During a security presentation at Apple’s Worldwide Developers’ Conference, the company revealed the deadline for all apps in its App Store to switch on an important security feature called App Transport Security — January 1, 2017.
“Today, I’m proud to say that at the end of 2016, App Transport Security is becoming a requirement for App Store apps,” Apple’s head of security engineering and architecture, Ivan Krstic, said during a WWDC presentation. “This is going to provide a great deal of real security for our users and the communications that your apps have over the network.”
App Transport Security, or ATS, is a feature that Apple debuted in iOS 9. When ATS is enabled, it forces an app to connect to web services over an HTTPS connection rather than HTTP, which keeps user data secure while in transit by encrypting it.
The “S” in HTTPS helpfully stands for secure and you’ll often see it appear in your browser when logging into your banking or email accounts. But mobile apps often aren’t as transparent with users about the security of their web connections, and it can be hard to tell whether an app is connecting via HTTP or HTTPS.
Enter ATS, which is enabled by default for iOS 9. However, developers can still switch ATS off and allow their apps to send data over an HTTP connection — until the end of this year, that is. (For technical crowd: ATS requires TLS v 1.2, with exceptions for already encrypted bulk data, like media streaming.)
At the end of 2016, Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store. App developers who have been wondering when the hammer would drop on HTTP can rest a little easier now that they have a clear deadline, and users can relax with the knowledge that secure connections will be forced in all of the apps on their iPhones and iPads.
In requiring developers to use HTTPS, Apple is joining a larger movement to secure data as it travels online. While the secure protocol is common on login pages, many websites still use plain old HTTP for most of their connections. That’s slowly changing as many sites make the arduous transition to HTTPS (Wired has been particularly good at documenting the process).
Yahoo admitted today that some of its employees were aware of the theft of 500 million users’ data as early as 2014 — years before Yahoo publicly acknowledged the hack.
The hack, which Yahoo has attributed to an unnamed “state-sponsored actor,” occurred in late 2014, and according to today’s filing with the Securities and Exchange Commission, it seems Yahoo detected it early on.
“In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014,” Yahoo said in the filing.
Yahoo also reported that 23 consumer class action lawsuits have been filed in response to the breach, but that it’s too early to estimate monetary damages. It estimates the hack has led to a loss of $1 million so far.
The question of when Yahoo learned of the breach is essential to its planned sale to Verizon. Verizon has reportedly asked for a $1 billion discount in light of the breach, which was not disclosed until after the September sale even though Yahoo CEO Marissa Mayer allegedly learned of the breach in July. (Disclosure: Verizon owns TechCrunch.)
In today’s filing, Yahoo says it has formed an independent committee to review “the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed.”
Senator Mark Warner has asked the SEC to investigate what Yahoo knew about the breach and when it knew it, citing an earlier Yahoo filing that claimed the company was not aware of any security breaches. “Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public,” Warner said in a statement.
In the past I’ve tried to emulate Mark Zuckerberg. Become a billionaire, celebrity, philanthropist, wear a sweatshirt or t-shirt everyday, drop out of college and don’t have to go to class anymore, what’s not to like? Sadly, for the most part, it hasn’t worked out so well for me.
For example, after seeing The Social Network I got exceptionally drunk and tried to write a college midterm paper – a la Zuck’s coding of the predecessor to Facebook while toasted. I read my essay the next morning and was genuinely amazed by how few actual words I had used in the six-page paper that I had written. While I was excited that I had created some kind of new language, I also realized that at best I was a J.R.R. Tolkien imitator and, sadly, not a budding Facebook billionaire.
As a result, I realized that maybe emulating Zuck wouldn’t work for me – I decided I probably shouldn’t drop out of college or wear sweats to my next job interview. Luckily there is more than one way to skin a cat. Today we can all be like Mark Zuckerberg and at the same time protect our privacy.
Earlier this year Instagram hit 500 million active users and in commemoration Zuck posted the above photo to his Facebook page. It’s a nice photo and if that was all it was I guess I could write a story about Mark Zuckerberg’s beautiful smile.
Instead, one sharp twitter user – @topherolson – noted that Mark had inadvertently revealed three things:
That his Mac camera is covered with tape.
That his Mac microphone is covered with tape.
That his email client is Thunderbird.
