Navigation Apps With Millions of Downloads Exposed as Just Google Maps With Bonus Ads

https://gizmodo.com/navigation-apps-with-millions-of-downloads-exposed-as-j-1831869725


Image: Sam Rutherford (Gizmodo)

One of the purported benefits of modern-day app stores is to make it easier for companies to review and ensure that the software you download isn’t harmful or malicious. But with upwards of 2.1 million apps on Google Play, sometimes things slip through the cracks, which seems to be precisely how at least 19 different free navigation apps were found to actually be knock-offs based on Google Maps, saddled with an extra layer of ads.

First discovered by ESET malware researcher Lukas Stefanko, the 19 apps he tested were navigation apps with over 1 million installs each, totaling a combined install base of more than 50 million. Sadly, despite claims that these apps can help users map their routes or include tools such as a compass or speedometer, every single app ended up relying on Google Maps or its related API to perform the real work.

The main difference between these knock-off apps and real Google Maps usually came down to a redesigned home screen with a tweaked or sometimes stolen UI that functioned as a way to serve up ads while also masking the fact that the app was really running off of Google’s data all along.

To make things a bit more concerning, a few of these Google Maps clones sometimes asked for permissions to access a device’s phone dialer and other services that a map app typically wouldn’t need, something that could pose a potential security risk.

What’s even more annoying is that despite a number of one-star reviews for these apps trying to alert other users that these Google Maps knock-offs weren’t legit, many still maintained overall ratings above 4 stars. Thankfully, it seems many of these apps are in violation of Google Maps’ terms of use, which generally state that customers are not allowed to re-distribute or create substitutes for Google Maps Core Services and pass them off as if they were something else.

Google Maps knock-offs like these often feature misleading screenshots or stolen UI elements to disguise that they are really running off Google Maps.
Screenshot: Sam Rutherford (Gizmodo)

Stefanko has since reported the 19 offending apps he found, and while some, like the one pictured above, are still available, others have already been removed from the Play Store.

In the end, the big takeaway from all this may be a reminder that there are only a handful of companies such as Google, Apple, Here, and a few others that actually have the capacity to gather highly detailed mapping info. So unless you really like a specific app’s special features like the crowdsourced alerts you get in Waze (which is owned by Google and relies on Google Maps for general location info), it’s probably best to just go straight to the source and use one of the big map apps instead.

[via Bleeping Computer]

via Gizmodo https://gizmodo.com

January 18, 2019 at 12:27PM


Sen. Marco Rubio wants to ban states from protecting consumer privacy

https://arstechnica.com/?p=1443415


Sen. Marco Rubio (R-Fla.) speaks to reporters following a closed briefing on intelligence matters on Capitol Hill on December 4, 2018 in Washington, DC.

Getty Images | Zach Gibson

US Sen. Marco Rubio (R-Fla.) has proposed a federal privacy law that would preempt tougher privacy rules issued by states.

Rubio’s announcement Wednesday said that his American Data Dissemination (ADD) Act “provides overdue transparency and accountability from the tech industry while ensuring that small businesses and startups are still able to innovate and compete in the digital marketplace.”

But Rubio’s bill establishes a process for creating rules instead of issuing specific rules right away, and it allows up to 27 months for Congress or the Federal Trade Commission to write the actual rules.

In addition, the bill text says it “shall supersede” any provision of a state law that pertains to the same consumer data governed by Rubio’s proposed federal law. That includes names, Social Security numbers, other government ID numbers, financial transactions, medical histories, criminal histories, employment histories, user-generated content, “unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation,” and other personal data collected by companies.

California last year imposed a privacy law that gives consumers more control over how their personal data is collected, used, and sold by corporations.

“We oppose any attempt to preempt California’s privacy laws,” Sarah Lovenheim, communications advisor to California Attorney General Xavier Becerra, wrote on Twitter yesterday.

Rubio’s bill based on 45-year-old law

Rubio’s bill wouldn’t do much to protect Americans’ data privacy, consumer advocacy group Public Knowledge said. The Rubio bill uses the Privacy Act of 1974 as its framework; the 1974 law applies to federal agencies, but Rubio’s bill would apply similar rules to the private sector.

“The 1974 Privacy Act is fundamentally a transparency and data accuracy law, designed well before the popularization of the Internet and cloud computing,” and not suited to today’s “constant stream of data breaches and scandals,” Public Knowledge Global Policy Director Gus Rossi said.

“It’s absurd that the bill would preempt state law and constrain the jurisdiction of specialized agencies like the FCC in exchange for very limited protections for consumers,” Rossi also said.

DOJ says 1974 law difficult to enforce

The Privacy Act of 1974 generally prohibits disclosure of data about an individual without that individual’s consent, but it contains various exceptions, and the Department of Justice says the law is difficult to interpret and enforce.

The Act “can generally be characterized as an omnibus ‘code of fair information practices’ that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies,” the DOJ says in an overview last updated in 2015. “However, the Act’s imprecise language, limited legislative history, and somewhat outdated regulatory guidelines have rendered it a difficult statute to decipher and apply.”

Despite the DOJ saying the law is confusing, Rubio argued in an op-ed for The Hill that the Privacy Act of 1974 is “widely considered one of the seminal pieces of privacy law in effect today.”

“Any national privacy law must provide clear, consistent protections that both consumers and companies can understand, and the FTC can enforce. That is why my bill leans heavily on the Privacy Act framework,” Rubio wrote.

Rubio’s bill would have the FTC establish a process in which individuals can contact companies to request access to their personal data. Companies would have to either provide the data to consumers or delete the data. If a company lets an individual view the data, the company would have to correct any mistakes if the person demonstrates that the records are “not accurate, relevant, timely, or complete.” Companies would only have to delete the data if they choose not to provide it to consumers upon consumers’ requests.

Upon requests from individuals, companies would also have to tell individuals about instances in which their records have been disclosed to other parties. The FTC would be responsible for enforcing the new rules under its authority to police unfair and deceptive acts or practices.

Rubio wrote that cumbersome regulations might “entrench large, incumbent corporations.”

“Facebook, Apple, Amazon, Netflix, Google (FAANG) and others would welcome cumbersome regulations that prevent start-ups and smaller competitors from challenging the FAANG’s current dominance,” he wrote.

Rubio’s bill instructs the FTC to “establish criteria for exempting certain small, newly formed covered providers from the requirements.”

Rubio justified his proposed preemption of state laws by writing that “a state-by-state patchwork of laws is simply not an effective means of dealing with an issue of this magnitude” and that “Internet data is unquestionably interstate commerce, and it is the responsibility of Congress to take appropriate action.”

Bill delays final rules for up to 27 months

Rubio’s bill would not impose privacy protections immediately upon passage. It would give the Federal Trade Commission six months to submit “detailed recommendations for privacy requirements” to Congress. Congress would have up to two years after the bill’s passage to issue actual privacy requirements. During that time, the FTC would not be able to issue final rules on its own.

If Congress fails to act within two years, the FTC would be authorized to act on its own and would be required to issue final regulations “not later than 27 months after” the bill is enacted.

Congressional Democrats recently proposed a much stricter privacy law, which could issue steep fines to companies and send their top executives to prison for up to 20 years if they violate Americans’ privacy.

via Ars Technica https://arstechnica.com

January 18, 2019 at 12:26PM


If Trump Told Cohen to Lie, Impeachment Is Coming

https://www.wired.com/story/trump-impeachment-mueller-cohen


As the government shutdown neared the one-month mark, the political landscape shifted under Washington’s feet Thursday night, dramatically and perhaps permanently altering the path of our nation’s politics. BuzzFeed’s duo of Russia probe reporters posted a blockbuster report that President Trump directed Michael Cohen to lie to Congress about the Trump Tower Moscow Project.

The allegation, which BuzzFeed sourced to two federal law enforcement officials, simultaneously adds new information to both the “collusion” and “obstruction” sides of the Russia probe. The idea that the President of the United States directed his personal attorney to lie to Congress about his attempt to complete a multi-hundred-million-dollar deal with Vladimir Putin in the midst of the presidential campaign is, in short, as big as it gets.

As senator Sheldon Whitehouse, a former prosecutor, laid out, the accusation at the core of the BuzzFeed report constitutes at least four potential felonies: “criminal obstruction of justice (18 U.S.C. 1505, 1512), subornation of perjury (18 U.S.C. 1622), conspiracy (18 U.S.C. 371) and likely aiding and abetting perjury (18 U.S.C. 2).” Those phrases also meant something specific to students of recent political history: Suborning perjury was part of the articles of impeachment that targeted both Richard Nixon and Bill Clinton.

While we’ll be unpacking the implications of the apparent revelation for days to come, there are six aspects of the new report which, if true, make clear the scale of the political peril facing the president as of Friday morning:

1. Mueller has the receipts. According to BuzzFeed, special counsel Robert Mueller’s investigators have more than Cohen’s word to support the claim. In fact, the lead originated instead with documents and witnesses inside the Trump Organization, a strong sign of how much visibility Mueller has into the private business world of Donald Trump pre-presidency.

Remember that Trump Organization chief financial officer Allen Weisselberg received immunity from prosecutors and is cooperating. To have both your company’s accountant and your personal fixer—Cohen—turn on you usually is criminally fatal. This report from BuzzFeed, as rich in detail as it is, probably represents just the tip of the iceberg of Mueller’s knowledge. Every single indictment and court filing from Mueller has been more detailed, more knowledgeable, and better informed than we imagined. And this is just one of at least 17 investigations targeting the president’s circle right now, run by at least seven different sets of prosecutors. The potential criminal liability remains enormous.

2. The politics just changed in a big way. Any investigation that targets the President of the United States is more a political question than a criminal question. The ultimate judge and jury would almost certainly be Congress or the voters, either in an impeachment trial or a reelection bid.


These allegations are about lying to Congress, which makes it harder for Congress to brush them away—and given the new Democratic majority in the House, they’re certainly not inclined to. Democratic congressmen were quick out of the gate hinting at the “I” word (which coincidentally also appears on the cover of the latest issue of The Atlantic, out yesterday). The chairman of the House Judiciary Committee, where impeachment articles would begin, moved further than he has before in discussing the seriousness of the accusation.

The allegation that the president is instructing people to lie to Congress cuts to the heart of its legitimacy as a co-equal branch of government. While they’ve so far seemingly ignored the fact that the president, aka Individual-1, is already an unindicted co-conspirator in Cohen’s campaign finance case, lying to Congress is the kind of violation that gets even staid institutionalists squawking.

3. The obstruction case could be much bigger than Comey. The BuzzFeed report also helps provide context to our evolving understanding of a potential obstruction of justice case focused on the president. Whereas we’ve tended to shorthand that area of the probe as focusing on the firing of FBI Director Jim Comey, it’s quite possible that Mueller won’t in the end focus on any single incident, but instead paint a broader picture of Trump’s apparent years-long effort to hide the truth of his dealings with Russia, during the campaign, the transition, and even into the White House.

We’ve known for some time that Mueller was interested in the cover-up of the June 2016 Trump Tower meeting, as well. As I mentioned in December, he has already pointed us to what worries him: “A specific line from the special counsel’s filing in Cohen’s case also jumps out: ‘By publicly presenting this false narrative, the defendant deliberately shifted the timeline of what had occurred in hopes of limiting the investigations into possible Russian interference in the 2016 US presidential election.’ It’s not hard to imagine that same line cut-and-pasted into a future obstruction case regarding Donald Trump’s personal handling of a false narrative put out by the White House after reports first surfaced of the June 2016 meeting at Trump Tower.”

If Cohen was conspiring with the president, after the fact, to cover up the Trump Tower Moscow project, that would alter the whole timeline of an obstruction case. It would no longer hinge on Trump’s thinking on the precise date in May 2017 when he fired Comey, but instead could point to a pattern of actions and behaviors over nearly three years—up to present day, potentially—that would be hard to explain away as constitutionally valid.

4. The president’s family is potentially in lots of legal trouble. The BuzzFeed report also says that Cohen kept the Trump children up to date on his plans, which was hinted at in the earlier court filings around Cohen’s guilty plea concerning his lies to Congress. We’ve long known that unnamed “executives” of the Trump Organization were involved in both the campaign finance conspiracy surrounding the hush money payments to Stormy Daniels, as well as the Moscow Trump Tower project. The most likely suspects have always been Trump’s children—the idea, after all, that the vaunted “Trump Organization” is anything more in day-to-day reality than a small family business has long been a fiction. It’s Donald Trump and his children. The BuzzFeed reporting now attaches names—Ivanka and Donald Jr.—to that suspicion, and shows that the president’s family and his innermost inner circle are almost certainly going to be wrapped up in the investigation in the days, weeks, or months ahead. That’s doubly true given that the House Intelligence Committee plans to hand over additional evidence to Mueller of other witnesses it suspects lied to Congress—a list that seems likely to include Donald Trump, Jr.

The president has brushed away other targets of Mueller’s probe as coffee boys, short-timers, or people he hardly knew. It’s tougher to do that if it’s your son or daughter, but not impossible given the president’s only casual affiliation to the truth.

5. Trump’s new attorney general already said it’s a crime. This week, attorney general nominee Bill Barr appears to have already boxed himself in. While much of the questioning around Barr focused on how, when, and what he might make public from a still-theoretical “Mueller Report,” senator Amy Klobuchar zeroed in on what Barr would consider troublesome behavior by the occupant of the White House: “The president persuading a person to commit perjury would be obstruction, is that right?” Barr’s answer was simple: “Yes.” Which is to say, two days before tentative evidence emerged that Trump allegedly did just that, his presumptively incoming attorney general said that behavior would surely represent a crime.

And remember, we again likely only know a fraction of the evidence Mueller could present about the president’s behavior at this point.

6. Trump’s defense team is rattled. Lastly, the president’s TV lawyer, Rudy Giuliani, tried unsuccessfully to move the goalposts of the investigation this week. After months of endlessly repeating the phrase “no collusion,” Giuliani tried to tell CNN’s Chris Cuomo that he’s only meant there was no personal collusion by the president himself—he can’t speak for the rest of the campaign: “I never said there was no collusion between the campaign, or people in the campaign. I said the President of the United States. There is not a single bit of evidence the President of the United States committed the only crime you can commit here, conspiring with the Russians to hack the DNC.”

Most of the umbrage at the absurdity of Giuliani’s statement focused on the first half, but the second half is almost more interesting from the standpoint of how the president’s potential defense is shaping up—evidently, that it would only be a crime if the president actively conspired in advance with Russian intelligence to attack and leak Democratic officials’ inboxes. Of course, that’s absurd. There are any number of crimes Donald Trump could have committed either before or after the DNC hack—and while we don’t know that there’s evidence of such crimes, it certainly seems like the president’s own defenders are worried evidence exists.

Putting it all together, unfortunately, we’re still left with this: The president should almost hope that Robert Mueller concludes he’s a Russian agent, because the alternative might be even worse. As I wrote earlier this week, a lifetime ago in this investigation given Thursday’s new bombshell, “We’ve reached a point in the Mueller probe where there are only two scenarios left: Either the president is compromised by the Russian government and has been working covertly to cooperate with Vladimir Putin after Russia helped win him the 2016 election—or Trump will go down in history as the world’s most famous ‘useful idiot,’ as communists used to call those who could be co-opted to the cause without realizing it.”

Thursday’s revelations—lending new weight to both the obstruction and collusion questions—make clear that the answer might be, simply, “Both, all of the above.”


Garrett M. Graff (@vermontgmg) is a contributing editor for WIRED and coauthor of Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat. He can be reached at garrett.graff@gmail.com.



via Wired Top Stories http://bit.ly/2uc60ci

January 18, 2019 at 10:51AM


Air Force gives 3D-printed rocket company Cape Canaveral launch pad

https://www.engadget.com/2019/01/17/relativity-cape-canaveral-air-force-launch-complex-16/



Relativity Space

Relativity Space, a startup that aspires to create 3D-printed rockets, has secured a launch pad at Cape Canaveral. The company announced Thursday a five-year agreement with the US Air Force that will allow the company to operate out of Launch Complex 16 (LC-16) at Cape Canaveral Air Force Station in Florida.

The startup is the fourth private company to be given access to LC-16, joining Elon Musk’s SpaceX, Jeff Bezos’ Blue Origin and the United Launch Alliance. By using the existing launch complex, Relativity Space believes it will save about four years that would have been required to build a launch pad from scratch, according to CNBC.

The company is aiming to launch its first payloads into low-Earth orbit by 2020. Its 3D-printed rocket, the Terran 1, is expected to be able to launch payloads of up to 2,700 pounds. Each launch will cost about $10 million, and Relativity Space already has over $1 billion in booked launches according to Axios.

It’s worth noting that Relativity Space CEO Tim Ellis was named by Vice President Mike Pence as a member of the National Space Council’s Users Advisory Group last year. Executives from SpaceX, Blue Origin and the United Launch Alliance are also members of the council.

via Engadget http://www.engadget.com

January 17, 2019 at 03:27PM


Google buys $40 million worth of smartwatch tech from Fossil Group

https://arstechnica.com/?p=1442839



Valentina Palladino

Wearables have brought Google and the fashion-focused Fossil Group closer together. Today, Fossil announced it will sell intellectual property related to smartwatch technology to Google in a deal worth $40 million. Upon news of the deal, Fossil Group shares jumped about 8 percent today.

Along with the IP, a section of Fossil’s research and development team focused on wearables will join Google. However, the announcement highlights Google and Fossil’s “shared investment in the wearable industry,” which likely means that this deal will not quell Fossil’s wearable efforts entirely. Fossil Group—which includes Diesel, Armani, Skagen, and Michael Kors—has launched smartwatches running Wear OS and hybrid smartwatches across 14 of its brands.

Greg McKelvey, Executive Vice President and Chief Strategy and Digital Officer at Fossil Group, said the following in a statement:

Fossil Group has experienced significant success in its wearables business by focusing on product design and development informed by our strong understanding of consumers’ needs and style preferences… We’ve built and advanced a technology that has the potential to improve upon our existing platform of smartwatches. Together with Google, our innovation partner, we’ll continue to unlock growth in wearables.

According to a report from Wareable, McKelvey stated the deal will bring about a “new product innovation that’s not yet hit the market.” This is reportedly based on technology that Fossil acquired from wearable company Misfit when it bought the startup for $260 million back in 2015.

All of Fossil’s digital-faced smartwatches run on Google’s Wear OS, so the two companies have already worked together for quite some time. But Fossil is one of many companies to develop “hybrid” smartwatches, most of which have analog faces and resemble traditional timepieces in most aesthetic ways.

However, they still have the internal tech necessary to track daily activity and sleep, as well as deliver smartphone alerts through vibrations, custom watch-hand movements, and other subtle techniques. These are features that Misfit devices already had when Fossil purchased the company. Some Misfit smartwatches and trackers even used side buttons to control smartwatch functions, like taking a photo with the phone’s camera or pausing music playback. While hybrid smartwatches don’t have touchscreen interfaces, run apps, or store music like Wear OS devices can, they excel in longevity by having battery lives that last months to years.

It’s possible that Google wants to look into the “hybrid” side of smartwatches. Google, strangely, hasn’t made its own Pixel smartwatch yet, so the company may want to see if and how it can incorporate some of Fossil’s technology into its next Google-made wearables.

Stacey Burr, Vice President of Product Management, Wear OS by Google said in a statement:

Wearables, built for wellness, simplicity, personalization and helpfulness, have the opportunity to improve lives by bringing users the information and insights they need quickly, at a glance. The addition of Fossil Group’s technology and team to Google demonstrates our commitment to the wearables industry by enabling a diverse portfolio of smartwatches and supporting the ever-evolving needs of the vitality-seeking, on-the-go consumer.

Embracing the “simplicity” of Fossil’s hybrid smartwatches could give Google an edge. The tech required to produce a hybrid smartwatch doesn’t need to be as advanced as that of a Wear OS device. Google may be able to grab the attention of those who don’t want full-fledged smartwatches (like Wear OS watches or the Apple Watch) but rather more traditional, fashion-forward devices with a few high-tech abilities.

Currently, the battle between Wear OS and watchOS appears to favor Apple’s OS. Wear OS has the advantage of many styles and price points thanks to OEMs on both the tech and fashion ends creating smartwatches that run the OS. But watchOS has the advantage of Apple-made chips, meaning the Watch isn’t held back by Qualcomm’s apparent disinterest in making competitive wearable SoCs.

The deal is set to be finalized later this month.

via Ars Technica https://arstechnica.com

January 17, 2019 at 03:31PM


Apple loses patent case appeal, owes VirnetX $440M in FaceTime dispute

https://arstechnica.com/?p=1442331


Group Facetime for up to 32 simultaneous participants, coming to iOS 12.1.

A federal appeals court has upheld a landmark patent judgment brought by VirnetX against Apple, affirming a $440 million judgment in a years-long patent dispute.

On Tuesday, the US Court of Appeals for the Federal Circuit denied Apple’s efforts to overturn a 2016 verdict that imposed $302 million in damages. That figure has since risen to encompass enhanced damages, interest, and more. Many would dub the Nevada-based VirnetX a “patent troll,” as it has no meaningful source of income outside of patent litigation.

Previously, a jury found that Apple’s VPN on Demand and FaceTime features infringed VirnetX patents. But the Patent Trial and Appeal Board has already invalidated VirnetX’s patents, which VirnetX is appealing.

Reuters noted Tuesday that Apple has vowed to appeal.

As Ars has previously reported, VirnetX had won three separate jury trials against Apple, all in the Eastern District of Texas, a longtime hotspot for patent-holding companies seeking to sue tech companies. The first was in 2012, when a jury awarded $368 million in damages and the judge granted an ongoing royalty of one percent. Both holdings were overturned on appeal, however.

In February 2016, the jury in a second trial sided with VirnetX in a $625 million verdict against Apple. But that verdict was thrown out by the trial’s judge, who didn’t approve of VirnetX lawyers’ references to the 2012 trial. A third trial was held in September 2016, and it resulted in a $302 million verdict, which is what the judge added to in his October 2017 judgment.

The case began way back in 2012 with four of VirnetX’s patents (1, 2, 3, 4), all of which originated at a company called Science Applications International Corporation, or SAIC.

via Ars Technica https://arstechnica.com

January 16, 2019 at 04:51PM


Monster 773 million-record breach list contains plaintext passwords

https://arstechnica.com/?p=1442517



Getty Images

Have I Been Pwned, the breach notification service that serves as a bellwether for the security of login credentials, has just gotten its hands on its biggest data haul ever—a list that includes almost 773 million unique email addresses and 21 million unique passwords that were used to log in to third-party sites.

According to Have I Been Pwned founder Troy Hunt in a post published Wednesday, the monster list is a compilation of many smaller lists taken from past breaches and has been in wide circulation over the past week. It was also posted to the MEGA file sharing site. At least one of the included breaches dated back to 2015. Dubbed “Collection #1,” the aggregated data was likely scraped together to serve as a master list that hackers could use in credential stuffing attacks. These attacks use automated scripts to inject credentials from one breached website into a different website in hopes the holders reused the same passwords.
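The credential-stuffing pattern described above has a recognisable shape in authentication logs: one source replays many different breached email:password pairs, so it touches many distinct accounts with only one or two attempts each and a high failure rate, unlike a brute-force run that hammers a single account. The detector below is an added example (not from the article or Have I Been Pwned); the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Flag credential-stuffing and brute-force sources in constructed auth-log lines.

Assumed log format (hypothetical): "<timestamp> src=<ip> user=<account> result=OK|FAIL".
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 replays many distinct accounts (stuffing, one hit),
# 198.51.100.9 hammers one account (brute force), 192.0.2.20 is a normal user.
SAMPLE_LOG = """\
2019-01-17T06:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2019-01-17T06:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2019-01-17T06:00:02Z src=203.0.113.5 user=carol@example.com result=FAIL
2019-01-17T06:00:03Z src=203.0.113.5 user=dave@example.com result=OK
2019-01-17T06:00:03Z src=203.0.113.5 user=erin@example.com result=FAIL
2019-01-17T06:00:04Z src=203.0.113.5 user=frank@example.com result=FAIL
2019-01-17T06:00:04Z src=203.0.113.5 user=grace@example.com result=FAIL
2019-01-17T06:00:05Z src=203.0.113.5 user=heidi@example.com result=FAIL
2019-01-17T06:01:10Z src=198.51.100.9 user=alice@example.com result=FAIL
2019-01-17T06:01:11Z src=198.51.100.9 user=alice@example.com result=FAIL
2019-01-17T06:01:12Z src=198.51.100.9 user=alice@example.com result=FAIL
2019-01-17T06:01:13Z src=198.51.100.9 user=alice@example.com result=FAIL
2019-01-17T06:01:14Z src=198.51.100.9 user=alice@example.com result=FAIL
2019-01-17T06:01:15Z src=198.51.100.9 user=alice@example.com result=FAIL
2019-01-17T06:02:00Z src=192.0.2.20 user=alice@example.com result=OK
2019-01-17T06:02:30Z src=192.0.2.20 user=bob@example.com result=FAIL
2019-01-17T06:02:35Z src=192.0.2.20 user=bob@example.com result=OK
this line is garbage and is skipped
"""


def parse_log(text):
    """Return a list of event dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_sources(events):
    """Per source IP: attempt count, failures, successes, distinct users, users hit."""
    stats = {}
    for ev in events:
        s = stats.setdefault(
            ev["src"], {"attempts": 0, "fail": 0, "ok": 0, "users": set(), "hits": set()}
        )
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "OK":
            s["ok"] += 1
            s["hits"].add(ev["user"])  # a success inside a stuffing run is a reused password
        else:
            s["fail"] += 1
    return stats


def classify_sources(events, min_users=5, min_attempts=5, fail_ratio=0.6, max_per_user=2.0):
    """Label each source 'credential-stuffing', 'brute-force' or 'normal'.

    Stuffing: many distinct accounts, few attempts per account, mostly failures.
    Brute force: one account, mostly failures. Thresholds are assumptions.
    """
    verdicts = {}
    for src, s in summarize_sources(events).items():
        if s["attempts"] < min_attempts:
            verdicts[src] = "normal"
            continue
        ratio = s["fail"] / s["attempts"]
        per_user = s["attempts"] / len(s["users"])
        if len(s["users"]) >= min_users and ratio >= fail_ratio and per_user <= max_per_user:
            verdicts[src] = "credential-stuffing"
        elif len(s["users"]) == 1 and ratio >= fail_ratio:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "normal"
    return verdicts


def compromised_accounts(events, **thresholds):
    """Accounts that authenticated successfully from a stuffing source: reset candidates."""
    verdicts = classify_sources(events, **thresholds)
    stats = summarize_sources(events)
    return sorted(
        user
        for src, verdict in verdicts.items()
        if verdict == "credential-stuffing"
        for user in stats[src]["hits"]
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(classify_sources(evs))
    print("reset:", compromised_accounts(evs))
```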

The 773 million email addresses and 21 million passwords easily beat Have I Been Pwned’s previous record breach notification that contained 711 million records. But there are other things that make this latest installment stand out. In all, it contains 1.16 billion email-password combinations. That means that the list covers the same people multiple times, but in many cases with different passwords. Also significant: the list—contained in 12,000 separate files that take up more than 87 gigabytes of disk space—has 2.69 billion rows, many of which contain duplicate entries that Hunt had to clean up.

About 663 million of the addresses have been listed in previous Have I Been Pwned notifications, meaning 140 million of the addresses have never been seen by the service before. Hunt said that some of his own credentials were included in Wednesday’s notification, although none were currently in use. Have I Been Pwned has now begun the non-trivial task of emailing more than 768,000 individuals who signed up for notifications and nearly 40,000 people who monitor domains. Anyone who hasn’t signed up can still check the status of an email address here.

A little reminder

“People will receive notifications or browse to the site and find themselves there and it will be one more little reminder about how our personal data is misused,” Hunt wrote. “If—like me—you’re in that list, people who are intent on breaking into your online accounts are circulating it between themselves and looking to take advantage of any shortcuts you may be taking with your online security.”

Hunt said that one of the questions he gets asked the most is if he will divulge the password that accompanied the email address in a breach. He has steadfastly refused for a variety of good reasons. First, a lookup service that pairs user names and passwords would undoubtedly make his service a major target of hackers. It would also require him to store passwords in clear text, which is something no site should ever do. Have I Been Pwned does allow people to use this page to check if a specific text string has ever shown up in a breach notification, but for obvious reasons, it decouples the password from the email addresses that used it.
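The two preceding passages describe the cleanup Hunt did on Collection #1 (raw rows deduplicated down to unique email:password pairs, unique addresses and unique passwords) and the rule that a lookup service must never keep plaintext passwords tied to addresses. The script below walks through both on a constructed list: it normalises and dedupes rows, reports the three counts, then keeps only a SHA-1-keyed count of how many accounts used each password, so the stored index can answer "has this password been seen" without being able to say whose it was. Added example, not Have I Been Pwned's code; the rows, the ':' separator and the choice of SHA-1 are assumptions.

```python
"""Ingest a constructed breach combo list and build a hash-only password index."""
import hashlib
from collections import Counter

# Constructed rows imitating a combo-list file: duplicates, mixed case,
# stray whitespace and one malformed row are deliberate.
RAW_ROWS = [
    "alice@example.com:hunter2",
    "Alice@Example.com:hunter2",          # same account, same password -> duplicate
    "alice@example.com:correct horse",    # same account, different password
    "bob@example.com:hunter2",
    " bob@example.com:hunter2 ",          # duplicate with whitespace
    "carol@example.com:P@ssw0rd!",
    "not-an-email-line",                  # malformed, dropped
    "dave@example.com:hunter2",
]


def normalize(row):
    """Return (email, password) with the address lower-cased, or None if unusable."""
    row = row.strip()
    if ":" not in row:
        return None
    email, password = row.split(":", 1)  # passwords may themselves contain ':'
    email = email.strip().lower()
    if "@" not in email or not password:
        return None
    return email, password


def load_combo_list(rows):
    """Dedupe rows into a set of unique (email, password) pairs; count dropped rows."""
    pairs, dropped = set(), 0
    for row in rows:
        n = normalize(row)
        if n is None:
            dropped += 1
        else:
            pairs.add(n)
    return pairs, dropped


def stats(pairs):
    """The three figures the article quotes for Collection #1, for this list."""
    return {
        "pairs": len(pairs),
        "emails": len({e for e, _ in pairs}),
        "passwords": len({p for _, p in pairs}),
    }


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_password_index(pairs):
    """Map SHA-1(password) -> number of distinct accounts that used it.

    The email side is discarded, so the artifact never stores a plaintext
    password next to the address that used it.
    """
    return dict(Counter(sha1_hex(p) for _, p in pairs))


def password_seen(index, candidate):
    """How many breached accounts used this password (0 if never seen)."""
    return index.get(sha1_hex(candidate), 0)


if __name__ == "__main__":
    unique_pairs, bad = load_combo_list(RAW_ROWS)
    print(stats(unique_pairs), "dropped:", bad)
    index = build_password_index(unique_pairs)
    for candidate in ("hunter2", "zebra"):
        print(candidate, "seen in", password_seen(index, candidate), "accounts")
```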

There’s no doubt Collection #1 is huge, but it can’t be precisely compared to other massive breaches. It’s tempting to compare it to hacks of Yahoo in 2013 and again in 2014 that compromised 3 billion and 500 million accounts respectively, a hack in 2016 that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder, and the breach of Equifax that allowed hackers to steal data belonging to 147.9 million consumers. But that’s in many respects an apples-to-oranges comparison, because Collection #1 was seeded by many smaller breaches, many of which were likely already disclosed.

That’s not to say Collection #1 isn’t significant. Despite its recycling of previously breached credentials, the widely available megalist no doubt makes it easier than ever for even unskilled miscreants to capitalize on the bevy of breaches that have occurred over the past decade.

The most effective thing people can do to secure their online accounts is to ensure that each one is protected by a long, randomly generated password that’s unique to each account. For most people, this means using a reputable password manager, although many security experts (including Hunt) say an old-fashioned notebook will work. The second most important thing people can do is to use multi-factor authentication on every site that allows it. Hunt has more advice about passwords here.

via Ars Technica https://arstechnica.com

January 17, 2019 at 06:59AM
