NEWS - August 01, 2016

Aug 1, 2016 10:09AM PDT
Social Security Administration Now Requires Two-Factor Authentication

The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at ssa.gov. Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves.

The SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

Continued: http://krebsonsecurity.com/2016/08/social-security-administration-now-requires-two-factor-authentication/

Russian spies claim they can now collect crypto keys ..
Aug 1, 2016 10:40AM PDT
.. but don't say how

Russia's intelligence agency, the FSB, successor to the KGB, has posted a notice on its website claiming that it now has the ability to collect crypto keys for Internet services that use encryption. This meets a two-week deadline given by Vladimir Putin to the FSB to develop such a capability. However, no details have been provided of how the FSB is able to do this.

The FSB's announcement follows the passage of Russia's wide-ranging surveillance law, which calls for metadata and content to be stored for six months, plus access to encrypted services, as Ars reported back in June.

Continued: http://arstechnica.com/tech-policy/2016/08/russian-spies-say-they-are-able-to-collect-crypto-keys-but-dont-say-how/

New Android Trojan SpyNote leaks on underground forums
Aug 1, 2016 10:42AM PDT

A new and potent Android Trojan has been leaked on several underground forums, making it available for free to less resourceful cybercriminals who are now likely to use it in attacks.

The Trojan app is called SpyNote and allows hackers to steal users' messages and contacts, listen in on their calls, record audio using the device's built-in microphone, control the device camera, make rogue calls and more.

Continued: http://www.pcworld.com/article/3102101/security/new-android-trojan-spynote-leaks-on-underground-forums.html

Related:
New Trojan SpyNote Installs Backdoor on Android Devices
https://threatpost.com/new-trojan-spynote-installs-backdoor-on-android-devices/119560/

Android app found in Google Play stole users' photos, videos
Aug 1, 2016 10:44AM PDT

"Development tool removed from Android app store for targeting users' media files"

Symantec's Shaun Aimoto explains that the app "HTML Source Code Viewer", developed by Sunuba Gaming, poses as a development tool.

In actuality, the app sends files stored in an Android phone's standard image and video locations to "proqnoz.info," a web server hosted in Azerbaijan.

Attackers could use people's stolen media for all kinds of nefarious purposes. As Aimoto notes in a blog post: [...]

Continued: https://www.grahamcluley.com/2016/07/android-app-steals-photos/

WhatsApp doesn’t properly erase your deleted messages
Aug 1, 2016 10:46AM PDT

There were cheers a few months ago when WhatsApp announced that it was using end-to-end encryption for all messages by default, boosting the privacy and security of users.

But now respected iOS security researcher Jonathan Zdziarski claims to have found a worrying weakness in WhatsApp that could open a door for intelligence agencies and other prying eyes to snoop upon your private conversations, even after they have been “deleted” from the app.

In a blog post, Zdziarski describes how he found a “forensic trace” of supposedly-deleted conversations on his iPhone’s disk image: [...]

Continued: https://www.hotforsecurity.com/blog/whatsapp-doesnt-properly-erase-your-deleted-messages-researcher-reveals-16169.html

Forced HTTPS for google.com aims to help block attacks ..
Aug 1, 2016 10:51AM PDT
Google's HSTS rollout: Forced HTTPS for google.com aims to help block attacks

HSTS allows website operators to ensure their site is only accessible via a browser when using a secure HTTPS connection, helping block SSL-stripping and man-in-the-middle attacks. All major browsers, including Chrome, Safari, Internet Explorer, and Edge now support HSTS.

"HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites," explained Jay Brown, a senior technical program manager for security at Google.

Continued: http://www.zdnet.com/article/googles-hsts-rollout-forced-https-for-google-com-aims-to-help-block-attacks/
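The behaviour Brown describes, a browser turning an accidentally typed or linked HTTP URL into HTTPS for a host that has sent a Strict-Transport-Security header, modelled in Python as an added example. This is not code from the ZDNet article, from Google or from the forum poster; it follows the client rules of RFC 6797: the header is honoured only when received over HTTPS, max-age and includeSubDomains are parsed, expired policies are dropped, and an explicit :80 becomes the default HTTPS port. The host names and header values are constructed for illustration.

```python
"""Browser-side model of HTTP Strict Transport Security (RFC 6797).

Added example for this thread, not code from the ZDNet article, Google or
the forum poster. Host names and header values are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid: max-age missing or non-numeric, or a directive repeated
    (RFC 6797 section 6.1). Unknown directives such as "preload" are ignored.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age may be sent as a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host HSTS policy cache with expiry, as a browser keeps it."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._policies = {}      # host -> (expires_at, include_subdomains)

    def observe_response(self, url, headers):
        """Learn a policy from a response. The header is trusted only when the
        response itself arrived over HTTPS (RFC 6797 section 8.1); accepting it
        over plain HTTP would let an on-path party plant or clear policies.
        Returns True when a policy was stored or deleted."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 tells the client to forget
            return True
        self._policies[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known_host(self, host):
        """True if host, or a parent domain whose policy has includeSubDomains,
        has an unexpired policy. Expired entries are evicted as they are met."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if expires_at <= now:
                del self._policies[candidate]
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts before any request is
        sent; an explicit :80 becomes the default HTTPS port, other ports are
        kept (RFC 6797 section 8.3). Other URLs come back unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_host(parts.hostname):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # First visit over HTTPS delivers the (constructed) policy header.
    store.observe_response("https://example.test/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.upgrade("http://example.test/login"))     # https://example.test/login
    print(store.upgrade("http://mail.example.test:80/"))  # https://mail.example.test/
    print(store.upgrade("http://other.test/"))            # http://other.test/ (no policy)
```

On the server side the whole mechanism is a single response header on HTTPS responses, for instance `Strict-Transport-Security: max-age=31536000; includeSubDomains`. Because the client learns the policy only after one successful HTTPS visit, the very first plain-HTTP request to a site is still unprotected unless the domain is shipped in the browsers' built-in HSTS preload list.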
WPAD Flaws Leak HTTPS URLs
Aug 1, 2016 10:54AM PDT

Researchers have found flaws in the Web Proxy AutoDiscovery protocol tied to DHCP and DNS servers that allow hackers to spy on HTTPS-protected URLs and launch a myriad of different malicious attacks against Linux, Windows or Mac computers.

According to the security firm SafeBreach, this vulnerability allows hackers to monitor the URLs of every request the browser makes. With that information, SafeBreach says it’s possible for a hacker to see the entire URL of every site visited even if the traffic is protected with HTTPS encryption.

Continued: https://threatpost.com/wpad-flaws-leak-https-urls/119582/

The dangerous cost of ‘free’ Wi-Fi
Aug 1, 2016 10:58AM PDT

So you go to a political convention. Do a little politicking and listen to some speeches. While taking a break from the handshaking and schmoozing you decide to do a little work on your laptop. Then you get hacked.

During the Republican National Convention, IT security company Avast set up fake Wi-Fi hotspots to see who would fall for their trick. As it turns out, a lot of people fell for it. Avast estimated more than 1,200 people logged into the fake hotspots, some with politically leaning names like “I VOTE TRUMP! FREE INTERNET” and “I VOTE HILLARY! FREE INTERNET,” and some with an official ring to them like “Google Starbucks” and “ATTWifi at GOP.”

Continued: http://www.pcworld.com/article/3101860/wi-fi/the-dangerous-cost-of-free-wi-fi.html

Trojan in 155 Google Play Android Apps Affects 2.8M Users
Aug 1, 2016 11:35AM PDT

"Trojan was seen before, last time in April 2016"

There are currently 155 Android apps on the official Google Play Store infected with the Android.Spy trojan, which collects details about the user's device and then shows ads on top of the phone's homescreen or other applications, and inside the OS notification area.

Security firm Dr.Web says they informed Google about this new threat, but the search giant has not yet removed all infringing apps, and as such, they are releasing a list of names of all the apps they've found showing traces of the trojan so that users can stay away from them. (Full list at the end of the article.)

Continued: http://news.softpedia.com/news/trojan-in-155-google-play-android-apps-affects-2-8-million-users-506849.shtml