Security Education Companion
A free resource for digital security educators

Security News

Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.

Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.

What To Do If Your Account Was Caught in the Facebook Breach

Keeping up with Facebook privacy scandals is basically a full-time job these days. Two weeks ago, it announced a massive breach with scant details. Then, this past Friday, Facebook released more information, revising earlier estimates about the number of affected users and outlining exactly what types of user data were accessed. Here are the key details you need to know, as well as recommendations about what to do if your account was affected.

30 Million Accounts Affected...

The Google+ Bug Is More About The Cover-Up Than The Crime

Earlier this week, Google dropped a bombshell: in March, the company discovered a “bug” in its Google+ API that allowed third-party apps to access private data from its millions of users. The company confirmed that at least 500,000 people were “potentially affected.”

Google’s mishandling of data was bad. But its mishandling of the aftermath was worse. Google should have told the public as soon as it knew something was wrong, giving users a chance to protect themselves and...

Privacy Badger Now Fights More Sneaky Google Tracking

With its latest update, Privacy Badger now fights “link tracking” in a number of Google products.

Link tracking allows a company to follow you whenever you click on a link to leave its website. Earlier this year, EFF rolled out a Privacy Badger update targeting Facebook’s use of this practice. As it turns out, Google performs the same style of tracking, both in web search and, more concerning, in spaces for private conversation like Hangouts and comments on Google Docs....

The Devil Is in The Details Of Project Verify’s Goal To Eliminate Passwords

A coalition of the four largest U.S. wireless providers calling itself the Mobile Authentication Taskforce recently announced an initiative named Project Verify. This project would let users log in to apps and websites with their phone instead of a password, or serve as an alternative to multi-factor authentication methods such as SMS or hardware tokens.

Any work to find a more secure and user-friendly solution than passwords is worthwhile. However, the devil is always in the...

Facebook Data Breach Affects At Least 50 Million Users

If you found yourself logged out of Facebook this morning, you were in good company. Facebook forced more than 90 million Facebook users to log out and back into their accounts Friday morning in response to a massive data breach.

According to Facebook’s announcement, it detected earlier this week that attackers had hacked a feature of Facebook that could allow them to take over at least 50 million user accounts. At this point, information is scant: Facebook does not know who’s...

You Gave Facebook Your Number For Security. They Used It For Ads.

Add “a phone number I never gave Facebook for targeted advertising” to the list of deceptive and invasive ways Facebook makes money off your personal information. Contrary to user expectations and Facebook representatives’ own previous statements, the company has been using contact information that users explicitly provided for security purposes—or that users never provided at all—for targeted advertising.

A group of academic researchers from Northeastern University and...

Facebook Warns Memphis Police: No More Fake “Bob Smith” Accounts

Facebook has a problem: an infestation of undercover cops. Despite the social platform’s explicit rules that the use of fake profiles by anyone—police included—is a violation of terms of service, the issue proliferates. While the scope is difficult to measure, EFF has identified scores of agencies who maintain policies that explicitly flout these rules.

Hopefully—and perhaps this is overly optimistic—this is about to change, with a new warning Facebook has sent to the Memphis...

ESNI: A Privacy-Protecting Upgrade to HTTPS

Today, the content-delivery network Cloudflare is announcing an experimental deployment of a new web privacy technology called ESNI. We’re excited to see this development, and we look forward to a future where ESNI makes the web more private for all its users.

Over the past several years, we at EFF have been working to encrypt the web. We and our partners have made huge strides to make web browsing safer and more private through tools like HTTPS Everywhere and the Let’s Encrypt...

Microsoft Clears the Air About Fighting CLOUD Act Abuses

Five of the largest U.S. technology companies pledged support this year for a dangerous law that makes our emails, chat logs, online videos and photos vulnerable to warrantless collection by foreign governments.

Now, one of those companies has voiced a meaningful pivot, instead pledging support for its users and their privacy. EFF appreciates this commitment, and urges other companies to do the same.

Microsoft’s long-titled “Six Principles for International Agreements...

Offline: Activists and Technologists Still Face Grave Threats for Expression

A decade ago, before social media was a widespread phenomenon and blogging was still a nascent activity, it was nearly unthinkable outside of a handful of countries—namely China, Tunisia, Syria, and Iran—to detain citizens for their online activity. Ten years later, the practice has become all too common, and remains on the rise in dozens of countries. In 2017, the Committee to Protect Journalists found that more than seventy percent of imprisoned journalists were arrested for online...

How to Roll a Strong Password with 20-Sided Dice and Fandom-Inspired Wordlists

Here’s the not-so-secret recipe for strong passphrases: a random element like dice, a long list of words, and math. And as long as you have the first two, the third takes care of itself. All together, this adds up to diceware, a simple but powerful method to create a passphrase that even the most sophisticated computer could take at least thousands of years to guess. 

In short, diceware involves rolling a series of dice to get a number, and then matching that number to...

Back to School Essentials for Security

Going back to school? This is a perfect time for a digital security refresh to ensure the privacy of you and your friends is protected!

