California Becomes First State With an IoT Cybersecurity Law

Slashdot - Your Rights Online - Sat, 2018-09-29 15:00
An anonymous reader quotes a report from The Verge: California Governor Jerry Brown has signed a cybersecurity law covering "smart" devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August. Starting on January 1st, 2020, any manufacturer of a device that connects "directly or indirectly" to the internet must equip it with "reasonable" security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.

Read more of this story at Slashdot.

Elon Musk Pulled Out of Settlement With SEC At Last Minute

Slashdot - Your Rights Online - Sat, 2018-09-29 03:00
Sources have shared some new details with CNBC relating to the recent SEC charges against Tesla CEO Elon Musk. Yesterday, U.S. securities regulators sued Musk for allegedly making false statements related to his abandoned efforts to take Tesla Motors private. Now, according to CNBC, Tesla and the SEC were close to a no-guilt settlement, but Elon Musk pulled out at the last minute. From the report: Under the deal, Musk and Tesla would have had to pay a nominal fine, and the CEO would not have had to admit any guilt, the sources said. However, the settlement would have barred Musk as chairman for two years and would have required Tesla to appoint two new independent directors, CNBC's David Faber reported, citing sources. Musk refused to sign the deal because he felt that by settling he would not be truthful to himself, and he wouldn't have been able to live with the idea that he agreed to accept a settlement and any blemish associated with that, the sources said. Musk called the SEC's allegations "unjustified" and said that he acted in the best interests of investors. "Tesla and the board of directors are fully confident in Elon, his integrity, and his leadership of the company, which has resulted in the most successful U.S. auto company in over a century. Our focus remains on the continued ramp of Model 3 production and delivering for our customers, shareholders and employees," said Tesla's board of directors in a statement.

Facebook Faces Class-Action Lawsuit Over Massive New Hack

Slashdot - Your Rights Online - Sat, 2018-09-29 02:20
Following the revelations this morning that a hacker exploited a security flaw in a popular feature of Facebook to steal account credentials of as many as 50 million users, a class-action lawsuit has been filed on behalf of one California resident, Carla Echavarria, and one Virginia resident, Derick Walker. "Both allege that Facebook's lack of proper security has exposed them and additional potential class members to a significantly increased chance of identity theft as a result of the breach," reports The Verge. From the report: The lawsuit was filed today in U.S. District Court for the Northern District of California. The complaint alleges Facebook is guilty of unlawful business practices, deceit by concealment, negligence, and violations of California's Customer Records Act. The plaintiffs want statutory damages and penalties awarded to them and other class members, as well as the provision of credit monitoring services, punitive damages, and the coverage of attorneys' fees and expenses. Although Facebook says it has fixed the issue that resulted in the breach, it still has little to no information to provide on who is behind the attack or when the attack even occurred. As it stands, in addition to this new lawsuit, Facebook is facing pressure from the New York State Attorney General Barbara Underwood, who announced on Twitter this afternoon that, "We're looking into Facebook's massive data breach. New Yorkers deserve to know that their information will be protected." Federal Trade Commissioner Rohit Chopra had a terse public reaction, releasing a simple three-line tweet reading, "I want answers." In addition to Underwood and Chopra, Sen. Mark R. Warner (D-VA) released a statement describing the hack as "deeply concerning" and calling for a full investigation.

US Government Loses Bid To Force Facebook To Wiretap Messenger Calls

Slashdot - Your Rights Online - Sat, 2018-09-29 01:40
An anonymous reader quotes a report from TechCrunch: U.S. government investigators have lost a case to force Facebook to wiretap calls made over its Messenger app. A joint federal and state law enforcement effort investigating the MS-13 gang had pushed a district court to hold the social networking giant in contempt of court for refusing to permit real-time listening in on voice calls. According to sources speaking to Reuters, the judge later ruled in Facebook's favor -- although, because the case remains under seal, it's not known for what reason. The case, filed in a Fresno, Calif. district court, centers on alleged gang members accused of murder and other crimes. The government had been pushing to prosecute 16 suspected gang members, but are said to have leaned on Facebook to obtain further evidence.

