Google has identified and disabled 192 Chrome browser extensions that injected rogue ads into Web pages opened by users without being upfront about it. The company will scan for similar policy violations in future.The action followed a study that the company conducted together with researchers from University of California Berkeley and which found that more than five percent of Web users who accessed Google websites had an “ad injector” installed.The deceptive Chrome extensions were detected as part of that study, but the researchers also found ad injectors affecting browsers such as Internet Explorer and Mozilla Firefox, on both Windows and Mac OS X.To read this article in full or to leave a comment, please click here
Verizon customers can now opt out of having a unique identifier placed on their phones that critics have labelled a ‘supercookie’ because it’s almost impossible to remove.Verizon said in January that it would allow subscribers to opt out of the tracking mechanism, but it didn’t say when. On Tuesday, it said the identifier won’t be inserted for customers who opt out of its mobile advertising program.The move hasn’t satisfied privacy advocates, who say many customers won’t be aware that they need to opt out of the program. The identifier should be “opt in” instead, those advocates say.“This is an improvement, but it doesn’t do nearly enough,” said Jacob Hoffman-Andrews, a senior staff technologist with Electronic Frontier Foundation.To read this article in full or to leave a comment, please click here
A new malware program is being used to do reconnaissance for targeted attacks against companies in the energy sector.The program, dubbed Trojan.Laziok by researchers from antivirus vendor Symantec, was used in spear-phishing attacks earlier this year against companies from the petroleum, gas and helium industries.The attacks targeted companies from many countries in the Middle East, but also from the U.S., India, the U.K., and others, according to malware researchers from Symantec.The Trojan is spread via emails with malicious documents that exploit a Microsoft Office vulnerability for which a patch has existed since April 2012.To read this article in full or to leave a comment, please click here
A tool for nearly real-time management of clients like desktops, laptops and Windows tablets is now set to take on massive organizations that have millions of endpoints.Tanium is software that can examine and modify all such clients across an enterprise within 15 seconds, according to the company. It’s already being used by customers with more than 500,000 endpoints, and the newly released Version 6.5 is designed to serve some of the world’s largest organizations, especially in the public sector, Tanium says.At the heart of Tanium’s software is the ability to rapidly reach all endpoints throughout an organization, which can speed up both security and IT management tasks. Tanium makes this work by organizing endpoints into linear chains in which they communicate peer to peer.To read this article in full or to leave a comment, please click here
Facebook tracks everyone who visits its site, including people who don’t have an account, and even continues to track users and non-users who have opted out of targeted ads, researchers at two Belgian universities have found.Researchers at the University of Leuven in cooperation with researchers at the Vrije Universiteit Brussel have published an update to a February analysis of Facebook’s new policies and terms. The report, commissioned by the Belgian Privacy Commission, already found in preliminary conclusions in February that Facebook, with its 2015 privacy policy update, likely acts in violation of European law.To read this article in full or to leave a comment, please click here
For the past two years, a cyberespionage group that likely operates from Lebanon has hacked into hundreds of defense contractors, telecommunications operators, media groups and educational organizations from at least 10 countries.The still-active attack campaign was uncovered and analyzed recently by security researchers from Check Point Software Technologies, who dubbed it Volatile Cedar. The company’s researchers found evidence that the attackers started their operation in late 2012, but have managed to fly under the radar until now by carefully adapting their tools to avoid being detected by antivirus programs.Unlike most cyberespionage groups, the Volatile Cedar attackers do not use spear phishing or drive-by downloads to gain a foothold into their victims’ networks. Instead they target Web servers and use them as initial entry points.To read this article in full or to leave a comment, please click here
It’s not clear if the U.S. government is living up to its promise to disclose serious software flaws to technology companies, a policy it put in place five years ago, according to the Electronic Frontier Foundation.The digital watchdog said on Monday it received a handful of heavily redacted documents from the Office of the Director of National Intelligence (ODNI), which it sued last July after it and the National Security Agency moved too slowly on a Freedom of Information Act (FOIA) request.Last year, the EFF sought documents related to the U.S. government’s efforts to beef up its Vulnerability Equities Process (VEP), a framework for notifying companies about zero-day vulnerabilities.To read this article in full or to leave a comment, please click here
