Malware entry vector not yet identified; may capitalize on jailbreak compromise
In an almost unheard-of claim, Lacoon Mobile Security has said that it has discovered a new spyware attack that targets both iOS and Android devices and which appears to be aimed specifically at Hong Kong pro-democracy protesters. Lacoon says it made the discovery while investigating the Android version, but did not clarify how the malware might be installed, or overcome the security built into iOS that has, thus far, kept it largely immune to serious malware or viruses.
Users can enter IMEI to learn more; technology is on by default in iOS 8
Users who are unsure if their iOS device has the anti-theft feature Activation Lock turned on can now easily check through a new page based on Apple's iCloud site. While the page is currently not linked to the main menu on iCloud.com -- suggesting it may still be undergoing testing -- it offers users a chance to input the device's serial number or IMEI identifier, and returns information on whether the device is protected.
New $15,000 award for successful submissions, up from $5,000.
Google is increasing the rewards in its bug bounties program, as it tries to make its software more secure. The search company is updating its reward pricing range to between $500 and $15,000 per bug, up from the previous maximum of $5,000 for a high-quality report, with an increased focus on discovering potential vulnerabilities within the Chrome browser.
Newest range of grocery store breaches spans 20 states
Supervalu and Albertson's shoppers may be in for another round of personal information theft notifications. The companies said that a second hack took place in late August or early September, with the company finding malicious software on systems that process credit and debit card sales at some of the company's 1,081 stores. Additionally, the malware was also found at Shoppers Food and Pharmacy, plus Shop 'n Save stores -- but the company believes that the installation was not successful, and failed to capture payment data.
Dueling regulatory boards fight over future of ISP regulation
Allegedly concerned about protecting the American consumer, US Federal Trade Commission (FTC) head Maureen Ohlhausen has come out as strongly against Federal Communications Commission (FCC) Chairman Tom Wheeler's net neutrality provision -- specifically, the possibility of Title II regulation of ISPs. The comment against the possibility of regulating Internet providers as a utility is the FTC's second in September.
Updates bash for OS X Lion, Mountain Lion and Mavericks
Although nearly all Mac users are unaffected by the issue, Apple has made good on its word to quickly fix a serious security flaw in bash, a Unix shell that comes as part of OS X. Apple acknowledged the problem on Friday, and today released OS X bash update 1.0 for OS X Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9). The flaw, known as "Shellshock," could potentially leave users who have set up advanced Unix services that interact with the web vulnerable to remote intrusion.
SSL added after Google's decision to rank encrypted sites higher in search rankings
CloudFlare is pushing its users toward security in a good way, as it is adding Secure Sockets Layer (SSL) encryption to all of its customer accounts starting today. Where the company says that only around two million sites supported encrypted connections previously, CloudFlare believes it will double that number by the end of the day. The SSL encryption is being added to all accounts, even those of free users.
Fines not the central means of enforcement -- violators face wide block
Russia's Internet watchdog has sent formal notices to Google, Facebook, and Twitter this week, enforcing early compliance with the country's social media law, requiring services with more than 3,000 readers in a day to register with the overseeing governmental agency and store data within the country. Deputy chief Maxim Ksenzov of Roskomnadzor, the agency in charge of enforcement of the law, has said that the trio will be "forced one way or another to obey the law" despite being international companies.
Only those running advanced UNIX services should be concerned, fix is on the way
An Apple spokesperson has reassured Mac users that the "vast majority" of users are not at risk from a serious bug discovered in the UNIX shell Bash that some researchers have called "potentially bigger than the Heartbleed vulnerability." Apple says that only those who have configured "advanced UNIX services" using the Terminal in OS X could be at risk from the flaw -- which would mean that nearly all OS X users would be unaffected. Nevertheless, the company is said to be working on a fix.
Agency thinks Android L, iOS 8 security put consumer security ahead of law enforcement
Addressing reporters in Washington today, Federal Bureau of Investigation (FBI) Director James Comey voiced his concerns over the recent shifts in security policy for Android and iOS 8. Specifically, Comey believes that the new security encryption measures that cannot be bypassed for law enforcement puts consumers before possible emergency situations.
Vulnerability in Apple iCloud patched a week after celeb photo leak
According to emails between Apple and a security researcher, the brute-force method of attack on iCloud passwords had been known to the Cupertino manufacturer since March 26 of this year, well before the attack on celebrity accounts. A lengthy email chain, made public in recent days, documents communications between the researcher and Apple, as well as Apple's continued requests to Ibrahim Balic for more information on the exploit.
