iCloud not protected by Apple’s two-factor authentication, say researchers

Apple introduced two-factor authentication (or two-step verification if you’d like to call it that) with iCloud back in March, adding an extra layer of security to its cloud backup system. However, security researchers say that iCloud is still vulnerable to a break-in if your password is stolen.


ElcomSoft, a company that specializes in password-cracking software, says that there are security holes in Apple’s two-factor authentication process, stating that “Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud.” When you log in to your iCloud account, you’ll have “full information to everything stored there without being requested any additional logon information.”

The company says that they were able to download an iCloud backup using login details without ever using two-factor authentication, and the physical iOS device that the backup came from wasn’t needed for credential purposes. Of course, this doesn’t mean your iCloud data is out in the open. As long as your password is secure, no one can access your iCloud backup.


ElcomSoft also mentions another security issue, which is the fact that Apple sends verification codes directly to an iOS device’s lockscreen. This means that the verification code is exposed to whoever can turn on the display and look at the lockscreen, meaning that you don’t need to unlock an iOS device in order to see the code. ElcomSoft says that the code should obviously not be displayed on the lockscreen, but rather require users to unlock the device first in order to see it.

Two-factor authentication does prevent hackers from resetting a user’s Apple ID password, but it doesn’t keep hackers from copying or deleting files that are stored in iCloud. ElcomSoft thinks that Apple’s two-factor authentication “does not look like a finished product,” and “it’s just not as secure as one would expect this solution to be.”

VIA: Ars Technica

SOURCE: ElcomSoft


iCloud not protected by Apple’s two-factor authentication, say researchers is written by Craig Lloyd & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All rights reserved.


Sky apps return to Google Play following hack

Broadcaster BSkyB has returned its Android apps to the Google Play store today, after pulling them earlier this month following the hacking of its Twitter account and Play listings by the Syrian Electronic Army. The hack, which took place on May 26, saw the official Sky Twitter account advise subscribers to uninstall the apps – which include Sky Go for on-demand streaming, and Sky+ for remotely managing DVRs – as they had been compromised. However, it was later revealed that there had been no such issue, though BSkyB still pulled its vandalized listings from the store.


For those who did not uninstall the apps when (erroneously) advised to, the broadcaster was adamant that they were safe to use. “Sky Android apps previously downloaded by Sky customers are unaffected and there is no need to remove them from an Android device” Sky tweeted following the hack.

However, that still left the apps missing for new downloads, a situation which has lingered since the weekend. The hacker group had modified the listings of each application to show its own logo, along with replacing the description of the app with “Syrian Electronic Army Was Here”.

Each of the restored applications, which showed up in the Play store earlier today, is dated May 31, though there’s no specific mention of the hack in any of the listings. The closest BSkyB gets is a reference to generic “bug fixes” in the change-logs.

May was a busy month for the Syrian Electronic Army, with the Sky hack just one of a number of attacks. The group also targeted UK broadcaster ITV, along with newspaper The Financial Times, while The Onion spun several satire stories out of an earlier breach of its own systems.

VIA: Paul O’Brien


Sky apps return to Google Play following hack is written by Chris Davies & originally posted on SlashGear.

US Warns Against Self Driving Cars

The Google self driving car is a project many have great hopes for, but the US government is not yet satisfied with the technology, and recommends that states do not let the general public drive them for now.

Evernote two-step verification has the brand join the security squad

This week the folks at Evernote have made it clear: they’re not going to be the last ones out there without two-step security. The note-taking app now joins the likes of Gmail and Twitter in stepping up security measures, following several years of exponentially increasing incidents in which this simple push for more secure log-ins would have stopped hacking altogether.


Evernote’s implementation of this two-step verification process uses Google’s Authenticator app, the same as Gmail. This system has the user enter their password as normal, but also requires a code that’s generated separately by the app and is unique to the user. The app exists on Android and iOS devices, tablets and smartphones alike.


As Evernote has made clear, “Implementing two-step verification is not trivial.” They’re implementing this system on all of their applications including, but not limited to, Evernote, Skitch, Penultimate, and Evernote Food. As significant back-end work was required to implement this system, Evernote will gladly be accepting feedback from Premium Users first.

This system will be rolling out to premium users first, then eventually to standard users across the board. As Evernote says Premium members are “the most engaged”, it only made sense to begin the rollout with them. Stay tuned as the full system hits apps in the near future.

SOURCE: Evernote



Evernote two-step verification has the brand join the security squad is written by Chris Burns & originally posted on SlashGear.

Evernote two-step verification now available for Premium and Business users


Three months after a major database hack, Evernote has finally made good on its promise to implement two-factor authentication as an additional precautionary measure. Following the footsteps of other security-conscious companies, the technique requires not just your username and password, but also a six-digit code provided either via text message or an app like Google Authenticator. Further, you can print out a list of backup codes in case you don’t have your phone handy. Premium and Business users will be the first to get this functionality — it’ll be offered to all users once the system proves to be robust enough.

