Initiative adds EMV support to government channels, more identity theft protections, reporting
Last week US President Barack Obama signed an executive order that will help consumers who are victims of identity theft, as well as speed up the adoption of the Europay, MasterCard, and Visa (EMV) chip standard for credit and debit cards. Under the executive order, parts of the federal government will adopt EMV measures and strengthen the public's ability to monitor their financial health or seek help when necessary.
Users being redirected to dummy sites
China's state firewall is currently hijacking attempts to visit iCloud.com or Microsoft's login gateway, login.live.com, redirecting people to dummy websites, reports say. People visiting iCloud.com through Firefox or Chrome will see a warning page, but visitors with Qihoo -- the most popular browser in China -- are being forwarded directly to a dummy site with no obvious signs it isn't Apple's. It's believed that the Chinese government may be trying to harvest iCloud and Microsoft logins.
Zwipe, MasterCard team up to combine fingerprint authentication, contactless payments
At a press event last week, MasterCard and Zwipe announced a new type of payment card dubbed the Zwipe MasterCard. Where the new card differs from the standard credit or debit card is in the payment process, which relies on biometrics to approve purchases. The Zwipe MasterCard uses fingerprint authentication at MasterCard contactless payment terminals, while retaining the Europay, MasterCard and Visa (EMV) chip on the card.
Hardware appeared to be sourced from Alibaba, software straight OpenWRT
Following allegations casting doubt on the project, the TOR-based Anonabox Kickstarter project has been terminated. Since the launch of the security-minded Anonabox, and nearly instant completion of funding goals, commenters and other figures questioned the source of the hardware, the actual security of the device, and criticized the lack of a promised and complete open-sourcing of the code.
Wi-Fi sync starts automatically once iOS devices are in range
AgileBits has released v5.0 of its password and credit card manager for the Mac, 1Password. The software has been redesigned to match the look of OS X Yosemite, including support for the OS' new dark mode. AgileBits is also exploiting changes to iCloud for "faster and more robust syncing;" the company warns, though, that iCloud sync now requires v5.0 on both iOS and OS X.
Encryption of smartphones hampers security efforts, claims FBI head
The head of the Federal Bureau of Investigation (FBI) has asked companies to back away from encrypting consumer devices by default. Echoing similar comments made last month, Director James Comey spoke to the Brookings Institute yesterday about the issue, which he claims will make it difficult for law enforcement officials to collect evidence from mobile devices.
Microsoft Office for Mac 2011 receives security update
Microsoft released a security update for its Office for Mac 2011 software, the latest release being v14.4.5. The update resolves vulnerabilities that could allow remote code execution if a specially crafted file is opened in an affected version. A successful attacker could gain the same user rights as the current user, and subsequently install programs; view, change or delete data; or create new accounts with full user rights. Full details can be found in Microsoft's latest security bulletin on the matter.
Reddit users suggest Anonabox created from existing routers sold in China
A Kickstarter campaign for a privacy-focused Wi-Fi router has drawn the ire of some Internet users, with the suggestion that all may not be as it seems. Reddit users are complaining about the Anonabox Tor router's claimed "open hardware," with components apparently being sourced from Chinese resellers rather than being designed specifically for the project.
Apple pitching tech to advertisers as an alternative to cookies
Something quietly introduced alongside iOS 8 has been the ability for advertisers to retarget iAds based on in-app browsing actions, a new report says. Apple is, in fact, said to be pitching this to advertisers as a way of circumventing the absence of mobile cookie tracking in iOS. In a given example, someone who adds a pair of shoes to a cart in a retailer's iPhone shopping app -- but decides not to buy them -- may later see an ad for that same pair of shoes from the same retailer, even in another app on his or her iPad. Tapping that ad might redirect the person to their abandoned checkout page and add the shoes back to it.
SSL 3.0 design flaw allows attackers to view contents of encrypted web traffic
Another Secure Sockets Layer (SSL) vulnerability has been discovered by Google, just six months after Heartbleed was first unveiled. Padding Oracle On Downgraded Legacy Encryption ("POODLE") is an issue affecting SSL 3.0, though researchers claim the issue this time is less severe than Heartbleed, despite potentially affecting nearly all browsers and a large number of servers.
