A new phishing campaign uses Google Drive. “A new attack that uses phishing web pages hosted on Google Drive has been discovered by Aditya K Sood, architect of Elastica Cloud Threat Labs, and his research team. The attack lends Google credibility to fool security-trained users exploiting the trust users have with Google. This latest attack was built on previous techniques from last year by adding advanced code obfuscation.”
Twitter is being sued for failing to remove a copyrighted photo. “Award-winning photographer Kristin Pierson has filed a lawsuit against Twitter, claiming that the social network failed to remove one of her photos. In a complaint filed at a federal court in California, Pierson demands a restraining order and compensation for the damage she suffered.”
If you’re really, really worried about privacy online, you can get a browser plugin that randomizes the way your keyed input appears to Web sites. “Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online. The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website—or any other site connected to the website—can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions…. The prospect of widely available databases that identify users based on subtle differences in their typing was unsettling enough to researchers Per Thorsheim and Paul Moore that they have created a Chrome browser plugin that’s designed to blunt the threat. The […]
Ewww. There is a really nasty Android bug out there. “It’s like something from a bad movie: eager to learn the details of the bad guy’s dastardly plot, the good guys hack his phone armed with little more than knowledge of his phone number. No physical access to the phone, no tricking him into opening some shady application; just a quick message sent to his phone, and bam — they’re in. Alas, that’s essentially how a new Android hack works, according to researchers… and the vast majority of Android devices are vulnerable.”
Speaking of Google … from Mazin Ahmed: Bypassing Google Password Alert With One Line of Code. The blog post includes a demonstration video. Google Password Alert, if you don’t remember, is a Chrome extension to protect you from fake Google login sites.
Google did a study comparing the security practices of security experts and non-expert users. “The study, based on the responses of 231 security experts and 294 non-experts, shows that there is a big discrepancy in the security practices each of these categories follow. For example, security experts have named software updates as the top online safety practice. In contrast, regular users don’t consider software updates a priority when it comes to online safety. Non-experts don’t clearly understand how effective updates are, and some users even believe they are risky because they could contain bugs or hide malicious software.”
This article from The Next Web has the best URL ever, but that’s not why I’m linking to it. I’m linking to it because it points out that movie studios are so lazy about vetting their takedown requests to Google that they’re asking Google to take down stuff from their own computers.
A bunch of MongoDB data has been exposed on the Internet. “A total of 595.2 terabytes (TB) of data is exposed on the internet via publicly accessible MongoDB instances that don’t require any form of authentication. That is the claim of blogger and Shodan developer John Matherly, following an investigation. Shodan is a search engine designed to expose online devices.”
A woman who was recruited by Google and rejected by Google four times has joined an age discrimination lawsuit. “According to the lawsuit, a Google recruiter contacted [Cheryl] Fillekes in 2007 for possible employment in either Google’s engineering and testing group or its software development group. There were a series of phone interviews and an in-person interview at Google’s headquarters in Mountain View, California. In 2010, a different Google recruiter contacted her and said that from her previous interview scores, she was an ideal candidate. This happened again in 2011 and late 2013. In each case, a Google recruiter contacted her and there were a series of phone interviews, concluding with in-person interviews, but no job offer.” Sue them for wasting your time!
What’s the latest company on the transparency report bus? Why, it’s Etsy! “You may notice our report is different than the reports that others have issued. That’s because we want any insights and context we share to reflect Etsy’s unique marketplace, community and mission. We’re not only including information about requests for member information and intellectual property takedowns — which are both generally associated with transparency reporting — but we’re also providing insight into how we strive to keep our marketplace a reliable, trustworthy place to shop and do business as well as how we offer protection to buyers and sellers.”
Unless you’re the US Navy or some similarly exceptional organization, Windows XP support is officially done. “Keeping to its word, Microsoft ended security support for existing Microsoft Security Essentials customers running Windows XP, a little more than a year after support officially ended April 8, 2014. Microsoft said last year that signatures and updates for Microsoft Security Essentials would continue for a limited time, and the Microsoft Malicious Software Removal Tool would also be available for XP users for a limited time.”
The Wikimedia Foundation has released its third transparency report. “In August 2014, we published our first transparency report, which detailed the number of requests we received to disclose user data or alter or remove content from the Wikimedia projects between July 2012 and June 2014. We updated the report in April 2015 with new data, real-life examples of the types of requests we receive, and additional categories such as ‘voluntary disclosures’ and ‘right to be forgotten’ requests. We are happy to continue this tradition with our latest update, covering January to June 2015. During this time, we received 234 alteration or takedown requests and 23 user data requests, none of which we granted.”
The US Office of Personnel Management is launching an information site after the recent hacking of over 21 million social security numbers and other data. “Today, OPM launched a new, online incident resource center at https://www.opm.gov/cybersecurity to offer information regarding the OPM incidents as well as direct individuals to materials, training, and useful information on best practices to secure data, protect against identity theft, and stay safe online. This resource site will be regularly updated with the most recent information about both the personnel records and background investigation incidents, responses to frequently asked questions, and tools that can help guard against emerging cyber threats, officials said. A call center will follow in the weeks to come, they added.”
Chrome has started blocking major torrent sites. “Over the past few hours the browser has started to block access to several of the most popular torrent sites including KickassTorrents, Torrentz, ExtraTorrent and RARBG. Instead of a page filled with the latest torrents, visitors are presented with an ominous red warning banner.” Unfortunately the story does not, at this writing, have any comment from Google.