The U.S. is investigating a massive data breach that exposed personal information on around 4 million federal government workers, according to news reports Thursday.China is suspected of having a hand in the attack, described by an unnamed official as “one of the largest thefts of government data ever seen,” the Wall Street Journal reported.The attack targeted the Office of Personnel Management, a government agency tasked with hiring and retaining government workers. The same agency was breached last year, but this was apparently a separate attack.To read this article in full or to leave a comment, please click here
The U.S. is investigating a massive data breach that exposed personal information on around 4 million federal government workers, according to news reports Thursday.China is suspected of having a hand in the attack, described by an unnamed official as “one of the largest thefts of government data ever seen,” the Wall Street Journal reported.APOLOGIES: Sorriest Technology Companies of 2014To read this article in full or to leave a comment, please click here
The U.S. National Security Agency is reportedly intercepting Internet communications from U.S. residents without getting court-ordered warrants, in an effort to hunt down malicious hackers.The previously undisclosed NSA program monitors Internet traffic for data about cyberattacks originating outside the U.S., according to a New York Times article published Thursday and based on leaks from former NSA contractor Edward Snowden.President Barack Obama’s administration launched the NSA cybersecurity program without public notice or debate, according to the report.To read this article in full or to leave a comment, please click here
A researcher is warning that a gaming plug-in installed on over 200 million PCs contains a flaw that could let attackers steal users’ data from websites they’re logged into, such as their Web mail and social networking accounts.The technology in question, from Unity Technologies, is used by hundreds of thousands of developers to create online games and other interactive 3D content. The flaw, which the researcher says hasn’t been patched yet, is located in the Unity Web Player, a plug-in that needs to be installed inside browsers in order to display Unity-based Web apps.Unity Technologies, based in San Francisco, didn’t immediately respond to a request for comment.To read this article in full or to leave a comment, please click here
European governments will be able to review the source code of Microsoft products to confirm they don’t contain security backdoors, at a transparency center the company opened in Brussels on Wednesday.The center will give governments the chance to review and assess the source code of Microsoft enterprise products and to access important security information about threats and vulnerabilities in a secure environment, said Matt Thomlinson, Vice President of Microsoft Security in a blog post. By opening the center, Microsoft wants to continue building trust with governments around the world, he added.To read this article in full or to leave a comment, please click here
After years of thorny negotiations, top EU and U.S. officials say they are close to agreement on two privacy accords that would regulate the transfer of personal data of European citizens to the U.S.At stake is the ability of U.S. and European companies and governments to share data about private citizens for commercial and law enforcement purposes.A version of one of the two privacy deals being discussed, the Safe Harbor accord, has been in force for years but is being renegotiated. Failure to reach agreement on how to change the accord would spell serious trouble for companies like Google, Facebook and Twitter, which have relied on it to transmit data on EU citizens to the U.S. for processing and storage.To read this article in full or to leave a comment, please click here
A number of high-profile source-code repositories hosted on GitHub could have been modified using weak SSH authentication keys, a security researcher has warned.The potentially vulnerable repositories include those of music streaming service Spotify, the Russian Internet company Yandex, the U.K. government and the Django Web application framework.Earlier this year, researcher Ben Cox collected the public SSH (Secure Shell) keys of users with access to GitHub-hosted repositories by using one of the platform’s features. After an analysis, he found that the corresponding private keys could be easily recovered for many of them.The SSH protocol uses public-key cryptography, which means that authenticating users and encrypting their connections requires a private-public key pair. The server configured to accept SSH connections from users needs to know their respective public keys and the users need to have the corresponding private keys.To read this article in full or to leave a comment, please click here
