Security roundup (4/5/15)

Here are some top stories from the last month:

  • The FREAK bug. You can read the in-depth info here, but the gist is that a “man in the middle” could force an encrypted HTTPS web connection to use really old and really weak encryption, thus allowing someone (probably the man in the middle) to break the encryption and eavesdrop. These holes will be plugged soon and they don’t affect many people. The real take-away here is that our government’s policy of purposely weakening encryption standards (a legacy from the Crypto Wars of the 90s) has come back to bite us. These are some of the unintended consequences of something that happened over a decade ago.
  • BIOS hacks. There’s an even more fundamental piece of software on your PC than the operating system: it’s the BIOS. The BIOS is built into your computer and it runs before the OS even starts. Most people don’t know it’s even there – and therefore, most people don’t even know it can be updated. But as Bruce Schneier explains here, it’s a very powerful place to hack a system – and it’s in dire need of enhanced security mechanisms. The industry is moving to replace BIOS with UEFI, which is supposed to allow secure booting… but it opens up a whole case of cans containing worms (pun intended). The upshot here is that we need to completely rethink computer security from the ground up, and that’s going to take some time and a lot of transparency. (Fingers crossed.)
  • The Surveillance State Repeal Act (HR 1466). Some of the key dragnet surveillance laws in the Patriot Act are set to expire on June 1st unless Congress re-enacts them and the President signs them (which is causing some much-needed debate). However, HR 1466 will go much further. I encourage you to contact your representatives and voice your strong support for meaningful surveillance reforms.
  • Opt out of Verizon tracking. Verizon is apparently bowing to pressure and allowing their users to opt out of their nasty super-cookie tracking program. Click here for info.
  • Firefox adding new privacy option. Available in the latest Firefox builds is a new, hidden feature that helps users block web tracking. You can read about it here. This hidden option will be revealed in Firefox version 39, supposedly, but you can turn it on right now using the instructions at the link I just gave. This just re-affirms my choice of Firefox as the best current browser for security and particularly privacy.
