Category Archives for "Network World Security"

US, UK spies said to attack security software

Spies working for the U.S. National Security Agency and its British counterpart found anti-virus and security software a hindrance to their intelligence gathering processes, and worked to thwart it, according to a report Monday in The Intercept. The efforts, revealed through documents leaked by former NSA contractor Edward Snowden, focused on vendors including Moscow-based security software developer Kaspersky Labs, which claims over 400 million customers worldwide. The NSA and the U.K.-based Government Communications Headquarters monitored web and email traffic between Kaspersky’s software and its servers, the report said, and obtained sensitive customer information in the process.

Privacy group complains about Uber data collection

Uber Technologies’ new data collection policy, allowing the ride-hailing company to access a user’s location even when the smartphone app is not actively in use, violates the privacy rights and personal safety of U.S. customers, according to a complaint filed Monday by a privacy group. With upcoming changes to its privacy policy, Uber “will claim the right to collect personal contact information and detailed location data of American consumers, even when they are not using the service,” the Electronic Privacy Information Center wrote in a complaint to the U.S. Federal Trade Commission. EPIC also objected to Uber’s plans to access the information from users’ phones’ address books and send out promotional materials to contacts listed there.

Cyberattack grounds planes in Poland

LOT Polish Airlines was forced to cancel 10 flights scheduled to depart from Warsaw’s Chopin airport on Sunday after hackers attacked its ground computer systems. The IT attack, which was not described in detail, left the company unable to create flight plans for outbound flights, grounding around 1,400 passengers. The company said that plane systems were not affected and aircraft that were already in the air were able to continue their flight or to land. The incident only affected the ability of planes to depart from the airport for several hours. It’s not clear what kind of attack it was and whether it was the hackers’ intention to ground planes or if the systems were taken offline as part of incident response procedures.

Louisiana governor vetoes license plate reader legislation

Louisiana Governor Bobby Jindal has vetoed legislation that would provide for the pilot use of automatic license plate readers by law enforcement to identify stolen vehicles and uninsured motorists. Like GPS trackers on vehicles and so-called Stingrays or “IMSI catchers” that track the location of mobile phones by mimicking cellphone towers, automatic license plate readers have become a controversial privacy issue, with many civil rights groups opposing their indiscriminate use. In a letter explaining his decision to return the bill to the state Senate, Jindal said the personal information captured by the automatic license plate reader cameras, which includes a person’s vehicle location, would be retained in a central database and accessible to not only law enforcement agencies but also to private entities for a period of time, regardless of whether or not the system detects that a person is in violation of vehicle insurance rules.

How encryption keys could be stolen by your lunch

Israel-based researchers said they’ve developed a cheaper and faster method to pull the encryption keys stored on a computer using an unlikely accomplice: pita bread. The new study builds on research into what can be learned from the electronic signals that waft from computers while performing computations, often referred to as side-channel attacks. By studying the electronic signals, researchers have shown it is possible to deduce keystrokes, figure out what application a person is using or discover the secret encryption keys used to encrypt files or emails.

Hackers had access to US security clearance data for a year

Hackers who breached a database containing highly personal information on government employees with security clearances had access to the system for about a year before being discovered, The Washington Post reported on Friday. The breach at the U.S. Office of Personnel Management dates back to June or July last year and was only discovered earlier this month. The database in question contains applications for security clearances, which ask for information on all aspects of a person’s life including social security numbers, passport numbers, names of former neighbors, and information on family members. It also asks about, over the past seven years, any contact with foreign nationals and problems with drug or alcohol abuse, debts or bankruptcy, imprisonment and run-ins with law enforcement.

The Upload: Your tech news briefing for Friday, June 19

Google’s data centers grow so fast it has to build its own networks
Google has been building its own software-defined data-center networks for 10 years because traditional gear can’t handle the scale of what are essentially warehouse-sized computers. The company hasn’t said much before about that homegrown infrastructure, but one of its networking chiefs provided some details this week about the current network design that powers all of Google’s data centers and has a maximum capacity of a whopping 1.13 petabits per second.

