TIME Security

This Website May Have Just Solved Passwords Forever

Now you can sign into Medium with your e-mail

Blogging site Medium has launched a password-free login system that uses only e-mail.

The e-mail login option provides an alternative to Medium’s previous login routes, which included only Facebook and Twitter, according to the site’s announcement. The change arrived after many users said they either did not have social media accounts or preferred not to use them. Other users lived in regions where Facebook and Twitter are blocked.

According to Medium, the feature works similarly to the familiar “forgot password” function. Users simply enter their e-mail addresses on the site, which sends them an e-mail containing a link they can use to log in within 15 minutes.

Still, the e-mail login feature can’t detect whether a user’s e-mail account has been compromised, so anyone with access to that e-mail account will be able to log in.
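The flow described above (enter an e-mail, receive a link, the link is only good for 15 minutes), as an added illustration that is not Medium’s code: a hypothetical service that issues single-use login links, stores only a hash of each token, and refuses expired, replayed or tampered links. The host name in the link is a placeholder.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical magic-link service (not Medium's implementation). It models
# the article's flow: the site e-mails a link that works for 15 minutes.
LINK_TTL_SECONDS = 15 * 60


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        # The clock is injectable so expiry can be tested without waiting.
        self._now = now
        # Keyed by SHA-256 of the token: a leaked table exposes no usable links.
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a login link for `email`; the caller e-mails it to that address."""
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._pending[self._digest(token)] = PendingLogin(
            email=email, expires_at=self._now() + LINK_TTL_SECONDS
        )
        # Placeholder host; a real deployment uses its own domain over HTTPS.
        return f"https://login.example.invalid/auth?token={token}"

    def redeem(self, link: str) -> Optional[str]:
        """Return the e-mail the link logs in, or None if the link is not valid."""
        params = parse_qs(urlparse(link).query)
        token = params.get("token", [""])[0]
        rec = self._pending.get(self._digest(token))
        if rec is None:
            return None  # unknown or tampered token
        if rec.used or self._now() > rec.expires_at:
            return None  # already used, or older than the 15-minute window
        rec.used = True  # single use: a forwarded or replayed link is refused
        # Note the limit the article points out: the service cannot tell
        # whether the person clicking the link is the mailbox's rightful owner.
        return rec.email
```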

TIME Instagram

Instagram Users in North Korea Report App Blocked

Thomas Coex—AFP/Getty Images Pictures appear on the smartphone photo sharing application Instagram on April 10, 2012 in Paris.

Instagram users in North Korea have received a "blacklist" warning

Looks like North Korea has blacklisted photo-sharing social network Instagram and is denying access to it from devices in the country.

When users open the app from mobile phones on the North Korean carrier Koryolink, a warning in both English and Korean appears, The Associated Press reported on Monday. “Warning! You can’t connect to this website because it’s in blacklist site [sic],” says the English version. The Korean warning also says that the site contains harmful content.

Similar warnings also appear when accessing Instagram on computers using LAN cables on the North Korean Internet provider. Instagram still worked on some mobile phones, but not all.

The origin of the warning is still unclear. Koryolink customer support employees told The Associated Press that they weren’t aware of any policy changes regarding Instagram and there has been no notice from the government regarding the service. The block could be related to a June 11 fire at a Pyongyang hotel, often used by tourists and foreign visitors, that North Korea’s state-run media has yet to officially report on, despite photos of it leaking on the Internet.

While North Korea is still not allowing its citizens to access the Internet, with a few exceptions, it did decide in 2013 to allow foreign visitors to access 3G Internet through their mobile phones, which requires a local SIM card from Koryolink.

Other social media sites such as Facebook and Twitter are still working fine.

TIME Cyberwar

These 5 Facts Explain the Threat of Cyber Warfare

James Lawler Duggan—Reuters Workers arrive at the Office of Personnel Management in Washington on October 17, 2013.

The disastrous hack of the federal government's Office of Personnel Management is the tip of the iceberg

America has spent decades and trillions of dollars building up the greatest military force the world has ever seen. But the biggest threat to national security these days comes not from aircraft carriers or infantry divisions, but from a computer with a simple Internet connection. That much became clear after the catastrophic hack—most likely by a foreign power—of sensitive federal employee data stored online. These 5 stats explain the evolution of cyber warfare, its astronomical costs and its increasingly important role in geopolitics.

1. Government Threats

The massive breach of the Office of Personnel Management a couple weeks ago made headlines, but Washington has been fending off cyber-attacks for years now. The federal government suffered a staggering 61,000 cyber-security breaches last year alone. This most recent wave of hacks exposed the records of up to 14 million current and former US government employees, some dating back to 1985. Compromised information includes Social Security numbers, job assignments and performance evaluations. This is dangerous information in the hands of the wrong people, which by definition these hackers are. There is a good reason why the U.S. Director of National Intelligence ranks cyber crime as the No. 1 national security threat, ahead of terrorism, espionage and weapons of mass destruction.

(CNN, Guardian, Reuters, Washington Post, PwC)

2. Business Threats

Hackers aren’t only in the game to damage governments—sometimes good old-fashioned robbery is enough. The FBI had to notify over 3,000 U.S. companies that they were victims of cyber security breaches in 2013. Victims ranged from small banks to major defense contractors to mega retailers. An astounding 7 percent of U.S. organizations lost $1 million or more due to cyber crime in 2013; 19 percent of U.S. entities have claimed losses between $50,000 and $1 million over the same span. Hacking costs the U.S. some $300 billion per year according to some estimates. Worldwide that figure is closer to $445 billion, or a full 1 percent of global income. The research firm Gartner projects that the world will spend $79.9 billion on information security in 2015, with the figure rising to $101 billion in 2018—and that still won’t be enough.

(PwC, The Wire, Washington Post, Wall Street Journal)

3. Social Media Threats

With the rise of social media also comes the rise in social media cyber crime. Social media spam increased 650 percent in 2014 compared to 2013. Nearly 30 percent of U.S. adults say one of their social media accounts has been hacked. That number is only set to grow: an estimated 10 to 15 percent of home computers globally are already infected with botnet crime-ware, and over 30,000 new websites are corrupted daily with compromising code. In a day and age where your online presence increasingly defines you to the rest of the world, hackers with access to your accounts can cause untold damage to both your personal and professional life. Back in 2011, Facebook admitted that it was the target of 600,000 cyber-attacks every day. Not wanting to scare off potential users, it hasn’t released official figures since.

(Guardian, Wall Street Journal, Cyber Shadows, Telegraph)

4. Russia

Speaking of social media, cyber threats don’t only come in the form of traditional hacking. Moscow has set up a sophisticated “troll army” under the umbrella of its Internet Research Agency to wage a massive disinformation campaign in support of its invasion of Ukraine, and of the Kremlin in general. These trolls work hard, each one pumping out 135 comments per 12-hour shift. Furthermore, each troll is reportedly required to post 50 news articles a day while maintaining at least six Facebook and ten Twitter accounts. That’s a whole lot of misinformation. Despite economic hardship caused by sanctions, Moscow believes in this mission enough to employ a full-time staff of 400 with a monthly budget of $400,000.

(New York Times, Radio Free Europe Radio Liberty, Forbes, New York Times)

5. China

But the single biggest threat to the U.S. remains China. A full 70 percent of America’s corporate intellectual property theft is believed to originate from China. That doesn’t just mean random hackers who operate within China’s borders; we’re talking about elite cyber groups housed by the government in Beijing. China decided long ago that it couldn’t compete with the U.S. in direct military strength. The U.S. already outspends China more than 4-to-1 in that regard, making catch-up near impossible. Beijing has instead decided to focus on commercial and government espionage. While exact figures are hard to come by, in May 2013 two former Pentagon officials admitted that “Chinese computer spies raided the databanks of almost every major U.S. defense contractor and made off with some of the country’s most closely guarded technological secrets.” That would be really impressive if it wasn’t so terrifying.

(The Wire, International Institute for Strategic Studies, Bloomberg)

TIME Security

There’s a Massive Security Flaw in the iPhone and Mac

George Frey—Getty Images Apple's iPhone 6 (R) and iPhone 6 Plus (L) phones are shown together at a Verizon store on September 18, 2014 in Orem, Utah.

Malicious app that can steal passwords was approved for the App Store

Apple devices are often thought to be more secure than open platforms such as Windows and Android, but a recent study shows there are still significant malware threats for iPhone and Mac owners.

Researchers from Indiana University, Peking University and Georgia Tech have published a study highlighting security issues with the way apps communicate with each other on iOS and OS X. The researchers created an app that was able to steal users’ data from the password-storing keychain in OS X, as well as pilfer passwords from banking and email accounts via Google Chrome.

The researchers’ app was able to bypass the security measures Apple has in place to ensure one app can’t gain access to other apps’ data without permission. Methods used include hijacking a browser extension so hackers can collect passwords when users type them in and deleting passwords from the OS X keychain so they can be retrieved when the data is re-entered.

The biggest issue regarding the malicious app is that it was approved for placement in the App Store, which is supposed to be pre-screened by Apple staff for potentially malicious apps. Apple did not immediately respond to a request for comment.

The researchers said they informed Apple about the vulnerability in October but were asked to hold off on making the information public for six months. However, according to their study, the problems still persist. A system-wide update to OS X and iOS is the only way to fully protect against the vulnerabilities, according to the study’s authors.

TIME Security

This Tiny Box Is Your Home’s Defense Against Hackers

Bitdefender BOX

Meet the Bitdefender BOX

In Batman Begins, there’s a scene where the Dark Knight’s nemesis Scarecrow pours psychoactive drugs into the water supply in order to poison the people of Gotham City. Never in my life have I imagined that I’d ever use a Christian Bale movie as a metaphor for the Internet, but I can’t deny the reality that I’ve recently witnessed firsthand. Never mind super-villains — the web is crawling with real criminals continually pouring nastiness into our system of tubes, and as a result, we’re gulping down data from some seriously tainted pipes.

Recent research from Distil Networks has shown that 60% of the Internet’s traffic consists of bots, not people. Nearly a quarter of those bots are up to some pretty nasty stuff, like stealing passwords and credit card numbers. It’s an epidemic that’s only getting worse the more we rely on cloud computing. According to the report, the biggest culprits behind this — besides the hackers who unleash these bots on the web — are services like Amazon’s cloud services (where many bad bots make their home) and data networks like T-Mobile (which doesn’t do a great job of monitoring its traffic).

But perhaps the biggest problem with these bad bots is that most web users never see them. They open their tap, fill their drinking glasses with dirty data, swallow it down, feel refreshed and think all is well. But using Bitdefender BOX, I was able to put my stream of data under a digital microscope. Within minutes, I couldn’t believe the viruses, malware, and other nastiness that had been flowing my way all along undetected.

Smaller than a hockey puck, Bitdefender BOX is an ethernet-connected security device that plugs in between your high-speed modem and your wireless router (it can also be used as a router itself) that will alert you to every attempted intrusion or bad piece of code that comes in from the Internet. Basically, it’s an intrusion detection system.

“Every major company, every major corporation, has a big giant box like this sitting in their network,” says Rami Essaid, CEO of Distil Networks. “It’s analyzing every packet going in, every packet going out.”

The $199 hub is designed to protect all the devices on a home’s network, whether or not they’re loaded with virus-scanning software. It comes with one free year of service, which runs $99 per year afterwards. For that price, BOX customers get continual background upgrades that protect them from the latest and scariest bugs going. The best part is that users don’t have to update virus profiles or run memory-hogging background software on their PCs. It’s a set-it-and-forget-it solution that aims to block everything from fraud to phishing.

I installed BOX on my home network on a Friday evening. Frankly, I put it off as long as possible because my home has a moderately complex Wi-Fi setup, and I didn’t want to spend a work day unraveling a knot of networking problems. I use two Apple Airport Extremes to stretch both 2.4 GHz and 5 GHz networks across my property. I also have the wireless routers run guest networks, which I have configured only my smart home devices to connect to. The only thing I had to do to make BOX work properly for my setup was toggle my primary Airport Extreme into Bridge Mode. Upon doing that, BOX was able to do its thing, and all my devices, from iPhones to lightbulbs, to computers, functioned perfectly, as if BOX wasn’t even there. (Well, sort of. It turned out that BOX didn’t support my guest networks, so all my smart home gear had to be reconnected to my main network. But I suspect this is a problem few other users would encounter, so I wouldn’t slight Bitdefender for it.)

It took Bitdefender nearly 12 hours to recognize my nearly 30 connected devices, but while it was adding and analyzing them, everything worked fine. In fact, as my wife sat poking on her iPad next to me, my iPhone started to light up with notifications like “Dangerous website blocked,” and “A malware attempt was detected.”

These alerts immediately prompted her to wonder if I could monitor what she was browsing online. Generally, I could not, but if an alert popped on the accompanying BOX iOS app, I could see where the dangerous file originated from. But keep in mind, I told her, on the web, vile files flow in from every direction, not just the pages you surf to.

If I have a complaint about Bitdefender BOX, its iPhone app might be it. Though it’s good and generally responsive, it still needs some work. For instance, you have to rekey your password every day. It’s 2015, people — time to use Touch ID, throw in some 1Password/LastKey integration, and make your app as secure as it should be. Also, once inside the app, new alerts don’t get pushed over into the history after they’re viewed, so unless you’re keeping track, you have no idea how many bugs have floated your way since the last time you’ve opened the app.

But if there was one thing that surprised me about BitDefender BOX, it’s the device’s “Private Line” feature. Essentially a Virtual Private Network (VPN) for dummies, Private Line lets users set up a tunnel between your mobile devices and BOX with the flip of a switch. In other words, when I’m out on the town using my AT&T mobile data, my web surfing will go from my handset to my home network, through the Bitdefender BOX to ensure I’m protected, and into the web. While using my iPhone 6 in this mode, I didn’t notice any lag, though there was one huge hiccup: I couldn’t send SMS messages (I could send iMessages). A representative from Bitdefender said she thought the problem might stem from AT&T not allowing messaging connections from servers other than its own. Whatever the root cause, I hope it gets resolved, because it was a Private Line deal-killer for me.

After the first week of running BOX, as its new gadget shine wore off and malware notifications piled up, complacency nearly became another deal-killer. BOX was great, but I wondered if it was doing anything more than my browser already could — after all, properly configured, they can block threats very well. Despite having more than a dozen smart home products on my network, not one of them got a nibble from a hacker.

“There are a lot of people that use bots to see what’s out there,” says Essaid, specifically calling out Dropcams and baby monitors — both of which I run 24-7. “What you’re going to start seeing is a lot of people probing you because you are connected to the web.”

And that’s what Bitdefender is banking on. The big idea behind BOX is that it can stand guard between the bad guys and your smart home gear, most of which is defenseless. In fact, according to a study by ThroughTek, cybersecurity is the number one concern for buyers of smart home products, with 25% of people concerned about their personal data getting out. Until I had this device, I had no idea if someone was trying to digitally break into my home. I just hoped that they weren’t. But the more attacks I see bouncing off my phones, tablets, and computers, the more I’m convinced Bitdefender has the chops to keep all my Internet-connected gear safe. So in that way, Bitdefender may just be the hero the Internet of Things deserves, just not the one it needs right now.

TIME Security

What RadioShack’s Bankruptcy Means for Your Credit Card Data

Justin Sullivan—Getty Images People walk by a Radio Shack store on March 4, 2014 in San Francisco, California.

Your personal information is traded every day, but not like this

When RadioShack declared bankruptcy in February, it marked the potential end for one of the country’s most recognizable brands. But it was also the beginning of a process that stripped the once popular electronics chain for parts. Everything from the company’s name to its batteries was offered for sale along the way — including its trove of customer data. And as disappointed as techies were to see their favorite place for wires and cables shuttered, they were aghast to learn their phone number, address, and even credit card numbers could be sold to the highest bidder. While companies share customer data with each other all the time, it rarely happens like this.

Pretty much every organization — including non-profits, universities, and corporations — has customer data, and it’s among their most valuable assets. Letting others use this information is like handing over your smartphone to someone else. If they’re borrowing it to make a call, you’re better off dialing the number for them and passing the handset along, or else they may paw through all your apps and contacts without your permission. Likewise, the use of others’ customer data is similarly guarded. Companies rent out their lists all the time, though under strict terms and conditions.

Shoppers’ data is big business in the U.S. According to the Direct Marketing Association, sharing customer data added $156 billion in revenue to the U.S. economy in 2012, the most recent year the industry was studied. That’s bigger than the dairy industry. And speaking of putting food on the table, customer data sharing also fueled about 675,000 jobs that year, too. And as we’ve become an increasingly data-driven economy, those numbers are certain to grow.

“Any time there is a customer transaction,” says Senny Boone, the DMA’s senior vice president of corporate and social responsibility, “you’re picking up financial information, things like the date and amount of the purchase, that might help a business to stock its warehouse . . . it is vitally important customer data to a particular company that’s holding that data.”

As a result, companies don’t typically hand over their lists willy-nilly. Instead, they rent them out through a third-party company, and usually saddle the data with a lot of restrictions, like one-time-only use. These third parties include companies like Experian, which is known to most people as a credit-rating service, and Acxiom, which works with data from companies ranging from United Airlines to Macy’s. Typically, these companies stay within the bounds of safe, smart, and considerate data usage, and watchdog agencies like the Federal Trade Commission watch over them to make sure they do.

On the consumer side, the DMA encourages companies (especially its members) to be accessible for fielding complaints and work with people to make sure their data concerns are met. Consumers should be able to communicate with companies two ways, says Boone. One is through DMAChoice, a service that helps consumers manage the ways companies can send them marketing information. Another way is by contacting companies either through email, postal mail, or over the phone, whatever is in the business’s privacy policy — which should be clearly posted on their website.

In the case of RadioShack, the company’s brand and data was eventually bought by hedge fund Standard General, which is partnering with Sprint to keep some locations open as combination RadioShack/Sprint stores. Still, because Standard General didn’t craft the company’s original privacy statement, it caused concern on many fronts, not just with consumers but also with companies like Apple and AT&T, whose phones and services were sold at the store.

“If you are selling an asset, whoever is purchasing that asset will have full control as the owner,” says Boone. In RadioShack’s case, those assets included Social Security numbers, dates of birth, phone numbers and other details for some 117 million customers. Alarm over the future of that personally identifiable information caused the FTC and 40 states’ attorneys general to act to stop the sale. Thankfully for RadioShack customers, the bankruptcy judge involved in the case severely limited the amount and kinds of shoppers’ data Standard General could buy in the deal — it would get no credit card data, Social Security numbers or dates of birth; Standard also promised to abide by RadioShack’s original privacy policy when dealing with the remaining information.

So the next time you get a telemarketing phone call or a catalog from a company you’ve never done business with before, keep in mind that your name probably came from a company you have done business with previously. But don’t blame RadioShack — it’s not only out of business, but with its list in tatters, it’s now also out of commission.

TIME Security

Edward Snowden: Privacy Remains ‘Under Threat’

Frederick Florin—AFP/Getty Images U.S. National Security Agency (NSA) whistleblower Edward Snowden speaks to European officials via videoconference during a parliamentary hearing on improving the protection of whistleblowers, at the Council of Europe in Strasbourg, eastern France, on June 24, 2014.

"Technology companies are being pressured by governments around the world"

Edward Snowden has penned a new op-ed celebrating recent reforms of the National Security Administration.

President Barack Obama this week signed into law tighter restrictions for the agency, barring the organization from mass collection and storage of American phone records. Snowden, the man who revealed these practices to the public, is in the New York Times Friday, celebrating the work of Congress and the President as a “profound” achievement, and “a historic victory for the rights of every citizen.” Still, Snowden believes surveillance reform has a long way to go.

Here are some other choice quotes from the article:

  • Snowden had worried at one point that he might have, “put [his] privileged lives at risk for nothing — that the public would react with indifference, or practiced cynicism, to the revelations.” But the changes to the law have, in part, vindicated his decision to risk imprisonment by leaking classified information.
  • He calls this week’s events, “only the latest product of a change in global awareness,” citing other events like the U.N. declaring “mass surveillance an unambiguous violation of human rights,” as evidence of a broader movement to curtail spying powers.
  • He also laments that there is more work to do. Writes Snowden: “the right to privacy . . . remains under threat. Some of the world’s most popular online services have been enlisted as partners in the N.S.A.’s mass surveillance programs, and technology companies are being pressured by governments around the world to work against their customers rather than for them.”

Check out the full article over at The New York Times.

TIME Apple

Here’s Apple’s Fix for a Catastrophic iPhone Bug

Sean Gallup—Getty Images A shopper tries out the new Apple iPhone 6 at the Apple Store on the first day of sales of the new phone in Germany on September 19, 2014 in Berlin, Germany.

A more permanent solution is on the way

Calling all iPhone users: you can breathe a sigh of relief.

Thursday night, Apple published a temporary fix for a strange bug that causes a user’s messaging app to unexpectedly quit after receiving a “specific series of unicode characters” that appear to be a combination of symbols and Arabic-language characters. If this happens to you, just follow these simple steps. (Yes, you’ll have to get Siri involved):

  1. Ask Siri to “read unread messages.”
  2. Use Siri to reply to the malicious message. After you reply, you’ll be able to open Messages again.
  3. In Messages, swipe left to delete the entire thread. Or tap and hold the malicious message, tap More, and delete the message from the thread.

Apple plans to permanently fix the bug in an upcoming software update.

TIME Security

How Bad Bots Are Destroying The Internet

TIME.com stock photos Computer Keyboard Typing Hack
Elizabeth Renstrom for TIME

The web is at war, and the good guys are losing

The Internet has been described in many different ways over the years. We don’t use the term “information superhighway” much anymore, but a recent report may make you reconsider where and how you cruise around on it, regardless. That’s because a quarter of the cars on this road with you, dear reader, are being driven by mindless bandits looking to steal anything they can. Now, imagine traveling a road like that in the real world. No thanks, I’d rather walk.

Last year was the first time in history that bots outnumbered people on the web. According to research from Distil Networks, almost 60% of 2014’s web traffic consisted of automated bits of code, 23% of which exist to do dirty work for fraudsters and hackers. “It’s getting worse,” says Rami Essaid, Distil’s CEO. “Over the past ten years, they went from just kind of being out there and easy to detect to being really, really sophisticated.”

Computer programs that have been coded to either automate a task or pretend to be a person, bots have probably been on the Internet longer than you have. They can be either good or bad. For instance, Facebook uses bots to grab the headline, first paragraph, and image from a story when you share it on your news feed. Meanwhile, Google uses bots to crawl and catalog the web so when you run a search, the site can deliver appropriate results.

But hackers also use bots for all sorts of nefarious reasons, from lifting credit card numbers from an online store to scraping the text off an article and posting it on some random blog. (The nerve!) In fact, digital publishers get hit hardest by bad bots, with almost one-third of the traffic crawling on sites like this being malicious programs. (Sorry about that.) Travel sites, online stores, and real estate pages also abound with compu-critters.

Surprisingly, smaller websites are more vulnerable to bots than larger ones. Hackers target them more often in order to get usernames, passwords, and other credentials because these sites are less secure. “They don’t really care about actually stealing the money from small businesses,” says Essaid. “They care about stealing the information, because at the end of the day, people use the same usernames and passwords all over the place.”

While websites large and small should do more to battle bad bots, Distil’s report tosses blame at some surprising sources — like Amazon, China, and T-Mobile. Bad bots make up 78% of the traffic put out by Amazon, whose simple-to-setup cloud services power much of the web. “They’ve also made it real easy for bad guys to spin up servers, create bots, and do all sorts of bad things — and they don’t police it,” says Essaid.

Meanwhile, T-Mobile, China Mobile, China Telecom, and China Unicom are being overrun by bad bots on the mobile web. This is a huge problem because there isn’t yet a lot of virus protection for mobile Internet devices, and last year there were more mobile than desktop web users for the first time in history. As a result, hackers are racing to exploit smartphones and tablets. In 2013, less than a percentage point of mobile traffic was bad bots. In 2014, that figure skyrocketed to between 6% and 8%. That’s a scary number because there are many more mobile devices than there are computers, so a vast majority of handhelds haven’t encountered a bot — yet.

“It’s like an unharvested field of potential bots and the bad guys are now moving towards harvesting,” says Essaid.

So until the Internet cleans up its own act, bot-dodging users like you and me will need to take an “every man for himself” approach. For mobile users, that means not jailbreaking devices, making sure to research apps before you install them and closing programs that you’re not running. On the desktop, it means never using the same username and password combination twice, only entering your credit card information on secure sites, keeping your software (including browser plugins) up to date, and actually installing virus software. “You might be a zombie bot that’s ending up hurting somebody else,” says Essaid.

Zombies? Bots? Things were a lot better back when the Internet was overflowing with cats.

TIME Smartphones

This Creepy New Malware Tracks Your Subway Ride

Zhang Peng—Getty Images Passengers read their smart phones in Beijing on March 8, 2015.

Even if you don't have cell phone service underground

A team of Chinese researchers has developed a way to surreptitiously track your subway rides by tapping into your smartphone data.

The Nanjing University scientists designed software that captures your smartphone’s motion sensor data and matches it to a subway map, inferring your location with up to 92% accuracy, according to the report published last week. Since accelerometers aren’t as protected as other phone functions like GPS, hackers may still be able to steal data even if there’s limited cell service underground, the study suggests.

Researchers emphasized that their results highlight how vulnerable motion sensors are to hacking. “If an attacker can trace a smartphone user for a few days, he may be able to infer the user’s daily schedule and living/working areas and thus seriously threaten her physical safety,” the authors wrote. “Another interesting example is that if the attacker finds Alice and Bob often visit the same stations at similar non-working times, he may infer that Bob is dating Alice.”

Other research has shown how hackers can steal accelerometer data to determine what a smartphone user is typing.