Major security risk could be bigger issue than Heartbleed
A new bug may have a greater potential for harm than April's Heartbleed vulnerability, according to reports. The "Shellshock" vulnerability in Bash, a Unix shell typically used in Linux systems as well as in OS X, apparently allows for code held in environment variables to be executed within the shell as soon as it is invoked, potentially allowing for the control of affected systems to be taken over by another user.
Assault detected July 30, all stores purged by September 5.
Sandwich chain Jimmy John's has reported a security breach, exposing information from customers of 216 locations. According to the chain, the company discovered at the end of July that an unknown assailant stole credentials from a vendor, and accessed the point-of-sale system. This action installed data-collecting malware at some locations between June 16 and September 5 of this year, with most infestations cleared out before the middle of August. The company reports that the security problem has been addressed, and it is once again safe to use credit cards at all stores.
Android, iOS security product featured on Amazon Home Automation
Home technology company Icontrol today announced that the Piper all-in-one home security, video monitoring and automation device is now available on Amazon's new Home Automation store. The CTIA award-winning Piper suite allows users to monitor and interact with home automation through the Internet, without service contracts or fees.
Suit alleges deceptive practices, money dispersion, misuse of company funds
More controversy is further tarnishing virtual currency Bitcoin's reputation. Last week, the US Federal Trade Commission (FTC) filed a civil suit against Butterfly Labs, creator and manufacturer of Bitcoin mining rigs. The suit alleges that the three members of the board of directors have engaged in fraudulent and deceptive practices, plus misappropriation of company funding.
New bill gives information same protection as material goods under law
In the shadow of Microsoft's dispute with the US Department of Justice, Senators Orrin Hatch (R-UT), Dean Heller (R-NV), and Senate Judiciary Committee member Chris Coons (D-DE) have proposed legislation to codify law enforcement access to citizen's data stored internationally. The bill, titled the Law Enforcement Access to Data Stored Abroad Act, seeks to authorize the use of extraterritorial search warrants, but vacate said warrants if it requires parties involved to break the laws of a country to do so.
Refrain from managers asked for more training: 'we sell hammers'
Following the revelation that 56 million credit card transactions were stolen by miscreants, more information is coming out about the hack and The Home Depot's reportedly long-term lackadaisical security. According to employees familiar with the situation, the company was warned as early as 2008 that security would be a problem, and the company was excruciatingly slow to respond to threats, often taking no action against perceived attacks or dangers.
Rex Chapman accused of faking payment, facing 14 felony charges
Former Phoenix Suns professional basketball player Rex Chapman was arrested on Friday, and accused of shoplifting $14,000 in Apple merchandise using Apple's EasyPay self-checkout system. Apple store employees reported the player, after recognizing him "based on his previous celebrity status as an NBA basketball player," according to Scottsdale, AZ police.
Service shut down in San Francisco, attempts rebirth in other locales
Parking spot resale service Monkey Parking has quietly relaunched in Santa Monica and Beverly Hills, California. While not currently illegal in the cities, city attorneys have taken note of the launch, met with representatives from the service, and are claiming that they will take steps rapidly to stop the service from operating.
Official states charges are 'groundless,' believes US should focus on upholding security
In a press conference today, Chinese Foreign Ministry Spokesperson Hong Lei responded to the government-sponsored hacking allegations from the United States. In an unclassified report from the Senate Committee on Armed Services, the body accused the Chinese military of being responsible for at least 20 successful attacks on US Transportation Command (Transcom) contractors.
Security steps, including terminal removal, outlined, malware evaded detection
More information on the breach of home improvement retailer Home Depot was announced today. While the company still says that only stores in North America are affected by the breach, it now adds that the information from 56 million unique payment cards was at risk. The company provided further insight into the steps taken since the breach, including adding stronger encryption after the malware had been completely removed from its terminals.
Missing language suggests Apple has received Patriot Act request
Apple's transparency report on governmental information requests has made a minor but significant change. Language saying that "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us" has been completely removed from the latest version of the document, suggesting that Apple has now received a Patriot Act request, and is subject to a secret Foreign Intelligence Surveillance Court warrant and subsequent gag order.
Follows a day after 7.0.6
Despite v7.0.6 being released just yesterday alongside OS X 10.9.5, Apple has released another version of Safari for Mavericks, 7.1. The release mainly follows in the steps of its iOS 8 sibling, introducing secure search site DuckDuckGo as an alternative to the likes of Google or Yahoo. Security for Yahoo searches has been improved, as entries into the search field are now encrypted.
Should make it harder for government agencies to access user data
Part of Apple's strengthened approach to privacy involves stricter encryption in iOS 8, according to the Washington Post, as well as an Apple PDF document. The latter notes that Apple no longer stores encryption keys for devices as of iOS 8, meaning that even if a government agency has a search warrant, the company is unable to break past the security on a passcoded device. That should protect locally-stored content.
