TIME Security

Watch: What You Need to Know About the POODLE Bug

Third security flaw discovered this year, but researchers say it's not as powerful as Heartbleed

The POODLE bug may sound silly, but it can cause some serious damage.

POODLE, which stands for Padding Oracle on Downloaded Legacy Encryption, makes it possible for hackers to snoop on a user’s web browsing. The problem is an 18-year-old encryption standard, known as SSL v3, which is still used by older browsers like Internet Explorer 6.

SSL protects data exchanged between a website and a user, indicated by a green padlock icon. If you’re a home user, don’t panic — you’re not at high risk. But, just to be safe, one solution is to upgrade your web browser.

TIME Innovation

This $150 Device Just Made It Ridiculously Cheap to Crack Open a Safe


The contraption fastens to a dial commonly used to lock ATMs and guesses the combination through trial and error

A pair of Australian-based security experts have developed a $150 safe-cracking device, making a technology normally reserved for defense department budgets accessible to anyone who can afford a smartphone.

The contraption, which was fashioned out of repurposed electronics and 3D-printed components, fastens onto a safe and spins the dial through a series of combinations, gradually cracking the code through trial and error, the Register reports.

Its inventors, Jay Davis and Luke Janke, say it typically takes four days to pop a standard 2-combination lock which is commonly used to secure ATMs, but they suspect that time could be shaved down to a matter of minutes by simply spinning a few of the default codes set by the lock’s manufacturer. Turns out a startling number of customers don’t bother to reset the code to something more personal and secure.

Another tweak would give the device some longer term memory to track untested combinations, “so if you get busted you can run away and come back and try later on,” Davis told the Register, “not that we condone that.”

[Register]

TIME Security

Microsoft Patches Computer Bug Linked to Russian Hackers

Microsoft's Windows 8.1 Goes On Sale
An attendant displays a Fujitsu Ltd. Arrows Tab tablet, running Microsoft Corp.'s Windows 8.1 operating system, during a launch event for the operating system in Tokyo, Japan, on Friday, Oct. 18, 2013. Bloomberg—Bloomberg via Getty Images

Microsoft has fixed a series of software bugs, at least one of which was exploited by Russian hackers, according to a new report

Microsoft on Tuesday issued patches fixing 24 vulnerabilities found in Windows, Internet Explorer, Office and the .Net Framework, some of which closed security holes exploited in attacks against Western targets linked to Russian hackers. The company’s patches fix more than a dozen vulnerabilities that allow remotely located hackers to take control of a target computer, according to a note from Microsoft.

The issues were first revealed by Dallas-based security firm ISight, which said Tuesday that Russia-tied hackers had been using a previously unknown bug in Microsoft Windows Vista through Windows 8.1 to attack NATO, the European Union and targets in Ukraine since September. ISight partnered with Microsoft to report the bug.

The hacks against Western targets are part of a growing wave of cyberattacks linked to Russia amid that country’s ongoing conflict with Ukraine. However, it’s unclear exactly what data hackers took as part of the attack.

“Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree,” ISight said Tuesday.


TIME Security

Dropbox Denies Thousands of Accounts Were Hacked

Key Speakers At The Brooklyn Beta Conference
Dropbox Inc. signage is displayed at the Brooklyn Beta conference in the Brooklyn borough of New York, U.S., on Friday, Oct. 12, 2012. Bloomberg—Bloomberg via Getty Images

"Your stuff is safe," Dropbox tells users after hacking scare

Dropbox said Monday that a list of login credentials posted online earlier this week was not the result of Dropbox itself being targeted by hackers; rather, hackers stole usernames and passwords from other services and then tried those credentials against Dropbox accounts.

“The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,” said Anton Mityagin of Dropbox’s security team in a blog post. “Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox.”

Hundreds of username and password combinations allegedly belonging to Dropbox users appeared early this week on the website Pastebin, a common dumping ground for hackers to post such information. An accompanying message alleged that 7 million Dropbox accounts were hacked in total, The Next Web reported Monday, and the hacker or hackers were asking for money before posting the rest of the information. However, Dropbox later said that a larger list of usernames and passwords posted online was “not associated with Dropbox accounts.”

Dropbox also said it recently reset passwords on accounts which showed suspicious login activity, a move it said prevented the service from being breached. “We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens,” Mityagin wrote. Dropbox also emailed any affected users and advised them to change their passwords on Dropbox as well as other Internet services.

Hackers often target less secure platforms to steal login information they then use on other websites, as seems to be the case here. That’s why it’s a good idea to use different passwords on different websites as well as activate two-step authentication wherever available.
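The pattern described above, credentials stolen elsewhere and replayed against many accounts from one source, is visible in an authentication log. The following is an added example, not Dropbox's code: it flags source IPs that hit many distinct accounts in a short window with mostly failures, and returns the accounts those sources actually got into, which are the ones to reset and notify. The log format, thresholds and sample lines are constructed for the example.

```python
# Added example (not Dropbox's code): detect credential-stuffing bursts in a
# constructed auth log and list the accounts whose passwords should be reset.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2014-10-13T02:00:01 198.51.100.7 alice FAIL
2014-10-13T02:00:02 198.51.100.7 bob FAIL
2014-10-13T02:00:02 198.51.100.7 carol OK
2014-10-13T02:00:03 198.51.100.7 dave FAIL
2014-10-13T02:00:04 198.51.100.7 erin FAIL
2014-10-13T02:00:05 198.51.100.7 frank OK
2014-10-13T02:00:06 198.51.100.7 grace FAIL
2014-10-13T02:00:07 198.51.100.7 heidi FAIL
2014-10-13T02:00:08 198.51.100.7 ivan FAIL
2014-10-13T02:00:09 198.51.100.7 judy FAIL
2014-10-13T02:05:00 203.0.113.9 alice OK
2014-10-13T02:06:00 203.0.113.9 alice FAIL
2014-10-13T02:06:30 203.0.113.9 alice OK
"""

def parse(log_text):
    """Turn each log line into (timestamp, ip, user, succeeded)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events

def stuffing_sources(events, window=timedelta(minutes=5), min_users=8, max_success_rate=0.5):
    """Return {ip: set of users it logged into} for sources that tried at least
    min_users distinct accounts inside one window with a low success rate.
    A legitimate user retrying a forgotten password hits one account, not many."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):   # slide the window over each start
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            if len(users) >= min_users and successes / len(in_window) <= max_success_rate:
                flagged[ip] = {u for _, u, ok in in_window if ok}
                break
    return flagged

def accounts_to_reset(log_text):
    """Accounts a flagged source actually entered: reset them and notify the owners."""
    flagged = stuffing_sources(parse(log_text))
    return sorted(set().union(*flagged.values())) if flagged else []
```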

TIME Security

Snapchat Says Leak of Nude Photos Isn’t Its Fault

The logo of mobile app "Snapchat" is displayed on a tablet on January 2, 2014 in Paris.
Lionel Bonavent—Getty Images

Company says third-party applications were responsible for the breach of as many as 200,000 user accounts

Images from tens of thousands of Snapchat user accounts, many explicit, were leaked onto the internet late Thursday — but the messaging app said the hack wasn’t its fault.

Snapchat said that third-party applications were responsible for the breach of as many as 200,000 user accounts, and that its own servers were never compromised.

A 13GB database of Snapchat photographs taken over a number of years was leaked to online messageboards Thursday. It reportedly includes a large amount of child pornography, from teenage users.

“Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security,” a statement read. “We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

The news comes just weeks after the release of nude photos of more than 100 celebrities in a massive hack of photos stored in Apple’s iCloud.

TIME Security

Malware Hack Dips Into Dairy Queen Customer Data

Two-Story Dairy Queen The First To Open In Manhattan
A S'mores flavored blizzard is seen at a Dairy Queen, the first to open in Manhattan, on May 29, 2014 in New York City. There are more than 6,300 Dairy Queens in the U.S. Andrew Burton—Getty Images

Hackers gained access to 600,000 cards

Dairy Queen announced on Thursday that its customer data had been compromised by malware.

The ice cream chain said the breach affected 395 of its over 4,500 locations in the United States. The hacked information contained the names and credit card information of past customers. Fewer than 600,000 cards were affected. Dairy Queen has provided a list of targeted locations.

The company will offer free identity repair services for one year to affected customers and franchise owners, including at Orange Julius locations, John Gainor, president and CEO of International Dairy Queen, said in a statement. “Our customers continue to be our top priority.”

The Backoff malware used to hack Dairy Queen has been used to attack more than 1,000 businesses, the Secret Service reports. Large retailers such as Target and Home Depot have been targeted for larger hacks. Last week, JP Morgan Chase announced a data breach in its system that affected over 76 million households and 7 million small businesses.

TIME Security

Report: Hackers Attacked 9 Other Financial Firms Besides JPMorgan

Officials say hackers with ties to the Russian government were involved in the JPMorgan attack

JPMorgan Chase, which was hit by a massive hack disclosed in August, was just one of 10 financial institutions infiltrated by a group of overseas hackers that may have connections to officials in the Russian government, according to a new report.

Unnamed sources told the New York Times that the hackers who stole addresses, names, email addresses and phone numbers from 76 million households and 7 million small businesses by attacking JPMorgan’s systems appeared to have at least loose connections with officials of the Russian government.

Officials said it was unclear whether the hackers were politically motivated. “It could be in retaliation for the sanctions” placed on Russia, one senior official briefed on the intelligence told the Times. “But it could be mixed motives — to steal if they can, or to sell whatever information they could glean.”

Besides attacking JPMorgan, the group of hackers also hacked nine other financial institutions whose identities have yet to be disclosed.

The security team at JPMorgan, the country’s largest bank by assets, was able to block hackers from compromising the most sensitive information about tens of millions of customers, security experts told the Times.

The bank was only able to halt the attack by the middle of August, and in recent days discovered the full extent of the attack.

[NYT]

TIME Security

Why the JPMorgan Chase Bank Hack Isn’t As Bad As it Sounds

U.S. Banks Post Near-Record Profits In Second Quarter Of 2014
A man walks past JP Morgan Chase's corporate headquarters on August 12, 2014 in New York City. Andrew Burton—Getty Images

Take these steps to protect yourself

JPMorgan Chase said late Thursday that a cyberattack against the bank exposed personal data from 76 million households. Sounds pretty bad for the bank’s customers, right? Well, it is — and it’s awful for the company — but it could’ve been a lot worse.

According to JPMorgan, the hackers responsible for the heist made off with only customers’ names, addresses, phone numbers and email addresses. That’s a lot of personal data — but it isn’t on the same “uh-oh” level as credit card numbers, bank account numbers or passwords, as it’s all pretty easily found online anyway, no hacking required.

However, there’s still a threat here — albeit one that existed beforehand, too. The information the hacker(s) managed to grab can be used to get that other highly sensitive data and, potentially, access to your accounts. How? It’s a process called “social engineering,” which I promise has a lot less to do with Nazis than it sounds. Through social engineering, hackers use easy-to-get data about you, like a name, a phone number and maybe the name of the obedience school your maternal great-grandmother took her second dog to, to work their way through your bank or other account’s security verification questions posing as you. If they do a good enough job, the security folks think that yeah, that’s you, and the hackers get access to your accounts. Scary stuff!

But if you’re worried about the JPMorgan Chase hack and how it might affect you, here are some practical tips:

1. Change your passwords. You should be doing this regularly even without massive hacks happening.

2. Closely monitor your bank and credit card statements and credit score. Immediately report any irregularities to your bank or other relevant company.

3. You can try locking down your credit score, but this can be expensive and it has drawbacks.

4. Here’s a favorite tip of mine: Memorize and use fake answers to those terrible security authentication questions. Anybody can figure out your mother’s maiden name with some simple Google searching, but it’s much harder to figure out the name you told your bank was actually “Jingleheimer-Smith-Hamburger” rather than “Johnson.”

5. Don’t click any suspicious links in any suspicious emails. Always good advice.

6. Finally, wherever available, turn on Two-Step Authentication. This turns your mobile phone into a sort of secondary password that you carry with you at all times, far away from any nefarious hackers.

TIME Security

JPMorgan Says 76 Million Households Hit by Cyberbreach

Signage for JPMorgan Chase & Co. is displayed atop Chater House in the central business district of Hong Kong on Aug. 29, 2013. Bloomberg/Getty Images

A cyberbreach at the biggest U.S. bank also compromised data from 7 million small businesses

JPMorgan Chase revealed Thursday that a cybersecurity breach disclosed over a month ago affected 76 million households and 7 million small businesses.

The country’s largest bank by assets said in a regulatory filing that the cyberbreach exposed customer names, addresses, phone numbers and e-mail addresses, but that there was no indication that data that could be used to break into customers’ finances had been accessed.

“There is no evidence that account information for such affected customers — account numbers, passwords, user IDs, dates of birth or Social Security numbers — was compromised during this attack,” JPMorgan Chase said.

JPMorgan also said that it has not seen any unusual customer fraud related to the data breach.

The breach at JPMorgan, which was first disclosed in late August, affects more individuals than both the Target attack last year and the recent Home Depot breach, in which data from 40 million and 56 million credit cards were compromised, respectively.

TIME Security

Londoners Unwittingly Exchange First Born Children For Free Wi-Fi

Signed agreement that included a "Herod Clause," in experiment designed to show dangers of unguarded Wi-Fi hotspots

Not reading the small print could mean big problems, as a handful of Londoners who accidentally signed away their firstborn children in exchange for access to free Wi-Fi recently found out.

An experiment organized by the Cyber Security Research Institute was conducted in some of the busiest neighborhoods in London and intended to highlight the major risks associated with public Wi-Fi networks.

In June, researchers set up a Wi-Fi hotspot that promised network access to users who agreed to a set of terms and conditions. These included a “Herod Clause” offering free Wi-Fi if the user agreed to hand over their eldest child “for the duration of eternity.” The page was disabled after six people signed up.

Finnish security firm F-Secure, which sponsored the research, said it had decided not to enforce the clause. “As this is an experiment, we will be returning the children to their parents,” wrote the Finnish company in its report. “While terms and conditions are legally binding, it is contrary to public policy to sell children in return for free services, so the clause would not be enforceable in a court of law.”

The company urged people to take Wi-Fi security more seriously. Sean Sullivan, security advisor at F-Secure, told The Guardian: “People are thinking of Wi-Fi as a place as opposed to an activity…You don’t do unprotected Wi-Fi at home, why are you doing it in public?”

[The Guardian]
