Video streaming service Plex has reset user passwords after it was breached by a hacker who threatened to release stolen data unless he’s paid a ransom.The company found out on Wednesday that a server hosting its forum and blog had been compromised, Chris Curtis, a Plex support engineer, said in a blog post.Information including IP addresses, email addresses, private forum messages and encrypted passwords were exposed.Someone going by the nickname “Savata” claimed responsibility for the breach and threatened to release the data on torrent networks if a ransom wasn’t paid in bitcoins.To read this article in full or to leave a comment, please click here
Servers could be haunted by a ghost from the 1980s, as hackers have started abusing an obsolete routing protocol to launch distributed denial-of-service attacks.DDoS attacks observed in May by the research team at Akamai abused home and small business (SOHO) routers that still support Routing Information Protocol version 1 (RIPv1). This protocol is designed to allow routers on small networks to exchange information about routes.RIPv1 was first introduced in 1988 and was retired as an Internet standard in 1996 due to multiple deficiencies, including lack of authentication. These were addressed in RIP version 2, which is still in use today.To read this article in full or to leave a comment, please click here
Want an IPv4 address? Get in lineCould IPv6’s day be near? The stockpile of unused IPv4 addresses in North America has fallen so low that there’s now a waiting list. On Wednesday, for the first time, the American Registry for Internet Numbers (ARIN) had to tell an applicant for new Internet addresses to wait. ARIN simply didn’t have any blocks of addresses big enough to satisfy that applicant’s needs.HP makes its PC/enterprise split officialHewlett-Packard has filed paperwork with the U.S. Securities and Exchange Commission to register HP Enterprise as an independent company, an official step on the path to splitting itself in two. The filing shows that HP Enterprise made a profit of $1.6 billion last year on revenue of $55.1 billion, down from a profit of $2.1 billion on revenue of $57.4 billion in 2013.To read this article in full or to leave a comment, please click here
A Drug Enforcement Administration agent intimately involved in the Silk Road investigation admitted on Wednesday he secretly accepted bitcoins from the underground website’s operator and illegally took other funds.Carl Mark Force IV, who was a DEA agent for 15 years, pleaded guilty to money laundering, obstruction of justice and extortion under color of official right, according to the plea agreement, filed in U.S. District Court for the Northern District of California.Force could face up to 20 years in prison on each of the counts.Force, who was based in Baltimore, was part of a multi-agency task force investigating the Silk Road, an underground marketplace for goods such as drugs and fake ID documents. It was shut down in October 2013.To read this article in full or to leave a comment, please click here
It’s become common practice to use virtual private networks for extra privacy and security in this era of mass surveillance, but a study published this week suggests such networks may not be as safe as they’re commonly made out to be.In fact, because of a vulnerability known as IPv6 leakage, many of them can expose user information to prying eyes, according to a paper from researchers at Sapienza University of Rome and Queen Mary University of London.Entitled “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients,” the report describes a study conducted late last year that examined 14 popular commercial VPN providers around the world.To read this article in full or to leave a comment, please click here
A hacker group known as Team GhostShell is publishing snippets of sensitive data allegedly stolen from the databases of hundreds of compromised websites.The group, which previously targeted government organizations, law enforcement agencies and companies from various industries in 2012, announced in March 2013 that it was halting its activities.In a surprise return Monday the group started posting on Twitter the names of websites it claims to have hacked as part of a new campaign, along with links to samples of data extracted from their databases.So far the group has published the names of over 450 websites, but claims that it has hacked many more. The alleged victims range from companies to education institutions and government organizations from different countries.To read this article in full or to leave a comment, please click here
Apple released patches for several exploits that could allow maliciously crafted applications to destroy apps that already exist on devices, access their data or hijack their traffic, but a large number of iOS devices are still vulnerable.The vulnerabilities allow for so-called Masque attacks because they involve the impersonation of existing apps or their components. Three of them were patched in iOS version 8.1.3 that was released in January and two newer ones were patched in iOS 8.4, released Tuesday.In order to attack iOS devices with these flaws, hackers would have to trick their owners into installing rogue apps through the enterprise provisioning system. Companies use this mechanism to deploy in-house developed apps that are not published on the official App Store.To read this article in full or to leave a comment, please click here
