Doing shady things - infosec links December 10, 2014

DEA Sets Up Fake Facebook Page in Woman's Name - Bruce Schneier - Schneier on Security

A woman has her phone seized by the Drug Enforcement Agency and gives them permission to look at her phone. Without her knowledge or consent, they take photos off the phone (the article says they were "racy") and use them to set up a fake Facebook page in her name.

Verizon's 'Perma-Cookie' Is a Privacy-Killing Machine - Robert McMillian - WIRED

The company—one of the country’s largest wireless carriers, providing cell phone service for about 123 million subscribers—calls this a Unique Identifier Header, or UIDH. It’s a kind of short-term serial number that advertisers can use to identify you on the web, and it’s the lynchpin of the company’s internet advertising program. But critics say that it’s also a reckless misuse of Verizon’s power as an internet service provider—something that could be used as a trump card to obviate established privacy tools such as private browsing sessions or “do not track” features.

Be Wary of 'Order Confirmation' Emails - Brian Krebs - Krebs on Security

If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.

This post first appeared on Exploring Information Security.

Snowden aftermath links May 28, 2014

New Al Qaeda Encryption Software - Bruce Schneier - Schneier on Security

Discourse is beginning about the effect of the Snowden-released documents and how they have helped enemies of the US. Schneier thinks this might actually be a good thing, since those entities are trying to create their own crypto, which may well be weaker than what's available for free.

NSA reform falters as House passes gutted USA Freedom Act - David Kravets - ars technica

Hey look! It's the government being the government. Just before the vote things were changed, and Congress passed what appears to be a much weaker attempt at reining in some of the government's heinous surveillance programs. It might take more drastic measures for real change to take place.

Disclosing vs. Hoarding Vulnerabilities - Bruce Schneier - Schneier on Security

Vulnerabilities are a balancing act for the government. Do you disclose the vulnerability that could be used to get into an enemy's network, or do you keep it for future use? I'm with Schneier and believe the US government should disclose vulnerabilities, because part of its mission is defense, but I still think there is some reason for it to keep some vulnerabilities to help with its offensive mission.


InfoSec Links April 16, 2014

Xbox password flaw exposed by five-year-old boy - BBC

This five-year-old boy is now on Microsoft's page thanking people for finding problems in its software. The boy found that by hitting the spacebar multiple times in the password field he could get access to his dad's Xbox Live account. Not surprisingly, his dad works in security.

XPocalypse: Experts Warn of Attackers Hoarding Windows XP 'Forever Days' - Fahmida Y. Rashid - Security Week

Just another reason to upgrade your Windows XP computers to a newer operating system. Attackers are saving their exploits until after support ends, so that they are not discovered and patched.

IRS another Windows XP laggard, will pay Microsoft for patches - Peter Bright - ars technica

That is, unless you're the IRS and you procrastinated on upgrading your computers to a newer operating system. It's going to cost $30 million to finish the upgrade. Before they do that, though, they're going to give Microsoft anywhere from $500K to $11M (actual number to be published later) to continue to support their old XP boxes. Oh, and the IRS made it very clear that this won't be an excuse for you to miss the April 15 tax filing deadline. Hooray government.