Mark Zuckerburg is clearly worried about his cyber security – he is a high value target who has been hacked before – so instead I’m writing an article about the steps that Mark Zuckerberg takes to protect his privacy and why security experts think we muggles should all do the same.
Why you’re at risk
We live in an age of ever increasing connectivity and reliance on technology. At the same time, and as a direct result, we also live in an age where the NSA has the power to monitor emails and text messages sent by the American people. Not to mention the ability to secretly tap into hundreds of millions of Google and Yahoo accounts worldwide, where nearly one million new malware threats are released every day and where hacking costs the global economy an estimated $575 billion on an annual basis.
So yes, if you have a computer, if you use a phone, if you use email, you are at risk of being hacked.
While it might be easy to conclude that Mark Zuckerberg is your garden variety paranoid, eccentric, billionaire when he tapes over his laptop’s microphone and camera, in reality he is protecting himself against a risk that we all face.
Zuckerberg is protecting against “ratting.” While this might sound like some form of particularly painful medieval torture technique, it is actually slang for a Remote Access Trojan cyberattack (a uniquely modern torture technique). A RAT is a form of malware which, if successful, can give a hacker remote control of your computer – including your webcam and microphone.
Today the risk of this kind of attack is high –
70 percent of malware consists of Trojans and the most easily deployable of these is the RAT whose source code often only costs $10 to $50. Hackers can use this control to do a wide range of bad things to you:
Hijacking control of personal computers.
Watching and logging your keystrokes
Downloading, uploading, or deleting files
Destroying your CPU through overclocking
Installing additional viruses and worms
Editing your Windows registry
Using your computer for a denial of service attack and to otherwise infect friends and family
Stealing passwords, personal identification information, and credit card numbers
Wiping your hard drive
Installing hard to remove boot-sector viruses
And even to spy on victims through remote control of webcams and microphones.
For Zuckerberg this could mean the theft of sensitive Facebook business and personal data which could cause harm to Zuck personally, to employees, to his business, and to customers. However, by taping over his webcam and microphone Zuck has protected himself (and us all) against the worst of cybercrimes – the release of the first Mark Zuckerberg sextape – a true crime against humanity.
Billionaires aren’t the only ones in jeopardy
RAT attacks don’t just happen to those with billions at stake.
Amy Wright, was a 20-year old student at the University of California at Irvine – a far cry from a billionaire executive like Zuckerberg – when she was hit with a RAT attack.
GQ reported that Wright received an IM from mistahxxrightme, asking her for webcam sex. Amy said no. Mistah X IMed her again and said that he knew all about her. He described the color of her dorm room walls, her sheets, the pictures on her wall, her “pink vibrator”, and then finally sent her an image file. It was a picture of her in her room naked and having webcam sex with her boyfriend, James Kelly.
The “sextortion,” as it has been called, didn’t stop there.
Next Mistah X sent an IM to James Kelly’s ex-girlfriend, Carla Gagnon, asking her for webcam sex before sending her a video of her in the nude. Then he contacted Kelly and told him he had control of his computer. Mistah X taunted Kelly.
James tried to talk to Amy, but as soon as he did Mistah X sent him a message – “I know you’re talking to each other right now!” When Amy called the police, and the hacker messaged her, “I know you just called the police.”
It took the involvement of the FBI Cyberdivision to finally catch Mistah X – a 32-year old undocumented immigrant confined to a wheelchair and obsessed with Professor X from The X Men.
In total, he’d sextorted 230 victims and captured 15,000 webcam-videos, 900 audio recordings, and 13,000 screen captures. He was not part of any cybergang, but instead he was just one frustrated and depressed individual with access to a laptop.
Imagine the harm that an organized group of cybercriminals could do – in 2014, a website opened that played live video from thousands of webcams in over 250 countries.
These attacks aren’t going away any time soon
The problem is that RATs are cheap, require relatively little technical skill, and as Scott Aken, a former FBI cyberagent explains, there are too many RATs in existence for law enforcement to bring them all down.
It’s also relatively easy to infect computers with RATs.
Cyberextortionist gang the Cryptolocker managed to gross over $30 million in 2015 alone. Cybercriminals can see the ROI of these kinds of attacks and so they will only increase in number, both on high value targets and on individual consumers – particularly young women.
