Mozilla Firefox Account Protection With Two-Step Authentication

Mozilla has announced that it now supports two-step authentication (also known as two-factor authentication or 2FA) for Firefox Accounts.

“Starting on 5/23/2018, we are beginning a phased rollout to allow Firefox Accounts users to opt into two-step authentication. If you enable this feature, then in addition to your password, an additional security code will be required to log in.”

Mozilla has selected the Time-based One-Time Password (TOTP) standard as its mechanism. TOTP codes are generated by authenticator apps such as Authy, Duo, Google Authenticator, or the open-source andOTP.

Single-use recovery codes are supported in case you lose access to your phone.

2FA is highly recommended for Firefox users, particularly those who rely on the browser’s built-in password manager, as it improves the overall security of their accounts.

What is 2FA?

Single-factor authentication is your username and password. Two-factor authentication adds a second form of identification, in this case your phone.

It is highly unlikely that an attacker gains access to both your phone and your username/password, so 2FA is a significant advantage.

Protecting Your Firefox Account Using 2FA

The process below is similar regardless of which app or platform you use. If you use andOTP, an externally linked page offers advice from its developer on setting it up.

Note: Android’s security policy prevents taking screenshots of the andOTP app in action.

1. Enable 2FA in Firefox

Go to Options -> Firefox Account -> Manage Account -> Two-step authentication -> Enable.

Mozilla is rolling out 2FA gradually, so you may not see this option right away. If not, just click this link in Firefox to enable it.

2. You will get a QR code to scan into your authenticator app. In andOTP, tap the + icon at the bottom right -> Scan QR code. The app will then display a security code that you must enter into Firefox. Then hit “Confirm.”

3. Woo-hoo! You are ready. You will get confirmation that 2FA is enabled (and receive a confirmation email from Mozilla).

You will also get a set of single-use recovery codes. Each can be entered once in place of a code from your authenticator app, for example if you lose your phone. Keep them secure!

4. Any time you sign in to your Firefox Account, whether on the same device or a new one, you will be prompted for a security code after you have entered your username and password.

Simply open your authenticator app, glance at the Firefox Accounts entry, and enter the code within the allotted time. Easy!

Closing

Two-factor authentication makes your Firefox account more secure, and it doesn’t take much time to set up.

Russia Wants Apple to Remove Telegram from its App Store

Putin’s government is pressuring Apple to remove Telegram from its App Store as part of their continued effort to curb the use of the popular encrypted messenger.

Russia’s telecoms watchdog Roskomnadzor has threatened Apple – warning that if it does not remove Telegram, the App Store itself could be blocked throughout Russia.

The threats come amid revelations that Telegram’s use in Russia remains high despite Putin’s attempts to block it. The blockade is in place because Telegram founder Pavel Durov refused to hand the Kremlin encryption keys that would allow it to snoop on communications.

The Kremlin reports that ISIS uses Telegram to plan attacks, which is what sparked the widespread use of Telegram in Russia in the first place.

Telegram lost its recent court appeal but refuses to hand over the encryption keys, claiming it doesn’t have them.

Block or Be Blocked

Roskomnadzor wants Telegram removed from the App Store and has also asked Apple to stop serving push notifications to Russian Telegram users. The document reads: “To avoid possible actions by Roskomnadzor to disrupt the functioning of the above services, Apple, Inc. we ask you to inform us in the shortest possible time about further actions of the Company aimed at solving these problem issues.”

So despite the Kremlin’s efforts, it appears that many Russians are still using VPNs and Telegram.

So far, Putin’s government has blocked IP addresses used by Google Cloud and Amazon Web Services in its efforts to shut down Telegram. Now Roskomnadzor has Apple in its sights.

Why the Commotion?

Putin has insisted that he wants access to Telegram messages for national security, but the general perception is that he wants to snoop on political opponents and dissidents as it is believed that opponents often use Telegram to communicate.

News recently broke about French authorities charging a suspect with plotting a terror attack. In that case, Paris police cited messages sent over Telegram as evidence. This has led security experts to question whether French authorities have a Telegram backdoor (or access to the keys, either directly from Telegram or via UK intelligence/14 Eyes).

If that is true, then one can’t help but wonder whether Durov is secretly working with British, French, and perhaps other government agencies, which would mean there is more to Russia’s Telegram blockade than meets the eye.

What’s Next?

Russia has given Apple a one-month ultimatum.

Russia also blocked another 50 VPN services in May to further restrict Telegram use.

Ghostery GDPR Email Blunder

Ever since the EU’s new General Data Protection Regulation (GDPR) came into effect, the GDPR Hall of Shame, a website dedicated to the greatest GDPR blunders to date, has named and shamed many companies, and its pages feature plenty of hilarious mistakes.

Ghostery takes the cake for the biggest GDPR email blunder. The error showcases just how quickly even the best of firms can completely screw up while trying to comply with GDPR.

Blooper

Ghostery is a privacy-centric browser extension that monitors for trackers as users browse the web. Digital privacy advocates generally appreciate it. But in this instance Ghostery shot itself in the foot, landing in GDPR hot water.

The embarrassing error was not the email itself, but that over 500 users’ email addresses were carbon-copied, visibly, into each instance of the email. The email’s content was entirely innocuous: “We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.”

The outcome? Each Ghostery user was handed 499 fellow users’ email addresses: private information that is now classified as “personal data” under the EU’s new GDPR legislation.

Twitter Complaints

Ghostery users took to Twitter to complain about the howler. A user with the Twitter handle @andrewrstine sarcastically commented:

Another user, @sebastianwaters, tweeted in disbelief:
“Wtf, did @Ghostery really just send out their #GDPR email with users’ email address visible to everyone?! #GDPRfail”.

