The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.
The thief could potentially steal far more if the victim had activated an auto-replenish option, which would allow the app to repeatedly access the victim’s bank account to continually add more money to the Starbucks account. Brotman said that any request for more bank funds would trigger a message to the victim — he said it would probably be an email — which could alert the victim to the fraud. If the victim then contacted Starbucks, the account would be shut down.
Read the full article @ Computer World.
I have not tried this so I’m not actually recommending it. However, I’d love to give one a try for just $49. You wouldn’t post your home address just anywhere online. So why give it out to every website you visit? When you browse the Internet, every site you visit knows your IP address...
The folks at LastPass have a simple way to search the database of hacked passwords (and password hints) released by the recent Adobe hack. Please check, and change accordingly. (Mine was and I did.)
The article is a bit technical but the bottom line is this: There’s a giant back door in many D-Link Wi-Fi routers!
In other words, if your browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web interface without any authentication and view/change the device settings (a DI-524UP is shown, as I don’t have a DIR-100 and the DI-524UP uses the same firmware):
Based on the source code of the HTML pages and some Shodan search results, it can be reasonably concluded that the following D-Link devices are likely affected:
Additionally, several Planex routers also appear to use the same firmware:
Read the full article @ /dev/ttyS0.
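One way to check web or proxy logs for use of the user-agent back door described above, as an added example that is not part of the original post or the /dev/ttyS0 article. It assumes logs in Apache/nginx "combined" format; the sample lines, paths and addresses are constructed.

```python
import re
from collections import defaultdict

# User-Agent value quoted in the post above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed input: Apache/nginx "combined" log format from a proxy or capture.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Oct/2013:09:12:01 +0000] "GET /index.htm HTTP/1.1" 401 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [14/Oct/2013:09:13:44 +0000] "GET /index.htm HTTP/1.1" 200 4211 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.7 - - [14/Oct/2013:09:13:52 +0000] "POST /example-settings HTTP/1.1" 200 97 "-" "xmlset_roodkcableoj28840ybtide"
203.0.113.5 - - [14/Oct/2013:09:20:10 +0000] "GET / HTTP/1.1" 403 0 "-" " XMLSET_roodkcableoj28840ybtide "
not a log line
"""

def find_backdoor_requests(log_text):
    """Return {source: [hit, ...]} for requests carrying the back-door User-Agent."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; ignore
        # Detection choice: normalise case and padding so near-miss probes are flagged too.
        if m["ua"].strip().casefold() != BACKDOOR_UA:
            continue
        status = int(m["status"])
        hits[m["src"]].append({
            "time": m["ts"],
            "request": f'{m["method"]} {m["path"]}',
            "status": status,
            # A 2xx reply means the device served the page to this request.
            "served": 200 <= status < 300,
            "exact": m["ua"] == BACKDOOR_UA,
        })
    return dict(hits)

def summarize(hits):
    """Sorted (source, total requests, requests answered with 2xx) tuples."""
    return sorted((s, len(r), sum(h["served"] for h in r)) for s, r in hits.items())

if __name__ == "__main__":
    for row in summarize(find_backdoor_requests(SAMPLE_LOG)):
        print(row)
```

Sources with a non-zero third field are the ones to investigate first, since the router answered them with content rather than an error.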
Amy Goodman at Democracy Now interviewed Ladar Levison, founder/owner/operator of Lavabit, the security-focused email service Edward Snowden used to invite attendees to a Moscow press conference; the service was abruptly closed last week with an explanation pointing to US government interference. He joined the show from Washington DC with his lawyer, Jesse Binnall. Goodman...