Pokemon Go security questions addressed, new password sniffing tool puts reused passwords at risk, is electronic voting possible?
Can Nintendo read your email?
With the enormous launch of Pokemon Go, there was a significant amount of alarm about the permissions requested by the app. Critics were calling out Niantic for asking for more permissions than were necessary to run the incredibly popular augmented reality game.
A little history: Pokemon Go is based heavily on Niantic’s Ingress game, right down to the landmarks in Ingress making up the Pokestops and Gyms in the Nintendo-branded juggernaut. Ingress was originally a Google project that was spun out to Niantic Labs, which continued development of the game.
Seeing the potential for a mixed reality game with the Nintendo brand, Niantic did a deal to use the Pokemon property and launched Pokemon Go.
Even if Niantic had full access to your Google account, Niantic is still essentially a Google property and would most likely still be operating under the Google privacy rules. It is reasonable to expect that any personal information would have remained under Google control and would not have needed to be shared anywhere.
Not satisfied, security researchers looked more closely at the security certificates used by Pokemon Go and discovered that even if Niantic had wanted to read your email and view your calendar, it would not have been possible, as the certificates used by Niantic did not have permission to do so. Only basic user information was ever available to Niantic.
More about this here.
Do you reuse your passwords between accounts? Time to worry.
Security researcher Troy Hunt tweeted last week that a new tool had been found that can search multiple breach databases to sniff out passwords reused between breached services, making the job of compromising online accounts much easier.
What can you do?
Never reuse passwords between accounts. Ever. Password reuse has long been regarded as a poor implementation of an already poor security system. Relying on a username and password alone to secure an account on a service that can be accessed from anywhere in the world is a bad idea. Using the same credentials on more than one site turns your online life into a house of cards: a single breach of one service puts your entire online profile at risk.
Use a password manager. I swear by Lastpass. A very cost effective (US$12/year) encrypted password vault complete with 2 factor authentication, a browser plugin that remembers your details and a password generator capable of producing some monster passwords (that you don’t have to remember). Lastpass works on Windows, Mac, iOS and Android. Lastpass even has a handy-dandy security audit tool that can help work out which accounts need attention in the password department.
Where possible, use 2 factor authentication. Even if you have strong passwords, you can further lock down your online life by enabling 2 factor authentication. This forces you to enter a code to verify that you are indeed the owner of the account. The system will either ask for a time-based code or send a code via SMS to your phone, so even if your username and password are stolen, your account cannot be accessed without your phone.
Check to see if you are at risk. https://haveibeenpwned.com/ is a great website that can tell you whether your account has been included in any of a large number of breached services. This will tell you which accounts may have been compromised and need updating. If any of your accounts are listed, you should change the passwords for those accounts and for any others that share the same password. (See Lastpass; this is a lifesaver.)
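As an added example (not code from the original post, nor from Troy Hunt's tool), the check below shows how the Pwned Passwords service behind haveibeenpwned.com lets you test a password against a breach corpus without sending the password itself: only the first five hex characters of its SHA-1 are sent, and the matching is done locally on the returned range. It assumes the range endpoint https://api.pwnedpasswords.com/range/ and a response of `SUFFIX:COUNT` lines; the sample range response embedded here is constructed for offline use.

```python
import hashlib
import urllib.request

# Constructed sample of what a range lookup returns for prefix "5BAA6"
# (the prefix of SHA-1("password")). Counts are made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "0000A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"
    "FFFF0123456789ABCDEF0123456789ABCDEF012:7\r\n"
)


def hash_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_text: str, suffix: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the breach count for suffix
    (0 when it is absent). Malformed lines are ignored."""
    for line in range_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 2 and parts[0] == suffix and parts[1].isdigit():
            return int(parts[1])
    return 0


def fetch_range_online(prefix: str) -> str:
    """Real lookup: only the 5-char prefix leaves the machine."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "reuse-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Stand-in fetcher that serves the constructed sample for one prefix."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def check_password(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how many times the password appears in the breach corpus.
    Any count above 0 means the password should never be used again."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(fetch_range(prefix), suffix)


if __name__ == "__main__":
    print(check_password("password"))  # 1234 against the constructed sample
```

Pass `fetch_range_online` as the second argument to query the live service; the password itself is never transmitted in either mode.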
Read more about the original story from Sophos here.
Electronic voting for Australia?
We all know that the existing system is showing signs of age, and many of us were frustrated by the time it took to count the results of the 2016 federal election using the existing manual system.
Australians take the electoral process very seriously and (rightfully) there is plenty of resistance to moving the process to a digital system, for a wide variety of reasons. I believe those concerns can be addressed using technology that is already available to us. More on that here.