Chrome-saved passwords in plain text not a flaw, according to Google

August 7, 2013 – 6:34 PM

Go into the password section in Google Chrome’s settings panel and you can see that the popular web browser displays saved passwords in plain text. Many consider this a flaw – but not Google.

Software developer Elliott Kember may not be the first one to realize this, but he learned about it for the first time just recently and decided to write about it in a blog post that is gaining some attention.

More often than not, Kember is found using Safari on his Apple computer – a web browser he said does not reveal passwords in plain text – but he occasionally gives Chrome a whirl and decided he would try to import his bookmarks from Safari for consistency.

It struck him as odd that he was not able to uncheck a “Saved passwords” option on the import setting menu that popped up, which quickly led him to discover that all saved passwords can be displayed in plain text in the Chrome settings panel.

“There’s no master password, no security, not even a prompt that ‘these passwords are visible,’” Kember wrote in his post.

The response in the media and on internet forums has been negative, but Google maintains this is not a flaw. Passwords are encrypted on Google servers, but Justin Schuh, Chrome browser security lead, responded to Kember in a post of his own by likening boundaries on a user computer to “theater.”

Schuh said any attacker who gains access to an account can dump all session cookies, grab history, install monitoring software or install malicious extensions to intercept browsing activity. His point is that “once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.”

Source:
http://www.scmagazine.com/chrome-saved-passwords-in-plain-text-not-a-flaw-according-to-google/article/306470/

TOR Project: Stop using Windows, disable JavaScript

August 6, 2013 – 5:11 AM

The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network.

The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network.

“Really, switching away from Windows is probably a good security move for many reasons,” according to a security advisory posted Monday by The TOR Project.

The TOR Project’s reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.

People using Linux and OS X were not affected, but that doesn’t mean they couldn’t be targeted in the future. “This wasn’t the first Firefox vulnerability, nor will it be the last,” The TOR Project warned.

The JavaScript was likely planted on certain websites whose visitors the attacker wanted to identify. The script collected the hostname and MAC (Media Access Control) address of a person’s computer and sent them to a remote computer, the exact kind of data that TOR users hope to avoid revealing while surfing the Internet.

Source:
http://news.techworld.com/security/3462476/tor-project-stop-using-windows-disable-javascript/

Mailvelope: use OpenPGP encryption on Gmail, Yahoo, Hotmail and other webmail services

August 4, 2013 – 2:30 PM

If you prefer to use a webmail interface such as those provided by Gmail, Hotmail or Yahoo! Mail, you probably know that you cannot really secure your data directly when you are using those services. The majority of popular webmail services do not support email encryption, for instance, which would protect the content of messages from being read by automated tools and anyone else with access.

Mailvelope is a free browser extension for Google Chrome and Mozilla Firefox that introduces OpenPGP encryption to webmail services that you may be using. The extension ships with support for Gmail, Yahoo! Mail, Outlook and GMX by default, and options to integrate other web-based email providers as well.

Setup is a little bit complicated, especially if you have never worked with PGP before. After you have installed the extension in your browser of choice, it is necessary to either create a new encryption key or import an existing one.

Source:
http://www.ghacks.net/2013/08/04/mailvelope-use-openpgp-encprytion-on-gmail-yahoo-hotmail-and-other-webmail-services/

The FBI uses the microphone and camera on phones to spy on people

August 3, 2013 – 9:00 AM

Do you carry your cell phone with you wherever you go? Of course you do. Indeed, a study even showed that 75% of people actually use their phone while in the bathroom! So is it any surprise that the best way to get information on suspected criminals would be to snoop on them via their own phone?

A report from the Wall Street Journal, citing unnamed sources, claims that the FBI is doing just that, by tricking suspected criminals into clicking links that install malware on the device. An interesting tidbit of note is that the organization only uses this method on non-technical suspects; they fear that a computer expert would be able to identify and release details of the malware to the public. In addition, a search warrant should be required before the malware is installed on a phone, but the line gets blurry if the attack is aimed at only gathering metadata. There’s no word on how many people are targeted, what the barrier is to install the software, or how it’s removed once the investigation is complete.

As we said earlier, if the government can spy on you via your phone and laptop, why should we care if the upcoming Xbox One can do the same thing? And lest you think this is an issue only in the United States, remember that other countries have their own monitoring services in place. The privacy genie is already out of the bottle, so how do we put it back in? An even more important question is whether the majority of the world even cares anymore.

Source:
http://www.neowin.net/news/the-fbi-uses-the-microphone-and-camera-on-phones-to-spy-on-people

Wi-Fi routers: More security risks than ever

August 3, 2013 – 8:06 AM

More major brand-name Wi-Fi router vulnerabilities continue to be discovered, and continue to go unpatched, a security researcher has revealed at Defcon 21.

Jake Holcomb, a security researcher at the Baltimore, Md.-based firm Independent Security Evaluators and the lead researcher into Wi-Fi router vulnerabilities, said that the problem is worse than when ISE released its original findings in April.

The latest study continues to show that the small office and home office Wi-Fi routers are “very vulnerable to attack,” Holcomb said.

“They’re not a means to protect your network and your digital assets,” he cautioned.

Holcomb is a relatively young researcher, in his mid-20s, who turned his lifelong interest in computer security into a professional career only in the past year. Previously, he was doing network security for a school district in Ohio.

The new report details 56 new Common Vulnerabilities and Exposures, or CVEs, that Holcomb and the other ISE researchers have found in popular routers. These include the Asus RT-AC66U, D-Link DIR-865L, and TrendNet TEW-812DRU, for which Holcomb plans on demonstrating vulnerabilities at Defcon on Saturday and Sunday.

Source:
http://news.cnet.com/8301-1009_3-57596851-83/wi-fi-routers-more-security-risks-than-ever/