Category Archives for "Network World Security"

About 25 US states oppose sale of RadioShack’s customer data

Several state consumer protection agencies in the U.S. have joined the state of Texas in objecting in bankruptcy court to the proposed sale by RadioShack of personal information of its customers.

In a filing Wednesday, the state of Texas said it had received support from 21 governmental consumer protection entities to its objection last week to the planned sale of personally identifiable information (PII) of 117 million RadioShack customers.

The state of Texas had earlier objected to the sale citing both the in-store and online privacy policies of the consumer electronics retailer. “All versions of the privacy policy contain an unequivocal provision that consumer PII will not be sold,” state officials said in a filing to the U.S. Bankruptcy Court for the District of Delaware.

Facebook’s Like button can still easily be gamed

Facebook’s Like button is a pervasive feature of the Web, a way to gauge the popularity of a website or piece of content. But researchers have found it’s easy to inflate the numbers, undermining its value as an accurate measure of popularity.

The problem of bogus Likes has been around for some time, and Facebook has released updates to its software over the last couple of years to cut down on fraudulent ones generated by spammers.

But researchers with McGill University’s School of Computer Science in Montreal say the social networking company still hasn’t fixed several major problems with the feature. This week, they released a research paper outlining the problems, which they first told Facebook about in early 2013.

Egyptian company says rogue Google SSL certificates were a mistake

An Egyptian company that created unauthorized digital certificates for several Google domains said Wednesday it made a mistake and acted quickly when the error became known.

The SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates would have allowed MCS Holdings of Cairo to decrypt traffic sent by users on its network to Google, a major privacy concern. Google said it doesn’t believe the certificates were misused.

But MCS shouldn’t have been able to create digital certificates for Google properties in the first place. It appears MCS and a Certificate Authority (CA) in China both made mistakes, which highlight ongoing problems in the way digital certificates are issued.

Microsoft blacklists latest rogue SSL certificates, Mozilla mulls sanctions for issuer

Microsoft has blacklisted a subordinate CA certificate that was wrongfully used to issue SSL certificates for several Google websites. The action will prevent those certificates from being used in Google website spoofing attacks against Internet Explorer users.

Microsoft’s move, taken on Tuesday, came after Google reported that the China Internet Network Information Center (CNNIC), a certificate authority (CA) trusted by most browsers and operating systems, issued an intermediate certificate to an Egyptian company called MCS Holdings. The company then used it to generate SSL certificates for Google-owned websites without authorization.

Zero day, Web browser vulnerabilities spike in 2014

The number of zero-day and Web browser vulnerabilities shot up in 2014, but overall software vendors are patching faster.

The data comes from Secunia, a Danish security vendor that releases an annual study of trends in software vulnerabilities, which are used by hackers to compromise computers.

Zero-day vulnerabilities—which are software flaws actively being used by attackers when publicly disclosed—rose from 14 in 2013 to 25 last year. Those types of flaws are among the most dangerous and prized by attackers since patches aren’t available from vendors.

Flaws in Web browser software increased to 1,035 in 2014, up from 728 the prior year, according to Secunia’s report.

Android flaw puts personal data at risk for millions

Nearly half of Android devices are vulnerable to an attack that could replace a legitimate app with malicious software that can collect sensitive data from a phone.

Google, Samsung and Amazon have released patches for their devices, but 49.5 percent of Android users are still vulnerable, according to Palo Alto Networks, which discovered the problem. Google said it has not detected attempts to exploit the flaw.

A malicious application installed using the vulnerability, called “Android Installer Hijacking,” would have full access to a device, including data such as usernames and passwords, wrote Zhi Xu, a senior staff engineer with Palo Alto.

Dell support tool put PCs at risk of malware infection

Attackers could have remotely installed malware on systems running a flawed Dell support tool used to detect customers’ products.

A security researcher discovered the flaw in November and reported it to the PC manufacturer, which patched it in January. However, it’s not clear if the fix closed all avenues for abuse.