Cybercriminals in Japan are targeting iPhone users with an online scam that tricks them into installing a malicious application when they attempt to view porn videos.This type of attack, known as one-click fraud, is not new and has been used for years against Windows, Mac and Android users. However, what’s interesting in this particular case is that it works even against non-jailbroken iPhones.Apple tightly controls how iOS apps are distributed to users by forcing developers to publish them on the official App Store where they are subject to Apple’s review procedures. However, there are exceptions to this rule in the form of special development programs for which participants have to pay extra.To read this article in full or to leave a comment, please click here
If government CIOs want to bring IT out of the shadows, they need to start by understanding what kind of tools agency personnel need to do their jobs.That's one of the chief takeaways from a new study looking at shadow IT in the government -- those unauthorized applications and services that employees use without the permission of the CIO and the tech team.MORE ON NETWORK WORLD: 26 crazy and scary things the TSA has found on travelers
The new analysis, conducted by cloud security vendor Skyhigh Networks, identifies a startling amount of applications in use in public-sector organizations. According to an analysis of log data tracking the activities of some 200,000 government workers in the United States and Canada, the average agency uses 742 cloud services, on the order of 10 to 20 times more than the IT department manages.To read this article in full or to leave a comment, please click here
Senate finally reforms NSA surveillanceNearly two years after former NSA contracter Edward Snowden went public with revelations that the agency was collecting Americans’ phone records in bulk so that it could trawl through them at leisure, the U.S. Senate has finally acted to rein in what at least one court ruled was illegal surveillance. The Senate’s 67-32 vote Tuesday on the USA Freedom Act will allow a limited telephone records program at the NSA, and give it six months to transition its phone records database to U.S. telecom carriers.To read this article in full or to leave a comment, please click here
Facebook will require application developers to move later this year to a more secure type of digital signature for their apps, which is used to verify a program’s legitimacy.As of Oct. 1, apps will have to use SHA-2 certificate signatures rather than ones signed with SHA-1. Both are cryptographic algorithms that are used to create a hash of a digital certificate that can be mathematically verified.Apps that use SHA-1 after October won’t work on Facebook anymore, wrote Adam Gross, a production engineer at the company, in a blog post.“We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard,” Gross wrote.To read this article in full or to leave a comment, please click here
The U.S. Senate has passed legislation intended to rein in the National Security Agency’s bulk collection of domestic telephone records, sending the bill to President Barack Obama for his signature.The Senate’s 67-32 vote Tuesday on the USA Freedom Act restores a limited telephone records program at the NSA to resume after the old bulk collection program expired Sunday night. After Obama’s signature, the NSA will have six months to transition its phone records database to U.S. telecom carriers.The USA Freedom Act, aimed at ending bulk collection of telephone records, was needed after revelations about the program by former NSA contractor Edward Snowden in mid-2013, supporters said. Some digital rights groups have blasted the bill as “fake reform,” but the bill’s limits on the NSA will help restore the U.S. public’s trust in government surveillance efforts, said Senator Patrick Leahy, a Vermont Democrat and sponsor of the bill.To read this article in full or to leave a comment, please click here
Google stores, manages and sometimes sells an astonishingly large and complex amount of user data. Unfortunately, that digital information isn't always kept secure or private, but Google puts some degree of control in the hands of its users. To offer you a little more control, Google this week rolled out an updated online hub designed to help manage privacy settings, called My Account, as well as a pair of tools that streamline the process of safeguarding user data.A brief history of Linux malware
The My Account hub gives Google users more context on how and where their information is shared, when they can opt to remain private and the types of ads they see on Google or elsewhere online. Google redesigned My Account to display its many user settings in a more intuitive way, and the Security Checkup and Privacy Checkup tools show users how to control and manage some of the data they share with Google.To read this article in full or to leave a comment, please click here
In yet another testament of the awful state of home router security, a group of security researchers uncovered more than 60 vulnerabilities in 22 router models from different vendors, most of which were distributed by ISPs to customers.The researchers performed the manual security review in preparation for their master’s thesis in IT security at Universidad Europea de Madrid in Spain. They published details about the vulnerabilities they found Sunday on the Full Disclosure security mailing list.The flaws, most of which affect more than one router model, could allow attackers to bypass authentication on the devices; inject rogue code into their Web-based management interfaces; trick users into executing rogue actions on their routers when visiting compromised websites; read and write information on USB storage devices attached to the affected routers; reboot the devices, and more.To read this article in full or to leave a comment, please click here
