New versions of OpenSSL will be released on Thursday to patch several security vulnerabilities, one of which is considered highly serious, according to the OpenSSL Project Team.An advisory published on Monday did not give further details of the vulnerabilities, presumably so as to not tip off hackers and perhaps to give some organizations time to patch in the meantime.The updates will be included in OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf, the advisory said.A number of serious problems have been found over the last year in OpenSSL, which is widely used open-source software that encrypts communications using the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol, a cornerstone of Web security.To read this article in full or to leave a comment, please click here
What if the key to your house was shared with 28,000 other homes?That’s essentially what researchers with Royal Holloway of the University of London discovered last week while scanning the Internet to see how many servers and devices are still vulnerable to the Web security flaw known as “FREAK.”Revealed on March 3, the FREAK flaw can let an attacker weaken a connection that uses the SSL/TLS (Secure Sockets Layer/Transport Security Layer) protocol, making it much easier to break the encryption and view the traffic. It was the latest in a string of flaws found over the last year in widely used open-source software.To read this article in full or to leave a comment, please click here
Yahoo released the source code for a plugin that will enable end-to-end encryption of email messages, a planned data-security improvement prompted by disclosures of U.S. National Security Agency snooping.The company is asking security experts to look at its code, published on GitHub, and report vulnerabilities, wrote Alex Stamos, Yahoo’s chief information security officer, in a blog post.The plugin should be ready by year end, wrote Stamos, who gave a presentation on Sunday at the South by Southwest conference in Austin, Texas.To read this article in full or to leave a comment, please click here
A Google software problem inadvertently exposed the names, addresses, email addresses and phone numbers used to register websites after people had chosen to keep the information private.The privacy breach involves whois, a database that contains contact information for people who’ve bought domain names. For privacy reasons, people can elect to make information private, often by paying an extra fee.Craig Williams, senior technical leader for Cisco’s Talos research group who discovered the issue, said the data will make it easier for cybercriminals to draft phishing emails that try to trick victims into divulging information or clicking on malicious links.To read this article in full or to leave a comment, please click here
A Google software problem inadvertently exposed the names, addresses, email addresses and phone numbers used to register websites after people had chosen to keep the information private.The privacy breach involves whois, a database that contains contact information for people who’ve bought domain names. For privacy reasons, people can elect to make information private, often by paying an extra fee.Craig Williams, senior technical leader for Cisco’s Talos research group who discovered the issue, said the data will make it easier for cybercriminals to draft phishing emails that try to trick victims into divulging information or clicking on malicious links.To read this article in full or to leave a comment, please click here
A Google software problem inadvertently exposed the names, addresses, email addresses and phone numbers used to register websites after people had chosen to keep the information private.The privacy breach involves whois, a database that contains contact information for people who’ve bought domain names. For privacy reasons, people can elect to make information private, often by paying an extra fee.Craig Williams, senior technical leader for Cisco’s Talos research group who discovered the issue, said the data will make it easier for cybercriminals to draft phishing emails that try to trick victims into divulging information or clicking on malicious links.To read this article in full or to leave a comment, please click here
A Google software problem inadvertently exposed the names, addresses, email addresses and phone numbers used to register websites after people had chosen to keep the information private.The privacy breach involves whois, a database that contains contact information for people who’ve bought domain names. For privacy reasons, people can elect to make information private, often by paying an extra fee.Craig Williams, senior technical leader for Cisco’s Talos research group who discovered the issue, said the data will make it easier for cybercriminals to draft phishing emails that try to trick victims into divulging information or clicking on malicious links.To read this article in full or to leave a comment, please click here
Google’s services were disrupted briefly on Thursday after a broadband provider in India made a network routing error.The provider, Hathway, made a technical change that caused traffic to more than 300 network prefixes belonging to Google to be directed to its own network, wrote Doug Madory, director of Internet analysis at Dyn, which studies global traffic patterns.This type of error is seen daily across the internet. It involves BGP (border gateway protocol), which is used by networking equipment to direct traffic between different providers. Changes in the network are “announced” by providers using BGP, and propagate across the internet to other providers over time.To read this article in full or to leave a comment, please click here
Google’s services were disrupted briefly on Thursday after a broadband provider in India made a network routing error.The provider, Hathway, made a technical change that caused traffic to more than 300 network prefixes belonging to Google to be directed to its own network, wrote Doug Madory, director of Internet analysis at Dyn, which studies global traffic patterns.This type of error is seen daily across the internet. It involves BGP (border gateway protocol), which is used by networking equipment to direct traffic between different providers. Changes in the network are “announced” by providers using BGP, and propagate across the internet to other providers over time.To read this article in full or to leave a comment, please click here
Google researchers have written the first-ever attack code that takes advantage of electrical interference between densely packed memory cells, a unique style of attack that could require changes in chip design.The work builds on a paper published last year by Carnegie Mellon University and Intel, which found it was possible to change binary values in stored memory by repeatedly accessing nearby memory cells, a process called “bit flipping.”DRAM memory is vulnerable to such electrical interference because the cells are so closely packed together, a result of engineers increasing a chip’s memory capacity.To read this article in full or to leave a comment, please click here
