack that just takes a drill hole and $15 worth of gear. And some particularly industrious hackers took over a Brazilian bank’s entire online footprint for a few hours. Spies got their own cool new app that you can’t play with. Top-secret iOS spyware popped up on Android too. And drones are behaving badly again. Then there’s the […]

How Apple and Amazon Security Flaws Led to My Epic Hacking

from Wired In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook. In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave […]

No Business Too Small to Be Hacked

from NYTs Just as the holiday shopping season neared, a toy company, Rokenbok Education, was navigating a nightmare situation: Its database files had been infected by malware. Online criminals had encrypted company files, making them unusable, and were demanding a hefty ransom to unlock the data. Rokenbok, a California-based company that uses building blocks and even robotics to teach children how to think like engineers, lost thousands of dollars in sales in two days. Rokenbok’s founder and executive director, Paul Eichen, was already struggling to adapt his seven-employee company to a fast-changing toy world. Even worse, the malware attack was not […]

Google Adopts Single Sign-On For More Desktop, Mobile Apps

from Infoworld Google is expanding its identity service to provide single sign-on for more desktop and mobile applications. With enhanced OpenID Connect Identity Provider support, Google Apps administrators will be able to add single sign-on capabilities to mobile apps and to SaaS apps available through the Google Apps Marketplace, said Shashank Gupta, product manager for Google Apps for Work. Google also added support for Security Assertion Markup Language (SAML) 2.0 for popular SaaS providers and made it easier for administrators to add custom SAML app integrations. Organizations are increasingly adopting single sign-on because it improves corporate application security. Employees don’t […]

Think Your Email’s Private? Think Again

from TED Sending an email message is like sending a postcard, says scientist Andy Yen in this thought-provoking talk: Anyone can read it. Yet encryption, the technology that protects the privacy of email communication, does exist. It’s just that until now it has been difficult to install and a hassle to use. Showing a demo of an email program he designed with colleagues at CERN, Yen argues that encryption can be made simple to the point of becoming the default option, providing true email privacy to all.