Source code mandated to be made available for inspection, other onerous rules
At the end of last year, the Chinese government approved a 22-page set of regulations for the sale of computer equipment to Chinese banks, but that will ostensibly apply to all enterprise sales. The rules require foreign companies to turn over source code, submit to audits, and build "back doors" into hardware and software so that the government can monitor devices. The new rules are expected to be the first in a series to be introduced across the next few months.
Code-Name Levitation collects file download data indiscriminately
Canada's Communications Security Establishment (CSE), the Canadian equivalent to the US's National Security Agency (NSA), has been collecting data from roughly 15 million file downloads per day according to The Intercept journalists Ryan Gallagher and Glenn Greenwald, and CBC News. The surveillance operation, called Levitation, was revealed in a collection of files provided by Edward Snowden.
Vulnerability found in Silent Text app included with BlackPhone
A flaw in a security-focused Android smartphone's software caused it to be susceptible to attack, according to a security researcher. A now-patched vulnerability in an app included on the BlackPhone allowed attackers to read encrypted messages, contacts stored on the smartphone, and to also remotely control device functions.
Apple credits TaiG team in release notes
Yesterday's iOS 8.1.3 update sabotages the TaiG jailbreak tool, users say. The hack was functional through iOS 8.1.2, outdoing Pangu, which stopped working as of v8.1.1. Although the TaiG team itself hasn't confirmed the problem, Apple's notes for v8.1.3 actually credit the group with finding four security vulnerabilities.
Proceeding RM-11737 resolved with public notice against blocking
A petition by Marriott, Hilton, and an association of hotel owners asking for permission to block guests from creating their own Wi-Fi hotspots has been resolved today in a public notice by the Federal Communications Commission (FCC). Specifically, the blocking of personal Wi-Fi hotspots is prohibited, and will be "aggressively" investigated and acted against, according to the agency.
Upgrades Time Machine with iCloud Drive browsing
Simultaneously with the launch of iOS 8.1.3, Apple has also released the finished version of OS X 10.10.2. As anticipated, the one feature addition is the ability to browse iCloud Drive items from within Time Machine. Elsewhere, the update is dedicated solely to squashing bugs, such as Wi-Fi disconnects, webpages loading too slowly, and various security and stability problems in Safari.
Generally directed at bugfixes
Apple has released iOS 8.1.3 via iTunes and as an over-the-air download. Though primarily a maintenance update, it does make one important change: reducing the amount of storage that will be needed for future over-the-air upgrades. The amount of space iOS 8 required for an OTA update was a common complaint by users; on 16GB iPhones and iPads, there is frequently too little room left, forcing people to use iTunes instead. Apple hasn't said how much storage will be needed in the future.
Facebook denies downtime caused through Lizard Squad hack
A brief one-hour outage of Facebook and Instagram last night was not caused by hackers, the social network has admitted. Refuting claims by a hacking group that it was behind the downtime, Facebook says the outage was caused by a change to its own systems that it quickly repaired, rather than by an outside group attacking its servers.
Update should also fix Wi-Fi, Bluetooth, Mail security problems
[Updated with claims about Thunderstrike fix] Apple has seeded a new beta of OS X 10.10.2 to its workers -- build 14C109 -- that includes release notes explaining the update's major changes. The most significant may be the addition of iCloud Drive browsing within Time Machine, which should let people track related changes and find items that were previously stored in the cloud. Apple has also made a number of fixes, though, most notably solving a Spotlight vulnerability that automatically loaded remote content in Mail messages.
All previous versions vulnerable, attacks on un-updated machines seen in wild
Adobe has again had to issue an update to the browser plug-in version of Flash due to a critical flaw in the program that allows remote attackers to take over un-updated Macs or PCs, the latter running either Windows or Linux. The company urges users to update to the latest version, first issued on Friday, that patches the problem -- however, all previous versions should be considered at risk, and there are not yet any Chrome browser or standalone updaters available.
Arduous record-keeping required at point-of-sale, will make system less safe
A St. Louis, Missouri governmental official sees weakness in electronic payment security, and is seeking to mandate identification presentation in conjunction with an Apple Pay transaction, or other similar electronic payments. A bill from Democrat Joshua Peters of Missouri's state House of Representatives will, if passed into law, not only require sales staff to verify the identity of the purchaser, but to retain this information as well.
Thorough online and anti-malware security – if you want that kind of thing
Look, it's not that Macs are completely free of risk, but we're not running Windows here. One of the advantages of our platform of choice is that it isn't so riddled with viruses, and there aren't so many malicious applications, that you need third-party security software just to be able to sleep at night and work in the day. Macs currently face no known virus threats, and almost no malware (apart from a recent scourge of "adware" that attacks both Mac and Windows web browsers, and the ongoing issues with Flash and Java). So what's the point of an OS X "anti-virus" program like Kaspersky Internet Security?
Third exploit may have already been patched
OS X 10.10.2, still in beta, fixes a pair of zero-day exploits uncovered by Google's Project Zero, reports say. The Project Zero team has newly-published data relating to three OS X vulnerabilities, in accordance with a 90-day disclosure policy; Apple was informed of them in October. One is believed to have already been fixed in OS X Yosemite as of January 8, but in theory the remaining two could be used to attack v10.10.1 users.
Free games, subscription time, compensation offered to US PlayStation owners
Sony is providing compensation to PlayStation Network users in the United States affected by a major breach in April 2011, half a year after agreeing to a settlement stemming from a class action lawsuit. The original attack, resulting in the closure of the online service and Qriocity for close to a month, risked the personal data and payment details of more than 77 million accounts.
Data security sticking point with Chinese government, wants no backdoors
Apple has reportedly accepted a Chinese regulatory agency's demands to run network safety evaluations on products sold in the country. China's Ministry for Industry and Information Technology and the State Internet Information Office demanded the inspections in the wake of spying allegations dating to the beginning of 2014, and the claimed need for China to protect users' information safety and privacy.
Video chat service from Mega touts end-to-end encryption of calls
Kim Dotcom has launched his latest Mega-branded enterprise, providing encrypted chat services. Previously teased by Dotcom, MegaChat is a browser-based video chat service similar to Firefox Hello, allowing users to make and receive calls without installing a separate client, with the main draw being its claim of end-to-end encryption between the conversation participants.
Orwellian law demands passwords if school officials request them
A law that came into effect on January 1 in Illinois is riling up parents of students in the state. Public Act 098-0801, ostensibly passed to cut down on school-age bullying, mandates that school authorities may demand a student -- or a parent -- surrender social media account information, including passwords, if school officials believe that there has been a violation of school rules or procedures. The law applies even to accounts or postings not on school grounds, and made at any time or place. Furthermore, failure to comply will trigger a criminal charge for the student, the parents, or both.
Sondra Arquiett getting paid $134K for use of her likeness without permission
A New York state resident has settled with the US government and the Drug Enforcement Agency (DEA) over a suit involving the law enforcement agency impersonating her on Facebook without her permission. Sondra Arquiett has accepted a $134,000 settlement from the US government, with the agency not admitting to having done anything outside a "legitimate law enforcement purpose."
Attackers can use cell connection to rewrite device; risks range from privacy to 'loss of life and l
Last week at the S4X15 Security Conference, Corey Thuen of Digital Bond Labs presented a talk called "Remote Controlled Cars." The talk outlined security flaws Thuen found in a Snapshot OBD device provided by Progressive Insurance plugged into his Toyota Tundra. Separately, another researcher has found security issues in the Zubie Connected Car service.
Transactions traced between Ulbricht, Silk Road Bitcoin accounts
The latest update in the trial of Ross Ulbricht's involvement with the controversial but now-closed Silk Road contraband market site involves Ulbricht's collection of bitcoins. A researcher who has audited the stash claims that approximately 20 percent of Ulbricht's bitcoin funds were transferred directly from Silk Road to his accounts, a transaction that would have been worth close to $3 million based on the value of the digital currency at the time.
Service previously web-, plugin-, and iOS-based
Password management service LastPass has announced a dedicated Mac client. The software saves logins, credit cards, and other data, and has several unique features as a local app. One of these is Quick Search, which speeds up finding logins and any associated notes. Users can also point their default web browser to a site automatically via a keyboard shortcut; LastPass will automatically fill in login fields.
Letter to Judge Katherine Forrest outlines why government believes questioning is inadmissible
Last Thursday in the trial of United States v. Ross William Ulbricht (also known as the "Silk Road" trial), Ulbricht's attorney, Joshua Dratel, began a line of questioning that suggested his client had been set up by former Mt. Gox CEO Mark Karpeles, with the latter being the "real" mastermind behind the drugs-and-contraband site, which was shut down in 2013. Today, in a letter to Judge Katherine Forrest, the prosecution outlined why it believes the line of questioning is inadmissible.
Profits from stolen phones spent on cars, gold, gambling
Last week in Beijing, three men tunneled underground into a warehouse belonging to an Apple distributor and were able to steal 240 of the latest iPhone 6 and iPhone 6 Plus models. The incident is just the latest in a series of crimes involving the latest iPhone -- resulting in a nickname for the device that translates "Kidney 6," in reference to a case in 2012 when a 17-year-old allowed one of his kidneys to be removed and sold so he could afford to buy an iPhone and iPad.
Public statements first on the matter from the US President
President Obama has, for the first time, publicly acknowledged that encryption is a problem for law enforcement. With UK Prime Minister David Cameron alongside, the President said that there must be both ways to keep citizens' information private, but that there has to be a way to allow law enforcement to surveil both in real-time, as well as decrypt after-the-fact forensically, when a court deems it necessary. "Because this is a whole new world, as David [Cameron] says, the laws that might've been designed for the traditional wiretap have to be updated. How we do that needs to be debated both here in the United States and in the UK," said the President.
Data on 14,241 users with passwords leaked to the Internet following hack
A counter-hack against the Lizard Squad hacking group's distributed denial of service (DDoS) tool LizardStresser has resulted in a customer data theft. Details of 14,241 users of the disruptive hacking tool have been stolen from the group's site, including user names, passwords, and other data stored in plain text, and have now been posted online.
Carrier in home port, no hostilities underway against Chinese
Unknown hackers breached the Twitter accounts of United Press International (UPI) and the New York Post on Friday. Nearly simultaneously, the Twitter feeds of both accounts reported that the carrier USS George Washington had come under fire by the Chinese Navy, and that Pope Francis had announced the start of World War III.
Accused of DDoS against PlayStation Network, Xbox Live, swatting attempts
Another arrest has been made in the United Kingdom, over distributed denial of service (DDoS) attacks on Sony's PlayStation Network and Microsoft's Xbox Live online services, as well as instances of "swatting." An unidentified 18-year-old man was arrested in Southport this morning, with computers and other electronic devices seized by law enforcement officials for further investigation.
Karpeles, Ulbricht both deny being SR owner 'Dread Pirate Roberts'
Homeland Security special agent Jared Der-Yeghiayan took the stand recently in the trial of Ross Ulbricht, who stands accused of running a drug trafficking website called "The Silk Road" that operated for over two years, largely as a marketplace for illegal drugs, stolen data and other criminal activity. Under cross, the defense attempted to claim that former Mt. Gox chief Mark Karpeles was in fact the real owner, who went by the pseudonymous name "Dread Pirate Roberts."
Smartphone or nearby mobile device replaces extra passwords and dongles
According to digital security provider SAASpass, a requirement to possess a separate physical device as part of accessing digital data -- for example a fingerprint reader or separate dongle -- helps prevent nearly all hacking attacks on computers. To that end, SAASpass has recently unveiled its "Computer Connector" apps to provide on-the-fly two-factor authentication, rather than passwords, using smartphones or mobile devices.
President Obama wants hackers prosecuted under racketeering laws
Last month at his year-end press conference, President Obama responded to the first question with a call for stronger cybersecurity laws. Today, the President released a statement detailing what he would like to see in legislative proposals. Some of it attempts to address concerns plaguing CISPA, which has been floundering since 2011 but is staging a comeback in the new Republican-led Congress, among other plans.
Calls secure chat 'safe space' for terrorists, pedophiles, criminals
In many democratic countries, responses to terrorist attacks usually involve the curtailing of some civil liberties in the name of safety. The hacking of Sony, for example, has created momentum for the possible return of CISPA. In the UK, Prime Minister David Cameron has now called for tightening laws around "the internet and new ways of communicating," and specifically hinted at a ban on end-to-end encrypted messaging, in the wake of the terrorist attacks on the Charlie Hebdo magazine offices in Paris.
Security analysts warn of security problems for 60 percent of current users
There comes a time in any piece of software or hardware's life when the company that produced it decides that it's no longer worth providing updates or support for it. That time has apparently come for the version of WebView used by Android Jelly Bean and earlier, which is still installed in roughly 60 percent of Android devices: Google has made the surprising announcement that it will no longer update the default browser technology, opening older devices up to vastly increased security issues.
Google reveals Windows flaw despite Microsoft request to wait
Microsoft is asking for the online security community to better coordinate on the disclosure of vulnerabilities in code, after a publication of a flaw in Windows 8.1 by Google. The search company released details about the vulnerability in the operating system yesterday as part of Project Zero, two days before Microsoft was to offer up a fix in its well-known Patch Tuesday schedule.
Proposals require companies to reveal data breaches within 30 days
President Barack Obama will push for legislation forcing companies to be quicker in revealing major intrusions of their servers, White House officials have advised. In a speech set to take place at the Federal Trade Commission later today, Obama is expected to propose a new law, requiring disclosures over server hacks and other security breaches within 30 days of occurring.
Apple Pay, Google Wallet, Softcard, other NFC-based systems, EMV cards and more
Call it the omni-terminal: point-of-sale terminal maker Verifone has unveiled a new model, the PAYware Mobile e355, which the company says is compatible with all forms of mobile and traditional card payments, from simple magnetic stripe (currently widely used in the US) to chip-and-PIN EMV cards coming this year, and all forms of NFC-based payment systems utilizing iOS, Android or Windows Phone -- including Apple Pay, Google Wallet, Softcard and others.
Hacker group threatens to divulge client identities, bank is unconcerned
Some 30,000 emails from Swiss and foreign clients of the Genevan state bank BCGE have been published by a group or individual calling itself "Rex Mundi." The release of the information occurred on Friday, after the bank declined to give in to demands for a payout to keep the information under wraps. The would-be blackmailer provided the bank with a sample of data from two supposed BCGE clients as proof of the hack, and threatened to publish all of the data unless €10,000 ($11,779 US) was paid by the bank.
Unprotected home, enterprise routers said to be part of Lizard Squad botnet
The attacks against gaming services including the PlayStation Network and Xbox Live over the last month may have been carried out in part by home routers. A report claims Lizard Squad, the hacking group claiming responsibility for the attacks, has access to a large collection of hacked routers, which it is using to bolster its distributed denial of service (DDoS) attacks.
SafeSwitch introduced as hardware-based kill switch system
Qualcomm is going to add a "kill switch" to its mobile processors in the future, with the Snapdragon 810 being the first to receive it. Dubbed Qualcomm SafeSwitch, the technology will allow device producers to offer users the ability to lock down the smartphone or tablet at a deeper level than current equivalents offered in apps or within the operating system.
Service set to automatically load email images despite Mail settings
OS X Yosemite's incarnation of Spotlight is potentially sharing personal data with spammers and possible malicious parties, reports say. An option in Mail lets users turn off the loading of remote content in emails, something security experts recommend in order to avoid letting third parties track behavior. The new Spotlight can search through Mail messages alongside other sources, but in doing so will automatically load remote images, regardless of whether Mail is set to do so or not.
Chinese powerhouse will strengthen anti-counterfeit measures on Tmall, Taobao
In an announcement today on its Alizila News site, the Alibaba Group revealed a plan to work together with Microsoft to stop counterfeit and pirated Microsoft products from being sold on Alibaba's Taobao and Tmall online stores in China. The two companies have signed a memorandum of understanding (MoU) which commits them to jointly conduct programs to alert customers to the dangers of using unlicensed software, and help them seek restitution if they were tricked into buying pirated products.
House Democrat from Maryland hopes to build on momentum from Sony hack
The Cyber Intelligence Sharing and Protection Act (CISPA) is a bill that, if signed into law, allows for the sharing of Internet traffic information purportedly to allow for the investigation of threats to the security of networks and "cybercrime." The bill failed in both 2012 and 2013, amid concerns of "broad language" and threats to privacy, but Representative Dutch Ruppersberger (D-Maryland) plans to reintroduce the controversial bill this Friday.
Cites ongoing problems with Apple's developer agreement
Internet advocacy group the Electronic Frontier Foundation (EFF) released a new app today, allowing Android users an easy way to access its action center and get involved. As part of the announcement, the organization explained there would not be a similar app for iOS, citing issues with the Apple developer agreement. Some elements of the disputed agreement have been around since 2010.
Exchange temporarily closed to migrate site to a more secure host
European Bitcoin exchange Bitstamp suffered a theft yesterday, with its operational wallet, used for customer transactions, being drained of around 19,000 Bitcoins (roughly $5 million in US dollars) in seconds. While the vast majority of the company's coffers are in cold storage, the service has temporarily shuttered, and warned its users not to deposit any of the virtual currency to previously-used Bitstamp addresses.
Blocks hacking tool just one day after release, locks accounts if iDict is attempted
Apple appears to have fixed a flaw in its password security just one day after a hacker announced a new tool that could conceivably breach the existing protection against "brute force" attacks on accounts by taking advantage of an exception. On January 1, a new tool called iDict emerged in a rough state that could bypass repeated password-attempt blocking due to an exception made for iPhones. On January 2, Apple closed that exception and began locking accounts iDict was being used against.
Water Sensor will track household utilities use
Belkin has announced several new sensors for its WeMo home automation line, including the Door and Window Sensor, the Keychain Sensor, and the Alarm Sensor, the last of which triggers if an existing security system goes off. Another addition is a new Room Motion Sensor, which can track heat signatures up to 30 feet away within a 90-degree arc. The unit should ignore pets, and (through the WeMo app) not only let people set alerts or links with other devices, but check the last detected movement in a given room.
New rules are said to contain Title II regulation plans
US Federal Communications Commission Chairman Tom Wheeler is reportedly planning on unveiling a new set of net neutrality rules in the beginning of February. The new rules, which are said to be more aggressive than originally proposed and should incorporate feedback from the public comment process, should come to a vote at the February 26 meeting - and may finally include Title II regulation of broadband, which would apply oversight to ISPs similar to that of utilities, such as water and power.
'The Interview' now top-selling movie on Apple's iTunes Store
On Friday, US President Barack Obama placed new sanctions on North Korea as a "first measure" of retaliation against the country's cyber-attacks on Sony Pictures through an executive order that targets individuals and companies or other entities affiliated with the North Korean government. Obama referred to the North Korean government as "destructive and coercive," and painted the incident as both an attack on a US company and an attack on the right of free expression. The movie that North Korea objected to, The Interview, has since been released and sailed to the top of the iTunes movie charts.
Tool would require more complex implementation to be useful
A new hacking tool available on GitHub is claimed to be able to brute-force access to an iCloud account in a way that avoids Apple safeguards. Dubbed iDict, the tool performs "dictionary" attacks on target iCloud email addresses. Normally these would be stopped by Apple's rate-limiting measures for logins, but iDict disguises itself as an iPhone, a device which for whatever reason is exempt from those limits. At present, the malware offers little threat, but could become more menacing.
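The iDict item above, together with the later report that Apple closed the exemption and began locking accounts, describes one specific failure mode in login rate limiting: a client type that is exempt from the attempt counter. The following is an added illustration, not code from the article or from Apple, of a per-account login guard in both shapes; the thresholds, client labels, and the constructed wordlist are assumptions.

```python
"""Added example (not from the original article): a per-account login guard.

The first policy mirrors the flaw described in the iDict report: attempts that
claim to come from an exempt client type bypass the failure counter entirely.
The second policy is the kind of fix described in the follow-up: every client is
counted and the account locks once the threshold is reached, regardless of
client. Thresholds and client labels are assumed values, not Apple's.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_ATTEMPTS = 5     # assumed: failed attempts allowed before the account locks
LOCK_SECONDS = 900   # assumed: how long the account stays locked


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginGuard:
    # Client labels that skip the counter. Empty set = the hardened policy.
    exempt_clients: frozenset = frozenset()
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def attempt(self, account: str, client: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        st = self.accounts.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"          # lock applies even if the password is right
        if client in self.exempt_clients:
            # Flawed path: nothing is counted, so guessing runs unthrottled.
            return "ok" if password_ok else "denied"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = now + LOCK_SECONDS
            st.failures = 0
            return "locked"
        return "denied"


def replay(guard: LoginGuard, account: str, client: str,
           wordlist: List[str], secret: str) -> List[str]:
    """Feed a constructed wordlist to the guard, one attempt per second,
    and return the guard's verdict for each attempt."""
    return [guard.attempt(account, client, word == secret, now=float(i))
            for i, word in enumerate(wordlist)]


# Constructed sample input: a short wordlist whose last entry is the real password.
WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123", "dragon", "hunter2"]
SECRET = "hunter2"

if __name__ == "__main__":
    flawed = LoginGuard(exempt_clients=frozenset({"iphone"}))
    fixed = LoginGuard()
    # Flawed guard: six 'denied' then 'ok'; the exempt client is never throttled.
    print(replay(flawed, "alice", "iphone", WORDLIST, SECRET))
    # Fixed guard: four 'denied' then 'locked' for the rest, including the correct guess.
    print(replay(fixed, "alice", "iphone", WORDLIST, SECRET))
```

The useful check when reviewing a real limiter is the second run: the correct password on attempt seven is still refused because the lock is keyed to the account, not to who the client claims to be.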
Only 7000 coins claimed to have been taken by external theft
Citing sources close to the law enforcement investigation, Japanese media are reporting that the Mt. Gox Bitcoin exchange theft was largely an inside job. A report published today claims that of the 650,000 purloined Bitcoins, only about 7,000 are missing as a result of external theft, with the rest having been stolen by a source internal to the exchange. However, the newspaper stops short of naming any specific suspects in the case.
Restaurant chain will eat losses if banks do not compensate customers for any breach
A rash of credit and debit card fraud cases has been tracked back to accounts that were all used at various Chick-Fil-A locations around the US. The fast food restaurant joins the ranks of retailers with point of sale security issues. This particular breach appears to have run from December of 2013 to September of 2014.