

An article on the Techdirt website about the ease with which a smart kettle can be hacked has highlighted the dire state of device security for the ‘Internet of Things’. The iKettle allows users to turn it on remotely from anywhere using a smartphone app. However, researchers have pointed out that the kettle is relatively easy to hack, especially if the user has not configured it properly. The company that produces the iKettle has said its associated Android and iOS apps would be upgraded to eliminate the security vulnerabilities. However, there is still the wider problem of ‘Internet of Things’ devices opening up vulnerabilities in people’s home networks, especially where device security is an afterthought. The advice the researchers give is not to put ‘Internet of Things’ devices on your network unless you are absolutely sure they are secure.

Easily Hacked Kettle Highlights the Lack of ‘Internet of Things’ ...


A team at WP Engine has conducted an interesting analysis of some 10 million passwords that had been collected from various sources such as leaks and dumps of passwords. Virtually none of the passwords were still in use, so the researchers considered that it was ethical to use the dataset in their research. The analysis highlights that people tend to choose passwords based on defined patterns and whatever comes into their mind when asked for a password. So it is not surprising that, among the 50 most used passwords, the most common text-based password is the word “password” itself. However, the use of patterns often makes guessing passwords very easy, especially for password cracking software such as HashCat, which can make up to 300,000 guesses at a password per second. Other patterns identified were people adding their year of birth to their name to create a password and an […]

What 10 million passwords reveal about the people who choose ...


The BBC news website reports that more than 11 million passwords stolen in the Ashley Madison website hack have been decoded by a password cracking group. Initially, it was thought that the hacked passwords were unbreakable because hashing with bcrypt had been employed, which effectively scrambles the password. However, an amateur password cracking group called Cynosure Prime has discovered that the site had at some point changed the way passwords were stored, which reduced the strength of the bcrypt protection. As a result the group has been able to crack 11 million passwords scrambled since the changes were made. Exactly why Ashley Madison changed the way passwords were stored is not known, but it is speculated that it was done to make accessing the site easier. A previous Newsblog post highlighted that it is often the case that the reputational and financial impact on companies from […]

Flaws found in Ashley Madison password protection



Anna Hodgekiss reports on the Mail Online that a sexual health clinic in London’s Soho has revealed the names of up to 780 HIV-positive patients in an e-mail error. The error involved patients who had signed up to the clinic’s Option E service, when a monthly newsletter was sent out. It appears to have occurred when the newsletter was sent using an open group circulation list rather than as a blind copy. The clinic tried to recall the message using Microsoft Outlook’s recall function and then sent another e-mail apologising for the error and asking recipients to delete the message. Comment from the Newsblog Editor: A mistake like this is easy to make on an e-mail client like Microsoft’s Outlook, where an e-mail list can easily be copied into the wrong field by mistake and sent out as a CC (carbon copy) to all recipients, rather than as a […]

Hundreds of HIV-positive patients have their identities revealed in e-mail ...


In a very interesting article on the Slate website, Kevin Bankston highlights that, despite claims by some law enforcement officials that encryption is a tool that will allow criminals to evade justice, the use of strong encryption actually helps to reduce crime. Bankston points out that although it is true that criminals will make use of encryption technology to shield their activities, the technology will overall prevent millions of crimes. For example, smartphone theft is at epidemic proportions, with millions stolen annually, often in robberies, which are by definition violent crimes. However, strong encryption will block criminals from using the commonly available tools to unlock a smartphone, rendering it useless to them. The article also highlights that criminals are increasingly interested not just in the phone, but also in the personal and other data contained on it, which can, for example, allow them to commit […]

Smartphone encryption will help cops more than it hurts them


Mark Stockley reports on the Sophos Naked Security website that the HTML5 battery status API (Application Program Interface) on mobile phones can be used to track the phone user. The technique, described in a recently released paper, relies on the fact that browsers such as Chrome, Firefox and Opera will provide information about battery status to any website that asks for it, without asking the phone user’s permission. The information given up is a series of values covering discharging and charging. It is very unlikely that two or more users will have the same values within a short time frame, effectively making them a unique identifier for the device. These battery values are usually very short-lived; however, they could last long enough to allow a tracking website to respawn deleted cookies and defeat incognito modes. Currently the only browser that offers protection against battery tracking is the Tor browser […]

How your Battery Life could be used as an Undeletable ...



The BBC News website reports that HM Revenue and Customs (HMRC) wants to collect information from internet companies to allow it to identify companies and individuals who have not declared income from online sales. The planned powers would cover sites that carry advertising, app stores such as those of Apple and Google, booking intermediaries like Airbnb and also e-commerce sites such as eBay. The plan does raise obvious concerns about the potential for fishing expeditions by HMRC, as it plans to cross-reference this third-party information against other records it holds and information supplied by taxpayers themselves, in order to identify individuals and businesses evading tax. HMRC has issued a consultation document on the plans, which can be found here. Comment from the Newsblog Editor: These proposed powers are interesting in the context of past attempts to increase HMRC surveillance powers. HMRC was to be one of the chief beneficiaries of the […]

HMRC Plans to Monitor internet Sites and Transactions for Tax ...