Kickstarter campaign for Anonabox vastly exceeds target in first day
Welcome to another edition of Crowdfunding Critic, an article series where the staff of MacNN and Electronista will highlight a new crowdfunded project from sites such as Kickstarter and Indiegogo, with this edition focusing on the popular Anonabox. As always, we are not endorsing a project or warning of any potential funding risks associated with crowdfunded projects, so it is advisable to do your own research before investing.
Third party services likely to blame for Dropbox account leak
Passwords from a supposed pool of 7 million Dropbox accounts have allegedly been leaked by hackers, though Dropbox denies its service has been hacked. A thread on Reddit linked to batches of account credentials, with the poster hoping to receive Bitcoin donations for the leaks, though the exact source of the leaked account details is unknown.
Kmart offering identity theft protection, credit monitoring
Sears-owned retailer Kmart has declared that it has suffered a massive data breach. The company said late Friday that a malware attack that began harvesting data from its point-of-sale computer systems in early September was a "new form of malware" and "similar to a computer virus." Few details have been released by Kmart, but the company warns that the breach could include every shopper between September 1 and Thursday, October 9. Online shoppers were not impacted by the breach.
August infection subjects customers of 395 stores to data theft
Restaurant chain Dairy Queen has confirmed that 395 of its 4,500 US locations have been affected by the "Backoff" malware, which has, in turn, compromised customers' credit card information. Restaurants in 46 states were affected, with customers in Hawaii, Louisiana, Rhode Island and Vermont escaping the malware.
Breach from either Android app or third party web tool SnapSaved
Some supposedly ephemeral messages sent through the SnapChat service have been leaked to the Internet. Private photos collected for years through either the SnapChat archiving Android app Snapsave or the shuttered SnapChat web client SnapSaved have been stolen, and posted en masse to the chat forum 4chan and other similar locations.
Two publicly traded companies will emerge in areas of security, information management
Rumors of Symantec's possible company split look to be true, as the company announced today that a plan was voted on to break the company up. The company, which is known for its line of Norton security products, said that its board of directors unanimously approved a new plan that would create two publicly traded companies, each with their own focus.
Information on ePubs sent in plain text over unencrypted channels to Adobe servers
If Adobe didn't have enough problems with its reputation for security because of how frequently the company's products are used as attack vectors, then the claim that the company collects detailed, personal data through Digital Editions 4 will undoubtedly further alienate some customers. The program, which is used to enforce digital rights management on books borrowed from libraries or other online avenues, reports details on the use of the ePub files back to Adobe, and the transmission is unencrypted, inviting further privacy and security issues.
List of affected Belkin devices, cause of incident both unknown
Some of accessory manufacturer Belkin's router customers are experiencing connectivity issues, predominantly with older models. For reasons unknown, possibly due to a silent, automatic firmware update, some Belkin networking products are refusing connections to the Internet while maintaining local area network connectivity. Some models can be restored by pointing their Domain Name System (DNS) settings to Google's or other providers' servers.
Letter to Vermont attorney general advises of August intrusion
AT&T has admitted that it has suffered a data breach, and is warning customers about the intrusion. The communications provider has written to the Vermont attorney general about the breach, which took place in August; unlike similar breaches at Home Depot, Target, and a previous incident at AT&T itself, this one was instigated by an employee rather than an outside force.
Latest 1Password improves Touch ID support, adds iPhone 6 Plus support
A new version of password manager 1Password has been released for the iPhone and iPad, offering support for the iPhone 6 and iPhone 6 Plus in the form of 3x higher resolution images and improved icons. The update also makes Touch ID support more reliable, and simplifies the app's security settings. A new option has been added to disable third-party keyboards inside the 1Password app (since, theoretically, such a keyboard could transmit keystrokes), and users can now create tags to help sort data. The app itself is free, but a "pro" in-app purchase to unlock additional features costs $10.
