NEWS - October 13, 2015

Privacy Victory! Healthcare.gov Announces Support for Do Not Track

In January of 2015 we wrote about how healthcare.gov—the flagship site for the Affordable Care Act—was leaking personal data to third party services. The story gained a lot of attention in the press and in the government. Many privacy concerns were raised, and it appears that the administrators of healthcare.gov took notice.

Last week, officials with healthcare.gov announced plans to improve privacy across the service, including a new privacy policy, easy privacy controls for users, and a commitment to honoring the Do Not Track header.

Continued: https://www.eff.org/deeplinks/2015/10/privacy-victory-healthcaregov-announces-support-do-not-track
Comments
All versions of Windows affected by critical security flaw

Microsoft has issued a "critical" patch for every supported version of Windows.

The software giant said in its monthly security bulletin as part of its so-called Patch Tuesday that Windows Vista and later, including Windows 10, require patching from a serious remote code execution flaw in Internet Explorer.

The patch, MS15-106, addresses a flaw in how Internet Explorer handles objects in memory, the company said in its advisory. If exploited, an attacker could gain access to an affected machine, gaining the same access rights as the logged-in user, such as installing programs, and deleting data.

An attacker would have to "take advantage of compromised websites, and websites that accept or host user-provided content or advertisements," said the advisory. "These websites could contain specially crafted content that could exploit the vulnerabilities."

Continued: http://www.zdnet.com/article/october-2015-patch-tuesday/

Adobe Patches 69 Vulnerabilities in Reader, Acrobat, Flash

Adobe today released a jumbo-sized Patch Tuesday update for Reader, Acrobat, and Flash, addressing a combined 69 critical vulnerabilities in the software, many of which can lead to information disclosure and code execution.

The company warned about the bugs via a blog post at its Product Security Incident Response Team (PSIRT) Blog and in a pair of security bulletins published to its site Tuesday morning.

The bulk of the bugs, 56 in total, exist in the company’s Acrobat and Reader software families, including its DC, XI, and X products, for both Windows and Macintosh machines.

Continued: https://threatpost.com/adobe-patches-69-vulnerabilities-in-reader-acrobat-flash/115005/

See:
Security Updates Available for Adobe Acrobat and Reader
Critical Security Updates for Adobe Flash Player (APSB15-25)

Arrest of Chinese Hackers Not a First for U.S.
The Washington Post reported last week that the Chinese government has quietly arrested a handful of hackers at the urging of the U.S. government, a move described as “an unprecedented step to defuse tensions with Washington at a time when the Obama administration has threatened economic sanctions.” While this is a welcome and encouraging development, it is not the first time Beijing has arrested Chinese hackers in response to pressure from the U.S. government.

The action reported by The Post and other media outlets came shortly before Chinese President Xi Jinping’s state visit to Washington late last month. The hackers arrested had reportedly been identified by U.S. officials as having stolen commercial secrets from U.S. firms to be sold or passed along to Chinese state-run companies.

Continued: http://krebsonsecurity.com/2015/10/arrest-of-chinese-hackers-not-a-first-for-u-s/

Related: Chinese hackers arrested at US request

Dow Jones & Co. Latest Financial Firm Hit With Data Breach

The financial firm Dow Jones & Company announced late last week that it’s the latest in an exhaustive list of companies this year to report a data breach.

The News Corp.-owned company informed customers Friday that hackers managed to infiltrate their system in an apparent attempt to gather contact information on current and former subscribers.

The letter Dow Jones sent to customers (.PDF) – as most data breach letters tend to be however – is a little vague when it comes to details.

Continued: https://threatpost.com/dow-jones-company-latest-financial-firm-hit-with-data-breach/115002/

Android ransomware uses Material Design to scare users into paying ransom

Symantec's "Security Response" blog:

A new variant of Android ransomware (Android.Lockdroid.E) takes advantage of Google’s Material Design and an open-source project to create the lockscreen’s user interface (UI). This allows the threat to easily display fraudulent legal notices and gathered device logs to make the ransom notice seem more intimidating.

