Author Archives: Jeremy Kirk

OpenSSL releases several patches but none for serious issues

The OpenSSL project has released several patches for moderate flaws, including an additional defense against the Logjam vulnerability revealed last month.

OpenSSL is widely used open-source software that encrypts communications using the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol. SSL/TLS prevents clear-text data from being transmitted across the Web, avoiding high security risks.

The patches include three for moderate flaws. Two of these fix flaws that could be used for denial-of-service attacks, according to an advisory. The third patch fixes a moderate flaw that affects OpenSSL versions prior to a June 2014 release. A fourth patch is for a low-severity race condition flaw.

Apple Mail flaw could pose risk to iCloud passwords

A security researcher says a vulnerability in Apple’s mobile email application could be used to trick someone into divulging their iCloud password.

Prague-based Jan Soucek published proof-of-concept code that shows how he could send an email to someone with HTML code that resembles the iCloud login pop-up window. Soucek then receives an email containing the password.

The vulnerability allows remote HTML content to be loaded in an email, which replaces the content of the email message. Soucek wrote that he then built a functional password collector using HTML and CSS. He also published a demonstration video.

‘Your PC may be infected!’ Inside the shady world of antivirus telemarketing

Scotty Zifka was looking for a sales job. He started one in late May at a company called EZ Tech Support, a small inbound call center in an older building in northeast Portland, Oregon.

The first day of Zifka’s unpaid training involved listening in on sales calls. But within three hours, Zifka felt something wasn’t quite right.

“Everything about it was so weird,” he recalled.

The company’s 15 agents answer calls from people who’ve seen a pop-up message saying their computer may be having problems, and advising them to call a number, which rings at the offices of EZ Tech Support.

The agents are instructed to stick to a 13-page script. They ask callers whether they have an antivirus program installed. If they do, Zifka said, callers are usually told that whatever they’re using isn’t a “full-time real spectrum virus protection program.”

SweetCAPTCHA users complain of advertising pop-ups

Website owners are complaining that a free security tool started displaying unwanted advertising pop-ups to their visitors.

The tool is made by SweetCAPTCHA. It requires users to correctly pick out and match images before they’re allowed to do some action on a website. CAPTCHAs are intended to prevent abuse by spammers and automated registrations by web bots.

SweetCAPTCHA was busy Tuesday fielding complaints on Twitter from some who noticed a script that was injecting the pop-up ads. Sucuri, a security company, said the pop-ups promote tech support schemes and bogus dating sites.

Mozilla doubles maximum bounty for Firefox flaws to $7,500

Mozilla is giving a raise to security researchers who spot Firefox browser vulnerabilities, more than doubling its maximum reward for information on the most high-risk flaws.

The change comes as many major companies have launched lucrative bug bounty programs, which benefit software developers by attracting a more diverse set of eyes on their code.

“The amount awarded was increased to $3,000 five years ago, and it is definitely time for this to be increased again,” wrote Raymond Forbes, an application security engineer at Mozilla.

Apple moves to six-digit passcode in iOS 9

Apple plans to require six-digit passcodes to unlock its latest mobile devices that use iOS 9, its forthcoming mobile operating system.

Users already have the option in iOS 8 of setting a much longer passcode than four digits, which is the current minimum requirement. Symbols and letters can also be used.

Increasing the minimum number of digits to six means that there will be 1 million possible combinations rather than 10,000, which “will be a lot tougher to crack,” Apple wrote on its website.

The move to longer passcodes is not likely to please U.S. authorities, who have expressed fears that stronger security measures, including encryption, may make it more difficult to obtain information for time-sensitive investigations, such as terrorism.

Facebook mandates stronger digital verification of apps

Facebook will require application developers to move later this year to a more secure type of digital signature for their apps, which is used to verify a program’s legitimacy.

As of Oct. 1, apps will have to use SHA-2 certificate signatures rather than ones signed with SHA-1. Both are cryptographic algorithms that are used to create a hash of a digital certificate that can be mathematically verified.