Security, user data respect seen as differentiators from rival companies
Weaknesses from launch still exist a year later, says 'unnecessary risks remain'
In a report set to be delivered to Congress this week, the US Government Accountability Office (GAO) found that the Healthcare.gov website has a number of security issues yet to be addressed. While a number of steps have been taken to secure the health care portal since its troubled release, the complexity of the system and lack of security protocols in some instances still continue to plague the system.
Lack of communication between divisions, contractors left agency aware of two attacks
A US Senate committee discovered that Chinese hackers were able to gain access to computer systems for US Transportation Command (Transcom) contractors at least 20 times in a single year. In an unclassified report released today, the investigation focused on the security of Transcom due to the central role it plays in mobilizing troops and equipment.
Encrypted chat used BitTorrent backbone to provide secure communications
Peer-to-peer protocol pioneer BitTorrent has released an alpha version of its chat client. BitTorrent has revealed Bleep -- what used to be called BitTorrent Chat -- for Android and OS X. Bleep offers fully-encrypted, end-to-end communications between users, with messages stored only locally on devices and not retained by servers at any step of the way.
CTO, Health Project Manager at briefing; Apple security defended
Apple sent two high-ranking executives to Capitol Hill earlier this week to brief lawmakers on what it is doing to keep users' data secure and private in the wake of new devices tapping into users' health information and financial data. Apple Chief Technology Officer Bud Tribble and Health Project Manager Afshad Mistri briefed the House Energy and Commerce Committee behind closed doors on Tuesday, according to sources within Congress.
New system avoids compromise of Apple ID, limited to 25 active passwords
Starting next month, Apple will add another layer of security to its iCloud service for third-party apps that utilize iCloud storage or other access. The company will allow users to assign up to 25 app-specific passwords for those users who don't want a third-party app to have the user's Apple ID credentials to utilize services such as syncing. The app-specific password approach not only protects the iCloud and Apple ID account, but enhances security for apps that don't support two-step authentication.
Company confident that new larger iPhones will attract switchers
With its combination of more and better apps, better security and now large-screen mobile devices, Apple is expecting the new iPhone and iOS 8 to help persuade more Android users to move up to iOS, and to that end has published a document on its website guiding switchers on how to move content from their Android device to the iPhone. The expectation isn't based on hubris: surveys have shown that at least a third of Android users would consider switching to the iPhone 6 family.
Apple takes another step towards securing iCloud
Apple has once again enabled a two-factor authentication option for iCloud.com. It was briefly introduced in June, but then vanished for reasons unknown. Much like its equivalent for Apple IDs, the iCloud.com two-factor system requires verifying identity through SMS or Find My iPhone. Only once this is done can users load the site's apps.
Police largely silent during pre-announcement era
Chinese police have arrested a 40-year-old Foxconn worker, identified only by the surname Qiao, for stealing iPhone 6 shells from a factory in Jincheng, according to the state-run Taihang Daily. The person was detained on September 4, and is specifically accused of selling six of the shells for 6,000 yuan (about $960) to a gadget market in Shenzhen, where a number of electronics makers are located.
Stored cross-site scripting attack can steal stored cookies on tablet
Apple's product-centric business model differentiates it from others, CEO says
During more of the interview for PBS' "Charlie Rose" show, Apple CEO Tim Cook addressed the thorny issue of user privacy, with Cook coming out strongly differentiating Apple from other companies, noting that Apple "tries not to collect data." Cook said he believes users "have a right to privacy," and used the issue to reiterate that Apple was not cooperating with US government spying programs.
Association's aim is to improve cryptographic and data keys, thwart physical and online attacks
Apple is now a member of a non-profit trade association made up of mostly financial institutions, cellular carriers and software and hardware developers devoted to improving security in applications, transactions, data and cryptography. The group, GlobalPlatform, says its objective is to "create a standardized infrastructure that accelerates the deployment" of secure software and data, "protecting them from physical or software attacks." Most of Apple's carrier and financial partners in Apple Pay are also members.
Concerns more directly related to HealthKit
Connecticut's Attorney General, George Jepsen, has issued a letter to Apple CEO Tim Cook, asking the company to explain how the Apple Watch will collect and store data. Jepsen asks, for instance, "whether Apple will allow consumers to store personal and health information on Apple Watch itself and/or on its servers, and if so, how information will be safeguarded," and "if and how Apple will review application privacy policies to ensure that users' health information is safeguarded." Other concerns include consent, the specific types of data the watch and its apps will collect, and guideline enforcement.
