All posts in “Cybersecurity”

Think you can hack Tinder? Google will pay you $1,000.

Image: NurPhoto via Getty Images

Hackers, it’s your time to shine. 

Google, in collaboration with bug bounty platform HackerOne, has launched the Google Play Security Reward Program, which promises $1,000 to anyone who can identify security vulnerabilities in participating Google Play apps. 

Thirteen apps are currently participating, including Tinder, Duolingo, Dropbox, Snapchat, and Headspace. 

Apps usually run their own bounty programs on a smaller scale. This is the first time that Google itself has offered a reward on behalf of developers. 

Here’s how it works. If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer. 

Google will be collecting data on the vulnerabilities and sharing it (anonymized) with other developers who may be exposed to the same problems. 

For HackerOne, it’s about attracting more and better participants in bounty programs. A developer who uncovers a vulnerability in Tinder will now receive a the cash bonus from Google in addition to the money they receive from Tinder’s program. 

“Participating apps that already have a bug bounty program will now have the opportunity to attract an even more diverse set of hackers,” Adam Bacchus, HackerOne’s chief bounty officer, told Mashable.

The 13 apps currently participating were selected based on their popularity among Android users. After a trial period with the small group, Google will open the program to the larger community. e91e 9650%2fthumb%2f00001

IoT will forever be in trouble, but there’s hope

Your coffee pot, refrigerator, thermostat, and in-home security system are all connected to the internet. Or, if they’re not now, they will be one day. Sadly, as the forgotten stepchildren of internet security, these Internet of Things devices are likely doomed to a future teeming with botnets and hackers

But that doesn’t mean there isn’t hope for the ever-expanding IoT universe — even if it just so happens to be a thin one. While default passwords and poor update policies all contribute to vulnerable internet-connected devices, there are steps that both companies and consumers can take to make sure their security cameras don’t end up crashing Twitter (or worse). 

Whether those steps will ever truly secure IoT products is unclear, but they’re at least enough to provide the smallest glimmer of hope in an industry otherwise devoid of much positive news. And it’s a good thing, too, because without that hope the ecosystem is pretty much screwed. 

Bad news for IoT

Let’s take the big security news of the week: KRACK. The recently disclosed vulnerability in the WPA2 Wi-Fi protocol means that a determined hacker can both intercept and manipulate traffic between a Wi-Fi-connected device and the web. Even properly configured sytems are currently at risk, and only switching to an ethernet cable hard line (or updating with a presumably forthcoming manufacturer-issued patch) can keep the bad guys out. While it’s true that an attacker needs some physical proximity to a device to pull this specific attack off — thus reducing the possibility that KRACK would be used to create botnets — there are, and always will be, vulnerabilities discovered in existing devices. 

It’s hard enough to convince people to update their computer and smartphone operating systems, let alone whatever firmware runs their smart toaster

And that’s a problem. It’s hard enough to convince people to update their computer and smartphone operating systems, let alone whatever firmware runs their smart toaster. That, plus the propensity for manufacturers to ship devices with default passwords, means that attackers can all too often find and exploit armies of devices for their every nefarious whim. That doesn’t even take into account all the products that are abandoned by bankrupt companies or manufacturers that simply decide they have better things to do than issue patches for years-old smart TVs.

When every IoT device is a potential weapon against a healthy internet, the devices themselves become a threat. And threats are to be eliminated. This very much risks being the permanent status of Internet of Things gadgets, and perhaps the smart consumer is right to be forever wary of camera-enabled refrigerators. However, that doesn’t bode well for the industry and suggests that IoT is structurally flawed. 

Some hope

Thankfully, there are straightforward steps that both consumers and device manufacturers can take to both mitigate the current risk posed by Internet of Things devices and make it so the IoT future isn’t a guaranteed security mess. 

The Department of Homeland Security laid out a series of measures that manufacturers can take that, if followed, would go a long way toward securing the world of IoT. Those suggestions include using “unique, hard to crack default user names and passwords,” “using the most recent operating system that is technically viable and economically feasible,” using “hardware that incorporates security features,” automatically applying security patches, and developing “an end-of-life strategy for IoT products.”

When it comes to some of these recommendations, consumers don’t have to wait for device manufacturers to act. Taking measures into your own hands is a sure fire way to make sure they get done, after all. 

For starters, when it comes to the default passwords devices are frequently shipped with: One of the first things the new owner of a shiny IoT gizmo should do is set a unique password. This should be easy, and will help keep it out of botnets. It should also, in theory, be simple to update a device when patches for security vulnerabilities are released. Security-focused hardware is out there in the world, too. You can buy routers that are specifically designed to monitor for things like suspicious web traffic.  

Perhaps the hardest part, simply from a psychological standpoint, is knowing when to say goodbye. If the company that made your widget goes out of business or stops issuing updates for it, you and your camera-enabled vibrator may just have to part ways. We know it’s sad, but it’s also for the best. 

