Many commercial software companies and enterprise in-house developers are churning out applications that are insecure by design because of the rapid and often uncontrolled use of open-source components. Even worse, because of poor inventory practices, these software makers could not tell which of their applications are affected by a known component flaw even if they wanted to. Last year, large software and financial services companies downloaded 240,757 components on average from one of the largest public repositories of open-source Java components. Over 15,000 of those components, or 7.5 percent, had known vulnerabilities, according to Sonatype, the company that manages the repository.
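The inventory problem described above is, at bottom, a matching exercise: you need a list of what each application actually ships and a list of which component versions are known to be bad. The following added example (not Sonatype's tooling, and not code from the original article) shows the core of that check in Python. The inventory lines and the advisories are constructed for the example; the component names and advisory IDs (`org.example.web:example-framework`, `EXAMPLE-2015-0001`, and so on) are hypothetical, and the version ordering follows the common Maven convention that a pre-release such as `1.0.2-beta` sorts before the `1.0.2` release.

```python
"""Audit a dependency inventory against known-vulnerable version ranges.
Added example with constructed data; nothing here comes from Sonatype."""
import re

# Constructed inventory in the shape of `mvn dependency:list` output
# (group:artifact:type:version:scope) plus plain group:artifact:version lines.
INVENTORY = """
org.example.web:example-framework:jar:3.2.0:compile
org.example.web:example-framework:jar:3.3.1:test
com.example.io:example-parser:1.9.4
com.example.crypto:example-tls:jar:1.0.2-beta:compile
com.example.crypto:example-tls:jar:1.0.2:runtime
""".strip().splitlines()

# Hypothetical advisories: (id, group, artifact, first affected version
# inclusive, first fixed version exclusive).  IDs and ranges are invented.
ADVISORIES = [
    ("EXAMPLE-2015-0001", "org.example.web", "example-framework", "3.0.0", "3.3.0"),
    ("EXAMPLE-2015-0002", "com.example.io", "example-parser", "1.0", "2.0"),
    ("EXAMPLE-2015-0003", "com.example.crypto", "example-tls", "1.0.0", "1.0.2"),
]

_NUM = re.compile(r"\d+")


def parse_version(text):
    """Turn '1.0.2-beta' into a comparable key.

    Dotted numeric parts compare numerically with trailing zeros dropped, so
    1.0 == 1.0.0.  A pre-release suffix sorts *before* the bare release, so
    1.0.2-beta < 1.0.2, which is the ordering that matters when an advisory's
    fixed version is the release itself.
    """
    head, sep, tail = text.partition("-")
    nums = [int(n) for n in _NUM.findall(head)]
    while nums and nums[-1] == 0:
        nums.pop()
    nums = tuple(nums)
    return (nums, 1) if not sep else (nums, 0, tail)


def parse_coordinates(line):
    """Accept 'g:a:v' or 'g:a:type:v:scope' and return (group, artifact, version)."""
    parts = line.strip().split(":")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) == 5:
        return parts[0], parts[1], parts[3]
    raise ValueError(f"unrecognised coordinate line: {line!r}")


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def audit(inventory, advisories):
    """Return a sorted list of (coordinate, advisory_id) pairs for every
    inventory entry whose component and version fall inside an advisory."""
    findings = set()
    for line in inventory:
        group, artifact, version = parse_coordinates(line)
        for adv_id, adv_group, adv_artifact, lo, hi in advisories:
            if (group, artifact) == (adv_group, adv_artifact) and is_affected(version, lo, hi):
                findings.add((f"{group}:{artifact}:{version}", adv_id))
    return sorted(findings)


if __name__ == "__main__":
    for coordinate, advisory in audit(INVENTORY, ADVISORIES):
        print(f"{coordinate} is affected by {advisory}")
```

Note that the pre-release `example-tls:1.0.2-beta` is reported while `1.0.2` is not: an auditor that compares version strings lexically, or that ignores qualifiers, gets exactly this kind of case wrong in one direction or the other.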
Civil liberties faction walks out on facial recognition talks
U.S. talks aimed at crafting rules on responsible use of facial recognition technology have fallen apart after a united front of civil rights and consumer groups walked out, saying the bare minimum of their demands on behalf of consumers is not being met. That position, according to a statement issued by the coalition, is that “people should be able to walk down a public street without fear that companies they’ve never heard of are tracking their every movement—and identifying them by name—using facial recognition technology.”
Nine privacy groups plan to withdraw from U.S. government-hosted negotiations to develop voluntary facial-recognition privacy standards because the groups feel the process won’t lead to adequate privacy protections. Industry representatives at the talks have been pushing to limit consumer control over the facial recognition data collected, the groups said in a letter to be released Tuesday. “We are convinced that in many contexts, facial recognition should only occur when an individual has affirmatively decided to allow it to occur,” wrote the groups, including the Center for Digital Democracy, the Electronic Frontier Foundation and Consumer Action. “Industry stakeholders were unable to agree on any concrete scenario where companies should employ facial recognition only with a consumer’s permission.”
A deeper look into the latest version of the malware known as Duqu shows it used a digital certificate from prominent contract manufacturer Foxconn Technology Group to help mask its activity. Kaspersky Lab, which published a report on Duqu 2.0 last week, wrote in a blog post Monday that a 64-bit driver within the malware was signed with a digital certificate issued to Hon Hai Precision Industry, also known as Foxconn. Digital certificates are used to secure communications and to verify the origin of websites and software. A code-signing certificate issued to a trusted organization makes it less likely that a signed driver or application will be flagged as harmful; in the case of a 64-bit Windows kernel driver, a signature chaining to a trusted certificate is also what allows the driver to load at all, which is why a certificate belonging to an unrelated, legitimate company is so valuable to an attacker. A valid signature proves only that the holder of the private key signed the file, not that the file is benign, so a driver from a hardware manufacturer that has no business shipping that driver is itself a signal worth alerting on.
LastPass users will be prompted to change their master passwords after the online password locker company reported that its network was breached on Friday. The company revealed the breach in a blog post Monday after investigating “suspicious activity” discovered by its security team. According to LastPass, the investigation did not reveal any evidence that the attackers stole encrypted data from users’ password vaults, nor did the intruders gain access to LastPass users’ accounts. That said, the attackers were able to steal account email addresses, password reminders, server per-user salts and authentication hashes. A salt and authentication hash are enough to mount an offline guessing attack against a weak master password, with the password reminder as a hint, which is why changing the master password matters even though the vaults themselves were not reported taken.
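To make the “salts and authentication hashes” point concrete, the following added example (not LastPass’s code, and not from the original article) models a login scheme of the kind LastPass described and then shows the attacker’s side of the breach. The derivation steps and the round counts (`CLIENT_ROUNDS`, `SERVER_ROUNDS`) are assumptions chosen for illustration, as are the e-mail addresses, passwords and wordlist; the point is that server-side salting and iteration raise the per-guess cost of an offline attack but cannot rescue a master password that is in a wordlist.

```python
"""Model of a password-manager login scheme with client-side key derivation
and server-side strengthening, plus the attacker's offline guessing loop.
Added example; round counts and derivation steps are assumptions."""
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000      # assumed client-side PBKDF2-SHA256 rounds
SERVER_ROUNDS = 100_000    # assumed server-side strengthening rounds


def client_auth_hash(email, master_password, rounds=CLIENT_ROUNDS):
    """What the client sends at login.

    The vault encryption key is derived from the master password with the
    lowercased e-mail address as salt.  The authentication hash is one more
    PBKDF2 step over that key, so the server never sees the vault key itself.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), rounds)
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_strengthen(auth_hash, salt, rounds=SERVER_ROUNDS):
    """Server side: salt with a random per-user value and iterate again before
    storing, so a stolen record costs CLIENT_ROUNDS + SERVER_ROUNDS per guess."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)


def enroll(email, master_password):
    """Create the server-side record: exactly the fields reported stolen."""
    salt = os.urandom(16)
    stored = server_strengthen(client_auth_hash(email, master_password), salt)
    return {"email": email, "salt": salt, "stored_hash": stored}


def verify_login(record, master_password):
    """Constant-time comparison of a freshly derived hash with the stored one."""
    candidate = server_strengthen(
        client_auth_hash(record["email"], master_password), record["salt"])
    return hmac.compare_digest(candidate, record["stored_hash"])


def offline_guess(record, wordlist):
    """The attacker's view after the breach: e-mail, salt and stored hash are
    known, so each candidate is checked locally with no rate limiting and no
    lockout.  Returns (recovered_password_or_None, guesses_tried)."""
    for tried, guess in enumerate(wordlist, 1):
        if verify_login(record, guess):
            return guess, tried
    return None, len(wordlist)


# Constructed wordlist standing in for the real thing, which would be millions
# of entries plus mutations driven by the leaked password reminder.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein"]

if __name__ == "__main__":
    weak = enroll("user@example.com", "password1")
    strong = enroll("user@example.com", "correct horse battery staple")
    print("weak record:", offline_guess(weak, WORDLIST))
    print("strong record:", offline_guess(strong, WORDLIST))
```

The iteration counts only buy time: at roughly a tenth of a second per guess on one core, a wordlist of a few million entries is a matter of days on a single machine and hours on a cluster, which is why a reset prompt follows a leak of salts and hashes even when the vault ciphertext is believed safe.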
The EU Council has issued a long-awaited, hotly debated plan for online privacy, moving the EU’s reform of data-protection laws closer to reality. The Council says that the plan will give people more control over their personal data, but privacy groups say the proposal actually weakens privacy safeguards. Data protection reform is important for European citizens, tech companies and any business processing personal data in the EU. Current data protection rules stem from a 1995 law and urgently need an update for an era in which cloud computing, smartphones and high-speed Internet access are common. The Council plan revealed on Monday requires, among other things, that companies get unambiguous consent from individuals in order to be allowed to process personal data. Companies will also be obliged to implement appropriate security measures to protect personal data and to notify affected people when breaches occur.
A Belgian privacy lawsuit targeting Facebook highlights the difficulties national regulators will face policing the activities of international Internet companies until new privacy laws are passed. The Belgian Commission for the Protection of Privacy is unhappy with the way Facebook handles the personal information of the nation’s citizens and in May asked it to change its policies in a number of “recommendations,” which have the force of law in the country. Facebook, though, maintains it doesn’t have to answer to the Belgian privacy watchdog, as its international operations are run from Dublin, where the Irish Data Protection Commissioner oversees its compliance with the European Union Data Protection Directive as implemented under Irish law.
As Spark faithful gather this week, IBM puts down its bet
The hugely popular Hadoop framework for processing big data sets is getting some serious competition from the alternative platform Spark, the Wall Street Journal reports, and thousands of the upstart’s acolytes are expected at the Spark Summit in San Francisco this week. IBM is getting behind the Apache open-source project with an investment worth hundreds of millions of dollars in software developers and technology, the New York Times says.
Amazon.com has published its first transparency report describing how it has responded to requests from law enforcers for information about its customers. The company fielded 813 subpoenas, 25 search warrants, 13 court orders and fewer than 250 national security requests from U.S. authorities. U.S. law prohibits Amazon from disclosing exactly how many National Security Letters and Foreign Intelligence Surveillance Act court orders it has received; the number may have been zero. Despite its reluctance to release the information (companies such as Apple and Google are years ahead of it), Amazon says it is no lackey of the state security apparatus.
Single mindedness
Since we last looked at single sign-on products in 2012, the field has gotten more crowded and more capable. For this round of evaluations, we looked at seven SSO services: Centrify’s Identity Service, Microsoft’s Azure AD Premium, Okta’s Identity and Mobility Management, OneLogin, Ping Identity’s PingOne, SecureAuth’s IdP, and SmartSignin. Our Clear Choice test winner is Centrify, which slightly outperformed Okta and OneLogin.
Russian and Chinese intelligence agencies have reportedly decrypted files of former U.S. National Security Agency contractor and leaker Edward Snowden, and have identified British and U.S. secret agents. MI6, the U.K.’s secret intelligence service, has withdrawn agents from overseas operations in hostile countries, according to a report in the Sunday Times of London, citing U.K. government officials and Western intelligence agencies. The report contains some apparently contradictory information. Although The Sunday Times quoted a U.K. Home Office official saying that Snowden has “blood on his hands,” it also quoted a government source saying that there was no sign that agents have been hurt.
The sudden shutdown of a computer tech support call center has left some of its employees wondering if they will be paid. EZ Tech Support, based in Portland, Oregon, took calls from people who had advertising software installed on their computers that warned of possible security and performance problems. The programs implored people to call the company’s number, which was displayed amid the warnings. The company stopped taking calls earlier this week, according to two former EZ Tech Support employees. Contacted by email, its general manager, Gavynn Wells, said he no longer worked there and was “unclear as to the direction the company will be going into.”
A second major cyber breach that might reveal far more personal and damaging information appears to have hit the U.S. government’s Office of Personnel Management (OPM). The breach was apparently carried out by hackers with connections to China and targeted a database containing copies of the government’s Standard Form 86, according to news reports citing unnamed government officials. The form, available online, is a 120-page questionnaire that’s answered by people seeking a national security clearance. Those filling out the form are asked to provide highly personal details about their lives that go far beyond their birth dates and Social Security or passport numbers. Among the questions asked are details of former residences, names and addresses of neighbors and detailed information about family members.
Twitter CEO Costolo steps down
Embattled Twitter CEO Dick Costolo will leave his post atop the micro-blogging company on July 1, bowing to intense pressure from investors disappointed with slow revenue growth and the failure to turn a profit. Co-founder and Chairman Jack Dorsey will serve as interim CEO while the company looks for a new boss; Costolo will remain on Twitter’s board of directors.
Oculus launches a consumer Rift headset, Xbox controller
In advance of the E3 gaming expo next week, virtual reality headset maker Oculus on Thursday took the wraps off a consumer version of its Rift headset, which will ship next March with a wireless Xbox controller. The company also showed prototypes of two ring-shaped controllers that will let players interact with objects in games like they might in real life.
Google must respect the European Union’s ‘right to be forgotten’ court ruling on all its sites, not just those it says target EU countries, the French data protection authority has ruled, giving the company 15 days to comply. The French National Commission on Computing and Liberty (CNIL) ordered Google to remove the affected search results on all its domains, including google.com, or face a fine of up to €300,000 (about $337,000). So far, Google has only removed such results from those of its sites it says target EU users, including google.fr and google.de. French residents need only click the “Use Google.com” link on the google.fr homepage to have access to unfiltered search results.
The OpenSSL project has released several patches for moderate flaws, including an additional defense against the Logjam vulnerability revealed last month. OpenSSL is widely used open-source software that encrypts communications using the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol. TLS encrypts traffic in transit so that data is not exposed in clear text on the network. The Logjam defense is that OpenSSL 1.0.2b and 1.0.1n now reject TLS handshakes in which the server offers Diffie-Hellman parameters shorter than 768 bits, a limit the project has said it intends to raise to 1024 bits in a later release; administrators should check that their servers use DH groups of at least 2048 bits rather than relying on the client-side floor. The patches include three for moderate flaws. Two of these fix flaws that could be used for denial of service attacks, according to an advisory. The third patch fixes a moderate flaw that affects OpenSSL versions prior to a June 2014 release. A fourth patch is for a low-severity race condition flaw.
A union representing U.S. government workers says it believes detailed personal information on millions of current and former federal employees that was stolen by hackers was not encrypted. The American Federation of Government Employees (AFGE) said the attack on the Office of Personnel Management (OPM) resulted in the theft of all personnel data for every federal employee. In a letter sent Thursday to Katherine Archuleta, director of the OPM, from David Cox, president of the AFGE, the union says it believes hackers targeted the government’s Central Personnel Data File, an expansive database with information on government workers except those in the military or intelligence fields.
Windows 10 will have a new mechanism that will allow software developers to integrate their applications with whatever antimalware program exists on a user’s computer. The goal of the new Antimalware Scan Interface (AMSI) is to let applications send content to the locally installed antivirus product to be checked for malware before the application acts on it. According to Microsoft, this can have important benefits when dealing with script content in particular, because malicious scripts are commonly obfuscated to bypass antivirus detection. Scripts also typically get executed in the memory of the applications that interpret them, so they never create files on disk for a file-based antivirus scanner to examine; an AMSI-aware interpreter can instead hand the engine the de-obfuscated script text at the moment it is about to run it.
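The integration described above is a handful of calls against `amsi.dll`. The following added example (not Microsoft’s sample code, and not from the original article) drives that API from Python through `ctypes`: it initialises an AMSI context under an application name, opens a session, submits a script buffer with `AmsiScanBuffer`, and interprets the `AMSI_RESULT` the provider returns. The exported function names, their signatures and the result constants are those documented in `amsi.h`; the application name, content name and the sample script are made up for the example. Scanning itself only works on Windows 10 or later with an AMSI-capable antimalware product registered, so the block refuses to load the library elsewhere, while the result-interpretation helpers run anywhere.

```python
"""Submit script content to the locally installed antimalware engine through
AMSI.  Added example driving the documented amsi.dll exports via ctypes; the
application and content names are assumptions for illustration."""
import ctypes
import sys

# AMSI_RESULT values from amsi.h.  Anything >= AMSI_RESULT_DETECTED is malware;
# other values below it are provider-specific confidence levels.
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4FFF
AMSI_RESULT_DETECTED = 32768


def result_is_malware(result):
    """Python equivalent of the AmsiResultIsMalware() macro in amsi.h."""
    return result >= AMSI_RESULT_DETECTED


def describe_result(result):
    """Human-readable reading of an AMSI_RESULT, in the order amsi.h defines it."""
    if result == AMSI_RESULT_CLEAN:
        return "clean"
    if result == AMSI_RESULT_NOT_DETECTED:
        return "not detected"
    if AMSI_RESULT_BLOCKED_BY_ADMIN_START <= result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END:
        return "blocked by administrator policy"
    if result_is_malware(result):
        return "detected as malware"
    return f"provider-specific level {result}"


def _check(hresult):
    """Raise on a failed HRESULT (negative when read as a signed 32-bit int)."""
    if hresult < 0:
        raise ctypes.WinError(hresult)


def _load_amsi():
    """Bind the amsi.dll exports with their documented argument types."""
    if sys.platform != "win32":
        raise OSError("AMSI is only available on Windows 10 and later")
    amsi = ctypes.WinDLL("amsi")
    HRESULT, HANDLE = ctypes.c_long, ctypes.c_void_p
    amsi.AmsiInitialize.argtypes = [ctypes.c_wchar_p, ctypes.POINTER(HANDLE)]
    amsi.AmsiInitialize.restype = HRESULT
    amsi.AmsiOpenSession.argtypes = [HANDLE, ctypes.POINTER(HANDLE)]
    amsi.AmsiOpenSession.restype = HRESULT
    amsi.AmsiScanBuffer.argtypes = [HANDLE, ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.c_wchar_p, HANDLE, ctypes.POINTER(ctypes.c_int)]
    amsi.AmsiScanBuffer.restype = HRESULT
    amsi.AmsiCloseSession.argtypes = [HANDLE, HANDLE]
    amsi.AmsiCloseSession.restype = None
    amsi.AmsiUninitialize.argtypes = [HANDLE]
    amsi.AmsiUninitialize.restype = None
    return amsi


def scan_script(app_name, content_name, script_text):
    """Hand script text to the registered provider; return the raw AMSI_RESULT.

    The buffer is UTF-16LE, the same representation a wide string passed to
    AmsiScanString would have.  An interpreter would call this with the fully
    de-obfuscated text right before executing it, which is the point of AMSI.
    """
    amsi = _load_amsi()
    ctx = ctypes.c_void_p()
    _check(amsi.AmsiInitialize(app_name, ctypes.byref(ctx)))
    try:
        session = ctypes.c_void_p()   # one session correlates related scans
        _check(amsi.AmsiOpenSession(ctx, ctypes.byref(session)))
        try:
            buf = script_text.encode("utf-16-le")
            result = ctypes.c_int()
            _check(amsi.AmsiScanBuffer(ctx, buf, len(buf), content_name,
                                       session, ctypes.byref(result)))
            return result.value
        finally:
            amsi.AmsiCloseSession(ctx, session)
    finally:
        amsi.AmsiUninitialize(ctx)


if __name__ == "__main__":
    # Constructed, harmless sample; the names are hypothetical.
    sample = 'Write-Host "hello from an AMSI-aware host"'
    verdict = scan_script("ExampleScriptHost", "sample.ps1", sample)
    print(verdict, describe_result(verdict), "block!" if result_is_malware(verdict) else "allow")
```

An application that adopts AMSI should treat any result that satisfies `result_is_malware` as a hard stop and should also refuse to run the content if the provider calls fail, since a missing or disabled provider is indistinguishable from a tampered one.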
The group behind the Duqu cyberespionage tool has compromised at least two telecommunications operators and one electronic equipment manufacturer, in addition to a cybersecurity firm and venues that hosted high-level nuclear negotiations between world powers and Iran. On Wednesday, Moscow-based antivirus firm Kaspersky Lab, which has been deeply involved in exposing sophisticated cyberespionage campaigns over the past few years, revealed that it too fell victim to such an attack. The company discovered in early spring that several of its internal systems were infected with a new version of Duqu, a sophisticated malware platform believed to be related to the Stuxnet worm used to sabotage Iran’s nuclear enrichment centrifuges at Natanz.
A security researcher says a vulnerability in Apple’s mobile email application could be used to trick someone into divulging their iCloud password. Prague-based Jan Soucek published proof-of-concept code that shows how he could send an email containing HTML that resembles the iCloud login pop-up window; when the recipient fills it in, Soucek receives an email containing the password. The vulnerability allows remote HTML content to be loaded into an email, replacing the content of the email message, so the fake prompt is rendered by the mail client itself rather than by an obviously separate web page. Soucek wrote that he then built a functional password collector using only HTML and CSS, and he also published a demonstration video. The practical defense until a fix ships is the usual one for credential phishing: a password prompt that appears inside the body of an email should never be answered, since the genuine iCloud prompt is raised by the operating system, not by message content.