Should address one central fear
Assault on JPMorgan Chase may be only one of multiple intrusions in August
JP Morgan Chase & Co plus at least four other financial institutions have reportedly come under attack by hackers. According to a quartet of people familiar with the investigation, the possibility exists that gigabytes of customer data, including banking information, may have been stolen with a "zero-day" attack by the assailants, who may be linked to Russian state-sponsored hackers.
Security firm says malvertising hit sites such as Java, DeviantArt and Photobucket
A "malvertising" campaign made the rounds last week hitting at least eight high-profile websites according to security firm Fox-IT. The firm noticed that the sites were redirecting their visitors to other places, allowing it to discover that sites were using vulnerabilities in software like Java and Flash to inject malicious programs. The purpose of the "malvertising" was to infect machines with botnet malware involved in boosting advertisement clicks.
BruteProtect to be rolled into Jetpack, paid service ends to make all features free
Automattic, the company responsible for the WordPress blog platform, announced today that it acquired BruteProtect. The pick up will allow the company to strengthen security of the WordPress platform through its Jetpack service, without additional cost to users. BruteProtect started its life as a plug-in for the popular blogging software, only to expand into other areas of security, server management and premium services.
Major apps identified as culprits
A number of iOS apps -- including Facebook Messenger, Gmail, and Google+ -- have a security vulnerability that could allow malicious parties to force an iPhone to auto-dial, observes Romanian developer Andrei Neculaesei. iOS supports a tel:// URI that can make a call automatically, even though developers are allowed to bypass confirmation prompts for the dialer if they want. Through a vulnerable app and the right web code, a person could potentially be tricked into dialing a toll number. A FaceTime variant could let someone capture images of a person before disconnecting.
Several companies confirm attacks as service returns, hacking group claims responsibility
Some of the most popular gaming services are reportedly under attack as a series of distributed denial of service attacks (DDoS) has been underway since last week. Shacknews reports that Blizzard, Grinding Gear Games, PlayStation Network, Riot and Sony Online Entertainment have all been undergoing a series of attacks leading to connection instabilities and service failures. While the attack was initially thought to be limited to a few companies, it's been discovered that several additional gaming services and websites have been targeted as far back as August 18 by a hacking group.
Presidential advisor believes education, overall government experience sufficient
In an interview with the Information Security Media Group publication, White House cybersecurity coordinator Michael Daniel admits to having no practical experience with the subject matter. Daniel claims that "being too down in the weeds at the technical level could actually be a little bit of a distraction" to his job of advising the president about ongoing and emergent information security issues.
'Backoff' malware has infected 1,000 businesses across US
Target isn't the only US retailer affected by the "Backoff" point of sale malware. Following forensic analysis of the intrusion software, researchers for US government law enforcement have claimed that more than 1,000 businesses have been infected by the same strain that assaulted the big-box retailer, and now UPS storefronts.
Amazon hopes contract will pave the way for cloud-based confidential data
Amazon Web Services has received the first ever U.S. Department of Defense level three through five provisional authorization for the AWS GovCloud (US) region under the Defense Information Systems Agency's (DISA) codified Cloud Security Model (CSM). This new authorization allows Department of Defense users to conduct development and integration activities for everything but classified workflows with Amazon's service.
Stores in 24 states affected by breach, spanned up to seven months in some cases
The UPS Store chain of delivery and packaging facilities has reported that a number of its stores have been the target of a "broad-based malware intrusion," adding that customer data could have been accessed. The United Parcel Service (UPS) subsidiary became aware of the breach on July 31, the same day that the Department of Homeland Security sent out notices regarding a malware called "Backoff," according to the New York Times.
OpenSSL vulnerability the first attack vector, occurred shortly after bug announced
Security firm TrustedSec says that it learned how hackers were able to obtain records from Community Health Systems (CHS). According to a statement released by the firm yesterday, the initial attack occurred through an OpenSSL vulnerability. An anonymous source tied to the investigation told the company that Heartbleed, a vulnerability that has made headlines in recent history, is to blame for the breach.
