Is My Password Safe? Practices for People Who Know Better

A couple of weeks back a report came out in which [Tavis Ormandy], a widely known security researcher at Google Project Zero, showed how it was possible to abuse LastPass RPC commands and steal user passwords. The irony is that LastPass is software designed to keep all your passwords safe, and it’s designed in a way that even they can’t access your passwords: the passwords are stored locally using strong cryptography, and only you can access them via a master key. Storing all your passwords in only one place has its downfalls. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use LastPass don’t worry just yet.

But it got me thinking: how worried and how paranoid should a regular Internet user be about his password? How many of us have our account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts with some major Internet-based companies. Don’t go rushing into the Dark Web to try to find out if your account details are being sold. The easiest way to get your paranoia started is to visit Have I Been Pwned. For those who have never heard of it, it’s a website created by [Troy Hunt], a well-known security professional. It keeps track of all known public security breaches he can get his hands on and provides an answer to a simple question: “Was my account in any major data leak?” Let’s take a look.

WikiLeaks Unveils Treasure Trove of CIA Documents

The latest from WikiLeaks is the largest collection of documents ever released from the CIA. The release, called ‘Vault 7: CIA Hacking Tools Revealed’, is the CIA’s hacking arsenal.

While Vault 7 is only the first part in a series of leaks of documents from the CIA, this leak is itself massive. The documents, available on the WikiLeaks site and as a torrent, detail the extent of the CIA’s hacking program.

Of note, the CIA has developed numerous 0-day exploits for iOS and Android devices. The ‘Weeping Angel’ exploit for Samsung smart TVs “places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on.” This Fake-Off mode enables a microphone in the TV, records communications in the room, and sends these recordings to a CIA server. The CIA has also developed tools to take over vehicle control systems. The purpose of such tools is speculative, but they could be used to send a moving car off the road.

It is not an exaggeration to say this is the most significant leak from a government agency since Snowden, and possibly since the Pentagon Papers. This is the documentation for the CIA’s cyberwarfare program, and there are more leaks to come. It will be a while until interested parties — Hackaday included — can make sense of this leak, but until then WikiLeaks has published a directory of this release.

Leaking water detector from an old smoke alarm

[Thomas Clauser] had his basement flood last year when a hurricane swept over New England. The problem with flooding or leaking water is that chances are you won’t notice until it’s too late. He decided to protect against this in the future by building his own leaking water detector. It’s a simple device that sits on the floor of his basement and triggers an audio alarm if water begins to cover the floor.

He used an old smoke detector for the build; a nice choice since it’s loud, and designed for long-term battery operation. It also has a button for testing if the detector is working. [Thomas] removed the PCB from the smoke detector case and soldered wires onto the test button contacts. He cut a sponge to squeeze it inside of a PVC pipe connector housing. That sits against the floor, with the wires for the test button contacts placed through the sponge. If water is soaked up by the sponge it completes the circuit and triggers the alarm.

A few other design features really make this a nice setup. He notched out the bottom of the PVC connector so that water can flow freely, and a switch added to one of the probe wires lets him kill the alarm when inspecting the damage.

Nokia schematics via Shenzhen

The silicon hacker behind the Chumby, [bunnie huang], was browsing through the Mobile Phone Megamarket in Shenzhen, China and stumbled upon an unusual repair book. It turns out the book had the schematics to hundreds of Nokia phones. It’s hard to tell if they are legitimate, but the amount of information makes them seem so. [bunnie] claims that the book is a learning experience because it shows how some sub-circuits are implemented. Also, it can be a good reference for sourcing parts. Since Nokia buys millions of each component, the supply of parts they use is stable. There are also editions for other brands, such as Motorola and Samsung.

Palm Pre Mojo SDK leaked

Pre Insiders has reported that the Pre’s Mojo SDK has been leaked to the internet. Palm was planning an early access program, eventually releasing the SDK by the end of the summer, but this leak has accelerated the process. They are posting several download links, including torrents, but they warn developers to use the tools wisely.

Related: Palm Pre teardown

[via techmeme]