NEWS - February 10, 2015

Feb 10, 2015 3:34AM PST
Senator: Car hacks that control steering or steal driver data way too easy

Recently manufactured cars expose drivers to hacking attacks that could cause collisions and steal sensitive personal information, according to a report released Monday by a US Senator.

The majority of model-year 2014 cars offer network-connected features that provide driving directions, messaging, hands-free phone calls, safety monitoring, and entertainment. But a lack of security defenses makes it possible for those features to be remotely hijacked, potentially giving attackers the ability to control critical functions such as steering and braking, the 12-page report (pdf) warned.

Monday's report was issued by the office of US Senator Edward Markey, a member of the Senate Commerce Committee, which has jurisdiction over the auto industry. The report is the result of correspondence with 20 automobile manufacturers that received questions from Markey about the security mechanisms they employ to prevent hacking attacks.

Continued : http://arstechnica.com/security/2015/02/senator-car-hacks-that-control-steering-or-steal-driver-data-way-too-easy/

Recent (related) post: Automotive Security: Connected Cars Taking the Fast Lane

Be careful when talking in front of a Samsung SmartTV
Feb 10, 2015 3:52AM PST

Owners of Samsung SmartTVs that use its Voice Recognition feature to control the device should be aware that everything they say in front of their smart television set may end up in the hands of third parties.

What's more, according to the Samsung Global Privacy Policy, the company "is not responsible for these providers' privacy or security practices."

This information is not and was not secret - it's provided in the aforementioned privacy policy, and is written out clearly under the Voice Recognition section: [...]

When Shane Harris first noticed and publicized this fact, EFF activist Parker Higgins compared the policy with an excerpt from George Orwell's "1984," in which it's described how citizens were surveilled by the government via the "telescreen."

Continued : http://www.net-security.org/secworld.php?id=17928

Related:
Samsung's warning: Our Smart TVs record your living room chatter
Samsung SmartTV eavesdropping flap overblown

Researcher Publishes 10 Million Usernames and Passwords
Feb 10, 2015 3:52AM PST

In an effort to contribute to making authentication more secure, a researcher has decided to publish 10 million username/password combinations that he has collected over the years from the Web.

The number of leaked passwords has increased significantly over the past few years. Specialized websites that allow users to check if their credentials have been compromised in major data breaches have already collected hundreds of millions of records. For example, Have I Been Pwned? has 175 million accounts and PwnedList has close to 390 million.

Leaked passwords have been used by many companies to determine the most common passwords and other trends. However, in many cases, only passwords are made available.

Continued : http://www.securityweek.com/researcher-publishes-10-million-usernames-and-passwords

Related:
Researcher publishes 10 million usernames and passwords to aid future research
Fearing an FBI raid, researcher publishes 10 million passwords/usernames
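The post above notes that leaked credential dumps are mined for common-password trends, and that dumps which include usernames are more useful than password-only lists. The following is an added example, not code from the forum post or from the SecurityWeek article it quotes, showing the two defensive uses a practitioner gets from such a dump: deriving a banned-password list (needs only the password column) and matching usernames against an organization's own directory so affected accounts can be forced to reset (needs the username column). The dump, usernames and threshold are all constructed for illustration.

```python
"""
Added example: defensive use of a leaked "username:password" dump.
All sample data below is constructed; none of it is real credentials.
"""
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Constructed sample dump in the username:password form the post describes.
SAMPLE_DUMP = """\
alice:123456
bob:password
carol:123456
dave:qwerty
erin:letmein
frank:123456
grace:password
heidi:Summer2014!
ivan:qwerty
judy:123456
"""


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'user:password' lines.

    Splits on the first colon only, so a password that itself contains ':'
    is kept intact; lines without a colon or with an empty field are skipped.
    Usernames are lower-cased for matching; passwords are left exactly as found.
    """
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, _, pw = line.partition(":")
        if user.strip() and pw:
            pairs.append((user.strip().lower(), pw))
    return pairs


def top_passwords(pairs: List[Tuple[str, str]], n: int = 3) -> List[Tuple[str, int]]:
    """Most common passwords and their counts.

    Only the password column is used, which is why password-only dumps
    still support this kind of trend analysis.
    """
    return Counter(pw for _, pw in pairs).most_common(n)


def banned_list(pairs: List[Tuple[str, str]], min_count: int = 2) -> Set[str]:
    """Passwords seen at least min_count times (threshold is a constructed
    choice) become a banned set a registration or change-password form can
    reject outright."""
    counts = Counter(pw for _, pw in pairs)
    return {pw for pw, c in counts.items() if c >= min_count}


def is_banned(candidate: str, banned: Set[str]) -> bool:
    """Check a proposed password against the banned set."""
    return candidate in banned


def exposed_accounts(pairs: List[Tuple[str, str]], our_users: Iterable[str]) -> List[str]:
    """Usernames from our own directory that appear in the dump.

    This is the part a password-only dump cannot provide: without the
    username column there is no way to know whom to notify or reset.
    """
    ours = {u.lower() for u in our_users}
    return sorted({u for u, _ in pairs if u in ours})


if __name__ == "__main__":
    pairs = parse_dump(SAMPLE_DUMP)
    print("most common:", top_passwords(pairs))
    banned = banned_list(pairs)
    print("'qwerty' banned:", is_banned("qwerty", banned))
    # Constructed directory of "our" users; only carol and ivan are in the dump.
    print("exposed:", exposed_accounts(pairs, ["Carol", "zed", "Ivan"]))
```

The banned set should be rebuilt whenever a new dump is ingested, and the exposed-account check is what turns a public dump into an actionable forced-reset list rather than a statistic.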

Box Giving Customers Control Over Encryption Keys
Feb 10, 2015 3:52AM PST

"Box says they've eliminated the last major barrier to cloud adoption, even in highly regulated organizations."

Box, a leading provider of cloud storage and collaboration services, today announced new technology they say will eliminate the final major barrier to cloud adoption. The new solution, Box Encryption Key Management (EKM), gives Box customers the ability to manage, create, and revoke their own encryption keys.

"EKM helps break into more heavily regulated areas," says Box's vice-president of enterprise product, Rand Wacker.

One of the major reasons organizations -- particularly those that are risk-averse or in highly regulated industries -- avoid cloud adoption is that, in the cloud, they share servers with strangers. Although each tenant has always been in its own virtual instance, segregated from other customers', some organizations were rightly wary.

Continued : http://www.darkreading.com/box-giving-customers-control-over-encryption-keys/d/d-id/1319028

Related:
Box hands cloud encryption keys over to its customers
Box's new Enterprise Key Management service lets companies store their own encryption keys

Simplocker ransom Trojan returns with more dangerous encryption
Feb 10, 2015 3:52AM PST

The Simplocker ransom malware that infected thousands of Android devices last summer has dramatically boosted the power of its encryption design in a new version, security firm Avast has discovered.

First detected by ESET in June 2014 circulating on Russian sites, the original incarnation generated a crude symmetric master key (the same key used for encryption and decryption) to encrypt the files on victim devices, which made providing decryption straightforward once that was found.

Updated weeks later to an English-speaking version, the malware was notable as the first Android attack using the ransom technique to extort money from victims.

Continued : http://www.techworld.com/news/security/simplocker-ransom-trojan-returns-with-more-dangerous-encryption-3597445/

Microsoft Pushes Patches for Dozens of Flaws
Feb 10, 2015 5:42AM PST

Microsoft today released nine update bundles to plug at least 55 distinct security vulnerabilities in its Windows operating system and other software. Three of the patches fix bugs in Windows that Microsoft considers "critical," meaning they can be exploited remotely to compromise vulnerable systems with little or no help from users, save for perhaps clicking a link or visiting a hostile Web site.

The bulk of the flaws (41) addressed in this update apply to Internet Explorer, the default browser on Windows. This patch should obviously be a priority for any organizations that rely on IE. Other patches fix bugs in the Windows OS itself and in various versions of Microsoft Office. A full breakdown of the patches is available here.

Among the more interesting critical patches is a fix for a vulnerability in Microsoft Group Policy that could present unique threats for enterprises that rely on Active Directory, the default authentication mechanism on corporate Windows networks. The vulnerability is remotely exploitable and can be used to grant attackers administrator-level privileges on the targeted machine or device - that means tens of millions of PCs, kiosks and other devices, if left untreated.

Continued : http://krebsonsecurity.com/2015/02/microsoft-pushes-patches-for-dozens-of-flaws/

See : Microsoft Security Bulletin Summary for February 2015

TurboTax resumes e-filing following torrent of fraudulent tax returns
Feb 10, 2015 5:42AM PST

Intuit, the makers of the popular TurboTax app, stopped the e-filing of all state tax returns in the US on Thursday due to a surge in fraudulent filings but then recommenced on Saturday after having taken security measures to help clean up the mess.

The filing freeze came after several states refused to accept the returns after seeing a deluge of phony filings.

Utah, the first state to reach out to Intuit, issued a statement (pdf) on Thursday, saying that the state tax commission had discovered 28 fraud attempts that "originate from data compromised through a third-party commercial tax preparation software process," as well as 8,000 returns flagged as potentially fraudulent.

Continued : https://nakedsecurity.sophos.com/2015/02/10/turbotax-resumes-e-filing-following-torrent-of-fraudulent-tax-returns/

Related: Intuit Suspends Turbo Tax e-Filing, Investigating Fraudulent Returns