Category Archives for "Network World Security"

First software update for Apple Watch includes security fixes

You might not be used to the idea of a watch endangering your digital life, but you should: Apple’s first update for Watch OS includes 14 security patches, and they’re not trivial. Watch OS 1.0.1, released Tuesday, brings several performance improvements and support for additional languages, but it also fixes 13 vulnerabilities that could enable arbitrary code execution, information disclosure, denial of service, traffic hijacking, privilege escalation and other attacks, and also updates the list of root CA certificates trusted by default on the device.

Tech companies ask Senate to pass NSA reform bill

Reform Government Surveillance, an organization that represents large technology companies like Google, Apple and Microsoft, on Tuesday pressed the U.S. Senate not to delay reform of National Security Agency surveillance by extending expiring provisions of the Patriot Act. The House of Representatives voted 338-88 last week to approve the USA Freedom Act that would, among other things, stop the controversial bulk collection of phone records of Americans by the NSA, including by placing restrictions on the search terms used to retrieve the records.

St. Louis Federal Reserve forces password change after DNS attack

A branch of the U.S.’s central bank is forcing a password reset after a cyberattack briefly redirected visitors to parts of its website to bogus Web pages. The Federal Reserve of St. Louis found on April 24 that DNS (domain name system) settings had been changed to redirect people to fake Web pages. The bank didn’t name its DNS provider. Those who visited those pages may have been exposed to malware or had their login credentials stolen. “If you attempted to log into your user account on that date, it is possible that this malicious group may have accessed your user name and password,” an advisory said.

New encryption flaw, LogJam, puts Web surfers at risk

Computer security experts said they’ve found a new encryption flaw closely related to one found earlier this year that puts Web surfers’ data at risk. The flaw, called LogJam, can allow an attacker to significantly weaken the encrypted connection between a user and a Web or email server, said Matthew D. Green, an assistant research professor in the department of computer science at Johns Hopkins University. About 7 percent of websites on the Internet are vulnerable to LogJam along with many email servers. A website has been set up with more information. Green was part of a team including experts from the University of Michigan and the French research institute Inria who found LogJam a few months ago.

Critical vulnerability in NetUSB driver exposes millions of routers to hacking

Millions of routers and other embedded devices are affected by a serious vulnerability that could allow hackers to compromise them. The vulnerability is located in a service called NetUSB, which lets devices connected over USB to a computer be shared with other machines on a local network or the Internet via IP (Internet Protocol). The shared devices can be printers, webcams, thumb drives, external hard disks and more. NetUSB is implemented in Linux-based embedded systems, such as routers, as a kernel driver. The driver is developed by Taiwan-based KCodes Technology. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients.

URL-spoofing bug in Safari could enable phishing attacks

The latest versions of Safari for Mac OS X and iOS are vulnerable to a URL-spoofing exploit that could allow hackers to launch credible phishing attacks. The issue was discovered by security researcher David Leo, who published a proof-of-concept exploit for it. Leo’s demonstration consists of a Web page hosted on his domain that, when opened in Safari, causes the browser to display dailymail.co.uk in the address bar. The ability to control the URL shown by the browser can, for example, be used to easily convince users that they are on a bank’s website when they are actually on a phishing page designed to steal their financial information.

The Upload: Your tech news briefing for Tuesday, May 19

Obama finally claims his Twitter account

U.S. President Barack Obama is on Twitter for real. The @POTUS account is verified, and unlike @BarackObama which is mostly run by staffers, it will feature tweets by the man himself. The first tweet on the account, sent Monday morning, reads “Hello, Twitter! It’s Barack. Really! Six years in, they’re finally giving me my own account.” Now, what’s the protocol for turning over control of the Twitter account to your successor on Inauguration Day? Bill Clinton wanted to know, and Obama tweeted back reassuringly, “The handle comes with the house.”

Apple, Google urge Obama to reject encryption back doors

Apple and Google are appealing to U.S. President Barack Obama to reject proposals to allow encryption “back doors” in mobile devices. A letter signed by Apple and Google to be sent Tuesday is aimed at protecting privacy and limiting law enforcement access to encrypted data, according to a report in The Washington Post. “Strong encryption is the cornerstone of the modern information economy’s security,” the paper quotes the letter as saying. Over 140 technology companies, technologists and civil society groups also signed it, calling on the president to not “in any way subvert, undermine, weaken or make vulnerable” security software.

Login system supplies fake passwords to hackers

A team of researchers has developed a system that makes it much harder for hackers to obtain usable passwords from a leaked database, which could help blunt the damage from a data breach. The system is described in a research paper that has been submitted for consideration at the 2015 Annual Computer Security Applications Conference, which takes place in Los Angeles in December. Called ErsatzPasswords, the system is aimed at throwing off hackers who use methods to “crack” passwords, said Mohammed H. Almeshekah, a doctoral student at Purdue University in Indiana.

Survey finds most US residents want changes to Patriot Act surveillance

U.S. residents have major problems with government surveillance, and six in 10 want to see the records collection provisions of the Patriot Act modified before Congress extends it, according to a survey commissioned by a civil rights group. Just 34 percent of survey respondents said they’d like to see the Patriot Act preserved as a way to keep the U.S. safe from terrorists, according to the survey commissioned by the American Civil Liberties Union. Sixty percent either strongly or somewhat agreed with a statement saying Congress should modify the Patriot Act to “limit government surveillance and protect Americans’ privacy.”

