All posts in “hacking”

Major internet outage hits the U.S.

Yes, it’s down.

Image: Michael Bocchieri/Getty Images

No, it’s not just you. 

Large swaths of the United States are currently experiencing internet connection problems with several major ISPs apparently affected. Comcast, Verizon, and AT&T all appear to be having issues, with Comcast blaming the outage on an “external network issue.”

This outage falls just after the one-year anniversary of a major DDoS attack on Dyn that crippled the internet for a day in October of 2016.

According to DownDetector, which tracks internet outages, Comcast customers are experiencing connectivity issues in “Mountain View, Denver, Portland, Chicago, Seattle, New York, San Francisco, Houston, Minneapolis, and Boston.”

There are no firm reports yet as to the cause, although some are already speculating that it might be some sort of attack.

Meanwhile, Level 3 — a major ISP — told Mashable that a “configuration error” caused a 90 minute service disruption. 

“On Monday, Nov. 6, our network experienced a service disruption affecting some customers with IP-based services,” wrote the spokesperson via email. “The disruption was caused by a configuration error. We know how important these services are to our customers. Our technicians were able to restore service within approximately 90 minutes.”

A Verizon spokesperson explained to Mashable over email that “[no] Verizon widescale Internet outages now that I’m aware of.”

We’ve reached out to Comcast and AT&T, and will update this story when and if we hear back.

UPDATE: Nov. 6, 2017, 1:16 p.m. PST Comcast now claims that the still unknown issue has been “resolved for almost all customers.” 

This story has been updated to include statements from Level 3 and Verizon.  


Think you can hack Tinder? Google will pay you $1,000.

Image: NurPhoto via Getty Images

Hackers, it’s your time to shine. 

Google, in collaboration with bug bounty platform HackerOne, has launched the Google Play Security Reward Program, which promises $1,000 to anyone who can identify security vulnerabilities in participating Google Play apps. 

Thirteen apps are currently participating, including Tinder, Duolingo, Dropbox, Snapchat, and Headspace. 

Apps usually run their own bounty programs on a smaller scale. This is the first time that Google itself has offered a reward on behalf of developers. 

Here’s how it works. If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer. 

Google will be collecting data on the vulnerabilities and sharing it (anonymized) with other developers who may be exposed to the same problems. 

For HackerOne, it’s about attracting more and better participants in bounty programs. A developer who uncovers a vulnerability in Tinder will now receive the cash bonus from Google in addition to the money they receive from Tinder’s program.

“Participating apps that already have a bug bounty program will now have the opportunity to attract an even more diverse set of hackers,” Adam Bacchus, HackerOne’s chief bounty officer, told Mashable.

The 13 apps currently participating were selected based on their popularity among Android users. After a trial period with the small group, Google will open the program to the larger community.

IoT will forever be in trouble, but there’s hope

Your coffee pot, refrigerator, thermostat, and in-home security system are all connected to the internet. Or, if they’re not now, they will be one day. Sadly, as the forgotten stepchildren of internet security, these Internet of Things devices are likely doomed to a future teeming with botnets and hackers.

But that doesn’t mean there isn’t hope for the ever-expanding IoT universe — even if it just so happens to be a thin one. While default passwords and poor update policies all contribute to vulnerable internet-connected devices, there are steps that both companies and consumers can take to make sure their security cameras don’t end up crashing Twitter (or worse). 

Whether those steps will ever truly secure IoT products is unclear, but they’re at least enough to provide the smallest glimmer of hope in an industry otherwise devoid of much positive news. And it’s a good thing, too, because without that hope the ecosystem is pretty much screwed. 

Bad news for IoT

Let’s take the big security news of the week: KRACK. The recently disclosed vulnerability in the WPA2 Wi-Fi protocol means that a determined hacker can both intercept and manipulate traffic between a Wi-Fi-connected device and the web. Even properly configured systems are currently at risk, and only switching to an Ethernet cable hard line (or updating with a presumably forthcoming manufacturer-issued patch) can keep the bad guys out. While it’s true that an attacker needs some physical proximity to a device to pull this specific attack off — thus reducing the possibility that KRACK would be used to create botnets — there are, and always will be, vulnerabilities discovered in existing devices.


And that’s a problem. It’s hard enough to convince people to update their computer and smartphone operating systems, let alone whatever firmware runs their smart toaster. That, plus the propensity for manufacturers to ship devices with default passwords, means that attackers can all too often find and exploit armies of devices for their every nefarious whim. That doesn’t even take into account all the products that are abandoned by bankrupt companies or manufacturers that simply decide they have better things to do than issue patches for years-old smart TVs.

When every IoT device is a potential weapon against a healthy internet, the devices themselves become a threat. And threats are to be eliminated. This very much risks being the permanent status of Internet of Things gadgets, and perhaps the smart consumer is right to be forever wary of camera-enabled refrigerators. However, that doesn’t bode well for the industry and suggests that IoT is structurally flawed. 

Some hope

Thankfully, there are straightforward steps that both consumers and device manufacturers can take to both mitigate the current risk posed by Internet of Things devices and make it so the IoT future isn’t a guaranteed security mess. 

The Department of Homeland Security laid out a series of measures that manufacturers can take that, if followed, would go a long way toward securing the world of IoT. Those suggestions include using “unique, hard to crack default user names and passwords,” “using the most recent operating system that is technically viable and economically feasible,” using “hardware that incorporates security features,” automatically applying security patches, and developing “an end-of-life strategy for IoT products.”

When it comes to some of these recommendations, consumers don’t have to wait for device manufacturers to act. Taking measures into your own hands is a surefire way to make sure they get done, after all.

For starters, consider the default passwords devices are frequently shipped with: one of the first things the new owner of a shiny IoT gizmo should do is set a unique password. This should be easy, and will help keep the device out of botnets. It should also, in theory, be simple to update a device when patches for security vulnerabilities are released. Security-focused hardware is out there in the world, too. You can buy routers that are specifically designed to monitor for things like suspicious web traffic.

Perhaps the hardest part, simply from a psychological standpoint, is knowing when to say goodbye. If the company that made your widget goes out of business or stops issuing updates for it, you and your camera-enabled vibrator may just have to part ways. We know it’s sad, but it’s also for the best. 

While, in the end, the smartest security move may be to not to fill your home with IoT gadgets in the first place, that’s a hard sell for people who generally like and find value in their various internet-connected devices. And those people deserve device security just like the rest of us (besides, their unsecured stuff can gunk up the internet for everyone else). 

The IoT ecosystem has a long way to go before it’s not plagued by zombie coffee makers and easily hackable webcams, but with a serious concerted effort and pressure on manufacturers we may one day get there. Here’s hoping that we do, or the only place your favorite web-browsing toaster will belong is in the dumpster.

What the KRACK Wi-Fi vulnerability means for you and your devices

So it turns out your Wi-Fi is vulnerable to hackers. A newly released research paper dropped a pretty sizable security bomb: The security protocol protecting most Wi-Fi devices can essentially be bypassed, potentially allowing an attacker to intercept every password, credit-card number, or super-secret cat pic you send over the airwaves.

So what, if anything, can you do about all this — other than go back to the Ethernet cable-laden Dark Ages? While at present there is no all-encompassing way to protect your Wi-Fi, there are a few steps that you can take to mitigate your risk. And you definitely should. 

First, let’s take stock of just how bad things are. Researcher Mathy Vanhoef, who discovered the vulnerability, explains that it allows for an attack that “works against all modern protected Wi-Fi networks.” That means your home, office, and favorite cafe are all potentially at risk. 

At issue is WPA2 (the standard Wi-Fi security protocol) itself — not how it’s being implemented. Vanhoef realized that he could “[trick] a victim [device] into reinstalling an already-in-use key,” subsequently allowing transmitted information to “be replayed, decrypted, and/or forged.”

Vanhoef has dubbed this method the KRACK attack, which stands for “key reinstallation attacks.”

Importantly, the researcher makes no claim that bad actors are currently exploiting the flaw that he discovered. (That doesn’t necessarily mean they’re not, though.) 

“We are not in a position to determine if this vulnerability has been (or is being) actively exploited in the wild,” he writes on his website. So while no one may at present be using this method to snoop on your web browsing, it doesn’t mean someone hasn’t in the past or won’t in the future. In other words, it’s past time to take some precautionary measures. 

What to do

Unfortunately, our options right now aren’t great. You can make sure your router configuration is up to date, and you should, but even that may not protect you from KRACK. Oh, and changing your Wi-Fi password won’t do anything to help. However, there is some good news. Notably, the problem can be fixed. That means you shouldn’t have to actually replace your vulnerable devices. 

“[Luckily] implementations can be patched in a backwards-compatible manner,” writes Vanhoef.  “This means a patched client can still communicate with an unpatched access point, and vice versa. […] However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.”
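To make the mechanism described above concrete, here is a small simulation added to this page; it is not code from the article or from the KRACK research, and its stream cipher, handshake and session key are constructed stand-ins rather than real WPA2/CCMP. It models a client that accepts a retransmitted handshake message and reinstalls the already-in-use key (resetting its packet nonce to zero) beside a patched client that installs a key only once, and shows why the first reuses keystream while the second does not.

```python
"""Toy model of key reinstallation and of the fix: install a key only once.
Added illustration, not the article's or the KRACK authors' code. The
cipher and handshake below are constructed stand-ins for WPA2/CCMP."""
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Constructed stream cipher: HMAC-SHA256 driven by (nonce, block counter).
    # Like any stream cipher, including the AES-CTR inside CCMP, it is only
    # safe if a (key, nonce) pair is never used for two different packets.
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


class Client:
    """Wi-Fi client state reduced to the session key and the packet nonce."""

    def __init__(self, install_key_only_once: bool):
        self.install_key_only_once = install_key_only_once
        self.key = None
        self.nonce = 0

    def install_key(self, key: bytes) -> bool:
        # Vulnerable behaviour: every (re)delivery of the handshake message
        # installs the key and resets the nonce. Patched behaviour (the
        # backwards-compatible fix quoted above): a key already in use is
        # not installed again, so the nonce keeps counting forward.
        if self.install_key_only_once and self.key == key:
            return False
        self.key = key
        self.nonce = 0
        return True

    def encrypt(self, plaintext: bytes):
        # Returns (nonce used, ciphertext) and advances the nonce.
        ks = keystream(self.key, self.nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        used = self.nonce
        self.nonce += 1
        return used, ciphertext


def run_session(install_key_only_once: bool) -> dict:
    """Handshake, one data packet, a retransmitted handshake message, one more packet."""
    key = b"constructed-session-key"  # constructed sample value
    client = Client(install_key_only_once)
    client.install_key(key)
    n1, ct1 = client.encrypt(b"first packet: card ending 4242")
    # The handshake message arrives again, whether retransmitted by the
    # access point or replayed. This is the moment the flaw hinges on.
    reinstalled = client.install_key(key)
    n2, ct2 = client.encrypt(b"second packet: card ending 4242")
    return {
        "reinstalled": reinstalled,
        "nonces": (n1, n2),
        "nonce_reused": n1 == n2,
        # Identical keystream for two packets is exactly what lets an
        # eavesdropper decrypt or forge traffic without knowing the key.
        "same_keystream": keystream(key, n1, 32) == keystream(key, n2, 32),
    }


def nonce_reused_after_retransmit(install_key_only_once: bool) -> bool:
    """Audit-style check: does this client ever reuse a nonce under one key?"""
    return run_session(install_key_only_once)["nonce_reused"]


if __name__ == "__main__":
    print("vulnerable client:", run_session(False))
    print("patched client:   ", run_session(True))
```

Running it shows the vulnerable client reporting `nonce_reused: True` with nonces `(0, 0)`, while the patched client refuses the reinstall and encrypts the second packet under nonce 1. The same property is what a device vendor's regression test should assert after applying the update: under a fixed key, the packet nonce never repeats, regardless of how many times handshake messages are delivered.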

Responsible device manufacturers around the world are scrambling to issue patches, and security researcher Kevin Beaumont notes a Linux patch already exists. Other companies are following suit, and Owen Williams of the Charged newsletter has compiled a list of which tech companies are on top of this mess. When patches do become available, you need to update your Wi-Fi-connected gadgets ASAP. 

But wait, there’s another reason you can take a deep breath. Beaumont argues that the level of sophistication required to pull off KRACK on certain devices means the average consumer doesn’t have to freak out right now. Unless they’re running Android, that is. 

“The attack realistically doesn’t work against Windows or iOS devices,” he explains. “The Group vuln is there, but it’s not near enough to actually do anything of interest. There is currently no publicly available code out there to attack this in the real world — you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this. Android is the issue, which is why the research paper concentrates on it.”

So… we’re OK then?

The general consensus coming out of all this appears to be that yes, everything is screwed, but (for now) devices are vulnerable only to really skilled people, and most of those devices can also be protected. Basically, today is not the day that Wi-Fi died. If major providers scramble and release patches (some of which already have), and people actually update their devices, we’ll mostly be OK. 

Sure, some manufacturers won’t issue fixes, and some consumers won’t update, but that’s the ongoing story of online security. 

This is a good opportunity to make sure that your router’s settings are up to date (which, remember, at present still means it’s vulnerable to KRACK), and to set daily reminders to check whether the manufacturer of your smartphone, laptop, desktop, tablet, router, smart TV, etc., has released a fix for KRACK. Because the responsible ones will, and when they do it will mean that you can go back to browsing the web one paranoid click at a time.

In the meantime, consider digging out that old Ethernet cable for any sensitive online transactions — your credit card number will thank you.

How to hold private companies accountable for data breaches

Image: Lili Sams/Mashable

Another day, another data breach.

That would definitely be an apt catchphrase for 2017, with major, high-profile hacks or breaches coming with disturbing regularity. Equifax and HBO were both hit hard, and the WannaCry ransomware crippled infrastructure around the globe. Even Instagram wasn’t spared.

With every breach, another refrain is typically heard: That it was preventable. If only the people in charge had invested more in cybersecurity, or updated their systems, or simply weren’t incompetent, then the hack never would have happened. Yet those same people often face little or no direct consequences.

Some people want to change that. One of them is Todd Thibodeaux, CEO of CompTIA, a technology association that promotes standards and helps guide the IT industry. Thibodeaux thinks, when it comes to poor network security, accountability for private companies needs to happen at the highest level: the board of directors.

Joining the MashTalk podcast, Thibodeaux goes into detail about how such an approach would work and shares his thoughts on why it feels like breaches and hacking — especially ransomware — have taken a sharp rise. He also takes a minute to clarify that there actually is a framework for cybersecurity standards that any company can use, but clearly not nearly enough do.

Follow MashTalk on Twitter.

You can subscribe to MashTalk on iTunes or Google Play, and we’d appreciate it if you could leave a review. Feel free to hit us with questions and comments by tweeting to @mashtalk or attaching the #MashTalk hashtag. We welcome all feedback.

