TIME Security

Google Now Supports USB Security Keys for Two-Step Verification

Most security experts agree that you should secure all your online accounts with two-step verification when you can. It’s an important additional security feature that requires you to have access to a physical item (typically, a mobile phone) to gain access to your online accounts.

After entering your password, you enter a second code from your smartphone to double-verify your identity. With two-step verification enabled, even if someone steals your current password through a hack, they won’t be able to enter your accounts unless they also steal that physical item – a requirement that stops most bad guys in their tracks.

Of course, there are always situations where you may not want to use – or simply don’t have access to – a mobile phone. That’s why Google announced the launch of Security Key. It enables two-step authentication for your Google accounts through the use of a physical USB stick.

“Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google,” the company explains on its official UK blog. “Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.”

Security Key requires a USB drive to work, so it’s not compatible with most mobile phones and tablets. Security Key also requires you to use the Chrome web browser (version 38 or newer) to complete verification. And, of course, there are questions about just how secure the USB format is in general due to the recently discovered BadUSB vulnerability.
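The phishing resistance described above comes from the browser, not the web page, naming the site's origin inside the data the key signs, and from the key only signing for the site it was registered with. The following is an added simulation of that origin binding, not Google's or FIDO's code; it substitutes an HMAC secret shared with the site for the key's real per-site ECDSA key pair, and the origins, class and function names are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import secrets
from urllib.parse import urlparse

REAL_ORIGIN = "https://accounts.google.com"       # the site the key was registered with
FAKE_ORIGIN = "https://accounts-google.example"   # constructed look-alike phishing site


class SecurityKey:
    """Simulated U2F-style key. A real key holds a per-site ECDSA key pair; an HMAC
    secret shared with the site stands in for it here (simplification, not the real protocol)."""

    def __init__(self):
        self._slots = {}  # key handle -> (app_id it was registered for, secret)

    def register(self, app_id):
        handle, secret = secrets.token_hex(8), os.urandom(32)
        self._slots[handle] = (app_id, secret)
        return handle, secret  # the site keeps `secret` where it would keep the public key

    def sign(self, handle, app_id, client_data):
        stored_app_id, secret = self._slots[handle]
        if stored_app_id != app_id:
            raise ValueError("key handle was not registered for this app_id")
        # The signature covers the app_id and the browser-built client data (which names the origin).
        msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(secret, msg, hashlib.sha256).digest()


class Browser:
    """Chrome's role: the browser, not the page, writes the origin into the signed client data."""

    def __init__(self, key):
        self.key = key

    def get_assertion(self, page_origin, requested_app_id, handle, challenge):
        # A page may only ask for an app_id that belongs to its own origin.
        if urlparse(requested_app_id).netloc != urlparse(page_origin).netloc:
            raise PermissionError("app_id does not belong to the page's origin")
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": challenge, "origin": page_origin},
                                 sort_keys=True).encode()
        return client_data, self.key.sign(handle, requested_app_id, client_data)


class RelyingParty:
    """The genuine site: one stand-in secret per enrolled key handle, plus outstanding challenges."""

    def __init__(self, origin):
        self.origin, self.registered, self.pending = origin, {}, set()

    def enroll(self, key):
        handle, secret = key.register(self.origin)
        self.registered[handle] = secret
        return handle

    def new_challenge(self):
        challenge = secrets.token_urlsafe(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, handle, client_data, signature):
        data = json.loads(client_data)
        # Reject a signature made on another origin, or one replayed with a used challenge.
        if data.get("origin") != self.origin or data.get("challenge") not in self.pending:
            return False
        self.pending.discard(data["challenge"])
        secret = self.registered.get(handle)
        if secret is None:
            return False
        msg = hashlib.sha256(self.origin.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).digest(), signature)


def login_from(page_origin, requested_app_id, rp, browser, handle):
    """Try to log in to `rp` from a page at `page_origin`; True only if the site accepts."""
    challenge = rp.new_challenge()
    try:
        client_data, signature = browser.get_assertion(page_origin, requested_app_id, handle, challenge)
    except (PermissionError, ValueError):
        return False  # browser or key refused: a phishing page never gets a signature to relay
    return rp.verify(handle, client_data, signature)
```

A look-alike page fails both ways: if it asks for the real site's app_id the browser refuses because the origin does not match, and if it asks for its own app_id the key refuses because the handle was enrolled for a different site, so there is no signature to relay.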

If you want to give Security Key a try, you’ll need to purchase a FIDO U2F-certified key to use with the feature. You can buy a basic USB security key on Amazon for $5.99, or something slightly sturdier with a button for $17.99. You can learn how to register and add a Security Key to your Google account by visiting the Google Help page.

This article was written by Fox Van Allen and originally appeared on Techlicious.


TIME Security

China iCloud Attack Could Be State-Sponsored Hacking

A Chinese man sets up his new iPhone 6 inside an Apple store on October 17, 2014 in Beijing, China. Feng Li—Getty Images

The iCloud attack coincided with the iPhone 6 releases in China

Chinese users recently attempting to access Apple’s iCloud online data storage service may have had their personal information stolen in what one cybersecurity firm claims was a high-level cyberattack backed by Chinese authorities.

GreatFire, an independent Chinese censorship watchdog, said the hack was a “man-in-the-middle” attack, in which hackers get access to users’ files by getting them to enter their login information into a fake login site. The hackers then sit in “the middle” between users and the service, grabbing data as it’s transmitted between the two.

Apple confirmed the attack Tuesday, stating that it is “aware of intermittent organized network attacks using insecure certificates to obtain user information.” The firm added that the attacks “don’t compromise iCloud servers, and they don’t impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.”

GreatFire said the hackers involved with the iCloud breaches used servers accessible only to state-run organizations and Chinese authorities, a sign the attacks had the blessing of such authorities. The hack came just as the iPhone 6 was released in China after a delay over the government’s security concerns.

The iCloud attack follows a report earlier this month that “a very large organization or nation state” was putting malicious spyware onto iPhones and iPads belonging to Hong Kong’s pro-democracy protestors. GreatFire also previously reported that Chinese authorities had launched attacks on GitHub, Google, Yahoo and Microsoft in an apparent effort to censor those services.

“This is what nation states do to ‘protect’ their citizens. There is nothing surprising or unexpected in this revelation,” said Phil Lieberman, president of cybersecurity firm Lieberman Software. “It would not be hard to find other countries doing similar things.”

TIME Security

Microsoft Patches Computer Bug Linked to Russian Hackers

An attendant displays a Fujitsu Ltd. Arrows Tab tablet, running Microsoft Corp.'s Windows 8.1 operating system, during a launch event for the operating system in Tokyo, Japan, on Friday, Oct. 18, 2013. Bloomberg—Bloomberg via Getty Images

Microsoft has fixed a series of software bugs, at least one of which was exploited by Russian hackers, according to a new report

Microsoft on Tuesday issued patches fixing 24 vulnerabilities found in Windows, Internet Explorer, Office and the .Net Framework, some of which closed security holes exploited in attacks against Western targets linked to Russian hackers. The company’s patches fix more than a dozen vulnerabilities that allow remotely located hackers to take control of a target computer, according to a note from Microsoft.

The issues were first revealed by Dallas-based security firm ISight, which said Tuesday that Russia-tied hackers had been using a previously unknown bug in Microsoft Windows Vista through Windows 8.1 to attack NATO, the European Union and targets in Ukraine since September. ISight partnered with Microsoft to report the bug.

The hacks against Western targets are part of a growing wave of cyberattacks linked to Russia amid that country’s ongoing conflict with Ukraine. However, it’s unclear exactly what data hackers took as part of the attack.

“Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree,” ISight said Tuesday.


TIME Security

Dropbox Denies Thousands of Accounts Were Hacked

Dropbox Inc. signage is displayed at the Brooklyn Beta conference in the Brooklyn borough of New York, U.S., on Friday, Oct. 12, 2012. Bloomberg—Bloomberg via Getty Images

"Your stuff is safe," Dropbox tells users after hacking scare

Dropbox said Monday that a list of login credentials posted online early this week was not made public as the result of it being targeted by hackers, but rather because hackers stole usernames and passwords from other services and attempted to use those credentials to access Dropbox accounts.

“The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,” said Anton Mityagin of Dropbox’s security team in a blog post. “Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox.”

Hundreds of username and password combinations allegedly belonging to Dropbox users appeared early this week on the website Pastebin, a common dumping ground for hackers to post such information. An accompanying message alleged that 7 million Dropbox accounts were hacked in total, The Next Web reported Monday, and the hacker or hackers were asking for money before posting the rest of the information. However, Dropbox later said that a larger list of usernames and passwords posted online was “not associated with Dropbox accounts.”

Dropbox also said it recently reset passwords on accounts that showed suspicious login activity, a move it said prevented the service from being breached. “We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens,” Mityagin wrote. Dropbox also emailed any affected users and advised them to change their passwords on Dropbox as well as other Internet services.

Hackers often target less secure platforms to steal login information they then use on other websites, as seems to be the case here. That’s why it’s a good idea to use different passwords on different websites as well as activate two-step authentication wherever available.
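The pattern described in this article, credentials stolen from one site and replayed against another, leaves a recognisable trace in login logs: one source trying many different usernames with mostly failures. The following detection logic is an added example, not Dropbox's code; the log format, thresholds and sample lines are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real data); fields: time, source IP, username, result.
# 203.0.113.7 walks a list of usernames, two of which reused a password stolen elsewhere;
# 198.51.100.9 is one user mistyping a password once, then succeeding.
SAMPLE_LOG = """\
2014-10-13T02:00:01Z 203.0.113.7 alice FAIL
2014-10-13T02:00:02Z 203.0.113.7 bob FAIL
2014-10-13T02:00:03Z 203.0.113.7 carol FAIL
2014-10-13T02:00:04Z 203.0.113.7 dave OK
2014-10-13T02:00:05Z 203.0.113.7 erin FAIL
2014-10-13T02:00:06Z 203.0.113.7 frank FAIL
2014-10-13T02:00:07Z 203.0.113.7 grace OK
2014-10-13T02:10:00Z 198.51.100.9 alice FAIL
2014-10-13T02:10:30Z 198.51.100.9 alice OK
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"time": m[1], "ip": m[2], "user": m[3], "ok": m[4] == "OK"})
    return events


def stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Source IPs that tried many distinct usernames and mostly failed: the signature of
    replaying a credential list from another site, not of one user mistyping a password."""
    users, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        users[e["ip"]].add(e["user"])
        attempts[e["ip"]] += 1
        successes[e["ip"]] += e["ok"]
    return {ip for ip in attempts
            if len(users[ip]) >= min_users and successes[ip] / attempts[ip] <= max_success_rate}


def accounts_to_reset(events):
    """Accounts a flagged source logged into: their reused password worked here, so reset it
    and notify the user, as the article describes Dropbox doing."""
    flagged = stuffing_sources(events)
    return sorted({e["user"] for e in events if e["ip"] in flagged and e["ok"]})
```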

TIME Security

Report: Hackers Attacked 9 Other Financial Firms Besides JPMorgan

Officials say hackers with ties to the Russian government were involved in the JPMorgan attack

JPMorgan Chase, which was hit by a massive hack disclosed in August, was just one of 10 financial institutions infiltrated by a group of overseas hackers that may have connections to officials in the Russian government, according to a new report.

Unnamed sources told the New York Times that the hackers who stole addresses, names, email addresses and phone numbers from 76 million households and 7 million small businesses by attacking JPMorgan’s systems appeared to have at least loose connections with officials of the Russian government.

Officials said it was unclear whether the hackers were politically motivated. “It could be in retaliation for the sanctions” placed on Russia, one senior official briefed on the intelligence told the Times. “But it could be mixed motives — to steal if they can, or to sell whatever information they could glean.”

Besides attacking JPMorgan, the group of hackers also hacked nine other financial institutions whose identities have yet to be disclosed.

The security team at JPMorgan, the country’s largest bank by assets, was able to block hackers from compromising the most sensitive information about tens of millions of customers, security experts told the Times.

The bank was only able to halt the attack by the middle of August, and in recent days discovered the full extent of the attack.

[NYT]

TIME Technology & Media

Facebook Changing Research Methods After Controversial Mood Study

The Facebook Inc. logo is displayed an Apple Inc. iPad Air past water droplets in this arranged photograph in Washington, D.C., U.S., on Monday, Jan. 27, 2014. Bloomberg—Bloomberg via Getty Images

“It is clear now that there are things we should have done differently”

Facebook has issued a mea culpa for a controversial experiment on its users that gained widespread attention over the summer, promising to revamp its research practices going forward.

In a blog post, Chief Technology Officer Mike Schroepfer acknowledged the social network mishandled a 2012 study that altered the types of posts some users saw in their News Feeds in order to determine whether such a change would affect the emotional tone of their own posts. The results of the study were published this June, angering some users because no one gave prior consent for the study, nor did it clear any kind of review board, a step typically undertaken by academic research organizations.

“It is clear now that there are things we should have done differently,” Schroepfer wrote. “For example, we should have considered other non-experimental ways to do this research. The research would also have benefited from more extensive review by a wider and more senior group of people. Last, in releasing the study, we failed to communicate clearly why and how we did it.”

The company is now instituting a new framework for handling both internal experiments and research that may later be published. Research that is studying specific groups of people or relates to “deeply personal” content (such as emotions) will go through an “enhanced review process” before being approved. Facebook has also set up a panel of employees from different parts of the company, such as the privacy and legal teams, that will review potential research projects. The social network will also incorporate education on research practices into the introductory training that is given to new company engineers and present all the public research it conducts on a single website.

Facebook did not provide any detail on what the enhanced review process would look like or whether external auditors would review the company’s research. The company also retains the right to conduct any experiments it deems appropriate through its data use policy.

TIME privacy

Celebrity Lawyer Threatens Google With $100 Million Suit Over Nude Selfies

Model Kate Upton attends The Daily Front Row Second Annual Fashion Media Awards at Park Hyatt New York on September 5, 2014 in New York City. Rommel Demano—Getty Images

“Google’s ‘Don’t be evil’ motto is a sham.”

Updated 2:54 p.m. ET Thursday

A lawyer representing more than a dozen celebrities whose personal and sometimes nude photos were stolen and shared on the Internet issued a scathing letter to Google that accuses the tech giant of helping the images spread and threatens a $100 million lawsuit.

The letter, written by lawyer Marty Singer and obtained by The Hollywood Reporter, calls Google’s conduct “despicable” for what it says is Google’s failure to remove the images and its “facilitating and perpetuating the unlawful conduct.”

A Google spokesperson said via email Thursday afternoon that “We’ve removed tens of thousands of pictures — within hours of the requests being made — and we have closed hundreds of accounts. The Internet is used for many good things. Stealing people’s private photos is not one of them.”

Indeed, the firm has removed some images from its sites and links to the images from its search engine. Still, the letter says lawyers have asked Google more than a dozen times to remove the images from Google sites like BlogSpot and YouTube, but some of the images are still available several weeks after the initial breach.

Google “has acted dishonorably by allowing and perpetuating unlawful activity that exemplifies an utter lack of respect for women and privacy,” the letter says. “Google’s ‘Don’t be evil’ motto is a sham.”

[THR]

TIME privacy

International Hacking Ring Charged With Theft of Xbox Software and Data

Hackers also allegedly stole software used by the U.S. Army to train military helicopter pilots

Four members of an international hacking ring were charged with the theft of over $100 million worth of software and data related to the Xbox One and Xbox Live consoles and other technologies, the Department of Justice announced Tuesday.

The hackers were also charged for stealing data from the unreleased video games Call of Duty: Modern Warfare 3 and Gears of War 3, as well as the U.S. Army’s proprietary software used to train military helicopter pilots, the statement said.

Between Jan. 2011 and March 2014, the four men allegedly hacked into the computer systems of video game makers Microsoft, Epic Games and Valve Corporation, according to court documents. They also allegedly stole software from the U.S. Army and Zombie Studios, which produced helicopter simulation software for the Army.

Two of the charged members, whose ages range from 18 to 28, have already pleaded guilty to charges of copyright infringement and conspiracy to commit computer fraud.

“As the indictment charges, the members of this international hacking ring stole trade secret data used in high-tech American products, ranging from software that trains U.S. soldiers to fly Apache helicopters to Xbox games that entertain millions around the world,” said Assistant Attorney General Caldwell.

Three of the hackers are Americans, while one of the hackers is Canadian, the Department of Justice said. Officials believe the Canadian’s guilty plea is the first time a foreign individual was convicted of hacking into U.S. firms to steal information.

“The American economy is driven by innovation. But American innovation is only valuable when it can be protected,” Caldwell said. “Today’s guilty pleas show that we will protect America’s intellectual property from hackers, whether they hack from here or from abroad.”

TIME Security

Experts Say ‘Bash’ Bug Is a Major Vulnerability But Not a Major Threat


Cybersecurity experts explain why the Bash bug might actually not be as risky as the Heartbleed bug discovered earlier this year

When the Heartbleed software bug was disclosed in April, there was no shortage of publicizing its risks and defensive measures—and for good reason. And the Bash bug, discovered Wednesday, is prompting similar widespread fear. The security flaw is named after a vulnerable piece of software, Bash, that’s built into several ubiquitous operating systems, including Apple’s Mac OS X.

“People were taking Heartbleed very seriously,” said Jim Reavis, CEO of cybersecurity firm Cloud Security Alliance. “If people don’t take Bash seriously, it’ll become a self-fulfilling prophecy.”

Cybersecurity experts like Reavis don’t doubt that the Bash bug is dangerous: it is, and it needs urgent attention. The afflicted Bash software, released in 1989, is open-source software that was built into Linux and Mac OS operating systems and then widely integrated into many corporate and personal computer programs, experts said. Preliminary estimates say it could impact up to 50 percent of Internet-connected servers, according to Darien Kindlund, director of threat research at FireEye, a network security company.

“Bash is yet another type of open source software that has been reused, repurposed,” Kindlund said.

But the threat posed by the Bash bug—it could theoretically remotely command computers and extract private information—is overblown, cybersecurity experts told TIME. Average computer users aren’t likely to be directly targeted by hackers, experts said. And for the vulnerability to be triggered, the attacker would need to deliver content to the user, and then get the user to execute Bash with that content, according to Kindlund. Normal web browsing, emailing or other common activities do not involve calling Bash. What average users should be worried about are more traditional hacking techniques, like phishing emails and links to malicious websites, said John Gunn of VASCO Data Security.

“There are so many other methods that have a high degree of success that would take priority over [Bash as a hacking tool],” Gunn said. “The vulnerability really exists for large organizations that may have servers running Linux.”

Companies whose web servers aren’t updated internally on a frequent basis may be most at risk because they continue to use old technology, according to Kindlund. Some companies that still store private data on Internet-facing servers—an outdated practice, as it makes sensitive information more vulnerable—or do not have strong security may be vulnerable as well, but they can take precautions by inspecting each and every one of their Linux-based servers, said Tanuj Gulati, CTO of Securonix, a security intelligence firm.

“The Apples or the Amazons or the Googles of the world aren’t the ones I’m worried about the most,” Reavis said. “But it could be some big companies that use this technology, but simply don’t have an awareness budget, or not taking this seriously.”

Still, many companies already have protection mechanisms in place that would prevent Bash from inflicting significant harm. Most servers can detect anomalous traffic and behavior, and many already take precautionary efforts by keeping records offline where they are inaccessible, Gunn said.

“What this Bash vulnerability depends on is a lot of other failures,” Gunn added. “This isn’t a single point of failure, whereas in Heartbleed, it was.”

Numerous patches for the Bash bug have already flooded the market. While security researchers have claimed the patches are incomplete, experts agree that fully fixing the vulnerability would take years. Additionally, the absence of any known major breaches using Bash has boosted security experts’ confidence that the bug may not pose a widespread threat.

“Most vulnerabilities of value are either shared or sold in the hacking community,” Gunn said. “If this had been a viable hacking method, it would’ve been exchanged in the hacking community, and it has not.”

But the fact that Bash may not pose a major threat to individuals or companies doesn’t mean its danger should be understated, experts agreed.

“You saw a lot of worry about [Heartbleed], and there really wasn’t much that happened. The economy didn’t grind to a halt. Cities didn’t black out,” said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “It’s a vulnerability. A flaw.”


TIME privacy

What We Know About the Latest Nude Celebrity Photo Hack

Kim Kardashian attends the Kardashian Kollection Spring Launch at Westfield Parramatta on September 13, 2014 in Sydney. Lisa Maree Williams—Getty Images

And what we don't

More explicit photos were posted on the website 4chan Saturday, this time purportedly showing Kim Kardashian, Vanessa Hudgens, Mary-Kate Olsen, Hayden Panettiere, Kaley Cuoco, Hope Solo and an underage Disney star, among other female celebrities.

Previously unseen photos purportedly showing Jennifer Lawrence, who became the face of the last major celebrity photo hack, were posted, too. The photos quickly spread from 4chan to Reddit, following the same pattern as the previous hack, which leaked private photos of Lawrence, Kate Upton, Ariana Grande and almost 100 other female celebrities.

Here’s what we do and don’t know about the latest nude celebrity photo hack:

Are the photos real?

At least two of the hack’s victims have confirmed their leaked photos are, in fact, real.

Actress Gabrielle Union told TMZ on Saturday that her photos were intended for only her husband’s eyes, and slammed the hackers’ insensitivity. “It has come to our attention that our private moments, that were shared and deleted solely between my husband and myself, have been leaked by some vultures,” Union said.

On Sunday, Actress Meagan Good released a statement on Instagram, saying “I’m definitely in shock… Saddened for everyone who is experiencing this… But I ‘choose’ not to give the persons responsible my power.. At the end of the day—We all know these pictures were for my husband.”

In the last celebrity hack, many victims confirmed that the photos were indeed authentic. Cuoco, whose photos were also released in the previous hack, said Thursday on Jimmy Kimmel Live! that she was disturbed to realize the photos were real, but ended up making a “joke about it,” because “you have to make fun of yourself.” Other reactions were less lighthearted: Lawrence’s rep called it a “flagrant violation of privacy.”

What about the other celebrities?

Most have not released statements, or have declined to speak. A rep for Kardashian has declined to comment about the leaked photos to multiple publications. There’s also no word from Panettiere, Olsen, Solo or Hudgens.

But many are wondering about Hudgens, and what approach she’ll take now that she’s not the young Disney starlet of the High School Musical franchise. In 2007, after being shamed for a leaked nude photo, the 18-year-old actress apologized to fans, while Disney followed up and told People that “We hope she’s learned a valuable lesson.”

How did it happen?

No one knows yet, but experts told TIME they believe it’s similar to the last celebrity photo leak, when Apple confirmed that it was a “very targeted attack on user names, passwords and security questions,” and not a system-wide breach of iCloud or Find my iPhone, as was first widely believed. (TIME has reached out to Apple for comment regarding the most recent hack.)

Bob Stasio, Vice President of Threat Intelligence at CyberIQ Services, said the most probable cause is that hackers obtained access to photos by answering security questions to recover or reset passwords—a common tactic and the one apparently used last time. Last year, Michelle Obama’s and other celebrities’ financial records were accessed by hackers who knew enough personal identifying information to impersonate them, according to CNBC.

“The problem with celebrities is that a lot of their information is publicly available,” Stasio said.

Once the passwords have been reset, the hackers can access the celebrities’ e-mail accounts to obtain the passwords to enter iCloud. Hackers will have previously gained access to the stars’ computer servers, thus their e-mails, either physically or remotely through backdoors planted in their systems, Stasio said. These backdoors may have been planted through targeted emails that tempt the users to click on a link or download an attachment.

“That’s really how hacking works,” Stasio said. “It’s all very iterative. You get to one spot, and you have to get to the next spot.”

Can the hackers be found?

They haven’t been found yet, and security experts believe it will be difficult, but not impossible, to track down the hackers. If iCloud accounts were accessed, then Apple can use a record of logins to determine the IP address, Stasio said. But hackers would likely hide their IP address by routing through a different one in another country, which complicates the process. Another method would be to track who had originally posted the pictures on 4chan.

In fact, experts say photo-leaking culprits are often caught, and the fact that both Apple and law enforcement are already involved make the investigation even more likely to turn up results. In 2011, for example, a hacker used the “forgot my password” function to access and leak nude photos and other personal information of Scarlett Johansson, Mila Kunis and Christina Aguilera. An FBI investigation resulted months later in a Florida man being sentenced to 10 years in federal prison, according to CNN.

“The success rate is very high. People doing this are very foolish, thinking they’re going to get away with it,” said Phil Lieberman, President of Lieberman Software Corporation. “For a period of time, they’re the hero. Once they’re caught, they’ll become the zero.”

So why haven’t we found the hackers yet?

In short, it takes time.

“If someone’s life is in danger, law enforcement moves very quickly,” Lieberman said. “But pictures of celebrities don’t rise to the level of kidnapping, murders or serious violent crimes. They’re seen more as economic crimes or invasions of privacy, which are serious, but go on a little slower track.”

Moreover, the fact that Apple’s weak iCloud security was patched only recently means that several intruders may have been in the system for quite a while, experts said, which would add additional layers to the investigation.

Will it happen again?

Experts say yes: This is the second major celebrity photo hack in one month, and it’s part of a rising trend. When Target was hacked last year, Stasio said, a group of hackers sent e-mails to other companies saying they’d detected a similar vulnerability, offering help through a clickable link, which, if opened, would’ve infected the company’s system.

“Not only have the trends of the actual hacks spread, but people use the awareness of the hack itself to try to use it as an infection,” Stasio said.

And there are likely more photos that have been accessed but not yet shared. Lieberman said that for hackings in the commercial world, the average time the hacker or hackers have spent in the system is 200 days. This suggests the intruders could’ve had months to amass a large collection of explicit photos.

“This may not even be different than the first one,” Lieberman said. “This may in fact be the same group of people with the same set of data, just simply taking another bite of the apple.”
