TIME Security

This Website May Have Just Solved Passwords Forever

Now you can sign into Medium with your e-mail

Blogging site Medium has launched a password-free login system that uses only e-mail.

The e-mail login option provides an alternative to Medium’s previous login routes, which included only Facebook and Twitter, according to the site’s announcement. The change arrived after many users said they either did not have social media accounts or preferred not to use them. Other users lived in regions where Facebook and Twitter are blocked.

According to Medium, the feature works much like the familiar “forgot password” flow. A user enters their e-mail address on the site, and Medium sends a message containing a sign-in link that is valid for 15 minutes.

The trade-off is that the mailbox becomes the single factor. Medium has no way to tell whether an e-mail account has been compromised, so anyone who can read the user’s mail can sign in as that user; the 15-minute lifetime narrows the window but does not remove that dependency.
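The issue-and-redeem flow described above, as an added example in Go (this is not Medium’s code; the service, its in-memory store and all names are assumptions for the illustration): the server mints a random token, stores only its SHA-256 hash together with a 15-minute expiry, and accepts each link exactly once.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrInvalidLink covers unknown, expired and already-used tokens alike, so
// the response does not tell a caller which of the three applied.
var ErrInvalidLink = errors.New("invalid or expired login link")

// pendingLogin is one outstanding e-mailed link. The map key is the SHA-256
// of the token, so a copy of this table alone does not yield a usable link.
type pendingLogin struct {
	email   string
	expires time.Time
	used    bool
}

// MagicLinkService is a hypothetical in-memory issuer and verifier.
type MagicLinkService struct {
	mu      sync.Mutex
	pending map[[32]byte]pendingLogin
	ttl     time.Duration
	now     func() time.Time // injectable clock, so expiry can be exercised
}

func NewMagicLinkService(ttl time.Duration, now func() time.Time) *MagicLinkService {
	return &MagicLinkService{pending: map[[32]byte]pendingLogin{}, ttl: ttl, now: now}
}

// Issue mints a 256-bit random token for email and records its hash with an
// expiry. The returned token is what would be embedded in the e-mailed URL.
func (s *MagicLinkService) Issue(email string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[sha256.Sum256([]byte(token))] = pendingLogin{
		email:   email,
		expires: s.now().Add(s.ttl),
	}
	return token, nil
}

// Redeem accepts a token from a clicked link exactly once, and only before
// it expires. On success it returns the address the new session belongs to.
func (s *MagicLinkService) Redeem(token string) (string, error) {
	key := sha256.Sum256([]byte(token))
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.pending[key]
	if !ok || p.used || !s.now().Before(p.expires) {
		return "", ErrInvalidLink
	}
	p.used = true
	s.pending[key] = p
	return p.email, nil
}

func main() {
	clock := time.Now()
	svc := NewMagicLinkService(15*time.Minute, func() time.Time { return clock })

	token, err := svc.Issue("alice@example.com") // constructed sample address
	if err != nil {
		panic(err)
	}
	fmt.Println("link: https://example.invalid/login?token=" + token)

	email, err := svc.Redeem(token)
	fmt.Println("first click:", email, err) // alice@example.com <nil>
	_, err = svc.Redeem(token)
	fmt.Println("second click:", err) // invalid or expired login link

	later, _ := svc.Issue("bob@example.com") // constructed sample address
	clock = clock.Add(16 * time.Minute)
	_, err = svc.Redeem(later)
	fmt.Println("click after 16 minutes:", err) // invalid or expired login link
}
```

Storing the hash rather than the token means a leaked table cannot be turned into working links, and the single-use flag is what stops a link that was forwarded or logged from being replayed after the legitimate click.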

TIME Security

This Is What World War III Will Look Like

Houghton Mifflin Harcourt

P.W. Singer is Strategist at New America and August Cole is a Nonresident Fellow at the Atlantic Council. They are the co-authors of Ghost Fleet: A Novel of the Next World War.

An array of science-fiction-like technologies would likely make their debut

U.S. and Chinese warships battle at sea, firing everything from cannons to cruise missiles to lasers. Stealthy Russian and American fighter jets dogfight in the air, with robotic drones flying as their wingmen. Hackers in Shanghai and Silicon Valley duel in digital playgrounds. And fights in outer space decide who wins below on Earth. Are these scenes from a novel, or what could actually take place in the real world the day after tomorrow? The answer is both.

Great power conflicts defined the 20th century: Two world wars claimed tens of millions of lives, and the Cold War that followed shaped everything from geopolitics to sports. But at the start of the 21st century, the ever-present fear of World War III seemed to be in our historic rearview mirror.

Yet that risk of the past has made a dark comeback. Russian land grabs in Ukraine and constant flights of bombers decorated with red stars probing Europe’s borders have put NATO at its highest levels of alert since the mid-1980s. In the Pacific, the U.S. and a newly powerful and assertive China are engaged in a massive arms race. China built more warships and warplanes than any other nation during the last several years, while the Pentagon just announced a strategy to “offset” it with a new generation of high-tech weapons. Indeed, it’s likely China’s alleged recent hack of federal records at the Office of Personnel Management was not about cyber crime, but a classic case of what is known as “preparing the battlefield”: gaining access to government databases and personal records just in case.

The worry is that the brewing 21st century Cold War with China and its junior partner Russia could at some point turn hot. “A U.S.-China war is inevitable,” the Communist Party’s official People’s Daily newspaper recently warned after military face-offs over rights of passage and artificial islands built in disputed territory. This may be a bit of posturing, both for U.S. policymakers and for a highly nationalist domestic audience: A 2014 poll by the Perth USAsia Centre found that 74% of Chinese think their military would win in a war with the U.S. But it points to how the global context is changing. Many Chinese officers have begun to lament out loud what they call “peace disease,” their term for never having served in combat.

Wars start through any number of pathways: One world war happened through deliberate action, the other was a crisis that spun out of control. In the coming decades, a war might ignite accidentally, such as by two opposing warships trading paint near a reef not even marked on a nautical chart. Or it could slow-burn and erupt as a reordering of the global system in the late 2020s, the period at which China’s military buildup is on pace to match the U.S.

Making either scenario more of a risk is that military planners and political leaders on all sides assume their side would be the one to win in a “short” and “sharp” fight, to use common phrases. It would be anything but.

A great power conflict would be quite different from the small wars of today that the U.S. has grown accustomed to and that, in turn, others think reveal a new American weakness. Unlike the Taliban or even Saddam’s Iraq, great powers can fight across all the domains; the last time the U.S. fought a peer in the air or at sea was in 1945. But a 21st century fight would also see battles for control of two new domains.

The lifeblood of military communications and control now runs through space, meaning we’d see humankind’s first battles for the heavens. Similarly, we’d learn “cyber war” is far more than stealing Social Security Numbers or e-mail from gossipy Hollywood executives, but the takedown of the modern military nervous system and Stuxnet-style digital weapons. Worrisome for the U.S. is that last year, the Pentagon’s weapons tester found nearly every single major weapons program had “significant vulnerabilities” to cyber attack.

A total mindshift is required for this new reality. In every fight since 1945, U.S. forces have been a generation ahead in technology, having uniquely capable weapons like nuclear-powered aircraft carriers. It has not always translated to decisive victories, but it has been an edge every other nation wants. Yet U.S. forces can’t count on that “overmatch” in the future. Not only are these platforms vulnerable to new classes of weapons like long-range missiles; China, for example, overtook the EU in R&D spending last year and is on pace to match the U.S. within five years, with new projects ranging from the world’s fastest supercomputers to three different long-range drone-strike programs. And off-the-shelf technologies can now be bought that rival even the most advanced tools in the U.S. arsenal. The winner of a recent robotics test, for instance, was not a U.S. defense contractor but a group of South Korean student engineers.

An array of science-fiction-like technologies would likely make their debut in such a war, from AI battle management systems to autonomous robotics. But unlike groups like ISIS, great powers can also go after high tech’s new vulnerabilities, such as by hacking systems and knocking down GPS. The recent steps taken by the U.S. Naval Academy illustrate where things might be headed. It added a cybersecurity major to develop a new corps of digital warriors, and it also requires all midshipmen to learn celestial navigation, for when high tech inevitably runs into the age-old fog and friction of war.

While many leaders on both sides think any clash might be geographically contained to the Taiwan Strait or the edge of the Baltic, these technological and tactical shifts mean such a conflict is more likely to reach into each side’s homeland in new ways. Just as the Internet reshaped our notions of borders, so too would a war waged partly online.

The civilian players would also be different from those in 1941. The hub of any war economy wouldn’t be Detroit. Instead, tech geeks in Silicon Valley and shareholders in Bentonville, Ark., would wrestle with everything from microchip shortages to how to retool the logistics and allegiance of a multinational company. The new forms of civilian conflict actors, like Blackwater-style private military firms or Anonymous-style hacktivist groups, are unlikely to just sit out the fight.

A Chinese officer argued in a regime paper, “We must bear a third world war in mind when developing military forces.” But there is a far different attitude in Washington’s defense circles. As the U.S. Chief of Naval Operations worried last year, “If you talk about it openly, you cross the line and unnecessarily antagonize. You probably have a sense about how much we trade with that country, it’s astounding.”

This is true, but both the historic trading patterns between great powers before each of the last world wars and the risky actions and heated rhetoric out of Moscow and Beijing over the last year demonstrate it is no longer useful to avoid talking about the great power rivalries of the 21st century and the dangers of them getting out of control. We need to acknowledge the real trends in motion and the real risks that loom, so that we can take mutual steps to avoid the mistakes that could create such an epic fail of deterrence and diplomacy. That way we can keep the next world war where it belongs, in the realm of fiction.

TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.

TIME technology

Federal Agency Announces Temporary Shutdown of Hacked Database

Susan Walsh—AP. Office of Personnel Management (OPM) Director Katherine Archuleta testifies on Capitol Hill in Washington.

Hackers linked to China are believed to have stolen records for as many as 18 million current and former employees

(WASHINGTON) — The federal personnel agency whose records were plundered by hackers linked to China announced on Monday the temporary shutdown of a massive database used to update and store background investigation records after newly discovering a flaw that left the system vulnerable to additional breaches.

There is no evidence the vulnerability has been exploited by hackers, agency spokesman Samuel Schumach said in a statement, adding that the Office of Personnel Management took the step protectively. He said the system could be shut down for four to six weeks.

Hackers suspected of working for the Chinese government are believed to have stolen records for as many as 18 million current and former federal employees and contractors last year. Detailed background investigations for security clearances of military and intelligence agency employees were among the documents taken.

The shutdown announced Monday is expected to hamper agencies’ ability to initiate investigations for new employees and contractors, as well as renewal investigations for security clearances, Schumach said.

But, he added, the federal government will still be able to hire, and in some cases grant clearances on an interim basis.

The database is known as e-QIP, short for Electronic Questionnaires for Investigations Processing.

TIME cybersecurity

U.S. Intelligence Chief Points Finger at China for Data Hack

Bryan Thomas—Getty Images. Director of National Intelligence James Clapper speaks at the Council on Foreign Relations on March 2, 2015 in New York City.

Large data breach left millions of Social Security numbers exposed

The most senior U.S. intelligence official has openly implicated China in a large hack of U.S. government data.

James Clapper, the U.S. Director of National Intelligence, said Thursday that China was a “leading suspect” in a recent security breach that saw millions of personnel records of Americans stolen from government computers.

Previously, U.S. officials hadn’t named a suspect for the breach, which was disclosed in early June. Clapper mentioned China at an intelligence conference in Washington, D.C. “You have to kind of salute the Chinese for what they did,” he said, noting the difficulty of the attack.

Earlier this year Barack Obama signed an executive order that grants the Treasury greater ability to impose sanctions on countries who conduct cyberattacks against the U.S. China has denied involvement in the attack, which may have exposed as many as 18 million Social Security numbers.

[WSJ]

TIME privacy

WhatsApp Comes Up Short Protecting User Data, Privacy Watchdog Says

Justin Sullivan—Getty Images. The Facebook and WhatsApp app icons are displayed on an iPhone on February 19, 2014 in San Francisco.

Electronic Frontier Foundation evaluated the way dozens of companies handle user data

WhatsApp lags behind its consumer tech peers when it comes to protecting user data from government requests, according to a prominent privacy advocacy group.

In its annual Who Has Your Back? report, the Electronic Frontier Foundation awarded WhatsApp just one out of four stars when evaluating it across various categories concerning data protection. According to the EFF, WhatsApp doesn’t publish a transparency report detailing requests it’s received from the government, doesn’t promise to provide users advance notice of government data requests and doesn’t disclose its data retention policies. The messaging app does oppose creating purposeful security weaknesses, known as backdoors, that let government officials stealthily gather user data. Opposition to backdoor policies has become common among consumer tech giants.

On the other end of the spectrum, tech companies such as Adobe, Dropbox, WordPress and Yahoo received a five out of five rating from the EFF (unlike most of the companies, WhatsApp was only evaluated in four categories). These firms are doing a good job of providing users with transparency about their interactions with the government, according to the EFF’s evaluation.

Among the major cable, phone and Internet providers, AT&T performed the worst, netting just one star out of four. Sonic.net, an Internet Service Provider in the San Francisco bay area, earned five out of five stars.

Facebook, WhatsApp’s owner, did not immediately respond to a request for comment.

TIME Security

Samsung Says It’s Fixing a Nasty Security Flaw

Samsung Galaxy S6 Active (Samsung)

Security update will be available in the coming days

Samsung is planning a security update after researchers uncovered a vulnerability that could threaten as many as 600 million Galaxy phones. The company said in a statement Thursday that it will roll out an update in the coming days to address the issue, which makes phones vulnerable when downloading updates for the SwiftKey keyboard.

The vulnerability was discovered by the security company NowSecure last fall and made public this week. The SwiftKey keyboard checks for language pack updates over an unencrypted connection, which lets an attacker on the network path tamper with what the phone downloads. In a statement, Samsung noted that the probability of a hacker actually exploiting the vulnerability was low.

Owners of the Galaxy S4 and more recent models will have the security update automatically pushed to their phones. To ensure your phone receives automatic updates, go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates, and make sure the Automatic Updates option is activated. Users of older Galaxy models will have a firmware update made available to them that they can download.

TIME Security

There’s a Massive Security Flaw in the iPhone and Mac

George Frey—Getty Images. Apple's iPhone 6 (R) and iPhone 6 Plus (L) are shown together at a Verizon store in Orem, Utah, on September 18, 2014.

Malicious app that can steal passwords was approved for the App Store

Apple devices are often thought to be more secure than open platforms such as Windows and Android, but a recent study shows there are still significant malware threats for iPhone and Mac owners.

Researchers from Indiana University, Peking University and Georgia Tech have published a study highlighting security issues with the way apps communicate with each other on iOS and OS X. The researchers created an app that was able to steal users’ data from the password-storing keychain in OS X, as well as pilfer passwords from banking and email accounts via Google Chrome.

The researchers’ app was able to bypass the security measures Apple has in place to ensure one app can’t gain access to other apps’ data without permission. Methods used include hijacking a browser extension so hackers can collect passwords when users type them in and deleting passwords from the OS X keychain so they can be retrieved when the data is re-entered.

The biggest issue regarding the malicious app is that it was approved for placement in the App Store, which is supposed to be pre-screened by Apple staff for potentially malicious apps. Apple did not immediately respond to a request for comment.

The researchers said they informed Apple about the vulnerability in October but were asked to hold off on making the information public for six months. However, according to their study, the problems still persist. A system-wide update to OS X and iOS is the only way to fully protect against the vulnerabilities, according to the study’s authors.

TIME Security

Samsung Galaxy Keyboard Bug Exposes Users to Hackers

Spencer Platt—Getty Images. Samsung's latest flagship smartphones, the Galaxy S6 and the S6 Edge, are viewed at a Samsung store on the day of their release in New York City on April 10, 2015.

Hundreds of millions of users of Samsung Galaxy smartphone models S4 through S6 are potentially vulnerable to a computer bug that researchers disclosed at the Black Hat Conference in London on Tuesday.

The flaw, discovered by Ryan Welton, a researcher at the mobile security firm NowSecure, lets attackers wreak havoc on affected Samsung devices. It can give a hacker covert control over a phone’s microphone and camera, access to text messages, and the ability to install malicious apps, among other things.

The issue arises from a defect in the software updater for Samsung’s default virtual keyboard, a customized version of the word-prediction technology developed by SwiftKey. When a device downloads a language pack update, any man-in-the-middle attacker—a bad actor positioned on the same network as the user—can replace the real file with malware, thus compromising the device.

The default keyboard program checks for updates automatically, so even people who use other keyboard apps are vulnerable.

Two properties of the phones’ update process combine to make the vulnerability severe. First, the keyboard fetches its update files over an unencrypted connection with no integrity check, which is what lets an attacker on the path substitute a malicious file (as described above). Second, Samsung runs those updates with elevated permissions, so a substituted file is not confined the way an ordinary third-party app would be and can reach data and code across the device.

“Because Samsung phones grant extraordinarily elevated privileges to the updates,” writes Ars Technica security editor Dan Goodin, “the malicious payload is able to bypass protections built into Google’s Android operating system that normally limit the access third-party apps have over the device.”
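To make the substitution concrete, here is an added example in Go that is not SwiftKey’s or Samsung’s code (the update format, the function names and the sample pack bytes are constructed for this illustration). It puts the unverified installer next to one that checks an Ed25519 signature against a public key pinned in the app, the standard remedy for an update channel that can be tampered with. It addresses only the integrity half of the problem; the elevated privileges the article describes are an Android permission issue that signing does not fix.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// LanguagePackUpdate is what the updater receives over the network: the pack
// bytes and, in the hardened format, a detached signature over them. The
// field names are assumptions for this example.
type LanguagePackUpdate struct {
	Pack      []byte
	Signature []byte
}

var (
	ErrUnsigned     = errors.New("update carries no signature")
	ErrBadSignature = errors.New("update signature does not verify")
)

// applyUpdateUnverified models the pattern described above: whatever came
// back from the plain-HTTP fetch is installed as-is, so anyone on the path
// who swaps the body gets their bytes installed.
func applyUpdateUnverified(u LanguagePackUpdate) ([]byte, error) {
	return u.Pack, nil
}

// applyUpdateVerified installs the pack only if its signature verifies under
// a public key pinned in the app at build time. An attacker on the path can
// still block or replay an update, but cannot substitute content without the
// vendor's private key. TLS on the transport is still wanted on top of this.
func applyUpdateVerified(pinned ed25519.PublicKey, u LanguagePackUpdate) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, ErrUnsigned
	}
	if !ed25519.Verify(pinned, u.Pack, u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Pack, nil
}

// signPack is the vendor side: the private key lives on the build server and
// never on devices.
func signPack(priv ed25519.PrivateKey, pack []byte) LanguagePackUpdate {
	return LanguagePackUpdate{Pack: pack, Signature: ed25519.Sign(priv, pack)}
}

// mitmSwap models the on-path attacker: the body is replaced and the
// signature, if any, is left as-is, because the attacker cannot produce one.
func mitmSwap(u LanguagePackUpdate, payload []byte) LanguagePackUpdate {
	u.Pack = payload
	return u
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	genuine := signPack(priv, []byte("en_US language pack v2 (constructed)"))
	swapped := mitmSwap(genuine, []byte("attacker payload (constructed)"))

	if pack, err := applyUpdateUnverified(swapped); err == nil {
		fmt.Printf("legacy updater installed: %q\n", pack)
	}
	_, err = applyUpdateVerified(pub, swapped)
	fmt.Println("verified updater on swapped body:", err) // update signature does not verify
	pack, err := applyUpdateVerified(pub, genuine)
	fmt.Printf("verified updater on genuine body: %q %v\n", pack, err)
}
```

The check that matters is that the verifying key is baked into the app rather than fetched alongside the update; a key that travels over the same unauthenticated channel could be swapped by the same attacker.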

Andrew Hoog, the CEO of NowSecure, told the Wall Street Journal that his company alerted Samsung to the flaw in November. Two months later, Samsung requested another year to patch the problem. Three months after that, the company claimed to push a software fix out to wireless carriers, like Sprint and Verizon, and said the firm could take its findings public in another three months, reports WSJ’s Danny Yadron.

Realizing that the phones weren’t patched, but believing too much time had elapsed already, the NowSecure team decided to go ahead and present its discovery at the hacker conference, according to WSJ.

SwiftKey pointed out in a statement that its other apps are unaffected by the exploit, and that the current vulnerability—labeled CVE-2015-2865 in the industry’s taxonomical parlance—takes a bit of skill and a lot of good timing to pull off: “a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

Samsung, too, released a statement addressing the bug: “We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security,” the company said. “Samsung KNOX,” the company’s mobile security solution, “has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy will begin rolling out in a few days.”

“In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

For now, NowSecure recommends that users of Samsung Galaxy smartphones affected by the bug (NowSecure has published a list of the vulnerable models) should:

  • Avoid insecure Wi-Fi networks
  • Use a different mobile device
  • Contact carriers for patch information and timing

This article originally appeared on Fortune.com

TIME Security

This Tiny Box Is Your Home’s Defense Against Hackers

Bitdefender BOX (Bitdefender)

Meet the Bitdefender BOX

In Batman Begins, there’s a scene where the Dark Knight’s nemesis Scarecrow pours psychoactive drugs into the water supply in order to poison the people of Gotham City. Never in my life have I imagined that I’d ever use a Christian Bale movie as a metaphor for the Internet, but I can’t deny the reality that I’ve recently witnessed firsthand. Never mind super-villains — the web is crawling with real criminals continually pouring nastiness into our system of tubes, and as a result, we’re gulping down data from some seriously tainted pipes.

Recent research from Distil Networks has shown that 60% of the Internet’s traffic consists of bots, not people. Nearly a quarter of those bots are up to some pretty nasty stuff, like stealing passwords and credit card numbers. It’s an epidemic that’s only getting worse the more we rely on cloud computing. According to the report, the biggest culprits behind this — besides the hackers who unleash these bots on the web — are services like Amazon’s cloud services (where many bad bots make their home) and data networks like T-Mobile (which doesn’t do a great job of monitoring its traffic).

But perhaps the biggest problem with these bad bots is that most web users never see them. They open their tap, fill their drinking glasses with dirty data, swallow it down, feel refreshed and think all is well. But using Bitdefender BOX, I was able to put my stream of data under a digital microscope. Within minutes, I couldn’t believe the viruses, malware, and other nastiness that had been flowing my way all along undetected.

Smaller than a hockey puck, Bitdefender BOX is an Ethernet-connected security appliance that sits between your modem and your wireless router (it can also act as the router itself) and alerts you to every attempted intrusion or malicious payload arriving from the Internet. In short, it is a network intrusion detection system for the home.

“Every major company, every major corporation, has a big giant box like this sitting in their network,” says Rami Essaid, CEO of Distil Networks. “It’s analyzing every packet going in, every packet going out.”

The $199 hub is designed to protect all the devices on a home’s network, whether or not they’re loaded with virus-scanning software. It comes with one free year of service, which runs $99 per year afterwards. For that price, BOX customers get continual background upgrades that protect them from the latest and scariest bugs going. The best part is that users don’t have to update virus profiles or run memory-hogging background software on their PCs. It’s a set-it-and-forget-it solution that aims to block everything from fraud to phishing.

I installed BOX on my home network on a Friday evening. Frankly, I put it off as long as possible because my home has a moderately complex Wi-Fi setup, and I didn’t want to spend a work day unraveling a knot of networking problems. I use two Apple Airport Extremes to stretch both 2.4 GHz and 5 GHz networks across my property. I also have the wireless routers run guest networks, which I have configured only my smart home devices to connect to. The only thing I had to do to make BOX work properly for my setup was toggle my primary Airport Extreme into Bridge Mode. Upon doing that, BOX was able to do its thing, and all my devices, from iPhones to lightbulbs, to computers, functioned perfectly, as if BOX wasn’t even there. (Well, sort of. It turned out that BOX didn’t support my guest networks, so all my smart home gear had to be reconnected to my main network. But I suspect this is a problem few other users would encounter, so I wouldn’t slight Bitdefender for it.)

It took Bitdefender nearly 12 hours to recognize my nearly 30 connected devices, but while it was adding and analyzing them, everything worked fine. In fact, as my wife sat poking on her iPad next to me, my iPhone started to light up with notifications like “Dangerous website blocked,” and “A malware attempt was detected.”

These alerts immediately prompted her to wonder if I could monitor what she was browsing online. Generally, I could not, but if an alert popped on the accompanying BOX iOS app, I could see where the dangerous file originated from. But keep in mind, I told her, on the web, vile files flow in from every direction, not just the pages you surf to.

If I have a complaint about Bitdefender BOX, its iPhone app might be it. Though it’s good and generally responsive, it still needs some work. For instance, you have to rekey your password every day. It’s 2015, people: time to use Touch ID, throw in some 1Password/LastPass integration, and make your app as secure as it should be. Also, once inside the app, new alerts don’t get pushed over into the history after they’re viewed, so unless you’re keeping track, you have no idea how many bugs have floated your way since the last time you opened the app.

But if there was one thing that surprised me about BitDefender BOX, it’s the device’s “Private Line” feature. Essentially a Virtual Private Network (VPN) for dummies, Private Line lets users set up a tunnel between your mobile devices and BOX with the flip of a switch. In other words, when I’m out on the town using my AT&T mobile data, my web surfing will go from my handset to my home network, through the Bitdefender BOX to ensure I’m protected, and into the web. While using my iPhone 6 in this mode, I didn’t notice any lag, though there was one huge hiccup: I couldn’t send SMS messages (I could send iMessages). A representative from Bitdefender said she thought the problem might stem from AT&T not allowing messaging connections from servers other than its own. Whatever the root cause, I hope it gets resolved, because it was a Private Line deal-killer for me.

After the first week of running BOX, as its new gadget shine wore off and malware notifications piled up, complacency nearly became another deal-killer. BOX was great, but I wondered if it was doing anything more than my browser already could — after all, properly configured, they can block threats very well. Despite having more than a dozen smart home products on my network, not one of them got a nibble from a hacker.

“There are a lot of people that use bots to see what’s out there,” says Essaid, specifically calling out Dropcams and baby monitors — both of which I run 24-7. “What you’re going to start seeing is a lot of people probing you because you are connected to the web.”

And that’s what Bitdefender is banking on. The big idea behind BOX is that it can stand guard between the bad guys and your smart home gear, most of which is defenseless. In fact, according to a study by ThroughTek, cybersecurity is the number one concern for buyers of smart home products, with 25% of people concerned about their personal data getting out. Until I had this device, I had no idea if someone was trying to digitally break into my home. I just hoped that they weren’t. But the more attacks I see bouncing off my phones, tablets, and computers, the more I’m convinced Bitdefender has the chops to keep all my Internet-connected gear safe. So in that way, Bitdefender may just be the hero the Internet of Things deserves, just not the one it needs right now.

MONEY privacy

1 in 4 Americans Would Share Their DNA With Their Bank

Test tube with DNA sequence (Zmeel Photography—Getty Images)

We'd do just about anything to keep fraudsters at bay.

For most Americans, the username-password security feature isn’t good enough anymore. A quarter of consumers said they’d share their DNA with their bank, if it meant greater security for their personal and financial information, according to a survey from Telstra, a telecommunications and information services company in Australia.

About two-thirds of Americans surveyed also said they would prefer their smartphones use biometrics (i.e. a fingerprint) as the gatekeeper of secure information.

The Telstra data is based on a survey of 318 financial services executives in Europe, the U.S. and the Asia Pacific region and 4,272 consumers in seven countries — it’s unclear what share of the responses came from the U.S. or what the margin of error is.

According to the data, more than half of U.S. consumers said security of their finances and personal information is their top priority when choosing a financial institution, over things like interest rates and ease of accessing funds, which are traditionally important considerations when choosing a bank. Given the increasing popularity of mobile banking — a recent report from Javelin Strategy & Research said only 17% of consumers prefer to visit a bank branch to access their checking accounts — it makes sense that consumers would want to know there’s more than a username and password between whoever is holding their phones and their financial information.

Biometric security includes things like voice, facial, fingerprint and iris recognition, ideally ensuring only you can access your bank account on the mobile device. Many of the newest smartphones are capable of biometric security, making the features seem within reach for financial institutions.

Even if your banking app isn’t yet asking for your fingerprints, there are a lot of things you can do to increase your security. First, it’s a good idea to password-protect your phone, because your personal information isn’t limited to your banking app, and you don’t want anyone accessing that without your permission. On top of that, it’s crucial you look at information security from multiple angles: Monitor your bank accounts and credit information for signs of unauthorized activity, because despite your best efforts, it’s likely a fraudster will access and abuse your personal information at some point. As soon as you identify suspicious activity — for example, you’re checking your credit score and it dropped dozens of points for no reason you can think of — immediately investigate the problem. The sooner you alert your financial service providers and the credit reporting agency to unauthorized activity, the faster you’re likely to recover from any damage the fraudster caused. You can monitor your credit scores for free on Credit.com every month.