The application, called Dell System Detect, is offered for download when users click the “Detect Product” button on Dell’s support site for the first time. It is meant to help the website automatically detect the user’s product—more specifically its Service Tag—so that it can offer the corresponding drivers and resources.

Last year, a security researcher named Tom Forbes reverse engineered the program to see how it communicated with the Dell website. He found that the application installs a Web server on the local machine that listens on port 8884. The Dell site then uses JavaScript to send requests to the local server through the user’s browser.

Dutch service providers must delete retained telecom data

Dutch telecom providers have to delete data that had been retained under the now-scrapped data retention law, unless it is needed for business purposes.

The Dutch data retention law that required ISPs and telecommunications operators to store customer metadata for police investigations was scrapped by the District Court of the Hague earlier this month for violating fundamental privacy rights.

While most providers were quick to stop collecting the data, uncertainty remained about what should happen with the data that was already collected and stored when the law was in force.

Flash-based vulnerability lingers on many websites three years later

Flash files that are vulnerable to a serious flaw patched by Adobe Systems over three years ago still exist on many websites, exposing users to potential attacks.

The vulnerability, known as CVE-2011-2461, was found in the Adobe Flex Software Development Kit (SDK) and was fixed by Adobe in November 2011. The development tool, which has since been donated to the Apache Software Foundation, allows users to build cross-platform rich Internet applications in Flash.

The vulnerability was unusual because fixing it didn’t just require the Flex SDK to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK.

The Upload: Your tech news briefing for Tuesday, March 24

Samsung, Dell getting Microsoft apps

Users of Samsung’s Android devices are getting more choice in software: the South Korean device maker is giving its customers access to Microsoft services and apps on its flagship phones and tablets, while also letting them delete bloatware they don’t want, Computerworld reports. Samsung has been criticized for shipping its phones with too much pre-installed stuff. Meanwhile, Microsoft also announced a deal to get its apps onto Dell’s Android tablets.

Google catches bad digital certificates from Egyptian company

Google said Monday an Egyptian company issued digital certificates that could have been used to intercept data traffic to its services, which did not appear to have been abused.

The incident is the latest example of longstanding problems around the issuance of digital certificates, which are used to encrypt data and verify the legitimacy of websites.

Google detected on March 20 that unauthorized digital certificates had been issued for several of its domains by MCS Holdings, a Cairo-based networking and security company, wrote Adam Langley, a Google security engineer.

Twitch hit by possible data breach, resets user passwords

Account information for users of Twitch, the popular live-streaming service for gamers, may have been accessed through unauthorized means, the service warned on Monday.

Twitch, which is owned by Amazon.com, has reset users’ passwords and stream keys and disconnected accounts from Twitter and YouTube. Users will need to set up a new password the next time they log in, it said.

In a brief blog post, Twitch didn’t say how many accounts were affected, nor did it say exactly what data was accessed, referring only to “user account information.” A spokesman for the service declined to comment further.

Case that could overturn EU-US data exchange deal to be heard by top EU court

U.S. companies’ ability to process personal information from European Union citizens will be challenged in the European Union’s highest court on Tuesday.

At stake is the Safe Harbor Framework allowing U.S. companies to self-certify that they meet tough EU rules on the processing of personal information.

A decision to revoke the deal could have serious consequences for U.S. companies that process EU citizens’ data in the U.S. Earlier this month, Twitter warned that a revocation of the deal could seriously hurt its business.

New malware program PoSeidon targets point-of-sale systems

Retailers beware: A new Trojan program targets point-of-sale (PoS) terminals, stealing payment card data that can then be abused by cybercriminals.

The new malware program has been dubbed PoSeidon by researchers from Cisco’s Security Solutions (CSS) team and, like most point-of-sale Trojans, it scans the RAM of infected terminals for unencrypted strings that match credit card information—a technique known as memory scraping.

