Android apps that use Dropbox for storage and are built using an older version of its SDK are vulnerable to an attack that can steal data, although Dropbox has released a fix, according to IBM security researchers.

IBM’s application security research team said Wednesday they had found a way to link their own Dropbox account to an Android app on another person’s phone that connects to the storage service. After a successful attack, any data uploaded by the app is delivered to the attacker’s Dropbox account.

Dropbox publishes an SDK (software development kit) for linking its service to an app. The flaw, nicknamed “DroppedIn,” affected Dropbox SDK versions 1.5.4 through 1.6.1 and was fixed in version 1.62, IBM said in a blog post.
The private email system used by Hillary Clinton when she was U.S. Secretary of State didn’t encrypt messages during the first two months of use, an Internet security company said Wednesday.

That would have left emails sent and received by Clinton in early 2009 vulnerable to eavesdropping, just when British and American intelligence agencies were reportedly spying on world leaders.

Internet records show the clintonemail.com domain was first registered on Jan. 13, 2009. Clinton became Secretary of State eight days later, but it wasn’t until March 29 that the first SSL certificate was issued for the domain, according to Venafi, a security company that analyzes encryption keys and digital certificates.
As security researchers continue to analyze malware used by a sophisticated espionage group dubbed the Equation, more clues surface that point to the U.S. National Security Agency being behind it.

In February, Russian antivirus firm Kaspersky Lab released an extensive report about a group that has carried out cyberespionage operations since at least 2001 and possibly even as far back as 1996. The report detailed the group’s attack techniques and malware tools.

The Kaspersky researchers have dubbed the group Equation and said that its capabilities are unrivaled. However, they didn’t link the group to the NSA or any other intelligence agency, despite similarities between its tools and those described in secret NSA documents leaked by Edward Snowden.
This may finally be the year that the U.S. Congress gives email and other documents stored in the cloud for several months the same privacy protections from police searches as newer files or paper records stored in a file cabinet, say backers of electronic privacy reform.

A coalition of tech companies, digital rights advocates and other groups on Wednesday renewed their call for Congress to change a 29-year-old electronic privacy law called the Electronic Communications Privacy Act (ECPA).

Members of the Digital Fourth coalition have been pushing since 2010 for Congress to change ECPA by requiring law enforcement agencies to get a judge-approved warrant before getting access to a suspect’s digital files stored with a third party for more than 180 days.
As concern grows about data collection by mobile apps, Apple and companies involved with its new ResearchKit software development framework for medical studies say users of the first five apps have nothing to worry about.

Access to health data collected by the apps will be restricted to approved medical researchers and barred from commercial use, and the apps won’t delve into the personal contents stored on a smartphone, according to the companies.

Sage Bionetworks, a nonprofit biomedical research organization in Seattle, handles collecting, de-identifying and storing of the health data gathered from the five apps developed with ResearchKit, Christine Suver, principal scientist and head of open science data governance at Sage, said in an email interview.
If you patched your Windows computers in 2010 against the LNK exploit used by Stuxnet and thought you were safe, researchers from Hewlett-Packard have some bad news for you: Microsoft’s fix was flawed.

In January, researcher Michael Heerklotz reported privately to HP’s Zero Day Initiative (ZDI) that the LNK patch released by Microsoft over four years ago can be bypassed.

This means that over the past four years attackers could have reverse-engineered Microsoft’s fix to create new LNK exploits that could infect Windows computers when USB storage devices got plugged into them. However, there’s no information yet to suggest this has happened.
Four out of five retailers don’t meet payment card security standards

It’s no surprise that so many data breaches involve the disclosure of credit card numbers: 80 percent of retailers failed to meet the Payment Card Industry Data Security Standard (PCI DSS) in a Verizon survey of 5,000 businesses worldwide, Reuters reports. In all the data breaches that Verizon studied, the company involved was not compliant at the time of the incident.

The inventor of credit default swaps is new CEO of bitcoin trading company
Researchers sponsored by the U.S. government have reportedly tried to defeat the encryption and security of Apple devices for years.

Several presentations given between 2010 and 2012 at a conference sponsored by the U.S. Central Intelligence Agency described attempts to decrypt the firmware in Apple mobile devices or to backdoor Mac OS X and iOS applications by poisoning developer tools.

Abstracts of the secret presentations were among the documents leaked by former U.S. National Security Agency contractor Edward Snowden to journalists and were published Tuesday by The Intercept.
A new tool allows hackers to generate URLs that can hijack accounts on sites that use Facebook Login, potentially enabling powerful phishing attacks.

The tool, dubbed Reconnect, was released last week by Egor Homakov, a researcher with security firm Sakurity. It takes advantage of a cross-site request forgery (CSRF) issue in Facebook Login, the service that allows users to log in on third-party sites using their Facebook accounts.

Homakov disclosed the issue publicly on his personal blog in January 2014, after Facebook declined to fix it because doing so would have broken compatibility with a large number of sites that used the service.
Facebook’s Open Compute Project struts its stuff

The Open Compute Project kicks off its annual Silicon Valley summit on Tuesday, where vendors and customers will show their latest designs for low-cost data center hardware. Facebook started the project about three years ago to wrestle some control away from the big vendors and collaborate on open designs that white-box manufacturers can compete to implement. Microsoft, Intel, Canonical and Goldman Sachs will all give updates on what they’ve been building this past year.
In an effort to stop the U.S. government from spying on Wikipedia’s readers and editors, the Wikimedia Foundation will sue the U.S. National Security Agency (NSA) and the Department of Justice (DOJ).