Other apps in the Evernote clan, including Skitch, Penultimate and Evernote Food will need to be updated and certain third-party apps might need to be given their own dedicated passwords as well. Aside from the double-step verification, Evernote has also introduced the ability to view your account’s access history and a list of authorized applications; you can revoke any device from your account settings if necessary. All of these added layers of security are totally optional, of course, but you might want to set yourself a reminder to check them out.


Source: Evernote

August Smart Lock wants to make your front door intelligent

Your smartphone has advanced security, why shouldn’t your front door? Startup August is aiming to change that, with its Smart Lock security system replacing your traditional deadbolt with one that can be controlled from your smartphone, including allowing temporary or permanent guest access for visitors, dog walkers, or babysitters.


The Smart Lock uses Bluetooth LE (low energy) to connect with a nearby smartphone, with “virtual keys” that can be kept to the homeowner, or shared out with others. Each of those share invitations can be optionally time-limited, so that visitors only get access when the homeowner wants them to.

August – a collaboration between Yves Behar (who also designed the OUYA) and Jason Johnson – is said to work with 90-percent of home lock systems in the US, and take a couple of minutes with some screwdriver handiwork to fit. There’s no WiFi connection or external power needed, so even if the electricity goes out the door is still secure. A standard key means that, even if the batteries are flat, you can still get in.


The Smart Lock will automatically ping out a message to you whenever a guest enters and exits, and entry permission can be removed at any time. The control on the inside – which rotates to lock and unlock manually – has a built-in LED indicator to show lock and permissions status, and also makes different noises depending on whether it’s locking or unlocking.

As for the app, that can be used to send out invitations individually or to a group, and a guestbook can be used to leave notes for visitors or for them to add messages back.


It’s all part of a growing effort to make home security more technologically advanced, at the same time bringing the functionality down from what have historically been high price points. August isn’t the only company doing smart locking systems; AT&T, for instance, rolled out a 15-market trial of its Digital Life service last month, which includes lock control as well as CCTV and water leak monitoring.

August expects the Smart Lock to begin shipping later in 2013. It’s up for preorder now, priced at $199; there are no ongoing fees for the “core functionality” August says.

VIA: Gizmodo Australia



August Smart Lock wants to make your front door intelligent is written by Chris Davies & originally posted on SlashGear.

Twitter CEO on security: “we haven’t moved quickly enough”

Twitter CEO Dick Costolo spoke at the D11 conference today and discussed a wide range of topics involving the social media service, including Twitter’s new two-factor authentication that they just recently started rolling out. Twitter was one of the few big services to play catch-up with the security feature, and Costolo knows it.


Costolo says that the company takes security issues “super seriously,” and he notes that Twitter has a “responsibility to helping these organizations that people view as authorities.” Of course, he’s referring to the recent hackings of high-profile Twitter accounts, like the AP, where a bogus tweet was sent out on its feed.

Costolo says that security is “going to be an ongoing challenge,” saying that Twitter has “a bunch of security people working diligently on it.” He also admitted that the company hasn’t “moved quickly enough there,” pointing to the goal that he wants to improve Twitter’s security team and prevent further hacks in the future.

Costolo admitted that Twitter was extremely late to the game when it came to rolling out two-factor authentication for the social media service, but he says that he wants to do more about Twitter’s security. He didn’t say what he wanted to get done nor what to expect from the company in the future, but we can guess that Twitter will become more secure as time goes on.

Accounts getting hacked certainly isn’t anything new, and it happens on all popular social media services, but Twitter has seen an alarming number of account hijacks recently, with popular brands getting hacked, as well as authoritative news outlets, including BBC and CBS. Jeep, Burger King, and Fisker also had their Twitter accounts hacked recently.

SOURCE: AllThingsD


Twitter CEO on security: “we haven’t moved quickly enough” is written by Craig Lloyd & originally posted on SlashGear.

Pentagon report: Chinese hackers accessed F-35B and other advanced US weapons systems


Many of the Pentagon’s most advanced weapon systems — including the F-35 Joint Strike Fighter and PAC-3 Patriot missile system — were compromised by Chinese hackers, according to a classified document obtained by the Washington Post. The list of weapons was part of an earlier DoD report condemning Chinese cyber-espionage activities, but had been confidential until now. Other systems hacked are said to include the Terminal High Altitude Area Defense (THAAD), the Navy’s Aegis ballistic-missile defense system, the F/A-18 fighter, V-22 Osprey and the Littoral Combat Ship used for shore patrol. Many of these form the foundation of defense systems from Europe to the Persian Gulf — and their breach goes a long way toward explaining Washington’s unprecedented dressing-down of China.


Via: The Verge

Source: Washington Post

Your Passwords Are Weak

Our lives are increasingly online, but are your digital accounts safe from hackers? Here is why what you thought was a good password may not be.