SecOps failure: GPG+Gmail on OSX Mavericks may store unencrypted drafts

A plaintext draft of an encrypted e-mail saved on Gmail servers, despite settings for no drafts to be saved.

If you're sending encrypted e-mail with the default Mail app on OS X Mavericks, your setup may be saving plaintext messages on the mail server. Mac-based users of the GPG encryption app began noticing this unfortunate behavior in October when using Gmail. Even after unchecking the "Store draft messages on the server" and "Store sent messages on the server" checkboxes, the changes would mysteriously vanish.

On Thursday, independent privacy and security researcher Ashkan Soltani was shocked to make the same discovery after finding that GPG-protected e-mails he received from others were stored unencrypted in the drafts folder of his Gmail account. The messages had been automatically saved immediately after he hit the reply button, just below where he would type his response. Like other Mavericks users, he had specifically configured his system not to save such messages when using the Internet Message Access Protocol (IMAP) in Gmail. Without warning, the unchecked checkmarks inexplicably reappeared.

"This is an example of things falling apart at the seams at the integration points," Soltani told Ars. "A lot of people don't use the Gmail browser. They just use Gmail for IMAP. I just happened to have Gmail in the browser opened. Most people wouldn't know about it. I was really shocked."

Multiple gaming platforms hit with apparent DDoS attacks

The servers for Steam, Origin, Battle.net, and League of Legends were brought down temporarily overnight by apparent DDoS attacks that seem to be related to a swatting attack on an individual known for streaming games. All of those services appear to be working normally as of this writing.

A hacker group going by the handle DERP Trolling claimed responsibility for the Origin attack on Twitter, saying it used an "Ion Cannon" DDoS tool it's calling the "Gaben Laser Beam," after Valve founder Gabe Newell. DERP claimed responsibility for similar attacks on Battle.net, League of Legends, World of Tanks, EA.com, and more earlier this week. Meanwhile, a pair of Twitter users are claiming responsibility for last night's attack on Steam.

All of these efforts to take down various games and platforms seem to be related to a swatting attack directed at YouTube user PhantomL0rd. A thread on reddit lays out how those attacks advanced from targeting the games PhantomL0rd was playing (and monetizing through ads) to more personal harassment after his address and details were released online. In a recent stream, PhantomL0rd reported on being handcuffed after having police called to his address.
