Information Security News and Events
News, events, views, tips, and hints for keeping your personal information private.
Tuesday, May. 27, 2014
Early Tuesday, a number of Australian iPhone and iPad owners awoke to find their devices locked, with an alert asking for $50 to $100 to give access back.
Moral: It's easier than you think for someone to get into your Apple products -- even if a thief doesn't have the actual iPhone in his or her hands.
How to make yourself much safer?
Start using two-step verification for your Apple ID.
When you enable two-step verification, Apple will make you prove you're actually you whenever you buy anything on iTunes, the App Store or the iBooks Store. It works like this: Apple will text you a code anytime you try to sign into your Apple account to make a purchase. You will then have to input that number to verify your identity. That way, nobody else can access your account unless they have both your password and your device, making it far more difficult to steal your identity and credit card information.
Here's how you do it:
First, go to the Apple ID site, click "Manage your Apple ID" and sign in. From there, click "Password and Security."
From there, you'll see "Two-Step Verification." Under that you should click "Get started..."
There you'll be able to sign up for two-step verification. For security reasons, Apple makes you wait three days after setting up two-step verification for it to take effect. Once you sign up, you'll get an email telling you exactly when you'll be able to use it.
Once you have two-step verification, this is how it works when you sign into Apple to make a purchase:
You'll also get a Recovery Key, which is a 14-digit series of numbers and letters that you can use to access your account if you ever lose access to your iPhone and are unable to receive text messages. Apple recommends you print out your Recovery Key and keep it in a safe place.
Many people don't think about Apple security -- even though the devices and accounts can contain a ton of personal information. Half of iPhone users don't even use their phone's regular passcode, and some people probably still haven't updated their iPhones after a major security flaw was discovered in February. Two-step verification is just one extra way you can protect yourself.
Wednesday, May. 21, 2014
The term "the cloud" can be used to refer to the Internet. Marketers have popularized the phrase "in the cloud" to refer to software, platforms, and infrastructure that are sold as a service. Usually, the seller has servers that host products and services from a remote location, so users don't have to. They can just log on to the network without installing anything. These services may be offered in a public, private, or mixed network. Google, Amazon, IBM, Oracle Cloud, Microsoft Azure, and Dropbox are some examples of cloud vendors.
Cloud services have expanded as more and more users are using the Internet. Cloud services can be quite useful as a cheap "offsite backup". For example, you can keep copies of documents or a list of the serial numbers of your belongings in case of a robbery or a catastrophic event, such as an earthquake.
Let's use Dropbox for an example.
Dropbox usually requires a username and password to access documents. It even offers a two-factor solution as an option. However, a user can allow others to view a document by sending them a "secret link". But links can be easily leaked. As users rely more on cloud services to share files, with passwords that are too troublesome to set up, leaked links will become more commonplace.
Let's assume that the cloud service works as designed and your username and password are strong enough. When you share files with other people, though, you run the risk that they won't take the same care with the files as you would. Their passwords could be weaker than yours, or they could post the link on the Internet.
Although cloud services are useful, there is some information you shouldn't store in the cloud, such as confidential, personal, financial, or medical information, unless you encrypt it before uploading.
Here are a couple of ways to "de-cloud" your life:
- Set up an "ownCloud" server. It works very much like Dropbox, with mobile clients available for Android and iOS, but you will have to run the server yourself. I suggest you make it accessible via a VPN connection only. SharePoint may be a similar solution for Windows folks.
- Run your own mail server: This can be a real pain and even large companies move mail services to cloud providers. But pretty much all cloud mail providers will store your data in the clear, and in many ways they have to. Systems to provide real end-to-end encryption for cloud/web-based e-mail are still experimental at this point.
- Offsite backup at a friend's or relative's house. With widespread use of high-speed home network connections, it is possible to set up a decent offsite backup system by "co-locating" a simple NAS somewhere. The disks on the NAS can be encrypted, and the connection can again use a VPN.
- For Apple users, make local backups of your devices instead of using iCloud. iCloud stores backups unencrypted and all it takes for an attacker to retrieve a backup is your iCloud username/password.
Monday, May. 12, 2014
Recently, some people at SCU have gotten unsolicited phone calls offering to fix their computers. If that happened to you, make sure you do not do anything the caller asks you to do. It is most likely a phone scam. Even if you wouldn't be fooled, please warn friends and relatives (especially elderly ones) who might not be aware of scams like this. Victims of this fraud could suffer anything from identity theft to having their computer hijacked and used to send spam or viruses without their knowledge.
Where to Report Phone Fraud
- National Do Not Call Registry
The U.S. National Do Not Call Registry allows you to register your phone number. U.S. telemarketers are legally required to check this list; if they call numbers on it, they're liable for prosecution. Enforcement isn't great, but every bit helps.
- FTC Bureau of Consumer Protection - Consumer Information
The Federal Trade Commission doesn't resolve individual consumer complaints, but if there are enough reports of the same fraud, it may be able to go after the scam and shut it down.
What If They Put a Virus on My Computer?
Wednesday, May. 7, 2014
Authentication methods used by Facebook, Google, and many other popular websites could be redirected by attackers.
A security researcher has uncovered serious security vulnerabilities in the technologies used by many websites to authenticate users via third-party websites. A blog posted late last week revealed the details of security flaws in OAuth 2.0 and OpenID, two technologies that are widely used by the Web's most popular sites to more quickly and easily verify the identity of a user.
The vulnerability was discovered by Wang Jing, a PhD student in mathematics at Nanyang Technological University. If you have ever allowed an application or website to verify your identity using your Facebook, Twitter, or Google account, then you have likely used OAuth or OpenID.
OAuth is an open standard for authorization that gives client applications secure, delegated access to server resources on behalf of a resource owner. OpenID is an open standard that allows users to be authenticated by cooperating sites using a third-party service, eliminating the need for webmasters to provide their own authentication systems and allowing users to consolidate their digital identities. The vulnerability could allow an attacker to redirect the "token" used by OAuth 2.0 to access user information on a third-party site, making it possible to steal information such as a user's email address, age, or location, the blog says. In OpenID, the vulnerability could enable attackers to collect users' information directly.
Google (which uses OpenID) said that the problem has been tracked, while LinkedIn said the company has published a blog post on the matter. Microsoft said it has completed an investigation and that the vulnerability existed on a third party's domain, not on its own sites.
While this issue isn't as severe as Heartbleed, it is relatively easy to exploit until the flaw gets patched, and patching is difficult because third-party sites have "little incentive" to fix the problem. Cost is a factor, as is the view that the host company (such as Facebook) bears the responsibility, because it is what makes the attacks appear more credible.
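As an added example (not from the original article or from the researcher's blog), here is how an OAuth 2.0 authorization server's redirect_uri check can be tightened so a token is only ever sent to a client's exactly registered callback. The client id and URLs are constructed sample values, and the "loose" check stands in for the kind of permissive host-level matching that leaves room for the token redirection described above.

```python
"""Redirect URI validation on an OAuth 2.0 authorization server.

Added example. The weak policy accepts anything on a registered client's
host, so the authorization response (and the token in it) can be sent to
any path on that host. The strict policy is exact string matching, as
RFC 6749 section 3.1.2.2 recommends. All values below are constructed.
"""
from urllib.parse import urlsplit

# Constructed sample client registration: the one callback this client may use.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def loose_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Weak policy: accept any HTTPS URL whose host matches a registered URI.

    Host-only matching does not pin the path, so a different endpoint on
    the same host (for example an open redirector) is also accepted.
    """
    requested = urlsplit(redirect_uri)
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        if (requested.scheme == "https"
                and requested.hostname == urlsplit(registered).hostname):
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Recommended policy: byte-for-byte match against a registered URI.

    No prefix, host-only or wildcard matching; an unknown client_id or a
    missing registration is rejected.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def authorize(client_id: str, redirect_uri: str, check=strict_redirect_check) -> str:
    """Return the URI the authorization response may be sent to.

    Raises ValueError on mismatch so the server renders an error page
    instead of redirecting (RFC 6749 section 4.1.2.1 forbids redirecting
    to an invalid redirect_uri).
    """
    if not check(client_id, redirect_uri):
        raise ValueError("redirect_uri does not exactly match a registered URI")
    return redirect_uri
```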