WebProNews

Category: SecurityProNews

SecurityProNews

  • Court Kills EU-US Privacy Shield

    An EU court has struck down a privacy agreement that made it possible to share the data of EU citizens with the US.

    Under the EU-US Privacy Shield, companies could self-certify to a set of privacy principles in order to receive the personal data of EU citizens. This was necessary because of the EU’s stricter privacy legislation. In spite of the goals behind the Privacy Shield, privacy groups raised a number of concerns about its effectiveness.

    In particular, advocates were concerned about the privacy threat the US government poses. Thanks to the Edward Snowden leaks, the world is aware of the US government’s long history of digital spying, even on law-abiding citizens. Advocates were concerned that, even if a company met the necessary data sharing privacy requirements, there was no guarantee the US government wouldn’t snoop on any shared data.

    Max Schrems, an Austrian privacy advocate, filed the complaint that eventually made its way to the Court of Justice of the European Union (ECJ). After considering the case, the ECJ invalidated the Privacy Shield adequacy decision; the Privacy Shield was a framework agreed between the European Commission and the US government, not a law.

    This will have major ramifications for many companies with customers in the EU. At the very least, companies will need to rely on Standard Contractual Clauses (SCCs), pre-approved contract terms issued by the European Commission that govern data transfers. They are used to make sure a transfer abides by the GDPR, especially when the destination country does not offer an equivalent level of privacy protection. The court left SCCs standing, but made clear that the data exporter must assess whether the law of the recipient country, including its government surveillance powers, actually allows the clauses to be honoured, and must suspend the transfer if it does not.

    The ECJ’s decision is a big win for privacy advocates, and will no doubt put additional pressure on the US to adopt privacy regulation of its own.

  • Check Point Identifies Security Issue With Zoom URLs

    Israeli security firm Check Point has worked with Zoom to fix an issue with Zoom vanity URLs.

    Vanity URLs give companies a way to add their branding to their Zoom URLs. Companies could even add a customized website to the service. Unfortunately for Zoom, the vanity URLs had a serious security flaw.

    According to Check Point’s research, “an attacker could have attempted to impersonate an organization’s Vanity URL link and send invitations which appeared to be legitimate to trick a victim. In addition, the attacker could have directed the victim to a sub-domain dedicated website, where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization.”
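    The described attack works because a recipient sees a familiar-looking organization subdomain in the invitation and trusts it. One recipient-side check this suggests, as an added example that is not Zoom’s or Check Point’s code: accept only links whose host is exactly our own registered vanity subdomain (assumed here to be the hypothetical “acme”) and whose path is a meeting join path, rejecting the look-alike hosts, userinfo tricks and wrong paths a crafted invitation would use. The sample links are constructed.

```python
"""Recipient-side check for Zoom meeting invitations: does the link really
point at our organization's own vanity subdomain?  Added example, not
Zoom's or Check Point's code.  Assumptions: our registered vanity
subdomain is "acme" (hypothetical) and meeting links take the form
https://<org>.zoom.us/j/<numeric id>; the sample links are constructed.
"""
import re
from urllib.parse import urlsplit

ZOOM_BASE = "zoom.us"
MEETING_PATH = re.compile(r"^/j/\d{9,11}$")     # assumption about meeting ID length


def invite_is_trusted(url: str, org_subdomain: str) -> bool:
    """True only for https://<org_subdomain>.zoom.us/j/<meeting-id>[?...].

    Each rejection below is one way a crafted invitation can look right
    at a glance while pointing somewhere else.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname            # lower-cased, port and userinfo removed
        port = parts.port                # raises ValueError on a garbage port
    except ValueError:
        return False
    if parts.scheme != "https":                       # http:// or other schemes
        return False
    if parts.username is not None or parts.password is not None:
        return False                                  # https://acme.zoom.us@evil.example/j/...
    if host is None or port not in (None, 443):
        return False
    expected = f"{org_subdomain.lower()}.{ZOOM_BASE}"
    if host != expected:                              # acme-zoom.us, acme.zoom.us.evil.example, other.zoom.us
        return False
    return MEETING_PATH.match(parts.path) is not None  # /j/<id> only, not /s/ or /my/


# Constructed sample invitations (not real meetings).
SAMPLE_LINKS = {
    "https://acme.zoom.us/j/1234567890?pwd=d3JvbmcK": True,
    "https://ACME.Zoom.US/j/1234567890": True,        # host comparison is case-insensitive
    "https://acme-zoom.us/j/1234567890": False,       # look-alike registrable domain
    "https://acme.zoom.us.evil.example/j/1234567890": False,
    "https://acme.zoom.us@evil.example/j/1234567890": False,
    "https://other.zoom.us/j/1234567890": False,      # someone else's vanity URL
    "http://acme.zoom.us/j/1234567890": False,
    "https://acme.zoom.us/s/1234567890": False,
}


def check_samples(org_subdomain: str = "acme") -> dict:
    """Return {link: verdict} for the constructed samples."""
    return {link: invite_is_trusted(link, org_subdomain) for link in SAMPLE_LINKS}
```

    Note the limit of this check: it confirms that the link points at our subdomain, but it cannot tell whether the meeting ID inside the link actually belongs to our organization. That binding is exactly what the flaw let an attacker break, and it could only be fixed on Zoom’s side.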

    This is just the latest in a long string of Zoom security issues that have come to the surface as the platform has gained in popularity. Zoom has been working to close the holes and improve security all around.

    According to Check Point, the vanity URL vulnerabilities “were responsibly disclosed to Zoom Video Communications, Inc. as part of our ongoing partnership and cooperation. This security issue has been fixed by Zoom, so the exploits described are no longer possible.”

  • Google Sued For Tracking Users, Even When They Opt Out

    Google is facing yet another privacy-related lawsuit, this one alleging the company tracks users even after they opt out.

    The lawsuit, filed in the US district court in San Jose, claims that Google uses Firebase to continue monitoring users and tailoring ads to them. Google’s Firebase is used for notifications, alerts, data storage, ads and tracking software glitches, as well as user interactions, such as clicks. Many developers use the tool in their apps.

    According to Reuters, the lawsuit alleges that “even when consumers follow Google’s own instructions and turn off ‘Web & App Activity’ tracking on their ‘Privacy Controls,’ Google nevertheless continues to intercept consumers’ app usage and app browsing communications and personal information.”

    The lawsuit also claims that Google uses Firebase to tailor its ads, effectively using it as an end-run around the opt-out. The firm filing the lawsuit is seeking class-action status.

    This is not the only lawsuit Google is facing for ignoring opt-out settings. Earlier this year, Arizona Attorney General Mark Brnovich filed a lawsuit against the company for continuing to track users after they opt out.

    Needless to say, this is not a good look for Google when the company is facing increased scrutiny in both the US and the EU for privacy issues and anti-competitive practices.

  • Congressman Lynch Asks Apple and Google to Crack Down on Foreign Apps

    Congressman Stephen Lynch, Chairman of the Subcommittee on National Security, is calling on Apple and Google to provide more transparency regarding foreign apps.

    Amid the ongoing controversy surrounding TikTok, India’s purge of Chinese apps and the bans on Chinese telecommunications firms, there is increased scrutiny on the potential security risks that foreign apps and companies may pose. In particular, where user data is stored is a big concern. For example, TikTok was recently sued for allegedly uploading an individual’s data to China without consent.

    Both Apple and Google confirmed they do not require app developers to disclose where stored data will be housed, nor do they require developers to inform users of such arrangements.

    “As industry leaders, Apple and Google can and must do more to ensure that smartphone applications made available to U.S. citizens on their platforms protect stored data from unlawful foreign exploitation, and do not compromise U.S. national security,” Chairman Lynch wrote. “At a minimum, Apple and Google should take steps to ensure that users are aware of the potential privacy and national security risks of sharing sensitive information with applications that store data in countries adversarial to the United States, or whose developers are subsidiaries of foreign companies.”

    We will continue to monitor this story and provide updates as it develops.

  • Microsoft Releases Patch for 17-Year-Old Bug

    Better late than never—Microsoft has released a patch for a major vulnerability in Windows DNS Server that is some 17 years old.

    Microsoft and security researchers are keen to prevent another WannaCry disaster, which has prompted a renewed focus on Windows vulnerabilities. Israeli security firm Check Point has discovered a vulnerability in Windows DNS Server, called SigRed (tracked as CVE-2020-1350), that has the potential to be just as bad.

    The vulnerability carries a CVSS base score of 10.0, the maximum on the scale. Microsoft also describes it as “a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.”

    According to Check Point, every version of Windows Server from 2003 through 2019 is vulnerable. This gives attackers an enormous target. Microsoft released the update today as part of Patch Tuesday, and all organizations are strongly encouraged to apply it immediately.

    “We strongly recommend users to patch their affected Windows DNS Servers in order to prevent the exploitation of this vulnerability,” says Check Point. “We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as WinDNS.”

    System admins should waste no time applying this patch, as attackers will waste no time trying to take advantage of SigRed. The bug lives in the DNS Server role, not in the client resolver, so the inventory to check is every Windows Server running that role, domain controller or not, including any public resolvers of the kind Check Point mentions. For servers that cannot be patched right away, Microsoft also published a registry-based workaround that caps the size of inbound TCP DNS messages (a DWORD value named TcpReceivePacketSize set to 0xFF00 under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, followed by a restart of the DNS service); it is a stopgap, not a substitute for the update.

  • AMD Takes On Intel Xeon With Threadripper Pro CPU

    The hits keep on coming for Intel as AMD rolls out its Threadripper Pro CPU, aimed at taking on the Intel Xeon.

    Intel’s Xeon processors are aimed at servers and workstations and offer a number of advanced features not found in its consumer CPUs. In recent years, AMD has made significant strides against Intel, as the latter has struggled to keep up with demand and to move to its 10nm process.

    In particular, AMD’s Ryzen line of CPUs has won almost universal praise, further illustrating how far Intel has fallen. Now the company has released the Ryzen Threadripper PRO, aimed at the same workstation market as the Xeon.

    “AMD Ryzen Threadripper PRO Processors are purpose-built to set the new industry standard for professional workstation compute performance,” said Saeid Moshkelani, senior vice president and general manager, AMD Client business unit. “The extreme performance, high core counts and bandwidth of AMD Ryzen Threadripper Processors are now available with AMD PRO technology features including seamless manageability and unique built-in data protection. Even the most demanding professional environment is addressed with the new AMD Ryzen Threadripper PRO line-up, from artists and creators developing breathtaking visual effects, to architects and engineers working with large datasets and complex visualizations, all brought to life on the most advanced professional workstation platform in the world.”

    AMD is launching the CPU in conjunction with Lenovo, who is offering the chip in the ThinkStation P620.

    “Our customers need class-leading, innovative solutions to power through the most demanding applications,” said Rob Herman, General Manager, Workstation and Client AI Business Unit, Lenovo. “By leveraging the AMD Threadripper PRO Processors for our newest workstation, the ThinkStation P620, we can offer users the smarter solutions to create complex models, render photorealistic imagery or analyze geophysical and seismic interpretations, while offering crucial security and scalability features to ensure safe and effective operation for our professional users.”

    This is great news for IT professionals, AMD and Lenovo. For Intel, this is just the latest in a string of bad news, including the loss of one of their leading chip designers and Apple moving to its own custom silicon.

  • Google Introduces Confidential Computing, a New Way of Encrypting Cloud Data

    Google Cloud has introduced Confidential Computing in a bid to help secure data in the cloud.

    Google and Microsoft are both founding members of the Confidential Computing Consortium, the industry group behind the term. The goal of Confidential Computing is to keep data protected while it is being used and processed. This is far different from the status quo, in which data must be decrypted before it can be worked on: Google Cloud already encrypts data in transit and at rest, but until now it had to sit in memory in the clear while being processed.

    Confidential Computing changes this by keeping data encrypted in memory while it is being processed. The hardware decrypts it only inside the processor, so neither the hypervisor nor other tenants on the same host can read a workload’s memory in the clear.

    “Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing,” write Nelly Porter, Senior Product Manager; Gilad Golan, Engineering Director, Confidential Computing; and Sam Lugani, Lead Security PMM, G Suite & GCP platform. “Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).

    “Confidential VMs, now in beta, is the first product in Google Cloud’s Confidential Computing portfolio. We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multi-tenant architecture secure. Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud. Confidential VMs can help all our customers protect sensitive data, but we think it will be especially interesting to those in regulated industries.”
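    Confidential VMs at launch ran on AMD EPYC (N2D) machines using AMD Secure Encrypted Virtualization (SEV), which is what provides the memory encryption the post describes. A practitioner should not take the console’s word for it. The following added example, not Google’s code, checks two independent sources: the instance document the Compute API returns (the `confidentialInstanceConfig` and `scheduling` fields are real API fields; the assumption is that the JSON comes from `gcloud compute instances describe NAME --format=json`) and the guest kernel’s own log, where the two patterns below are the forms Linux has used to announce SEV. The sample inputs are constructed.

```python
"""Two-source check that a Google Cloud VM really is a Confidential VM.

Added example, not Google's code.  Assumptions: the instance document is
the JSON that `gcloud compute instances describe NAME --format=json`
returns (confidentialInstanceConfig and scheduling are real API fields),
and the kernel-log patterns are the two forms Linux has used to announce
AMD SEV; the project name and sample inputs are constructed.
"""
import json
import re

# Kernel messages seen when SEV memory encryption is active in the guest.
SEV_PATTERNS = (
    re.compile(r"AMD Secure Encrypted Virtualization \(SEV\) active"),   # older kernels
    re.compile(r"AMD Memory Encryption Features active:.*\bSEV\b"),      # newer kernels
)


def control_plane_says_confidential(instance_json: str) -> bool:
    """The API view: the flag must be set, and because SEV guests cannot be
    live-migrated the maintenance policy must be TERMINATE."""
    inst = json.loads(instance_json)
    cfg = inst.get("confidentialInstanceConfig") or {}
    if not cfg.get("enableConfidentialCompute", False):
        return False
    sched = inst.get("scheduling") or {}
    return sched.get("onHostMaintenance") == "TERMINATE"


def guest_kernel_says_sev(dmesg_text: str) -> bool:
    """The in-guest view: did the kernel actually enable memory encryption?"""
    return any(p.search(line) for line in dmesg_text.splitlines() for p in SEV_PATTERNS)


def verify_confidential_vm(instance_json: str, dmesg_text: str) -> dict:
    """Both sources must agree; a mismatch is the interesting finding."""
    api = control_plane_says_confidential(instance_json)
    guest = guest_kernel_says_sev(dmesg_text)
    return {"api": api, "guest": guest, "ok": api and guest}


# Constructed sample inputs (hypothetical project; not captured from a real VM).
SAMPLE_INSTANCE = json.dumps({
    "name": "cvm-demo",
    "machineType": "projects/example-project/zones/us-central1-a/machineTypes/n2d-standard-2",
    "confidentialInstanceConfig": {"enableConfidentialCompute": True},
    "scheduling": {"onHostMaintenance": "TERMINATE", "automaticRestart": True},
})
SAMPLE_DMESG_SEV = (
    "[    0.000000] Linux version 5.4.0 (constructed sample)\n"
    "[    0.103071] AMD Memory Encryption Features active: SEV\n"
)
SAMPLE_DMESG_PLAIN = (
    "[    0.000000] Linux version 5.4.0 (constructed sample)\n"
    "[    0.103071] x86/PAT: Configured PAT for normal memory\n"
)

if __name__ == "__main__":
    print(verify_confidential_vm(SAMPLE_INSTANCE, SAMPLE_DMESG_SEV))
    print(verify_confidential_vm(SAMPLE_INSTANCE, SAMPLE_DMESG_PLAIN))
```

    At the time of the beta the VM was created with `gcloud beta compute instances create` plus `--confidential-compute --maintenance-policy=TERMINATE` on an N2D machine type (assumed here to still be the flags in use). One caveat to keep in mind: first-generation SEV encrypts guest memory against the host but does not protect its integrity, so this is a strong isolation improvement rather than a full attested enclave.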

    This is an exciting development for cloud security, and for Google Cloud specifically. Google is among the first of the major providers to offer it (Microsoft Azure already offered confidential VMs built on Intel SGX enclaves), so this is a meaningful win for Google as it battles its larger rivals in the cloud space.

  • UK and Australia Open Joint Investigation Into Clearview AI

    The UK and Australia have announced a joint investigation into Clearview AI—to cheers of privacy advocates the world over.

    Clearview quickly made a name for itself as a facial recognition firm that had scraped billions of images from millions of websites. Ignoring platform policies and user agreements, Clearview even scraped images from the top social media companies, including Twitter, Facebook and YouTube.

    Things only got worse from there, as the company was found to be monitoring police searches to discourage officers from talking to journalists. Despite repeatedly insisting it only sold its software to law enforcement and security personnel, information came to light showing the company had allowed investors and friends to access and use the platform as their own plaything. To top it off, Clearview was reported to be marketing its software to authoritarian regimes.

    It seems the UK and Australia have had enough, as “the Office of the Australian Information Commissioner (OAIC) and the UK’s Information Commissioner’s Office (ICO) have opened a joint investigation into the personal information handling practices of Clearview AI Inc., focusing on the company’s use of ‘scraped’ data and biometrics of individuals.”

    This is further bad news for the company, but great news for the average consumer and privacy advocate alike.

  • US May Ban Contractors From Using Chinese Equipment

    The US is ramping up its pressure on Chinese firms, with plans to bar any government contractor from using equipment or services from five companies, under Section 889 of the 2019 National Defense Authorization Act.

    Huawei, Hikvision, Hytera Communications Corp, ZTE and Dahua are the five companies that are expected targets of the new regulations. As Reuters points out, the five companies cross a variety of tech sectors. Huawei and ZTE are well-known smartphone and wireless equipment makers. Hikvision and Dahua are top camera and surveillance equipment vendors, and Hytera Communications Corp makes two-way radios.

    If this regulation takes effect, it will have far-reaching impacts on the tech industry and government contractors. Each contractor will have to certify that it is not using any equipment, goods or services from any of the blacklisted companies, not to mention bear the cost of replacing any equipment it was using.

    This is just the latest escalation in the battle between the US and Chinese companies, which officials accuse of being a national security risk. This move will likely have an impact on US/China relations, and could well lead to retaliation on the part of Beijing.

  • iOS 14 Outs Major Apps For Snooping On Users

    iOS 14 has a number of significant privacy improvements, one of which has been a source of embarrassment for several high-profile apps.

    Privacy was one of the highlights of Apple’s WWDC 2020 Keynote, with the company outlining the steps it is taking to improve the level of privacy it offers customers. One such feature is clipboard monitoring. In short, iOS 14 will alert a user when an app accesses the data currently held in the clipboard. Given that users often copy and paste bank account numbers, credit card numbers, passwords and other sensitive data, this is an excellent new feature.

    Unfortunately for a number of apps, however, they don’t seem to have gotten the memo. In short order, TikTok, LinkedIn, Reddit and several others were called out for reading the contents of the iOS clipboard. These apps were all caught accessing the clipboard even when they were not the app involved in the copy and paste. Basically, once they were opened, they started reading the clipboard’s contents. In the case of TikTok, it appears to have been accessing the clipboard every 1 to 3 keystrokes.

    All three companies have pledged to release an update that will resolve the issue. LinkedIn and Reddit blamed the behavior on bugs, while TikTok said it was a measure designed “to identify repetitive, spammy behavior.” While some users may be willing to give LinkedIn and Reddit a pass, TikTok’s intentional use of the feature does not bode well for a company that is already accused of gross privacy violations.

    Either way, kudos to Apple for helping put an end to this practice. iOS 14 can’t arrive soon enough.

  • EARN IT Act Moves Forward After Addressing Encryption Concerns

    The Eliminating Abuse and Rampant Neglect of Interactive Technologies Act of 2019 (EARN IT Act) has passed the Senate Judiciary Committee after addressing concerns about weakening encryption.

    The EARN IT Act is aimed at protecting children and eliminating online sexual abuse. Many critics, however, were afraid the bill went too far in weakening encryption that law-abiding users rely on.

    The bill addresses the Section 230 protections that limit the liability companies incur from the actions of users on their platforms. In order to maintain their protections, the original bill called for companies to follow mandatory “best practices” outlined by a commission of experts. Many companies and critics warned that these “best practices” could require companies to weaken industry-standard encryption, leaving them little recourse.

    Senator Graham filed an amendment that waters down that provision of the bill, specifically changing the “best practices” to recommendations rather than requirements. In addition, according to The Verge, Senator Patrick Leahy filed an amendment—that was approved—that would “exclude encryption” as a factor that would increase a company’s liability.

    The bill will now move to the Senate floor for a vote by the entire body.

  • California Begins Enforcing New Privacy Law

    Following a six month grace period, California began enforcing its new privacy law on July 1.

    The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. Similar to the EU’s GDPR, the CCPA is a robust set of rules designed to protect individual privacy and give consumers more control over the data companies collect about them. Companies were given a six month grace period before enforcement began, and that grace period ended on June 30.

    The CCPA likely applies to more companies than many realize. It directly applies to for-profit businesses that operate in California and meet any one of three thresholds: more than $25 million in annual gross revenue; deriving at least half of their revenue from selling consumers’ personal information; or buying, receiving, selling or sharing the personal information of at least 50,000 consumers, households or devices a year.

    Potential penalties are high enough to encourage compliance. Unintentional violations can cost as much as $2,500 per violation, while intentional violations can cost as much as $7,500 each.

    While many companies have struggled to be ready for the new law, privacy advocates have praised it for protecting the interests of consumers.

  • Legislation Would Ban Federal Law Enforcement From Using Facial Recognition

    Senators Ed Markey and Jeff Merkley have introduced legislation that would ban federal law enforcement agencies from using facial recognition.

    In the wake of several high-profile incidents that have helped spark protests and a renewed focus on racial equality, facial recognition has come under heavy fire. While having some usefulness, facial recognition struggles with bias issues, especially related to race, ethnicity and sex. This doesn’t even begin to address the privacy issues the technology raises. Clearview AI is one company that has increasingly been in the news for blatant abuses of privacy through the use of facial recognition.

    The Facial Recognition and Biometric Technology Moratorium Act would address these concerns by prohibiting federal law enforcement agencies from using facial recognition technology. In addition, state and local agencies seeking certain federal funding would be required to adopt similar bans.

    “Facial recognition technology doesn’t just pose a grave threat to our privacy, it physically endangers Black Americans and other minority populations in our country,” said Senator Markey. “As we work to dismantle the systematic racism that permeates every part of our society, we can’t ignore the harms that these technologies present. I’ve spent years pushing back against the proliferation of facial recognition surveillance systems because the implications for our civil liberties are chilling and the disproportionate burden on communities of color is unacceptable. In this moment, the only responsible thing to do is to prohibit government and law enforcement from using these surveillance mechanisms. I thank Representatives Jayapal and Pressley and Senator Merkley for working with me on this critical legislation.”

    It’s unknown whether the bill will be able to gain enough support to pass. Should it succeed, however, it could fundamentally alter the privacy debate and have a profound impact on equality.

  • Comcast Joins Mozilla’s Secure Browsing Initiative

    Comcast has become the first ISP to join Mozilla’s initiative and “provide Firefox users with private and secure encrypted Domain Name System (DNS) services through Mozilla’s Trusted Recursive Resolver (TRR) Program.”

    Mozilla has been one of the companies at the forefront of protecting user privacy. One of the areas it has been focusing on is encrypting DNS traffic, which protects browsing activity from collection, interception or manipulation by anyone on the network path. Encryption alone does not stop the resolver itself from seeing every query, however, so the TRR Program requires partner resolvers to agree to standard rules about how query data is collected, protected and used.

    While companies like Cloudflare and NextDNS have signed on to Mozilla’s TRR Program, Comcast is the first ISP to sign on.
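    What Firefox actually sends to a TRR is a DNS-over-HTTPS message as defined in RFC 8484: an ordinary wire-format DNS query carried in an HTTPS request (either raw in a POST body with Content-Type application/dns-message, or base64url-encoded in the `dns` parameter of a GET). The following added example, not Mozilla’s or Comcast’s code, builds such a query, forms the GET URL, and parses a reply. The resolver URL is a placeholder assumption and the response bytes are constructed rather than captured, so nothing here touches the network.

```python
"""DNS-over-HTTPS (RFC 8484) wire messages, the format Firefox's Trusted
Recursive Resolver feature speaks to resolvers such as Cloudflare's or
Comcast's.  Added example, not Mozilla's code.  The resolver URL below is
a placeholder assumption and the response bytes are constructed, not
captured; nothing here touches the network.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1
RESOLVER_URL = "https://doh.example.net/dns-query"   # assumption: any RFC 8484 endpoint


def build_query(qname: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Wire-format query: 12-byte header, QNAME as length-prefixed labels,
    QTYPE, QCLASS.  RFC 8484 recommends txid 0 so identical queries produce
    identical bytes that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(query: bytes, resolver: str = RESOLVER_URL) -> str:
    """GET form: the message goes base64url-encoded, padding stripped, in
    the `dns` query parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, decode answer records."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def constructed_response(qname: str = "example.com") -> bytes:
    """A constructed reply to build_query(qname): flags QR|RD|RA, one A
    record whose owner name is a compression pointer to the question at
    offset 12.  The address is made up for the example."""
    question = build_query(qname)[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
              + bytes([93, 184, 216, 34]))
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    print(parse_response(constructed_response()))
```

    The privacy property comes from the TLS connection to the resolver: an ISP or hotspot operator on the path sees only HTTPS traffic to the resolver’s hostname, not the names being looked up. The resolver still sees every query, which is why the TRR policy terms matter as much as the encryption. In Firefox the feature is controlled by the `network.trr.mode` and `network.trr.uri` preferences.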

    “We’re proud to be the first ISP to join with Mozilla to support this important evolution of DNS privacy. Engaging with the global technology community gives us better tools to protect our customers, and partnerships like this advance our mission to make our customers’ internet experience more private and secure,” said Jason Livingood, Vice President, Technology Policy and Standards at Comcast Cable.

    “Comcast has moved quickly to adopt DNS encryption technology and we’re excited to have them join the TRR program,” said Eric Rescorla, Firefox CTO. “Bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences. We hope this sets a precedent for further cooperation between browsers and ISPs.”

    This is good news for Comcast and Firefox users. Hopefully Comcast won’t be the last ISP to sign on with Mozilla’s TRR Program.

  • Boston Bans Facial Recognition For Government Use

    Boston has joined the growing ranks of US cities that have banned the use of facial recognition by government officials.

    Facial recognition has become one of the most controversial technologies in use. In the wake of George Floyd’s death, organizations have been reevaluating their stand on facial recognition. Companies like Microsoft, IBM and Amazon have changed their policies to exclude selling their facial recognition tech to police.

    Much of this is because of the issues with bias that are prevalent in facial recognition. Despite their best efforts, companies have struggled to keep bias from creeping in on the basis of race, ethnicity and sex.

    These concerns have led cities to take action, banning facial recognition for government agencies. Oakland and San Francisco, California, as well as Cambridge, Massachusetts have already instituted such bans.

    According to Boston.com, “in a unanimous vote Wednesday afternoon, the 13-member body passed an ordinance prohibiting the use of facial recognition technology by Boston police and other city departments, amid evidence that the existing systems misidentify people of color at an exorbitantly high rate.”

    There are some exceptions. Police will still be able to obtain evidence from facial recognition technology, as long as that evidence was gathered by another agency investigating a “specific crime,” and was not at the behest of a Boston city official. Conversely, city officials will not be allowed to use facial recognition provided by third parties.

    Given the current political climate, it’s a safe bet Boston won’t be the last city to take such measures.

  • Sony Announces $50,000 PlayStation Bug Bounty

    Sony has announced it will pay significant bug bounties for PlayStation 4 bugs.

    Bug bounties are an important part of the cybersecurity and software development scene. Companies pay hackers and researchers bounties to encourage them to find and report bugs and security vulnerabilities. Bounties are often high enough to provide full-time income for dedicated security researchers and hackers.

    In a blog post Sony announced they are taking their program public.

    “To date, we have been running our bug bounty program privately with some researchers. We recognize the valuable role that the research community plays in enhancing security, so we’re excited to announce our program for the broader community.”

    According to the payout breakdown, PlayStation 4 bugs can pay as much as $50,000. With that kind of money on the line, it’s a safe bet Sony will have no trouble attracting help.

  • Senators Introduce Legislation Attacking Encryption

    Another day, another attack on the encryption standards that protect every single person using the internet and computing devices.

    Senators Lindsey Graham, Tom Cotton and Marsha Blackburn introduced the Lawful Access to Encrypted Data Act in a bid “to bolster national security interests and better protect communities.”

    It’s hard to tell whether the authors are trying to attack encryption, or if they simply don’t understand how it works…or both. Either way, the result is the same: This legislation will gut the end-to-end encryption (E2EE) billions of people rely on.

    Case in point:

    “After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans,” says Graham.

    Similarly:

    ”This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet,” said Cotton.

    The announcement specifically states:

    “Encryption is vital to securing user communications, data storage, and financial transactions. Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of ‘warrant-proof’ encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.”

    These statements ignore some of the basic facts involved in the encryption debate. Let’s break this down.

    1. All of the above statements place a great deal of emphasis on a warrant. The encryption debate has never been about tech companies’ willingness or unwillingness to abide by a warrant. The issue, plain and simple, is that you cannot have strong encryption that also has a backdoor: any mechanism that lets a provider decrypt content on demand is a mechanism that an attacker, an insider or a hostile government can also reach. Experts have been warning about the dangers of weakening encryption for years, in technical papers, open letters and testimony too numerous to list.

      Ultimately, this is not a case where these senators can ‘have their cake and eat it too.’ Either everyone has strong encryption that protects them, or no one does. Even these senators rely on encryption to conduct their business. Signal is widely considered to be the most secure messaging app on the planet, in large part because of the type of encryption this legislation targets. It is so secure that the Senate’s own security office has approved Signal for use by Senate staff.

      Yet this legislation is so dangerous to the very type of encryption that Signal relies on that the company has already warned that, if it passes, Signal will likely stop being available in the US altogether.

      Again, either everyone has strong encryption or no one does…including the senators targeting encryption.

    2. The legislation wrongly asserts that companies fail to cooperate with law enforcement, “even when criminal activity is clearly taking place.” Again, this is not a matter of intentionally failing to cooperate; it is a technical impossibility.

      Companies simply cannot create strong encryption that can simultaneously be accessed at will, whether by the company, law enforcement or anyone else. In many cases, such as Apple, companies cooperate as much as they possibly can, but they cannot change the mathematics.

    3. The assertion that “‘warrant-proof’ encryption adds little to the security of the communications of the ordinary user” ignores how the technology is frequently used by the “ordinary user.” The fact is, E2EE protects private communication, securing text messages, video chats, emails and voice calls, ensuring people can communicate without fear.

      Businesses rely on E2EE on a daily basis to ensure they can freely discuss internal matters without fear of corporate eavesdropping and espionage. Victims of abuse often rely on these services to communicate with loved ones without their abuser being able to find them. Journalists and activists in areas ruled by oppressive regimes rely on E2EE for their very lives.

    The announcement cites several examples where E2EE thwarted attempts by law enforcement. While true, the question remains: How is that different from any other technology?

    One example encryption proponents cite is shredder manufacturers. Do these companies have to create shredders that reconstitute a document just because some bad actors use paper shredders to cover their tracks? Of course not. While some do use shredders to cover illegal activity, the vast majority of individuals use them for perfectly legal reasons.

    The same is true of E2EE. There will always be those who use any technology for illegal, immoral and unethical reasons. The vast majority, however, will use it as it was intended, for perfectly legal activity.

    If passed, however, this new legislation will punish the whole on behalf of the few.

  • How Does Hacking Impact Password Security?

    The average business user has 191 passwords, but are they secure? Likely not. 91% of people know that reusing the same password increases their risk of a security breach, yet 66% do it anyway. So how did passwords and hacking become entangled? Passwords were introduced in the early 1960s and had a roughly 28-year run before the first Internet worm showed how easily they could be guessed. With two-factor authentication and biometrics, attacks are far more difficult today. However, cyberthieves are still in business, and moving beyond passwords may be our best bet for improving our defenses.

    Fernando Corbató, creator of the computer password, was on the team that launched MIT’s Compatible Time-Sharing System (CTSS), the first computer system known to use passwords. CTSS let multiple users, each at a separate terminal, share a single mainframe while keeping their own sets of files. Giving each user a personal point of entry required some way to prove identity, and the password filled that role. While passwords are weaker than a set of personal authentication questions, they take far less storage, an essential compromise on early computers.

    The first widely publicized Internet attack came in 1988 with the Morris Worm, the first computer worm on the Internet. It was written by Robert Tappan Morris, whose father, Robert Morris Sr., had helped design the Unix password-hashing scheme at Bell Labs. Hashing is what a system does to protect stored passwords, not a hacker’s tool: it converts the plaintext password into a fixed-length, unreadable string that cannot practically be converted back. These strings are called hashes. An attacker who steals a file of hashes cannot read the passwords out of it; they can only guess candidate passwords, hash each one and compare.

    Within 24 hours of the Morris Worm’s release, roughly 1 in 10 computers on the Internet was infected. Part of how it spread was password guessing: it tried each account’s username and simple variations of it, then a built-in list of a few hundred common words, and it got in often enough to show how many users chose easily guessable passwords. Although Morris intended a harmless experiment, the incident inspired an entirely new generation of hackers and a new era of cybersecurity.
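    As an added illustration (example code written for this edit, not from the article or any product it mentions), the following Python shows both sides of the hashing paragraph above: how a service stores a salted, slow hash instead of the plaintext, why the stored value cannot be run backwards, and how an attacker who steals the hash file must guess instead, trying the username and its variations first and then a wordlist, much as the worm did. The user names, passwords, wordlist and "leaked" records are all constructed for the demo; the iteration count is deliberately low so it runs quickly.

```python
import hashlib
import os
import secrets

# Constructed sample wordlist, standing in for the few-hundred-word lists
# that password-guessing code carries. Not real leak data.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "welcome"]

ITERATIONS = 10_000  # kept low for the demo; production PBKDF2 uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way function: password + salt -> fixed-length digest.

    Nothing here can be run backwards; the only way from digest to password
    is to guess candidates and hash each one.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_password(password: str) -> dict:
    """What a service keeps: a random per-user salt and the digest, never the plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    """Login check: re-hash the supplied password with the stored salt and compare."""
    candidate = hash_password(password, record["salt"])
    return secrets.compare_digest(candidate, record["hash"])


def build_sample_records() -> dict:
    """Constructed 'leaked' credential store (hypothetical users, not real data)."""
    plaintexts = {
        "alice": "123456",                      # a common password
        "bob": "bob",                           # username as password
        "carol": "kZ!9v-Thirteen-Owls-Sleep",   # long and in no wordlist
    }
    return {user: store_password(pw) for user, pw in plaintexts.items()}


def crack(records: dict, wordlist: list) -> dict:
    """Offline guessing attack against stolen salted hashes.

    For each account try the username and simple variations of it first,
    then the common-password list. Because every user has a different salt,
    each guess costs one hash computation per account.
    """
    found = {}
    for user, record in records.items():
        candidates = [user, user[::-1], user * 2, user.capitalize(), *wordlist]
        for guess in candidates:
            if verify_password(guess, record):
                found[user] = guess
                break
    return found


def store_unsalted(password: str) -> bytes:
    """The weak pattern: a fast digest with no salt."""
    return hashlib.sha256(password.encode()).digest()


def crack_unsalted(hashes: dict, wordlist: list) -> dict:
    """Without salt, identical passwords give identical digests, so the
    attacker hashes the wordlist once and looks every account up in it."""
    table = {store_unsalted(word): word for word in wordlist}
    return {user: table[digest] for user, digest in hashes.items() if digest in table}


if __name__ == "__main__":
    leaked = build_sample_records()
    print("cracked from salted hashes:", crack(leaked, COMMON_PASSWORDS))
    weak = {"alice": store_unsalted("123456"), "dave": store_unsalted("123456")}
    print("cracked from unsalted hashes:", crack_unsalted(weak, COMMON_PASSWORDS))
```

    Running it cracks "alice" and "bob" from the salted store and leaves "carol" alone, which is the whole point of the password advice in this article: the hash protects nothing if the password itself is on a short list. The unsalted variant shows the second lesson, that a single precomputed table exposes every account sharing a weak password at once.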

    In the meantime, hackers kept getting smarter. In 2009, RockYou suffered a massive password breach: attackers accessed the credentials for more than 30 million accounts, which the company had stored in plaintext. Analysis of the leaked list showed how weak those passwords were; the most common was “123456,” and many users had reused the same username and password for their webmail accounts. Even worse, in 2011’s “Military Meltdown Monday,” Anonymous breached Booz Allen Hamilton, a contractor for the Department of Defense, and leaked roughly 90,000 credentials for military, State Department, Homeland Security and private-contractor personnel.

    Although modern defenses make attacks far harder, cyberattacks are still common. As a result, the security industry is pushing toward a future without passwords. Jim Clark, co-founder of Netscape and chairman and co-founder of Beyond Identity, says, “Passwords are easy to guess, often, and you have to share it with the site you are logged into so the site has a copy, you have a copy and all it takes is the breach of a site [to be compromised].” So, how strong are your passwords?

  • Zoom Charts Path Toward End-to-End Encryption For All Users

    Zoom Charts Path Toward End-to-End Encryption For All Users

    Zoom is adding end-to-end encryption (E2EE) for all users, reversing a decision made just weeks ago to reserve the highest security for paid plans.

    Zoom has been in hot water more than once in recent months over its encryption claims and policies. Originally, the company’s marketing led customers to believe it provided E2EE when it did not. Once the company finally rolled out the upgraded encryption, it said it would only be for paid subscribers.

    The rationale for the decision was that free plans were more likely to be used for illegal activities, and the company wanted to be able to work with the FBI and local law enforcement. Needless to say, the stand was not a popular one.

    It appears the company has changed direction, and charted what it believes will be a compromise solution that will allow it to offer E2EE to free users.

    “To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” writes CEO Eric S. Yuan. “Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”

    The move is a measured solution that will likely satisfy most critics.

  • Ransomware Attack Shuts Down Knoxville’s Network

    Ransomware Attack Shuts Down Knoxville’s Network

    Knoxville, TN has suffered a major ransomware attack, forcing it to shut down its entire network.

    According to BleepingComputer, a notice was sent out to city employees Thursday morning informing them of the issues.

    “Please be advised that our network has been attacked with ransomware,” reads the notice.

    “Information Systems is currently following recommended protocols. This includes shutting down servers, our internet connections, and PCs. Please do not log in to the network or use computer applications at this time.”

    So far, Knox County government computers have not been affected. Police and fire department operations are intact, although neither can access the network.

    As BleepingComputer points out, no group has yet claimed responsibility, although the FBI is investigating the incident. At the same time, officials said no personal data or credit card information was accessed or stolen.

    Ransomware has become one of the biggest threats to online security, with attacks costing the US an estimated $7.5 billion in 2019. Knoxville is just the latest example of the problems these attacks can cause.

  • Microsoft Joins IBM & Amazon, Won’t Sell Facial Recognition Tech to Police

    Microsoft Joins IBM & Amazon, Won’t Sell Facial Recognition Tech to Police

    Microsoft has become the third major tech company to announce it will not sell facial recognition technology to police.

    In the wake of George Floyd’s death, the US has been gripped by mass protests, with protesters, civil rights leaders, critics and politicians alike calling for police and social justice reform. Companies are also taking a fresh look at how the technology they invent is being used by police.

    IBM was the first major company to announce a moratorium on selling facial recognition software to police, with Amazon quickly following suit. Now Microsoft has made a similar announcement.

    “We will not sell facial-recognition technology to police departments in the United States until we have a national law in place, grounded in human rights, that will govern this technology,” company president Brad Smith told The Washington Post.

    IBM and Amazon likewise called on government to better regulate the technology. Facial recognition software is particularly vulnerable to abuse, as studies have shown its accuracy varies with a subject’s age, race and sex.

    While the government has yet to put strong safeguards in place, it seems tech companies are now self-regulating to an unprecedented degree.