Domain: csoonline.com
Stories and comments across the archive that link to csoonline.com.
Stories · 202
Google Fixes Rooting Vulnerabilities In Android (csoonline.com)
itwbennett writes: Google released over-the-air firmware updates for its Nexus devices Monday and will publish the patches to the Android Open Source Project (AOSP) repository by Wednesday, fixing a new batch of vulnerabilities in Android that could allow hackers to take over devices remotely or through malicious applications. The new patches address six critical, two high and five moderate vulnerabilities. The most serious flaw is located in the mediaserver Android component, a core part of the operating system that handles media playback and corresponding file metadata parsing. -
Comcast's Xfinity Home Security Flaw Leaves Doors Open (rapid7.com)
itwbennett writes: Researchers at Rapid7 have disclosed vulnerabilities in Comcast's Xfinity Home Security offerings that prevent the system from alerting homeowners to unsecured doors or windows and would also fail to sense an intruder's motion in the home. The root cause of the problem can be found in the ZigBee-based protocol used by Comcast's system to operate over the 2.4 GHz frequency band. Rapid7's Phil Bosco discovered that the Xfinity Home Security system does not fail closed with an assumption of an attack if radio communications are disrupted. Instead, the system fails open, reporting that all sensors are intact, doors are closed, and no motion is detected. -
Cyberespionage Group Adds Disk Wiper and SSH Backdoor To Its Arsenal (csoonline.com)
itwbennett writes: A cyberespionage group known in the security community as Sandworm or BlackEnergy, after its primary malware tool, has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. On the eve of Dec. 23, a large area in the Ivano-Frankivsk district in Ukraine suffered a power outage. Ukrainian news service TSN reported that the outage was caused by a virus that disconnected electrical substations. Researchers from antivirus vendor ESET believe that this attack was performed with the BlackEnergy malware and that it wasn't the only one. 'As well as being able to delete system files to make the system unbootable — functionality typical for such destructive trojans — the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,' the ESET researchers said in a blog post. -
18 Million Targeted Voter Records Exposed By Database Error (csoonline.com)
itwbennett writes: Last week, a database containing 191 million voter records was exposed because of a misconfigured database that no one wants to claim ownership of. Around the same time, a second, smaller database containing fewer than 57 million records similar to those previously discovered was also found by researcher Chris Vickery. But the second database also includes 18 million records that hold targeted demographic information. And as was the case with the previous voter database, no one wants to claim ownership. -
Hyatt Hotels Payment-Processing Systems Hit By Malware (csoonline.com)
itwbennett writes: Hyatt Hotels said Wednesday that it recently identified malware on the computers that run its payment-processing systems. And while Hyatt didn't provide more details on the breach, including how many customers might be affected, the alert to customers asking them to closely check their credit card statements suggests that hackers may have obtained critical credit card information. The breach is the latest in a series of attacks in the hospitality industry, which include Hilton Worldwide, Mandarin Oriental and Starwood Hotels & Resorts Worldwide. -
Wyndham Settlement: No Fine, But More Power To the FTC (csoonline.com)
itwbennett writes: Earlier this month, Wyndham settled a lawsuit with the FTC over weak security practices that resulted in 3 major data breaches in 2008 and 2009 that compromised the credit card information of more than 619,000 customers and led to more than $10.6 million in fraudulent charges. But all the settlement requires Wyndham to do 'is what any company that handles credit card data is supposed to have been doing for more than a decade, under the Payment Card Industry Data Security Standard (PCI DSS),' writes Taylor Armerding. There was no fine and it seemed as though Wyndham had 'dodged a bullet', says Armerding. But things are not always as they seem. Because the PCI DSS is not a government standard and is not a law, 'the case was not about fines for noncompliance, which the FTC doesn't even have the authority to impose,' says Armerding. 'It was instead about power – the authority of the FTC to charge Wyndham with 'unfair and deceptive' practices because of its security flaws.' -
The Juniper VPN Backdoor: Buggy Code With a Dose of Shady NSA Crypto (csoonline.com)
itwbennett writes: Security researchers and crypto experts now believe that a combination of likely malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls. 'To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge!,' Matthew Green, a cryptographer and assistant professor at Johns Hopkins University wrote in a blog post. 'They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world. And all because Juniper had already paved the road.' -