Software line drops nine different programs, new software launches September 23
Symantec announced earlier this week that it would be issuing a sweeping change to its line of antivirus software to offer consumers a single solution. Starting September 23, the company will begin offering Norton Security for around $80 per year. The change effectively ends releases of Norton Antivirus, the company's main product line that has seen annual releases since the early 90s.
AppleScript, multi-platform hooks make spamming easier
Over 30 percent of all mobile spam messages are now being sent through Apple's iMessage system, claims Tom Landesman, a security researcher at Cloudmark. Many of the messages are pushing fake luxury products, such as sunglasses and handbags. Landesman explains that spammers are -- or were -- taking advantage of several aspects of Apple's ecosystem. However, Apple has responded to the charge, and said that some countermeasures have been implemented.
Package changes developer ad ID with that of assailant with Cydia Substrate
A new piece of malware started infecting jailbroken iOS devices earlier this year. The "AdThief" or "Spad" package hijacks advertising clicks and revenue, and redirects them to the author of the package, rather than the developer who inserted the advertising in the first place. The malware is simple and low profile -- it replaces the developer's ID with the attacker's ID. Mobile ad kits targeted by the AdThief malware are mostly from Chinese vendors, with four in the US, and a pair in India.
Re-signing mandatory for existing apps
Despite recent claims, a Dev Center security breach may not be why developers are being asked to re-sign Mac apps using OS X Mavericks, sources say. An alternative reason for the switch hasn't been mentioned, but unnamed sources are countering reports yesterday from other unnamed sources. In the earlier rumors, it was claimed that one or more hackers had managed to obtain not only Gatekeeper keys but "virtually every key Apple used for everything."
Gatekeeper added to testing list
Apple has posted a new beta of OS X 10.9.5 for developers and AppleSeed participants, identified as build 13F18. Testing areas remain largely the same -- including Safari, graphics, Thunderbolt, and USB/USB smart cards -- but with the addition of a significant change to Gatekeeper, Apple's app-signing security feature. "Signatures created with OS X version 10.8.5 or earlier ('v1 signatures') are obsoleted and will no longer be recognized by Gatekeeper," Apple reminds the developer audience. "To ensure your apps will run on updated versions of OS X, they must be signed using the codesign tool on OS X version 10.9 or later ('v2 signatures')."
Microsoft-provided fix involves registry modification, manual deletion
Plagued by crashes, Microsoft has retracted its Windows patches from August 12. Users that have installed patches 2982791, 2970228, 2975719 and 2975331 are at risk of system instability, or a "0x50 Stop" error on startup, which prevents the system from booting. A fix requires either a clean OS install, or registry modification to purge the afflicted updates.
New malware not stealing info, passwords; just growing
The Gameover Zeus botnet has re-appeared in stronger form, with most of the infections taking place inside the US. The new botnet implementation doesn't rely on the peer-to-peer methodology of the parent strain, but instead relies on a more flexible, and harder to stop, domain generation algorithm (DGA) to determine how the malware botnet will connect with command-and-control servers.
Enterprise Signing Key, Activation Lock keys could have been compromised
An unidentified Twitter user is claiming that recent changes to Gatekeeper in OS X Mavericks and OS X Yosemite, which have forced developers to re-sign their app credentials, are actually the result of a security breach that successfully pilfered the Gatekeeper keys and possibly "many other keys for many other things," according to the user. A corroborating source was located by TUAW that has allegedly confirmed the breach and tied it to the recent alleged Activation Lock hack.
Personal information including social security numbers stolen, no medical information
Today, in a filing with the United States Securities and Exchange Commission (SEC), medical services provider Community Health Systems (CHS) revealed that it was the victim of a cyber attack that spanned a three-month period. According to the filing information, personal information from around 4.5 million patients was stolen, including Social Security numbers.
