Social Security Administration Now Requires Two-Factor Authentication

Posted on August 14, 2016 by mea

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

Source: Social Security Administration Now Requires Two-Factor Authentication — Krebs on Security

Disable WPAD now or have your accounts and private data compromised

Posted on August 13, 2016 by mea

WPAD is a protocol, developed in 1999 by people from Microsoft and other technology companies, that allows computers to automatically discover which web proxy they should use. The proxy is defined in a JavaScript file called a proxy auto-config (PAC) file.

The location of PAC files can be discovered through WPAD in several ways: through a special Dynamic Host Configuration Protocol (DHCP) option, through local Domain Name System (DNS) lookups, or through Link-Local Multicast Name Resolution (LLMNR).

Source: Disable WPAD now or have your accounts and private data compromised | CSO Online

The researchers recommended computer users disable the protocol. “No seriously, turn off WPAD!” one of their presentation slides said. “If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file.”

From Slashdot comments:

To prevent Windows from tracking which network support WPAD, you need to make a simple registry change:

Click the Start button, and in the search field, type in “regedit”, then select “regedit.exe” from the list of results
Navigate through the tree to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad”
Once you have the “Wpad” folder selected, right click in the right pane, and click on “New -> DWORD (32-Bit Value)”
Name this new value “WpadOverride”
Double click the new “WpadOverride” value to edit it
In the “Value data” field, replace the “0” with a “1”, then click “OK”
Reboot the computer

Rightscorp Threatens Every ISP in the United States

Posted on August 12, 2016 by mea

While Rightscorp was expected to make the most of BMG’s victory in its future dealings with ISPs, the level of aggression in its announcement still comes as a surprise. Essentially putting every provider in the country on notice, Rightscorp warns that ISPs will now have to cooperate or face the wrath of litigious rightsholders.

Source: Rightscorp Threatens Every ISP in the United States – TorrentFreak

Whether this week’s developments will help to pull Rightscorp out of the financial doldrums will remain to be seen. The company has been teetering on the edge of bankruptcy for a couple of years now, and its shares on Wednesday were worth just $0.038 each. Following the BMG news, they peaked at $0.044.

The Next Generation of Wireless — “5G” — Is All Hype.

Posted on August 11, 2016 by mea

“5G” is a marketing term. There is no 5G standard — yet. The International Telecommunications Union plans to have standards ready by 2020. So for the moment “5G” refers to a handful of different kinds of technologies that are predicted, but not guaranteed, to emerge at some point in the next 3 to 7 years. (3GPP, a carrier consortium that will be contributing to the ITU process, said last year that until an actual standard exists, “’5G’ will remain a marketing & industry term that companies will use as they

Source: The Next Generation of Wireless — “5G” — Is All Hype. — Backchannel

Image Kernels explained visually

Posted on August 9, 2016 by mea

An image kernel is a small matrix used to apply effects like the ones you might find in Photoshop or Gimp, such as blurring, sharpening, outlining or embossing. They’re also used in machine learning for ‘feature extraction’, a technique for determining the most important portions of an image. In this context the process is referred to more generally as “convolution” (see: convolutional neural networks.)

Source: Image Kernels explained visually

75 Percent of Bluetooth Smart Locks Can Be Hacked

Posted on August 8, 2016 by mea

Twelve out of 16 Bluetooth smart locks examined could be unlocked by a remote attacker, a researcher said at the DEF CON hacker conference.

Source: 75 Percent of Bluetooth Smart Locks Can Be Hacked

The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.

From: http://xkcd.com/538/

Microsoft Live Account Credentials Leaking From Windows 8 And Above

Posted on August 2, 2016 by mea

Basically, the default User Authentification Settings of Edge/Spartan (also Internet Explorer, Outlook) lets the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user’s Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker’s network share.

Source: Microsoft Live Account Credentials Leaking From Windows 8 And Above | Hackaday

Spybot Anti-Beacon for Windows

Posted on July 21, 2016 by mea

Anti-Beacon is small, simple to use, and is provided free of charge. It was created to address the privacy concerns of users of Windows 10 who do not wish to have information about their PC usage sent to Microsoft. Simply clicking “Immunize” on the main screen of Anti-Beacon will immediately disable any known tracking features included by Microsoft in the operating system.

Source: Spybot Anti-Beacon for Windows

The Washington Post partners with Twitter, Double Robotics to test robot at 2016 political conventions

Posted on July 18, 2016 by mea

Working with Twitter and Double Robotics, The Post’s robot will provide a live stream of delegates and politicians in Cleveland and Philadelphia via Twitter’s app, Periscope, giving users a guided tour of the convention site and letting them ask questions about the convention experience via Periscope chat.

Source: The Washington Post partners with Twitter, Double Robotics to test robot at 2016 political conventions – The Washington Post

Bucktown Bell

Cut to the chase.