iPhone XS Passcode Bypass Hack Exposes Contacts, Photos

Slashdot - Your Rights Online - Sat, 2018-09-29 00:20
secwatcher shares a report from Threatpost: A passcode bypass vulnerability in Apple's new iOS version 12 could allow an attacker to access photos and contacts (including phone numbers and emails) on a locked iPhone. The hack allows someone with physical access to a vulnerable iPhone to sidestep the passcode authorization screen on iPhones running Apple's latest iOS 12 beta and iOS 12 operating systems. Threatpost was tipped off to the bypass by Jose Rodriguez, who describes himself as an Apple enthusiast and "office clerk" based in Spain who has also found previous iPhone hacks. Rodriguez posted a video of the bypass on his YouTube channel under the YouTube account Videosdebarraquito, where he walks viewers through a complicated 37-step bypass process in Spanish. Threatpost has independently confirmed that the bypass works on a number of different iPhone models including Apple's newest model iPhone XS. The process involves tricking Siri and Apple's accessibility feature in iOS called VoiceOver to sidestep the device's passcode. The attack works provided the attacker has physical access to a device that has Siri enabled and Face ID either turned off or physically covered (by tape, for instance).

Google CEO Will Testify Before US House on Bias Accusations

Slashdot - Your Rights Online - Fri, 2018-09-28 22:55
Google CEO Sundar Pichai has agreed to testify before the House Judiciary Committee in November, following the midterm elections. He met with House Majority Leader Kevin McCarthy and other senior Republicans Friday to discuss accusations that Google is biased against conservatives (a charge the company has denied). From a report: "I think we've really shown that there is bias, which is human nature, but you have to have transparency and fairness," McCarthy said. "As big tech's business grows, we have not had enough transparency and that has led to an erosion of trust and, perhaps worse, harm to consumers." Alphabet's Google unit has repeatedly denied accusations of bias against conservatives. Pichai left the meeting without comment. Pichai wrote in an internal email last week that suggestions that Google would interfere in search results for political reasons were "absolutely false. We do not bias our products to favor any political agenda." [...] Asked if Republicans will push to break up Google, McCarthy said: "I don't see that." He said the hearing will look at privacy, bias issues, China and other matters.

Green Bay Packers and Microsoft Win Domain Name Fight After Family Sought Cash, Tickets and Tablets

Slashdot - Your Rights Online - Fri, 2018-09-28 16:45
theodp writes: Last fall, Microsoft and the Green Bay Packers announced a $10 million partnership to build TitletownTech, "an innovation center focused on developing and advancing scalable, technology-enabled ventures," which aims to bring an economic boost to the area near Lambeau Field (Microsoft President Brad Smith hails from the region). Unfortunately for them, they failed to secure their venture's namesake domain name ahead of time. GeekWire reports on the fate of a Wisconsin family that was sitting on the coveted titletowntech.com domain name and offered to give it up in exchange for $750,000 cash, 8 lifetime Packers season tickets, 2 parking passes, and 8 Microsoft Surface Pro tablets (with lifetime MS-Office licenses). The family said the admittedly-ridiculous demand wasn't meant to be taken seriously but was intended to send a message after they received a suspicious $5,000 buyout offer from an anonymous "service" that the Packers engaged to try to recover the fumbled domain. Not amused, Green Bay Packers, Inc. flexed its legal muscle, filing a domain dispute complaint with the World Intellectual Property Organization (WIPO), which ordered the disputed domain name to be transferred to the team shortly after the USPTO issued a Notice of Allowance to the NFL team for a trademark on TitletownTech, leaving the Wisconsin family with zilch. And so the old titletowntech.com ("TitleTown Tech Solutions") was just a bad memory by the time Microsoft returned to Green Bay last week to give an update on the joint venture, including the news that Microsoft will play a key role in the leadership team at TitletownTech, which will also house its TEALS program employees. [...] And as for the domain name, the NFL franchise with more titles than any other team ultimately did what it has done for years -- win.