This sensitive information is available in plain text in the memory of a PoS system while it’s being processed by the specialized merchant software running on the terminal.

Security experts have long called for the use of end-to-end encryption technology to protect payment card data from the card reader all the way to the payment service provider, but the number of systems with this capability remains low.

The Upload: Your tech news briefing for Monday, March 23

EMC pools enterprise smarts to create data lakes

EMC is pulling assets from its conglomeration of businesses to help customers build data lakes using EMC storage, VMware virtualization and Pivotal big-data smarts. The Federation Business Data Lake debuting Monday will ingest and analyze data from diverse sources—and may also show how EMC can make the diverse businesses it owns add up to more than the sum of their parts.

New US bill aims to limit use of student data

A new bill to be introduced in Congress on Monday aims to place checks on the collection and possible misuse of student data by tech companies that supply services to schools. The Student Digital Privacy and Parental Rights Act prohibits companies such as online homework portals or email services from using or disclosing students’ personal information for advertisement purposes, according to The New York Times.

Cisco small business phones open to remote eavesdropping, calling

You don’t need to be the NSA to tap calls on Cisco’s SPA 300 and 500 IP phones: An authentication flaw allows potential attackers to do that by default.

An unpatched vulnerability in the firmware of the SPA 300 and 500 series IP phones, typically used by small businesses, could allow eavesdropping on calls.

“The vulnerability is due to improper authentication settings in the default configuration,” Cisco Systems said in a security advisory.

Unauthenticated remote attackers could send crafted XML requests to affected devices in order to exploit the flaw and remotely listen to audio streams or make phone calls through them, the company warned.

Fake patient data could have been uploaded through SAP medical app

SAP has fixed two flaws in a mobile medical app, one of which could have allowed an attacker to upload fake patient data.

The issues were found in SAP’s Electronic Medical Records (EMR) Unwired, which stores clinical data about patients including lab results and images, said Alexander Polyakov, CTO of ERPScan, a company based in Palo Alto, California, that specializes in enterprise application security.

Researchers with ERPScan found a local SQL injection flaw that could allow other applications on a mobile device to get access to an EMR Unwired database. That’s not supposed to happen, as mobile applications are usually sandboxed to prevent other applications from accessing their data.

China discloses cyberwarfare unit, no one surprised

It came as a shock to just about no one in the cybersecurity industry that China has a cyberwarfare unit, which was acknowledged by the government there this week.

While the Chinese government has long denied attacking U.S. targets, U.S. businesses and government agencies have complained for years about attacks originating from China.

The Chinese government noted the existence of the country’s cyberwarfare unit in “The Science of Military Strategy,” a publication put out by a research institute of the People’s Liberation Army, according to news reports this week. The U.S. military has acknowledged its own cyberwarfare capabilities for over a decade.

Monetizing medical data is becoming the next revenue stream for hackers

The personal information found in health care records fetches hefty sums on underground markets, making any company that stores such data a very attractive target for attackers.

“Hackers will go after anyone with health care information,” said John Pescatore, director of emerging security trends at the SANS Institute, adding that in recent years hackers have increasingly set their sights on EHRs (electronic health records).

With medical data, “there’s a bunch of ways you can turn that into cash,” he said. For example, Social Security numbers and mailing addresses can be used to apply for credit cards or get around corporate antifraud measures.

New attacks suggest leeway for patching Flash Player is shrinking

Cybercriminals are exploiting newly patched vulnerabilities faster, a sign that users and companies need to improve their software updating habits.

Researchers from both Malwarebytes and FireEye reported Thursday that drive-by download attacks using the Nuclear Exploit Kit target a vulnerability that was patched last week in Flash Player.

The flaw, which is tracked as CVE-2015-0336, was fixed by Adobe on March 12. It affects all Flash Player versions older than 17.0.0.134 on Windows and Mac, 11.2.202.451 on Linux and 13.0.0.277 ESR (extended support release).