Security News This Week: You Can Now Lock Down Your Facebook With a Handy Dongle
One week into the Trump presidency, and already some people have mistakenly tweeted some passwords and brought some unsecured Android phones into some places where they probably don’t belong (you know, the White House). Digital rights activists lauded Trump’s decision to kill the Trans-Pacific Partnership. And the military contemplated purchasing cool, off-the-shelf tech, like quadcopters, and placed a big order for new modular pistols.
Meanwhile, WIRED looked at a controversial new program that is working to defuse extremism and reform American ISIS recruits. Monero, the cryptocurrency criminals love for its focus on anonymity, is doing better than ever, a cybersecurity firm bought a $15 million quantum computer to see if it gives them a defensive edge, and researchers are advocating for encrypted voting technology to defend democratic systems and, let’s face it, reduce drama. Finally, some unsolicited advice. Brush up on tips for how to document marches and protests on social media without feeding potential law enforcement surveillance, and make sure you download iOS 10.2.1 to get important security fixes if you use mobile devices from Apple. Whew, a lot doin’.
And there’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Facebook Adds Support For Physical Authentication
It’s abundantly clear at this point that passwords alone are not enough to protect online accounts, but adding a “second authentication factor” or additional element that helps prove you are who you claim can have pitfalls of its own. So this week Facebook added support for a strong “second factor” that has been gradually gaining momentum. Physical dongles that you keep plugged into your computer or carry with you are a quick and easy second piece of proof for logging into your account; Facebook will now support any physical security key that uses the open source Universal 2nd Factor standard developed by the FIDO Alliance. Sure, it’s possible to lose these dongles, but they’re robust because physical objects are hard to surveil and replicate remotely.
200,000 Services and Devices Still Vulnerable to Heartbleed
Shodan is known as the “search engine for the Internet of Things” because it allows users to do tailored searches for particular kinds of computers currently connected to the internet. That means Shodan can be used to find vulnerable devices, including 200,000 servers and the like that still contain the Heartbleed vulnerability. After the bug was first discovered and publicized in 2014, system administrators quickly patched a lot of devices and services to reduce its prevalence; it affects OpenSSL, a widely used implementation of the TLS protocol that encrypts web connections. But almost three years later, a not insignificant number of devices and servers are still unpatched and vulnerable to Heartbleed exploitation. And the open targets aren’t all from random backwaters of the internet—the domains associated with the most vulnerable devices were Amazon Web Services and Verizon Wireless.
Firefox and Chrome Now Call Out Insecure HTTP Connections
As part of a large push to encrypt all web connections using HTTPS, the new versions of Firefox and Chrome now prominently flag some HTTP connections as insecure next to the URL in the address bar. The warning shows up when an HTTP page has a form on it with fields for things like credit card numbers or passwords. The goal is to promote the use of encrypted connections between browsers and web servers, reducing the situations in which hackers can eavesdrop on what a user is doing on a page or typing into a field.
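As an added example that is not part of the original article or of either browser’s code, the check below mirrors the heuristic described above: it reports password and credit-card fields on a page served over plain HTTP, and, going one step beyond the paragraph, forms on an HTTPS page whose action submits over HTTP. The form and field object shape, and the credit-card name patterns, are assumptions of this example, not the browsers’ actual rules.

```javascript
// Audit a page's forms for sensitive fields exposed over plain HTTP.
// Field shape assumed here: { type, name, autocomplete } (an assumption of
// this example, not a browser API).
const CARD_AUTOCOMPLETE = new Set([
  "cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name",
]);
// Heuristic name patterns such as card_number, ccnum, cvv (constructed here).
const CARD_NAME_RE = /\b(cc|card)[-_]?(num|number|no)\b|\bcv[cv]2?\b/i;

// Classify one input; returns "password", "credit-card" or null.
function sensitiveKind(field) {
  if ((field.type || "").toLowerCase() === "password") return "password";
  if (CARD_AUTOCOMPLETE.has((field.autocomplete || "").toLowerCase())) return "credit-card";
  if (CARD_NAME_RE.test(field.name || "")) return "credit-card";
  return null;
}

// A URL is insecure when it resolves to http:. Relative form actions inherit
// the page's scheme, so they are resolved against pageUrl first.
function isInsecureUrl(url, pageUrl) {
  return new URL(url || "", pageUrl).protocol === "http:";
}

// pageUrl: the document's URL; forms: [{ action, fields: [...] }].
// Returns one finding per sensitive field whose page or form action is http:.
function auditForms(pageUrl, forms) {
  const findings = [];
  const pageInsecure = isInsecureUrl(pageUrl, pageUrl);
  forms.forEach((form, i) => {
    const actionInsecure = isInsecureUrl(form.action, pageUrl);
    for (const field of form.fields) {
      const kind = sensitiveKind(field);
      if (!kind || !(pageInsecure || actionInsecure)) continue;
      findings.push({ form: i, field: field.name || "(unnamed)", kind,
        reason: pageInsecure ? "page served over http" : "form submits over http" });
    }
  });
  return findings;
}

// In a browser, build the form list from the live DOM and run the audit.
function collectForms(doc) {
  return Array.from(doc.forms, f => ({
    action: f.getAttribute("action") || "",
    fields: Array.from(f.elements, e => ({
      type: e.type, name: e.name, autocomplete: e.getAttribute("autocomplete") || "" })),
  }));
}
if (typeof document !== "undefined") console.log(auditForms(document.URL, collectForms(document)));
```

Pasted into a browser console it prints the findings for the current page; under Node it exposes the same functions for use on captured form descriptions.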
Kaspersky Incident Response Chief Arrested
The cyber forensics researcher Ruslan Stoyanov, who has worked at the Russian cybersecurity giant Kaspersky Lab since 2012, was arrested in December. Information about the situation is only beginning to emerge now. Forbes reports that Stoyanov is charged under Article 275 of the Russian criminal code, requiring a clandestine military tribunal. Some sources say that the case has to do with money Stoyanov received from foreign entities. Kaspersky Lab wrote in a statement that, “The case against this employee does not involve Kaspersky Lab. The employee, who is Head of the Computer Incidents Investigations Team, is under investigation for a period predating his employment at Kaspersky Lab. We do not possess details of the investigation.” Before Kaspersky, Stoyanov worked at various other cybersecurity companies. He was a major in the Russian Ministry of Interior’s Moscow cybercrime unit from 2000 to 2006.