Morse code, really?

In super happy awesome news, the FCC announced that Net Neutrality has won! Well until the dirty stinking paid-off-by-Comcast-Congress gets a hold of it...

In a very partisan vote, 3-2 democrats over republicans, the vote passed and the new rules mean that companies cannot discriminate against traffic (except for exceptions for reasonable network management.)

The core net neutrality provisions are bans on blocking and throttling traffic, a ban on paid prioritization, and a requirement to disclose network management practices. Broadband providers will not be allowed to block or degrade access to legal content, applications, services, and non-harmful devices or favor some traffic over others in exchange for payment. There are exceptions for "reasonable network management" and certain data services that don't use the "public Internet." Those include heart monitoring services and the Voice over Internet Protocol services offered by home Internet providers.

This is huge because it protects consumers from big bad evil corporations that want to charge Netflix, et al. more to provide "fast lanes" and yet still provides for QoS (Quality of Service) for VoIP (Voice over Internet Protocol) aka using your data lines for telephone calls.

In more ridiculous news, Verizon responded to the FCC's vote by using Morse code in their press release. Classic example of someone not getting their way and having a tantrum. I do believe it is time for their nap...let me go get their blanket and "binky."

This doesn't necessarily have much to do with InfoSec but it is HUGE and IMPORTANT news that just had to be shared...and if it is important for the people and for the freedom of the internet, then it is important for IT professionals and those in security to know about and, hopefully, celebrate.

Lenovo or is it Le Oh No?

There has been a lot of interesting information coming out lately regarding Superfish and man-in-the-middle attacks.

Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said. - Ars Technica

The CEO of Superfish maintains in a statement that there is no security flaw in the software, which pretty much every other person with any knowledge of SSL and certificates can see is false. It has now even been found that it is even easier to perform a man-in-the-middle attack than previously thought.

The latest update has Lenovo CTO Peter Hortensius saying in an interview with The Wall Street Journal that they "didn't do enough." They are also in the process of writing software that will completely remove all code and data associated with the adware.

In case you wanted to know, if you bought a Lenovo between October 2014 and December 2014 and it is a model in the list below, you probably have Superfish signing certificates and are vulnerable:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

It was almost the end of the world again...

...and we're back to Facebook and how the world almost ended again.

This time because of a bug that could have opened the door to deleting every single photo on Facebook. While I don't believe it would have happened without a beast of a processor, I do think that it could have caused some major damage.

There was a bug in the code for Graph API, "a developer platform that allows websites and applications to tap into Facebook's data."

The Graph API does not allow one user to delete another person's photos or albums. But by manipulating an access token from his mobile device, he was able to convince Facebook that the album belonged to him -- effectively allowing him access to read, write, and delete the album. - Zack Whittaker, ZDNet

The bug was so potentially damaging that Facebook had a fix out within two hours, and they rewarded the person that discovered the bug the highest reward offered, $12,500. Not a bad days work in my opinion!

Taxes and death...

It is that time of year again; people all over the country are receiving their W-2's and filing their taxes. It is also time for fraudsters to come out of the woodwork and work their magic.

Tax software goliath Intuit had an issue last week with Turbo Tax and state tax filings. The issue had some people logging in to file their taxes and finding their state taxes already completed when they hadn't done so themselves.

The faked filings was not due to a security breach which makes me happy since I have used Turbo Tax for the last 10 years. At this point I have already files and received my returns (however paltry they were this year...damn you scholarships and the American Opportunity Tax Act!!)

Fraudsters can easily go to an underground website to purchase personal data suitable for filing bogus tax claims, an identity-management specialist noted in comments to USA Today.

Intuit has instituted additional security measures and anyone that was affected by the by this tax fraud is being offered identity protection services and free credit monitoring.