The Tor Project announced on its blog today that the service suffered two different types of attacks in an attempt to uncover information that could remove the anonymity of sources accessing hidden services. Tor states that the attackers are so far unknown, but that anyone who accessed any hidden services from the beginning of February through July 4 should assume they're affected by the attack.
Companies will likely be hesitant to comply
The Russian government has proposed that two Western companies, Apple and SAP, grant access to their source code so it can determine whether or not their products are tools for spying on state organizations and/or the public, Reuters reports. Russia's communications minister, Nikolai Nikiforov, is said to have made the request when he met last week with Apple's local general manager, Peter Nielsen, and SAP's local managing director, Vyacheslav Orekhov. In an official Communications Ministry statement, Nikiforov comments that "Edward Snowden's revelations in 2013 and US intelligence services' public statements about the strengthening of surveillance of Russia in 2014 have raised a serious question of trust in foreign software and hardware."
Company turnaround underway, says CEO in wake of deal
At its annual BlackBerry summit, the beleaguered smartphone manufacturer has announced a deal that will see it acquire Germany's Secusmart to enhance its own security offerings. BlackBerry CEO John Chen said of the deal that it "creates that much more distance between [BlackBerry] and competitors" in the battle for corporate and governmental business share.
App masquerading as Flash, others, can break Android sandboxing
Mobile device researchers Bluebox Security have discovered a serious flaw in Google's Android operating system that dates back to version 2.1, and is still present (albeit weakened) in the new 5.0 preview. The "Fake ID" security flaw allows a fake app to include an invalid security certificate claiming that it is an app with sandbox-breaking privileges, in essence giving the malicious app root access to the phone and all its contents.
Visit tied to investigation, Microsoft states that it will cooperate with officials
Officials from China's State Administration for Industry and Commerce (AIC) showed up at four Microsoft offices in the country unannounced earlier today. Offices in Beijing, Chengdu, Guangzhou and Shanghai received the sudden visits, which could be tied to the start of an antitrust investigation for a presently unknown reason. The visits come at a time when Microsoft faces scrutiny in the country over spying allegations and government refusal of Windows 8.
Review score of customers by Uber drivers pulled from view
Bill headed to oval office, with Obama willing to sign
In an unexpected move, and avoiding a potential fight, the House of Representatives has passed bill S517, aiming to make cellphone unlocking legal. The amended bill, passed by the Senate last week, was passed with no changes -- a controversial clause of the bill previously passed by the House, prohibiting bulk unlocking by companies, has been removed from the final passed version.
Free games, subscriptions offered as compensation for PSN intrusion
Sony has agreed to a preliminary settlement worth $15 million in a hacking class-action lawsuit in the United States. The agreement, which still requires approval from a judge, will see Sony handing out free games to console owners affected by the April 2011 PlayStation Network hack, which saw the shutdown of the service and Qriocity for several weeks, as well as compromising personal data and credit card information from over 77 million users.
Tools intended strictly for diagnostics, file capture, company says
In another step to address concerns of possible backdoors in iOS, Apple has published a new document explaining what three services are intended to do. The first, com.apple.mobile.pcapd, is said to support "diagnostic packet capture from an iOS device to a trusted computer," something useful for "troubleshooting and diagnosing issues with apps on the device as well as enterprise VPN connections." Another, com.apple.mobile.file_relay, "supports limited copying of diagnostic data from a device."
Company says no breach confirmed, but continuing investigation with authorities
Goodwill Industries International, the business entity behind the popular nonprofit second-hand stores, announced this week that it is investigating a potential data breach involving credit card data. The breach is said to have occurred in selected stores within the United States, but Goodwill has offered no information on which stores were affected.
May enable collection of private data by Apple, governments
[Updated with rebuttal from Apple] Apple's iOS platform contains several backdoors that may allow Apple and/or governments to collect private data, according to a forensic scientist, Jonathan Zdziarski. Presenting at the recent Hackers On Planet Earth (HOPE/X) conference, Zdziarski said that there are several conspicuous design gaps -- and some deliberately included forensic services -- that make it possible to extract data using forensic tools. The services have names such as "lockdownd," "pcapd," and "mobile.file_relay."