Public Apology

Following public outcry, Ghostery published a blog post apologizing for its horrible mistake.

So, what was the reason behind the error in judgment?

According to the firm, it had recently decided to “stop using a third-party email automation platform”. The idea was to “be more secure” by managing “user account emails in our system, so we could fully monitor and control data practices surrounding them.”

Users Forgiving Too Easily?

Luckily for Ghostery, most users seem to have accepted the apology. Gizmodo revealed that most of the Ghostery users it contacted said they would continue to use the anti-tracking extension. For some, however, it is a sign that the firm is not adequately equipped to protect their data.

All in all, one has to be critical of Ghostery, especially as there are better anti-tracking tools on the market, such as the Electronic Frontier Foundation’s Privacy Badger.

In compliance with GDPR, Ghostery will need to report the data leak to the European Commission.

eFail Attack on PGP and S/MIME Encryption

The EFF, backed by security researchers, has issued a warning over PGP and S/MIME encryption: stop using them to secure your emails, at least for now.

PGP is widely regarded as the safest way to send secure emails although it does not encrypt metadata and is not the easiest to use.

Sebastian Schinzel, Professor of computer security at Münster University of Applied Sciences, on 14 May tweeted: “We’ll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.”

Professor Schinzel is a respected security researcher who has uncovered many cryptographic vulnerabilities. His most notable find was the 2016 DROWN attack, which put 33% of all HTTPS servers in the world at risk.

The Electronic Frontier Foundation (EFF) has confirmed the vulnerability:
“A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

It is best to follow the EFF’s advice.

The EFF’s article goes on to link to tutorials on disabling PGP plug-ins in Thunderbird (Enigmail), Apple Mail (GPGTools), and Outlook (Gpg4win).

There is no mention of removing standalone apps such as Gpg4win or PGP browser add-ons such as Mailvelope.

S/MIME

S/MIME is similar to PGP; the main difference is that S/MIME uses predefined encryption standards and public-private key pairs issued by a trusted authority, whereas PGP users choose their own encryption methods and handle the sharing of their keys themselves.

Closing

You should avoid using PGP and S/MIME to encrypt emails until the issue is entirely fixed.

Image credit: By arka38/Shutterstock.

Website Bug Enables Anyone to Track US Phones Without Permission

Last week US Senator Ron Wyden issued a formal complaint to the FCC about a phone tracking system. Worryingly, a second, even more alarming tracking service has now surfaced.

It is called LocationSmart, and it is a phone tracking service that can pinpoint the location of mobile phones connected to carrier networks belonging to Verizon, AT&T, Sprint, and T-Mobile.

Security researcher Brian Krebs has revealed a bug in the service.

The free-to-use API had been allowing anyone with basic coding knowledge to track almost any cell phone in the US.

Location Tracking Demo

The service was intended to locate a phone only after sending an SMS message asking the user for authorization, then approximating the phone’s position by cell tower triangulation.

But a researcher at Carnegie Mellon University found a way to bypass the SMS authorization step via the company’s online demo tool.

Easily Exploitable

Robert Xiao of Carnegie Mellon’s Human-Computer Interaction Institute said he found the bug by chance. In his detailed blog post about the bug, he explained just how easy it was to bypass the SMS security check.

Mario Proietti, the CEO of LocationSmart, said the firm would launch an investigation into the matter. The demo tool is no longer available on its website. The CEO said the API was made available for “legitimate and authorized purposes” only.

Legal Conundrum

Krebs claims the demo may have been open to exploitation since as early as 2011, and certainly since January 2017.

Krebs said: “A third-party firm leaking customer location information not only would almost certainly violate each mobile providers own stated privacy policies, but the real-time exposure of this data poses serious privacy and security risks for virtually all U.S. mobile customers.”

The outcome of the FCC’s investigation is yet to come, but it is certain this case will not go down quietly.

UK Police Reportedly Accessing Phone Records Unlawfully

Privacy International has filed a formal complaint over UK police forces’ highly invasive “mobile phone extraction technology.”

In the complaint, made to the Information Commissioner’s Office, the group reports that UK authorities have been accessing the contents of people’s phones without authorization, that is, without a warrant. The complaint has also been forwarded to the Home Office and the Independent Office for Police Conduct.

In the complaint, PI calls for reform, claiming the practices are “totally unregulated, potentially discriminatory and unlawful.”

Data Mining

Millie Graham Wood, a lawyer at Privacy International, has claimed that UK police are using technology from the Israeli firm Cellebrite to download data directly from phones without their owners knowing.

Easily Recoverable

Wood claims to have tested the Cellebrite UFED Touch 2 device, which connects directly to the phone from which it gathers data. She further added that the Cellebrite device was even able to recover previously deleted messages from WhatsApp, an encrypted messaging app.

US Police Can Geolocate Nearly Every Mobile Phone

It has emerged that US police use a system that allows them to geolocate nearly every phone in the country, and that some officers are abusing it.

US police have access to a system run by Securus Technologies. Authorities can use it to “ping” a phone’s location once a warrant has been obtained. The fear now is that some officers are abusing the system.

Last year Cory Hutcheson, a Missouri deputy, allegedly accessed the Securus system “for the unlawful purpose of spying on Plaintiffs for his own personal gain.”

Flaws in the System

Securus lets police ping cell phone locations in real time using location data provided by the carriers.

Warrants are required to use the tracking system, but it seems Securus did not scrutinize requests adequately, and Hutcheson exploited that gap.

Securus announced that it requires authorities to upload the proper documentation – a warrant or affidavit – prior to processing a request. However, Senator Ron Wyden (Oregon) has said that Securus does not “conduct any review of surveillance requests.”