Delta's Fully Biometric Terminal Is the First In the US

Slashdot - Your Rights Online - Fri, 2018-09-28 12:00
In what Delta is calling the first "biometric terminal" in the country, the airline will reportedly use facial recognition at check-in, security and boarding inside the international terminal at Atlanta's Hartsfield-Jackson airport. Engadget reports: Passengers who want to use facial recognition can approach a kiosk in the lobby and click "Look," or approach a camera at the ticket counter, TSA checkpoint or when boarding. Once a green check mark flashes on the screen, they can proceed. Delta -- which plans to bring fingerprint scanning into the fold, too -- says passengers can use this system instead of passports to get through these checkpoints, but you'll still need your passport for use in other non-biometric-equipped airports (although maybe one day we'll do away with passports altogether). Privacy advocates are concerned about the security risks present in facial scans, especially as it's an opt-out process. Others, however, say it makes air travel a more streamlined process.

Face Scanning In US Airports Is Rife With Technical Problems

Slashdot - Your Rights Online - Fri, 2018-09-28 02:20
Homeland Security's Inspector General has issued a report warning that its airport face scanning system is struggling with "technical and operational challenges." The report says that Customs and Border Protection "could only use the technology with 85 percent of passengers due to staff shortages, network problems and hastened boarding times during flight delays," reports Engadget. "The system did catch 1,300 people overstaying their allowed time in the U.S., but it might have caught more -- and there were problems 'consistently' matching people from specific age groups and countries." From the report: The watchdog also pointed out uncertainty about help from airlines, such as requiring them to buy the cameras needed for taking passengers' photos. That represents a "significant point failure" for the face scanning system, the Inspector General said. As a result, the oversight body warned that Homeland Security might not make its target of having the face scanning system completely ready for use in the top 20 US airports by 2021.

Alphabet Launches VirusTotal Enterprise

Slashdot - Your Rights Online - Fri, 2018-09-28 01:00
Google launched today a new set of services for enterprise customers of VirusTotal, a website that lets users test suspicious files and URLs against an aggregate of multiple antivirus scanning engines at the same time. From a report: This collection of new tools is part of the new VirusTotal Enterprise service, which Google described as "the most significant upgrade in VirusTotal's 14-year history." As the name implies, this new service is specifically aimed at enterprise customers and is an expansion of VirusTotal's current Premium Services. Google says VirusTotal Enterprise consists of existing VirusTotal capabilities, but also new functionality, such as improved threat detection and a faster search system that uses a brand new interface that unifies capabilities in VirusTotal's free and paid sites. "VirusTotal Enterprise allows users to search for malware samples (using VT Intelligence), hunt for future malware samples (using VT Hunt with YARA), analyze malware relationships (using VT Graph), and automate all these tasks with our API," Google said.

SEC Charges Elon Musk With Fraud Over His Statements To Take Tesla Private

Slashdot - Your Rights Online - Thu, 2018-09-27 22:24
U.S. securities regulators have sued Elon Musk for allegedly making false statements related to his abandoned efforts to take Tesla Motors private. Bloomberg News broke the news Thursday, citing a docket entry in Manhattan federal court. Last month, Musk had expressed his intention to take Tesla private and said that he had secured the funding. Taking Tesla private, which would have helped the company avoid making short-term commitments and goals, would be the "best path forward," Musk had said at the time. Even as investors had shown agreement with Musk's move, a few days later he announced that, after further discussions, everyone believed that Tesla should remain public. Amid all of this, some argued that Musk made the "false" claim just to hurt short-sellers. From the lawsuit: This case involves a series of false and misleading statements made by Elon Musk, the Chief Executive Officer of Tesla, Inc. ("Tesla"), on August 7, 2018, regarding taking Tesla, a publicly traded company, private. Musk's statements, disseminated via Twitter, falsely indicated that, should he so choose, it was virtually certain that he could take Tesla private at a purchase price that reflected a substantial premium over Tesla stock's then-current share price, that funding for this multi-billion dollar transaction had been secured, and that the only contingency was a shareholder vote. In truth and in fact, Musk had not even discussed, much less confirmed, key deal terms, including price, with any potential funding source. During a press conference, Stephanie Avakian, co-director of the SEC's division of enforcement, said: A chairman and CEO of a public company has important responsibilities to shareholders. Those responsibilities include the need to be scrupulous and careful about the truth and accuracy of statements made to the investing public, whether those statements are made in traditional forms such as a press release or an earnings call or through less formal methods such as Twitter or other social media. Neither celebrity status nor reputation as a technological innovator provides an exemption from the federal securities laws. In a statement to CNBC, Musk said, "This unjustified action by the SEC leaves me deeply saddened and disappointed. I have always taken action in the best interests of truth, transparency and investors. Integrity is the most important value in my life and the facts will show I never compromised this in any way."