The Mark Zuckerbergs of the world and mere mortals alike need to protect themselves from these attacks. It is important to take steps to beef up the security of your devices by:
Ensuring your antivirus software is installed and always on.
Regularly changing secure passwords (and especially changing from the factory password)
But in the end security experts – along with Mark Zuckerberg – think that, however secure your device is, it won’t be enough to stop a determined cybercriminal.
Last year NTT tested the top antivirus products and concluded that 50 to 70 percent of malware made it past their virus scanners – new types of malware are being created faster than security companies can detect or protect against them. And when you might be up against the NSA – whose GCHQ program selected random Yahoo webchat users to surveil, the FBI, and increasingly organized (and often state-sponsored) cybercriminal gangs, it’s safe to assume that their attacks could be more powerful than your defense.
As a result, experts think that we should all steal a page from the paranoid billionaire playbook and take the basic security measure of covering our webcam and microphone when they are not in use. Lysa Myers, a security researcher at the Data Security firm ESET said in an email to the NYTimes:
Covering the camera is a very common-sense security measure. If you were to walk around a security conference, you would have an easier time counting devices that don’t have something over the camera.
So let’s all do the smart thing and copy the security experts and the boy genius – FBI director James Comey is doing the same. Comey told NPR that he covers his laptop camera and microphone, “because I saw somebody smarter than I am had a piece of tape over their camera.”
And it’s easy to do. You can cover your camera and microphone with a post-it note, duct tape, painters tape, cute cat stickers, invisible tape, washi tape, or even spring for a sticker expressly designed for laptop camera and microphone security (to the tune of only $10).
While this might make you look paranoid, it’s an easy step to protect your privacy from the growing threat of cyberintrusion.
On the other hand, for those of you who think that you have nothing to hide, you can always follow the example of Matthew Green: “Because I’m an idiot,” replied Matthew Green, an encryption expert at Johns Hopkins University when asked why he doesn’t cover his cameras.
I have no excuse for not taking this seriously… but at the end of the day, I figure that seeing me naked would be punishment enough.
Black Mirror on Netflix– an anthology series that tackles our relationships with technology and how each bright moment today could potentially go awry tomorrow. With them, we’re exploring current and future tech trends; including the possible ramifications on personal relationships. This is the “bright side” of technology.
Hackers used internet-connected home devices, such as CCTV cameras and printers, to attack popular websites on Friday, security analysts say.
Twitter, Spotify, and Reddit were among the sites taken offline on Friday.
Each uses a company called Dyn, which was the target of the attack, to direct users to its website.
Security analysts now believe the attack used the “internet of things” – web-connected home devices – to launch the assault.
Dyn is a DNS service – an internet “phone book” which directs users to the internet address where the website is stored. Such services are a crucial part of web infrastructure.
On Friday, it came under attack – a distributed denial of service (DDoS) – which relies on thousands of machines sending co-ordinated messages to overwhelm the service.
The “global event” involved “tens of millions” of internet addresses.
Security firm Flashpoint said it had confirmed that the attack used “botnets” infected with the “Mirai” malware.
Many of the devices involved come from Chinese manufacturers, with easy-to-guess usernames and passwords that cannot be changed by the user – a vulnerability which the malware exploits.
“Mirai scours the Web for IoT (Internet of Things) devices protected by little more than factory-default usernames and passwords,” explained cybersecurity expert Brian Krebs, “and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”
The owner of the device would generally have no way of knowing that it had been compromised to use in an attack, he wrote.
It has emerged that the BBC’s website was also briefly caught up in Friday’s attack. The BBC is not a customer of Dyn itself, but it does use third-party services that rely on the domain name system hosting facilities provided by Dyn.
I understand that these include Amazon Web Services – the retail giant’s cloud computing division – and Fastly – a San Francisco-based firm that helps optimise page download times.
Both companies have acknowledged being disrupted by the DDoS assault. Only some BBC users, in certain locations, would have experienced problems and they did not last long.
It serves as a reminder that despite the internet being a hugely robust communications system, there are still some pinch points that mean a targeted attack can cause widespread damage.
The incidents mark a change in tactics for online attackers.
DDoS attacks are typically aimed at a single website. Friday’s attack on Dyn, which acts as a directory service for huge numbers of firms, affected several of the world’s most popular websites at once.