Two former U.S. government agents face charges related to stealing hundreds of thousands of dollars worth of bitcoin while assisting with an investigation of the Silk Road underground online marketplace, with one accused of using a fake online persona to extort money from operators of the site.Facing charges of wire fraud and money laundering are Carl Force, 46, of Baltimore, a former special agent with the U.S. Drug Enforcement Agency, and Shaun Bridges, 32, of Laurel, Maryland, a former special agent with the U.S. Secret Service. Both served on the Baltimore Silk Road Task Force, which investigated illegal activity on the Silk Road website, the Department of Justice said Monday in a press release.To read this article in full or to leave a comment, please click here
Pebble Time breaks Kickstarter record with over $20 million raisedPebble won record support from the Kickstarter crowdfunding community in its second trip to the well, for its next-generation Pebble Time smartwatch, CNN Money reports. It raised $20.3 million from 78,463 people in a campaign ended Friday, making it the most-funded Kickstarter campaign ever by a $7 million margin. When it ships in May, the device will go up against the Apple Watch but offer a week between battery charges (rather than a day) and a lower price of $199.Tim Cook speaks out against “religious freedom” lawsTo read this article in full or to leave a comment, please click here
Remember when network access control (NAC) was all the rage? Remember the competing standards from Microsoft, Cisco, and the Trusted Computing Group? Back around 2006, there were dozens of NAC products, many of which turned out to be buggy and difficult to implement.
Over time, other network-based security products – mobile device management (MDM), intrusion prevention systems (IPS) and next-generation firewalls – came along and squeezed NAC into a narrower part of the market.
But NAC hasn’t disappeared. In fact, NAC products have evolved and improved as well. For this review, we were able to bring the following five vendors together: Enterasys/Extreme Networks Mobile IAM, Hexis Cyber Solutions NetBeat NAC, Impulse Point SafeConnect NAC, Pulse Policy Secure, and Portnox NAC. (Cisco, ForeScout, Auconet, and Aruba declined our invitation.)To read this article in full or to leave a comment, please click here(Insider Story)
Over the last few days, a large number of British Airways customers have found that reward points they accumulated for flights, called Avios, have disappeared from their accounts. Others have been locked out of their accounts completely.Affected users have gathered on the flyertalk.com forum to share their experiences after calling the company’s call center, which according to reports, has been giving out “contradictory” information at times.It seems that the incident is the result of hackers gaining access to a large number of accounts.To read this article in full or to leave a comment, please click here
Software development platform GitHub said Sunday it was still experiencing intermittent outages from the largest cyberattack in its history but had halted most of the attack traffic.Starting on Thursday, GitHub was hit by distributed denial-of-service (DDoS) attacks that sent large volumes of Web traffic to the site, particularly towards two Chinese anti-censorship projects hosted there.Over the next few days, the attackers changed their DDoS tactics as GitHub defended the site, but as of Sunday, it appears the site was mostly working.A GitHub service called Gists, which lets people post bits of code, was still affected, it said. On Twitter, GitHub said it continued to adapt its defenses.To read this article in full or to leave a comment, please click here
The U.S. Congress is moving forward quickly with legislation that would encourage private companies to share cyberthreat information with government agencies, despite concerns that two leading bills weaken consumer privacy protections.The House of Representatives Intelligence Committee voted Thursday to approve the Protecting Cyber Networks Act (PCNA), just two days after the bill was introduced.The House bill “is a cybersurveillance bill at least as much as it is a cybersecurity bill, and it is written so broadly that it could wind up making the Internet less safe,” Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute [OTI], said by email.To read this article in full or to leave a comment, please click here