Institutions aim to improve speed, accuracy
In the next few weeks, two major US hospitals -- linked with Stanford University and Duke University, respectively -- are embarking on medical trials using Apple's HealthKit platform, according to Reuters. Doctors at Stanford say they're working with Apple on tracking blood sugar for children with diabetes. Duke, meanwhile, is planning a pilot to track blood pressure, weight, and other statistics for patients with cancer or heart diseases.
Malware injected by raffle link sells items in Steam inventory, trades to specific account
Security firm F-Secure was recently alerted to a wave of malware targeting the Twitch game streaming audience as a way to turn a quick buck. The Windows-based malware isn't aimed at stealing credit card information or joining a click-through advertising botnet, but rather at selling items of value that are associated with a Steam account.
Passwords reset based on database comparison to leaked Gmail credentials
Fallout could still be on the way as a result of the collection of nearly five million Gmail username and password credentials leaked on a Russian Bitcoin forum, but for now at least one company is taking action. Automattic, the company responsible for the blogging platform WordPress, announced it has reset user passwords for more than 100,000 accounts based on the information contained in the list.
SecureMac releases PrivacyScan 1.6, improves OS X compatibility
SecureMac has released an update for its privacy software for OS X, featuring a new digital footprint security wipe functionality. PrivacyScan allows users to erase sensitive information, such as cache files, browsing history, cookies, temporary files and more, in a way that securely prevents recovery. The latest version (v1.6) improves compatibility with future versions of OS X, and also adds greater Firefox web browser support and fixes. PrivacyScan is priced at $15 on the App Store, with a free demo version available directly through SecureMac.
Names, addresses, phone numbers taken; banking info probably safe
Information security professionals are still apparently sorting out the depth of an intrusion at J.P. Morgan Chase from earlier this summer. Three people with information regarding the digital break-in have spoken to press, claiming that the hackers had -- and in some cases may still have -- high-level access to bank servers, as well as gleaning information from around a million customer accounts.
Works around lack of Touch ID
The Apple Watch will use a unique system to authorize NFC mobile payments, reports say. Normally, Apple Pay is authorized via Touch ID, but there's no such sensor on the Watch. Instead, when someone puts on the device for the day, they'll have to enter a PIN to authorize transactions. The sensors on the bottom of the watch can detect skin contact, and once that's lost, a person will have to re-enter their PIN.
Google says there is no evidence of a breach, many logins are said to be outdated
Another credential scare has turned up online, this time for one of the world's largest free email services. The emails and passwords of around 4.66 million Gmail users have turned up on a Russian Bitcoin forum, traced back to English, Russian and Spanish users of the service. It's not clear where or how the list was collected, but it is said that many of the logins are outdated.
Apple Watch may be first new product never seen by Jobs, Apple Pay 'incredibly safe'
In interviews with the Wall Street Journal and ABC News' David Muir, Apple CEO Tim Cook reiterated many of the sentiments expressed during the Tuesday press event that introduced the two new iPhone 6 models, the Apple Watch wearable and the Apple Pay mobile payments system. He also, however, had a few words in response to questions, ranging from his thoughts on Steve Jobs in the three years since his passing, to how the iPhone 6 will trigger "the mother of all upgrades."
Breach confirmed for April forward as investigation continues, no evidence of PIN theft
An initial investigation by Home Depot into an intrusion of its payment data systems has revealed that its systems were indeed breached. The home improvement retailer began looking into the breach of its systems after it noticed irregular activity and subsequent sale of its customer data last week. Home Depot was apparently hit by the same malware responsible for the breach of Target's systems.
Provider stating that ads placed as a courtesy, reminiscent of BitTorrent throttling issue
Part of planned security upgrades
Users of Apple's iCloud are now getting email notifications whenever an Apple ID signs into iCloud.com for the first time from a new device. Each message includes a date and time stamp, and is meant to warn someone in case the login is actually by an unauthorized attacker. The update is part of a series of planned security upgrades announced by Apple CEO Tim Cook.
Joins with rumored merchant Nordstrom, banks and credit card companies on deals
A report from anonymous sources suggests that Apple's rumored mobile payment system may have gained further merchant support in the form of drugstore chains CVS and Walgreens. The move would make it easy for customers to use their iPhone to pay for purchases at some 15,000 combined locations in the US, reports AppleInsider via Re/Code. They will be among other known and unknown retail partners to help launch the mobile payment system, which could be announced at the September 9 Apple press event.
Photos not obtained by iCloud breach, but by password hacking
Apple CEO Tim Cook has formally addressed the recent celebrity selfies scandal, where some of the images obtained by hackers came from the victims' iCloud accounts (alongside other services, those responsible for the collection of the images have recently admitted). In an interview with the Wall Street Journal, Cook not only acknowledged that some celebrities' accounts were specifically targeted using conventional data-stealing techniques, but promised both educational and engineering improvements.