Child-focused version of YouTube allegedly in development
Google is adapting its services to cater for a younger audience, as the company attempts to make a play for a new generation of user, a report claims. The search company is allegedly working on various child-friendly services which children under the age of 13 will be able to use, provided it receives permission from the child's parent or guardian beforehand.
Breaches target 209 Supervalu stores, AB Acquisition stores in 21 states
Last week, supermarket chain Supervalu announced that it discovered an intrusion into part of its computer network, specifically the portion that processes payments with debit and credit cards. The company believes that card data may have been stolen from 209 of its standard and franchise stores. A day prior, AB Acquisition LLC announced that its systems were breached, but said it had yet to determine if any cardholder data had been stolen.
Apple tries to assuage privacy concerns
Apple is now hosting Chinese iCloud content on a mainland datacenter operated by China Telecom, the company has confirmed to Reuters. Questions were raised when the city of Fuzhou posted a notice on its website confirming the transfer of content to the datacenter, but then retracted the statement. The message indicated that Apple actually began the project 15 months ago, but only finished it on August 8th.
Collective has already released information on Ferguson police chief
[Updated with release of police respondent's name, which may be incorrect] Hacker collective Anonymous has allegedly penetrated the St. Louis County police dispatch computer system, and has released audio excerpts from the day that an unarmed African-American man was shot by police. The "OpFerguson" event underway by Anonymous has crippled Ferguson City's website, and already leaked some details about local police -- a very recent tweet by Anonymous has given the city very little time to respond, and has now released the officer's name involved in the shooting. However, the St. Louis police department claims the collective is wrong, and the person named is an "innocent citizen."
WebKit vulnerability, memory corruption, other issues addressed
Seven potential security and stability flaws in the WebKit engine that drives Safari have been identified and fixed in a new update for the default Mac web browser, which was released on Wednesday. The patch updates the version numbers to 6.1.6 for older OS versions going back to Lion (OS X 10.7.5), and to 7.0.6 for Mavericks (10.9.4). Problems with a WebKit vulnerability that could cause crashes, alongside some memory corruption issues, prompted the update.
Two-day Syrian Internet blackout blamed on failed NSA hack
The National Security Agency (NSA) was behind the two-day Internet blackout of Syria in 2012, claims whistleblower Edward Snowden. The accusation, alongside claims that the NSA is working on an automated malware killer, from Snowden comes at the same time as a separate report appearing to show the NSA collected far more information than was legally allowed.
Device hacked enabling root access, SecureCircle apps unaffected
The "super-secure" Android Blackphone has been hacked by an attendee at the DefCon conference. In less than five minutes, the Google-backed device surrendered root access without unlocking the Android bootloader. Initially contested by the manufacturer, the company, Geeksphone, later thanked "Justin Case" for pointing out the flaw.
Brown likely to sign into law; iOS devices are already compliant
The California state Senate has passed a bill requiring cellphone manufacturers to implement, and providers to activate, a "kill switch" that can be triggered remotely in the case of theft that renders the phone inoperable and unable to be reactivated. Owners of the iPhone are long familiar with these abilities, as Apple has offered them as opt-in features for some time, but the requirement that it be activated when users sign up for service will be new to many.
Most recent version of Internet Explorer required for updates, support for IE8 dropped
Microsoft announced last week that it would be changing its support policy in regard to Internet Explorer. Outlined in the change is migration guidance for versions of Windows past XP, which excludes any further support for Internet Explorer 8. The software giant is urging users to enable Windows Updates to keep up with the most recent updates to Internet Explorer.
Executive outlines technology tied to server reporting, changes including ability to opt-in
Since last month, Chinese phone and tablet manufacturer Xiaomi has been under suspicion of data practices that could be considered harmful to its user base, including the discovery of spyware installed in the Star N9500. Recent reports, and testing by a security firm, indicate that Xiaomi's smart phones, including the RedMi 1S, are reporting information back to servers in China.