In desperation, many ransomware victims plead with attackers

The shamelessness of ransomware pushers knows no bounds. After encrypting people’s files and then holding them to ransom, they portray themselves as service providers offering technical support and discounts to their “customers.” Researchers from FireEye recently collected messages from a Web site set up by the creators of a ransomware program called TeslaCrypt to interact with their victims. The messages offer a rare glimpse into the mindset of these cybercriminals and the distress they cause.

The Upload: Your tech news briefing for Monday, May 18

Security researcher took over airplane systems via inflight tech

Security researcher Chris Roberts apparently told the FBI that he had successfully hacked into an airplane’s inflight systems numerous times over the last four years and took control of engine functions, according to a search warrant filed in court last month. Agents said that Roberts told them he hacked into in-flight entertainment systems by connecting an ethernet cable to an electronics box under the airplane seat in front of him, and issued a command that caused the aircraft to climb.

FTC recommends conditions for sale of RadioShack customer data

The U.S. Federal Trade Commission has weighed in on the contentious issue of the proposed sale of consumer data by bankrupt retailer RadioShack, recommending that a model be adopted based on a settlement the agency reached with a failed online toy retailer. The state of Texas, which is leading action by several U.S. states, has opposed the sale of personally identifiable information by RadioShack, citing the online and in-store privacy policies of the bankrupt consumer electronics retailer. Apple and some wireless carriers have opposed the sale of some of the customer data, which they said was collected from their respective customers and was governed by their privacy policies.

Security researcher’s hack caused airplane to climb, FBI asserts

The FBI contends a cybersecurity researcher said he caused an airplane’s engine to climb after hacking its software, according to a court document. The researcher, Chris Roberts, was questioned by the FBI on April 15 after he wrote a tweet that suggested he was probing aircraft systems on a United Airlines flight he took earlier that day. The FBI interviewed him after he flew into Syracuse, New York, and seized his electronics. Two days later, the agency then filed an application for a search warrant to examine Roberts’ gear, which has been published in federal court records.

Sally Beauty confirms second payment card breach

Sally Beauty Holdings has confirmed that hackers broke into its payment systems and stole customer card data. About a year ago the retail chain suffered a similar intrusion. The company launched an investigation in early May after receiving reports of unusual activity involving payment cards used at some of its stores. While it now has sufficient evidence to confirm an illegal intrusion, the company declined to comment on the breach’s scope until the forensics investigation is complete.

United launches bug bounty, but in-flight systems off limits

United Airlines is offering rewards to researchers for finding flaws in its websites, but the company is excluding bugs related to in-flight systems, which the U.S. government says may be increasingly targeted by hackers. The bug bounty program rewards people with miles that can be used for the company’s Mileage Plus loyalty program as opposed to cash, which web giants such as Google, Facebook and Yahoo pay. Many companies have launched reward programs to attract independent researchers to investigate their software code and confidentially report flaws before hackers discover them.

Reddit’s new anti-harassment rules anger some users

Upon learning of Reddit’s plan to change its rules to prohibit harassment and make the site friendlier, some users reacted with resentment and confusion. Reddit, known for the unconstrained nature of its discussions among people who post anonymously, said on Thursday that it will also now let users contact Reddit employees to report abusive posts. The changes were made to balance free expression with privacy and safety, and improve the quality and range of discourse on the site, according to the company. But in a discussion thread on Reddit, some users called the changes vague because they didn’t clarify what constituted harassment. Others said the changes would destroy free expression on the site, or characterized them as a ploy to attract advertisers.

Critics blast NSA phone records bill as ‘fake reform’

A lopsided vote in the U.S. House of Representatives this week to rein in the National Security Agency’s domestic telephone records dragnet won muted praise, with many supporters calling on Congress to take stronger action. Critics, meanwhile, slammed the USA Freedom Act for extending the section of the antiterrorism Patriot Act that the NSA has used to collect the telephone records of nearly all U.S. residents. The bill, passed by a 338-88 vote late Wednesday, would end the NSA’s bulk collection of domestic telephone records, while allowing the agency to continue to collect phone and other business records in a more targeted manner.

Asian nations increasingly hit by espionage groups

Multiple cyberespionage groups are specifically targeting government and military organizations from countries in Asia and the Pacific region with the goal of gathering geo-political intelligence, according to new security research. Some of the groups have been active for years, but the extent of their operations is only now coming to light. One Chinese-speaking group, dubbed Naikon, has been operating for five years and has had a “high volume, high profile, geo-political attack activity,” researchers from Kaspersky Lab said Thursday in a report. The group has targeted top-level government, military and civilian organizations from the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar (Burma), Singapore, Nepal, Thailand, Laos and China.

China-based hackers used Microsoft’s TechNet for attacks

Microsoft has taken steps to stop a China-based hacking group from using its TechNet website as part of its attack infrastructure, according to security vendor FireEye. The group, which FireEye calls APT (advanced persistent threat) 17, is well-known for attacks against defense contractors, law firms, U.S. government agencies and technology and mining companies. TechNet is a highly trafficked website that has technical documentation for Microsoft products. It also has a large forum, where users can leave comments and ask questions. APT17, nicknamed DeputyDog, created accounts on TechNet and then left comments on certain pages. Those comments contained the name of an encoded domain, which computers infected by the group’s malware were instructed to contact.