An Austrian court has dismissed a class action suit concerning Facebook’s privacy policy, saying it has no jurisdiction over the case.The decision is a blow to Europe-v-Facebook, the privacy campaign group whose front-man, Max Schrems, filed the suit, and to the 25,000 Facebook users who had assigned their claims against the company to the case.Schrems, an Austrian national, filed suit against Facebook in the Vienna Commercial Court, which referred the case to the Vienna Regional Court.To read this article in full or to leave a comment, please click here
Court says NSA can keep collecting phone records even after Congress told it to stopThe National Security Agency just doesn’t want to stop collecting records of U.S. telephone calls. Congress told it to stop—but left a loophole in the USA Freedom Act so the courts could let it carry on. Now a U.S. surveillance court has approved a request from the FBI to extend the telephone records dragnet until Nov. 29. As the judge noted in his order: “The more things change, the more they stay the same.”Vandal cuts cable after opening manhole: FBI looks into itTo read this article in full or to leave a comment, please click here
China has adopted a new security law that gives the government control over its Internet infrastructure, along with any critical data.On Wednesday, China’s legislature passed the national security law, which covers a wide range of areas including military defense, food safety, and the technology sector.A full text of the law’s final draft has yet to be released, but it calls for better cybersecurity, according to a report from China’s state-controlled Xinhua News Agency. The country’s key information systems and data will also be made “secure and controllable” under the law.Previous drafts of the legislation don’t state in detail what that control might mean, exactly. But U.S. trade groups have expressed ongoing concern that China’s security policies are going too far, and could push foreign businesses out of the country.To read this article in full or to leave a comment, please click here
A U.S. surveillance court has extended a controversial telephone records dragnet while the National Security Agency works to wind down the program on orders from Congress.Congress voted in June to rein in the NSA’s mass collection of U.S. telephone records, but the USA Freedom Act allowed for a six-month transition away from the program. On Monday, the Foreign Intelligence Surveillance Court approved an FBI application to continue the records collection program until December.To read this article in full or to leave a comment, please click here
Recent concerns from tech luminaries about a robot apocalypse may be overblown, but artificial intelligence researchers need to start thinking about security measures as they build ever more intelligent machines, according to a group of AI experts.The fields of AI and robotics can bring huge potential benefits to the human race, but many AI researchers don’t spend a lot of time thinking about the societal implications of super intelligent machines, Ronald Arkin, an associate dean in the Georgia Tech College of Computing, said Tuesday during a debate on the future of AI.“Not all our colleagues are concerned with safety,” Arkin said during the debate, which was hosted by the Information Technology and Innovation Foundation (ITIF) in Washington, D.C. “You cannot leave this up to the AI researchers. You cannot leave this up to the roboticists. We are an arrogant crew, and we think we know what’s best.”To read this article in full or to leave a comment, please click here
Potentially saving the world from another online security disaster like last year’s Heartbleed, Amazon Web Services has released as open source a cryptographic module for securing sensitive data passing over the Internet.The software, s2n, is a new implementation of Transport Layer Security (TLS), a protocol for encrypting data. TLS is the successor of SSL (Secure Sockets Layer), both of which AWS uses to secure most of its services.The AWS engineers who designed s2n, short for signal-to-noise, reduced the amount of code needed to implement TLS, with the hopes of making it easier to spot potential security vulnerabilities.To read this article in full or to leave a comment, please click here
Cisco Systems plans to pay $635 million in cash to buy OpenDNS, a company that leverages the Domain Name System (DNS) to provide security services including Web filtering, threat intelligence and malware and phishing protection.The DNS is a core Internet protocol. It’s used to translate Web addresses that are easy for people to remember, like website names, into numerical IP (Internet Protocol) addresses that computers need to communicate with each other.OpenDNS customers configure their computers or networks to use the company’s DNS resolution servers instead of the ones provided by their ISPs and this allows OpenDNS to provide additional services.To read this article in full or to leave a comment, please click here
