Geek News: Latest Technology, Product Reviews, Gadgets and Tech Podcast News for Geeks


If you thought the Adobe hack was bad, you should see the user data

Posted by Alan at 11:57 AM on November 9, 2013

By now you have likely heard of the attack on Adobe — the one that seemed to grow worse with each new bit of information. What started out sounding like a problem quickly deteriorated into disaster. Originally said to affect some three million customers, the number swelled to 38,000,000 and finally landed at 150,000,000.

But there were bigger concerns than just that — security firm Sophos analyzed the compromised data and released a case study of its findings. The results are staggering in terms of what they reveal about the average computer user.

Sophos lodged an almost immediate complaint regarding the situation — “One of our complaints was that Adobe said that it had lost encrypted passwords, when we thought the company ought to have said that it had lost hashed and salted passwords”, the security firm states in the report.

Then the data analysis begins. The number one password, used by 1.9 million customers, was “123456”, while “password” followed in second place. Appearing at the 25th slot on that list was “LetMeIn”. You can’t make this stuff up, folks. One user’s password hint read “try: qwerty123”, while another user cryptically stated his hint as “rhymes with assword”. The sad list goes on.

Sophos points out that “With very little effort, we have already recovered an awful lot of information about the breached passwords, including: identifying the top five passwords precisely, plus the 2.75% of users who chose them; and determining the exact password length of nearly one third of the database”.
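The contrast Sophos draws, as an added illustration in Python that is not part of the article or the Sophos report: a constructed user table stored two ways, with deterministic encryption under one fixed key simulated by an HMAC (an assumption standing in for a real cipher used without per-user salt), and the grouping step that recovers password frequencies from one store but not from the other.

```python
"""Added example (not from the article or the Sophos report): why a
"hashed and salted" password store resists the analysis described above
while a deterministically encrypted one does not. Encryption under one
fixed server key is simulated with an HMAC: same password, same record."""
import hashlib
import hmac
import os

# Constructed sample table: (user_id, password, hint), using the
# passwords and hints the article quotes.
USERS = [
    (1, "123456", "the usual"),
    (2, "password", "rhymes with assword"),
    (3, "123456", "1 to 6"),
    (4, "qwerty123", "try: qwerty123"),
    (5, "LetMeIn", ""),
    (6, "123456", ""),
    (7, "password", ""),
]
SERVER_KEY = b"constructed-fixed-server-key"  # one key for the whole table


def deterministic_store(users):
    """One key, no per-user salt: equal passwords give equal records."""
    return [(uid, hmac.new(SERVER_KEY, pw.encode(), hashlib.sha256).hexdigest(), hint)
            for uid, pw, hint in users]


def salted_store(users):
    """Per-user random salt stored beside a slow hash of the password."""
    rows = []
    for uid, pw, hint in users:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
        rows.append((uid, salt.hex() + ":" + digest.hex(), hint))
    return rows


def password_groups(rows):
    """Group user ids by stored record: {record: [user_ids]}.

    In the deterministic store each group is one shared password, so group
    sizes are password frequencies and a single member's hint ("try:
    qwerty123") gives the plaintext for every member. In the salted store
    every group has one member and the same grouping yields nothing."""
    groups = {}
    for uid, record, _hint in rows:
        groups.setdefault(record, []).append(uid)
    return groups


def top_password_share(rows):
    """Fraction of users on the most common record, the kind of figure
    behind Sophos's 'top five passwords ... 2.75% of users'."""
    return max(len(ids) for ids in password_groups(rows).values()) / len(rows)
```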

Image Credit: Bigstock

Microsoft retreats: tells customers to get third-party AV software

Posted by Alan at 4:40 PM on October 7, 2013

When Microsoft released its Security Essentials software the company claimed it was all the end-user really needed and, for a time, that was mostly right. But the software suite has not entirely been kept up, and is not compatible with Windows 8, though in that OS, it was still present in the background under the name Windows Defender.

Now the Redmond company has officially given up it seems, as in a recent interview it referred to Defender as “baseline software” and claimed that it would “always be on the bottom” of comparison tests — this after failing multiple ones.


Now Microsoft claims to be using Defender, which still comes as part of the OS in Windows 8.1, as more of a research tool. “The company is just sharing its virus tracking findings with the security industry so they can develop better anti-virus programs”.

This is not to say that WD will not continue to be updated every Patch Tuesday — it will be. However, the software maker is now recommending that users supplement the program with a third-party app.

Several good ones are available, both free and paid, but for the average user it’s back to square one, as many do not know that they need such a thing, forget to update it even if they have it, or just don’t know enough to stay out of trouble. For the tech-savvy, this is likely not a big deal, as many never used AV before anyway.

Battle.net Adds New SMS Protect Service

Posted by JenThorpe at 3:19 PM on October 3, 2013

Gamers who play any of the games by Blizzard Entertainment may want to check this out. Battle.net has introduced a new way to protect your account from hackers. The new service is called SMS Protect. If you currently have your account protected by an authenticator, it is possible that you received an email from Battle.net about this.

It will send a text message to your cell phone every time suspicious activity is detected on your account. You will also get a text if your account is flagged for suspicious login activity, if your password has been changed, or if account security features are added or removed.

In other words, if something nefarious appears to be happening to your account, you won’t have to wait until you get home and try to log in to find out about it. You can get a text message about it while you are away from your computer. All you need is a standard cell phone with a data plan. You also need to be in one of the countries that is currently supported by SMS Protect.

The sooner you know something has gone wrong, the sooner you can try to fix it. If you want to get texts, you have to log into your Battle.net account and enable the texts. (The “default” mode has the texts turned off).

Those of you who play World of Warcraft, Diablo III, or Starcraft hopefully are already using an authenticator to protect your account. The key-fob authenticators are still useful, and so are the mobile authenticators for iPhone, Android and Blackberry. Those will still function as intended. You are not required to change over to the SMS Protect service if you do not want to. SMS Protect is simply one more tool to use to protect your characters and loot from hackers.

Who Can Access Your Dropbox Folders?

Posted by JenThorpe at 3:52 PM on September 10, 2013

A lot of people use Dropbox as a convenient way to transfer large files from one person’s computer to another. I find it to be extremely helpful for podcasters who need to send an audio file of their voice track to an editor who puts everything together. Today, I learned something rather unexpected about who, exactly, can see the files that are in my Dropbox.

My husband and I are both podcasters. We have a podcast that we do together. I do a couple of other podcasts without him. He edits some of the podcasts that I do and some podcasts that I am not a part of. As such, both of us use Dropbox to move audio files around.

The computer I use, and the one that my husband uses, are on a home network. He has admin level access to my computer. We find this to be helpful for many reasons – one being that it makes it easier for him to grab the audio file of my voice track for a podcast that he will be editing. Obviously, he and I are both aware that his admin status means that he can access anything on my computer.

It turns out that the admin status also allows him to access my Dropbox. He discovered today that he can use his admin status to gain access to my computer and that it also allowed him to access my Dropbox. He was able to open folders, look at the contents, and remove files.

Now, some of the folders that I have been invited to are the same ones that he has been invited to. For example, today he was editing a podcast that I am involved with. He and I already had access to that particular folder. He could access that one from his own computer.

Surprisingly, he was also able to access folders that he had never been invited to. There is a podcast that I do with a friend of mine. That friend does the editing. My husband has no need to be invited to that particular folder. Even so, my husband was able to open that folder, look at the contents and remove files. He could have put files into that folder if he chose to do so.

Typically, people are very careful about who they allow to access their computer. Admin status should never be given out on a whim. We only give that to people we trust. Before this little experiment, I had no idea that giving a person admin status to your computer also gave that person complete access to your Dropbox.

For me and my husband, this isn’t really an issue. We trust each other. Our network is at home and secure. That being said, it made us both wonder about the potential risks involved with work computers that are accessible by multiple people within one company or business.

Washington Post admits website hack

Posted by Alan at 8:46 AM on August 16, 2013


Amazon’s Jeff Bezos just purchased the Washington Post — and despite jokes, I am pretty sure he didn’t do it by accidentally clicking the “Buy it Now” button. Plans at this point are unknown, but one thing is certain — there are already problems to deal with. The newspaper has admitted that its web site was recently hacked.

The announcement came in two parts yesterday. The first read simply that “the Washington Post Web site was hacked today, with readers on certain stories being redirected to the site of the Syrian Electronic Army. The group is a hacker collective that supports Syrian President Bashar al-Assad”.

An hour later the organization updated this with additional information — “Washington Post Managing Editor Emilio Garcia-Ruiz: ‘A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information. The attack resulted in one staff writer’s personal Twitter account being used to send out a Syrian Electronic Army message. For 30 minutes this morning, some articles on our web site were redirected to the Syrian Electronic Army’s site. The Syrian Electronic Army, in a Tweet, claimed they gained access to elements of our site by hacking one of our business partners, Outbrain. We have taken defensive measures and removed the offending module. At this time, we believe there are no other issues affecting The Post site’”.

Welcome to the newspaper industry Mr. Bezos. This is something not experienced at Amazon, but when you run a publication that can post stories on subjects that could be considered politically charged, then things change. Everyone may want to buy a new book or laptop, but not all wish to read opposing views.

Image Credit: BigStockPhoto

Apple Developer Website is Down

Posted by JenThorpe at 9:52 PM on July 21, 2013

It is never a good sign when you visit a website and see “We’ll be back soon” at the top of the page. Sometimes it can mean that the site is going through normally scheduled maintenance and truly will be back online in a little while. Not so with the Apple Developer website!

To clarify, the website (at the time I am writing this blog) actually does say “We’ll be back soon”. It also says that it was taken down on Thursday, July 18, 2013. When will it return? At the moment, that is unknown. The situation is undoubtedly causing frustration for developers who need to access the website.

Here are some key points of the message that currently sits on the Apple Developer website:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email address may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

It goes on to say that they are going to be completely overhauling their developer systems, including updating their server software and rebuilding the entire database. If you are a developer who needs that website, all you can do is be patient and wait for the overhauling to be completed.

On the positive side of things, Apple says that if you are a developer, and your program membership was set to expire while this overhaul is happening, not to worry. They will extend your membership and your app will remain on the App Store.

Tumblr had a Security Glitch

Posted by JenThorpe at 10:18 PM on July 18, 2013

Tumblr users might want to change their password. The official Tumblr feed announced an important security update for people who were using Tumblr on an iPhone or iPad.

If that describes you, Tumblr suggests that you download an update. There is a link on the Tumblr announcement page that you can click to download the update.

In addition to the update, Tumblr also suggests that you change your password if you have been using either the iPad or iPhone apps to access Tumblr. The reason for the update (and the suggestion that you change your password) is in response to a security issue. Something in the iPad and iPhone Tumblr apps allowed passwords to be compromised “in certain circumstances”.

It appears that if you only access Tumblr from their website that you won’t need to download the update. It also sounds like people who used the Android app to access Tumblr are unaffected by this security glitch.

I just started using Tumblr fairly recently, but I realize it has been around for quite a while. The biggest benefit I’m seeing so far is that I can “follow” the Tumblr accounts of my friends directly through Tumblr. For me, this means I can take their Tumblr accounts out of the Reader I’m using (FeedWizard). It’s much easier just to check them out through Tumblr itself.

VPN (virtual private network) clients have been around for some time and are used by many corporations. It is a technology that individual users should also take advantage of. Avast hopes to make that security option a trend with a new effort to help the average user stay secure when using a laptop or other mobile device at the local Starbucks.

Citing a survey the company carried out, Avast has announced it is now releasing its own VPN client, called SecureLine. The company claims that it polled 340,000 users and 46 percent of worldwide respondents connect via public WiFi. The security firm also listed such numbers as “29 percent in the UK perform security-sensitive transactions such as shopping or online banking despite the risk of hackers accessing their credentials”.

To answer this growing need, Avast announces “We developed SecureLine due to growing demand from our customers”. According to the company’s Chief Executive Officer Vincent Steckler, “half of PC users in the US access unsecured WiFi hotspots. And, about a third of them perform security-sensitive transactions – such as shopping, banking, or anything requiring a password”.

SecureLine is now seamlessly integrated into all of Avast’s free and premium products, and when customers connect to unsecured WiFi, they will receive a message that provides them with some insight into the risks of using public and unsecured WiFi, as well as the choice of a secure VPN connection — at a cost of $7.99 per month.

With Avast now claiming usage on more than 184 million computers worldwide, the addition of more secure connections could make a noticeable difference, but it comes down to customer behavior and habits to really make a major impact. That, I am afraid, will not be improving anytime soon.

Photo Credit: BigStock

PayPal is hackable, denies teenager bounty for finding the bug

Posted by Alan at 1:37 PM on May 28, 2013

PayPal, the popular online payment transfer service owned by eBay, is currently under fire on two fronts. The banking service is vulnerable to attack, thanks to a bug in its system, and is also refusing to pay its standard bounty to the person who found said vulnerability, citing that security researchers must be at least 18 years of age, leaving the 17-year-old out in the cold.

German Robert Kugler, the security researcher behind the bug, posted details about the vulnerability on the Full Disclosure mailing list Friday.

“Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old”, Kugler, who turns 18 next March, wrote on Seclists.

The bug bounty program has been in effect since June of 2012. Other companies, including Firefox and Mozilla, have similar programs, and PayPal does not list any age requirement in its published literature for the program.

As for the flaw, it is an XSS (cross-site scripting) vulnerability, and the company plans to fix the issue but is refusing comment on the failure to pay the bounty. GNC earlier sent an email to the service, but has received no reply.

Did DHS leak your personal data?

Posted by Alan at 10:13 AM on May 24, 2013


This week the U.S. Department of Homeland Security (DHS), an organization we rely on to protect us and keep the country safe, revealed that, perhaps, it has not protected its own employees. According to the security report issued by ThreatPost, the organization has begun the notification process about a possible information leak.

“The Department of Homeland Security this week began notifying up to tens of thousands of employees, contractors and others with a DHS security clearance that their personal data may be at risk”, writes TP’s Anne Saita.

In a statement on its web site, DHS announced “The Department of Homeland Security (DHS) has recently learned of a vulnerability that existed in the software used by a DHS vendor to process personnel security investigations”. Not exactly the news any employee wishes to hear.

Those impacted include employees, contractors who submitted background investigation information and anyone else seeking a DHS clearance between July 2009 and May 2013, among them employees at headquarters, Customs and Border Protection and Immigration and Customs Enforcement.

The DHS stresses that it has no indication that data was accessed by any third party, but is still recommending that those affected, who number in the thousands, take proper precautions.

Photo Credit: Bigstock