Apps that use SHA-1 after October won’t work on Facebook anymore, wrote Adam Gross, a production engineer at the company, in a blog post.

“We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard,” Gross wrote.

Hola browser extension should be uninstalled, researchers say

Security researchers contend the developer of a popular browser extension has not fixed vulnerabilities they found, and are recommending that users get rid of it.

The free extension, from Israel-based Hola, is a peer-to-peer program that routes people’s Internet traffic through other Hola users’ computers. It can let users watch geoblocked content by routing traffic through the authorized region or offer greater anonymity, similar to Tor, when Web browsing. It has been downloaded millions of times.

Last week, a group of nine researchers launched a website called “Adios, Hola!” that describes several flaws affecting the Hola Unblocker Windows client, the extension for Firefox and Chrome, and its Android application.

Apple vulnerability could allow firmware modifications, researcher says

A zero-day software vulnerability in the firmware of older Apple computers could be used to slip hard-to-remove malware onto a computer, according to a security researcher.

Pedro Vilaca, who studies Mac security, wrote on his blog that the flaw he found builds on previous ones, but this one could be far more dangerous. Apple officials could not be immediately reached for comment.

Vilaca found it was possible to tamper with an Apple computer’s UEFI (unified extensible firmware interface). UEFI is firmware designed to improve upon BIOS, which is low-level code that bridges a computer’s hardware and operating system at startup.

Man charged with selling fake discount coupons on Silk Road

A Louisiana man has been accused of creating counterfeit coupons and selling them on the Silk Road underground websites, potentially defrauding businesses of more than US$1 million, the Justice Department said Thursday.

Prosecutors said Beau Wattigney, 30, of New Orleans, created coupons that look like print-at-home coupons from manufacturers, including fake logos. The coupons offered vast discounts on the retail price of some items.

He offered one of the coupons, for a $50 Visa gift card, for 1 cent, prosecutors said.

Apache Cordova fixes flaw that could cause apps to crash

A fix has been released for a vulnerability in a widely used piece of code in Android devices, which could cause apps to crash or display unwanted dialog boxes.

The flaw lies in Apache Cordova, which is a set of APIs (application programming interfaces) that let developers access functions such as a camera or accelerometer using JavaScript, according to its website.

Trend Micro, which found the problem, wrote that 5.6 percent of apps in Google’s Play store use Cordova and are vulnerable. iOS is not affected.

Apps using Cordova that “don’t have explicit values set in Config.xml can have undefined configuration variables set by Intent,” according to a description of the flaw on the Cordova website.

Wi-Fi access point scans can betray a person’s location

Many Android applications collect information on Wi-Fi access points, which researchers contend can be used to figure out where a person is more than 90 percent of the time.

The privacy implications of Wi-Fi access point scanning are often overlooked but present a risk if the information is abused, according to the study, written by the Technical University of Denmark, the Massachusetts Institute of Technology and the University of Copenhagen.

Wi-Fi information isn’t considered location data, and Android applications such as Candy Crush Saga, Pandora and Angry Birds routinely collect it.

“This makes it possible for third party developers to collect high-resolution mobility data under the radar, circumventing the policy and the privacy model of the Android ecosystem,” wrote Sune Lehmann, an associate professor at DTU Informatics at the Technical University of Denmark, in a blog post.

Ads for MacKeeper refunds will run on Facebook

A sizable Internet advertising campaign is planned to alert people to a proposed class-action settlement over MacKeeper, a security program for Macs accused of deceptive practices.

MacKeeper’s developer, ZeoBit, was sued in May 2014 in U.S. District Court for the Western District of Pennsylvania. Filed on behalf of Pennsylvania resident Holly Yencha, the class-action suit alleges MacKeeper was deceptively marketed and did not fully function as advertised.

Under a proposed settlement, ZeoBit—a company started in Ukraine but now based in California—will put US$2 million into a fund to reimburse customers but admit no fault, which is customary in class-action settlements.

