It has been a tough few weeks for online payments giant PayPal. First came the confirmation that an authentication hack would enable an attacker to access an account once credentials had been phished, bypassing the financial firm’s authentication tools.
For more than a decade now, security experts have had discussions about what's the best way of choosing passwords for online accounts.
According to a report from cyber-security firm ClearSky, Iranian hackers have targeted companies "from the IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors."
Email is unsafe and cannot be made safe. The tools we have today to encrypt email are badly flawed. Even if those flaws were fixed, email would remain unsafe. Its problems cannot plausibly be mitigated. Avoid encrypted email. Technologists hate this argument.
Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.
The Trump administration has revived the debate over "end-to-end encryption" — systems so secure that the tech companies themselves aren't able to read the messages, even when police present them with a warrant. "It is hard to overstate how perilous this is," U.S.
You have a secret that can ruin your life. It's not a well-kept secret, either. Just a simple string of characters—maybe six of them if you're careless, 16 if you're cautious—that can reveal everything about you.
Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.
One evening in January last year, Joel Eriksson, a 34-year-old computer analyst from Uppsala in Sweden, was trawling the web, looking for distraction, when he came across a message on an internet forum. The message was in stark white type, against a black background. “Hello,” it said.
Mark Zuckerberg is one of the most powerful men in the world because billions of people give Facebook, which he founded, free access to their personal data. In return, users receive carefully curated snapshots of his life: baby photos, mundane office tours and the occasional 5K.
Look both ways before you cross the street. Wash your hands before leaving the bathroom. Put a seat belt on when you get in the car. Don't eat the yellow snow. These are all common sense tips for safety that people have learned, whether from parents or one really embarrassing moment in the winter.
It’s my first class of the semester at New York University. I’m discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots.
In a nondescript industrial estate in El Segundo, a boxy suburb in south-west Los Angeles just a mile or two from LAX international airport, 20 people wait in a windowless canteen for a ceremony to begin.
If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. Airplanes hacked, cars hacked, vulnerabilities in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier.
Remember when a chunk of the internet went dark for more than three hours on Oct.
OVER a couple of days in February, hundreds of thousands of point-of-sale printers in restaurants around the world began behaving strangely. Some churned out bizarre pictures of computers and giant robots signed, “with love from the hacker God himself”.
While many people are pretty vigilant about their personal security, be it financial, physical, mental, or otherwise, most of us internet users are far less motivated, and much less educated, when it comes to the security of our data.
This story was originally published by Reveal from The Center for Investigative Reporting, a nonprofit news organization based in the San Francisco Bay Area. Learn more at revealnews.org and subscribe to the Reveal podcast, produced with PRX, at revealnews.org/podcast.
Every vibrant technology marketplace needs an unbiased source of information on best practices as well as an active body advocating open standards. In the Application Security space, one of those groups is the Open Web Application Security Project™ (or OWASP for short).
Despite dozens of witnesses, the murders went unreported and remain a mystery. SHARJAH KHALID PORT, United Arab Emirates — The man bobbing in the sea raises his arms in a seeming sign of surrender before he is shot in the head. He floats face down as his blood stains the blue water.
NEWARK — There have been times over the last two months when Golan Ben-Oni has felt like a voice in the wilderness. On April 29, someone hit his employer, IDT Corporation, with two cyberweapons that had been stolen from the National Security Agency. Mr.
People wait for the reopening of the security check at JFK Airport on August 15, 2016. When the first stampede began, my plane had just landed. It started, apparently, with a group of passengers awaiting departure in John F.
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites.
The seven young men sitting before some of Capitol Hill’s most powerful lawmakers weren’t graduate students or junior analysts from some think tank.
Your phone is probably the most personal device you own. You carry it with you at all times, and it can access a large chunk of your most sensitive data. Here's how to keep it secure using just the basic tools provided by Google.
MALLORY, W.Va. — For the people of the hollow, opportunity begins where the road ends, and that was where they now went, driving onto a dirt path that vanished into forest.
Larson Studios president Rick Larson and his wife and business partner, Jill Larson, didn’t recognize the number that sent them these two short text messages via their personal cell phones two days before Christmas last year, so they simply ignored them.
Sophie is a physical penetration tester and information security consultant. She specializes in social engineering security assessments including physical, voice (vishing) and text (phishing).
Hopefully, the takeaway from that post was that you can’t just rely on locks as your only means of home security. You need to utilize other tools and tactics in order to create multiple layers of defense. Each year, there are over 2 million home burglaries committed nationwide.