Mobile Websites Can Tap Into Your Phone's Sensors Without Asking

Slashdot - Your Rights Online - Thu, 2018-09-27 21:30
When apps want to access data from your smartphone's motion or light sensors, they often make that capability clear. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that the rules don't apply to websites loaded in mobile browsers, which can often access an array of device sensors without any notifications or permissions whatsoever. From a report: That mobile browsers offer developers access to sensors isn't necessarily problematic on its own. It's what helps those services automatically adjust their layout, for example, when you switch your phone's orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers -- Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University -- found that the standards allow for unfettered access to certain sensors. And sites are using it. The researchers found that of the top 100,000 sites -- as ranked by Amazon-owned analytics company Alexa -- 3,695 incorporate scripts that tap into one or more of these accessible mobile sensors. That includes plenty of big names, including Wayfair, Priceline.com, and Kayak.

Voting Machine Used in Half of US Is Vulnerable to Attack, Report Finds

Slashdot - Your Rights Online - Thu, 2018-09-27 20:20
Election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack, WSJ reported, citing a report which will be made public Thursday on Capitol Hill. From the report: The issue was found in the widely used Model 650 high-speed ballot-counting machine made by Election Systems & Software LLC, the nation's leading manufacturer of election equipment. It is one of about seven security problems in several models of voting equipment described in the report, which is based on research conducted last month at the Def Con hacker conference. The flaw in the ES&S machine stood out because it was detailed in a security report commissioned by Ohio's secretary of state in 2007, said Harri Hursti, an election-security researcher who co-wrote both the Ohio and Def Con reports. "There has been more than plenty of time to fix it," he said. While the Model 650 is still being sold on the ES&S website, a company spokeswoman said it stopped manufacturing the systems in 2008. The machine doesn't have the advanced security features of more-modern systems, but ES&S believes "the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real world environment," the spokeswoman said via email. The machines process paper ballots and can therefore be reliably audited, she said. The Def Con report is the latest warning from researchers, academics and government officials who say election systems in the U.S. are at risk of tampering.

Uber Settles Data Breach Investigation For $148 Million

Slashdot - Your Rights Online - Thu, 2018-09-27 00:03
An anonymous reader quotes a report from The New York Times: Uber will pay $148 million to settle a nationwide investigation into a 2016 data breach (Warning: source may be paywalled; alternative source), in which a hacker managed to gain access to information belonging to 57 million riders and drivers. The breach included names and driver's license numbers for 600,000 drivers. Rather than disclosing the breach when it occurred, Uber paid the hacker $100,000 through its bug bounty program. [...] The ride-hailing company persuaded him to delete the data and stay quiet about it with a nondisclosure agreement. The incident became public a year later when Uber's chief executive, Dara Khosrowshahi, announced it as a "failure" and fired the two employees who had signed off on the payment. Tony West, Uber's chief legal officer, said the settlement was part of a larger effort inside Uber to remake the company's image. He said the company had recently hired a chief privacy officer and a chief trust and security officer. The $148 million settlement announced Wednesday will be divided among all 50 states and the District of Columbia. "Companies in California and throughout the nation are entrusted with customers' valuable private information," Xavier Becerra, California's attorney general, said. "This settlement broadcasts to all of them that we will hold them accountable to protect that data."

