Encrypted chat used BitTorrent backbone to provide secure communications
Peer-to-peer protocol pioneer BitTorrent has released an Alpha version of its chat client. BitTorrent has revealed Bleep -- what used to be called BitTorrent Chat -- for Android and OS X. Bleep offers fully encrypted, end-to-end communications between users, with messages stored only locally on devices and not retained by servers at any step along the way.
CTO, Health Project Manager at briefing; Apple security defended
Apple sent two high-ranking executives to Capitol Hill earlier this week to brief lawmakers on what it is doing to keep users' data secure and private in the wake of new devices tapping into users' health information and financial data. Apple Chief Technology Officer Bud Tribble and Health Project Manager Afshad Mistri briefed the House Energy and Commerce Committee behind closed doors on Tuesday, according to sources within Congress.
New system avoids compromise of Apple ID, limited to 25 active passwords
Starting next month, Apple will add another layer of security to its iCloud service for third-party apps that utilize iCloud storage or other access. The company will allow users to assign up to 25 app-specific passwords for those users who don't want a third-party app to have the user's Apple ID credentials to utilize services such as syncing. The app-specific password approach not only protects the iCloud and Apple ID account, but enhances security for apps that don't support two-step authentication.
Company confident that new larger iPhones will attract switchers
With its combination of more and better apps, better security and now large-screen mobile devices, Apple is expecting the new iPhone and iOS 8 to help persuade more Android users to move up to iOS, and to that end has published a document on its website guiding switchers on how to move content from their Android device to the iPhone. The expectation isn't based on hubris: surveys have shown that at least a third of Android users would consider switching to the iPhone 6 family.
Apple takes another step towards securing iCloud
Apple has once again enabled a two-factor authentication option for iCloud.com. It was briefly introduced in June, but then vanished for reasons unknown. Much like its equivalent for Apple IDs, the iCloud.com two-factor system requires verifying identity through SMS or Find My iPhone. Only once this is done can users load the site's apps.
Police largely silent during pre-announcement era
Chinese police have arrested a 40-year-old Foxconn worker, identified only by the surname Qiao, for stealing iPhone 6 shells from a factory in Jincheng, according to the state-run Taihang Daily. The person was detained on September 4, and is specifically accused of selling six of the shells for 6,000 yuan (about $960) to a gadget market in Shenzhen, where a number of electronics makers are located.
Stored cross-site scripting attack can steal stored cookies on tablet
Apple's product-centric business model differentiates it from others, CEO says
During more of the interview for PBS' "Charlie Rose" show, Apple CEO Tim Cook addressed the thorny issue of user privacy, with Cook coming out strongly differentiating Apple from other companies, noting that Apple "tries not to collect data." Cook said he believes users "have a right to privacy," and used the issue to reiterate that Apple was not cooperating with US government spying programs.
Association's aim is to improve cryptographic and data keys, thwart physical and online attacks
Apple is now a member of a non-profit trade association made up mostly of financial institutions, cellular carriers, and software and hardware developers devoted to improving security in applications, transactions, data and cryptography. The group, GlobalPlatform, says its objective is to "create a standardized infrastructure that accelerates the deployment" of secure software and data, "protecting them from physical or software attacks." Most of Apple's carrier and financial partners in Apple Pay are also members.
Concerns more directly related to HealthKit
Connecticut's Attorney General, George Jepsen, has issued a letter to Apple CEO Tim Cook, asking the company to explain how the Apple Watch will collect and store data. Jepsen asks, for instance, "whether Apple will allow consumers to store personal and health information on Apple Watch itself and/or on its servers, and if so, how information will be safeguarded," and "if and how Apple will review application privacy policies to ensure that users' health information is safeguarded." Other concerns include consent, the specific types of data the watch and its apps will collect, and guideline enforcement.
Institutions aim to improve speed, accuracy
In the next few weeks, two major US hospitals -- linked with Stanford University and Duke University, respectively -- are embarking on medical trials using Apple's HealthKit platform, according to Reuters. Doctors at Stanford say they're working with Apple on tracking blood sugar for children with diabetes. Duke, meanwhile, is planning a pilot to track blood pressure, weight, and other statistics for patients with cancer or heart diseases.
Malware injected by raffle link sells items in Steam inventory, trades to specific account
Security firm F-Secure was recently alerted to a wave of malware targeting the Twitch game streaming audience as a way to turn a quick buck. The Windows-based malware isn't aimed at stealing credit card information or enlisting the machine in a click-through advertising botnet, but rather at selling items of value associated with a Steam account.
