Geek News: Latest Technology, Product Reviews, Gadgets and Tech Podcast News for Geeks


SpyEye hacker extradited to the U.S.

Posted by Alan at 9:07 AM on May 5, 2013


The United States has had little luck with landing Kim Dotcom or Julian Assange, but it has managed to grab a hacker. Hamza Bendelladj, known online as Bx1, is an Algerian hacker who was captured in and extradited from Thailand. He was arrested back in January while moving through the Bangkok airport on his way from Malaysia.

Bendelladj stands accused of hijacking customer accounts at more than 200 financial institutions using the SpyEye program. Alleged totals of more than 100 million USD over the past five years have been indicated. SpyEye allowed the attacker to alter web pages displayed in a person’s web browser and trick them into entering personal data.

Variants of both SpyEye and Zeus have been used by criminals to automate the process of transferring money.  Bendelladj faces 23 charges from a 2011 indictment. He arrived in Atlanta on Thursday and was arraigned on Friday. He faces up to 30 years in prison and as much as a 14 million USD fine. Security researcher Brian Krebs has posted a PDF of the indictment on his site.

Image: Computer Hacker by BigStock

In the United States we are supposed to have certain rights under the 4th amendment of the U.S. Constitution:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

However, in today’s world most of us don’t write letters, and our “papers and effects” are online. They are on the social media sites we are members of and the websites we visit. So if the FBI comes knocking at the door of the ISP you use, your favorite search company or the social media sites you visit, and requests that they hand over your information, will the company simply hand it over, or will it request a warrant? In other words, which company has your back and which does not? That is what the Electronic Freedom Foundation (EFF) investigated. This is the third year they have published this report. They took a look at 18 tech companies and looked into their terms of service, privacy policies, advocacy, and courtroom track records to see how they stack up. They looked at the following 6 criteria:

  • Requires a warrant for content
  • Tells users about government data requests
  • Publishes transparency reports
  • Publishes law enforcement guidelines
  • Fights for users’ privacy rights in court
  • Fights for users’ privacy rights in Congress

 

Out of the 18 companies they investigated, only two received all six stars: Twitter and Sonic.net. Two companies, MySpace and Verizon, received zero stars. A full chart is available at the EFF website along with a PDF explaining what they looked for and how they evaluated it. According to the EFF, they have noticed some progress over the three years they have been doing the report: more companies are now letting individuals know when a government entity is requesting information about them. It is nice to see that some companies are doing their part to protect our information from the government. Hopefully next year more companies will have more stars.

LivingSocial has been Hacked

Posted by JenThorpe at 4:26 PM on April 26, 2013

Are you using LivingSocial? At the top of their website today is an important notice for customers that says “if you haven’t already updated your LivingSocial password, please update it now”. According to CNN the LivingSocial website, which people use to get daily deals, suffered a cyberattack on some of its servers. Data for more than 50 million users may have been accessed. LivingSocial says that credit card data was not affected by the cyberattack.

AllThingsD has posted the entire email from CEO Tim O’Shaughnessy that was sent to employees of LivingSocial. The email states:

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The same paragraph was in an email sent to users of LivingSocial, along with instructions about how to change their password. Users are encouraged to also change passwords on any other sites in which they used the same, or similar, password as the one they were using on LivingSocial.

I am not a user of LivingSocial, but I know that it is a website that offers people daily deals on a variety of things. There are many other websites, and apps, that also offer special deals to users. When people sign up for these types of things, they are doing it because they want to save money.

Nobody thinks about the potential for their favorite deals website to get hacked. It makes me wonder if the ability to get good deals through services like LivingSocial is really worth the risk of having your personal information out there (potentially accessible to hackers).

Java updated last week, still vulnerable today

Posted by Alan at 11:30 AM on April 23, 2013


Oracle’s Java platform seems to be in an endless battle with Adobe Flash to see which can take the crown as the most compromised platform on your computer. Last week Oracle rolled out 42 patches for known security holes — and this was just another day for the oft-attacked software.

Now Security Explorations of Poland has announced it has found a new Reflection API vulnerability that affects all Java versions, including 7u21, which was just released last Tuesday. “It can be used to achieve a complete Java security sandbox bypass on a target system,” Gowdiak wrote on the Full Disclosure mailing list on Monday.

Attackers can exploit this latest vulnerability to achieve a complete Java security sandbox escape, Gowdiak says, adding that he also sent proof-of-concept code to Oracle demonstrating an exploit.

There is no telling when Oracle will patch this latest flaw, but the company generally follows a Microsoft-like approach, rolling out updates in one big release.

Really, the best solution is to simply uninstall Java if you have no need for the service. Also, do not confuse Java with JavaScript, which is mostly safe. Java can also be disabled within your browser, a move I recommend making.

VUDU had a Break-In – Informs Customers 18 Days Later

Posted by JenThorpe at 3:01 AM on April 10, 2013

Those of you who have been using VUDU to watch movies may have received a rather scary email recently. No, the company didn’t get hacked. Instead, what happened was a physical break-in to their offices. Whoever did it walked away with multiple hard drives that contained important data such as customer names, encrypted passwords, addresses, and phone numbers. In other words, the hard drives had some of the personal information that most people would not want a random stranger to get a hold of.

VUDU says that the passwords that were on the hard drives were encrypted, so there’s that. The company also says that there were no full credit card numbers on the hard drives that were stolen. Even so, VUDU has reset customers’ passwords. They posted a blog about the situation that says:

There was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives. Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers. It’s important to note that the drives did NOT contain full credit card numbers, as we do not store that information. If you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives. While stolen drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can’t rule out that possibility given the circumstances of this theft. Therefore, we have reset all customer passwords.