Samsung to plug security hole on Galaxy smartphones

Samsung will update the security software on its Galaxy smartphones to address a flaw that researchers warned could let attackers access people’s devices. Earlier in the week, researchers at NowSecure, a mobile security company, identified the flaw in SwiftKey, a keyboard application that comes preloaded on Galaxy smartphones. The flaw could be exploited even when SwiftKey was not used as the default keyboard, NowSecure said. On Thursday, Samsung said it would issue a fix that would roll out over the coming days to owners of the Galaxy S4, released in 2013, and later models. Those devices have Samsung’s Knox security platform installed by default and can receive over-the-air security policy updates. Users must have automatic updates activated in their phone’s settings, Samsung said on its website.

SAP Hana users warned of security vulnerability

Hard on the heels of the release of a newly updated version of SAP Hana, a security researcher has warned of a potentially serious vulnerability in the in-memory platform. “If an attacker can exploit this vulnerability, he can get access to all encrypted data stored in an SAP Hana database,” said Alexander Polyakov, CTO with ERPScan, which presented the details Thursday at the Black Hat Sessions XIII conference in the Netherlands. Polyakov’s firm specializes in testing enterprise resource planning (ERP) software from companies such as Oracle and SAP for security purposes. Last year, it had already found SAP Hana installations to be vulnerable to SQL injection attacks, he said.

LinkedIn says private bug bounty program works for it better

LinkedIn plans to continue closely vetting researchers for its bug bounty rewards program, saying it reduces the number of distracting erroneous and irrelevant reports. The decision to keep its program private “gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers,” wrote Cory Scott, LinkedIn’s director of information security, in a blog post. Security researchers with vetted backgrounds are invited to participate, which allows them to have the same experience as if they were on LinkedIn’s internal security team, Scott wrote.

AT&T, WhatsApp get low marks from EFF for data disclosure policies

The Electronic Frontier Foundation released the latest version of its annual “Who Has Your Back” report on tech companies’ data disclosure policies Wednesday afternoon, giving perfect five-star ratings to companies including Apple, Adobe, Dropbox and Yahoo. This year’s publication is the fifth edition of the EFF’s reporting on tech companies’ policies around disclosing information to governments in response to data requests, and it brings major changes to the organization’s framework. “The criteria we used to judge companies in 2011 were ambitious for the time, but they’ve been almost universally adopted in the years since then,” the EFF said in its report.

Google-owned Nest unveils a smart camera for the home

Nest Labs, Google’s home sensing unit, made its long-awaited move into the home security market on Wednesday when it unveiled Nest Cam. Nest Cam is based on technology acquired last year when Nest purchased Dropcam. In fact, think of Nest Cam as a very much improved and souped up version of the first generation Dropcam. It will shoot video at full 1080p high definition—higher than Dropcam’s 720p—and is said to be able to better distinguish between different forms of movement in videos and send more relevant alerts to users when something happens inside their home. It’s slimmer than the Dropcam, has better night vision, and a tripod mount. It costs US$199 and is available in seven countries including the U.S., Canada, and parts of Europe like Germany and the U.K.

Review: The best password managers for PCs, Macs, and mobile devices

Thanks to a continuous barrage of high-profile computer security scares and reports of cloud-scale government snooping, more of us Internet users are wising up about the security of our information. One of the smarter moves we can make to protect ourselves is to use a password manager. It's one of the easiest too. A password manager won't shield you against Heartbleed or the NSA, but it's an excellent first step in securing your identity, helping you increase the strength of the passwords that protect your online accounts because it will remember those passwords for you. A password manager will even randomly generate strong passwords, without requiring you to memorize or write down these random strings of characters. These strong passwords help shield against traditional password attacks such as dictionary, rainbow tables, or brute-force attacks.

The Upload: Your tech news briefing for Wednesday, June 17

Say it ain’t so: FBI probes alleged Cardinals-Astros hack
Even America’s pastime isn’t safe from cybercrime: the FBI is investigating allegations that the St. Louis Cardinals hacked into computer systems belonging to rival baseball team the Houston Astros. The investigation centers on the baseball operations database, which is said to contain statistics, video and other vital information about players.