Android apps that use Dropbox for storage and are built using an older version of its SDK are vulnerable to an attack that can steal data, although Dropbox has released a fix, according to IBM security researchers.IBM’s application security research team said Wednesday they had found a way to link their own Dropbox account to an Android app on another person’s phone that connects to the storage service. After a successful attack, any data uploaded by the app is delivered to the attacker’s Dropbox account.Dropbox publishes an SDK (software development kit) for linking its service to an app. The flaw, nicknamed “DroppedIn,” affected Dropbox SDK versions 1.5.4 through 1.6.1 and was fixed in version 1.62, IBM said in a blog post.To read this article in full or to leave a comment, please click here
When Matthew Rothenberg created a new website in early February, he let about two dozen people know about it through an unlikely medium: postcards.The unorthodox method was fitting for an unorthodox website called Unindexed. It was the latest project from Rothenberg, a 35-year-old based in Brooklyn, who has created a portfolio of interactive web installations and performance art projects around technology.Unindexed is no more. The website was coded to erase itself once Google added it to its search index. It lasted a little over three weeks, disappearing forever on Feb. 24.Rothenberg has done stints as head of product for Flickr and Bitly but for the last couple of years has focused on consulting and his art-technology side projects. His goal for Unindexed was to create a site where people could post comments safe in the knowledge that no record of those posts would ever exist again. It was also coded to prevent Google from caching it.To read this article in full or to leave a comment, please click here
When Matthew Rothenberg created a new website in early February, he let about two dozen people know about it through an unlikely medium: postcards.The unorthodox method was fitting for an unorthodox website called Unindexed. It was the latest project from Rothenberg, a 35-year-old based in Brooklyn, who has created a portfolio of interactive web installations and performance art projects around technology.Unindexed is no more. The website was coded to erase itself once Google added it to its search index. It lasted a little over three weeks, disappearing forever on Feb. 24.Rothenberg has done stints as head of product for Flickr and Bitly but for the last couple of years has focused on consulting and his art-technology side projects. His goal for Unindexed was to create a site where people could post comments safe in the knowledge that no record of those posts would ever exist again. It was also coded to prevent Google from caching it.To read this article in full or to leave a comment, please click here
Luxury hotelier Mandarin Oriental has removed malicious software that was used to steal credit card data from some of its hotels in the U.S. and Europe, the company said Thursday.The security codes for the cards were not compromised, it said, although it wasn't clear if that referred to the cards' PIN (personal identification number) or the three-digit CVV code on the back. No other personal information was taken, the company said in a statement.An investigation is underway by law enforcement and forensic specialists. An "isolated number of hotels in the U.S. and Europe were affected," but none in Asia, the company said.To read this article in full or to leave a comment, please click here
A security system undergoing testing by a San-Francisco-based company aims to speed up the detection of websites and domains used for cybercrime.The technology is being developed by OpenDNS, which specializes in performing DNS (Domain Name System) lookups. The DNS translates domain names such as idg.com into an IP address that can be called into a browserOpenDNS offers a secure DNS service for ISPs and organizations that blocks requests from Web browsers to sites that may be associated with cybercrime or spoof a company such as PayPal.The company, which was founded in 2005, has grown so much that its systems respond to some 71 billion DNS requests per day. That’s just 2 percent of global DNS traffic but is enough of a sample to pick up on many cybercrime campaigns.To read this article in full or to leave a comment, please click here
Hundreds of hacked domain name accounts registered through GoDaddy are being used as part of a highly effective campaign using the Angler exploit kit to infect computers with malware.The attackers are using the accounts to create subdomains that shuttle Web surfers to websites hosting Angler, wrote Nick Biasini, an outreach engineer with Cisco Systems.The owners of the accounts are usually unaware of the activity, which Cisco calls “domain shadowing,” since they may rarely log into their accounts. Hundreds of GoDaddy accounts that have several thousand domain names assigned to them have been compromised, Biasini wrote.To read this article in full or to leave a comment, please click here
Experts are warning of a serious security flaw that has apparently gone undetected for years and can weaken encrypted connections between computers and websites, potentially undermining security across the Internet.The flaw, which has been dubbed FREAK, affects the widely used Secure Sockets Layer protocol and its successor, Transport Layer Security, and can allow an attacker to intercept supposedly encrypted traffic as it moves between clients and servers.The flaw affects many popular websites, as well as programs including Apple’s Safari browser and Google’s Android mobile OS, security experts say. Applications that use a version of OpenSSL prior to 1.0.1k are also vulnerable to the bug, detailed in this advisory.To read this article in full or to leave a comment, please click here
It seems there can be further indignity foisted onto people who’ve had their iPad or iPhone stolen.Symantec has discovered a campaign that aims to unlock Apple devices after they’ve been lost, which requires either the device’s passcode or the credentials for a person’s iCloud account.To get in contact with victims, the criminals appear to be relying on information displayed on the lost device, wrote Joji Hamada of Symantec in a blog post.Apple’s Find My iPhone feature has a “Lost Mode” that allows users to display a message on the screen of their lost device, such as a phone number, he wrote.To read this article in full or to leave a comment, please click here
Some smartphone manufacturers are not configuring devices running the latest version of Android to automatically encrypt personal data, which Google had said would scramble data by default.Google has apparently left it up to manufacturers to turn encryption on or off, a surprising change that came after the company pledged last September to strengthen defenses around personal data.It’s unclear why Google did not publicize the change, although it is possible some hardware devices will not perform as well with encryption turned on. Analyst Canalys tweeted it was a wise move for Google, as many devices do not have the right hardware to accommodate it.To read this article in full or to leave a comment, please click here
D-Link issued fixes on Monday for flaws that could allow remote access to one of its routers, and will patch several other models in the coming week.The vulnerabilities were found by Peter Adkins, a systems engineer in Canada who said he alerted the company to the issues in early January and decided to publicize them last week after falling out of contact with D-Link.D-Link acknowledges Adkins’ findings in its advisory, which included three new firmware versions for its DIR-820L router. The company expects to release firmware updates in the next week for the DIR-626L, DIR-636L, DIR-808L, DIR-810L, DIR-826L, DIR-830L and DIR-836L.To read this article in full or to leave a comment, please click here