Should halt further infections
Apple has issued a silent update to XProtect, the anti-malware system in OS X, to detect and block the inaccurately-named "iWorm" trojan uncovered last week. The new definitions actually mention three variants, identified as "OSX.iWorm.A," "OSX.iWorm.B," and "OSX.iWorm.C." It's not clear what the differences between them might be.
Search engine has scrubbed 'tens of thousands' of links to stolen photos
Google has responded to the letter threatening legal action should Google not purge the Internet of stolen, and sometimes intimate, photos of celebrities. The search engine has denied that it is intentionally profiting on the scandal, and instead has acted quickly and appropriately to takedown requests by removing "tens of thousands" of images from Google search results.
Scope of theft makes consumer protection agencies wary of uptick in phishing
Despite JP Morgan Chase claiming that it isn't seeing enhanced fraud activity, two states have launched an investigation of the event that exposed 76 million households' information, with the promise of more to come. A recent regulatory filing disclosed the leak, with customers' names, addresses, phone numbers, and email addresses stolen -- the bank, however, claims no financial information was stolen.
iOS and 'free-to-play' game blamed
A 15-year-old from Antwerp, Belgium has managed to accumulate over 37,000 euro ($46,000) in iTunes charges on a credit card through in-app purchases, according to local publication Nieuwsblad. The teenager was reportedly playing a free-to-play iOS game called Game of War: Fire Age; several months in, his mother asked him to buy some e-books using her credit card. The boy then discovered he could buy virtual gold in-game using real money, greatly accelerating his progress. The title even has a casino minigame.
Formerly used Reddit as a go-between to steal user data
[Updated with corrected information and further details] A new Trojan threat, possibly disguised as a fake unauthorized build of OS X 10.10 Yosemite, is making the rounds by taking in users who attempt to pirate software. The new malware, dubbed "iWorm" by Russian research firm "Dr. Web," has supposedly been installed by duped users on over 17,000 unique IP addresses worldwide thus far. Users would have had to have downloaded and installed the software in order to be victimized by the Trojan, which is mostly aimed at gathering user data.
Google chairman defends company against implied Tim Cook remarks
Google chairman Eric Schmidt has fought back against comments over the company's security and privacy, following comments laid out by Apple CEO Tim Cook. In an interview which touched upon a recent open letter about privacy from Cook, Schmidt claims "Someone didn't brief [Cook] correctly on Google's policies. It's unfortunate for him."
Number of people affected revealed more than three months after breach discovered
A filing made with the United States Securities and Exchange Commission (SEC) Thursday revealed new information on the scope of the breach that JPMorgan Chase witnessed earlier in the summer. In July the company, along with at least four other financial institutions, discovered an attack by hackers that reportedly resulted in gigabytes of data stolen after they gained high-level access to 90 of JPMorgan Chase's servers worldwide.
Tests reveal keylogger information unencrypted when sent, 'software is unreliable'
A program that is touted as the first step in Internet security for children was examined by the Electronic Frontier Foundation (EFF), only to discover that the software isn't very safe itself. ComputerCop, which the EFF says is distributed by approximately 245 agencies involved in law enforcement in 35 states, is nothing more than branded spyware that is unreliable and sends unencrypted key logs, the foundation says.
Proposals for Facebook research to undergo more stringent reviews
Facebook has admitted fault over its handling of user-based research, a matter which erupted this summer, and is taking steps to prevent such incidents from happening again. The social network is putting in place measures that it hopes will place a greater degree of scrutiny on future research projects, at the time of proposal, and at the time of publication.
Pair of researchers engineer hack, post code to shame companies into action
Security researchers Adam Caudill and Brandon Wilson have published source code for a theoretically-unpatchable USB firmware bug called "BadUSB." First revealed at the Black Hat security conference in July, the finding was reverse-engineered by the two researchers, who say that they published for the public good, and "so people can defend against it." More severe exploits are possible using their method, but Caudill and Wilson are hesitant to release them because of the danger they pose.