NSA whistleblower points to board member, companies should have no access to data
In an interview with UK newspaper The Guardian last week, fugitive American whistleblower Edward Snowden made it clear that he opposed cloud companies that had access to user data. He specifically pointed out Dropbox as being "hostile to privacy" for a number of reasons, including a board appointment of an ex-government official with ties to suspected privacy violations.
Could be important step towards reducing hacking
Apple has dramatically expanded the reach of its two-step Apple ID verification option, adding another 48 regions to the previous 11. The full list of countries with support is below. When two-step verification is on, trying to change account details or make an iTunes/App Store purchase from a new device will send a code via SMS or Find My iPhone. Only once this code is entered can an action continue.
Nest is essentially jailbroken, uses a custom tool to end reporting back to company
A group of researchers from the University of Central Florida (UCF) discovered a way to root the Nest thermostat in the process of finding a way to hack the device to steal data and install malware. Led by engineering professor Yier Jin, the team used physical access to accomplish the hack even though it is built with security in mind. During the hacking discovery, the team came up with a way to stop the device from reporting data back to Google (or Nest).
Service sends out notes after user passes away, cleans up personal data on Internet
Yahoo Japan launched an interesting service this week, one that gives people an option for deleting part of their digital lives once they reach the end of their physical ones. The service, called Yahoo Endings, offers users some basic services like will-writing, but also sends goodbye notes and deletes personal information from Yahoo.
Team discounts now on sale
Dashlane has launched version 3 of its namesake password and wallet management software for Mac and Windows. The update features two major additions, beginning with the Sharing Center, which lets people share passwords with other people while maintaining central control and AES-256 encryption. Although recipients must have a Dashlane account, the system gives administrators the ability to limit re-shares or revoke access, and will sync password changes made by others.
Google not limiting effort to internal apps -- any vendor is fair game
Google has launched a new web-wide security project. Titled "Project Zero", the effort by the search behemoth has the lofty goal to "significantly reduce the number of people harmed by targeted attacks." Google intends to have no bounds for the project, planning on working to "improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers."
W0rm interested in publicizing security holes, not motivated by profit
Purported white-hat Russian hacker group w0rm has attacked tech news website CNet. The group claims that it has usernames, email addresses, and encrypted passwords for one million users of its information services. A tweet on Monday by the group confirmed the attack, but even after a sale offer for a single Bitcoin was made, the group claims to be interested in drawing attention to security and "nothing more."
Old me.com and mac.com addresses also covered
Apple has started encrypting email traffic between iCloud and third-party services, according to data from a Google transparency website. This includes messages from older me.com and mac.com accounts. The move follows Apple's promises in June that encryption would expand beyond iCloud-to-iCloud exchanges, something essential given the greater popularity of services like Google's Gmail.
No-IP will bring tales of woe to Senate, addressing improper enforcement issues
Following the fallout of the Microsoft seizure of No-IP domains, the dynamic domain name service company is speaking to the Senate about the incident. In a hearing scheduled before the Microsoft action against No-IP about proper enforcement of cybercrime laws, No-IP will address the Senate Judiciary Committee today about how the incident was handled, and the need for sensible enforcement so that the Internet property rights of innocent third parties don't become collateral damage in such efforts.
Repository of JTRIG tools shows some that can modify or mimic existing information
Information posted by The Intercept revealed this week that the British intelligence agency Government Communications Headquarters (GCHQ) has the tools to modify communications, on top of monitoring them and collecting data. A database in the form of a Wiki entry of internal tools was posted to the site, listing the function and development status of each. Data from social media sites like Facebook, video sites like YouTube and various forms of web traffic and phone calls can all be modified or spoofed.
