Category Archives: Security

Pacemakers

A new research paper highlights the security risks in pacemakers. In short, some pacemakers can be reprogrammed wirelessly, and their security isn’t good enough to prevent hackers. Someone would have to be standing quite close to the victim for this to happen, but it’s very concerning that it’s possible. The consequences, of course, are deadly.

The summary of the security research is here: http://blog.whitescope.io/2017/05/understanding-pacemaker-systems.html

What can you do? Talk to your doctors, make them aware of the problems. The manufacturers need to feel pressured into improving security.

Google vs Bing

A company called AV Test has been testing Google and Bing, and has found that Google is better with filtering out dangerous websites.

They tested 10.9 million searches on both search engines and found that:

  • Google included 272 websites that were infected with malware
  • Bing included 1285 websites that were infected with malware

This is bad. If you’re searching for something, both Google and Bing test every website and hide any website that have been infected. This protects you from clicking on a website with malware. They found that Google is better at filtering infected sites. So if you want the best security possible, do your searches in Google. Full details here.

Other tips I can add are:

  • Use Google’s Chrome browser. It’s fairly good at blocking malware and resisting hacks
  • Keep your computer updates (e.g. run Windows Update frequently)
  • use a good antivirus program
  • be cautious what you click on
  • don’t believe everything you read in Facebook, emails, Twitter, etc

 

Nokia Xpress Browser

Some older Nokia phones, those running Series 40, use a web browser called Xpress Browser. This browser was previously known as Nokia Browser. It’s just been discovered that Nokia decrypts all HTTPS traffic and passes it through their proxy servers. They do this to increase data performance, and they “promise” they don’t store any data.

But it’s still a little disturbing that they do this. HTTPS web traffic is commonly assumed to be encrypted and safe. And it’s probably OK to trust Nokia since they made the phone and its browser anyway. But the fact that they kept how it works a secret is a little unsettling.

Detailed information can be found here and here.

Any if you’re confused by all of the above, it just means that on some older Nokia phones, all web pages go through Nokia’s servers, even “secure” pages. In theory they could one day read or store these pages and you wouldn’t know. If you’re not comfortable with this change phones.

MS-CHAPv2 Can Be Cracked

This post is a bit technical and isn’t for everyone. I still want to include it in Fraudo.com because it could help someone, someday.

MS-CHAP v2 is an authentication protocol used to secure VPNs and some wireless networks. It’s commonly used with PPTP VPNs and sometimes with WPA2 wireless networks. For the past few years it was considered secure as long as it’s used with a strong password (a complicated password).

Today some researchers at a security conference demonstrated how to crack it in one day. They demonstrated that they can decrypt all data sent across the VPN or over WiFi.

So if you’re setting up a network and come across the MS-CHAP v2 setting, remember that as of today it’s no longer secure. It’s not even slightly secure, or better than nothing. If someone wants to view your encrypted VPN or WiFi traffic and you use MS-CHAP v2 then they can, with very little effort. Full details on cracking MS-CHAP v2 are here.

Yahoo! Passwords Stolen

If you have ever used a Yahoo! service now might be a good time to change your password. Yesterday someone stole a list of passwords from one of Yahoo!’s servers – it contained details of 450,000 accounts. The server was for Yahoo Voice, so if you’ve ever used Yahoo Voice then your account is now compromised. And if you’ve ever used the same password on other web sites then those are vulnerable as well.

Why didn’t Yahoo! use better securty?

Reports say that hackers used a SQL injection attack to steal the list, a common way to hack into web sites. There are many ways of storing passwords on a server and Yahoo! didn’t use the most advanced and secure method. So the passwords were easily converted to plain text. In short, Yahoo!’s programmers got lazy, their security wasn’t good enough.

What can we learn from Yahoo!’s mistakes?

  • Yahoo’s problem is also your problem. Don’t ignore security alerts like this.
  • If you work in software development, don’t be lazy. Block all kinds of SQL injection attacks. And don’t store passwords in plain text, or MD5 hashes, or other simple hashes.
  • Everyone should use good passwords, mixed with numbers and made-up words.
  • You should not reuse a password on other sites.

Update (16 July 2012):

Yahoo! has confirmed the breach and has fixed up the source of the problem. In their words, “We have… now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users”.

You should still change your password.

Facebook Gets Tough On Malware

Facebook are stepping things up a notch and getting tough on malware, in a good way. Their latest initiative can detect malware on your computer. If anything suspicious is found, your Facebook account is temporarily locked (to prevent the malware sending spam using your account), and you’ll be asked to download an anti-virus program called McAfee Scan & Repair. There’s also an option to use Microsoft Security Essentials (MSE).

This new procedure can also be invoked manually, if you suspect your computer might be infected. The link is http://on.fb.me/infectedMSE, and you’ll need to enter your password. Note: when entering passwords, always look at the address bar at the top of your browser and make sure it’s genuine – in this case, it needs to have facebook.com/ in the address.

If your account is temporarily locked because malware was detected or because you manually started the procedure, you won’t be able to unlock the account until you finish the virus scan.

This is all for Windows. OS X users will have a slightly different procedure.

There are more details on Facebook’s web site.

Formspring Password Resets

Formspring is a social network with about 27 million members. Today they had a security breach and have reset all of their members’ passwords. If you see the following notice it’s probably genuine. But to be sure, don’t click on any links – open a new browser tab and sign into your Formspring account.

Dear Formspring user,
For security reasons, we have disabled your password and ask that you reset it. When you log back into Formspring, you will be prompted to change your password.
Thank you for taking the time to reset your password.
The Formspring Team

 

Gmail Detects Hack Attempts

Google has always put a lot of work into making Gmail secure. Their latest feature is interesting.

If Google’s system detects unusual attempts to access an account, they now show a warning on the top of the Gmail screen. They’re calling it a state sponsored attack. It doesn’t mean your account has been hacked, only that it’s the target of an attack.

Google security warning

If you ever see this, you’ll be advised to change your password (make it a strong password), and to enable two step verification – this will use your mobile phone as an additional way of protecting your account.

LinkedIn iPhone App

LinkedIn has an iPhone and iPad app. One of its features is “an opt-in feature which allows users to view calendar entries within the app“.

Some security researchers have been analysing this app and have discovered that when using the calendar feature it sends data to LinkedIn’s servers. It sends all of your calendar events, without explicitly asking for your permission.

This is considered a privacy risk. If you use the LinkedIn app on iOS, turn off the feature.

You should expect LinkedIn to make a statement about this issue, and eventually resolve it. I’ll post any updates here as they happen.

Update 7 Jun 2012:

LinkedIn have responded to these privacy concerns – you can read their comments here. Basically they confirm the privacy issues and justify it. They’ve also made changes to their iOS app to address the issue, the updated version is 5.0.3.

And at the same time someone in Russia claims to have hacked LinkedIn’s servers and has a list of over 6 million hashed password. A hashed password means they can’t read your password yet but given enough time it can be found. This incident is unconfirmed by LinkedIn, but it would be a good time to change your account password.