WIRED

How to Share Files Securely Online


Illustration: Elena Lacey

If you need to share documents and files with other people over the internet, you want to be able to do it quickly, securely, and with as little friction as possible. Thankfully, plenty of apps and services meet those three criteria.

Whether it’s tapping into the tools included with the cloud storage app you already use, or simply dragging files into an open browser window, you’ve got several options to weigh up.

All these services encrypt files in transit and when stored, stopping hackers and third parties from getting at them. However, only Firefox Send uses end-to-end encryption, which means not even Firefox can see the files. The others retain the right to access your data if compelled by law enforcement, or if it’s needed to manage the cloud services themselves. It’s also important to make sure the sharing links you generate are closely guarded, as these act as decryption keys giving access to your files.

Full article

The Hacker News

Flaw in Philips Smart Light Bulbs Exposes Your WiFi Network to Hackers


There are over a hundred potential ways hackers can ruin your life by having access to your WiFi network that’s also connected to your computers, smartphones, and other smart devices.

Whether it’s about exploiting operating system and software vulnerabilities or manipulating network traffic, every attack relies on the reachability between an attacker and the targeted devices.

In recent years, we have seen how hundreds of widely used smart-but-insecure devices made it easier for remote attackers to sneak into connected networks without breaking WiFi passwords.

Full article

Naked Security

Someone else may have your videos, Google tells users


As the well-worn internet saying goes – there is no cloud, it’s just someone else’s computer.

This week, an unknown number of Google Photos users were alarmed to find that this can turn out to be true in surprisingly personal ways.

According to an email sent to affected users, between 21 and 25 November 2019 anyone using the Google ‘Download your data’ service might have experienced a serious glitch:

Unfortunately, during this time, some videos in Google Photos were incorrectly exported to unrelated users’ archives. One or more videos in your Google Photos account was affected by this issue.

Conversely, being a two-way issue, affected users might notice any videos in their archive not belonging to them.

The service is part of Google Takeout (or Google Takeaway) and can be used to download copies of a wide range of data relating to Google services, including photos and videos.

Google doesn’t state how many users this relates to but it’s safe to assume that if you used the function between those dates, you are probably affected.

Full article

Cybersecurity Insiders

Twitter suspects state-funded data breach on its database


Twitter declared in an official note yesterday that it has discovered attempts by some state-funded actors to breach its database. The social media giant suspects that the infiltration was intended to access phone numbers linked to user accounts, after a security researcher blew the whistle in December last year on a flaw hidden in the “contacts upload” feature.

Full article

WIRED

Watch Out for Coronavirus Phishing Scams


Photographer: Tyrone Siu/Reuters

As coronavirus infections spread this week, the World Health Organization classified the outbreak as a global emergency on Thursday. On Friday, United States officials placed 195 people in a two-week federal quarantine at a California military base after evacuating them from Wuhan, China. Amidst international efforts to contain transmission of the virus, online scammers have already begun exploiting the uncertainty and fear.

A sample phishing email from Tuesday, detected by security firm Mimecast, shows attackers disseminating malicious links and PDFs that claim to contain information on how to protect yourself from the spread of the disease. “Go through the attached document on safety measures regarding the spreading of corona virus,” reads the message, which purports to come from a virologist. “This little measure can save you.”

Full article

The Register

Remember the Clipper chip? NSA’s botched backdoor-for-Feds from 1993 still influences today’s encryption debates


More than a quarter century after its introduction, the failed rollout of hardware deliberately backdoored by the NSA is still having an impact on the modern encryption debate.

Known as Clipper, the encryption chipset developed and championed by the US government only lasted a few years, from 1993 to 1996. However, the project remains a cautionary tale for security professionals and some policy-makers. In the latter case, however, the lessons appear to have been forgotten, Matt Blaze, McDevitt Professor of Computer Science and Law at Georgetown University in the US, told the USENIX Enigma security conference today in San Francisco.

In short, Clipper was an effort by the NSA to create a secure encryption system, aimed at telephones and other gear, that could be cracked by investigators if needed. It boiled down to a microchip that contained an 80-bit key burned in during fabrication, with a copy of the key held in escrow for g-men to use with proper clearance. Thus, any data encrypted by the chip could be decrypted as needed by the government. The Diffie-Hellman key exchange algorithm was used to exchange data securely between devices.

Full article

WIRED

Everything We Know About the Jeff Bezos Phone Hack


Photograph: Andrew Harrer/Bloomberg/Getty Images

On November 8, 2018, Amazon CEO Jeff Bezos received an unexpected text message over WhatsApp from Saudi Arabian leader Mohammed bin Salman. The two had exchanged numbers several months prior, in April, at a small dinner in Los Angeles, but weren’t in regular contact; Bezos had previously received only a video file from the crown prince in May that reportedly extolled Saudi Arabia’s economy. The November text had an attachment as well: an image of a woman who looked like Lauren Sanchez, with whom Bezos had been having an unreported affair.

That message appears to have been a taunt; American Media Inc., publisher of The National Inquirer, would several months later make details of the affair public. But it’s the initial contact, in May, that has set off another firestorm with MBS at the center. That video file was likely loaded with malware, investigators now say. The crown prince’s own account had been used to hack Bezos’ phone.

Such brazen targeting of a private citizen—the richest man in the world, no less—is alarming to say the least. It underscores the dangers of an unchecked private market for digital surveillance, and raises serious questions about other prominent US figures who have known relationships with the crown prince, like White House adviser Jared Kushner and President Donald Trump himself.

Full article

The Register

Safari’s Intelligent Tracking Protection is misspelled, says Google: It should be Dumb Browser Stalking Enabler


Google security researchers have published details about the flaws they identified last year in Intelligent Tracking Protection (ITP), a privacy scheme developed by Apple’s WebKit team for the company’s Safari browser.

In December, Apple addressed some of these vulnerabilities (CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846) through software updates, specifically Safari 13.0.4 and iOS 13.3. Those bugs could be exploited to leak browsing and search history and to perform denial of service attacks.

Full article

Naked Security

Big Microsoft data breach – 250 million records exposed


Microsoft has today announced a data breach that affected one of its customer databases.

The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world.

Microsoft didn’t give details of how big the database was. However, consumer website Comparitech, which says it discovered the unsecured data online, claims it was to the order of 250 million records containing “logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019”.

According to Comparitech, that same data was accessible on five Elasticsearch servers.

Full article