Here’s an amusing account of what you can do with an Instagram post of former Australian Prime Minister Tony Abbott’s boarding pass. It’s a little scary just how easy some systems are to exploit. Not that we ever would, of course.
WFH = working from home. An abbreviation I hadn’t heard of until recently. It seems we’re all at it. Well, not all of us.
The great Zoom divide: How working from home is a privilege – New Statesman
Supporting the WFH and self-isolating economy is an army of factory and warehouse workers who are now busier than ever. There is much awareness and respect, rightfully, for medical staff who are at the frontlines of fighting Covid-19 – but what about those on the industrial frontlines? Who is protecting them? How can we keep essential supplies and functions running without exposing these workers to health risks? Is that even possible?
Avoiding Coronavirus may be a luxury some workers can’t afford – New York Times
For many workers, being sick means choosing between staying home and getting paid. One-quarter of workers have no access to paid sick days, according to Labor Department data: two-thirds of the lowest earners but just 6 percent of the highest earners. Just a handful of states and local governments have passed sick leave laws. Only 60 percent of workers in service occupations can take paid time off when they are ill — and they are also more likely than white-collar workers to come in contact with other people’s bodies or food.
Stykka designs a temporary workstation so you’ll stay the f*** home – Design Milk
When Denmark ordered people to stay home, Stykka got creative knowing many people had to share workspaces at home with their families or had to use the dining table. They challenged themselves to use only cardboard, zip ties, and a laser cutter, and in less than 24 hours, they not only had a prototype but they were ready to ship the desks out. Once received, the desk takes less than 10 minutes to assemble.
Don’t mute, get a better headset – Matt Mullenweg
When you’re speaking to a muted room, it’s eerie and unnatural — you feel alone even if you can see other people’s faces. You lose all of those spontaneous reactions that keep a conversation flowing. If you ask someone a question, or they want to jump in, they have to wait to unmute. I also don’t love the “unmute to raise your hand” behavior, as it lends itself to meetings where people are just waiting their turn to speak instead of truly listening.
As population works from home, Walmart reports increased sales for tops but not pants – CBS News
Men’s fashion brand Suitsupply is getting in on both sides of the trend. The company recently posted a photo on Instagram of a model wearing a button-down, tie and blazer on top — and nothing but underwear on the bottom. “Working from home doesn’t mean compromising on style. Keep your look professional—from the waist up at least,” the brand wrote. Scrolling through the Instagram post leads to a picture that says, “Off-camera?” before featuring the same model, this time wearing a sweatshirt.
Zoom announces 90-day feature freeze to fix privacy and security issues – The Verge
Zoom has never shared user numbers before, but Yuan reveals that back in December the company had a maximum of 10 million daily users. “In March this year, we reached more than 200 million daily meeting participants, both free and paid,” says Yuan. That’s a huge increase that has seen people use Zoom for reasons nobody expected before the coronavirus pandemic.
Security and privacy implications of Zoom – Schneier on Security
In general, Zoom’s problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations. […] Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure. Now that it’s in the spotlight, it’s all coming out.
Automated tool can find 100 Zoom meeting IDs per hour – The Verge
In addition to being able to find around 100 meetings per hour, one instance of zWarDial can successfully determine a legitimate meeting ID 14 percent of the time, Lo told Krebs on Security. And as part of the nearly 2,400 upcoming or recurring Zoom meetings zWarDial found in a single day of scanning, the program extracted a meeting’s Zoom link, date and time, meeting organizer, and meeting topic, according to data Lo shared with Krebs on Security.
Cyber attacks, like the one that left government workers in Alaska resorting to typewriters, seem increasingly common. But just how easy is it to set up such a scheme and hold organisations to ransom like that? In what reads like a cross between a heist movie and an episode of the IT Crowd, Drake Bennett from Bloomberg gives it a go.
I used dark web ransomware to sabotage my boss – Bloomberg
These days, prospective attackers don’t have to create their own ransomware; they can buy it. If they don’t really know how to use it, they can subscribe to services, complete with customer support, that will help coordinate attacks for them. … In the public imagination, hackers are Mephistophelian savants. But they don’t have to be, not with ransomware. “You could be Joe Schmo, just buying this stuff up,” says Christopher Elisan, director of intelligence at the cybersecurity firm Flashpoint, “and you could start a ransomware business out of it.”
You could even be a liberal-arts-educated writer with a primitive, cargo-cult understanding of how an iPhone or the internet work, who regularly finds himself at the elbow of his office’s tech-support whiz, asking, again, how to find the shared drive. In other words, you could be me. But could you really? I didn’t start out on this article planning to try my hand at ransomware. A few weeks in, though, it occurred to me that if someone like me could pull off a digital heist, it would function as a sort of hacking Turing test, proof that cybercrime had advanced to the point where software-aided ignorance would be indistinguishable from true skill. As a journalist, I’ve spent years writing about people who do things that I, if called upon, couldn’t do myself. Here was my chance to be the man in the arena.
Just be careful, OK?
- Danger of clicking email links & attachments – Sentinel Computers
- Don’t click on strange links: 6 tips to avoid phishing attacks – Forbes
- How to spot a link you shouldn’t click on – Gizmodo
- Why you can’t get infected just by opening an email (anymore) – How-To Geek
- Why just opening a spam email could open the door for fraudsters – Love Money
It’s 2019 and we’re still having a problem with passwords.
The Disney+ hack shows why you need to up your password game – Wired UK
Although it can still be referred to as a ‘hack’, it wasn’t Disney’s servers that were compromised – but its customers.
“What hackers do is they have a huge list of previously stolen username and password combinations and they use hacking tools to automatically check those username and password combinations against the target website,” says Andrew Martin, CEO of DynaRisk, a cybersecurity company. “They throw hundreds of millions of account details at them, and they see what sticks.”
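The attack Martin describes leaves a recognisable footprint in authentication logs: one source trying many different usernames, mostly failing, with the odd success where a reused password “sticks”. As an added example (not code from the Wired article or from DynaRisk), here is a small per-source-IP detector run over a handful of constructed log lines in an assumed `ip=… user=… result=…` format; the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample log lines, not real data: 203.0.113.5 sprays six
# different accounts and gets one hit; 198.51.100.7 is a single user
# mistyping their own password before getting it right.
SAMPLE_LOG = """\
2019-11-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-11-20T10:00:01Z ip=203.0.113.5 user=bob result=FAIL
2019-11-20T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-11-20T10:00:02Z ip=203.0.113.5 user=dave result=OK
2019-11-20T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-11-20T10:00:03Z ip=203.0.113.5 user=frank result=FAIL
2019-11-20T10:00:09Z ip=198.51.100.7 user=grace result=FAIL
2019-11-20T10:00:15Z ip=198.51.100.7 user=grace result=FAIL
2019-11-20T10:00:20Z ip=198.51.100.7 user=grace result=OK
"""

# Assumed log format (key=value fields); adapt the pattern to your own logs.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse(log_text):
    """Yield (ip, user, result) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")


def detect_credential_stuffing(log_text, min_failures=5, min_distinct_users=5):
    """Flag source IPs that fail often across many *different* accounts.

    A legitimate user retrying their own password fails repeatedly on one
    username; a stuffing run fails across many. Returns a dict mapping each
    flagged IP to the sorted list of usernames it logged into successfully,
    i.e. the accounts whose reused passwords have just been confirmed and
    should be reset and notified.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "successes": set()})
    for ip, user, result in parse(log_text):
        s = stats[ip]
        s["users"].add(user)
        if result == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].add(user)

    flagged = {}
    for ip, s in stats.items():
        if s["failures"] >= min_failures and len(s["users"]) >= min_distinct_users:
            flagged[ip] = sorted(s["successes"])
    return flagged


if __name__ == "__main__":
    for ip, hit_accounts in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; compromised accounts: {hit_accounts}")
```

The per-IP heuristic catches the noisy case only. A campaign spread across a proxy network looks like many IPs each failing once or twice, so in practice you also watch the site-wide ratio of failed to successful logins against a baseline, and check submitted passwords against a breach corpus such as the Pwned Passwords list at registration and login.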
Here’s some essential digital literacy advice that should be a compulsory part of every school’s curriculum. And every company’s induction programme.
The ultimate guide to passwords in 2019 – Fleetsmith
Putting to rest some of the most persistent falsehoods about passwords and what it takes to come up with strong passwords and practice good password security in 2019.
The main points:
- How long should my password be? 10 characters long, minimum, but make it as long as possible. Length is the most important factor to strength.
- Does my password need special characters to be strong? Nope.
- Does my password need numbers to be strong? Nope.
- What about switching numbers for letters (1337 speak)? This does nothing.
- How often should I change my password? Only change it if you think it’s been compromised. Never force users to rotate passwords, this actually lowers security.
- Can I use the same password on multiple sites? Absolutely not. Every service should have its own unique password so that you don’t have to change all of them when (not if) they get breached.
- How can I remember my password? Don’t try to remember your passwords, use a password manager. If you don’t want to, write it down. If you have to make a long, memorable password, use the diceware method. But never reuse a password.
- What about two-factor authentication? Always turn on 2FA if it’s an option. Use the strongest 2FA method you can. A text message is weaker than an authenticator app is weaker than hardware-based authentication. Never give a service your phone number if you can help it.
- What about password recovery questions? Don’t give honest answers to these. For maximum security, generate a secondary random password for each question and store it in your password manager.
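The arithmetic behind several of those points is worth seeing. Added example, not code from the Fleetsmith guide: entropy of a diceware passphrase versus a random character-class password, why 1337 substitutions add almost nothing (they multiply an attacker’s candidate list by a small constant rather than an exponential), and generating the random recovery-question “answers” the guide recommends. The twelve-word list is a constructed stand-in; the entropy figures assume a real diceware list of 7776 (6 to the power 5) words, one per five-dice roll.

```python
import math
import secrets

# Constructed toy list for demonstrating the mechanics only. A real diceware
# list (e.g. the EFF long list) has 7776 = 6**5 entries.
TOY_WORDLIST = ["apple", "brick", "cedar", "delta", "ember", "fjord",
                "glass", "harp", "iris", "jolt", "kelp", "lemon"]
DICEWARE_LIST_SIZE = 6 ** 5

# Substitution table an attacker would also know; deterministic, so it
# enlarges the search space by a constant factor, not exponentially.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def entropy_bits_wordlist(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n words each chosen uniformly from list_size words."""
    return n_words * math.log2(list_size)


def entropy_bits_charset(length, charset_size):
    """Entropy of `length` symbols each chosen uniformly from charset_size symbols."""
    return length * math.log2(charset_size)


def diceware_passphrase(n_words, wordlist):
    """Choose words with a CSPRNG; that is exactly what physical dice provide."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def leet_variants(word):
    """Every string reachable by optionally substituting each leet-able letter."""
    variants = [""]
    for ch in word:
        choices = [ch, LEET[ch]] if ch in LEET else [ch]
        variants = [v + c for v in variants for c in choices]
    return variants


def extra_bits_from_leet(word):
    """How many bits leet-speak adds at most: log2 of the number of variants."""
    return math.log2(len(leet_variants(word)))


def random_recovery_answer(n_bytes=16):
    """A random 'answer' for a security question; store it in a password manager."""
    return secrets.token_urlsafe(n_bytes)


if __name__ == "__main__":
    print("6 diceware words:      %.1f bits" % entropy_bits_wordlist(6))
    print("10 random printable:   %.1f bits" % entropy_bits_charset(10, 95))
    print("leet on 'password':    +%.1f bits" % extra_bits_from_leet("password"))
    print("one extra dice word:   +%.1f bits" % entropy_bits_wordlist(1))
    print("sample passphrase:    ", diceware_passphrase(5, TOY_WORDLIST))
    print("recovery answer:      ", random_recovery_answer())
```

Six words from a 7776-word list give about 77.5 bits; ten characters drawn uniformly from the 95 printable ASCII characters give about 65.7 bits, and a human-chosen ten-character password with “special characters” bolted on is far below that. Turning “password” into “p455w0rd” buys at most 4 bits (16 variants), whereas adding one more dice word buys about 12.9. The same reasoning is why the guide says length, not character class, is what counts.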
Via Khoi Vinh, who goes on to examine the poor user experience of passwords across platforms and products that almost encourages carelessness.
Passwords are a design problem – Subtraction.com
Create six different accounts at six different web sites and you’ll very likely encounter six different approaches to encouraging and enforcing password strength and security, some egregiously lax and others excessively restrictive. That inconsistency alone undermines much of the vigilance that otherwise responsible users might bring to password creation.
I’ve been a fan of the web comic xkcd for a while, so it was sad to read of their recent security troubles.
Hackers breach forum of popular webcomic ‘XKCD’
“The xkcd forums are currently offline. We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration,” the forum administrators wrote.
It does give us the opportunity to share one of their comic strips again, though.
How many more of these stories will we read? Is someone keeping a list?
PIN the blame on us, says Monzo in mondo security blunder: Bank card codes stored in log files as plain text
Trendy online-only Brit bank Monzo is telling hundreds of thousands of its customers to pick a new PIN – after it discovered it was storing their codes effectively as plain-text in log files. As a result, 480,000 folks, a fifth of the bank’s customers, now have to go to a cash machine, and reset their PINs.
Major breach found in biometrics system used by banks, UK police and defence firms
The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, was discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.
Or this might happen.
Update Faker allows you to “fake a system update”, it’s the perfect way to prank your friends, family members or colleagues. Especially when they’re working on something rather important.
Yes, it’s just a silly prank (reminds me a little of Hacker Typer), but you could see it as an important security/GDPR lesson.
Ever since the launch of updatefaker.com we’ve been flooded with positive feedback both online and in real life. And everyone who’s ever fallen victim to update faker will never leave their PC unattended again, which certainly is a good thing. You never know what bad things people are up to. This website is literally one of the least bad things that can happen to an unattended PC.
A team of US academics have published research, Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites, which they believe shows the massive prevalence of sneaky user interface tricks designed to catch us out.
The seven deadly sins of the 2010s: No, not pride, sloth, etc. The seven UI ‘dark patterns’ that trick you into buying stuff
Dark patterns – user interfaces designed to deviously manipulate people into doing things – have become common enough on websites and in apps that almost two dozen providers have sprung up to supply behavior persuasion as a service.
And in some cases, these firms openly advertise deceptive marketing techniques, describing ways to generate fake product orders and social messages celebrating those fake orders.
These are their proposed categories of user-interface tricks.
- Sneaking: Attempting to misrepresent user actions, or delay information that if made available to users, they would likely object to.
- Urgency: Imposing a deadline on a sale or deal, thereby accelerating user decision-making and purchases.
- Misdirection: Using visuals, language, or emotion to steer users toward or away from making a particular choice.
- Social proof: Influencing users’ behavior by describing the experiences and behavior of other users.
- Scarcity: Signalling that a product is likely to become unavailable, thereby increasing its desirability to users.
- Obstruction: Making it easy for the user to get into one situation but hard to get out of it.
- Forced action: Forcing the user to do something tangential in order to complete their task.
‘Urgency’ and ‘scarcity’ sound like pretty standard advertising methods that we should be very used to by now, but some of those others are very dubious. Here are some screenshots from the research paper.
Fig. 3. Three types of the Sneaking category of dark patterns.
Fig. 5. Four types of the Misdirection category of dark patterns.
What can be done? Here’s one idea they discuss in the paper which I like the sound of.
Fig. 10. Mockup of a possible browser extension that can be developed using our data set. The extension flags instances of dark patterns with a red warning icon. By hovering over the icon, the user can learn more about the specific pattern.
Hot on the heels of Facebook’s latest password problem, TechCrunch has news of another online service with a very shoddy approach to data protection – i.e. there wasn’t any.
The app, Family Locator, lets families track each other’s movements, much like the location-sharing option in Google Maps. But the backend database holding records for its nearly quarter of a million users wasn’t protected at all.
A family tracking app was leaking real-time location data
Based on a review of the database, each account record contained a user’s name, email address, profile photo and their plaintext passwords. Each account also kept a record of their own and other family members’ real-time locations precise to just a few feet. Any user who had a geofence set up also had those coordinates stored in the database, along with what the user called them — such as “home” or “work.”
TechCrunch tried to get in touch with the developer, React Apps, but to no avail.
On Friday, we asked Microsoft, which hosted the database on its Azure cloud, to contact the developer. Hours later, the database was finally pulled offline.
The Register nails it, once again.
Let’s spin Facebook’s Wheel of Misfortune! Clack-clack-clack… clack… You’ve won ‘100s of millions of passwords stored in plaintext’
Facebook today admitted it stored “some” of its addicts’ account passwords in a plaintext readable format. For “some”, read hundreds of millions.
The antisocial network quietly made the mea culpa in a statement that followed its breathless announcement of the Oculus Rift S Virtual Reality headset. The password snafu confession was, as far as we can tell, forthcoming from the Silicon Valley giant only after investigative journalist Brian Krebs blew the lid off the blunder.
Why Facebook waited 3 months to disclose its latest privacy screw-up
We reached out to Facebook in an attempt to answer this question, but unsurprisingly received no response as of press time. Troy Hunt, a security researcher perhaps best known for running the breach disclosure site HaveIBeenPwned, was significantly more willing to chat.
“I suspect Facebook decided not to initially disclose the issue as they had no evidence of the data being used maliciously,” he wrote over Twitter direct message. “I can understand that position insofar as whilst the storage was clearly improper, without a compromise of the stored data the impact on customers would have been zero.”
This, of course, assumes that the passwords weren’t improperly accessed. Facebook claims as much in its blog post, but that requires you to trust Facebook. Which, well, you’d be forgiven for not jumping at the opportunity.
They’re all talking about whether these plaintext passwords were accessed by Facebook staff, whether anything malicious happened, but I think they’re missing a question — how did this happen?
Facebook’s own statement:
Or rather, not keeping them secure.
As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable.
Obviously not designed well enough, because that didn’t happen this time.
In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them.
No it doesn’t.
In security terms, we “hash” and “salt” the passwords, including using a function called “scrypt” as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.
Yes yes yes, that’s all well and good, but that didn’t happen this time, because— ? Who knows, perhaps they’ll tell us the next time this happens?
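The hashing Facebook describes and the blunder it confessed to are two separate systems, and that is the usual answer to “how did this happen?”: the login path hashes correctly, while some other path (a request logger, a debug dump, an analytics event) serialises the whole request, password included, as it did with Monzo’s PINs above. Added example, not Facebook’s or Monzo’s code: password storage with a per-user salt and scrypt, keyed with a server-side secret (my reading of the “cryptographic key” in the statement, not a description of Facebook’s actual scheme), alongside the naive logging call that leaks secrets and a redacting replacement. The pepper value and the field names treated as sensitive are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Assumed server-side key ("pepper"). In production it lives outside the user
# database, in a secrets manager or HSM; hard-coded here only so the example
# runs offline.
PEPPER = b"example-pepper-do-not-use-in-production"

# scrypt cost parameters; 128 * r * n bytes of memory per hash (16 MiB here).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)

# Assumed names of request fields that must never reach a log.
SENSITIVE_KEYS = {"password", "passwd", "pin", "token", "otp"}


def _keyed(password: str) -> bytes:
    """HMAC the password with the server key before hashing, so a stolen
    table of salts and hashes cannot even be attacked without the key."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str) -> dict:
    """Return the record to store: random per-user salt plus scrypt output."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(_keyed(password), salt=salt, **SCRYPT_PARAMS)
    return {"kdf": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(
        _keyed(password), salt=bytes.fromhex(record["salt"]), **SCRYPT_PARAMS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def log_line_naive(event: dict) -> str:
    """The leak: dump the whole request 'for debugging'. Plaintext ends up
    in log files, log shippers, search indexes and backups."""
    return json.dumps(event)


def redact(obj):
    """Recursively replace the values of sensitive keys, nested dicts included."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_line_redacted(event: dict) -> str:
    """Same log line with secrets stripped at the point of serialisation."""
    return json.dumps(redact(event))


if __name__ == "__main__":
    record = hash_password("hunter2")
    print("stored record:", record)
    print("correct password verifies:", verify_password("hunter2", record))
    print("wrong password verifies:  ", verify_password("hunter3", record))

    # Constructed request, not real traffic.
    request = {"user": "alice", "password": "hunter2", "card": {"pin": "1234"}}
    print("naive log:   ", log_line_naive(request))
    print("redacted log:", log_line_redacted(request))
```

The hashing half is the part every company gets right on the login page; the redaction half is the part that failed at Facebook and Monzo. Redact at the serialiser (or in the logging library’s formatter) rather than relying on every developer to remember which fields are secret, and run a scanner over stored logs for patterns that look like credentials, since the same “routine security review” that found Facebook’s problem could have found it at month one rather than after years.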
Things aren’t going well in the courts at the moment.
HMCTS suffers major IT issues
Significant IT issues at the HM Courts and Tribunal Service (HMCTS) have caused chaos across the UK’s courts as users have been unable to connect to the network and use IT systems that require access to it.
The issues began last week and are mainly affecting devices trying to connect to the main Ministry of Justice (MoJ) network, which is used by the department as well as all its agencies and several arm’s-length bodies.
Law courts in chaos as IT meltdown disrupts thousands of cases
The communication failures, which started last week, are a significant embarrassment for the Ministry of Justice, which is investing £1.2bn in a high-profile programme promoting online hearings which aims to replace the legal profession’s traditional reliance on mountains of paperwork.
The IT breakdown meant that staff at the MoJ were unable to send emails, wireless connections went down, jurors could not be enrolled and barristers could not register for attendance payments. Courts were left unsure of when some defendants were due to appear and some court files could not be retrieved, leading to prosecutions being adjourned.
The Register had reported on this a few days before, when the problem seemed to be restricted to just the CJSM (Criminal Justice Secure eMail) system.
Lawyers’ secure email network goes down, firm says it’ll take 2 weeks to restore
For reasons that were not immediately clear, Egress Technologies, provider of CJSM, said in an emailed update to users seen by The Register that restoring CJSM would involve wiping their mailboxes for up to two weeks.
It’s now more serious than that.
Nationwide UK court IT failure farce ‘not the result of a cyber attack’ – Justice Ministry
The Ministry of Justice has said a data centre outage was responsible for the widespread collapse of the UK’s civil and criminal court IT infrastructure over the past days.
In a statement to Parliament today, justice minister Lucy Frazer pinned the fault on Atos and Microsoft, saying there had been an “infrastructure failure in our suppliers’ data centre”.
Here’s a report from 2016, highlighting the issues the department was facing…
Ministry of Justice IT systems are ‘fragile and precarious’, say MPs
The Ministry of Justice (MoJ) must get to grips with its poor IT systems or risk “further demoralising essential staff”, the Public Accounts Committee (PAC) has warned. […]
“ICT systems in probation are inefficient, unreliable and hard to use,” the PAC said. “In a service that relies on successful joint working between multiple partners, it is essential that ICT supports, rather than frustrates, effective and efficient collaboration. This is far from the case for probation.”
… which led to the £1,000,000,000 plan to “transform courts with better use of technology”.
UK justice system set for ‘wholesale shift’ to digital
The reform programme foresees “a wholesale shift to accessing justice digitally” and flags up two “significant developments” that will affect the way courts and tribunals operate: “The first is our aim for all cases to be started online, whether or not they are scheduled for the traditional system or for online resolution. The second will be the completion of some cases entirely online, which will be much more convenient for everyone involved.”
How was that received? With not much confidence, it seems.
PAC doubts justice system transformation programme will be a success
Public Accounts Committee says it’s difficult to see how the government’s “extremely challenging” £1.2bn project to overhaul courts through use of technology “will ever work”.
I don’t know if that’s related to today’s IT breakdowns there, but it makes you wonder.
More announcements of company data (our data) being stolen. The numbers involved each time are just incredible.
Hackers breach Quora.com and steal password data for 100 million users
Compromised information includes cryptographically protected passwords, full names, email addresses, data imported from linked networks, and a variety of non-public content and actions, including direct messages, answer requests and downvotes. […] In a post published late Monday afternoon, Quora officials said they discovered the unauthorized access on Friday. They have since hired a digital forensics and security firm to investigate and have also reported the breach to law enforcement officials.
Whenever these stories are reported, the articles often end with a little summary of other recent snafus. The one above ended with:
Quora’s post is only the latest disclosure of a major breach. On Friday, hotel chain Marriott International said a system breach allowed hackers to steal passport numbers, credit card data, and other details for 500 million customers. In September, Facebook reported an attack on its network allowed hackers to steal personal details for as many as 50 million users. The social network later lowered the number of accounts affected to about 30 million.
A post from The Register, about that massive Marriott breach, concluded with this reminder of previous losses.
Marriott’s Starwood hotels mega-hack: Half a BILLION guests’ deets exposed over 4 years
Few hacks of individual firms’ customer data have come close to the scale of this one. The Yahoo! breach in 2013 saw three billion email accounts breached, while Carphone Dixons, the UK electronics retail chain, managed to lose control of 5.9 million sets of payment card data. In the US, the US Government Office for Personnel Management (which handles sensitive files on millions of government workers) had the personal data of 21 million employees breached by hackers.
More hacking schadenfreude, but with an added GDPR element this time.
First, the hapless Tories.
Major security flaw in Tory conference app reveals users’ data
Boris Johnson’s profile immediately vandalised with hardcore pornography in Tory conference app security blunder
The highly serious blunder allowed anyone to access details of hundreds of MPs including Foreign Secretary Jeremy Hunt and Defence Secretary Gavin Williamson – who have police protection and warn regularly of the hacking threat from Russia. But it also gave pranksters an opportunity to have fun with the profiles of prominent Conservatives.
And then Facebook. Again.
Facebook says at least 50 million users affected by security breach
Facebook said the FBI is now investigating. Because users in Europe are also affected, the company said it has informed data protection authorities in Ireland — where the company’s European headquarters are located. The Irish Data Protection Commission has asked Facebook to clarify the breach “urgently.” If Facebook is found to have breached European data protection rules — the newly implemented General Data Protection Regulation (GDPR) — the company can face fines of up to four percent of its global revenue.
Facebook hack: Here’s what you need to do to secure your account
Critically, for European users, Facebook has been in touch with the Data Protection Commissioner in Ireland – where it is registered – to inform it of the breach. This will be the first data protection incident from one of the major tech companies since the enforcement of Europe’s General Data Protection Regulation (GDPR) in May. GDPR gives regulators the power to issue huge fines but this is yet to be tested. In a statement the Irish Data Protection Commission said Facebook hasn’t given it many details yet. It is “concerned” that despite Facebook discovering the breach on Tuesday, it hasn’t been able to “clarify the nature of the breach and the risk for users at this point”.
The scale of this still astounds me. All the work that goes into administering and assuring our degrees – let alone the work the students themselves undertake – is put in jeopardy if these fraudulent qualifications are not challenged.
Fake degrees, real news
But as this recent File on Four investigation by the BBC demonstrated, this Diploma Mill business is still booming and, according to the report, over 3,000 fake qualifications have been sold to individuals (and in one case a company) in the UK out of a worldwide total of 215,000 which netted a profit in excess of £37m in 2015. It seems that the investigation in Pakistan has ground to a halt “amid claims of government corruption” and sales are continuing, but now with a new twist: extortion.
As well as the obvious “12345678”, “password” and “qwerty” (I can’t believe people really use those?), it seems people’s names beginning with J are especially common.
Top 500 most common passwords visualized
Most common passwords. Is yours here? Also, after some deep analysis, we’ve discovered that passwords fit into 11 categories. See what they are.
If any of your passwords feature on that chart, please read this and change them. Right now.
The usability of passwords
Using more than one simple word as your password increases your security substantially (from 3 minutes to 2 months). But, by simply using 3 words instead of two, you suddenly get an extremely secure password. It is 10 times more secure to use “this is fun” as your password, than “J4fS<2”.
For gadget geek in the Oval Office, high tech has its limits
Mr. Obama is the first true gadget geek to occupy the Oval Office, and yet his eagerness to take part in the personal technology revolution is hampered by the secrecy and security challenges that are daily requirements of his job. What counts as must-have features for many people — high-definition cameras, powerful microphones, cloud-connected wireless radios and precise GPS location transmitters — are potential threats when the leader of the free world wants to carry them around.
A little different from Bill’s time, though I guess Mr Obama doesn’t have these problems any more.