Amicus briefs filed with NY Supreme Court decry overly broad warrants
Facebook is battling the New York courts over what it says are overly-broad warrants to examine user profiles and data. Supporting the social media giant, Dropbox, Foursquare, Google, Kickstarter, LinkedIn, Meetup, Microsoft, Pinterest, Twitter, Tumblr, and Yelp have all filed amicus curiae ("friend of the court") briefs with courts in support of the Facebook effort, complaining that services like Facebook are multi-faceted and require more granular warrants, rather than a sweeping motion to collect all data about a targeted user.
Network compromise redirected mining pool traffic to alternate server
Security researchers have discovered a vulnerability in the way cryptocurrencies, such as Bitcoin, are stored in mining pools, allowing for funds to be stolen. Discovered by the Dell SecureWorks Counter Threat Unit, the exploit has allegedly already been used at least once, with one attacker said to have acquired approximately $83,000 using the technique.
Apple never applied to be on energy-saving list, all parties say
The Chinese Central Government Procurement Center -- as well as the Finance Ministry, and Apple itself -- have all denied a recent Bloomberg report claiming that Apple had been deliberately excluded from procurement lists for security reasons, according to Reuters. It had been said that Chinese government agencies were newly banned from buying devices like iPads and MacBooks. All three parties involved now say, however, that Apple never applied to be on the list in question to begin with.
Minimum Intel processor, 10.6 requirement follows eight years of updates
As a confirmation of earlier reports that Skype was locking out users of very old Macs with OS versions below 10.6 Snow Leopard, Microsoft on Thursday issued a memo that confirmed and clarified that it no longer supported the nearly seven-year-old OS X 10.5.8 or any lower releases on the Mac, and that Skype's service now requires a minimum of an Intel processor and 10.6 or later in order to work. How long Snow Leopard will be supported is unclear.
Nearly 4.5 billion records in total collected, 542 million unique email addresses
The New York Times reported earlier this week that a hacker group has collected 1.2 billion unique username and password credentials from 420,000 websites. The records, which were verified by a security firm, are thought to be one of the largest collections of Internet identity information reported. The publication had the data analyzed by another expert, who verified the authenticity of the collection but has not commented on the validity of the data.
Forthcoming iOS 8 upgrade with Touch ID support will be free for current owners
According to a new announcement from AgileBits, makers of the iOS and Mac password management app 1Password, the forthcoming version for iOS 8 will be a free update to existing users. In conjunction with that, and a new report that Russian hackers may -- or may not -- have collected over a billion unique email account credentials, the company has opted to put its iOS version on sale for $10, a cut of $15 from its normal $25 price. The iOS 8 update for 1Password, expected this fall, will add extensions and Touch ID support to the password manager.
HTTPS use by sites will give slight improvement to Google search results in future
A website's usage of HTTPS to secure a connection with its visitors will soon play a role in search rankings, Google has announced. Websites actively adopting HTTPS by default for all traffic could rank higher in results listings than sites which do not use it, as the company continues to push other services online into adding more security to their sites.
About 76,000 email addresses, 4,000 encrypted passwords were publicly accessible
At the beginning of the month, Mozilla issued a release on its security blog that there had been an investigation into accidental disclosure of its database for the Mozilla Developer Network (MDN). The company discovered a problem after a web developer found out that the data sanitization process it runs on the MDN database had been failing. The result was that 76,000 email addresses of account holders, as well as the "passwords of about 4,000 users" were able to be accessed publicly.
Malware strikes un-updated Synology NAS units
Synology product users affected by the SynoLocker attack may have lost their files to the cryptoware. Representatives from Synology have informed Electronista that at this time, they are unable to provide assistance recovering data that has been forcibly encrypted by the malware.
Decrypt CryptoLocker to help recover files lost to malware
Victims of the CryptoLocker ransomware may be able to unlock their files without having to pay. Security experts from FireEye and Fox IT are hosting Decrypt CryptoLocker, a site dedicated to providing keys for affected systems, allowing for encrypted files to become available to users who chose not to pay the malware creator's ransom demand.