HIV Dating Company Accuses Researchers of Hacking Database (csoonline.com)
itwbennett writes: Slashdot readers will recall the story posted last week about the misconfiguration of the MongoDB database that powers Hzone, a dating app for the HIV-positive, and the ensuing threat of HIV infection the company hurled at DataBreaches.net, who sent the notification. (Hzone later apologized.) But that's not the end of the story. Among other twists and turns that point to a CEO who was in way over his head, in several emails to Dissent, the admin of DataBreaches.net, Hzone CEO Justin Robert accused Dissent of changing the Hzone user database. But follow-up emails suggest that the company couldn't tell what was accessed or when, as Robert says Hzone doesn't have 'a strong tech team to maintain the site.' -
Google Joins Mozilla, Microsoft In Pushing For Early SHA-1 Crypto Cutoff (blogspot.com)
itwbennett writes: Due to recent research showing that SHA-1 is weaker than previously believed, Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism. Both companies have argued that there are millions of people in developing countries that still use browsers and operating systems that do not support SHA-2, the replacement function for SHA-1, and will therefore be cut off from encrypted websites that move to SHA-2 certificates. -
Juniper's Backdoor Password Disclosed, Likely Added In Late 2013 (rapid7.com)
itwbennett writes: In a blog post on Rapid7's community portal Sunday, HD Moore posted some notes on the Juniper ScreenOS incident, notably that his team discovered the backdoor password that enables the Telnet and SSH bypass. Quoting: "Although most folks are more familiar with x86 than ARM, the ARM binaries are significantly easier to compare due to minimal changes in the compiler output. ... Once the binary is loaded, it helps to identify and tag common functions. Searching for the text "strcmp" finds a static string that is referenced in the sub_ED7D94 function. Looking at the strings output, we can see some interesting string references, including auth_admin_ssh_special and auth_admin_internal. ... The argument to the strcmp call is <<< %s(un='%s') = %u, which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code. This password allows an attacker to bypass authentication through SSH and Telnet, as long as they know a valid username. If you want to test this issue by hand, telnet or ssh to a Netscreen device, specify a valid username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges." -
Database Leak Exposes 3.3 Million Hello Kitty Fans (csoonline.com)
itwbennett writes: "A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery," writes CSO's Steve Ragan, who was contacted about the leak Saturday evening. The database houses 3.3 million accounts containing records including first and last names, email addresses, unsalted SHA-1 password hashes, password hint questions and their corresponding answers, along with other information. The database also has ties to a number of other Hello Kitty portals. -
Microsoft Extends SmartScreen To Foil Malvertising and Exploit Kits (windows.com)
itwbennett writes: With the latest update for Windows 10, Microsoft has extended SmartScreen to block drive-by attacks in Microsoft Edge and Internet Explorer 11, the Microsoft Edge Team said Wednesday in a blog post. The new capability is based on the security intelligence that Microsoft receives from multiple products such as Microsoft Edge, Internet Explorer, Bing, Windows Defender and the Enhanced Mitigation Experience Toolkit (EMET). Thanks to this data, which includes behavioral telemetry, SmartScreen can even detect attacks that exploit zero-day vulnerabilities, according to Microsoft. The company is also revoking trust for a bunch of certificate authorities starting in January. -
Over 650 TB of Data Up For Grabs From Publicly Exposed MongoDB Database (csoonline.com)
itwbennett writes: A scan performed over the past few days by John Matherly, the creator of the Shodan search engine, has found that there are at least 35,000 publicly accessible and insecure MongoDB databases on the Internet, and their number appears to be growing. Combined they expose 684.8 terabytes of data to potential theft. Matherly originally sounded the alarm about this issue back in July, when he found nearly 30,000 unauthenticated MongoDB instances. He decided to revisit the issue after a security researcher named Chris Vickery recently found information exposed in such databases that was associated with 25 million user accounts from various apps and services, including 13 million users of the controversial OS X optimization program MacKeeper, as reported on Slashdot on Wednesday. -
Following Data Leak, HIV Dating App's Developers Threaten Infection (csoonline.com)
itwbennett writes: Sometime before November 29, the MongoDB housing the data of Hzone, a dating app for HIV-positive singles, was exposed to the Internet. The company, displeased with having the security incident disclosed, responded to an email notification from DataBreaches.net with this threat: "Why do you want to do this? What's your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don't want to get HIV from us? If you do, go ahead." Hzone later apologized for the threat. -
