But when people use mobile applications, they’re also vulnerable to the same sort of cookie tracking. Many mobile apps are just Web applications wrapped in a package for an app store—they send cookies back to the same server to identify the user and provide location information and other data about a device to the application vendor, third parties, or anyone who happens to be watching network traffic. Taken together with other data, these cookies can be used to track individuals as they wander the world, posing a significant privacy risk.
Microsoft has formally settled legal differences with No-IP, the dynamic domain name host that was kneecapped by a botnet takedown that recently knocked out service to millions of legitimate users.
As we reported, Microsoft surrendered the 23 No-IP domains last week. A bare-bones statement e-mailed to journalists Wednesday morning said the agreement settled a controversial lawsuit Microsoft filed in late June that allowed the software maker to confiscate 23 No-IP domain names before the service provider had an opportunity to oppose the maneuver in court. The malware families targeted in the latest takedown infected more than 7.4 million machines in the past year alone, Microsoft said.
A federal judge approved Microsoft's confidential ex parte motion arguing that the software maker was entitled to seize control of the addresses because No-IP owner Vitalwerks Internet Solutions failed to follow industry practices designed to prevent malware operators from abusing the service. In the course of a few hours, millions of connections from law-abiding users were severed. The statement read in part:
The recent arrest of a Russian hacker by the US Department of Homeland Security is stirring up diplomatic difficulties.
The suspect, 30-year-old Roman Valerevich Seleznev, is the son of a Russian lawmaker. The Russian Foreign Ministry, which says he was arrested in an airport in the Maldives, has condemned the tactics used by the US. Seleznev has now been transported to Guam, where he has made his first court appearance.
"We consider this as the latest unfriendly move from Washington," stated the Ministry, according to a Reuters report. The Russian Foreign Ministry's statement (Russian) describes the event as a "kidnapping."
A serious attack involving a widely used Web communication format is exposing millions of end users' authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday.
The exploit—which stems from the ease of embedding malicious commands into Adobe Flash files before they're executed—has been largely mitigated by a Flash security update Adobe released Tuesday morning to coincide with a technical analysis of the threat, including proof-of-concept exploit code. It will take days or weeks for a meaningful percentage of end users to install the fix, so the researcher who wrote the advisory is warning engineers at large websites to make server-side changes that will minimize the damage attackers can inflict on visitors. eBay, Tumblr, Instagram, and Olark are known to be vulnerable to attacks that can intercept authentication cookies or other data they send end users. Until recently, both Twitter and a wide range of Google services were also susceptible to the exploit. The common identifier assigned to the exploit is CVE-2014-4671.
The attack relies on long-standing behavior that allows the binary contents of a common shockwave file—a throwback term for Flash files that's better known simply as SWF—to be converted into an equivalent file consisting solely of alphanumeric characters. The conversion typically involves compressing the SWF file so that it can be passed through websites that use a technique known as JSONP—or JSON with padding—to set browser cookies and perform other tasks.
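The advisory summarized above asks site operators for server-side changes rather than waiting for every visitor to patch Flash. The following is an added example, not code from the advisory, Adobe, or any of the sites named here: it contrasts a naive JSONP handler, which reflects the callback name at byte offset 0 of the response, with a hardened one. The identifier regex, the function names and the sample payload are constructed for illustration; the `/**/` prefix and the `nosniff` header are the mitigations assumed here, chosen because a Flash player only parses a response as SWF when it begins with one of the three SWF magic signatures, so a fixed non-alphanumeric prefix removes that possibility regardless of what the callback contains.

```python
import json
import re

# SWF files begin with one of these three-byte signatures (uncompressed,
# zlib-compressed, LZMA-compressed). A Flash player only attempts to parse a
# response as SWF when it starts this way, which is why a reflected
# alphanumeric callback name is the dangerous part of a JSONP reply.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Constructed identifier rule: letters, digits, _, $ and dots, bounded length.
# Note that it still admits names beginning with "FWS", "CWS" or "ZWS".
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")


def looks_like_swf(body: bytes) -> bool:
    """Defender-side check: does this response body start with an SWF signature?"""
    return body[:3] in SWF_SIGNATURES


def naive_jsonp(callback: str, payload) -> bytes:
    """The weak pattern: reflect the callback verbatim at byte offset 0."""
    return (callback + "(" + json.dumps(payload) + ");").encode()


def hardened_jsonp(callback: str, payload):
    """Return (status, headers, body) with the assumed mitigations applied.

    Validating the callback as an identifier is not enough on its own,
    because alphanumeric SWF content is itself a syntactically valid
    identifier. The body is therefore prefixed with the harmless JavaScript
    comment '/**/', which guarantees the response can never begin with an
    SWF signature. X-Content-Type-Options: nosniff stops browsers from
    second-guessing the declared content type.
    """
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain"}, b"invalid callback"
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body.encode()


if __name__ == "__main__":
    data = {"session": "constructed-example-value"}
    # A callback that passes the identifier check yet begins with an SWF magic.
    cb = "CWSsomething"
    print(looks_like_swf(naive_jsonp(cb, data)))      # True: reflected verbatim
    status, hdrs, body = hardened_jsonp(cb, data)
    print(status, looks_like_swf(body))               # 200 False
    print(hardened_jsonp("not valid!", data)[0])      # 400
```

`looks_like_swf` doubles as a cheap regression check for an existing endpoint: fetch it with a callback parameter that starts with one of the three signatures and confirm the first bytes of the reply are not that signature.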
In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices.
The attack works against LIFX smart lightbulbs, which can be turned on and off and adjusted using iOS- and Android-based devices. Ars Senior Reviews Editor Lee Hutchinson gave a good overview here of the Philips Hue lights, which are programmable, controllable LED-powered bulbs that compete with LIFX. The bulbs are part of a growing trend in which manufacturers add computing and networking capabilities to appliances so people can manipulate them remotely using smartphones, computers, and other network-connected devices. A 2012 Kickstarter campaign raised more than $1.3 million for LIFX, more than 13 times the original goal of $100,000.
According to a blog post published over the weekend, LIFX has updated the firmware used to control the bulbs after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the bulbs used the Advanced Encryption Standard (AES) to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.