Samsung is warning customers about discussing personal information in front of their smart television set. The warning applies to TV viewers who control their Samsung Smart TV using its voice activation feature. When the feature is active, such TV sets "listen" to what is said and may share what they hear with Samsung or third parties, it said. Privacy campaigners said the technology smacked of the telescreens in George Orwell's 1984, which spied on citizens. Samsung has issued a statement emphasizing that the voice recognition feature is activated using the TV's remote control.
Should Pipedot readers be concerned? What assurance is there that voice control systems which involve uploading voice commands to remote servers (Siri included) couldn't be used covertly for surveillance, as the FBI started doing with OnStar in General Motors vehicles over a decade ago? Samsung is not the first maker of a smart, net-connected TV to run into problems with the data the set collects. In late 2013, a UK IT consultant found his LG TV was gathering information about his viewing habits.
Today, users of Samsung's Smart TVs are also complaining that advertisements are being inserted into their own videos, without their permission. "Every movie I play, 20-30 minutes in it plays the Pepsi ad. It has happened on 6 movies today." In a statement, a Samsung spokesperson said that the ad placement in third-party apps was a mistake and that the issue only affected customers in Australia.
Microsoft has admitted that the new Windows 10 operating system tracks keystrokes and examines audio input. The new operating system, currently a free download for users with Windows 7 and Windows 8 licences, not only tracks how long it takes to open different types of files and the make and model of the device you're using, but also logs keystrokes and collects voice recordings. Microsoft will not delete data already collected from Windows 10 users.
A recent report by Germany's Federal Office for Information Security reveals that hackers caused "massive" damage to an unnamed steel mill. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down. The report doesn't name the plant or indicate when the breach occurred.
This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet, the sophisticated digital weapon the U.S. and Israel launched against control systems in Iran in 2008 to sabotage centrifuges at a uranium enrichment plant. Industrial control systems have been found to be rife with vulnerabilities, though they manage critical systems in the electric grid, in water treatment plants and chemical facilities and even in hospitals and financial networks.
ICANN has reported a major security breach. The organization, which is responsible for managing IP addresses (among other things) for the internet, was hacked late last month. Using basic spear phishing attacks, hackers managed to trick ICANN employees into giving up private credentials upon receiving emails that appeared to come from the organization itself. As a result, several internal systems have been breached.
ICANN reports that not only were internal emails accessed, but also a number of other things, including an employee-only wiki page with public data, as well as the database used to see who has registered a certain domain. Hackers also accessed the Centralized Zone Data System (CZDS), which gives them access to user names, addresses, emails and other contact/personal data. While this is certainly the most troubling part of the breach, the passwords stolen from the CZDS were encrypted and not just sitting around as plain-text entries.
The organization implemented improved security measures early this year, before the attack. The group now plans to implement additional security measures.
U.S. officials previously announced plans to relinquish the federal government's control over managing the Internet to a "multistakeholder community" in March, following backlash over revelations about the National Security Agency's surveillance program. The cyber attack could fuel those wary of ICANN's transition to an international authority, who argue the move would compromise the safety of the Internet. Some opponents doubt the organization's ability to manage the Internet for the entire globe.
Microsoft has quietly patched a serious SSL (Secure Sockets Layer) bug that allows remote code to be executed on any system configured to accept SSL transactions. That is to say, essentially, every Windows system ever made.
The bug is being discussed on Pastebin, where it is being alleged that Microsoft has seriously understated the seriousness of this bug, potentially in an effort to downplay its use as a potential zero day. The same folks are making threats about what will happen if Microsoft doesn't get around to producing patches for legacy systems as well, given how prevalent SSL technology is in today's web browsing environment.
Those evil ISPs are at it again:
Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag, called STARTTLS, from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
Although I wouldn't trust the content of your non-PGP email to ever be secure, this could potentially lead to your email account password being transmitted in-the-clear, depending on how your email client and server are configured.
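The downgrade described above, modelled end to end as an added example (this is not code from the page, the EFF or any ISP or vendor): the server's EHLO reply, a middlebox that masks the STARTTLS keyword, and the client's decision about what to send next. The EHLO reply is constructed; the eight-X mask is an assumed form of the stripping (the page does not say how the keyword is removed, only that it is); `require_tls` stands in for whatever "always use TLS" setting a real mail client or MTA exposes. The same logic applies to server-to-server delivery, where the default is likewise opportunistic.

```python
"""STARTTLS stripping modelled end to end: the server's EHLO reply, a middlebox
that masks the STARTTLS keyword, and the client's choice of next command.
Added example, not code from the page, the EFF or any vendor. Assumptions:
the EHLO reply is constructed; the eight-X mask is an assumed form of the
stripping; require_tls stands in for a real client's "always use TLS" setting."""
import base64
from typing import List, Optional, Tuple

MASK = b"XXXXXXXX"   # assumed: same length as b"STARTTLS", so the reply stays well-formed

# Constructed EHLO reply from a server that does offer STARTTLS.
EHLO_REPLY = (b"250-mail.example.org Hello client.example.net\r\n"
              b"250-SIZE 10240000\r\n"
              b"250-STARTTLS\r\n"
              b"250-AUTH PLAIN LOGIN\r\n"
              b"250 HELP\r\n")


def ehlo_keywords(reply: bytes) -> List[bytes]:
    """Upper-cased capability keywords from a multi-line 250 reply (greeting line skipped)."""
    lines = [ln for ln in reply.split(b"\r\n") if ln[:3] == b"250"]
    keywords = []
    for ln in lines[1:]:              # first 250 line is "<domain> <greeting>", not a capability
        tokens = ln[4:].split()       # ln[3] is "-" (more lines follow) or " " (last line)
        if tokens:
            keywords.append(tokens[0].upper())
    return keywords


def strip_starttls(reply: bytes) -> bytes:
    """Middlebox view: rewrite only the STARTTLS keyword; everything else passes untouched.

    The reply remains syntactically valid, so neither end sees an error; the
    client simply concludes that the server cannot do TLS.
    """
    out = []
    for ln in reply.split(b"\r\n"):
        tokens = ln[4:].split()
        if ln[:3] == b"250" and tokens and tokens[0].upper() == b"STARTTLS":
            ln = ln[:4] + MASK + ln[4 + len(b"STARTTLS"):]
        out.append(ln)
    return b"\r\n".join(out)


def client_next_command(reply: bytes, require_tls: bool,
                        user: str = "", password: str = "") -> Tuple[str, Optional[bytes]]:
    """Client view: decide what to send after reading the EHLO reply.

    Opportunistic TLS (require_tls=False) is the common default for mail clients
    and for server-to-server delivery alike: no STARTTLS offered means carry on
    in the clear, including AUTH PLAIN, whose password is base64-encoded, not encrypted.
    """
    if b"STARTTLS" in ehlo_keywords(reply):
        return "starttls", b"STARTTLS\r\n"
    if require_tls:
        return "abort", None          # a stripped reply looks exactly like a no-TLS server
    if user:
        token = base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())
        return "plaintext-auth", b"AUTH PLAIN " + token + b"\r\n"     # RFC 4616 initial response
    return "plaintext", b"MAIL FROM:<alice@example.org>\r\n"           # MTA-to-MTA: message goes in the clear


if __name__ == "__main__":
    for label, reply in (("direct path", EHLO_REPLY), ("via stripping ISP", strip_starttls(EHLO_REPLY))):
        for require_tls in (False, True):
            action, wire = client_next_command(reply, require_tls, "bob", "hunter2")
            print(f"{label:18} require_tls={require_tls!s:5} -> {action:15} {wire!r}")
```

Run it and compare the four outcomes: only the "via stripping ISP" plus `require_tls=False` combination emits `AUTH PLAIN` in the clear, which is exactly the password exposure the paragraph above warns about. To check your own path, run `openssl s_client -connect mail.example.net:25 -starttls smtp` from the network in question and compare the capability list in the EHLO reply with what the same server shows from a network you trust; if the keyword is missing on one path and not the other, something in between is rewriting it, and the only robust fix on the client side is to require TLS rather than merely prefer it.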
Last week Apple was being hailed as the white knight of user privacy; this week they are being called out for uploading files to iCloud without sufficient warning. Bad times for Apple, whose blunder was a big one, and is generating a lot of buzz. The Washington Post reports:
[Security researcher Jeffrey Paul] was not alone in either his frustration or surprise. Johns Hopkins University cryptographer Matthew D. Green tweeted his dismay after realizing that some private notes had found their way to iCloud. Bruce Schneier, another prominent cryptography expert, wrote a blog post calling the automatic saving function "both dangerous and poorly documented" by Apple.
The criticism was all the more notable because its target, Apple, had just enjoyed weeks of applause within the computer security community for releasing a bold new form of smartphone encryption capable of thwarting government searches - even when police got warrants. Yet here was an awkward flip side: Police still can gain access to files stored on cloud services, and Apple seemed determined to migrate more and more data to them.
TechCrunch reports: MCX (Merchant Customer Exchange), the coalition of retailers including Walmart, Best Buy, Gap and others, who are backing a mobile payments solution CurrentC meant to rival newcomer Apple Pay, has been hacked.
CurrentC is still in its pilot phase. Only emails of the early app testers have been stolen. No payment data or other personal information. Furthermore, since the project is still in the pilot phase, many of those emails belonged to dummy accounts.
Since there might be a war coming between CurrentC, Apple Pay, Google Wallet, and perhaps the established credit card companies, it would be easy to construct a nice conspiracy theory. However:
Never ascribe to malice that which is adequately explained by incompetence. And even incompetence does not describe it correctly. The developers of each of those systems on the one side are probably vastly outmatched by the black hats, who try to break it, on the other side. And the black hats just need to find one single implementation error, while the developers have to anticipate everything. In cases like this, where real money can be made, Linus's Law is definitely applicable.
What does it mean for the customers? They should be extra careful. Neither Apple, nor Google, nor MCX has much experience as a payment service provider. Their technologies are new and most certainly will have weaknesses, which is bad. But also for the courts these systems will be uncharted waters. For a duped user this might even be worse. So before using one of those shiny new and convenient payment options: Read the fine print in the contracts. Check who carries the risk and the burden of proof in case of misuse.
Forbes has a lovely if disjointed writeup; The Register is considerably more dramatic. The gist: your browser likely still allows the use of old SSL standards, which are now proven vulnerable to a lovely new bug which could, in the worst case, give an attacker your cookies. From there, your sessions are at risk, along with anything you'd prefer to keep to yourself online.
The makers of Chrome seem to be saying that the issue has been fixed in Chrome since February, but as of this morning, the Poodle Test still showed Chrome as vulnerable. Firefox expects to have a fix in version 34, due Nov 25. In the meantime, according to the Forbes article, you can open about:config and change the setting security.tls.version.min to 1. This does cause Firefox to pass the test. Microsoft and Apple have not addressed the issue as of this writing. Internet Explorer does have an option to disable SSL 3.0 in its more recent versions (naturally set to "enabled" by default), but IE6 users are out in the cold; Safari users are vulnerable and must wait for a fix from Apple.
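For readers who want to see why SSL 3.0 gives up cookies at all, here is an added example (not code from the page, Forbes, The Register or any browser vendor) that reproduces the POODLE padding oracle against a toy record layer. Assumptions: a hash-based Feistel permutation stands in for the real block cipher, since the attack needs only some 16-byte block cipher in CBC mode; a truncated HMAC stands in for the record MAC; and `PRE`/`MID` are an invented request layout giving the attacker control over how many bytes precede the cookie, which is the job the attacker's JavaScript does in the real attack. The same code shows the caveat that matters: with TLS 1.0 padding, where every padding byte is checked, the oracle never accepts and the attack fails.

```python
"""Toy reproduction of the POODLE padding oracle against SSL 3.0 CBC records.
Added example, not code from the page or any browser vendor. Assumptions: a
Feistel permutation stands in for the real block cipher; a truncated HMAC stands
in for the record MAC; PRE/MID are an invented request layout that gives the
attacker control over how many bytes precede the cookie."""
import hashlib
import hmac
import os

BLOCK, MAC_LEN = 16, 16
PRE = b"GET /"                     # attacker-chosen path padding is inserted after this
MID = b" HTTP/1.0\r\nCookie: "     # the browser then appends the secret cookie


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    """4-round Feistel permutation on 16 bytes: a stand-in cipher, NOT secure."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def encrypt_record(enc_key, mac_key, plaintext, tls_padding=False):
    """plaintext || MAC || padding, CBC-encrypted under a fresh IV.
    SSL 3.0 leaves the filler bytes unspecified (random here) and checks only the
    length byte; TLS 1.0 sets every padding byte to pad_len so all can be checked."""
    data = plaintext + hmac.new(mac_key, plaintext, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = BLOCK - 1 - len(data) % BLOCK
    filler = bytes([pad_len]) * pad_len if tls_padding else os.urandom(pad_len)
    data += filler + bytes([pad_len])
    iv = os.urandom(BLOCK)
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(enc_key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return iv, out


def server_accepts(enc_key, mac_key, iv, ct, tls_padding=False):
    """Decrypt, strip padding, verify MAC; True if the record would be accepted."""
    prev, pt = iv, b""
    for i in range(0, len(ct), BLOCK):
        pt += _xor(block_decrypt(enc_key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if tls_padding and any(b != pad_len for b in pt[-pad_len - 1:]):
        return False                            # TLS: the filler bytes are checked too
    body = pt[:len(pt) - pad_len - 1]           # SSL 3.0: the filler bytes were never looked at
    tag = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(body[-MAC_LEN:], tag)   # MAC covers data only, never padding


def poodle_recover(enc_key, mac_key, secret, tls_padding=False, max_tries=16384):
    """Attacker: recover `secret` byte by byte with server_accepts() as the only oracle.
    Each try is a fresh request (fresh IV); the ciphertext block holding one cookie
    byte is copied over the final, all-padding block. Returns None if the oracle
    never accepts within max_tries for some byte (what happens against TLS padding)."""
    recovered = bytearray()
    for k in range(len(secret)):
        prefix = (BLOCK - 1 - (len(PRE) + len(MID) + k)) % BLOCK   # puts secret[k] last in a block
        blk = (len(PRE) + prefix + len(MID) + k) // BLOCK            # plaintext block holding it
        head = PRE + b"A" * prefix + MID + secret + b"\r\n\r\n"
        suffix = (-(len(head) + MAC_LEN)) % BLOCK                    # makes the last block pure padding
        for _ in range(max_tries):
            iv, ct = encrypt_record(enc_key, mac_key, head + b"B" * suffix, tls_padding)
            c = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            c[-1] = c[blk + 1]                                       # the tampering
            if server_accepts(enc_key, mac_key, c[0], b"".join(c[1:]), tls_padding):
                # accepted <=> last decrypted byte == BLOCK-1 == secret[k] ^ c[blk][15] ^ c[-2][15]
                recovered.append((BLOCK - 1) ^ c[blk][15] ^ c[-2][15])
                break
        else:
            return None
    return bytes(recovered)


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    cookie = b"SID=9f3a"                                             # constructed secret
    print("SSL 3.0 padding:", poodle_recover(enc_key, mac_key, cookie))
    print("TLS 1.0 padding:", poodle_recover(enc_key, mac_key, cookie, tls_padding=True, max_tries=512))
```

Each recovered byte costs about 256 oracle queries on average, which is why the real attack needs the victim's browser to issue many requests under attacker control. Note that the oracle's "reject" is a TLS alert that tears down the connection, so every retry is a fresh handshake; the attack still works because the cookie is resent unchanged each time. The Firefox setting above (`security.tls.version.min` = 1) removes the `tls_padding=False` path entirely by refusing to negotiate SSL 3.0, which is the only clean fix; the Poodle Test simply checks whether your client still offers that version.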