Cosmo, the Hacker ‘God’ Who Fell to Earth

Mat Honan, at Wired's Gadget Lab:

“I called Netflix and it was so easy,” he chuckles. “They said, ‘What’s your name?’ and I said, ‘Todd [Redacted],’ gave them his e-mail, and they said, ‘Alright your password is 12345,’ and I was signed in. I saw the last four digits of his credit card. That’s when I filled out the Windows Live password-reset form, which just required the first name and last name of the credit card holder, the last four digits, and the expiration date.”

After Mat fell victim to similar social-engineering miscreants weeks ago, he began investigating how widespread this issue is. What he has found, through a goldmine source, is that this sort of thing is prevalent within the industry. This is a must-read article. I applaud Mat for exposing these security issues and hope the MANY companies mentioned in this article will take action to close these vulnerabilities within their systems.

Hashing For Privacy In Social Apps

Matt Gemmell, on the subject of social apps uploading raw user data instead of hashing the data:

From talking to many developers about this privacy intrusion during the past week, it quickly became disturbingly clear to me that many aren’t familiar with hashing at all. This is also predictably (and entirely forgivably) true for the many journalists who have covered the story, unintentionally distorting the issue due to lack of education in the field. This article, therefore, aims to introduce the concept of hashing in a clear, straightforward, and no-degree-required way, suitable for journalists and casual readers as well as programmers and software engineers. I’ll also explain why it’s suitable for preserving the privacy of contact information whilst still allowing for social functionality, and I’ll touch on whether or not you really need to store that contact information (hashed or not) in the first place.

He goes on to outline the things he touched on in the paragraph above. This is a must-read article for any web or app developer.

Horrible, Almost Unforgivable Dropbox Authentication Bug Yesterday

Christopher Soghoian emailed Dropbox (the thread is posted over on Pastebin) telling them how he had discovered a massive security vulnerability in Dropbox in the wee hours of yesterday morning. If you want to read the entire email thread of how he discovered it, do so, but the short of it is: for a period of 4 hours yesterday, anyone could log into any Dropbox account without having to know its password. Any password worked for any account. Dropbox says they've fixed the issue, patching the bug just 5 minutes after they found out about it; however, that doesn't change the fact that this happened. If you, like me, are worried about whether anyone logged into your account during that period, check your Dropbox account event log.

Good Luck With That

John Gruber posted this over at Daring Fireball:

Stuart Sumner for Computing:

Apple cannot continue to lock down its iOS platform and restrict the types of software developed for it, says security firm Kaspersky’s CTO Nikolay Grebennikov. Speaking to Computing, he said: “Apple simply can’t continue with its current closed approach, and in my opinion, to remain competitive it should be looking to open up its platform within a year.” “The Android platform, which is growing its market share, is much more open than the Apple iOS and it’s easier to create new applications for Android, including security software,” said Grebennikov.

MacDailyNews’s translation: “We wish Apple would make its platform insecure like Google, so that we can sell ‘security’ to hundreds of millions of iOS users.”

The consumer software "security" industry has largely been leeches on the backs of consumers for the past 10 years. In the early '90s when they started out, they were mostly doing good - writing good software that solved a problem. When they stagnated in the mid-'90s they began to peddle bloatware and drum up fear around every major virus/trojan that came out in order to scare customers into buying their software. Their new way of competing was to further bloat their products with crap that people didn't need or to 'out-scare' their competitors. Now that Apple is taking hold in the desktop and mobile markets, they're scared shitless because Apple customers simply do not need their crapware any longer. The emperor has no clothes. There are no words to describe how much I cannot wait to see them all go away. Although they'll probably go kicking and screaming on the way down with their cries growing increasingly frantic about how you're all going to die unless you buy their Norton McAfee Virus Checker 3000 Deluxe Edition Pro™. Fuck those guys.

Sony Hacked Again: 1 Million+ Accounts Compromised

The same group that became infamous for hitting PBS earlier this week has just announced that they've now hit Sony with a SQL injection which allowed them full access to various Sony databases. LulzSec statement:

Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.

Rob Beschizza, writing for BoingBoing:

Sony traditionally is run as a set of 'silos', independent departments, divisions and joint ventures that have much autonomy from one another. This might be why there are so many different attacks: there is always another Sony silo which runs its own web infrastructure, where hundreds of dollars worth of web development can go down the drain, just like that.

Ouch. As I said last week on Twitter, friends don't let friends create user accounts on Sony networks.

Google's Eric Schmidt, "If you care about security, get a Mac, not a PC."

Google's former CEO and now board Chairman, Eric Schmidt, was interviewed on stage last night at D9. He made several interesting revelations. Jason Kincaid, writing for TechCrunch:

Today during a keynote interview at AllThingsD’s D9, Google Executive Chairman (and former longtime CEO) made a key announcement: Google has recently renewed its partnership with Apple over mapping and search. In other words, don’t look for a new version of Maps on iOS at next month’s WWDC. So, why is this important? Apple has long shipped every iPod Touch, iPhone, and iPad with a Maps application powered by Google. It’s great (though arguably not as good as its Android counterpart). But Apple and Google are competing fiercely in the mobile market, and every time someone runs a search using Maps from an iOS device, Apple is handing Google a little more data that could be used to further improve their local products.

Later on during the interview, Schmidt spoke this gem of a quote:

... Schmidt also puts in a plug for Chrome, saying it is more secure. Walt Mossberg, "What else could you do to promote security?" Eric Schmidt, "You could use a Mac instead of a PC. Viruses are far less likely to affect Mac users."