Passwords reset based on database comparison to leaked Gmail credentials
Fallout could still be on the way as a result of the collection of nearly five million Gmail username and password credentials leaked on a Russian Bitcoin forum, but for now at least one company is taking action. Automattic, the company responsible for the blogging platform WordPress, announced it has reset user passwords for more than 100,000 accounts based on the information contained in the list.
SecureMac releases PrivacyScan 1.6, improves OS X compatibility
SecureMac has released an update for its privacy software for OS X, featuring new digital footprint security wipe functionality. PrivacyScan allows users to erase sensitive information securely to prevent recovery, such as cache files, browsing history, cookies, temporary files and more. The latest version (v1.6) improves compatibility with future versions of OS X, and also adds greater Firefox web browser support and fixes. PrivacyScan is priced at $15 on the App Store, with a free demo version available directly through SecureMac.
Names, addresses, phone numbers taken; banking info probably safe
Information security professionals are still apparently sorting out the depth of an intrusion at J.P. Morgan Chase from earlier this summer. Three people with information regarding the digital break-in have spoken to the press, claiming that the hackers had -- and in some cases may still have -- high-level access to bank servers, as well as gleaning information from around a million customer accounts.
Works around lack of Touch ID
The Apple Watch will use a unique system to authorize NFC mobile payments, reports say. Normally, Apple Pay is authorized via Touch ID, but there's no such sensor on the Watch. Instead, when someone puts on the device for the day, they'll have to enter a PIN to authorize transactions. The sensors on the bottom of the watch can detect skin contact, and once that's lost, a person will have to re-enter their PIN.
Google says there is no evidence of a breach, many logins are said to be outdated
Another credential scare has turned up online, this time for one of the world's largest free email services. The emails and passwords of around 4.66 million Gmail users have turned up on a Russian Bitcoin forum, traced back to English, Russian and Spanish users of the service. It's not clear where or how the list was collected, but it is said that many of the logins are outdated.
Apple Watch may be first new product never seen by Jobs, Apple Pay 'incredibly safe'
In interviews with the Wall Street Journal and ABC News' David Muir, Apple CEO Tim Cook reiterated many of the sentiments expressed during the Tuesday press event that introduced the two new iPhone 6 models, the Apple Watch wearable and the Apple Pay mobile payments system. He also, however, had a few words in response to questions, ranging from his thoughts on Steve Jobs in the three years since his passing to how the iPhone 6 will trigger "the mother of all upgrades."
Breach confirmed for April forward as investigation continues, no evidence of PIN theft
An initial investigation by Home Depot into an intrusion of its payment data systems has revealed that its systems were indeed breached. The home improvement retailer began looking into the breach of its systems after it noticed irregular activity and subsequent sale of its customer data last week. Home Depot was apparently hit by the same malware responsible for the breach of Target's systems.
Provider stating that ads placed as a courtesy, reminiscent of BitTorrent throttling issue
Part of planned security upgrades
Users of Apple's iCloud are now getting email notifications whenever an Apple ID signs into iCloud.com for the first time from a new device. Each message includes a date and time stamp, and is meant to warn someone in case the login is actually by an unauthorized attacker. The update is part of a series of planned security upgrades announced by Apple CEO Tim Cook.
Joins with rumored merchant Nordstrom, banks and credit card companies on deals
A report from anonymous sources suggests that Apple's rumored mobile payment system may have gained further merchant support in the form of drugstore chains CVS and Walgreens. The move would make it easy for customers to use their iPhone to pay for purchases at some 15,000 combined locations in the US, reports AppleInsider via Re/Code. They will be among other known and unknown retail partners to help launch the mobile payment system, which could be announced at the September 9 Apple press event.
Photos not obtained by iCloud breach, but by password hacking
Apple CEO Tim Cook has formally addressed the recent celebrity selfies scandal, in which some of the images obtained by hackers came from the victims' iCloud accounts (those responsible for collecting the images have recently admitted that other services were sources as well). In an interview with the Wall Street Journal, Cook not only acknowledged that some celebrities' accounts were specifically targeted using conventional data-stealing techniques, but promised both educational and engineering improvements.
Intruder installs 'malicious software' for cyber-attacks, breach access point unknown
Health care exchanges continue to hit rough patches, as the United States government has revealed that the federal health care portal Healthcare.gov was breached. While there is no evidence that any personal information from the 5.4 million people applying through the site was stolen during the event, the attack marks the first time an intrusion has successfully accessed systems attached to the website.
Company failed to inform users of opt-out option for six years
Verizon has agreed to a $7.4 million fine, payable to the US Federal Communications Commission (FCC), as a result of not informing customers that they could "opt out" of Verizon marketing efforts tailored with gleaned user information. The fine, the largest of its kind, is assessed in parallel with the requirement that the company tell customers in every mailed bill that they can prevent the company from using their data for advertising and marketing purposes.