While, in the end, the smartest security move may be to not to fill your home with IoT gadgets in the first place, that’s a hard sell for people who generally like and find value in their various internet-connected devices. And those people deserve device security just like the rest of us (besides, their unsecured stuff can gunk up the internet for everyone else). 

The IoT ecosystem has a long way to go before it’s not plagued by zombie coffee makers and easily hackable webcams, but with a serious concerted effort and pressure on manufacturers we may one day get there. Here’s hoping that we do, or the only place your favorite web-browsing toaster will belong is in the dumpster. 40b3 2d2f%2fthumb%2f00001

What the KRACK Wi-Fi vulnerability means for you and your devices

So it turns out your Wi-Fi is vulnerable to hackers. A newly released research paper dropped a pretty sizable security bomb: The security protocol protecting most Wi-Fi devices can essentially be bypassed, potentially allowing an attacker to intercept every password, credit-card number, or super-secret cat pic you send over the airwaves.

So what, if anything, can you do about all this — other than go back to the Ethernet cable-laden Dark Ages? While at present there is no all-encompassing way to protect your Wi-Fi, there are a few steps that you can take to mitigate your risk. And you definitely should. 

First, let’s take stock of just how bad things are. Researcher Mathy Vanhoef, who discovered the vulnerability, explains that it allows for an attack that “works against all modern protected Wi-Fi networks.” That means your home, office, and favorite cafe are all potentially at risk. 

At issue is WPA2 (the standard Wi-Fi security protocol) itself — not how it’s being implemented. Vanhoef realized that he could “[trick] a victim [device] into reinstalling an already-in-use key,” subsequently allowing transmitted information to “be replayed, decrypted, and/or forged.”

Vanhoef has dubbed this method the KRACK attack, which stands for “key reinstallation attacks.”

Importantly, the researcher makes no claim that bad actors are currently exploiting the flaw that he discovered. (That doesn’t necessarily mean they’re not, though.) 

“We are not in a position to determine if this vulnerability has been (or is being) actively exploited in the wild,” he writes on his website. So while no one may at present be using this method to snoop on your web browsing, it doesn’t mean someone hasn’t in the past or won’t in the future. In other words, it’s past time to take some precautionary measures. 

What to do

Unfortunately, our options right now aren’t great. You can make sure your router configuration is up to date, and you should, but even that may not protect you from KRACK. Oh, and changing your Wi-Fi password won’t do anything to help. However, there is some good news. Notably, the problem can be fixed. That means you shouldn’t have to actually replace your vulnerable devices. 

“[Luckily] implementations can be patched in a backwards-compatible manner,” writes Vanhoef.  “This means a patched client can still communicate with an unpatched access point, and vice versa. […] However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.”

Responsible device manufacturers around the world are scrambling to issue patches, and security researcher Kevin Beaumont notes a Linux patch already exists. Other companies are following suit, and Owen Williams of the Charged newsletter has compiled a list of which tech companies are on top of this mess. When patches do become available, you need to update your Wi-Fi-connected gadgets ASAP. 

But wait, there’s another reason you can take a deep breath. Beaumont argues that the level of sophistication required to pull off KRACK on certain devices means the average consumer doesn’t have to freak out right now. Unless they’re running Android, that is. 

“The attack realistically doesn’t work against Windows or iOS devices,” he explains. “The Group vuln is there, but it’s not near enough to actually do anything of interest. There is currently no publicly available code out there to attack this in the real world — you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this. Android is the issue, which is why the research paper concentrates on it.”

So… we’re OK then?

The general consensus coming out of all this appears to be that yes, everything is screwed, but (for now) devices are vulnerable only to really skilled people, and most of those devices can also be protected. Basically, today is not the day that Wi-Fi died. If major providers scramble and release patches (some of which already have), and people actually update their devices, we’ll mostly be OK. 

Sure, some manufacturers won’t issue fixes, and some consumers won’t update, but that’s the ongoing story of online security. 

This is a good opportunity to make sure that your router’s settings are up to date (which, remember, at present still means it’s vulnerable to KRACK), and to set daily reminders to check if the manufacturer of your smartphone, laptop, desktop, tablet, router, smart TV, etc., have released a fix for KRACK. Because the responsible ones will, and when they do it will mean that you can go back to browsing the web one paranoid click at a time

In the meantime, consider digging out that old Ethernet cable for any sensitive online transactions — your credit card number will thank you. 312c 2552%2fthumb%2f00001

Unlock your computer simply by being near it, with the help of this device

Use protection.
Use protection.

Image: gatekeeper

Sometimes passwords, no matter how strong you think they are, just aren’t enough to protect all of the sensitive information stored on your devices. The GateKeeper 2.5 Wireless Bluetooth PC Lock is here to make sure you don’t leave yourself accidentally exposed. 

[embedded content]

This PC lock sounds pretty impressive — because of its powerful Bluetooth wireless key, you can log in to your computer just by entering the room. The key allows you to adjust your login range from mere inches to up to thirty feet depending on the kinds of people you tend to fraternize with. None of your information is stored on the key either, so if you lose it, you don’t risk compromising yourself. 

