NEWS - October 09, 2015

Apple removes several apps that could spy on encrypted traffic

Apple has purged its iOS App Store of several titles that it said had the ability to compromise encrypted connections between end users and the servers they connect to. The company advised users to uninstall the apps from their iPhones and iPads to prevent potentially harmful monitoring, but it has yet to name any of the offending titles.

"Apple has removed a few apps from the App Store that install root certificates that could allow monitoring of data," company officials wrote in an advisory posted Friday. "This monitoring could be used to compromise SSL/TLS security solutions. If you have one of these apps installed on your device, delete both the app and its associated configuration profile to make sure your data remains protected."

Related :
Apple boots some ad blockers from App Store to protect users' privacy
Apple Removes Apps That Expose Encrypted Traffic
Apple removes apps from App Store that could spy on your data traffic
Apple Removes ‘A Few’ Apps Including Ad Blockers From App Store For Installing Root Certificates

Samsung Pay ‘safe’ from LoopPay attack

ESET's "We Live Security" blog:

Following a report from the New York Times that Samsung’s new mobile payment system acquisition was attacked by cybercriminals, the tech giant has reassured its customers that there is no need to be concerned.

In an official statement that directly addressed the article, it said that Samsung Pay was not affected by the isolated incident at LoopPay.

It added that the attack was focused on the LoopPay office network, which is completely independent of the production network that is native to Samsung Pay.

Related :

Hackers breach firm whose tech is used in Samsung Pay
Samsung says customer payment data not affected by hack attack

LogMeIn buys LastPass for $125 million

Remote computer-access company LogMeIn has acquired popular password-management company LastPass for $125 million, LogMeIn says in a statement today. The company says the deal is "expected to close in the coming weeks."

According to the statement, LogMeIn is planning to merge LastPass with another password-management company, Meldium, which was bought last year by LogMeIn. Eventually, Meldium and LastPass will go under the LastPass brand.

LastPass became a favorite password-management option soon after its launch in 2008, and now caters to millions of users. Earlier this year, the company also offered its service for free on smartphones, only charging users hoping to switch between desktop and mobile. In June, the company announced that it had been hacked, with attackers stealing email addresses and hashed versions of some users' master passwords.

Related :
LogMeIn buys LastPass password manager for $110 million
LogMeIn buying password manager LastPass
Furious LastPass fans fear favorite tool's fate amid LogMeIn's gobble
LogMeIn just acquired LastPass to build one password platform to rule them all

had classic security blunder in authentication engine

"Redmond pays $25k to hacker who spotted flaw allowing anyone to own your email"

Synack senior security researcher Wesley Wineberg has received US$25,000 from Microsoft for quietly disclosing a bug that allows any Hotmail account to be hijacked.

The cross-site request forgery vulnerability means that any user visiting a malicious page can have their accounts hijacked without further interaction.

The since-patched hole existed in Microsoft and could have been spun into a dangerous worm, Wineberg says.
