Tag Archive for ‘Security’

553 Million Facebook Users Compromised ➝

David Sparks:

Hackers managed to grab names, account details, and telephone numbers from 553 million Facebook users, and now they’ve published all that data on the web.

How do we convince 2.7 billion people to stop using Facebook? It’s clear that the security and privacy angles don’t work. So what will?

➝ Source: macsparky.com

WordPress 5.6, “Simone” ➝

An exciting release, which includes a great new feature:

Thanks to the API’s new Application Passwords authorization feature, third-party apps can connect to your site seamlessly and securely. This new REST API feature lets you see what apps are connecting to your site and control what they do.

This gives you the ability to authenticate an app or service with WordPress using a password created specifically for that connection. And you can revoke that password as you see fit — keeping your site secure without having to change your password and re-authenticate in any app or service connected to your site.

But what’s more exciting is that this opens the door to natively supporting two-factor authentication in the future. If that’s something you’d like to add with a plugin now, I use Two-Factor.

And for more information about Application Passwords, there’s an excellent integration guide available.

➝ Source: wordpress.org
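The release notes above describe the property that matters: each connecting app gets its own secret, and revoking one leaves the account password and every other app untouched. The following is an added illustration of that model in Python and is not WordPress’s own implementation; the class name, the PBKDF2 parameters and the sample app labels are all my assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AppPassword:
    """One per-connection credential. Only a salted hash is kept."""
    name: str        # label shown to the user, e.g. "Phone client"
    salt: bytes
    digest: bytes
    revoked: bool = False


class ApplicationPasswordStore:
    """Hypothetical store of per-application passwords for a single account.

    Each app gets a fresh random secret that is shown once and never stored
    in clear, so a database leak does not hand out working credentials, and
    revoking one entry does not touch the account password or other apps.
    """

    # Assumed work factor; a real deployment would tune this.
    PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        self._entries: Dict[str, AppPassword] = {}   # keyed by entry id

    @classmethod
    def _hash(cls, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, cls.PBKDF2_ROUNDS)

    def create(self, name: str) -> Tuple[str, str]:
        """Mint a new app password; returns (entry_id, secret)."""
        secret = secrets.token_hex(12)      # 24 hex characters, random per app
        salt = secrets.token_bytes(16)
        entry_id = secrets.token_hex(8)
        self._entries[entry_id] = AppPassword(name, salt, self._hash(secret, salt))
        return entry_id, secret

    def revoke(self, entry_id: str) -> None:
        """Disable one connection without affecting any other credential."""
        self._entries[entry_id].revoked = True

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the id of the active entry that matches, or None.

        Every active entry is checked with a constant-time comparison so a
        wrong guess cannot be told apart from a revoked one by timing.
        """
        for entry_id, entry in self._entries.items():
            if entry.revoked:
                continue
            if hmac.compare_digest(self._hash(presented, entry.salt), entry.digest):
                return entry_id
        return None

    def connections(self) -> List[Tuple[str, bool]]:
        """What the user sees: (app label, still active) for each entry."""
        return [(e.name, not e.revoked) for e in self._entries.values()]


if __name__ == "__main__":
    store = ApplicationPasswordStore()
    phone_id, phone_secret = store.create("Phone client")
    desk_id, desk_secret = store.create("Desktop client")
    print("phone ok:", store.authenticate(phone_secret) == phone_id)
    store.revoke(phone_id)
    print("phone after revoke:", store.authenticate(phone_secret))
    print("desktop still ok:", store.authenticate(desk_secret) == desk_id)
    print("connections:", store.connections())
```

The point to take from the example is the shape of the data, not the hashing details: the account password never changes, each app only ever holds a secret that can be individually switched off, and the store can list which apps are connected.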

Laboratory, a Firefox Add-on for Generating Content Security Policies ➝

I got on a kick of implementing security-related headers on Initial Charge this week. Most of these were fairly easy to add, simply copying and pasting some code from various tutorials into my .htaccess file and then testing. But Content Security Policy was a major pain. It essentially tells the browser what content is allowed to run on web pages and where it can load that content from.

This add-on made the process much easier. Once installed, I opened the add-on’s menu, enabled recording of my site, then browsed to every type of page I could think of — on the front end and the back end. The add-on kept a running tab on all the different types of content loaded and where it was loaded from. Then I grabbed the markup provided from within the add-on’s menu and added it to the site’s .htaccess file.

I’m using some declarations that are considered unsafe, notably the ability to run inline JavaScript and CSS. But now that I have the header implemented, I can go through the process of adjusting that content to run from safer sources and then change my security headers accordingly.

➝ Source: addons.mozilla.org
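The post above ends with a policy that still allows inline JavaScript and CSS and a plan to tighten it later. The script below is an added example, not something from the post or from the Laboratory add-on: a small Content-Security-Policy parser and audit that flags the directives worth revisiting, run over two constructed policies (a permissive first draft and a nonce-based tightened version). The policies, the `cdn.example` host and the nonce value are made up for the example.

```python
from typing import Dict, List

# Constructed example policies, not the ones from the post.
DRAFT_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example; "
    "style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data: https:; "
    "object-src 'none'"
)

# Same site after moving inline script to a per-response nonce and inline
# style into stylesheets; the nonce value here is a placeholder.
TIGHTENED_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0m' https://cdn.example; "
    "style-src 'self'; "
    "img-src 'self' data: https:; "
    "object-src 'none'; "
    "base-uri 'self'"
)

ALWAYS_RISKY = {"'unsafe-inline'", "'unsafe-eval'", "*"}
SCHEME_ONLY = {"http:", "https:", "data:", "blob:"}
# Directives that govern executable content; a scheme-only source here
# means "any origin on that scheme", which defeats the point of the policy.
CODE_DIRECTIVES = {"default-src", "script-src", "script-src-elem", "script-src-attr"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive
    names are case-insensitive, and a repeated directive is ignored after
    its first occurrence, which matches how browsers treat it.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def audit_csp(header: str) -> List[str]:
    """Return a list of findings describing weak spots in the policy."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive, sources in policy.items():
        has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in sources)
        for src in sources:
            if src in ALWAYS_RISKY:
                if src == "'unsafe-inline'" and has_nonce_or_hash:
                    # Once a nonce or hash is present, CSP2+ browsers ignore
                    # 'unsafe-inline'; it only remains as a CSP1 fallback.
                    findings.append(f"{directive}: 'unsafe-inline' kept only as legacy fallback")
                else:
                    findings.append(f"{directive}: allows {src}")
            elif directive in CODE_DIRECTIVES and src in SCHEME_ONLY:
                findings.append(f"{directive}: allows any {src} origin")
    if "default-src" not in policy:
        findings.append("missing default-src: undeclared fetch directives are unrestricted")
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content is not blocked")
    return findings


if __name__ == "__main__":
    for label, policy in (("draft", DRAFT_POLICY), ("tightened", TIGHTENED_POLICY)):
        print(f"{label}: {audit_csp(policy) or 'no findings'}")
```

Running it against the draft reports the three inline/eval allowances the post mentions and nothing against the tightened policy, which is the check to repeat each time a piece of inline code is moved to a nonce or an external file.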

Hackers Convinced Twitter Employee to Help Them Hijack Accounts ➝

I’m a bit behind on the Twitter hack story, but Michael Tsai does a great job collecting some of the more interesting takes from around the web.

I’m sure this isn’t a unique thought, but having a single, centralized system for publishing and communication is inherently insecure. It would be wise for high-profile individuals to buy a domain, install some publishing software, and start sharing their thoughts on something they completely control.

If one site gets compromised, it will only affect that single individual. And because they’ll own their own platform, they won’t be beholden to Twitter in regards to what security measures can be put in place.

➝ Source: mjtsai.com

Catalina’s Dialog Bureaucracy ➝

An excellent piece by Nick Heer discussing the terrible state of permissions prompts and security-related dialogs in macOS.

➝ Source: pxlnv.com

Samsung Accidentally Makes the Case for Not Owning a Smart TV ➝

Jon Porter, writing for The Verge:

Samsung has reminded owners of its smart TVs that they should be regularly scanning for malware using its built-in virus scanning software. “Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks,” a (now deleted) tweet from the company’s US support account read alongside a video attachment that demonstrated the laborious process.

It’s amazing to me that this was ever tweeted at all. Imagine if Microsoft were marketing their operating system by sharing tips on how to use malware or virus scanners on Windows. It’s not a good look.

How to Use 1Password as a Digital Will ➝

This is a great suggestion from the folks at The Sweet Setup. I’ve actually had this idea bouncing around in my head recently and I’m glad to see someone has done the legwork to figure out the best way to do this.

Google Collects Android Users’ Locations Even When Location Services Are Disabled ➝

Keith Collins, reporting for Quartz:

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

The cell tower addresses have been included in information sent to the system Google uses to manage push notifications and messages on Android phones for the past 11 months, according to a Google spokesperson. They were never used or stored, the spokesperson said, and the company is now taking steps to end the practice after being contacted by Quartz. By the end of November, the company said, Android phones will no longer send cell-tower location data to Google, at least as part of this particular service, which consumers cannot disable.

Google only decided to discontinue this practice after getting caught red-handed. But if no one noticed, how much longer would this have gone on?