It’s a good time to change your passwords. The best practice is to have passwords that are unique, long, and random. In order to keep track of these unique, long, and random passwords, consider downloading a password manager.

As a great additional measure: You can add login notifications to your...

Trust Us, We’re Secretly Working for a Foreign Government: How Australia’s Proposed Surveillance Laws Will Break The Trust Tech Depends On

In the last few years, we’ve discovered just how much trust — whether we like it or not — we have all been obliged to place in modern technology. Third-party software, of unknown composition and security, runs on everything around us: from the phones we carry around, to the smart devices with microphones and cameras in our homes and offices, to voting machines, to critical infrastructure. The insecurity of much of that technology, and increasingly discomforting motives of the tech giants...

Sen. Wyden Confirms Cell-Site Simulators Disrupt Emergency Calls

Sen. Ron Wyden has sent a letter to the U.S. Department of Justice concerning disruptions to 911 emergency services caused by law enforcement’s use of cell-site simulators (CSS, also known as IMSI catchers or Stingrays). In the letter, Sen. Wyden states that:

Senior officials from the Harris Corporation—the manufacturer of the cell-site simulators used most frequently by U.S. law enforcement agencies—have confirmed to my office that Harris’ cell-site simulators completely disrupt...

Don’t Shoot Messenger

Update (September 28, 2018): Reuters reports that the court has denied the government's request to force Facebook to assist with the wiretap.

Late last week, Reuters reported that Facebook is being asked to “break the encryption” in its Messenger application to assist the Justice Department in wiretapping a suspect's voice calls, and that Facebook is refusing to cooperate. The report alarmed us in light of the government’s ongoing calls for backdoors to...

Giving Privacy Badger a Jump Start: Teaching new Badgers to block from the get-go

When new users try Privacy Badger, they often get confused about why Privacy Badger isn’t blocking anything right away. But that’s because Privacy Badger learns about trackers as you browse; up until now, it hasn’t been able to block trackers on the first few sites it sees after being installed.

With today’s update, however, new users won't have to wait to see Privacy Badger in...

Sextortion Scam: What to Do If You Get the Latest Phishing Spam Demanding Bitcoin

You may have arrived at this post because you received an email from a purported hacker who is demanding payment or else they will send compromising information—such as pictures sexual in nature—to all your friends and family. You’re searching for what to do in this frightening situation.

Don’t panic. Contrary to the claims in your email, you haven't been hacked (or at least, that's not what prompted that email). This is merely a new variation on an old scam which is popularly...

Moving Your Site From "Not Secure" to Secure

Maybe you’re a beginner to web development, but you’ve done the hard work: you taught yourself what you needed to know, and you’ve lovingly made that website and filled it with precious content. But one last task remains: you don’t have that little green padlock with the word “secure” beside your website’s address. You don’t yet have that magical “S” after “HTTP”.

You might have heard or noticed recently that something is different on Google Chrome: if your website does not have a...

Google Chrome Now Marks HTTP Sites "Not Secure"

Last week, the movement to encrypt the web achieved another milestone: Google’s Chrome browser made good on its promise to mark all HTTP sites “not secure.” EFF welcomes this move, and we are calling on other browsers to follow suit.

This is the latest in the web’s massive shift from non-secure HTTP to the more secure, encrypted HTTPS protocol. All web servers use one of these two protocols to get web pages from the server to your browser. HTTP has serious problems that make it...

Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery

Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.

Thanks to previous EFF efforts like Let's Encrypt and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.

Note that this is...

A Technical Deep Dive into STARTTLS Everywhere

Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.

Thanks to previous EFF efforts like Let's Encrypt and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.

Note that this...

Border Spy Tech Shouldn’t Be a Requirement for a Path to Citizenship

The Border Security and Immigration Reform Act (H.R. 6136), introduced before Congress last week, would offer immigrants a new path to citizenship in exchange for increased high-tech government surveillance of citizens and immigrants alike. The bill calls for increased DNA and other biometric screening, updated automatic license plate readers, and expanded social media snooping. It also asks for 24-hours-a-day, five-days-a-week drone surveillance along the southern U.S. border.

...

HART: Homeland Security’s Massive New Database Will Include Face Recognition, DNA, and Peoples’ “Non-Obvious Relationships”

So why do we know so little about it?

The U.S. Department of Homeland Security (DHS) is quietly building what will likely become the largest database of biometric and biographic data on citizens and foreigners in the United States. The agency’s new Homeland Advanced Recognition Technology (HART) database will include multiple forms of biometrics—from face recognition to DNA, data from questionable sources, and highly personal data on innocent people. It will be shared with federal...

How To Turn PGP Back On As Safely As Possible

UPDATE: For more up-to-date information, please see EFF's Surveillance Self-Defense guides.

Previously, EFF recommended to PGP users that, because of new attacks revealed by researchers from Münster University of Applied Sciences, Ruhr University Bochum, and NXP Semiconductors, they should disable the PGP plugins in their email clients for now. You can read more detailed rationale for this advice in our FAQ on the topic, but undoubtedly the...