This PC lock seems to be extremely easy to use. Apparently all you have to do is enter the room and you’re logged in to your PC—the key takes care of everything for you. Whether you’re protecting confidential medical data or some particularly embarrassing selfies with your cat, this PC lock appears to be a security solution that anyone can use and rely on.

For a limited time, the GateKeeper 2.5 Wireless Bluetooth PC Lock is available in the Mashable Shop. Get it now for $59.99, which is 50 percent off the $119.98 price tag. Mashable readers can also save an additional 15 percent off their order with coupon code: SAVE15.

Huge security flaw leaves Wi-Fi devices wide open to hackers

There’s a hole in Wi-Fi security, and it affects the vast majority of Wi-Fi devices and networks. That very likely means your phone, your home wireless network, your wireless network at work — everything. 

Belgian security researcher Mathy Vanhoef from the imec-DistriNet research group at the KU Leuven university has discovered a vulnerability in the WPA2 security protocol, used by nearly every Wi-Fi device out there. It allows an attacker to remotely extract decrypted data from a protected Wi-Fi network without knowing the password.

Called KRACK, the attack does not actually recover the victim’s Wi-Fi password. It works by reinstalling the encryption key that’s already in use which, due to a flaw in WPA2, can be used to remotely decrypt traffic. 

Since this is a hole in the WPA2 protocol itself, all devices are affected in some way, no matter the software you’re running. Wi-Fi routers, Android phones, iOS devices, Apple computers, Windows computers, Linux computers — all of them. 

The flaw is also present in the earlier, WPA security protocol, and with any encryption suite, including WPA-TKIP, AES-CCMP, and GCMP. 

The vulnerability is extremely dangerous. An attacker could use it to decrypt some or all traffic from a network, including your passwords, credit card numbers, metadata such as cookies etc. In some cases, an attacker could be able to inject malicious data directly into the traffic, like adding malware to a (normally safe) website you’re visiting. 

Depending on the encryption protocols one uses, the attack can range from bad to worse; in some cases, an attacker will only be able to decrypt your traffic. In others, they’ll be able to essentially take over your connection, forging and injecting packets as they please. 

For example, 41% of Android devices and currently in use and numerous Linux variants are vulnerable to a particularly nasty variant of the attack, which according to Vanhoef, “makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices.”

On the other end of the spectrum are iOS, Windows 7, Windows 10 and OpenBSD, which are only vulnerable to the most basic of attacks.

How screwed we all are, really?

There’s a sliver lining, however. Vanhoef claims that this hole can be patched on current devices in a way that doesn’t break compatibility. In other words, your patched device will still communicate with other, unpatched devices out there. It will take a long time for all vendors to update all devices out there, and some may never receive the update. But news of this vulnerability did not come overnight; it was anticipated and some vendors have already patched their devices. 

Furthermore, this is primarily an attack against clients; devices connected to a network, not routers. This means that, while routers may be vulnerable, the priority for users will be to update clients, such as laptops, smartphones, IoT devices and the like. And getting a macOS, Linux or an Android update will likely be faster than getting an update to that old router you have in the basement. 

Another important bit of news is that some of the attacks described in Vanhoef’s paper are hard to do, meaning there won’t be kid hackers wardriving and stealing your data anytime soon. Generally, an attacker needs to be in the range of the victim’s Wi-Fi network, launch a man-in-the-middle attack against a client connected to that network, spoof its MAC address and change the Wi-Fi channel, all of which can be done today but requires a fair degree of technical knowledge. Then, the attacker would have to launch a script exploiting the KRACK security flaw in some way and collect the decrypted data or inject new data into the network. Very few people possess the technical knowledge to do all this. 

Vanhoef has built a script that exploits this vulnerability on certain Android and Linux devices (see demo video below), but he will only release it “once everyone had a reasonable chance to update their devices.” But given the nature of this security flaw, it likely won’t turn WPA2 into WEP, the earlier Wi-Fi encryption standard, which is thoroughly insecure in all implementations and easily crackable by anyone within minutes. 

In other words, there’s probably no need to turn off your router and disable Wi-Fi on all your devices, at least not yet. You should, however, use HTTPS whenever possible, and a VPN might be a good idea as well. 

[embedded content]

Still, it’s hard to overstate the importance of this news. WPA2 was long thought to be an extremely secure and robust protocol. As Vanhoef explains here, the math behind WPA2’s encryption is still solid; as it often happens, the problem is in the way the WPA2 protocol is implemented. 

But besides being an impressive technical achievement, this is the type of problem that will likely haunt us for many years to come. Once easy-to-use tools that exploit this vulnerability are developed — and they will be — all Wi-Fi capable devices that haven’t been updated with a fix will be at risk. And since a vast number of devices have Wi-Fi connectivity — from your gaming console to your phone to your baby monitor — it’ll be a long time till KRACK stops being a threat. 

Vanhoef’s research paper on KRACK is available here 8838 9699%2fthumb%2f00001