MOSCOW — The familiar voice on the hotel room phone did not waste words. He checked the reply against his watch and described a place to meet.
Surely at this point in time we all know that cybercrime is a serious issue that affects everyone. We've heard all about password hygiene, hacking that comes from third-party vendors, and data breaches galore caused by phishing and spear-phishing. We know we could all use better password habits.
There seems to be a new data breach in the news every week — a major company hacked, millions of usernames, passwords or credit card numbers stolen. There isn’t much that you, as an individual, can do to stop hackers from stealing the data you entrust to companies.
Palantir hired a cybersecurity firm last year to test its digital defenses. A confidential report shows how the pro hackers were able to dominate the tech company's network.
Alerts you when something happens. You can’t always be watching your video feed. Nest Cam looks for motion and listens for conspicuous sounds, like a boom or the crash of a window breaking. If Nest Cam thinks something’s up, it’ll send a phone alert or an email with a key image from the event.
WASHINGTON/MOSCOW (Reuters) - Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has fo
What: Stop kidding yourself that you only re-use passwords on accounts that don’t matter, or that you have an unbreakable password scheme that no one else can guess. Every single thing with a password needs to have a unique password, shared with nothing else.
Last week we got news of the Rosebutt data breach. This is a very particular class of site and like many others we've recently seen compromised, it's highly likely that members would have preferred to keep their identities secret.
Perhaps Edward Snowden's hoodie should have raised suspicions.
I’ve been doing Information Security (now called Cybersecurity by many) for around 20 years now, and I’ve spent most of that time writing about it as well. So I get a good amount of email asking the following question:
Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online.
Why won’t the password just go away? The silly pet names, movie titles or sports teams that many people punch in to get into their online accounts are a weak spot that hackers continue to puncture.
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a configuration generator to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.
We're afraid of risk. It's a normal part of life, but we're increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren't free. They cost money, of course, but they cost other things as well.
Many people will disagree with this post, not so much because it's flat out wrong but because there are so many different approaches one can take. It's a very subjective realm but I'm going to put forward some suggestions, make some considered arguments and leave it at that.
Marcus Hutchins was still recovering from the night before as he settled into a lounge at the Las Vegas airport one afternoon this past August.
More than 40 years ago, Bill Gates and Paul Allen founded Microsoft with a vision for putting a personal computer on every desk. No one really believed them, so few tried to stop them.
Free, unencrypted wireless is everywhere, but you shouldn’t be checking your bank account on it unless you don’t mind somebody else snooping. The solution? A virtual private network, or VPN.
On a bright April morning in Menlo Park, California, I became an Internet spy. This was easier than it sounds because I had a willing target. I had partnered with National Public Radio (NPR) tech correspondent Steve Henn for an experiment in Internet surveillance.
A FEW years ago, in a supermarket, I swiped my bank card to pay for groceries. I watched the little screen, waiting for its prompts. During the intervals between swiping my card, confirming the amount and entering my PIN, I was shown advertisements.
Editors’ note: This guide was originally published in 2017. But after Marriott disclosed on Friday that the personal information of as many as half a billion people may have been compromised by hackers, the suggestions below were updated, and are as important as ever.
Determining the ROI for any cybersecurity investment, from staff training to AI-enabled authentication managers, can best be described as an enigma shrouded in mystery.
Editors' note: This is Motherboard's comprehensive guide to digital security, which will be regularly updated and replaces some of our old guides. There is a version history at the bottom of this post. Last update: November 12, 2018. This is also available as a plaintext file.
Every once in a while, I’ll get an email from an eager stranger asking for advice on how to have a career in security (computer, information, cyber… whatever). This is great! We need more passionate, creative, hard-working people that want to work on making technology safer to use.
Sheera Frenkel, who writes about cybersecurity for The Times, explains how she safeguards her devices, and why passwords remain a weak link for more people.
Nico Sell, the cofounder of a secure communication app called Wickr, has appeared on television twice. Both times, she wore sunglasses to prevent viewers from getting a full picture of what she looks like.
An encryption flaw called the Heartbleed bug is already being dubbed one of the biggest security threats the Internet has ever seen.
SSH, or secure shell, is a secure protocol and the most common way of safely administering remote servers.
Aaron Swartz once said, "It's no longer OK not to understand how the Internet works.
