
NEWS - May 17, 2011

MailChimp tightens up security - will other email marketing services follow suit?

I may be a little late to the party, but I was pleased to discover today that MailChimp - a popular online tool used by companies and individuals for managing email campaigns - has tightened up its security with a number of new features.

If you've never been involved in managing mailing lists, you might not be familiar with MailChimp. But it's certainly made a name for itself both through its ease-of-use and strong branding courtesy of its chimp mascot.

In an email to its users, MailChimp explains that the new security features are "optional but strongly encouraged":

* TXT and email security alerts: MailChimp can send your phone an SMS text message when it detects a login, attempted list download, or other change that might affect your account's security. Email alerts are also available. More info.

* Detect location changes: If someone logs in to your account from a different location than usual (determined via the IP address used), MailChimp users can force them to answer your account security question. More info.

Continued : http://nakedsecurity.sophos.com/2011/05/17/mailchimp-tightens-up-security-will-other-email-marketing-services-follow-suit/
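The two MailChimp features described above (security alerts on logins, list downloads and similar account changes, and a step-up challenge when a login arrives from an unfamiliar location) amount to a simple risk-based login check. The following is an added illustration of that logic and is not MailChimp's own code: it assumes a coarse IP-prefix stand-in for geolocation (a real service would consult a GeoIP database), an assumed list of alert-worthy event names, and a constructed event stream.

```python
"""Added example of login-risk checks in the style MailChimp describes:
alert on sensitive account events and require a step-up challenge when a
login comes from a network the account has not been seen on before.
Not MailChimp code; the /24 (IPv4) or /48 (IPv6) prefix used as the
"location" and the ALERT_EVENTS names are assumptions made for this demo."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Events that should always raise a security alert (assumed list).
ALERT_EVENTS = {"login", "list_download", "password_change", "email_change"}


def network_of(ip: str) -> str:
    """Coarse stand-in for geolocation: the enclosing /24 (IPv4) or /48 (IPv6)
    is treated as the account's 'location'."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ip_network(f"{ip}/{prefix}", strict=False))


class LoginMonitor:
    def __init__(self):
        # user -> set of networks seen on logins that passed verification
        self.known = defaultdict(set)
        # (user, event, ip, message) tuples a notifier would send by SMS/email
        self.alerts = []

    def record_trusted_login(self, user: str, ip: str) -> None:
        """Call after a login that passed any step-up challenge."""
        self.known[user].add(network_of(ip))

    def assess(self, user: str, event: str, ip: str) -> dict:
        """Decide, for one account event, whether to alert and whether the
        user must answer the security question before proceeding."""
        net = network_of(ip)
        new_location = event == "login" and net not in self.known[user]
        decision = {
            "alert": event in ALERT_EVENTS,
            "step_up_required": new_location,
            "location": net,
        }
        if decision["alert"]:
            msg = f"{event} from {ip}"
            if new_location:
                msg += " (new location: security question required)"
            self.alerts.append((user, event, ip, msg))
        return decision


# Constructed sample event stream (documentation-range addresses, not real data).
SAMPLE_EVENTS = [
    ("alice", "login", "203.0.113.10"),         # usual network -> alert only
    ("alice", "list_download", "203.0.113.10"),  # sensitive -> alert only
    ("alice", "login", "198.51.100.7"),          # new network -> alert + step-up
    ("alice", "profile_view", "198.51.100.7"),   # benign -> nothing
]


def run_sample():
    """Replay the constructed events and return the monitor and decisions."""
    mon = LoginMonitor()
    mon.record_trusted_login("alice", "203.0.113.25")  # establishes the usual network
    results = [mon.assess(u, e, ip) for u, e, ip in SAMPLE_EVENTS]
    return mon, results


if __name__ == "__main__":
    mon, results = run_sample()
    for (u, e, ip), r in zip(SAMPLE_EVENTS, results):
        print(u, e, ip, r)
    for a in mon.alerts:
        print("ALERT:", a)
```

The known-network set is only updated after a login that has passed the challenge, so an attacker who triggers the step-up from a new address cannot quietly add that address to the trusted set; the alert on `list_download` fires regardless of location, since exporting the subscriber list is the action worth telling the owner about.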
Comments
Hack Targets NASA's Earth Observation System

A hacker is claiming that a security hole in a server at NASA's Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief.

The hacker, who uses the handle "Tinkode," has published a screen capture from what he claims is an FTP (File Transfer Protocol) server at NASA's Goddard Center. The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency.

The screenshot from the server at the Goddard Space Center was published on Tuesday. It shows a directory tree from the server, servir.gsfc.nasa.gov, which appears to be connected with NASA's SERVIR program. It is not clear what the purpose of the server is or the nature of the security hole exploited by Tinkode.

Continued : http://threatpost.com/en_us/blogs/hack-targets-nasas-earth-observation-system-051711

Researcher: Dropbox misrepresents security features

"A University of Indiana PhD has filed a complaint with the FTC alleging Dropbox misrepresents its encryption claims"

Cloud data storage and synchronization company Dropbox has been hit with a complaint to the U.S. Federal Trade Commission alleging that the company has deceived consumers about the level of encryption security it offers.

In a letter sent to the FTC, University of Indiana PhD and security researcher Christopher Soghoian claimed that while Dropbox encrypted every file it stored, this could be reversed by employees, undermining the company's security credibility.

Not only did this design fall short of "industry best practices", wrote Soghoian, it also represented a serious security risk that the company was not being upfront about.

"Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data," Soghoian wrote. "Dropbox's customers face an increased risk of data breach and identity theft because their data is not encrypted."

In Soghoian's view, Dropbox has deceived its users, infringing Section 5 of the Federal Trade Commission Act.

Continued : http://www.networkworld.com/news/2011/051711-researcher-dropbox-misrepresents-security.html

Also: Dropbox security woes are back, FTC complaint filed

CA antivirus unit sold: Will become 'Total Defense'

CA has sold its antivirus division to venture capital firm Updata Partners.

Updata plans to form a new firm, provisionally called Total Defense, Inc, once the deal closes in June.

Around 60,000 businesses worldwide rely on antivirus technologies from CA's Internet Security Business Unit, the division of the firm that is being sold.

CA will retain its enterprise-focused identity and access management software business, a line of products that fits more closely with its core systems management market. Financial terms of the deal, announced late last week, were not disclosed.

The move follows disappointing financial results from the system management firm, which has been a premier league player in the anti-malware market for 10 years without ever managing to knock any of the big four off their perch.

CA Q4 sales rose by five per cent to $1.13bn, falling below analyst predictions of $1.17bn. Shares in the firm fell nine per cent as a result, Bloomberg reports.

Continued : http://www.theregister.co.uk/2011/05/17/ca_quits_anti_virus_biz/

Return of the Playstation Network

Kaspersky Lab Weblog:

Today is May 17, almost exactly a month after the massive breach of Sony's PSN network. If you live in North America then you may be pleased to know that the Playstation network has finally come back online. Due to the enormous amount of subscribers to the service, the restart has been a bit shaky, with reports of password reset emails clogging ISP mail servers. Despite the hiccups, it seems that the service is gradually returning.

If you are a customer of the Sony service, you will need to immediately change your password as well as install a firmware update to your system. Sony has pledged a much stronger security environment to its customers and partners, and this appears to be the beginning of many changes. Sony has previously stated that they have rebuilt the entire network from scratch and moved their PSN infrastructure to a new data center in an undisclosed location. I'm not sure why this emphasis on security wasn't a focus of the original model, but maybe Sony can prevent future mishaps. Perhaps all the additional outside scrutiny will help, but only time will tell.

With the return of its online services Sony is offering a "welcome back" package to its customers. The details vary by region, but it generally consists of two free games, some time-limited free access to premium services, and some free game-related content. Is this enough? Customers appear to be flocking back to the online service in droves. At this time there are no reports of any of the customers' leaked data being used against them. As the breach is so recent, it may take some time for criminals to make use of the data.

Continued : http://www.securelist.com/en/blog/208188072/Return_of_the_Playstation_Network

French 3 Strikes Suspended Due To Anti-Piracy Security Alert

Following a weekend security breach at Trident Media Guard, the outfit spearheading data collection for France's 3 strikes anti-piracy drive, the country's HADOPI agency has severed interconnection with the company. This means that, pending an enquiry, French file-sharers are no longer being tracked, a major embarrassment for the government.

On Saturday evening, with the invaluable assistance of blogger and security researcher Olivier Laurelli, aka Bluetouff, TorrentFreak first reported that Trident Media Guard (TMG), the private company entrusted to carry out file-sharing network monitoring for the French government, had been hacked.

As became evident, the term 'hacked' was probably overly generous to TMG, since according to Bluetouff the company had left the equivalent of its front door open.

"A virtual machine leaked a lot of information like scripts, p2p clients to generate fake peers, local physical addresses in the datacenter and even a password that could lead to a major global TMG security breach," he explained.

TorrentFreak obtained and listed some of the files in question in our earlier report, but as the contents of the leak were examined in more detail, it became evident that TMG had not only leaked out its own data, but that belonging to the subjects of their monitoring.

Continued : http://torrentfreak.com/french-3-strikes-suspended-due-to-anti-piracy-security-alert-110517/

Also:
France Halts 'Three Strikes' IP Address Collection After Data Leak
France's official P2P monitoring firm hacked

Tumblr bloggers ensnared in chain-spam scam

Tumblr has become the target of a chain letter-style spam that spread rapidly over the micro-blogging service.

The fake messages falsely warned that "your blog will be deleted unless you repost this" note, which claimed that Tumblr was drawing up a list of inactive profiles.

Totally untrue, but over 130,000 people were taken in enough to repost the chain spam, according to an assessment of the scam by GFI Software.

Similar scams have been commonplace on Facebook for some time. The Tumblr chain letter took advantage of a shortcoming in the reblog function on the site that meant that more clued-up users could only warn about the scam by reposting the dodgy message themselves.

"The only way users can really warn others is by adding a note to the comments, and the only way to do that is to reblog the original message, thus spreading it further," explained Jovi Umawing, a security researcher at GFI Software.

http://www.theregister.co.uk/2011/05/17/tumblr_chain_letter_scam/

Microsoft claims IE8 and 9 stop millions of malware attacks... daily

Today Microsoft laid out claims as to the efficacy of its Internet Explorer product, versions 8 and 9, the most recent editions, in blocking malware and protecting users.

The blog post on the matter states that between two and five million malware attacks are blocked every day by the two browsers. It's enough to make you wonder how the Internet Explorer 7 users are faring, as they lack the main element that is keeping users of IE8 and 9 safe: SmartScreen Filter.

Yes, the SmartScreen Filter is what Microsoft is using to stop malware in its tracks. This is good, because as we all know, the average Internet browser is as smart as a normal piece of driftwood.

Want proof? Out of every fourteen programs that users download with IE, again according to Microsoft, one is malware. That means that IE users are downloading harmful bits of data to their computer over seven percent of the time. Such poor behavior must require some serious conditioning.

Of course, Microsoft is proud of what IE8 and 9 have done together, but it is even prouder of what IE9 alone can do, and that is run a part of its architecture called Application Reputation. Application Reputation is the company's latest attempt to save Internet Explorer from a future as a forgotten, unsafe browsing tool.

Continued: http://thenextweb.com/microsoft/2011/05/17/microsoft-claims-ie8-and-9-stop-millions-of-malware-attacks-daily/