Google+ now offering ability to restrict viewers based on age, location
Google's social network, Google+, has added a new privacy feature, allowing its users to limit who views their content based on age and location. The new section, found within Profile Settings, is called Audience; here, an age limit can be selected on content viewing, and users can also select what countries the content can be viewed from. Varying age restrictions can be chosen for each country if desired.
Malware entry vector not yet identified; may capitalize on jailbreak compromise
In an almost unheard-of claim, Lacoon Mobile Security has said that it has discovered a new spyware attack that targets both iOS and Android devices and which appears to be aimed specifically at Hong Kong pro-democracy protesters. Lacoon says it made the discovery while investigating the Android version, but did not clarify how the malware might be installed, or overcome the security built into iOS that has, thus far, kept it largely immune to serious malware or viruses.
Users can enter IMEI to learn more; technology is on by default in iOS 8
Users who are unsure if their iOS device has the anti-theft feature Activation Lock turned on can now easily check through a new page on Apple's iCloud site. While the page is currently not linked from the main menu on iCloud.com -- suggesting it may still be undergoing testing -- it offers users a chance to input the device's serial number or IMEI identifier, and returns information on whether the device is protected.
New $15,000 award for successful submissions, up from $5,000.
Google is increasing the rewards in its bug bounties program, as it tries to make its software more secure. The search company is updating its reward pricing range to between $500 and $15,000 per bug, up from the previous maximum of $5,000 for a high-quality report, with an increased focus on discovering potential vulnerabilities within the Chrome browser.
Newest range of grocery store breaches spans 20 states
Supervalu and Albertson's shoppers may be in for another round of personal information theft notifications. The companies said that a second hack took place in late August or early September, with the company finding malicious software on systems that process credit and debit card sales at some of the company's 1,081 stores. Additionally, the malware was also found at Shoppers Food and Pharmacy, plus Shop 'n Save stores -- but the company believes that the installation was not successful, and failed to capture payment data.
Dueling regulatory boards fight over future of ISP regulation
Allegedly concerned about protecting the American consumer, US Federal Trade Commission (FTC) head Maureen Ohlhausen has come out as strongly against Federal Communications Commission (FCC) Chairman Tom Wheeler's net neutrality provision -- specifically, the possibility of Title II regulation of ISPs. The comment against the possibility of regulating Internet providers as a utility is the FTC's second in September.
Updates bash for OS X Lion, Mountain Lion and Mavericks
Although nearly all Mac users are unaffected by the issue, Apple has made good on its word to quickly fix a serious security flaw in bash, a Unix shell that comes as part of OS X. Apple acknowledged the problem on Friday, and today released OS X bash update 1.0 for OS X Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9). The flaw, known as "Shellshock," could leave users who have set up advanced Unix services that interact with the web vulnerable to remote intrusion.
SSL added after Google's decision to rank encrypted sites higher in search rankings
CloudFlare is pushing its users toward security in a good way, as it is adding Secure Sockets Layer (SSL) encryption to all of its customer accounts starting today. Where the company says that only around two million sites supported encrypted connections previously, CloudFlare believes it will double that number by the end of the day. The SSL encryption is being added to all accounts, even those of free users.
Fines not the central means of enforcement -- violators face wide block
Russia's Internet watchdog has sent formal notices to Google, Facebook, and Twitter this week, enforcing early compliance with the country's social media law, requiring services with more than 3,000 readers in a day to register with the overseeing governmental agency and store data within the country. Deputy chief Maxim Ksenzov of Roskomnadzor, the agency in charge of enforcement of the law, has said that the trio will be "forced one way or another to obey the law" despite being international companies.
Only those running advanced UNIX services should be concerned, fix is on the way
An Apple spokesperson has reassured Mac users that the "vast majority" of users are not at risk from a serious bug discovered in the UNIX shell Bash that some researchers have called "potentially bigger than the Heartbleed vulnerability." Apple says that only those who have configured "advanced UNIX services" using the Terminal in OS X could be at risk from the flaw -- which would mean that nearly all OS X users would be unaffected. Nevertheless, the company is said to be working on a fix.
