Archive

Category Archives for "Network World Security"

Researchers find same RSA encryption key used 28,000 times

What if the key to your house was shared with 28,000 other homes?

That’s essentially what researchers with Royal Holloway, University of London, discovered last week while scanning the Internet to see how many servers and devices are still vulnerable to the Web security flaw known as “FREAK.”

Revealed on March 3, the FREAK flaw lets an attacker downgrade a connection that uses the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol to weak export-grade RSA keys, making it much easier to break the encryption and view the traffic. It was the latest in a string of flaws found over the last year in widely used open-source software.
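The two findings above, a key reused across many hosts and keys small enough for FREAK to be exploitable, are exactly what a scan like the Royal Holloway one sorts on. The check below is an added example written for this page; it is not the researchers’ code or the article’s. The hostnames are placeholders and the moduli are filler of the right length rather than real keys, so the input is constructed; the thresholds (512 bits for export-grade, 1024 bits as the weak cut-off) are this example’s own choice.

```python
"""Flag RSA moduli that are shared across hosts or are export-grade (512-bit)."""
import hashlib
from collections import defaultdict

EXPORT_GRADE_BITS = 512   # the RSA_EXPORT key size FREAK downgrades a connection to
WEAK_BITS = 1024          # anything at or below this is treated as weak here

# Constructed scan output: (host, RSA modulus in hex). Hostnames are placeholders
# and the moduli are filler of the right length, not real keys.
SAMPLE_SCAN = [
    ("cpe-1.example.net", "f" * 128),   # 512-bit
    ("cpe-2.example.net", "f" * 128),   # same 512-bit modulus as cpe-1
    ("cpe-3.example.net", "f" * 128),   # and again
    ("www.example.org",   "e" * 256),   # 1024-bit, unique
    ("mail.example.org",  "d" * 512),   # 2048-bit
    ("vpn.example.org",   "d" * 512),   # 2048-bit, shared with mail
]


def key_bits(modulus_hex):
    """Bit length of the modulus, which is what 'a 512-bit key' refers to."""
    return int(modulus_hex, 16).bit_length()


def fingerprint(modulus_hex):
    """Short SHA-256 fingerprint of the modulus bytes, for reporting."""
    return hashlib.sha256(bytes.fromhex(modulus_hex)).hexdigest()[:16]


def classify(bits):
    """Bucket a key size: export-grade (FREAK territory), weak, or ok."""
    if bits <= EXPORT_GRADE_BITS:
        return "export-grade"
    if bits <= WEAK_BITS:
        return "weak"
    return "ok"


def find_shared_keys(scan):
    """Group hosts by modulus and return, for every modulus seen on more than
    one host, {fingerprint: {"bits": n, "hosts": [...]}}.

    Each entry is a single target: factor that modulus once (feasible within
    hours at 512 bits) and the private key is recovered for every host listed."""
    hosts_by_modulus = defaultdict(list)
    for host, modulus in scan:
        hosts_by_modulus[modulus.lower()].append(host)
    shared = {}
    for modulus, hosts in hosts_by_modulus.items():
        if len(hosts) > 1:
            shared[fingerprint(modulus)] = {
                "bits": key_bits(modulus),
                "hosts": sorted(hosts),
            }
    return shared


def report(scan):
    """Human-readable lines, smallest (worst) shared keys first."""
    lines = []
    shared = find_shared_keys(scan)
    for fp, info in sorted(shared.items(), key=lambda kv: kv[1]["bits"]):
        lines.append(
            f"{fp}: {info['bits']}-bit ({classify(info['bits'])}) shared by "
            f"{len(info['hosts'])} hosts: {', '.join(info['hosts'])}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SCAN)))
```

In practice the modulus column comes from the scanner’s certificate output (for example the public key extracted from each leaf certificate); grouping on the modulus rather than on the whole certificate is deliberate, because vendors that ship one key across a product line often wrap it in per-device certificates.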

What, me worry? Despite Snowden leaks, Americans’ use of the ‘Net largely unchanged

Don’t worry, be happy. That seems to be the attitude most Americans have toward widespread government snooping on their Internet activities.

Numerous leaks illuminating the massive scale of government surveillance programs have not rattled Americans. Relatively few people have made major changes to better secure their online communications and activities, even after the alarming revelations in Edward Snowden’s leaked NSA documents, according to the results of a Pew Research Center survey published Monday.

Snowden, a former contractor for the NSA, blew the lid off government monitoring programs starting in mid-2013, leaking documents that reportedly showed how the U.S. government monitored and collected people’s personal data held by Internet and telecom companies.

State Dept. expects email back online later Monday

The U.S. Department of State expects its main unclassified email system to be back in operation later Monday after security upgrades, but wider Internet access could take longer to get back online.

The department, which says it fights off “thousands” of hacking attacks each day, took its system offline over the weekend “to ensure the integrity” of the network.

“It was about further enhancing our security capabilities,” State Dept. spokeswoman Jen Psaki said at a regular briefing on Monday.

She said it would take some time for the entire Internet system to be back online at the government department, but email would be the first step and is expected to return on Monday night.

EU Parliamentarians visit U.S. to talk data protection, mass surveillance

Data protection and mass surveillance are high on the agenda for talks between members of the European Parliament (MEPs) and their U.S. counterparts in Washington, D.C., this week.

A delegation of 11 MEPs, all members of the Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE), are in Washington to discuss major issues. One of them is the renewal of the so-called Safe Harbor deal that regulates the transfer of personal data of EU citizens to the U.S.

In the wake of Edward Snowden’s 2013 revelations about U.S. government spying, the European Commission—the E.U.’s executive branch—gave the U.S. 13 demands that it wanted met in order for the Safe Harbor deal to continue. So far, however, no agreement has been reached. A summer 2014 deadline was postponed and the Commission now hopes to conclude talks on the deal by the end of May.

Yahoo’s new on-demand password system is no replacement for two-factor authentication

In an effort to simplify authentication for its services, Yahoo has introduced a new mechanism that allows users to log in with temporary passwords sent to their mobile phones.

If this sounds like a two-factor authentication system, where users need to provide one-time codes sent to their mobile phones in addition to their static passwords, it’s not. Yahoo already had that option.

Instead, the new log-in mechanism, which is based on what Yahoo calls on-demand passwords, still relies on a single factor: possession of the phone number that receives the SMS. Anyone who can read or redirect that SMS can log in without knowing anything else.

Yahoo users—only those based in the U.S. for now—can turn on the new feature from their account security settings on Yahoo’s site. They will need to provide a phone number and then confirm that they have access to it by inputting a verification code sent to them via SMS.

Government requests for Facebook data continue to grow

Requests from governments for people’s Facebook account data were overall on the rise in the second half of 2014, though they declined in the U.S. and Germany.

The total number of requests rose slightly to 35,051, up from 34,946 in the first half, Facebook said in a post on its updated Global Government Requests Report released Monday.

The vast majority of requests relate to criminal cases including robberies and kidnappings, the social networking company said. In many of the cases, the government was seeking basic subscriber information such as name and registration date. In others, law enforcement also sought access to IP address logs or account content.

Yahoo puts email encryption plugin source code up for review

Yahoo released the source code for a plugin that will enable end-to-end encryption of email messages, a planned data-security improvement prompted by disclosures of U.S. National Security Agency snooping.

The company is asking security experts to look at its code, published on GitHub, and report vulnerabilities, wrote Alex Stamos, Yahoo’s chief information security officer, in a blog post.

The plugin should be ready by year end, wrote Stamos, who gave a presentation on Sunday at the South by Southwest conference in Austin, Texas.

BlackBerry teams with Samsung and IBM to offer governments a secure tablet

BlackBerry is returning to the tablet market—this time with the help of Samsung Electronics, IBM and Secusmart, the German encryption specialist BlackBerry bought last year.

This is not the PlayBook 2 that BlackBerry was rumored to be working on last year, but the SecuTablet, developed by Secusmart and IBM for a German government department.

The SecuTablet is a Samsung Galaxy Tab S 10.5 LTE 16GB bundled with some software from IBM and Secusmart’s special MicroSD card, which combines a number of cryptographic chips to protect data in motion and at rest. Samsung’s Knox secure boot technology ensures that the OS on the tablet has not been tampered with, while IBM’s contribution to the security chain is to “wrap” certain apps in an additional layer of code that intercepts and encrypts key data flows using the Secusmart hardware.

State Dept. to shut down email system to clean out malware

The U.S. Department of State will shut down its unclassified email system for a short time to clean up malware that may have resided there since late last year.

The State Department said Friday it has scheduled a planned outage of the unclassified email system to make security improvements and to respond to “activity of concern” on the network.

The State Department’s unclassified email system was compromised by a suspected state-sponsored hacking campaign, possibly originating in Russia, according to media reports from November.

EU ministers OK new cross-border data protection plan, sparking criticism

Ministers of European Union countries have agreed on a new plan to deal with cross-border privacy cases. Companies and a variety of critics, though, have called the proposal a mess.

The plan, at least originally, was supposed to put in place a “one-stop-shop” mechanism that would make it easier for businesses and citizens to deal with privacy-related complaints. The idea of a streamlined approach to resolving privacy issues is a key pillar of EU data-protection reform and member states agreed on a version of such a plan on Friday, said Věra Jourová, European Commissioner for Justice, during a press conference.

At the moment, companies operating in the EU like Google, Facebook and Apple can be held responsible for privacy issues by national data protection authorities (DPAs). In Google’s case, for instance, this has led to multiple simultaneous investigations into the privacy policy it introduced in 2012. Enforcement actions related to various complaints have been taken in several EU countries.

Don’t trust other people’s USB flash drives, they could fry your laptop

Have you ever heard stories about malicious USB thumb drives frying laptops and thought they were far fetched? An electronics engineer heard them too, and then set out to create a prototype.

The “USB Killer” device was created by a do-it-yourself hardware enthusiast who described his project, complete with pictures and technical details, on a Russian blogging platform in February. An English-language version was posted on a different site earlier this week.

The malicious USB thumb drive uses an inverting DC-to-DC converter to draw power from the computer’s USB port in order to charge a capacitor bank to -110 Volts (negative voltage). The power is then sent back into the USB interface via a transistor and the process is repeated in a loop.

Google error leaks website owners’ personal information

A Google software problem inadvertently exposed the names, addresses, email addresses and phone numbers used to register websites after people had chosen to keep the information private.

The privacy breach involves whois, a database that contains contact information for people who’ve bought domain names. For privacy reasons, people can elect to make information private, often by paying an extra fee.

Craig Williams, senior technical leader for Cisco’s Talos research group who discovered the issue, said the data will make it easier for cybercriminals to draft phishing emails that try to trick victims into divulging information or clicking on malicious links.

Senate panel secretly approves cyberthreat sharing bill

A U.S. Senate committee has voted in secret to approve a controversial bill that seeks to encourage businesses to share information about cyberthreats with each other and with government agencies.

The Senate Intelligence Committee, meeting behind closed doors, voted 14-1 late Thursday to approve the Cybersecurity Information Sharing Act (CISA), even though Senator Ron Wyden, who cast the lone vote against the legislation, said it doesn’t adequately protect privacy.

“If information-sharing legislation does not include adequate privacy protections, then that’s not a cybersecurity bill—it’s a surveillance bill by another name,” Wyden said in a statement. The bill would have a “limited impact” on U.S. cybersecurity, he added.

Google services disrupted by routing error

Google’s services were disrupted briefly on Thursday after a broadband provider in India made a network routing error.

The provider, Hathway, made a technical change that caused traffic to more than 300 network prefixes belonging to Google to be directed to its own network, wrote Doug Madory, director of Internet analysis at Dyn, which studies global traffic patterns.

This type of error is seen daily across the internet. It involves BGP (border gateway protocol), which is used by networking equipment to direct traffic between different providers. Changes in the network are “announced” by providers using BGP, and propagate across the internet to other providers over time.
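Monitoring services such as Dyn’s catch an event like this by comparing what the routing table says against what it should say. The code below is an added example written for this page, not Dyn’s tooling or anything from the article: it keeps an expected-origin table (what a ROA or an operator’s own prefix list would contain) and flags announcements whose origin AS disagrees, including the harder case of an unexpected more-specific prefix, which wins in routing even when the legitimate announcement is still present. The prefixes and AS numbers are constructed from documentation and private ranges and are not Google’s or Hathway’s real ones.

```python
"""Flag BGP announcements whose origin AS does not match the expected origin."""
import ipaddress

# Constructed expected-origin table: documentation prefixes, private ASNs.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64500,
}

# Constructed update feed: (timestamp, prefix, AS_PATH as seen by a collector).
SAMPLE_UPDATES = [
    ("10:00:01", "203.0.113.0/24", [64510, 64500]),          # legitimate
    ("10:05:12", "203.0.113.0/25", [64510, 64520, 64530]),   # more-specific, wrong origin
    ("10:05:13", "198.51.100.0/24", [64510, 64530]),         # same prefix, origin changed
    ("10:07:00", "192.0.2.0/24", [64510, 64540]),            # not in our table: ignored
]


def origin_as(as_path):
    """The origin AS is the last AS in the AS_PATH."""
    return as_path[-1]


def check_update(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return None if the announcement is consistent with the expected-origin
    table, otherwise a short reason string.

    Longest-prefix match means an unexpected /25 inside a known /24 diverts
    traffic just as effectively as announcing the /24 itself, so both cases
    are flagged. Less-specific covering prefixes do not pull traffic away
    from the real /24 and are not checked here."""
    net = ipaddress.ip_network(prefix)
    origin = origin_as(as_path)
    for known, owner in expected.items():
        known_net = ipaddress.ip_network(known)
        if net.version != known_net.version:
            continue
        if net == known_net:
            if origin != owner:
                return f"origin changed: AS{origin} announced {prefix}, expected AS{owner}"
            return None
        if net.subnet_of(known_net):
            if origin != owner:
                return (f"more-specific hijack: AS{origin} announced {prefix} "
                        f"inside {known} (expected AS{owner})")
            return None
    return None


def detect_leaks(updates, expected=EXPECTED_ORIGINS):
    """Run check_update over a feed and return [(timestamp, reason), ...]."""
    alerts = []
    for ts, prefix, as_path in updates:
        reason = check_update(prefix, as_path, expected)
        if reason is not None:
            alerts.append((ts, reason))
    return alerts


if __name__ == "__main__":
    for ts, reason in detect_leaks(SAMPLE_UPDATES):
        print(ts, reason)
```

A real deployment feeds this from a route collector or a looking-glass dump rather than a list, and treats the expected-origin table as authoritative data (RPKI ROAs, or the operator’s own prefix registrations) rather than a hand-written dictionary; the comparison itself does not change.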

New ransomware program targets gamers

A new malware program attempts to extort money from gamers by encrypting game saves and other user-generated files for popular computer games.

The new threat, which claims to be a variant of the notorious CryptoLocker ransomware, targets 185 file types, over 50 of which are associated with computer games and related software.

This is the first ransomware program to specifically target games, according to researchers from security firm Bromium, which recently found it. It was distributed via a drive-by download attack from a compromised website that directed users to the Angler exploit kit.

The malicious program encrypts game saves, maps, profiles, replays, mods—in other words, custom content that users would not be able to recover by simply reinstalling the game.

EU law makers to discuss whether Facebook qualifies as critical infrastructure

European legislators are about to reopen a debate on whether Facebook and Twitter should be subject to the same rules as power grids and payment services for protecting critical IT infrastructure and the data it carries.

The proposed rules require providers of essential energy, transport, banking and healthcare services to protect their communications networks from hacking and intrusion, and to disclose security breaches. “Key Internet enablers” such as e-commerce platforms and search engines might also have to comply with the rules.

Which companies the new law will cover, though, is a focus of upcoming negotiations between the three European Union law-making bodies.

The Upload: Your tech news briefing for Thursday, March 12

High-end phones on the way with LG, Huawei next in line

If you were disappointed with the shortage of new flagship smartphones at Mobile World Congress last week, just hang on until next month. LG Electronics is expected to announce the highly anticipated successor to its good-looking G3—the G4?—that may sport a 1620 x 2880 pixel display. Huawei has started to post teasers for an event on April 8 for its P8, likely to offer a screen that’s a bit larger than the Ascend P7’s 5 inches, better battery life and an improved camera. Even Sony, which badly needs a big hit, may jump in the fray, with the Xperia Z4.

Google researchers hack computers using DRAM electrical leaks

Google researchers have written the first-ever attack code that takes advantage of electrical interference between densely packed memory cells, a unique style of attack that could require changes in chip design.

The work builds on a paper published last year by Carnegie Mellon University and Intel, which found it was possible to change binary values in stored memory by repeatedly accessing nearby memory cells, a process called “bit flipping.”

DRAM memory is vulnerable to such electrical interference because the cells are so closely packed together, a result of engineers increasing a chip’s memory capacity.

Twitter bans stolen nude photos and revenge porn

Twitter has amended its policies to ban the posting of intimate photos and videos taken without the person’s permission.

“You may not post intimate photos or videos that were taken or distributed without the subject’s consent,” the company added to its rules on Wednesday. Twitter otherwise allows pornographic content, but not in people’s profiles, headers or background images.

Content that is identified as violating Twitter’s policies will be hidden from public view, and users posting it will have their accounts locked. Users will be required to delete the content in question before they can return to using the site.