The use of internet-connected home devices to send the attacking messages is also a relatively new phenomenon, but may become more common.
The Mirai software used in these attacks was released publicly in September – which means anyone with the skill could build their own attacking botnet.
On social media, many researchers and analysts expressed frustration with the security gap being exploited by attackers.
“Today we answered the question ‘what would happen if we connected a vast number of cheap, crummy embedded devices to broadband networks?’” wrote Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute.
Jeff Jarmoc, head of security for global business service Salesforce, pointed out that internet infrastructure is supposed to be more robust.
“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,” he tweeted.
Today, half of America’s internet shut down when hackers unleashed a large distributed denial of service (DDoS) attack on the servers of Dyn, a major DNS host. It’s still unclear exactly who carried out the attack and why, but regardless, the event served as a demonstration of how easily large swaths of the web can be wiped out if attacked by determined hackers.
Starting at 11:10 UTC on October 21th-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.
It’s horrific to know that major websites like Twitter, Spotify, Reddit, Etsy, Wired, and PayPal can all be taken offline in an instant. The exact process hackers used is so far unknown—aside from the DDoS detail—but it’s important for every internet user to understand because it has to do with how exactly the internet works. With that in mind, here is how some of the most popular websites in the world can be taken offline in a flash.
What is the technology?
Domain Name Servers (DNS) act as the internet’s phone book and facilitate requests to specific webpages. They make sure you end up in the right place every time you type a website into your browser. Hackers will occasionally attack DNS providers in order to bring down the sites they are serving. Today, that happened to be Twitter, Reddit, PayPal and more.
That’s a really basic overview. But if you really want to understand how DNS works at a deeper level, you have to follow the complete order of operations. A typical internet user starts at one of many computers in a large network connected through underground cables (such as your laptop). The individual nodes on these networks communicate by referring to each other with numbers known as IP addresses. DNS is used to translate a request like a URL into an IP address.
When you enter a URL—such as www.Gizmodo.com—your browser starts trying to figure out where that website is by pinging a series of servers. It’s very detailed, and we won’t bore you with the complete chain of events. There are resolving name servers, authoritative name servers, domain registrars, and so on. The system is precisely configured to get you from browser bar to website seamlessly. The process is a little crazy, but perhaps the most insane part is that it all happens almost instantly. Anytime you’re browsing the web, opening dozens of tabs, requesting a bunch of different websites, your computer is pinging servers around the world to get you the right info. And it just works—until it doesn’t.
How does it break?
A DDoS attack is a common hack in which multiple compromised computers are used to attack a single system by overloading it with server requests. In a DDoS attack, hackers will use often use infected computers to create a flood of traffic originating from many different sources, potentially thousands or even hundreds of thousands. By using all of the infected computers, a hacker can effectively circumvent any blocks that might be put on a single IP address. It also makes it harder to identify a legitimate request compared to one coming from an attacker.
In the case of this morning’s attack, hackers brought down the servers of Dyn, a hugely popular DNS host that manages sites like Basecamp, CNN, Etsy, Github, Grubhub, HBO Now, Imgur, Paypal, Playstation Network, Reddit, Squarespace, and Twitter.
When the servers of Dyn were taken down, browsers essentially couldn’t figure out where to go to find the information to load on the screen. This type of attack happens every so often when hackers create a little army of private computers infected with malicious software known as a Botnet. The people that are often participating in the attack don’t realize their computer has been compromised and is part of a zombie army of attackers. In 2014, a hacker group called Lizard Squad shut down the Playstation Network and Xbox Live using this method. In 2015, a trojan virus called XOR DDoS helped hackers create a powerful botnet capable of taking down almost any server or website.
Defending servers against DDoS attacks can be difficult, but there are ways to prevent outages. According to Network World, one of the most common methods used is flow sampling, in which the system samples packets and identifies trends in network traffic. A flow analytics device evaluates traffic streams and identifies potentially bad traffic.
How do we protect ourselves?
Looking ahead, one big question stands out. How can we avoid attacks like this stealing internet access away from millions of Americans and losing companies millions of dollars in revenue?
The answer is complicated. As soon as security companies come up with new ways to protect companies like Dyn, hackers come up with new ways to attack them. In the case of DNS infrastructure, however, many point out that the best way for a website to avoid getting brought down by an attack on one host is simply to subscribe to multiple hosts. This is called DNS redundancy, and it’s probably the reason that some sites (like Pornhub) survived the attack unscathed.