Security researchers contend the developer of a popular browser extension has not fixed vulnerabilities they found, and are recommending users should get rid of it.The free extension, from Israel-based Hola, is a peer-to-peer program that routes people’s Internet traffic through other Hola users’ computers. It can let users watch geoblocked content by routing traffic through the authorized region or offer greater anonymity, similar to Tor, when Web browsing. It has been downloaded millions of times.Last week, a group of nine researchers launched a website called ”Adios, Hola!” that describes several flaws affecting the Hola Unblocker Windows client, the extension for Firefox and Chrome, and its Android application.To read this article in full or to leave a comment, please click here
In a recent blog post, I examined some of the new features available in the Cisco Adaptive Security Appliance (ASA) 9.3 code and promised to cover some of these here at the blog. With that said, let's examine the Backup and Restore functionality that is now built in to these devices. The first question we will tackle is what exactly is backup up through this process. The answer is just about everything you could want on your system! Here is the complete list:
The Running-configuration
The Startup-configuration
All security images, including the Cisco Secure Desktop and Host Scan images, Cisco Secure Desktop and Host Scan settings, AnyConnect (SVC) client images and profiles, and AnyConnect (SVC) customizations and transforms
Identity certificates (includes RSA key pairs tied to identity certificates; excludes standalone keys)
VPN pre-shared keys
SSL VPN configurations
Application Profile Custom Framework (APCF)
Bookmarks
Customizations
Dynamic Access Policy (DAP)
Plug-ins
Pre-fill scripts for connection profiles
Proxy Auto-config
Translation table
Web content
Version information
So you have just made some configuration changes and you are ready to backup your device. Here are some things to keep in mind:To read this article in full or to leave a comment, please click here
Google has launched a centralized hub that lets users manage the privacy and security controls of all its services, and introduced a site with information about these topics.The hub, called My Account, is not the first effort from Google to centralize settings: in 2009, it introduced a dashboard to let users control settings on most services on one page.On My Account, people can control settings for Search, Maps, YouTube, Gmail and other products in one place, Google said in a blog post on Monday.To read this article in full or to leave a comment, please click here
Some Facebook users should soon be able to receive encrypted emails from the social networking site if they add PGP public keys to their profiles.
Facebook called the PGP feature “experimental” and said it is slowly rolling it out, although a timeline wasn’t provided. The PGP key details will be added to the “contact and basic info section” of a person’s profile under “contact information.”
Facebook sends messages to private email accounts to inform users when they have a private message or friend request, for example. It currently uses TLS to establish secure connections to a person’s email provider, but this won’t keep the details of an email private from prying eyes.To read this article in full or to leave a comment, please click here
Once again, reports have Intel near a deal with AlteraIntel may announce a deal to acquire FPGA maker Altera on Monday, the Wall Street Journal reports, after the two companies returned to the bargaining table following a failure to come to terms earlier this year. The buy would strengthen Intel’s already dominant hand in the server market at a cost of about $17 billion.NSA surveillance powers expire as Senate delays voteA controversial program allowing the U.S. National Security Agency to collect millions of domestic telephone records expired Sunday night after the Senate failed to vote on a bill to extend the authority for the surveillance. But senators moved closer to bringing the USA Freedom Act to a vote; that bill gives the agency limited power to obtain data on American residents under investigation. Some are still calling for more reform and better oversight.To read this article in full or to leave a comment, please click here
A zero-day software vulnerability in the firmware of older Apple computers could be used to slip hard-to-remove malware onto a computer, according to a security researcher.Pedro Vilaca, who studies Mac security, wrote on his blog that the flaw he found builds on previous ones but this one could be far more dangerous. Apple officials could not be immediately reached for comment.Vilaca found it was possible to tamper with an Apple computer’s UEFI (unified extensible firmware interface). UEFI is firmware designed to improve upon BIOS, which is low-level code that bridges a computer’s hardware and operating system at startup.To read this article in full or to leave a comment, please click here