The ransomware isn’t spreading through the Google Play store. Instead, a device can be compromised in one of two ways:

The user downloads a free software package on their computer which includes a popular browser hijacker. This hijacker then redirects the victim's search results to sites hosting the Android ransomware.
The ransomware is disguised as a legitimate video app and is made available on unofficial app stores.

What is Material Design?

Continued: http://www.symantec.com/connect/fr/blogs/android-ransomware-uses-material-design-scare-users-paying-ransom

Related: Android ransomware gets new, professional look thanks to Google’s Material Design

Credit Card Breach at America’s Thrift Stores

Another charity store chain has been hacked: America’s Thrift Stores, an organization that operates donations-based thrift stores throughout the southeast United States, said this week that it recently learned it was the victim of a malware-driven security breach that targeted software used by a third-party service provider.

“This breach allowed criminals from Eastern Europe unauthorized access to some payment card numbers,” the company’s CEO said in a statement. “This virus/malware, is one of several infecting retailers across North America.”

The statement continues:

Continued: http://krebsonsecurity.com/2015/10/credit-card-breach-at-americas-thrift-stores/

Businesses Warned of Router, Riddled with Security Holes and a Zero-day Exploit

When you buy a new piece of computer hardware, and connect it to your network, I really hope that you check whether there are any security updates available.

A security researcher from Singaporean firm Vantage Point Security is giving a presentation this week at the Hack in the Box conference about just how disturbingly easy it is to compromise SOHO routers. Lyon Yang claims to have found a series of zero-day vulnerabilities, and will demonstrate that it is "quite easy to pull off [a] remote hijack exploit" against routers made by ZHONE, potentially secretly monitoring victims' internet traffic or installing malicious code.

In particular, the problem is said to impact businesses and home users in Singapore, where at least one internet provider is said to mandate that the ZHONE router is used by customers to access their services.

Continued: http://businessinsights.bitdefender.com/businesses-warned-of-router-riddled-with-security-holes-and-a-zero-day-exploit

This USB stick will fry your computer within seconds

A Russian security researcher known as "Dark Purple" has created a USB stick that contains an unusual payload.

It doesn't install malware or exploit a zero-day vulnerability. Instead, the customised USB stick sends 220 Volts (technically minus 220 Volts) through the signal lines of the USB interface, frying the hardware.

Dark Purple claims in a Russian-language blog post that the attack is not just limited to computers, but can be used to incapacitate almost any equipment equipped with a USB drive.

Want to see the attack in action? Of course you do.

Here is Dark Purple's video, where he demonstrates USB Killer v2.0 bricking a Lenovo Thinkpad X60 laptop:

Continued (with video) here: https://grahamcluley.com/2015/10/usb-killer/

How to listen to (and delete) everything you've ever said to Google

Users of Google’s voice-control features such as OK Google are probably aware that the company stores the voice recordings it receives when they talk to it. But it’s still a bit of a shock to be confronted with a list of all the recordings the company has ever made of you.

Google’s voice and audio activity page isn’t promoted heavily by the company, and visiting it gives a hint as to why. If you have (or have ever had) an Android phone with Google’s “OK Google” voice-control system, the page should show a list of every command you have ever given it – replete with a little play button next to it.

The feature is one of a number of attempts by the company to demystify its data-collection service. Similarly, Google offers a location history, showing users any location the company has tracked them to, through apps such as Google Maps as well as simply using an Android phone.

Continued: http://www.theguardian.com/technology/2015/oct/13/google-voice-activity-listen-delete-recordings

Related: Google records your voice searches. Here's how to listen back to them

New zero day exploit hits fully patched Adobe Flash

Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe's Flash Player so they can surreptitiously install malware on end users' computers, security researchers warned Tuesday.

So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider McAfee said in a blog post published Tuesday. It's not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207, and may also affect earlier versions. At this early stage, no other technical details are available. The researchers wrote:

Continued: http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/

CNET Forums