European Space Agency Records Leaked For Amusement, Attackers Say (csoonline.com)
itwbennett writes: A weekend data breach at the European Space Agency (ESA) by hackers calling themselves "Anonymous" has resulted in the release of 8,107 names, email addresses, and passwords of ESA supporters and researchers. "The leaked data highlights a troubling problem with regard to passwords used on the compromised domains," writes CSO's Steve Ragan. "Of the 8,107 passwords exposed, 39 percent (3,191) of them were just three characters long (e.g. 'esa', '469', '136', etc.)." -
SHA-1 Cutoff Could Block Millions of Users From Encrypted Websites (csoonline.com)
itwbennett writes: As previously reported on Slashdot, browser makers are considering an accelerated retirement of the older and increasingly vulnerable SHA-1 function. But Facebook and CloudFlare are warning that some 37 million users of old browsers and operating systems that don't support SHA-2 will be left without access to encrypted websites. The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world," CloudFlare's CEO Matthew Prince said Wednesday in a blog post. Facebook has solved this problem by building a mechanism that allows its certificates to be switched automatically based on the browser used by the visitor. -
Deputy Secretary of DHS On Agency's Role In Cybersecurity (csoonline.com)
itwbennett writes: In an interview with CSO's Ira Winkler, Deputy Secretary of Homeland Security Alejandro N. Mayorkas discusses the agency's cybersecurity role, breaking it down into 2 broad categories: helping protect .govs, and assisting .coms. When asked whether DHS is prepared to handle the additional responsibility that Congress is looking to give the agency, including insider threat detection and mitigation, Mayorkas said the agency has a 'current capacity' to assist .gov and .com to a 'very great' degree. But when asked whether the agency planned to outsource a lot of the capability it has been mandated to perform, as it recently did with intrusion detection, Mayorkas demurred, saying 'it's not a one-size fits all.' -
Quantum Computer Security? NASA Doesn't Want To Talk About It (csoonline.com)
itwbennett writes: At a press event at NASA's Advanced Supercomputer Facility in Silicon Valley on Tuesday, the agency was keen to talk about the capabilities of its D-Wave 2X quantum computer. 'Engineers from NASA and Google are using it to research a whole new area of computing — one that's years from commercialization but could revolutionize the way computers solve complex problems,' writes Martyn Williams. But when questions turned to the system's security, a NASA moderator quickly shut things down [VIDEO], saying the topic was 'for later discussion at another time.' -
Microsoft Kills Many Critical Flaws, Some 0-Days, Un-Trusts One Wildcard Cert
An anonymous reader writes: For this December Patch Tuesday, Microsoft has released twelve security bulletins, eight of which have been rated critical. Those refer to the cumulative security updates for Internet Explorer, Microsoft Edge, JScript and VBScript, and updates for Microsoft Windows DNS, Microsoft Graphics Component, Silverlight, Microsoft Office, and Microsoft Uniscribe. Microsoft also released a security advisory announcing the removal of a digital certificate from the Certificate Trust list (CTL). -
In Kazakhstan, the Internet Backdoors You (csoonline.com)
itwbennett writes: Kazakhstan passed a law that would require citizens to install a certificate on their personal computers and mobile devices that would allow the government to snoop and capture web traffic, passwords, financial details. Telecom.kz posted the news to their website on November 30, but by December 4 the press release had been removed from the website. This is just the latest example of government overreaching. Recently we've seen the Turkish government attempt to block access to social media sites. And let's not forget Thailand's attempt to roll out their own man-in-the-middle implementation. -
US Cyber Criminal Underground a Shopping Free-For-All (csoonline.com)
itwbennett writes: According to a new report by Trend Micro, the North American cyber criminal underground has "[essentially] become a gun show for everyone as long as they can participate and are willing to pay," said Tom Kellermann, chief cybersecurity officer at Trend Micro. Their research revealed that 15% of underground sites sell or offer crimeware and allow criminals to buy a variety of malware and hacking services, such as crypting. It's the hottest-selling item, other than drugs, said Kellermann. In case you're wondering, murder for hire sites make up just 1% of the underground mall. -
Congress Joins Battle Against Ticket Bots (csoonline.com)