Original repository remains intact, popcorn-official and time4popcorn dead
The Motion Picture Association of America (MPAA) has issued Digital Millennium Copyright Act (DMCA) takedown requests for code repositories for BitTorrent-based video streaming projects based on the Popcorn Time core. The MPAA requested that the code for the "popcorn-official" and "time4popcorn" projects be removed from GitHub, but the original Popcorn Time repository remains intact and undeleted.
Apple defines what location tracking does, how it works
Apple has responded to Chinese government media allegations of the iPhone and iPad being a national security threat. A Chinese-language statement titled "Your Location Privacy" has been posted by the Cupertino manufacturer, with the company guaranteeing that it won't track users, or share location information with outsiders. Additionally, it claims that the "frequent locations" feature touted for iOS 8 will just "quickly and reliably determine their current locations for specific activities such as shopping, travel, finding the nearest restaurant or calculating the amount of time it takes them to get to work," and not leak any personal data.
Attorney name, fake firm files motion to force Judge Lucy Koh to recuse herself
Silicon Valley's "no poach" lawsuit involving Apple, Adobe, Google, and Intel may be slowly grinding to a conclusion, but not without some peculiar behavior. An investigation has been launched by the US District Court for the Northern District of California and the California State Bar after a court filing was made under an attorney's name without her knowledge, and with a fake law firm's name. The incident, and a similar filing made shortly after the motion's dismissal, are being investigated as possible identity theft.
Microsoft has little comment over the mishandled matter
The Microsoft and No-IP saga appears to be complete. Just one week after the dynamic domain name service (DNS) had its domains seized by Microsoft, all domains have been returned, users have reported restored functionality, and the lawsuit filed by Microsoft against parent company Vitalwerks has been dropped.
Internet camera looks good on paper, runs into problems in everyday use
Keeping an eye on the home while out and about these days is common practice. Internet cameras have become popular due to the ease of scanning for intruders or checking on the welfare of a child. Selecting the right model can be challenging, based on the number of cameras on the market. Brands like Dropcam and Foscam are generally trusted, but larger companies like Samsung offer alternative solutions. Attempting to bring a Dropcam competitor to consumers, Samsung released the SmartCam HD Pro. But does it offer the features a user needs without hiccups? Find out in our review.
Claims data could be used to glean state secrets
State-run China Central Television has called iOS 7's Frequent Locations function a "national security concern" in a noon broadcast, according to the Wall Street Journal. The report quoted researchers as saying that people with access to the underlying data could get a glimpse of the broader Chinese situation, or "even state secrets." Electronic security has become a sensitive topic for the Chinese government in the wake of leaks from Edward Snowden, revealing that the NSA is spying on Chinese leaders, and that American businesses have willingly or unwillingly provided the NSA with access to demanded data.
Google legal chief outlines removal request difficulties following EU court ruling
Google is still being swamped with requests to remove website listings in Europe, following the Court of Justice of the European Union's ruling on the "right to be forgotten." Senior Vice President and Chief Legal Officer David Drummond claims the search company has received more than 70,000 takedown requests since the ruling in May, with the requests covering 250,000 webpage listings in its search results.
Latest version for Snow Leopard and higher now required for Flash to work
Following an emergency patch issued by Adobe yesterday for a vulnerability in Flash Player and Adobe AIR, an update the company deemed "critical" for users to install, Apple is now blocking all un-upgraded versions of the plug-in in Safari, though the warning dialog will take users to the Flash Installer page where they can obtain the patched version. Users of OS X 10.6 and higher must be running version 22.214.171.124 in order for the Flash plug-in to work normally. Windows and Linux users are also affected by the flaw.
Suit files complaints about wanton, and unauthorized, in-app purchases
According to a US Federal Trade Commission report filed today, Amazon has billed parents and other account holders for millions of dollars in unauthorized in-app charges incurred by children. The FTC's lawsuit seeks a court order requiring refunds for consumers for the unauthorized charges, and permanently banning the company from billing parents and other account holders for in-app charges that have been made without their consent.