Mobile malware is a growing problem, but researchers from University of Alabama at Birmingham have figured out a new way of detecting when shady mobile apps get up to no good, such as trying to call premium-rate numbers unbeknowst to a phone’s owner.The technique relies on using the phone’s motion, position and ambient sensors to learn the gestures that users typically make when they initiate phone calls, take pictures or use the phone’s NFC reader to scan credit cards.Some mobile malware programs already abuse these services and security researchers expect their number will only increase.The technology developed by the UAB researchers can monitor those three services and can check whether attempts to access them are accompanied by the natural gestures users are expected to make. If they’re not, they were likely initiated by malware.To read this article in full or to leave a comment, please click here
The U.K. Court of Appeal won’t block a privacy lawsuit that alleges Google tracked Safari users without authorization, so the three plaintiffs can continue their legal fight against the search company.“These claims raise serious issues which merit a trial. They concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature, as specified in the confidential schedules, about and associated with the claimants’ internet use, and the subsequent use of that information for about nine months,” reads the decision, released Friday. “The case relates to the anxiety and distress this intrusion upon autonomy has caused.”To read this article in full or to leave a comment, please click here
The Human Rights Council of the United Nations has voted in favor of a resolution backed by Germany and Brazil to appoint an independent watchdog or ‘special rapporteur’ to monitor privacy rights in the digital age.The council said Thursday that the same rights that people have offline must also be protected online, including the right to privacy.The proposed appointment of the rapporteur is likely to be mainly symbolic as the official’s functions will be mainly advisory. But it reflects continuing concerns around the world about privacy in the wake of disclosures of U.S. surveillance by former National Security Agency contractor, Edward Snowden.To read this article in full or to leave a comment, please click here
Open-source software projects are often well intended, but security can take a back seat to making the code work.OpenDaylight, the multivendor software-defined networking (SDN) project, learned that the hard way last August after a critical vulnerability was found in its platform.It took until December for the flaw, called Netdump, to get patched, a gap in time exacerbated by the fact that the project didn’t yet have a dedicated security team. After he tried and failed to get in touch with OpenDaylight, the finder of the vulnerability, Gregory Pickett, posted it on Bugtraq, a popular mailing list for security flaws.To read this article in full or to leave a comment, please click here
Open-source software projects are often well intended, but security can take a back seat to making the code work.
OpenDaylight, the multivendor software-defined networking (SDN) project, learned that the hard way last August after a critical vulnerability was found in its platform.
It took until December for the flaw, called Netdump, to get patched, a gap in time exacerbated by the fact that the project didn’t yet have a dedicated security team. After he tried and failed to get in touch with OpenDaylight, the finder of the vulnerability, Gregory Pickett, posted it on Bugtraq, a popular mailing list for security flaws.To read this article in full or to leave a comment, please click here
A slew of tech companies have joined privacy groups in calling for the U.S. government to reform its surveillance practices.An open letter from the tech industry and privacy organizations urges the government to not renew the provision in the Patriot Act that allows for the bulk collection of metadata. That provision, called Section 215, expires in June.“There must be a clear, strong, and effective end to bulk collection practices,” reads the letter, which was signed by the industry group Reform Government Surveillance, whose members include including Apple, Facebook, Google, Evernote, Twitter and Microsoft. Any data collection efforts need to protect user rights and privacy, the letter said.To read this article in full or to leave a comment, please click here
Cisco Systems released firmware updates for several routers and switches that run its IOS and IOS XE software in order to fix flaws in their autonomic networking infrastructure (ANI) feature.ANI is an automatic device management feature that allows Cisco IOS devices to securely join a domain and be configured without prestaging—setting up the necessary accounts in advance.Cisco’s new patches, released Wednesday, address three vulnerabilities in the way Cisco IOS and IOS XE devices handle autonomic networking (AN) messages.One vulnerability could allow a remote unauthenticated attacker to force a vulnerable device to join a rogue autonomic domain by sending it specially crafted AN messages. This would give the attacker limited control over the device and would prevent it from joining the legitimate domain, Cisco said in a security advisory.To read this article in full or to leave a comment, please click here