itwbennett writes: A pair of companion bills now pending in the House and Senate would define the use of bots to buy tickets as an 'unfair and deceptive practice' under the Federal Trade Commission (FTC) Act. It would also become a federal crime, and create a right of action so that private parties can sue in federal court to recover damages. But if a similar law in Tennessee is any example, making the practice illegal doesn't make it any easier to find the people responsible for the bots. The Tennessean reported a year ago that, 'despite the apparent prevalence of the practice, no one has been prosecuted for this hard-to-prove crime in Davidson County.' This may be just another example of members of Congress not understanding the problem, but some experts say that making the bots illegal is at least a start. 'It helps to shine a light on a problem,' says Rami Essaid, cofounder and CEO of Distil Networks. -
No More Security Fixes For Older OpenSSL Branches (csoonline.com)
itwbennett writes: The OpenSSL Software Foundation has released new patches for the popular open-source cryptographic library, but for two of its older branches, OpenSSL 1.0.0t and 0.9.8zh, they will likely be the last security updates because support for these two branches will end on Dec. 31. Previous research has shown that many companies using in-house built software keep poor records of which library versions their developers used in which of their applications. 'This makes it very likely that some systems and applications with OpenSSL 0.9.8 and 1.0.0 will never be updated, leaving them exposed to any critical vulnerabilities found in the library in the future,' writes Lucian Constantin. -
Microsoft, Law Enforcement Disrupt Dorkbot Botnet (technet.com)
An anonymous reader writes: Microsoft said in a blog post Thursday that it aided law enforcement agencies in several regions to disrupt a 4-year-old botnet called Dorkbot. The botnet aims to steal login credentials from services such as Gmail, Facebook, PayPal, Steam, eBay, Twitter and Netflix and has infected one million computers worldwide. The company didn't provide details on how Dorkbot's infrastructure was disrupted. -
Millions of Smart TVs, Phones and Routers At Risk From Old Vulnerability (trendmicro.com)
itwbennett writes: Adding fuel to the growing concern over how manufacturers of devices such as routers and smart TVs deal with security vulnerabilities that emerge in their products, Trend Micro found that a 3-year-old vulnerability in a software component used in millions of smart TVs, routers and phones still hasn't been patched by many vendors. Although a patch was issued for the component in December 2012, Trend Micro found 547 apps that use an older unpatched version of it, wrote Veo Zhang, a mobile threats analyst on the Trend Micro blog. 'These are very popular apps that put millions of users in danger; aside from mobile devices, routers, and smart TVs are all at risk as well,' he wrote. -
Scammy Tech Support Sites Now Serving Up Ransomware (csoonline.com)
itwbennett writes: One holds your files hostage, the other overcharges to fix nonexistent computer problems. And now they may be working together. On one scammy tech support site seen by Symantec, an iframe hidden on the page redirected to the Nuclear exploit kit, a popular one used to spread malware. What is unclear is whether the people running tech support scams are working with those who create and rent out the use of exploit kits and associated infrastructure or if the tech support websites have been compromised in order to redirect visitors to exploit kits. Either way, it could add up to a very big headache for anyone who falls for the scam. -
Skip the Picks; Expert Uses Hammer To Open a Master Lock (csoonline.com)
itwbennett writes: Buyer beware. If it's security you're looking for, the #3 Master Lock might not be for you. In a video, locksport enthusiast Bosnian Bill demonstrates how to open a new #3 Master Lock using a small brass hammer — in under 90 seconds. This video is just one of several videos he's produced focusing on defeating the security of Master Locks, and, according to Bosnian Bill, has earned him several lawsuit threats from the company. -
Phishing Blast Uses Dropbox To Target Hong Kong Journalists (csoonline.com)
itwbennett writes: Researchers at FireEye have disclosed an ongoing Phishing campaign targeting pro-democracy media organizations in Hong Kong that's using Dropbox storage services as a command and control (C2) hub, writes CSO's Steve Ragan. 'The attacks are using basic emails trapped with documents that deliver a malware payload called LowBall,' says Ragan. 'LowBall is a basic backdoor that uses a legitimate Dropbox storage account to act as a C2.' -
Lenovo Patches Serious Vulnerabilities In PC System Update Tool (csoonline.com)
itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive. -
This Gizmo Knows Your Amex Card Number Before You've Received It (csoonline.com)
itwbennett writes: A small device built by legendary hacker Samy Kamkar can predict what new American Express card numbers will be and trick point-of-sale devices into accepting cards without a security microchip. Because American Express appears to have used a weak algorithm to generate new card numbers, the device, called MagSpoof, can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested. -
Patreon Users Threatened By Ashley Madison Scammers (csoonline.com)