Unfettered Google Play in-app purchase solved with 2012 password requirement
Google has offered to settle charges levied against it by the US Federal Trade Commission (FTC) over unfair billing for in-app purchases made by children. The search engine giant has offered to pay out at least $19 million to end the suit, similar to those faced by Apple and Amazon.
Hackers penetrated system between April 15 and August 6, 2014
Apple iPad case seller ClamCase is the victim of a computer intrusion, exposing its customer information to hackers. Emails to customers have been arriving in recent days, stating that the company has fallen victim to the hack, and that purchase data from the period between April 15 and August 6 has been stolen. Information obtained includes customer names, addresses, and credit card information.
Intrusion may have been performed by same team behind Target hack
Home Depot is investigating "unusual activity" with its customer data, with the retailer appearing to be the victim of a major credit card breach. The store chain confirmed it was looking into the matter earlier today, after a report claimed acquired customer data was going on sale via a number of illicit websites specializing in credit card details.
Claims victims were hit by 'very targeted' attack
Apple has issued a new follow-up statement on this week's celebrity photo leaks via iCloud. "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," the company writes. "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find My iPhone. We are continuing to work with law enforcement to help identify the criminals involved."
Further evidence undermining claims pictures were stolen from Apple's servers
Even as Apple on Monday issued a terse statement saying only that "we take user privacy very seriously and are actively investigating this report," concerning the leak of compromising images from 101 celebrities, the 4chan poster who released the images and video has now admitted that the pictures came from a variety of sources. In the meantime, Apple has patched a potential security flaw that could have allowed attackers to brute-force weak iCloud passwords.
Vulnerability in Find My iPhone authentication system patched today
A script which allowed access to iCloud servers may have been behind the recent celebrity photo leaks, a report suggests. A Python script which discovered the password of an iCloud account has surfaced, with an apparent vulnerability in Find My iPhone potentially allowing attackers to "brute force" attack an account without any lockout or warning to the account owner.
Reports remain dubious on origin of photos, videos allegedly obtained
A plethora of new celebrity nude images have surfaced on the Internet, along with claims that the photos and videos are the result of a hack of iCloud accounts. At least one of the victims of the leak has confirmed the images, but did not confirm the leak came from iCloud and added that the images now circulating were "deleted long ago," saying it would take a lot of "creepy effort" to obtain them.
CryptoLocker derivative attack demands variable ransoms
In a five-month period, CryptoLocker-esque malware CryptoWall has infected 625,000 devices worldwide, and has locked down 5.25 billion files, according to Dell's security researchers. In that same time period, it has exceeded its predecessor's infection rates, and gathered over $1.1 million in file ransoms, with one victim paying out $10,000 in Bitcoin to rescue his own files held hostage by the malware.
New ruling forces defiant Microsoft to hand over data held overseas
A stay giving Microsoft permission to deny a warrant ordering email release from a user whose data is stored in Ireland has been lifted by Judge Loretta Preska. As a result of the order, issued on August 29, Microsoft has until September 5 to coordinate with the US Department of Justice and inform the court how it will comply with the original court order, demanding Microsoft surrender the data. Microsoft promises to fight the order, and does not intend to hand over the data.
Protest accommodated until doors to store blocked
A group of corporate and retail security guards for Apple stores staged a peaceful protest of what they consider to be low pay relative to other employees at the company's flagship San Francisco store on Thursday. The issue the guards were drawing attention to is not one specific to Apple, but endemic among tech firms in Silicon Valley -- who collectively tend to pay cleaning, support, maintenance and security staff lower wages on average than regular employees.
Should address one central fear
Assault on JPMorgan Chase may be only one of multiple intrusions in August
JP Morgan Chase & Co plus at least four other financial institutions have reportedly come under attack by hackers. According to a quartet of people familiar with the investigation, the possibility exists that gigabytes of customer data, including banking information, may have been stolen by the assailants using a "zero-day" attack; the attackers may be linked to Russian state-sponsored hackers.
Security firm says malvertising hit sites such as Java, DeviantArt and Photobucket
A "malvertising" campaign made the rounds last week, hitting at least eight high-profile websites, according to security firm Fox-IT. The firm noticed that the sites were redirecting their visitors elsewhere, which allowed it to discover that vulnerabilities in software like Java and Flash were being used to inject malicious programs. The purpose of the "malvertising" was to infect machines with botnet malware involved in boosting advertisement clicks.
BruteProtect to be rolled into Jetpack, paid service ends to make all features free
Automattic, the company responsible for the WordPress blog platform, announced today that it has acquired BruteProtect. The acquisition will allow the company to strengthen the security of the WordPress platform through its Jetpack service, without additional cost to users. BruteProtect started life as a plug-in for the popular blogging software, only to expand into other areas of security, server management and premium services.