Mozilla Rolls Out Recovery Key Option For Firefox Accounts

Slashdot - Your Rights Online - Wed, 2018-09-26 23:25
Mozilla announced today a new recovery option for Firefox Accounts, the user system included inside the Firefox browser. ZDNet: Starting today, users can generate a one-time recovery key that will be associated with their account, and which they can use to regain access to Firefox data if they ever forget their passwords. Firefox Accounts is included with all recent versions of the Firefox browser. Most users are familiar with it because of Firefox Sync, the system that synchronizes Firefox data such as passwords, browsing history, open tabs, bookmarks, installed add-ons, and general browser options between multiple Firefox instances. But while Sync does the actual synchronization, Firefox Accounts is at the core of Sync and is the system that manages the identities of Firefox users. Sync works by taking a user's Firefox account password and encrypting the user's browser data on the local computer.

Ex-Google Employee Warns of 'Disturbing' China Plans

Slashdot - Your Rights Online - Wed, 2018-09-26 22:45
A former Google employee has warned of the firm's "disturbing" plans in China, in a letter to US lawmakers. BBC: Jack Poulson, who had been a senior researcher at the company until resigning in August, wrote that he was fearful of Google's ambitions. His letter alleges Google's work on a Chinese product -- codenamed Dragonfly -- would aid Beijing's efforts to censor and monitor its citizens online. Google has said its work in China to date has been "exploratory." Ben Gomes, Google's head of search, told the BBC earlier this week: "Right now all we've done is some exploration, but since we don't have any plans to launch something there's nothing much I can say about it." A report by news site The Intercept last week alleged Google had demanded employees delete an internal memo that discussed the plans. Google has not commented on the staff row, but said: "We've been investing for many years to help Chinese users, from developing Android, through mobile apps such as Google Translate and Files Go, and our developer tools." It added: "We are not close to launching a search product in China." Mr Poulson's letter details several aspects of Google's work that had been reported in the press but never officially confirmed by the company. It was submitted to the Senate Commerce Committee, which held a hearing on Wednesday in Washington DC. Google's chief privacy officer, Keith Enright, faced questions from Senator Ted Cruz about the company's intentions to launch a new search engine in China. He confirmed the existence of the project.

Facebook Is Giving Advertisers Access To Your Shadow Contact Information

Slashdot - Your Rights Online - Wed, 2018-09-26 22:00
Kashmir Hill, reporting for Gizmodo: Last week, I ran an ad on Facebook targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn't work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove's office, a number Mislove has never provided to Facebook. He saw the ad within hours. One of the many ways that ads get in front of your eyeballs on Facebook and Instagram is that the social networking giant lets an advertiser upload a list of phone numbers or email addresses it has on file; it will then put an ad in front of accounts associated with that contact information. A clothing retailer can put an ad for a dress in the Instagram feeds of women who have purchased from them before, a politician can place Facebook ads in front of anyone on his mailing list, or a casino can offer deals to the email addresses of people suspected of having a gambling addiction. Facebook calls this a "custom audience." You might assume that you could go to your Facebook profile and look at your "contact and basic info" page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it's going about it in a less transparent and more invasive way. [...] Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University, along with Elena Lucherini of Princeton University, did a series of tests that involved handing contact information over to Facebook for a group of test accounts in different ways and then seeing whether that information could be used by an advertiser. They came up with a novel way to detect whether that information became available to advertisers by looking at the stats provided by Facebook about the size of an audience after contact information is uploaded. They go into this at greater length and in more technical detail in their paper [PDF]. They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user's account, that phone number became targetable by an advertiser within a couple of weeks. Officially, Facebook denies the existence of shadow profiles. In a hearing with the House Energy & Commerce Committee earlier this year, when New Mexico Representative Ben Lujan asked Facebook CEO Mark Zuckerberg if he was aware of the so-called practice of building "shadow profiles", Zuckerberg denied knowledge of it.