itwbennett writes: "Over the last few days, the group responsible for extortion attempts and death threats against Ashley Madison users has turned to a new set of targets – Patreon users," writes CSO's Steve Ragan. A message sent from the same account used in previous campaigns by the scammers demands a payment of 1 BTC or else the Patreon user will have their personal information exposed. "The [Bitcoin] wallet being used by the group has barely collected anything," says Ragan, "suggesting that after their massive push towards Ashley Madison users, people have stopped falling for their scams." -
New IBM Tech Lets Apps Authenticate You Without Personal Data (csoonline.com)
itwbennett writes: IBM's Identity Mixer allows developers to build apps that can authenticate users' identities without collecting personal data. Specifically, Identity Mixer authenticates users by asking them to provide a public key. Each user has a single secret key, and it corresponds with multiple public keys, or identities. IBM announced on Friday that Identity Mixer is now available to developers on its Bluemix cloud platform. -
Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses (csoonline.com)
itwbennett writes: Despite assurances that only business listings and not customer names and home addresses would appear in the public search results when someone searches for an Xfinity Wi-Fi hotspot, that is exactly what's happened when the service was initiated 2 years ago — and is still happening now, writes CSO's Steve Ragan. And that isn't the only security issue with the service. Another level of exposure centers on accountability. Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device's MAC address as a key component of authentication. -
How Cisco Is Trying To Prove It Can Keep NSA Spies Out of Its Gear (csoonline.com)
itwbennett writes: A now infamous photo [leaked by Edward Snowden] showed NSA employees around a box labeled Cisco during a so-called 'interdiction' operation, one of the spy agency's most productive programs,' writes Jeremy Kirk. 'Once that genie is out of the bottle, it's a hell of job to put it back in,' said Steve Durbin, managing director of the Information Security Forum in London. Yet that's just what Cisco is trying to do, and early next year, the company plans to open a facility in the Research Triangle Park in North Carolina where customers can test and inspect source code in a secure environment. But, considering that a Cisco router might have 30 million lines of code, proving a product hasn't been tampered with by spy agencies is like trying 'to prove the non-existence of god,' says Joe Skorupa, a networking and communications analyst with Gartner. -
Could a Change In Wording Attract More Women To Infosec? (csoonline.com)
itwbennett writes: "Information security is an endeavor that is frequently described in terms of war," writes Lysa Myers. "But what would the gender balance of this industry be like if we used more terms from other disciplines?" Just 14 percent of U.S. federal government personnel in cybersecurity specialties are women, a number startlingly close to the 14.5 percent of active duty military members who are women (at least as of 2013). By comparison, women are well represented in other STEM fields: "As of 2011, women earn 60 percent of bachelor-level biology degrees. Women also earn between 40 and 50 percent of chemistry, mathematics and statistics, and Earth sciences undergraduate degrees," writes Myers. Why the difference? Myers points to a comment from someone who taught a GenCyber camp for girls: "He found that one effective way to get girls to feel passionate about security was to create an emotional connection with the subject: e.g. the shock and distress of seeing your drone hacked or your password exposed," writes Myers. -
After Paris, ISIS Moves Propaganda Machine To Darknet (csoonline.com)
itwbennett writes: Over the weekend, researcher Scot Terban came across the new website of Al-Hayat Media Center, the media division of Daesh (aka ISIS/ISIL), in a post on Shamikh forum (a known jihadi bulletin board), 'someone had posted the new address and instructions for reaching it,' writes CSO's Steve Ragan. The website hosts the usual anti-Western iconography, as well as songs (Nasheeds) and poems for mujahids in various locations. Terban has mirrored the website and its files; he says he plans to publish more details in the coming days. 'Over the years, there have been several claims made that Daesh had propaganda and recruitment hubs on the Darknet, but no one has ever published proof of those claims or explored how the propaganda machine operates in public,' says Ragan. -
New Ransomware Business Cashing In On CryptoLocker's Name (csoonline.com)
itwbennett writes: A new service launched this week on a standalone Darknet website offering ransomware called CryptoLocker Service to anyone willing to pay a small fee and 10% of the collected ransom. The new venture is being run by a person using the handle Fakben, who was a former user of the Evolution (Evo) marketplace, writes CSO Online's Steve Ragan. Customers pay $50 to get the basic Ransomware payload. Once the victim pays the demanded ransom, the payment address will forward the funds – less a ten percent fee – to the Bitcoin wallet designated by the CryptoLocker Service customer. The ransom fee itself can be determined by the customer, but the recommended fee is $200. 'I prefer to be less expensive, more downloads and more infections,' Fakben said during a brief chat with Ragan. -