Full Adult Friend Finder database offered for $17,000

An unredacted version of a database said to be stolen from Adult Friend Finder is being offered for sale for 70 bitcoins, or around US$17,000.

ROR[RG], the nickname of the person who claims to have breached the large online hookup site, wrote on Saturday in an underground forum that “I have had so many people ask me to buy the db today.”

Seeking to capitalize on the momentum, ROR[RG]—who claims to live in Thailand—also offered to break into any company or website for 750 bitcoins, worth about $170,000.

Fifteen files of data purported to come from Adult Friend Finder were posted to an underground forum in March. The files contained 3.9 million email addresses and in some cases the partner preference, gender, birth date, state, post code, language preference and IP address of users.

Freelance hacking site vows to clean up dodgy listings

Charles Tendell is trying to repair a reputation problem for his website, Hacker’s List.

The site debuted in November and quickly drew high-profile attention, including a front-page story in the New York Times. It’s an online marketplace where people can list computer-security-related jobs for bidding and match them with the right “hacker.”

It has been criticized as amateurish, since forums where such deals are made are password-protected and generally hard to find for regular Internet users. It has also raised concern, since many projects up for bidding appear illegal.

Leaked database of Adult Friend Finder still online

Adult Friend Finder, one of the largest online dating sites, may have been breached more than two months ago, and the sensitive files—which include names, ages, email addresses, zip codes and more—are apparently still online.

British broadcaster Channel 4 reported Thursday that the website had been breached, although information regarding the breach had been trickling out in a low-key way for some time.

FriendFinder Networks, a California-based company that owns Adult Friend Finder and other dating websites, said in an advisory that it has contacted law enforcement and is investigating.

US proposes tighter export rules for computer security tools

The U.S. Commerce Department has proposed tighter export rules for computer security tools, a potentially controversial revision to an international agreement aimed at controlling weapons technology.

On Wednesday, the department published a proposal in the Federal Register and opened a two-month comment period.

The changes are proposed to the Wassenaar Arrangement, an international agreement reached in 1995, aimed at limiting the spread of “dual use” technologies that could be used for harm.

Health insurer CareFirst reveals cyberattack affecting 1.1 million

A large U.S. health insurer, CareFirst BlueCross BlueShield, has disclosed it fell victim to a cyberattack that affected about 1.1 million people.

The attack, which occurred in June last year, targeted a single database that contained information about CareFirst members and others who accessed its websites and services, the company said Monday.

The nonprofit has 3.4 million members, mostly around Maryland, Washington, D.C., and Northern Virginia.

“We were the subject of a cyberattack,” a somber-looking Chet Burrell, the company’s CEO, says in a video posted to its website.

CareFirst said customer names, birth dates, user names, email addresses and subscriber ID numbers may have been stolen. The database did not contain Social Security numbers, medical claims or financial information, it said. And member passwords were encrypted and stored in a different system, CareFirst said.

St. Louis Federal Reserve forces password change after DNS attack

A branch of the U.S.’s central bank is forcing a password reset after a cyberattack briefly redirected visitors to parts of its website to bogus Web pages.

The Federal Reserve of St. Louis found on April 24 that DNS (domain name system) settings had been changed to redirect people to fake Web pages. The bank didn’t name its DNS provider. Those who visited those pages may have been exposed to malware or had their login credentials stolen.

“If you attempted to log into your user account on that date, it is possible that this malicious group may have accessed your user name and password,” an advisory said.

New encryption flaw, LogJam, puts Web surfers at risk

Computer security experts said they’ve found a new encryption flaw, closely related to one found earlier this year, that puts Web surfers’ data at risk.

The flaw, called LogJam, can allow an attacker to significantly weaken the encrypted connection between a user and a Web or email server, said Matthew D. Green, an assistant research professor in the department of computer science at Johns Hopkins University.

About 7 percent of websites on the Internet are vulnerable to LogJam, along with many email servers. A website has been set up with more information.

Green was part of a team including experts from the University of Michigan and the French research institute Inria who found LogJam a few months ago.