Top-selling handgun safe can be remotely opened in seconds—no PIN needed

One of Amazon’s top-selling electronic gun safes contains a critical vulnerability that allows it to be opened by virtually anyone, even when they don’t know the password. The Vaultek VT20i handgun safe, ranked fourth in Amazon’s gun safes and cabinets category, allows owners to electronically open the door using a Bluetooth-enabled smartphone app. The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how. As the video demonstration below shows, researchers with security firm Two Six Labs were able to open a VT20i safe in a matter of seconds by using their MacBook Pro to send specially designed Bluetooth data while it was in range. The feat required no knowledge of the unlock PIN or any advanced scanning of the vulnerable safe. The hack works reliably even when the PIN is changed. All that’s required to make it work is that the safe have Bluetooth connectivity turned on.


Updating macOS can bring back the nasty “root” security bug

The serious and surprising root security bug in macOS High Sierra is back for some users, shortly after Apple declared it fixed. Users who had not installed macOS 10.13.1, and thus were running a prior version of the OS when they received the security update, found that installing 10.13.1 resurfaced the bug, according to a report from Wired. For these users, the security update can be installed again (in fact, it would be automatically installed at some point) after updating to the new version of the operating system. However, the bug is not fixed in that case until the user reboots the computer. Many users do not reboot their computers for days or even weeks at a time, and Apple’s support documentation did not at first inform users that they needed to reboot, so some people may have been left vulnerable without realizing it. The documentation has now been updated with the reboot step. The root bug allows anyone to log in or authenticate as a system administrator on systems running macOS High Sierra by simply typing in the username “root” and leaving the password field blank, in many circumstances. It was a serious bug that drew an uncharacteristically strong apology from Apple, which said its “customers deserve better.”


macOS High Sierra bug allows full admin access without a password

If you’re using Apple’s latest macOS High Sierra, you’ll want to be wary of giving people access to your computer. Initially tweeted by developer Lemi Orhan Ergin, there’s a super-easy exploit that can give anyone admin (or root) rights to your Mac. Engadget has confirmed that you can gain root access in the login screen, the System Preferences Users & Groups tab and File Vault with this method. All you need to do is enter “root” into the username field, leave the password blank, and hit Enter a few times. Needless to say, this is some scary stuff. Root access allows someone to access your machine as a “superuser” with read and write privileges to many more system files, including those in other macOS accounts. Luckily, the fix is fairly easy. As developer Colourmeamused tweeted, you need to set a root password: Everyone with a Mac needs to set a root password NOW. As a user with admin access, type the following command from the Terminal. sudo passwd -u root Enter your password then a new password for the root user. Anyone got a better fix? @SwiftOnSecurity @rotophonic @pwnallthethings — colourmeamused (@colourmeamused_) November 28, 2017 Engadget has confirmed that this will secure your macOS High Sierra machine, and keep people from gaining root access as above. We’ve reached out to Apple and will update this post when we hear back. Via: The Register Source: Lemi Orhan Ergin (Twitter), Colourmeamused (Twitter)


Plex Hacked, Change Your Password Now

If you use the Plex media server for your movie and TV library, you’ll need to change your password this morning. The company announced its forum servers were hacked, leaving email addresses, forum messages, and hashed passwords vulnerable.


Reversible, tiny, faster: Hands on with the USB Type-C plug

Megan Geuss SAN FRANCISCO—Last week, Ars met up with several representatives of the non-profit USB Implementers Forum (USB-IF) to check out some of the first USB Type-C connectors off the assembly lines. The Type-C specification was announced in December and finalized in August, and it’s set to bring a number of improvements to its predecessors, in addition to being smaller than the Type-A USB plugs we’re familiar with today. Considering how many USB Type-A devices are still being actively built out there (over 4 billion USB-compatible products are made each year), this smaller, reversible connector represents a significant jump. Jeff Ravencraft, President and COO of USB-IF, told Ars that USB-IF wanted a connector that worked equally well for large and small devices. “We also understand that yeah the consumer maybe has some trouble with putting in that cable connector,” he added of the Type-C’s new-found ability to be plugged in right-side up or upside down, like Apple’s Lightning connector. The new Type-C connector is also slightly bigger than its proprietary cousin, with Type-C sized at approximately 8.4 mm by 2.6 mm and Lightning coming in at 7.7 mm by 1.7 mm. Unlike the reversible Lightning, but similar to USB connectors before it, the USB Type-C connector has a mid-plate inside the receptacle that the plug surrounds when it’s inserted.