Internet Explorer, other Windows apps affected; problem could be widespread
Microsoft Internet Explorer users are being affected by a series of fraudulent transport layer security (TLS) certificates. The fake certificates, issued by India's National Informatics Centre, are trusted by the Microsoft Root Store -- a core library that Internet Explorer and other Windows applications use for identity verification. India's Controller of Certifying Records claims that only four fake certificates were issued, but other sources, including Google, are claiming that there are many more.
Official TLC warning leaves little ambiguity as to regulatory intent
The New York City Taxi and Limousine Commission (TLC) has escalated the conflict between it and ride-sharing service Lyft. A warning by the TLC, issued yesterday, reminds residents that while the service is indeed opening on Friday and will be offering free rides for two weeks to new subscribers, the service is unlicensed to operate, and un-investigated drivers may pose a danger to riders.
New offering allows for more secure international communications
Security-focused communications firm Silent Circle today announced the expansion of Out-Circle Calling (OCC). The expansion allows for encrypted hybrid calling, which enables Silent Circle members to make and receive encrypted, private voice calls through the company's Silent Phone service to non-Silent Circle subscribers in 79 total countries.
Social media usage examined in government-funded research
The US military has been analyzing the use and influence of social networks and social media, according to a report. Research funded by DARPA under the Social Media in Strategic Communication (SMISC) program was conducted with the ultimate aim of developing tools to help "counter misinformation or deception campaigns with truthful information."
Flaw allows attackers to steal authenticating cookies, hasn't been seen in wild yet
Adobe has issued an emergency patch for its Flash Player technology to correct a security flaw that could give attackers unauthorized access to thousands of popular websites -- notably Twitter, Instagram, Tumblr and eBay among many others. The patch, which will update Flash to version 126.96.36.199, is considered "critical" for users of OS X, Windows and Linux operating systems. Even if users have Flash Player disabled in their browser, they may still need to update if they are using any products that require Adobe AIR.
Wild game restaurant near DC blames erroneous listing for closure
Long-time Washington DC metro area restaurant The Serbian Crown has sued Google. After experiencing a 75 percent drop in weekend customers, owner Rene Bertagna filed the suit following the discovery that the restaurant's Google Places listing had a grievous error -- it incorrectly stated that the restaurant was closed on Saturday through Monday. The suit alleges that the incorrect information given to customers by the search engine led to a death spiral for the restaurant, with declining revenue forcing layoffs, which in turn drove diners away through poor service and declining food quality.
Robbers leave with seven trucks full of electronic goods from Campinas factory
A group of bandits robbed a Samsung Electronics factory in Brazil last night, escaping with seven trucks filled with goods from the smartphone and notebook computer manufacturer. Reuters reports the factory in Campinas was robbed just before midnight by 20 robbers, some armed, posing as employees.
Collection of call, text, Internet data to continue under plans by UK ministers
The government of the United Kingdom seeks to force telecommunication companies to log records of calls, texts, and Internet usage for a 12-month period, according to a report. Ministers are said to be attempting to counteract the effects of a European Court of Justice (ECJ) ruling in April, by introducing surveillance laws reinstating powers struck down by the court's decision.
Apple, Samsung smartphones singled out in TSA device power rules
Passengers on some international flights terminating in the United States will face greater scrutiny of their electronics before being allowed on the airplane. The Transportation Security Administration (TSA) is putting into force new security rules that require electronic devices to be able to switch on at the time of the security screening; devices containing flat batteries will not be let onboard.
Company no longer issuing platform fixes, security updates continue until April 2015
When the next quarterly update to Java rolls around later this month, Oracle says it won't include support for Windows XP users. The critical patch update, scheduled for July 15, updates Java 7 and Java 8 for newer Microsoft operating systems from Vista up to Windows 8. The choice to use Java on XP is left up to users because of the potential risk involved.