Linux Ransomware Has Predictable Key, Automated Decryption Tool Released (csoonline.com)
itwbennett writes: Last week a new piece of ransomware was discovered that targets Linux servers. Yesterday, researchers at Bitdefender discovered a critical flaw in how the ransomware (dubbed Linux.Encoder.1) operates while testing a sample in their lab and released a free tool that will automatically decrypt any files on a victim's system that were targeted. -
Comcast Resets Nearly 200,000 Passwords After Customer List Goes On Sale (csoonline.com)
itwbennett writes: Over the weekend, a Dark Web marketplace had 590,000 Comcast email addresses and passwords for sale, offering the entire list for $1,000, writes CSO's Steve Ragan. Saturday evening, Ragan contacted Comcast about the accounts being sold online and learned that Comcast had 'already obtained a copy of the list' and was checking it against their customer base. 'Of the 590,000 records being sold, only about 200,000 of them were active,' Comcast said. Still unknown is the source of the data being sold online, although signs point to it being recycled. -
Microsoft Follows Mozilla In Considering Early Ban On SHA-1 Certificates (csoonline.com)
itwbennett writes: Following the first successful collision attack on the SHA-1 hashing algorithm last month, Mozilla said that it was considering a cut-off of July 1, 2016 to start rejecting all SHA-1 SSL certificates, ahead of an earlier scheduled date of Jan. 1, 2017. And now Microsoft is considering blocking the hashing algorithm on Windows by June next year. -
Sprint Faces Backlash For Adding MDM Software To Devices (csoonline.com)
itwbennett writes: On Wednesday, Sprint customer Johnny Kim discovered an in-store technician adding MDM software to his personal iPhone 6 without prior notice or permission. Kim took to Twitter with his complaint, sparking a heated conversation about privacy and protection. One expert who commented on the issue told CSO's Steve Ragan that 'it's possible Sprint sees the installation of MDM software as an additional security offering, or perhaps as a means to enable phone location services to the consumer.' But, as Ragan points out, 'even if that were true, it's against [Sprint's] written policy and such offerings are offered at the cost of privacy and control over the user's own devices.' (MDM here means "Mobile Device Management.") -
FireEye: Many Companies Still Running XcodeGhost-Infected Apple Apps (csoonline.com)
itwbennett writes: In September, more than 4,000 applications were found to have been modified with a counterfeit version of Xcode, dubbed XcodeGhost. On Tuesday, FireEye said in a blog post that it has detected 210 enterprises that are still using infected apps, showing that the XcodeGhost malware 'is a persistent security risk.' In addition, whoever created XcodeGhost has also developed a new version that can target iOS 9, called XcodeGhost S, FireEye wrote. -
Despite Takedown, the Dridex Botnet Is Running Again (sans.edu)
itwbennett writes: Brad Duncan, a security researcher with Rackspace, on Friday wrote on the Internet Storm Center blog that 'the Dridex botnet administrator was arrested on 2015-08-28, and Palo Alto Networks reported Dridex was back by 2015-10-01. That represents an outage of approximately one month.' The lesson here, writes Jeremy Kirk in an article on CSOonline, is that 'while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations.' -
Despite Promises, China Still Targeting US Firms (crowdstrike.com)
itwbennett writes: Three weeks after the U.S. and China reached their first-ever cybercrime and cyberespionage agreement, a new report from CrowdStrike details intrusions from hackers affiliated with the Chinese government, indicating they almost immediately broke their word. In a blog post, CrowdStrike's Dmitri Alperovitch said the first observed intrusion was detected on September 26 – one day after President Obama hosted President Xi Jinping of China for a state visit. -
Since-Pulled Cyanogen Update For OnePlus Changes Default Home Page To Bing
ourlovecanlastforeve writes: Nestled into GSMArena's report on the Cyanogen OS 12.1 update for OnePlus [Note: an update that the story reports has since been pulled.] is this tasty bite: "...you'll find out that your Chrome homepage has been changed to Bing." Then it's casually dismissed with "Thankfully though, you can easily get rid of Microsoft's search engine by using Chrome settings." as if this were the most normal thing to have to do after an OTA update. Is this the new normal? Has Microsoft set a new precedent that it's okay to expect users to have to go searching through every setting and proactively monitor network traffic to make sure their data isn't being stolen, modified or otherwise manipulated?