The lawsuit, due to be filed with a coalition of eight civil liberties organizations later Tuesday, challenges what Wikimedia calls the NSA’s unfounded, large-scale search and seizure of internet communications. Using surveillance techniques, the NSA intercepts virtually all internet communications flowing across the network of high-capacity cables, switches and routers that make up the internet’s backbone, which is used by Wikimedia to connect Wikipedia readers and contributors, the organization said in a blog post signed by its senior legal counsel.
When Matthew Rothenberg created a new website in early February, he let about two dozen people know about it through an unlikely medium: postcards.

The unorthodox method was fitting for an unorthodox website called Unindexed. It was the latest project from Rothenberg, a 35-year-old based in Brooklyn, who has created a portfolio of interactive web installations and performance art projects around technology.

Unindexed is no more. The website was coded to erase itself once Google added it to its search index. It lasted a little over three weeks, disappearing forever on Feb. 24.

Rothenberg has done stints as head of product for Flickr and Bitly but for the last couple of years has focused on consulting and his art-technology side projects. His goal for Unindexed was to create a site where people could post comments safe in the knowledge that no record of those posts would ever exist again. It was also coded to prevent Google from caching it.
A collection of computer Trojans that have been used since 2009 to steal data from government agencies, military contractors, media organizations and other companies is tied to cyberespionage malware possibly created by French intelligence agencies.

Researchers from several antivirus companies have found links between the malware programs, which they call Babar, Bunny, Casper, Dino, NBot and Tafacalou. Some share the same command-and-control servers and some use the same implementations for Windows process listing, process blacklisting or export hashing.

In January, German news magazine Der Spiegel published several secret documents about the malware activities of the U.S. National Security Agency and its closest partners, the intelligence agencies of the U.K., Canada, Australia and New Zealand, collectively known as the Five Eyes intelligence alliance.
The Internet of Things is based on sensors and controls in all sorts of devices. When those types of devices are used to create a smart home, they can give residents unprecedented control and insight. The proliferation of smart devices, however, also opens the door to new dangers and threats.

According to research architect Brandon Creighton, with application security provider Veracode, “At the end of the day, you’re installing a device that is really just a tiny computer.” Even with something as simple as a smart light socket that you can control remotely with your phone, what makes that possible is the little computer in the switch that can talk to the Internet, which means that Internet users can talk back.
Some people who use uTorrent, the popular BitTorrent client, are up in arms over the presence of cryptocurrency mining software on their computers, which they say was installed without their permission.

The mining software, made by the company Epic Scale, started appearing for some people earlier this week after they updated to the latest version of uTorrent, a program made by BitTorrent for downloading files. In forums online, users have likened the software to bloatware, as it taxes their computer processor without their consent. Cryptocurrency mining software is used to release bitcoins and other digital currencies by having computers persistently perform complex mathematical calculations.
Two Vietnamese men have been indicted, with one pleading guilty, for hacking into eight U.S. email service providers and stealing 1 billion email addresses and other confidential information, resulting in what’s believed to be the largest data breach in U.S. history, the U.S. Department of Justice announced.

The attacks, running from February 2009 to June 2012, resulted in the largest data breach of names and email addresses “in the history of the Internet,” Assistant Attorney General Leslie Caldwell said in a statement. After stealing the email addresses, the defendants sent spam emails to tens of millions of users, generating US$2 million in sales, according to the DOJ.
British law enforcement agencies arrested a 23-year-old man suspected of being involved in a hacking attack last year against a satellite communications system operated by the U.S. Department of Defense.

The network intrusion occurred on June 15 and resulted in data being stolen from Enhanced Mobile Satellite Services (EMSS), a system operated by the U.S. Defense Information Systems Agency (DISA) that provides U.S. troops and other DoD employees with global communication capabilities, including data transfers and voice calls.

The stolen data included contact information for about 800 people, such as names, titles, email addresses and phone numbers, as well as the identifying numbers (IMEIs) for 34,400 devices, the U.K. National Crime Agency (NCA) said Friday in a press release.
A cryptographic library used in all Windows versions is affected by a recently disclosed vulnerability in SSL/TLS implementations that allows man-in-the-middle attackers to force clients and servers to use weak encryption. Internet Explorer and other programs using the library are affected.

The FREAK (Factoring Attack on RSA-EXPORT Keys) vulnerability stems from a decision made in the 1990s to limit the strength of RSA encryption keys to 512 bits in SSL (Secure Sockets Layer) implementations intended for export, in order to meet U.S. government rules on exports of encryption systems.

Those “export” cipher suites are no longer used today, but a team of researchers recently discovered that many servers still support them and some SSL/TLS clients, including Web browsers, can be forced to accept them because of bugs in the crypto libraries they rely on.
Luxury hotelier Mandarin Oriental has removed malicious software that was used to steal credit card data from some of its hotels in the U.S. and Europe, the company said Thursday.

The security codes for the cards were not compromised, it said, although it wasn't clear if that referred to the cards' PIN (personal identification number) or the three-digit CVV code on the back. No other personal information was taken, the company said in a statement.

An investigation is underway by law enforcement and forensic specialists. An "isolated number of hotels in the U.S. and Europe were affected," but none in Asia, the company said.
Bill targeting data brokers rises from the dead

Their last try failed to pass in 2014, but four U.S. senators have brought back legislation to rein in the data broker business. The law would allow consumers to see and correct personal information held by data brokers, and let them put a halt to having their information shared or sold for marketing purposes. The Data Broker Accountability and Transparency Act, introduced Thursday, is needed because data brokers are a “shadow industry of surreptitious data collection that has amassed covert dossiers on hundreds of millions of Americans,” Sen. Edward Markey said.