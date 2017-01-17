Security News
Monday's security advisories
Hackers take over microphones on Windows PCs to steal data
Hackers targeting people in Ukraine have come up with something unusual: they use the microphones on Windows PCs to steal audio recordings of conversations, screenshots, documents and passwords.
The cyber security firm CyberX calls it Operation BugDrop because the malware eavesdrops by controlling microphones — bugging its targets — and uses Dropbox to store the data that it steals.
In a blog post, the company said it had confirmed that at least 70 people, from various sectors like critical infrastructure, media and scientific research, had fallen victim to the malware that was carrying out the cyber surveillance.
While malware that takes over video cameras on PCs or laptops can be blocked by placing a piece of tape over the camera, the microphone on a PC or laptop requires dismantling to disable.
Trump’s Cybersecurity Plan is a Big No-Show at Key Event
Tens of thousands of cyber professionals, academics, and a handful of public servants have swarmed downtown San Francisco for the annual RSA Conference — one of the largest digital and cyber security events of its kind.
But trying to find a representative from the 3-week-old White House in the convention halls is like playing a game of Where’s Waldo. None appeared to attend, and panels discussing cybersecurity policy worked off of leaked drafts of an executive order abandoned by President Donald Trump’s administration.
The White House did not respond to a request for comment on whether it had sent a representative to San Francisco for the week, and previous requests for comment on plans for the cybersecurity executive order went unanswered.
Rudy Giuliani serves as White House cyber security adviser, though he has said little publicly on the topic since being appointed.
using yubikeys everywhere
Everybody is getting real excited about yubikeys recently, so I figured I should get excited, too. I have so far resisted two factor authorizing everything, but this seemed like another fun experiment. There’s a lot written about yubikeys and how you should use one, but nothing I’ve read answered a few of the specific questions I had.
It’s not a secret I’ve had a dim view of two factor auth, although many of my gripes are about implementation details. I think a lot of that remains true. Where two factor auth perhaps might succeed is in limiting the damage of phishing attacks. I like to think of myself as a little too savvy for most phishing attacks. That’s sadly true of most phishing victims as well, but really: I don’t use webmail. I don’t have any colleagues sharing documents with me. I read my mail in a terminal, thus on the rare occasion that I copy and paste a link, I see exactly the URL I’m going to, not the false text between the tags. Nevertheless, if everybody else recommends secure tokens, I should at least consider getting on board with that recommendation. But not before actually trying these things out.
To begin with, I ordered two yubikeys. One regular sized 4 and one nano. I wanted to play with different form factors to see which is better for various uses, and I wanted to test having a key and a backup key. Everybody always talks about having one yubikey. And then if you lose it, terrible things happen. Can this problem be alleviated with two keys? I’m also very curious what happens when I try to login to a service with my phone after enabling U2F.