In Senate Hearing, Tech Giants Push Lawmakers For Federal Privacy Rules

Slashdot - Your Rights Online - Wed, 2018-09-26 19:35
Another day, another hearing of tech giants in Congress. Wednesday's hearing at the Senate Commerce Committee with Apple, Amazon, Google and Twitter, alongside AT&T and Charter, marked the latest in a string of hearings in the past few months into all things tech: but mostly controversies embroiling the companies, from election meddling to transparency. This time, privacy was at the top of the agenda. The problem, lawmakers say, is that consumers have little of it. From a report: The hearing said that the U.S. was lagging behind Europe's new GDPR privacy rules and California's recently passed privacy law, which goes into effect in 2020, and lawmakers were edging toward introducing their own federal privacy law. AT&T, Apple, Charter and Google used their time in the Senate to call on lawmakers to introduce new federal privacy legislation. Tech companies spent the past year pushing back against the new state regulations, but have conceded that new privacy rules are inevitable. Now the companies realize that it's better to sit at the table to influence a federal privacy law than stand outside in the cold. In pushing for a new federal law, representatives from each company confirmed that they support the preemption of California's new rules -- something that critics oppose. AT&T's chief lawyer Len Cali said that a patchwork of state laws would be unworkable. Apple, too, agreed to support a privacy law, but noted as a company that doesn't hoard user data for advertising -- like Facebook and Google -- that any federal law would need to put a premium on protecting the consumer rather than helping companies make money. But Amazon's chief lawyer Andrew DeVore said that complying with privacy rules has "required us to divert significant resources to administrative tasks and away from invention."

India's Top Court Refuses To Scrap Aadhaar, the World's Largest Biometric ID Database

Slashdot - Your Rights Online - Wed, 2018-09-26 18:40
India's top court refused to scrap Aadhaar, the world's largest biometric database, in a ruling announced Wednesday, upholding the validity of the sprawling digital-identity program but also imposing some restrictions on its use and proliferation. Huffington Post reports: The majority judgement of the court read down Section 57 of the Aadhaar Act of 2016, holding that private companies cannot insist on Aadhaar numbers from citizens to provide services. The court upheld the validity of linking Aadhaar to PAN cards, suggesting that -- should the government wish it -- anyone who pays income tax will have to have an Aadhaar number anyway. However, the court held that the linking of Aadhaar numbers to bank accounts, as mandated by an amendment to the Prevention of Money Laundering Act of 2002, was unconstitutional. The court also held that educational institutions and bodies like the Central Board for Secondary Education (CBSE) and University Grants Commission (UGC), and schools and colleges, cannot ask for Aadhaar details of potential candidates. Chief Justice of India Dipak Misra, and Justices AK Sikri and AM Khanwilkar delivered a concurrent majority judgement, while Justices DY Chandrachud and Ashok Bhushan delivered separate opinions. The majority judgement, read out in a packed courthouse by Justice Sikri, relied heavily on the court's landmark 2017 Privacy judgement. "Today the Supreme Court has passed a historic judgement on Aadhaar," said Supreme Court Advocate Prashant Bhushan. "They have held several parts of the Aadhaar act to be unconstitutional." The court's decision restricting private companies from demanding Aadhaar numbers, Bhushan said, would come as a relief. The ruling could come as a blow for local companies -- like Jio and Paytm -- that rely heavily (or even exclusively) on technologies such as Aadhaar's eKYC (an Aadhaar-enabled Know Your Customer service) to grow their customer base, analysts say.

Password Managers Can Be Tricked Into Believing That Malicious Android Apps Are Legitimate

Slashdot - Your Rights Online - Wed, 2018-09-26 18:00
A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios. From a report: The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps. What the research team found was that password managers, initially developed for desktop browsers, aren't as secure as their desktop versions. The problem comes from the fact that mobile password managers have a hard time associating a user's stored website credentials with a mobile application and then creating a link between that website and an official app. [...] Researchers say they tested the way five Android password managers create internal maps (connections) between a locally installed app and legitimate internet sites and found that four of the five were vulnerable to abuse. Android versions of password managers from Keeper, Dashlane, LastPass, and 1Password were found to be vulnerable and prompted the user to auto-fill credentials on fake apps during tests. Researchers found that Google's Smart Lock app did not fall for this fake package name trick, and the reason was that it used a system named Digital Asset Links to authenticate and connect apps to a particular online service.