Airbus joins the Internet satellite crowd
Count European consortium Airbus in on the business of delivering Internet service via satellites, the Verge reports. It’s going to design and build 900 orbiters for Richard Branson’s OneWeb, which aims to provide LTE, 3G, and Wi-Fi to rural communities.

Free SSL/TLS certificate project moves closer to launch

Let’s Encrypt, a project aimed at increasing the use of encryption across websites by issuing free digital certificates, is planning to issue the first ones next month. Digital certificates are used to encrypt data traffic between a computer and a server using SSL/TLS (Secure Sockets Layer/Transport Layer Security) and for checking that a website isn’t a spoof. Let’s Encrypt is run by the Internet Security Research Group (ISRG), a new California public-benefit corporation. Its backers include Mozilla, the Electronic Frontier Foundation, Cisco and Akamai. The first certificates will not be valid unless administrators install the organization’s root certificate in their client software, wrote Josh Aas, ISRG’s executive director, in a blog post.

How a bad keystroke can lead you to SpeedUpKit ‘scareware’

Dozens of misspelled domain names that spoof major brands are leading unsuspecting PC users to a questionable tune-up application called SpeedUpKit. Since people are unlikely to seek out the application, its promoters rely partly on people misspelling the domain name for prominent brands to lead them to it. If you try to access the obituary website legacy.com from a Windows PC in the U.S., for instance, but type “legady” by accident, you’re likely to end up on a page promoting SpeedUpKit. The practice, known as typosquatting, can sometimes violate consumer protection laws or constitute trademark infringement. Big brands police the web for such misspellings, and domain name registrars often try to stop the practice, but it still happens.

Lawmakers worry US OPM breaches endanger national security

Two recently disclosed data breaches at the U.S. Office of Personnel Management (OPM) could endanger national security and the lives of federal workers in intelligence or other sensitive jobs, according to some lawmakers. One of the attacks compromised a database containing files of U.S. government workers and job applicants who filled out applications for security clearances, and other governments could use those files to identify federal employees in sensitive positions, members of the U.S. House of Representatives Oversight and Government Reform Committee said during a hearing Tuesday.

Dropbox for Business to get mobile management boost

Security remains a big concern for businesses considering cloud storage, but Dropbox hopes to further calm their fears by integrating its service with enterprise mobile management products. Dropbox for Business users will get the new EMM capability via upcoming applications from partners including AirWatch and MobileIron, resulting in safer mobile device access, Dropbox said Tuesday. EMM will be enabled through the Dropbox for Business API, launched late last year to help companies integrate the cloud storage service into their core IT processes. Dropbox has since expanded the API access with features such as tools for managing groups and shared folders.

FBI investigates St Louis Cardinals over Houston Astros hacking

Federal law enforcement officers are investigating whether the St. Louis Cardinals, one of the biggest teams in U.S. Major League Baseball, sought to gain advantage over rival Houston Astros by hacking into its computer network and accessing a key database. If the hacking is confirmed, it would be the first known example of a major U.S. professional sports team hacking into the systems of a rival. The investigation centers on the baseball operations database which is said to contain statistics, video and other vital information about players. The federal investigation was confirmed by both Major League Baseball and the St. Louis Cardinals in brief statements.

VMware’s Identity Manager offers authentication for Web, native apps

VMware is hoping to convince CIOs to centralize single sign-on access to all kinds of apps with Identity Manager, which can run in the cloud or on-site and also offers application provisioning and a self-service catalog. For better or worse, the switch to cloud-based services on a larger scale and the introduction of bring-your-own devices is forcing enterprises to rethink most aspects of how IT is run. Part of that change is how users are authenticated and given access to applications. The transformation from a client-server, perimeter-based infrastructure to a cloud-based model requires taking on systems outside of the firewall, according to VMware. To help tackle this, the company has launched Identity Manager. Enterprises can choose between an on-site version of the software or a cloud-based service hosted on vCloud Air. The initial launch uses U.S. data centers, but hosting in European and Asia Pacific regions will be offered from the third quarter.