The Secret War: Infiltration. Sabotage. Mayhem. For years, four-star general Keith Alexander has been building a secret army capable of launching devastating cyberattacks. Now it's ready to unleash hell.
Ordinary Internet users, American and non-American alike, far outnumber legally targeted foreigners in the communications intercepted by the National Security Agency from U.S. digital networks, according to a four-month investigation by The Washington Post.
As email, documents, and almost every aspect of our professional and personal lives moves onto the “cloud”—remote servers we rely on to store, guard, and make available all of our data whenever and from wherever we want them, all the time and into eternity—a brush with disaster
It’s easy to be worried about people simply spying on your confidential data. iCloud and Google+ have your intimate photos; Transport for London knows where your travelcard has been; Yahoo holds every email you’ve ever written. We trust these people to respect our privacy, and to be secure.
Chances are that when you bought a Wi-Fi router, you probably did not prioritize strong network security. After all, when we think about wireless connectivity in our homes, most of us generally care more about speed of data transmissions and how much range the router can cover.
tl;dr: In August 2017, I reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account
For a more detailed analysis of this catastrophic bug, see this update, which went live about 18 hours after Ars published this initial post.
In the internet era, consumers seem increasingly resigned to giving up fundamental aspects of their privacy for convenience in using their phones and computers, and have grudgingly accepted that being monitored by corporations and even governments is just a fact of modern life.
The National Security Agency is lying to us. We know that because data stolen from an NSA server was dumped on the Internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others' computers.
Remember Heartbleed? If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit bereft of a cool logo (someone in the marketing department of these vulns needs to get on that).
In August, the editor of the Guardian rang me up and asked if I would spend a week in New York, reading the GCHQ files whose UK copy the Guardian was forced to destroy.
With Thanksgiving behind us, the holiday season in the US is officially underway. If you're reading Ars, that can only mean one thing: you'll be answering technical questions that your relatives have been saving since the last time you visited home.
Raise your hand if you've shared a username and password with someone over IM? Ever share a document with your SSN or other extremely sensitive information without protecting it? How about if you've sent, erm...
Naturally, I passed it on because let's face it, that's some crazy shit going on right there. To which the Twitters responded with equal parts abject horror and berating comments for not having already identified this as a joke circulating on Reddit. But here's the thing - it's feasible.
SAN FRANCISCO — A security loophole that would allow someone to add extra steps to the counter on your Fitbit monitor might seem harmless. But researchers say it points to the broader risks that come with technology’s embedding into the nooks of our lives.
In 1984, a science fiction movie starring an up-and-coming Austrian-American actor took the box office by storm. A cybernetic organism is sent back in time to seek out and kill the mother of a great war hero to prevent his subsequent birth.
It's interesting work, especially because it looks at security problems in something that is supposed to improve security. I've long recommended a password manager to solve the very real problem that any password that can be easily remembered is vulnerable to a dictionary attack.
The past few years have seen an absurd amount of companies getting hacked, from simple passwords to entire databases of email.
Social Security is already a hot-button issue, and recent changes have people really freaking out about it, which makes it tough to get past the outrage and just navigate the facts. Here’s what you should know about the changes.
Until early May, when The Verge confidentially disclosed the results of my independent security tests, the “web annotator” service provided by the tech startup Genius had been routinely undermining a web browser security mechanism.
Facebook-owned WhatsApp, which has about one billion users, has not made it widely known that there is an aspect of WhatsApp that results in some messages being re-encrypted and resent automatically, without first giving the sender an opportunity to verify the recipient.
I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice. First, know that there are many subspecialties in computer security.
As a pentester, I love server-side vulnerabilities more than client-side ones. Why? Because it’s way much cooler to take over the server directly and gain system SHELL privileges. <(￣︶￣)>
You’ll never have more ideas about how to protect your identity than the minute after you realise it’s been stolen. Suddenly, you can see in painful detail all the doors left unlocked and breadcrumbs scattered across the internet for a hungry thief to find.
Some of the most powerful espionage tools created by the National Security Agency’s elite group of hackers have been revealed in recent days, a development that could pose severe consequences for the spy agency’s operations and the security of government and corporate computers.
The Internet of Things is a security problem. The Mirai botnet attacks drove the point home in October, but security experts have been warning about these weaknesses for years, providing endless demos about how a hacker might break into your baby monitor or seize control of your thermostat.
Government officials have been vague in their testimony about the data breaches—there was apparently more than one—at the Office of Personnel Management.