March 24, 2013 was… let’s see… 18 days ago! That’s a really long time to wait before letting customers know that their personal information may, potentially, be in the hands of whoever broke into the VUDU offices and stole the hard drives! Their blog goes on to say:

We are still in the process of sending email messages.

This means that there could very well be some VUDU customers who have not yet been informed about the break-in. That’s rather shocking! Typically, the sooner a company lets customers know that their data may be in the hands of thieves, the better. I feel bad for the people who are going to read a blog about the break-in before VUDU contacts them about it. Why did they wait so long? Again, their blog has an answer:

We notified law enforcement immediately when the break-in was discovered, and have worked closely with them on the investigation. We have also worked to reconstruct the information that was included on the drives to ensure we had an accurate assessment.

Perhaps the company is aware of the potential damage customers may face due to the break-in and the length of time VUDU waited before letting people know about it. They have made arrangements for customers to be automatically eligible to receive identity protection services from AllClear ID. You can find out more about the AllClear service, what it provides, and how to enroll on VUDU’s blog. It doesn’t mention if the service is free or if there will be a charge for using it (only that customers are “eligible”).

Evernote User Passwords have been Compromised

Posted by JenThorpe at 8:55 PM on March 6, 2013

Users of Evernote were recently sent an email that said that the company had decided to implement a password reset. It required 50 million users to reset their passwords. Why? The answer is the usual one when a company urges users to change their passwords – Evernote got hacked over the weekend.

This explains the difficulties that my husband and I had when we went grocery shopping. He uses Evernote to create grocery lists (instead of writing it down on paper). Usually, this works really well. However, when we got to the store and he tried to open Evernote, it wasn’t functioning as he expected it to. Oh, no! Could hackers be reading our grocery lists? If so, then they must be awfully bored.

The email Evernote sent to its users says:

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

It goes on to say that this is the reason why they are implementing a password reset. So, if you opened Evernote today, and wondered why it was asking you to reset your password, now you know. Evernote says that they have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed. It also says:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted).

There are helpful suggestions on the Evernote website (where the email it sent to users was posted) that give advice about how to create a more secure password. It also points out that you should not click on “reset password” requests in emails, and should instead go directly to the service itself to do that.

Abine shows off better web security

Posted by Alan at 11:00 AM on March 4, 2013

Abine is a start-up based in Boston that is aiming to enhance the online security of everyday users with things like privacy, encryption and more.

There is a lot involved here and you will likely need to watch the video to understand where Abine is going – alias phone numbers, which the mobile app can block on a per-caller basis. The company also offers Do Not Track, Delete and Encryption services. Some portions of the service Abine runs are free, while others are paid services.

Interview by Jeffrey Powers of Geekazine and Scott Ertz of F5 Live

Support our coverage sponsors:
Dropcam.com watch life High-Def streaming of your home or anywhere
today!
Gazelle - Sell your Gadgets for Cash
25% off your order @ Godaddy.com: Promo Code go25off5
50% off new hosting plans with a free domain! Promo Code: 50host7
50% off 1st year of Business Website Builder & free domain Promo Code: 50wsb7
GoDaddy Promo Codes always save you money, check out my Promo Codes Today

FinderCode

Posted by KL Tech Muse at 1:20 PM on February 26, 2013

FinderCode is a lost and found recovery system. It works off of QR code tags. A single kit is $24.5 and comes with seven tags in it: a medium tag that is a keyring for keys, a small tag with a ring for cameras, binoculars and other gear, and five adhesive tags. You can put a tag on any personal item. You then register the item at the FinderCode website. If you lose the item, the person who finds it can scan the QR code or enter the alphanumeric text into the website. Once they do that, a text is sent to you telling you the item is found and, because the geo-location is embedded in the tag, where the item is. There is the option to use FedEx if you can’t easily get to the location.

The FinderCode runs $24.95 per package and is available through the website and through Office Depot.

Interview by Jeffrey Powers of Geekazine and by Scott Ertz of F5 Live.


Rocstor Encrypted External Hard Drives

Posted by Andrew at 6:12 PM on February 25, 2013

Rocstor specialise in data storage and secure encryption solutions: that’s encrypted external hard drives to you and me, but it’s an increasingly important market. Andy and Scott talk to Anthony Rink from Rocstor about how their products can keep your data safe.

Rocstor offers a range of external data storage products with real-time encryption built-in as standard. The encrypted drives meet FIPS Level 2, meaning that it’s hardware-encrypted (not software) and that any tampering of the drive to get at the crypto keys is obviously apparent. To suit different circumstances, some models use tokens, others PINs and some use both with ruggedised and waterproof units also available. Depending on features, $250-$300 gets you 1 TB of secure external storage.

Interview by Andy McCaskey of SDR News and Scott Ertz of F5 Live for the TechPodcast Network.


ViperSmart car security and a lot more

Posted by Alan at 6:36 AM on February 24, 2013

ViperSmart stopped by TPN recently to discuss SmartStart, which can start, lock, unlock and monitor your car from anywhere. Those controls can all be handled from a smartphone app on Android, iPhone or Blackberry. In fact, the company president demonstrated that he could unlock his car, located in California, while sitting in Las Vegas.

The app also receives trouble codes from the engine and alerts you to these, essentially monitoring your vehicle’s health, including if your battery is running low. It will alert you if your doors are unlocked or if your trunk is open, locate your car and monitor the speed of travel (in case your teen borrows it).

The plan is on a per-car basis, not a per driver and it runs about $3 per month, though the charge is actually annual. Some features are separate and can add a bit to the price. The app itself is free. Users will need to install the system in their car and the entry level version is $299.

Interview by Andy McCaskey of SDR News and RV News Net and Daniel J Lewis of Audacity to Podcast
