security

KFC Facial Recognition Trial

Really, what could go wrong here: the system would tell a male customer in his early 20s to order a set meal of crispy chicken hamburger, roasted chicken wings and coke for lunch, while a female customer in her 50s would get a recommendation of porridge and soybean milk for breakfast. This is probably the future whether we like it or not. Face and voice recognition are reaching a tipping point where documenting and influencing individuals without their consent is trivial.

DROP TABLE LTD

From the “the future kind of sucks” files comes this update out of the UK. There’s now a company named after a SQL injection attack. I’m hopeful that the global economy will survive ; DROP TABLE "COMPANIES";-- LTD’s first public offering.

The Download on the DNC Hack

Another great summary from Brian Krebs. No matter which side you fall on politically, this stuff should concern you. The problem isn’t whether there is hacking; the problem is that we can’t even believe the official responses, so it leaves a vacuum of information that is readily filled with bullshit. The public might also be deeply suspicious of hacking claims from a government that practically invented the art of meddling in foreign elections.

Evernote, Humans, and Machines

The recent Evernote privacy policy brought about considerable response from the nerds. Here’s the relevant section many are concerned with (highlighting is mine): The latest update to the Privacy Policy allows some Evernote employees to exercise oversight of machine learning technologies applied to account content, subject to the limits described below, for the purposes of developing and improving the Evernote service. Now I’ve highlighted two points in the policy.

How to Encrypt in Less Than an Hour

Quincy Larson has a pretty reasonable approach to encrypting your data: And when I use the terms “private” or “secure”, I mean reasonably so. The reality is that — as long as humans are involved — no system will ever be 100% private or 100% secure. His list is short and pretty unobtrusive. For normal people, it’s key to balance the mental cost versus the potential benefit of encrypting everything.

San Francisco Rail System Hacker Hacked

I know many people who are fascinated by the hack of San Francisco’s MUNI. I’m far more fascinated by the white-hat battles against the hacker, which may have resulted in breaching the miscreant’s email accounts. From Brian Krebs: On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same cryptom27@yandex.com inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password.

Mirai Botnet Pushes Many Germans Offline

Brian Krebs continues to follow the analysis of the biggest botnet attacks the world has ever seen. Tell me this doesn’t sound like a William Gibson plot writing itself: “This is an interesting development because a lot of the response to Mirai lately has been to find a Mirai controller and take it down,” Nixon said. “Right now, the amount of redundant infrastructure these Mirai actors have is pretty significant, and it suggests they’re trying to make their botnets more difficult to take down.”

Akamai on the Krebs DDoS Attack

Akamai was the DDoS protection service used by security researcher Brian Krebs, at least until last September, when they could no longer offer pro-bono protection under the weight of new, massive attacks. Their latest report details the specific attack on Krebs. As detailed here in several previous posts, KrebsOnSecurity.com was a pro-bono customer of Akamai, beginning in August 2012 with Prolexic before Akamai acquired them. Akamai mentions this as well in explaining its decision to terminate our pro-bono arrangement.

iCloud Calendar Spam

I recently enjoyed a new form of spam: iCloud calendar spam. No, it wasn’t a calendar invitation attached to an email. It appears to be from a source other than email. Here’s the fact pattern: A new event alarm was created in my primary iCloud calendar without my consent. I did not accept the invitation. There was no record of an email invitation in any of my mail folders, including spam.

Ads Surreptitiously Using Sound to Communicate Across Devices

Once again, Bruce Schneier freaks me out: The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.