Cites security concerns
[Updated with Chinese government denial] The Chinese government has excluded 10 Apple products from its latest procurement list dictating which products can be bought using public funds, according to officials cited by Bloomberg. Among the banned products are all variations of the MacBook and the iPad, but not the iPhone or other Mac models. The products were on a June version of the list, but are said to have been left out as of July due to security worries, though another report quotes government officials as denying this.
Parallels notifies Desktop 8 for Mac users that software will not run on Yosemite public beta
Parallels has released a service notification for users of Parallels Desktop 8 for Mac. Users considering installing the OS X Yosemite public beta 10.10 will not be able to launch Windows applications, or directly use files through Parallels Desktop 8. Parallels Desktop allows for Windows applications to run on OS X without rebooting in systems up to and including 10.9 Mavericks. In order to avoid service disruption, Parallels encourages users to upgrade to version 9 of its software. Upgrading is available for $50, with Parallels Desktop 9 for new users priced at $80.
SynoLocker demanding 0.6 bitcoin to release encrypted data
[Updated with additional info] Network attached storage device manufacturer Synology is reporting that a new form of malware is spreading to some of its customers. Dubbed the SynoLocker cryptoware, the malware encrypts data on the network peripheral, and the perpetrators are demanding 0.6 bitcoin ($350) to get the key to retrieve the files.
Essentially requires all apps be recompiled for Mavericks to avoid Gatekeeper trap
An upcoming change in the way the OS X security feature Gatekeeper works is essentially going to force developers to re-build and re-"sign" their applications and submit updates to Apple for programs that need to run in Mavericks or Yosemite. The upcoming change for security purposes only affects those running the forthcoming 10.9.5 or later, but could cause apps that aren't updated to "break" (not launch) except through bypassing Gatekeeper, which most users will be loath to do. The change will not force users to update their OS versions.
Kaspersky, Symantec said to be excluded from procurement lists, could be due to security concerns
One of China's state-sponsored media channels is indicating that the government has removed all foreign-made software from its list of approved security software purchases. Newspaper The People's Daily posted on Twitter yesterday, indicating that Kaspersky and Symantec are now excluded from the country's government procurement channels.
Adds AppleScript, TCP-over-HTTPS support
Rayner Software has released NetShade 6, an update of its proxy/VPN client for the Mac. The main addition is actually KeyShade, a tool for storing passwords, notes, and bank and credit card info. Data is encrypted using AES-256, and synced across devices. Rayner says that a standalone version of KeyShade will be "coming soon" to Mac and iOS, but that for now it's tied to NetShade.
Payment service jumps ahead of Visa, MasterCard dates to shift to chip cards
Square, a company that helped open mobile payments up to the masses, released news today that it would be expanding its device offerings with a reader for chip-based credit cards, now frequently used outside the US. While the company states that typical Europay, MasterCard and Visa (EMV) solutions are costly, it will release an affordable model to enable sellers to accept the secure payments.
Company releases first chat application Bleep, currently only available for Windows
BitTorrent is making an attempt to diversify its offerings even more. While the company has said it was adding pay options to its Bundles early in the month, it has now launched a server-less chat client called Bleep. BitTorrent says that the app is created in a way that the experience is decentralized, only exposing messages and phone calls to people users choose to trust.
Department of Justice warrant to obtain emails valid, judge gives Microsoft chance to appeal
A United States District Court judge ruled today that a warrant issued to Microsoft requesting emails stored in Dublin, Ireland is valid. The judge stated that the company must follow the order to produce emails involved in a criminal investigation, in spite of foreign law. The order was temporarily stayed to give Microsoft the opportunity to appeal through the Second United States Circuit Court of Appeals.
Senate Intelligence Committee's computers were accessed, states internal investigation
It turns out that the Central Intelligence Agency (CIA) did in fact access Senate computers in an improper fashion, as it was accused of doing earlier this year. Back in March, Senator Dianne Feinstein (D-CA) claimed that the intelligence agency had accessed the computers of the Senate Select Committee on Intelligence, searching for a document relating to research into the agency's detention and interrogation program.