Tuesday, May 06, 2014

drag2share: US to start testing universal internet IDs to combat fraud

Source: http://www.engadget.com/2014/05/06/nstic-government-internet-id/

In 2011, the government started concocting a plan to issue Americans one online ID they can use across multiple agencies' websites -- sort of like an OpenID for the government. Now, that plan's wheels are turning, and pilot testing is slated to begin this May in Pennsylvania and Michigan. The initiative, called the National Strategy for Trusted Identities in Cyberspace (NSTIC), was originally devised as a means to prevent fraud and make it easier to verify identities quickly. This initial rollout only involves websites for people applying for government assistance, as it's merely meant to test whether the idea is feasible. But the government hopes this universal ID can eventually replace people's logins for various places on the internet. Obviously, not everyone will be thrilled by this development; after all, we're now very much aware of the NSA's love for snooping. Plus, a single login shared across services like banking and social security concentrates risk: one compromised credential opens all of them. If you're one of those people, cross your fingers and hope that NSTIC stays completely voluntary, as the government promised at the project's inception.


Via: TechDirt

Source: GCN

---
drag2share - drag and drop RSS news items on your email contacts to share (click SEE DEMO)


Monday, May 05, 2014

drag2share: How Facebook Connect (And Other Social Logins) Can Expose You To Hackers

Source: http://readwrite.com/2014/05/04/social-login-covert-redirect-openid-oauth-facebook-google-amazon

Be careful if you're signing in to Web services or apps that let you log in using an ID from Facebook, Twitter, or Google. A weakness in how many sites deploy OAuth 2.0 and OpenID, the widely used open standards behind these logins, could let an attacker covertly redirect you to a malicious site and capture the token that grants access to your data and private information.

Chinese doctoral student Jing Wang publicized the “covert redirect” vulnerability Friday morning. The vulnerability has been known for some time, but fresh attention could make attacks more common—and might also intensify pressure for a fix.

The vulnerability stems from how OAuth 2.0 and OpenID, the technology that lets you use your login from Facebook, Google, or Amazon (among others) to access other sites and services, are deployed. The user really does sign in at Facebook or Google; the trouble is that an attacker can craft the login link so that the provider hands the resulting token to a page on the trusted app's own domain, and that page forwards the browser, token and all, to a website the attacker controls. From there, depending on the level of access the user granted, it can expose personal information, contacts, a friends list, or in the case of Google Apps, stored data.

"This is often the result of a website's overconfidence in its partners," Wang wrote.

Not The Next Heartbleed

"It's not the next Heartbleed, it's not the end of the world, but at the same time, it's something that should be paid attention to," said Kevin O'Brien, director of product marketing for CloudLock. "What's new about it is the socialization," he added, referring to Wang's public campaign to draw attention to the flaw. Once a vulnerability is widely exposed, attacks frequently follow.

Wang discovered the flaw in February, he said via email. "I am not sure whether someone has used the vulnerability or not."

Social login services appeal to developers for several reasons. Amazon, for instance, describes its "Login with Amazon" service to developers as an opportunity to "securely connect with millions of Amazon customers and personalize their experience." Social logins are easy to integrate with Web services or Android and iOS apps, which in turn makes it simple for customers to sign into their accounts using their Amazon credentials.

The idea here, of course, is that if you trust Amazon, you can trust third parties that use its login system. That lets developers focus on what they do best, quickly, without having to build their own login system. Instead, they delegate authentication to the provider, which speaks the OAuth 2.0 protocol, an open standard.

Yet Another Shortcut Turns Into A Security Flaw

Which isn't an unreasonable thing to do. It just turns out that the problem here isn't a bug in the OAuth specification as such; it's how companies like Facebook, Google and Amazon have implemented it, and how loosely the apps built on top of them handle redirects. The protocol leaves it to the provider to decide which redirect URIs it will send tokens to; a provider that accepts any URL on a registered domain, combined with an app page on that domain that forwards visitors wherever a parameter says, is all the attacker needs.

Facebook, for instance, recommends that developers register the exact redirect URIs their app uses, a whitelist that would effectively close the loophole by making the provider send tokens only to those URLs. But Facebook doesn't require a whitelist, and as a result, many developers don't use one.
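To make the mechanism concrete, here is an added simulation (not code from the article, from Wang, or from any provider) of both halves of a covert redirect: a provider's redirect_uri check, in its domain-level and exact-whitelist forms, and a client app's redirector, in its open and hardened forms. The hosts `app.example` and `evil.example`, the paths, and the token value are constructed for the example and stand in for no real site.

```python
"""Covert redirect, simulated end to end: an OAuth 2.0 provider's
redirect_uri check next to a client app's redirector, lax and strict
versions of each. All hosts, paths and the token are constructed for
the example; none belongs to a real provider or app."""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

APP_ORIGIN = "https://app.example"              # hypothetical relying party
REGISTERED_REDIRECT_URIS = {APP_ORIGIN + "/oauth/callback"}
ATTACKER_SINK = "https://evil.example/collect"  # hypothetical attacker site


def provider_authorize(redirect_uri: str, token: str, exact_match: bool) -> str:
    """Return the URL the provider sends the browser to after a successful login.

    exact_match=False models domain-level matching: any https URL on a
    registered host is accepted.  exact_match=True models a whitelist of
    fully registered redirect URIs.  The token rides in the fragment, as in
    the implicit grant; the same leak works with a code in the query string.
    """
    if exact_match:
        if redirect_uri not in REGISTERED_REDIRECT_URIS:
            raise ValueError("redirect_uri is not registered")
    else:
        allowed_hosts = {urlsplit(u).netloc for u in REGISTERED_REDIRECT_URIS}
        parts = urlsplit(redirect_uri)
        if parts.scheme != "https" or parts.netloc not in allowed_hosts:
            raise ValueError("redirect_uri host is not registered")
    return f"{redirect_uri}#access_token={token}"


def app_open_redirect(url: str) -> str:
    """The weak endpoint: forward to whatever ?next= says.

    A browser following a 302 whose Location has no fragment re-attaches the
    fragment of the current URL, so the access token travels with it.
    """
    parts = urlsplit(url)
    target = parse_qs(parts.query).get("next", [None])[0]
    if target is None:
        return url
    return target + (f"#{parts.fragment}" if parts.fragment else "")


def app_safe_redirect(url: str) -> str:
    """Hardened endpoint: only same-site absolute paths are followed."""
    parts = urlsplit(url)
    target = parse_qs(parts.query).get("next", ["/"])[0]
    t = urlsplit(target)
    # Reject anything with a scheme or host, and protocol-relative "//host".
    if t.scheme or t.netloc or not target.startswith("/") or target.startswith("//"):
        target = "/"
    return APP_ORIGIN + target + (f"#{parts.fragment}" if parts.fragment else "")


def run_covert_redirect(exact_match: bool, app_redirect=app_open_redirect) -> Optional[str]:
    """Play the attack and report which host ends up holding the token.

    The attacker builds a login link whose redirect_uri is the app's own
    redirector with next= pointing at the attacker.  Returns the final host,
    or None if the provider refused the redirect_uri outright.
    """
    crafted = APP_ORIGIN + "/redirect?" + urlencode({"next": ATTACKER_SINK})
    try:
        after_login = provider_authorize(crafted, "tok-constructed-123", exact_match)
    except ValueError:
        return None
    return urlsplit(app_redirect(after_login)).netloc


if __name__ == "__main__":
    print("lax provider + open redirector :", run_covert_redirect(False))
    print("exact whitelist                :", run_covert_redirect(True))
    print("lax provider + safe redirector :", run_covert_redirect(False, app_safe_redirect))
```

Either fix on its own stops the token reaching `evil.example`: the exact whitelist refuses the crafted redirect_uri before the user ever logs in, and the hardened redirector keeps the browser on the app's origin even when the provider was lax. In practice you want both, since the provider cannot see the app's redirector and the app cannot control the provider's matching rules.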

When Wang reported the problem to Facebook, the company said it understood the risks with OAuth 2.0. "However, short of forcing every single application on the platform to use a whitelist, [fixing the vulnerability] isn’t something that can be accomplished in the short term,” he wrote.

Wang also reported the vulnerability to Google, LinkedIn, Microsoft, Yahoo, PayPal, Weibo, Taobao, GitHub, and QQ, he said via email. Here are some of their responses:

Google said "[they] are aware of the problem and are tracking it at the moment."

LinkedIn "[has] published a blog post on how [they] intend to address [the problem]." (Blog address: https://developer.linkedin.com/blog/register-your-oauth-2-redirect-urls)

Microsoft answered after they did an investigation and concluded that the vulnerability exists in the domain of a third party, different from the one I reported (login.live.com). They recommended that I report the issue to the third party instead.

Weibo said that they thought this vulnerability was serious and would ask their developers to deal with this situation.

Taobao just closed my report without giving any reason.

Yahoo and PayPal did not reply to me months after my report.

I did not contact VK.com, Mail.Ru and so on because I do not know their email address related to security.

Until there's a fix, be careful when a site or application asks you to connect via Facebook, Twitter, Google, or another provider that uses OAuth 2.0. Pay attention, O'Brien said. If you're looking at a site and get a sudden request for your social-login information when you're not expecting one, "that's the time to step back," he said.



drag2share: Zipcar Is About To Get A Lot More Convenient

Source: http://jalopnik.com/zipcar-is-about-to-get-a-lot-more-convenient-1571811769/+ericlimer


Zipcar, the rent-by-the-hour car sharing service of choice for broke urban Millennials, has one hugely glaring and annoying flaw: after you check out a Zipcar, you have to put it back where you found it. Now they're about to unveil a new program that will fix that.




drag2share: Google Now has got a fancy new trick.

Source: http://gizmodo.com/google-now-has-got-a-fancy-new-trick-if-you-walk-past-1572084895

Google Now has got a fancy new trick. If you walk past a store that carries a product you've been researching online, it'll let you know. Talk about instant shipping. Hopefully it's just a little more spot-on than those targeted ads that are always showing you the thing you just bought.




drag2share: AMD plays both sides of the CPU wars with chips that use the same socket

Source: http://www.engadget.com/2014/05/05/amd-project-skybridge/?utm_source=Feed_Classic_Full&utm_medium=feed&utm_campaign=Engadget&?ncid=rss_full

AMD Project Skybridge

Typically, you can't reuse many parts when you switch processor technologies; if you change chips, you change the entire motherboard at the same time. That won't be true for AMD in the future, though. It's working on a common chip framework, Project Skybridge, that will let 2015-era ARM and x86 system-on-chip processors share the same pin layout. In other words, a basic motherboard design could handle both CPU types.

This doesn't mean that you'd get to walk into a computer store, buy a motherboard and use your choice of ARM or x86 hardware in your new desktop. Rather, Project Skybridge would be for mobile and embedded gadgets -- neither AMD nor device makers will have to reinvent the wheel just because they're thinking of building x86-based Android tablets or ARM-based industrial gear. It's also a hedge against obsolescence. AMD sees the computing world shifting toward ARM, and it doesn't want to be stuck supporting only Intel's x86 technology in the long run.

That's just the start of the semiconductor firm's expanded ARM plans, too. A 2016 core, K12, will be AMD's first 64-bit ARM design. Most of its details are a mystery, but AMD says that the new processor focuses on high frequencies (clock speeds) and expanding ARM's sphere of influence. That suggests that K12 will target heavy-duty tasks. It may not wind up in your pocket, then, but it could handle more duties that were previously reserved for desktops.
