
Facebook Employees Had Access to Millions of User Passwords Stored in Plain Text

In a new blog post entitled "Keeping Passwords Secure", Facebook's VP of Engineering, Security and Privacy, Pedro Canahuati, explains how the social media giant accidentally stored Facebook users' passwords in plain text on internal data storage systems. Pedro explains that "these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users." To keep your account safe, Facebook suggests changing your Facebook and Instagram passwords, picking strong passwords, using a password manager, and enabling a security key or two-factor authentication. In recent months, Facebook has vowed to clean up its act after being accused of sharing user data, suffering one-click account takeover bugs, paying minors to harvest their data without parental consent, having its enterprise certificate revoked by Apple, the access token hack, Cambridge Analytica, and many more fines and hacks. I would suggest picking a password so long and complex that Facebook employees would get tired from writing it down.

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.

Posted by cageymaru March 21, 2019 1:17 PM (CDT)

Passively Cooling the Intel i9-9900K

Der8auer on YouTube has experimented with passively cooling an Intel i9-9900K with the ARCTIC Alpine 12, a passive CPU cooler. The ARCTIC Alpine 12 is only rated to handle 47 watts, so Der8auer wasn't expecting much out of the unit. Although the passive cooler proved more capable than its rating, it couldn't keep the Intel i9-9900K properly cooled at stock settings. The Intel chip was throttling, so Der8auer ended up with a stable 3.6 GHz clock speed across all cores, which was more than capable of playing games on the system.

I think we could go even higher to 3.8 GHz @0.975 V. Yes, you can actually passively cool a 9900K with some kind of adjustments. You have to undervolt your CPU a little bit; underclock your CPU a little bit.

Posted by cageymaru March 11, 2019 9:12 PM (CDT)

Philadelphia Passes Ban on Cashless Stores; Amazon Go Plans Said to Be in Jeopardy

Amazon plans to open a chain of cashierless convenience stores across the country, but don’t expect them in Philadelphia: the city has just signed off on legislation banning cashless stores. While the convenience of technology has convinced many retailers to shift to credit cards and mobile payments only, Philly’s leaders opted for the opposite, citing their 26-percent poverty rate and poor consumers, some of whom do not even have bank accounts.

Nearly 6 percent of residents in the Philadelphia region did not have access to credit or bank accounts in 2017 and roughly 22 percent were considered "underbanked," according to the Federal Deposit Insurance Corporation. Amazon warned Philadelphia officials behind closed doors that a ban on cashless stores would force it to reconsider its potential plans for Amazon Go stores in Philadelphia. Emails obtained by the Inquirer showed that the web giant also lobbied city officials to try to carve itself out of the cash requirement.

Posted by Megalith March 09, 2019 1:05 PM (CST)

US Bans Cargo Shipments of Lithium-Ion Batteries on Passenger Planes

To strengthen safety for the traveling public, the US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) and Federal Aviation Administration (FAA) have opted to prohibit the transport of lithium ion cells or batteries as cargo on passenger aircraft. "PHMSA is enhancing passenger safety by permitting personal electronic devices onboard aircraft while ensuring cargo shipments of batteries are transported separately," said PHMSA Administrator Howard "Skip" Elliott.

The FAA has been pushing airlines to reconsider carrying batteries due to the potential fire risk, and the ban theoretically reduces the chances that an incident will put travelers in danger. The cargo ban will mainly affect people who order batteries. You'll likely still get your orders, but they may have to wait for dedicated cargo flights. The battery charge requirement may be another matter. It could mark an end to the days of receiving phones and other gadgets with near-full charges -- you'll probably need to top them up first.

Posted by Megalith March 03, 2019 4:05 PM (CST)

The Pentagon Wants to Replace Passwords with the Way You Move or Walk

Steven Wallace is a system innovation scientist at the Pentagon's Defense Information Systems Agency, or DISA. In an interview with The Washington Post, he discussed smartphone technology that the Pentagon is testing that will authenticate smartphone owners by using "the gait of your walk, the tension in your hand or the way your thumb moves across the touch screen." He says DISA is working with industry leaders such as computer chipmakers and smartphone developers to make the technology commercially available by 2020. The technology is expected to be incorporated into the majority of handsets in the USA, as the Pentagon wants to use mass production to lower the price. The sensors used by the DISA project are already in the smartphones, and a "unique profile for how each smartphone user does various things" can be created based on how each owner uses their device. This may include the way the phone is pulled out of a purse or pocket, typing on it, or walking with it. A "risk score" is generated from a weighted combination of these metrics, and if the score drops too low, the person is locked out of the phone. At that point the person has to use a more conventional way to log in, such as a password.

Wallace hopes the cutting-edge identity verification system will be like the Global Positioning System and the Internet itself -- in that they are all tools that were initially developed for military use but ended up benefiting society at large. "I'm not going to say that we're going to create something that's as broad and as grand as GPS or the Internet, but there's a history of the department working on things and those things ending up in consumer devices," Wallace told me.

Posted by cageymaru February 26, 2019 8:23 PM (CST)

Android Receives FIDO2 Certification to Usher in a World Without Passwords

The FIDO Alliance has announced that compatible devices running Android 7.0+ are now FIDO2 certified. FIDO2 certification gives these devices simpler, stronger authentication capabilities, as users can use the device's built-in fingerprint sensor and/or FIDO security keys for secure passwordless access to websites and native applications that support the FIDO2 protocols. Web and app developers can enable support for FIDO with a simple API call. Web browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge already support the standard, while Apple Safari has preview support. FIDO2 consists of the World Wide Web Consortium's (W3C) Web Authentication specification and the corresponding Client to Authenticator Protocol (CTAP) from the FIDO Alliance. "Collectively, these standards enable users to more easily and securely login to online services with FIDO2-compliant devices such as fingerprint readers, cameras and/or FIDO security keys."

"Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks. Today's announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users," said Christiaan Brand, Product Manager, Google.

Posted by cageymaru February 25, 2019 11:25 AM (CST)

Microsoft Is Reportedly Bringing Xbox Game Pass to Nintendo Switch

Nintendo Switch owners who are contemplating the purchase of an Xbox One may want to hold off on that decision, as multiple reports are suggesting Microsoft is bringing its game-subscription service to the portable console. The idea of Crackdown 3, Forza Horizon 4, and Sea of Thieves "running" on a Switch will evidently no longer be a fantasy, but a reality made possible by Microsoft’s xCloud game-streaming technology.

Direct Feed’s report also reveals that Microsoft is working on making some of its published games available on Switch. Ori and the Blind Forest is specifically mentioned as a game that would be a good fit for Switch. This isn’t the first time a Microsoft-published game has made its way onto other platforms, as Minecraft is available on plenty of platforms not run by the company, including Switch.

Posted by Megalith February 24, 2019 3:25 PM (CST)

Zilog Z8000 Architect Passes Away

Dr. Bernard Peuto, the mind behind Zilog's Z8000 and Z8 processors, passed away this month, and the Electronic Engineering Journal just posted a writeup on his history with Zilog. Just before the wild success of the Zilog Z80, the company hired Dr. Peuto as its twelfth employee in early 1976. With mainframe experience under his belt, the report says, he quickly went to work on Zilog's 16-bit designs, but the company faced stiff competition from Motorola and Intel. Far more than a simple obituary, the article is a dive into the history of Zilog and its contemporary competitors, and is definitely worth a read. Thanks to cageymaru for the tip.

Despite all of these acquisitions, Littlefuse/Zilog still sells versions of Dr. Peuto's Z8000 and Z8 processors. The Z8 microcontroller was reborn in the early 2000s as the enhanced Z8 Encore! and the Z8 Encore! XP Flash-based microcontroller families. Meanwhile, the 40-pin and 48-pin versions of the Z8000 microprocessor are still available as the Z16C02 and Z16C01, although perhaps not for too much longer, as you really need to dig deep into the Littlefuse/IXYS/Zilog site to find these parts. (Actually, I let Google dig into it.) Part of Dr. Peuto's significant technical legacy is deeply rooted in the Z8000 and Z8 processor architectures. Another part is tied to the Computer History Museum in Mountain View, California where Dr. Peuto served as a trustee for 17 years. He was also a member of the museum's executive and finance committees. As a result of that work, he was named a Trustee Emeritus in 2017. That's not a bad legacy to leave, my friends.

Posted by alphaatlas February 21, 2019 10:30 AM (CST)

Password Manager Vulnerabilities Exposed

A report from Independent Security Evaluators (ISE) showed that password manager security is acceptable in non-running states, but that the products are vulnerable to memory attacks when running. 1Password4, 1Password7, Dashlane, KeePass, and LastPass were tested in the report. For example, 1Password4 properly scrubbed old password entries from memory when it loaded a new entry, which meant that only one password was exposed at a time. But the master password remained obfuscated in memory, and a bug allowed the master password to be stored in memory in cleartext form, even when locked. In another example, 1Password7 decrypted and loaded all the individual passwords in the running state and didn't scrub the individual passwords, master password or the secret key when transitioning from the unlocked to the locked state! Dashlane exhibited good security practices until the user changed an entry. Then it exposed the "entire database plaintext in memory and it remains there even after Dashlane is logged out of or 'locked'." The entries remained in memory for more than 24 hours. KeePass was decent until a simple strings dump of the KeePass process memory was performed; there it exposed all entries that had been interacted with. LastPass performed about as well as KeePass. ISE concluded that "it is evident that attempts are made to scrub and sensitive memory in all password managers. However, each password manager fails in implementing proper secrets sanitization for various reasons." The password manager vendors responded to the report from ISE. LastPass says it patched its issues, and KeePass noted that the basic underpinnings of Windows affected its ability to scrub the password entries, as "Windows and .NET may make copies of the data (in the process memory) that cannot be erased by KeePass." Dashlane noted that "if an attacker has full control of a device at the lowest operating systems level, they can read any and every information on the device." 1Password's spokesperson took the same stance: "An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer."

In this paper we will examine the inner workings as they relate to secrets retrieval and storage of 1Password, Dashlane, KeePass and LastPass on the Windows 10 platform (Version 1803 Build 17134.345) using an Intel i7-7700HQ processor. We examine susceptibility of a password manager to secrets exfiltration via examination of the password database on disk; memory forensics; and finally, keylogging, clipboard monitoring, and binary modification. Each password manager is examined in its default configuration after install with no advanced configuration steps performed. This paper is not meant to criticize specific password manager implementations; however, it is to establish a reasonable minimum baseline which all password managers should comply with.

Posted by cageymaru February 20, 2019 5:10 PM (CST)

Thousands of IoT Refrigerators Worldwide Are Using Default Passwords

Refrigerators worldwide featuring temperature control systems from Resource Data Management (RDM) still have the default password "1234" as their login. "These systems all use the unsecured HTTP protocol and the 9000 port (or sometimes 8080, 8100, or even simply 80)." Israeli security activists Noam Rotem and Ran L from the Safety Detective research lab discovered the vulnerability in refrigeration systems at hospitals, supermarket chains, pharmaceutical companies, and more. In total, a search on Shodan revealed over 7,400 vulnerable devices worldwide. The researchers were initially criticized for contacting the company via email and social media, but later on an RDM representative told Safety Detectives that it is up to the customer and installer to change the default password.

To clarify the situation from RDM, we would confirm that the default passwords must be changed by the installer at the time of setup. RDM does not have any control over where our systems go and who installs them. We clearly state in our documentation that the default passwords MUST be changed when the system is installed. It's similar to an off-the-shelf router with default user names and passwords Admin Admin.

Posted by cageymaru February 08, 2019 3:28 PM (CST)

Google Launches Password Checkup Extension

Google has announced a new extension for Google Chrome called Password Checkup that monitors the passwords you type into websites to see if they have been exposed in a third-party data breach. Google says it has access to over 4 billion compromised credentials, and Password Checkup will issue a warning if it detects you using a credential that is known to be unsafe. Google worked with cryptography experts at Stanford University to incorporate protections that maintain your privacy by encrypting your credentials and making sure they are never revealed to Google. The tool also has built-in safeguards to keep attackers from abusing it to reveal unsafe usernames and passwords. The Password Checkup extension will be improved over the coming months with better site compatibility and password field detection.

At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried. At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option. Password Checkup addresses all of these requirements by using multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding.
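As an added illustration of the mechanism Google's post sketches, and not code from Google or from the extension itself, the following Python reconstructs the two privacy pieces that are easiest to see in working code: the k-anonymity bucket (only a short hash prefix leaves the client) and the blinded exchange (the client sends its credential hash raised to a random exponent, the server raises it to its secret exponent, and the client removes its own exponent to get a value it can compare against the server's bucket). Everything here is an assumption for the sake of the demonstration: the group is the multiplicative group modulo the Mersenne prime 2^127 - 1, which is far too small for real use and stands in for the elliptic-curve group Google uses; PBKDF2 stands in for the Argon2 slow hash; the breach list is constructed; the private-information-retrieval sharding of the real database is not modelled; and the names `CheckupServer`, `is_breached` and `slow_hash` are mine.

```python
import hashlib
import secrets
from math import gcd

# Toy group: integers modulo the Mersenne prime 2^127 - 1 (assumed for the demo;
# the real service uses an elliptic-curve group with far larger security margin).
P = (1 << 127) - 1
PREFIX_BYTES = 2  # k-anonymity: only these 16 bits of the hash leave the client


def slow_hash(username: str, password: str) -> bytes:
    """Deliberately slow, salted hash of the credential pair.

    Stand-in for the Argon2 step: it makes brute-forcing the contents of a
    returned bucket expensive even for an attacker who holds the server key.
    """
    cred = f"{username}:{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", cred, b"checkup-demo-salt", 20_000)


def to_group(digest: bytes) -> int:
    """Map a digest to a non-trivial element of the multiplicative group mod P."""
    x = int.from_bytes(hashlib.sha256(digest).digest(), "big") % P
    return x if x > 1 else 2  # avoid the trivial elements 0 and 1


class CheckupServer:
    """Holds breached credentials only in server-keyed form, bucketed by prefix."""

    def __init__(self, breached_pairs):
        self.key = secrets.randbelow(P - 2) + 2  # secret server exponent k
        self.buckets = {}
        for user, pw in breached_pairs:  # constructed breach list from the caller
            d = slow_hash(user, pw)
            keyed = pow(to_group(d), self.key, P)  # H(cred)^k
            self.buckets.setdefault(d[:PREFIX_BYTES], []).append(keyed)

    def query(self, prefix: bytes, blinded: int):
        """Answer a client query.

        The server sees a 16-bit prefix and a blinded element; the blinding
        exponent r is random, so the element reveals nothing about which
        credential (if any) inside the bucket the client actually holds.
        """
        return pow(blinded, self.key, P), list(self.buckets.get(prefix, []))


def is_breached(server: CheckupServer, username: str, password: str) -> bool:
    """Client side: blind, query, unblind, compare against the bucket."""
    d = slow_hash(username, password)
    x = to_group(d)
    # Random blinding exponent r, invertible modulo P-1 so it can be removed.
    while True:
        r = secrets.randbelow(P - 2) + 2
        if gcd(r, P - 1) == 1:
            break
    blinded = pow(x, r, P)  # x^r: the only credential-derived value sent
    server_blinded, bucket = server.query(d[:PREFIX_BYTES], blinded)
    # ((x^r)^k)^(r^-1 mod P-1) == x^k, because x^(P-1) == 1 mod P (Fermat).
    unblinded = pow(server_blinded, pow(r, -1, P - 1), P)
    # The bucket contains only H(cred)^k values, so a client cannot recover
    # other people's credentials from it without the server key.
    return unblinded in bucket


if __name__ == "__main__":
    # Constructed sample breach data for a stand-alone run.
    srv = CheckupServer([("alice@example.com", "hunter2"),
                         ("bob@example.com", "letmein")])
    print(is_breached(srv, "alice@example.com", "hunter2"))  # True
    print(is_breached(srv, "alice@example.com", "a-fresh-one"))  # False
```

Note the two properties worth checking in any such design: the server never receives anything from which the queried credential can be recovered (it sees only a prefix shared by many credentials and a value randomised by `r`), and the client never receives raw breached credentials (only values keyed with the server's secret exponent), which is what stops the service being used as an oracle to harvest other people's passwords.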

Posted by cageymaru February 05, 2019 2:13 PM (CST)

New Data Dump Contains Billions of Email and Password Pairs

Following the leak of 773 million records from what security researchers call "Collection #1" earlier this month, experts are now saying that Collections #2 through #5 contain even more information. The Hasso Plattner Institute says that "around 2.2 billion e-mail addresses and the associated passwords circulate through Collections # 1 to # 5," and Naked Security claims the newly uncovered collections represent about 845GB of data covering 25 billion records. Needless to say, if you have an email account, checking whether other services tied to that account have been compromised with identity-checking websites like Have I Been Pwned or HPI's tool is probably a good idea. It's quick and painless, and I just found several compromised accounts across 2 of my email addresses, which is a testament to why you should never re-use passwords. Thanks to schtask for the tip.

The obvious measure of these breaches is how much new data they represent, that which has not already been added to databases such as those amassed by HIBP or HPI. Have I Been Pwned? estimated the unique data in Collection #1 at around 140 million email addresses and at least 11 million unique passwords. HPI, meanwhile, estimates the number of new credentials at 750 million (it isn’t yet clear how many new passwords this includes)... When faced with these sorts of numbers, it's tempting to shrug one's shoulders and move on - most of these data breaches are old, so what harm might they be doing now? Initially, breached credentials are probably traded to give attackers access to the account on the service from which they were stolen. After that, they are quickly traded again to use as fuel for the epidemic of credential stuffing attacks. Credential stuffing thrives on our habit of reusing passwords - credentials for one service will often give a criminal access to other websites too. Remember that while plaintext passwords are pay-dirt for criminals, usernames and email addresses are also valuable because they give them something to aim at when trying a brute-force attack.

Posted by alphaatlas February 01, 2019 10:07 AM (CST)