Major apps identified as culprits
A number of iOS apps -- including Facebook Messenger, Gmail, and Google+ -- have a security vulnerability that could allow malicious parties to force an iPhone to auto-dial, observes Romanian developer Andrei Neculaesei. iOS supports a tel:// URI that can place a call automatically, and developers are allowed to bypass the dialer's confirmation prompt if they choose to. Through a vulnerable app and the right web code, a person could potentially be tricked into dialing a toll number. A FaceTime variant could let someone capture images of a person before disconnecting.
Several companies confirm attacks as service returns, hacking group claims responsibility
Some of the most popular gaming services are reportedly under attack as a series of distributed denial of service attacks (DDoS) has been underway since last week. Shacknews reports that Blizzard, Grinding Gear Games, PlayStation Network, Riot and Sony Online Entertainment have all been undergoing a series of attacks leading to connection instabilities and service failures. While the attack was initially thought to be limited to a few companies, it's been discovered that several additional gaming services and websites have been targeted as far back as August 18 by a hacking group.
Presidential advisor believes education, overall government experience sufficient
In an interview with the Information Security Media Group publication, White House cybersecurity coordinator Michael Daniel admits to having no practical experience with the subject matter. Daniel claims that "being too down in the weeds at the technical level could actually be a little bit of a distraction" to his job of advising the President about ongoing and emergent information security issues.
'Backoff' malware has infected 1,000 businesses across US
Target isn't the only US retailer affected by the "Backoff" point of sale malware. Following forensic analysis of the intrusion software, researchers for US government law enforcement have claimed that more than 1,000 businesses have been infected by the same strain that assaulted the big-box retailer, and now UPS storefronts.
Amazon hopes contract will pave the way for cloud-based confidential data
Amazon Web Services has received the first-ever US Department of Defense level three through five provisional authorization for the AWS GovCloud (US) region under the Defense Information Systems Agency's (DISA) codified Cloud Security Model (CSM). This new authorization allows Department of Defense users to conduct development and integration activities for everything but classified workflows with Amazon's service.
Stores in 24 states affected by breach, spanned up to seven months in some cases
The UPS Store chain of delivery and packaging facilities has reported that a number of its stores have been the target of a "broad-based malware intrusion," adding that customer data could have been accessed. The United Parcel Service (UPS) subsidiary became aware of the breach on July 31, the same day that the Department of Homeland Security sent out notices regarding a malware called "Backoff," according to the New York Times.
OpenSSL vulnerability the first attack vector, occurred shortly after bug announced
Security firm TrustedSec says that it learned how hackers were able to obtain records from Community Health Systems (CHS). According to a statement released by the firm yesterday, the initial attack occurred through an OpenSSL vulnerability. An anonymous source tied to the investigation told the company that Heartbleed, a vulnerability that has made headlines in recent history, is to blame for the breach.
Software line drops nine different programs, new software launches September 23
Symantec announced earlier this week that it would be issuing a sweeping change to its line of antivirus software to offer consumers a single solution. Starting September 23, the company will begin offering Norton Security for around $80 per year. The change effectively ends releases of Norton Antivirus, the company's main product line that has seen annual releases since the early 90s.
AppleScript, multi-platform hooks make spamming easier
Over 30 percent of all mobile spam messages are now being sent through Apple's iMessage system, claims Tom Landesman, a security researcher at Cloudmark. Many of the messages are pushing fake luxury products, such as sunglasses and handbags. Landesman explains that spammers are -- or were -- taking advantage of several aspects of Apple's ecosystem. However, Apple has responded to the charge, and said that some countermeasures have been implemented.
Package replaces developer ad ID with that of attacker using Cydia Substrate
A new piece of malware started infecting jailbroken iOS devices earlier this year. The "AdThief" or "Spad" package hijacks advertising clicks and revenue, and redirects them to the author of the package rather than the developer who inserted the advertising in the first place. The malware is simple and low profile -- it replaces the developer's ID with the attacker's ID. Mobile ad kits targeted by the AdThief malware are mostly from Chinese vendors, with four in the US and a pair in India.
Re-signing mandatory for existing apps
Despite recent claims, a Dev Center security breach may not be why developers are being asked to re-sign Mac apps using OS X Mavericks, sources say. An alternative reason for the switch hasn't been mentioned, but unnamed sources are countering reports yesterday from other unnamed sources. In the earlier rumors, it was claimed that one or more hackers had managed to obtain not only Gatekeeper keys but "virtually every key Apple used for everything."