EPIC claims social media giant 'purposefully messed with people's minds'
If Facebook hasn't received enough flak for the emotional manipulation study it conducted on its user base, the company could soon face more from regulators. Last week, privacy watchdog group the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission (FTC) over the one-week study Facebook conducted in 2012 that manipulated users' news feeds.
Service restoration in process, connectivity waiting on DNS propagation
Following Microsoft's seizure of dynamic DNS service No-IP domains on a claim that some were spreading malware, many customers' paid and free connections were no longer functioning. Many of these services have been restored tonight, as Microsoft has begun the process of returning domains to No-IP. As of this evening, all of the seized domains have been returned to the service, with .org redirect restoration waiting on the .org registrar to act. Not all DNS services have been updated, but Electronista can confirm that Verizon FiOS, Google, and OpenDNS are all resolving properly.
Foundation discovers phones less than three years old broadcasting visited locations
Recently, the Internet advocacy and legal group the Electronic Frontier Foundation (EFF) discovered that a number of Android devices could be sharing location information when not connected to Wi-Fi. The Android phones in question periodically send out information on the Wi-Fi networks they know in order to speed up the process of connecting. However, in doing so they give off previous location data, based on stored wireless networks, in "human language."
Email sent to wrong address sparks privacy concerns, Google blocks access to email
A Goldman Sachs contractor sent an email containing confidential information to the wrong email account, causing the investment company to contact Google over its removal. After a Google representative told Goldman Sachs that it requires a court order to do so, the company filed a complaint with the Supreme Court of New York requesting that Google delete or retrieve the email. The company further asks for any information pertaining to its access.
Addresses numerous flaws, bugs already addressed in Mavericks 10.9.4
Alongside the release of OS X 10.9.4 Mavericks for newer Macs, Apple has also released security-oriented updates for OS X 10.7.x (Lion), the server version of Lion, and for 10.8.x Mountain Lion. The vulnerabilities patched for all three versions include an update to the certificate trust policy, a flaw in the "copyfile" command, and an issue with the Dock that could allow apps to circumvent the sandboxing restrictions. Numerous other discovered potential security vulnerabilities were also addressed.
Information Commissioner checks if Facebook research broke UK data laws
The fallout from Facebook's experiment with its users continues, with a UK government agency planning to investigate. The United Kingdom's Information Commissioner's Office (ICO), the body that deals with data protection laws in the country, will be looking to see if the social network broke any laws during its testing of emotional manipulation in 2012.
Supports Kensington, similar locks
Apple has released an official security lock adapter for the 2013 Mac Pro. The accessory connects without tools and supports a variety of Kensington locks, plus locks in a "similar style." While in use the adapter prevents easy access to a Pro's internals.
Outlook, OneDrive traffic gains encryption to increase security
Microsoft has announced three new ways the company will improve the security of customer data in the wake of the NSA surveillance revelations. New encryption has been added to Outlook.com, with OneDrive also receiving a similar encryption-based security boost, and the company is also introducing its first "Microsoft Transparency Center" on its Redmond campus, in order to help governments understand and trust the security of the company's software.
No-ip.com domains seized ostensibly to prevent malware spread
[Updated with more testing] Early Monday morning, Microsoft announced that it had seized, by court order, 23 domains used by dynamic IP company no-ip.com. Seeing a preponderance of malware hosts using these domains, the company then routed all "known bad traffic" through Microsoft filters, in order to classify the identified threats. The move was not without innocent victims, however, as users who use the affected domains -- including paid users for legitimate VPN purposes and one MacNN employee -- are this morning unable to connect through the redirect, at least in part.
Four-digit passcode identifies device on top of user credentials
Apple is either testing or in the process of rolling out two-step verification for its iCloud.com portal, optionally allowing users who want to use the two-factor authentication to enter a random four-digit passcode on their device in order to add it to a list of "trusted" devices. The option is not yet available to Apple ID accounts that have previously set the preference for using two-step verification, but improves security over the default "Apple ID password only" method.