Government personnel agency takes background check system offline for background checksHoping to avoid a third strike against it, the U.S. Office of Personnel Management has taken offline a system used for performing background checks on potential new hires. The agency discovered a security flaw in the web app, E-QIP, while auditing its IT systems after two spectacular hacks resulted in the theft of personnel records of millions of government employees and the security clearance questionnaires of many others. There is no evidence the flaw was exploited, OPM said Monday, but it will keep the system offline for up to six weeks while it checks it out.To read this article in full or to leave a comment, please click here
A federal employees union has filed a lawsuit against the U.S. Office of Personnel Management, its leadership and a contractor, alleging that their negligence led to a data breach that compromised the personal information of millions of current, former and prospective government employees and contractors.Since at least 2007, the OPM has been warned by its Office of Inspector General of significant deficiencies in its cybersecurity protocol, according to the proposed class-action suit filed Monday by the American Federation of Government Employees in the U.S. District Court for the District of Columbia.However, OPM failed to take measures to correct these issues, despite handling massive amounts of federal applicants’ private, sensitive and confidential information, it added. The data handled by the OPM included a 127-page form, called Standard Form 86, which requires applicants for security clearances to answer questions on their financial histories and investment records, children’s and relatives’ names, foreign trips and contacts with foreign nationals, past residences, and names of neighbors and close friends, according to the filing.To read this article in full or to leave a comment, please click here
The developers of a mobile app called Prized that secretly mined cryptocurrencies on people’s mobile phones have settled with the U.S. Federal Trade Commission after being accused of deceptive trade practices.Equiliv Investments and Ryan Ramminger, both of Ohio, settled for US$50,000, of which $44,800 will be suspended upon payment of $5,200 to New Jersey regulators, the agency said in a news release Monday. The suit was filed in U.S. District Court for the District of New Jersey last Wednesday.To read this article in full or to leave a comment, please click here
Problems for the U.S. Office of Personnel Management aren’t letting up. The government agency said Monday it had suspended a system used for background checks after a security flaw was discovered in the Web-based app.The agency said there’s no evidence the system was hacked. It discovered the vulnerability during an ongoing review of its IT systems, it said, which is being carried out in the wake of at least two serious security breaches.Still, it’s a big inconvenience. The system, called E-QIP, is used by multiple agencies to carry out background checks on potential new hires, and it will be offline for four to six weeks, the OPM said.“The actions OPM has taken are not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited,” the agency said, calling the decision to take E-QIP offline a proactive measure to ensure ‘the ongoing security of its network.”To read this article in full or to leave a comment, please click here
Like visiting a junk yard to find cheap parts for an aging vehicle, researchers from the Massachusetts Institute of Technology have come up with a way to fix buggy software by inserting working code from another program.Using a system they call CodePhage, the researchers were able to fix flaws in seven common open-source programs by using, in each case, functionality taken from between two and four “donor” programs.Fixing such errors can help make code more secure, since malicious hackers often exploit flaws to gain entry to a system. CodePhage can recognize and fix common programming errors such as out of bounds access, integer overflows, and divide-by-zero errors.To read this article in full or to leave a comment, please click here
Just four days after Adobe Systems patched a vulnerability in Flash Player, the exploit was adopted by cybercriminals for use in large-scale attacks. This highlights the increasingly small time frame users have to deploy patches.On Saturday, a malware researcher known online as Kafeine spotted a drive-by download attack done with the Magnitude exploit kit that was exploiting a Flash Player vulnerability patched Tuesday.The flaw, tracked as CVE-2015-3113 in the Common Vulnerabilities and Exposures database, had zero-day status—that is, it was previously unpatched—when Adobe released a patch for it. It had already been exploited by a China-based cyberespionage group for several weeks in targeted attacks against organizations from the aerospace, defense, construction, engineering, technology, telecommunications and transportation industries.To read this article in full or to leave a comment, please click here