security

Hacker says security flaw let him access any Facebook profile

A security hacker recently found a flaw in a Facebook system that allowed developers to access anyone's Facebook account through app permissions.

Though Facebook has fixed this issue, Nir Goldshlager, a Web application security specialist who looks for these types of flaws professionally, found more app authorization bugs that need fixing, according to his blog. App permissions are what developers use to access the user data needed to run their apps. Users give them access permission when they install the apps.

"I found a couple more OAuth flaws in Facebook, just waiting for a fix to post about … Read more

HTC settles with FTC over software security vulnerabilities

Mobile handset maker HTC has agreed to settle a complaint filed against it by the Federal Trade Commission accusing the company of failing to take "reasonable steps" to patch a security flaw in software running on its smartphones.

As part of this settlement, HTC has agreed to patch handsets that were left vulnerable to the security risks. And the company has agreed to develop a security program to address future security issues on its handsets.

HTC has already begun rolling out the patches to devices in the U.S., according to the FTC.

In its complaint, the commission … Read more

Homeland Security: Let's be clear about aerial drone privacy

A Homeland Security office says it plans to review the privacy implications of using drones to monitor U.S. citizens.

The department's Office for Civil Rights and Civil Liberties has created a working group that will "clarify any misunderstandings that exist" about DHS's drone program, as well as make an effort to "mitigate and address any outstanding" privacy concerns.

Tamara Kessler from DHS's civil rights office and Jonathan Cantor, DHS acting chief privacy officer, sent the memo (PDF) describing the review to Secretary Janet Napolitano last September. It was released this week.

It … Read more

Twitter aiming to slash phishing e-mails sent from 'Twitter.com'

If you get an e-mail saying it's from Twitter, the social-networking company wants to assure you that it's really from Twitter and that there's no need to worry that someone's out to steal your password.

At least, it's almost certain that the e-mail you just got from a Twitter.com address is not a phishing attack, the company said in a blog post today.

Twitter said it has adopted a new security protocol known as DMARC that was designed by a consortium in order to cut way down on phishing attempts.

DMARC solves a couple … Read more

Malware getting smarter, says McAfee

Malware continues to grow, not just in volume but in sophistication, according to a new report from McAfee.

Released today, the security vendor's fourth-quarter 2012 Threats Report found that more organizations are being targeted by more clever cyberattacks.

The number of trojans designed to steal passwords rose 72 percent last quarter. Some of these trojans are part of "customized" threats, while others are packaged with more "off-the-shelf" forms of malware. As one example, the Citadel trojan was specifically designed to hit financial services companies.

Operation High Roller and Project Blitzkrieg were also cited by McAfee … Read more

Adobe patches critical security flaws in Reader, Acrobat

Adobe has issued a patch to plug up critical security holes in its Reader and Acrobat software.

Released yesterday, the security updates address flaws that could cause the applications to crash and potentially let an attacker gain control of an infected computer. Adobe confirmed last week that the exploits have already led to some targeted attacks against vulnerable systems.

The patches are directed toward the following products and versions:

Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
Adobe Reader 9.5.3 and earlier … Read more

Biometric USB password key worthy of 'Mission: Impossible'

I hate to use the term "sexy" to describe a gadget, but if the myIDkey isn't "sexy," at least it's "damn fine." It takes the concept of a USB drive that protects all your passwords and does it up right with voice-activated search, biometric fingerprint identification, and Bluetooth.

Making a USB password protection device sound exciting? That's pretty hot.

I'm not the only person who thinks myIDkey is worth a look. It just launched its Kickstarter project and already has pulled in more than $87,000 (and rising fast) toward its $150,000 goal. A $99 pledge gets you a myIDkey with two different protective sleeves. … Read more

China's cyberwar: Intrusions are the new normal (FAQ)

The most remarkable aspect of a new and deeply troubling report about network intrusions originating in China is how commonplace they've become. They're no longer a rare occurrence: A single Shanghai-based hacking organization has reportedly compromised at least 141 companies across 20 industries.

Those figures come from a new report from security firm Mandiant, which revealed the global accomplishments of a group of professional hackers dubbed APT1. Mandiant has assembled convincing evidence that APT1 is actually part of People's Liberation Army Unit 61398, an organization so far uninterested in defacing or deleting data from U.S.-based … Read more

Apple issues Java update after security breach

Following recent security breaches that led to computers at Apple and other companies being compromised, Apple has issued an update for Java on OS X to close the hole.

The update went live this afternoon through Apple's Software Update service, which can be accessed from the Apple menu, and is also available as a standalone update for OS X Snow Leopard or later from the following locations:

Java for Mac OS X 10.6 Update 13
Java for OS X 2013-001

According to the update's release notes, it will disable all versions of Java that are supplied by Apple … Read more

Apple: Employee computers were targeted in hack attack

Apple today said it too was targeted as part of the string of hacking efforts on companies and news agencies.

The iPhone and Mac maker told Reuters that hackers targeted computers used by its employees, but that "there was no evidence that any data left Apple."

In a statement, Apple said it discovered malware that made use of a vulnerability in the Java plug-in, and that it was sourced from a site for software developers:

Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware … Read more