In a landmark case two MPs, David Davis and Tom Watson, have won a High Court judgement that the Data Retention and Investigatory Powers Act (DRIPA) is incompatible with human rights (see this BBC News article here). Legislation is normally subject to significant Parliamentary scrutiny, but the MPs claimed that because DRIPA was rushed through in days, there was no time for proper parliamentary scrutiny, hence the need for the unusual step of judicial review. The MPs argued before the court that DRIPA was incompatible with the right to a private and family life, and with data protection, under both the Human Rights Act and the European Union Charter of Fundamental Rights, an argument that the court accepted. In the judgement the court has ruled that the unlawful sections of DRIPA can stay in force until the end of March 2016, to allow time for the government to compose new […]

MPs Win Surveillance Powers Legal Challenge, but Government to Appeal


A recent article in The Independent newspaper by Andrew Griffin highlights that Facebook is almost certainly tracking people using its rainbow picture tool, which enables users to change their profile picture to rainbow colours in support of same-sex marriage. In using the tool, many users are probably not aware that they are providing demographic data to Facebook which could be used to target advertising, or be supplied to third parties. Just as many are not aware that Facebook’s “pay with data” financial model means that all information provided to the site may potentially be used for commercial purposes. It should also be noted that although Facebook has stated that the information gathered by the tool will not be used for serving advertising, the site is notorious for its ever-changing privacy model, so the assurance probably needs to be taken with a pinch of salt. Interestingly, social scientists have already […]

Facebook Could Use Rainbow Profile Pictures to Profile Users



Julian De Vries reports on The Nation website that in the US it is possible for someone to be prosecuted for deleting their browser history or other electronic records, even though the individual has no idea they are under any sort of investigation. The problem lies with the Sarbanes-Oxley Act, which was originally enacted in the wake of the Enron scandal to stop corporations under investigation from shredding or destroying incriminating documents. However, its application has been broadened by prosecutors to cover situations well beyond its original aims. One reason it has been possible to expand its use is that prosecutors do not have to show that an individual deleting material is aware an investigation is underway. As a result anybody, even innocently deleting electronic records such as browser history or text messages, could years later be prosecuted for doing so. The scenario is not a hypothetical one […]

In the US You Can Be Prosecuted for Clearing Your ...


Ellen Nakashima reports in the Washington Post that the recently discovered hack (see previous post here) by the Chinese of the US Office of Personnel Management has included a database holding sensitive security clearance information on US Government workers and contractors. Joel Brenner, a former US counterintelligence official, said about the news: “This is potentially devastating from a counterintelligence point of view. These forums contain decades of personal information about people with clearances . . . which makes them easier to recruit for foreign espionage on behalf of a foreign country.” Sir Tim Berners-Lee has previously highlighted the dangers of blackmail if foreign spy agencies get hold of data on persons with access to national security information, although in the context of the retention of web surfing and phone records – see here.

Chinese Hack has Compromised US Security Clearance Database


David Barrett reports in the Daily Telegraph that telephone masts which can listen to mobile phone conversations without the owner’s permission are being operated in Britain. The devices, technically known as IMSI catchers but also referred to as stingrays, trick handsets into thinking they are genuine mobile phone towers in order to monitor calls and other data, including texts and emails. They have been used in a number of foreign countries to target the communications of criminals, but are difficult to use in a targeted manner and will also hoover up data from innocent people’s mobile phones. Police have refused to discuss whether they are behind the installation of the masts, at least 20 of which were uncovered in London in an investigation by the Sky News television channel.

Fake Mobile Phone Masts Spy on your Calls



Maggie Ybarra reports in the Washington Times that FBI agents cannot identify any major terrorism cases they have cracked using the snooping powers in the US Patriot Act. The revelation is interesting given the claims of its supporters that powers provided by the act, such as bulk phone data collection, were critical to national security and had to be retained. The Patriot Act expired on Monday (1st June) and some (see here) of its surveillance powers were incorporated into the USA Freedom Act, which was approved by Congress on Tuesday (2nd June). Amongst the powers transferred was the power to enable bulk phone data collection; however, on a positive note, this data can now only be accessed with court permission.

FBI Admits That No Major Cases Cracked by Patriot Act ...


Leo Kelion reports on the BBC news website that Google has looked into making internet-connected toys that control smart home appliances. A Google patent describes devices that would turn their heads towards users and listen to what they were saying, before sending commands to remote computer servers to control other devices. The three-year-old patent was spotted recently by the legal technology firm SmartUp, which described the proposal as “one of Google’s creepiest patents yet”. The Google patent suggests that the devices could be made into toys to encourage young children to interact with them. However, campaigners have highlighted the privacy concerns with such devices, which, rather like smart TVs, send data back to remote servers, data which could potentially include private conversations. Google was unable to confirm whether it might go on to develop the devices.

Google Patents ‘Creepy’ Internet Toys to Run the Home