Texas man must pay $40.4M for running Bitcoin-based scam, court rules

A federal judge in Texas has convicted a local man of conducting a massive Bitcoin-based Ponzi scheme, and ordered him to pay $40.4 million. The court found on Friday that Trendon Shavers had created a virtual bitcoin-based hedge fund that many suspected of being a scam—and it turned out they were right. The Bitcoin Savings and Trust (BTCST) shut down in August 2012, and by June 2013 the Securities and Exchange Commission (SEC) filed charges against its founder. In a statement at the time, the SEC said Shavers “raised at least 700,000 Bitcoin in BTCST investments, which amounted to more than $4.5 million based on the average price of Bitcoin in 2011 and 2012 when the investments were offered and sold.” Judge Amos Mazzant wrote:


Facebook acknowledges news feeds are bad at news, vows to improve

Facebook’s News Feed pays attention to trending topics, right, but news feeds have lately seemed to be lacking in news. Following criticism of the lack of current events in Facebook news feeds, Facebook has announced tweaks to its algorithms meant to help surface timely content. The company plans to do this by giving more value to posts that get interactions, such as likes and comments, and pushing posts when that activity seems to be cresting. In the blog post announcing the changes, Facebook wrote that it often prioritizes posts about “trending” topics that appear in the chart of hashtags posted on the right side of users’ homepages. Facebook also places higher value on posts according to how many interactions (likes, comments, shares) they receive. But as things are, some users have noted that Facebook seems to miss news waves, or is late to them, as with the fatal shooting of Mike Brown and the related protests that played out over weeks in August. When Facebook’s curation methods didn’t acknowledge those events, users noticed the news vacuum in their news feeds.


iCloud for Windows update means PCs can use iCloud Drive before Macs can

iCloud Drive is now available on Windows, but not OS X. Andrew Cunningham Apple officially released iCloud Drive yesterday as part of the iOS 8 update, but it came with a caveat: turning it on disables the “old” way of iCloud syncing, but OS X doesn’t yet support iCloud Drive and won’t until OS X Yosemite is released later this fall. If you use iCloud to sync application data between your phone, tablet, and desktop, this means you’ll need to keep living with the more limited version of iCloud until Yosemite is out (or roll the dice and give the Public Beta a try). If you’re a Windows user with an iPhone, though, you can go ahead and pull the trigger on that iCloud Drive update now. Apple today released an updated version of the iCloud for Windows application that adds full support for iCloud Drive. Install the program and sign in, and iCloud Drive will appear in your user profile folder and your Favorites menu in Windows Explorer, much like Microsoft’s own OneDrive cloud storage service. This is the first opportunity that Windows users will have to view and directly manipulate iCloud data, not counting the more limited capabilities of the iCloud.com Web apps, and it’s a nice new addition for people who like iOS but don’t care to use Macs. Otherwise, iCloud for Windows continues to be more limited than iCloud on either iOS or OS X. It can sync with your Photo Stream and sync Safari bookmarks with either Internet Explorer, Firefox, or Chrome, and if you have Outlook 2007 or later installed it will also offer to sync your iCloud mail, calendars, contacts, and reminders. However, it can’t use iCloud Keychain to sync passwords, nor does it provide any kind of “Find My Device” functionality as it does in both iOS and OS X. You can’t sync Notes data directly either, though that feature is accessible via iCloud.com.