Agency thinks Android L, iOS 8 security put consumer security ahead of law enforcement
Addressing reporters in Washington today, Federal Bureau of Investigation (FBI) Director James Comey voiced his concerns over the recent shifts in security policy for Android and iOS 8. Specifically, Comey believes that the new security encryption measures that cannot be bypassed for law enforcement puts consumers before possible emergency situations.
Vulnerability in Apple iCloud patched a week after celeb photo leak
According to emails between Apple and a security researcher, the brute-force method of attack on iCloud passwords had been known to the Cupertino manufacturer since March 26 of this year, well before the attack on celebrity accounts. A lengthy email chain, made public in recent days, documents communications between the researcher and Apple, as well as Apple's continued requests to Ibrahim Balic for more information on the exploit.
Major security risk could be bigger issue than Heartbleed
A new bug may have a greater potential for harm than April's Heartbleed vulnerability, according to reports. The "Shellshock" vulnerability in Bash, a Unix shell typically used in Linux systems as well as in OS X, apparently allows code held in environment variables to be executed by the shell as soon as it is invoked, potentially allowing another user to take control of affected systems.
Assault detected July 30, all stores purged by September 5.
Sandwich chain Jimmy John's has reported a security breach, exposing information from customers of 216 locations. According to the chain, the company discovered at the end of July that an unknown assailant stole credentials from a vendor, and accessed the point-of-sale system. This action installed data-collecting malware at some locations between June 16 and September 5 of this year, with most infestations cleared out before the middle of August. The company reports that the security problem has been addressed, and it is once again safe to use credit cards at all stores.
Android, iOS security product featured on Amazon Home Automation
Home technology company Icontrol today announced that the Piper all-in-one home security, video monitoring and automation device is now available on Amazon's new Home Automation store. The CTIA award-winning Piper suite allows users to monitor and interact with home automation through the Internet, without service contracts or fees.
Suit alleges deceptive practices, money dispersion, misuse of company funds
More controversy is further tarnishing virtual currency Bitcoin's reputation. Last week, the US Federal Trade Commission (FTC) filed a civil suit against Butterfly Labs, creator and manufacturer of Bitcoin mining rigs. The suit alleges that the three members of the board of directors have engaged in fraudulent and deceptive practices, plus misappropriation of company funding.
New bill gives information same protection as material goods under law
In the shadow of Microsoft's dispute with the US Department of Justice, Senators Orrin Hatch (R-UT), Dean Heller (R-NV), and Senate Judiciary Committee member Chris Coons (D-DE) have proposed legislation to codify law enforcement access to citizens' data stored internationally. The bill, titled the Law Enforcement Access to Data Stored Abroad Act, seeks to authorize the use of extraterritorial search warrants, but to vacate such warrants if executing them would require the parties involved to break the laws of another country.
Managers' refrain when staff asked for more training: 'we sell hammers'
Following the revelation that 56 million credit card transactions were stolen by miscreants, more information is coming out about the hack and The Home Depot's reportedly long-term lackadaisical security. According to employees familiar with the situation, the company was warned as early as 2008 that security would be a problem, was excruciatingly slow to respond to threats, and often took no action against perceived attacks or dangers.
Rex Chapman accused of faking payment, facing 14 felony charges
Former Phoenix Suns professional basketball player Rex Chapman was arrested on Friday, and accused of shoplifting $14,000 in Apple merchandise using Apple's EasyPay self-checkout system. Apple store employees reported the player, after recognizing him "based on his previous celebrity status as an NBA basketball player," according to Scottsdale, AZ police.
Service shut down in San Francisco, attempts rebirth in other locales
Parking spot resale service Monkey Parking has quietly relaunched in Santa Monica and Beverly Hills, California. While not currently illegal in the cities, city attorneys have taken note of the launch, met with representatives from the service, and are claiming that they will take steps rapidly to stop the service from operating.