In the case of the Dyn servers, it’s unclear exactly how they solved the problem, but the company is now reporting the issue resolved—about one hour after the problem started.
Millennials aren’t as savvy online as they might lead on. A new survey found that half of all tech support scam victims were 18- to 34-year-olds. For comparison sake, the next age group (36 to 54) made up just over a third (34 percent), and the old-timers (over 55) were only 17 percent as likely to be conned.
The recent Ipsos poll took place in 12 countries and surveyed 1,000 people on behalf of Microsoft. Two out of three had experienced a tech support scam over the last year.
Tech support scams have been around a while, but they’re increasingly common. The scam typically involves a third-party that calls, emails, or instant messages, claiming to be with Microsoft, Apple, Dell, HP, or any number of other well-known computer companies. They’ll explain that your machine has a problem — typically malware — and that they can take care of it remotely.
Once the user clicks a link giving the representative access to their machine, they’ll then use that window to install malware or create problems requiring pricey fixes — like ransomware, which hijacks your PC until you pay a ransom to get it back.
Millennials being the most-affected group isn’t surprising, but I’d wager that it’s less about being un-savvy and more about a flaw in polling methodology.
To be clear, I’m not doubting millennials are bad at spotting online threats — the entire population is, and younger people use their devices far more often than any other age group.
Here’s the rub.
The survey of 1,000 people didn’t take representative samples from each age demographic, meaning a small sample size of any (most likely the older age groups) wouldn’t be a good representative of the group as a whole.
With Millennials being the world’s largest generation, statistically speaking, you’d assume they’d also make up the largest percentage of respondents. With fewer people who are 55-plus — and a huge percentage of those not using computing devices with anywhere near the same frequency of a Millennial — you’d expect the data to be slightly skewed. The same would be true of the 18- to 36-year-old demographic, although on a smaller scale.
So, I’m not 100-percent certain I buy this.
Anecdotally, my mom once tried to give her email password to a guy on a plane to fix something on her iPhone — hence my hesitation in blindly accepting older people are more savvy in a technical sense.
SAN FRANCISCO — At the annual San Francisco WordCamp, WordPress creator Matt Mullenweg told the audience a fascinating stat about the service.
In a talk that also included details on the next two versions of WordPress, Mullenweg said, “We’re now up to 18.9 percent of the web running WordPress. … We’re going to see the number of people who have WordPress as part of their daily habits grow exponentially.”
Around 66 percent of those sites and blogs are in English. Monthly pageviews for all WordPress sites and blogs rose to a massive 4 billion in 2013.
Mullenweg also said around 30 percent of respondents in a recent survey from WP Engine were aware of WordPress as an entity or brand.
The service just celebrated its tenth anniversary in May, and parent company Automattic took a sizable $50 million funding round, also in May.
According to the latest data from web application performance management firm New Relic, Microsoft’s Internet Explorer 10 on Windows 8 currently has the fastest response time of any browser on Windows, leading the company – and Microsoft – to conclude that IE10 is currently the fastest browser on Windows. Looking at the 40 billion web pageviews it monitors every month, New Relic’s data shows that IE9 comes in second, followed by Firefox 15, Safari 5 and Chrome 21.
On the Mac, interestingly, an older version of Chrome (19) showed a faster average response time than any of the newer versions (New Relic’s data doesn’t include measurements from Chrome 23, though, as it was only released today).
As Hurricane Sandy delivers a glancing blow to New York City, the power company pulls the plug on parts of lower Manhattan, and some Web sites without redundant servers go down.
Power outages caused by Hurricane Sandy show why it’s good to have a duplicate Web server located somewhere far away from New York City right now.
Related posts
The local power company, Consolidated Edison shut down power to portions of lower Manhattan this evening in an effort to prevent damage to underground equipment.
That coincided with when Gawker.com and Gizmodo.com went offline. In a Twitter update at 4:21 p.m. PT, Gizmodo said: “We’ll be back soon! There was a data center battery failure after the power went down in Lower Manhattan. Generators powering up.”
Buzzfeed.com is also down, saying: “Our site is down. Problems with NY-area servers due to Sandy.” Livestream.com says it’s experiencing “a major outage.”
