Amazon sues over 1000 people for posting fake reviews
Online retail giant Amazon has filed a lawsuit against more than 1100 people it says posted fake reviews on its website.
The company is suing 1114 defendants - all named as "John Does" because it has yet to uncover their real identities - over a breach of its review policy that prohibits paid-for or fictional reviews.
In a complaint filed Friday in King County Superior Court, Seattle, Amazon says the defendants collectively tarnished "Amazon's brand for their own profit and the profit of a handful of dishonest sellers and manufacturers."
Continued : https://nakedsecurity.sophos.com/2015/10/19/amazon-sues-over-1000-people-for-posting-fake-reviews/
lawsuit really is a waste of time. All you have to do is to pay attention to the verified purchase reviews and ignore the others.
Researchers find 256 iOS apps that collect users’ personal..
The apps, which at most recent count totaled 256, are significant because they expose a lapse in Apple's vetting process for admitting titles into its highly curated App Store. They also represent an invasion of privacy to the one million people estimated to have downloaded the apps. The data gathering is so surreptitious that even the individual developers of the affected apps are unlikely to know about it, since the personal information is sent only to the creator of the software development kit used to deliver ads.
Continued : http://arstechnica.com/security/2015/10/researchers-find-256-ios-apps-that-collect-users-personal-info/
Related: Apple pulls hundreds of iOS apps using private SDK from China to gather user data
Secret code in color printers enables government tracking
A research team led by the EFF recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.
The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known.
"We've found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer," said EFF Staff Technologist Seth David Schoen.
There were press releases about this years and years ago. Guess they are wanting to remind everyone about this.
Let's talk about that NSA Diffie-Hellman crack
Even before the leaks by former NSA sysadmin Edward Snowden, rumours had circulated for years that the agency could decrypt a significant fraction of encrypted internet traffic.
Now security researchers, who published a paper on their theory in May, have come forward with a detailed and credible theory on the technical foundations of this code-breaking capability. They presented a talk last week with a better explanation of how this fitted with the Snowden leaks.
Three years ago, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Edward Snowden documents revealed that the NSA had the ability to intercept and decrypt VPN traffic. The on-demand decryption of some HTTPS and SSH connections was also possible because of unspecified but groundbreaking cryptanalysis capabilities, according to the Snowden leaks.
Continued : http://www.theregister.co.uk/2015/10/19/nsa_crypto_breaking_theory/
Related : Prime Diffie-Hellman Weakness May Be Key to Breaking Crypto
Better SSL Error Indicators to Be Added in Firefox 44
Mozilla is constantly working on improving its product, and in Firefox 44, along with the planned deprecation of the RC4 cipher, the company is also overhauling its SSL error pages.
Added in Firefox 33, these pages were used to signal users of a failed SSL connection attempt, one that might have put their personal data at risk.
While useful in some cases, the error pages also prevented users from accessing some URLs, which they were sure were secure, and not harboring any attacks.
Tricky new malware replaces your entire browser with a dangerous Chrome lookalike
This malicious browser looks and acts just like Chrome--except for all the pop-up ads, system file hijacking, and activity monitoring.
Security researchers have discovered a fiendish form of browser malware that stands in for your copy of Google Chrome and hopes you won’t notice the difference.
As reported by PCRisk, the “eFast Browser” works by installing and running itself in place of Chrome. It’s based on Google’s Chromium open-source software, so it maintains the look and feel of Chrome at first glance, but its behavior is much worse.
First, it makes itself the default and takes over several system file associations, including HTML, JPG, PDF, and GIF, according to MalwareBytes. It also hijacks URL associations such as HTTP, HTTPS, and MAILTO, and replaces any Chrome desktop website shortcuts with its own versions. Essentially, eFast Browser makes sure to open itself at any opportunity.
Continued : http://www.pcworld.com/article/2994778/security/tricky-new-malware-replaces-your-entire-browser-with-a-dangerous-chrome-lookalike.html
Yahoo! launches! password-free! push! logins! for! mobes!
" 'Death to passwords', cries Purple Palace "
Yahoo! has launched a password-free method of logging into its mail and online services that prompts users to approve access through a mobile push notification.
The Yahoo! Account Key service is another blow to passwords, and the second dealt by the Purple Palace since it rolled out SMS two-factor authentication in March.
Product management vice president Dylan Casey says the new gizmo is "elegant", as long as users don't lose their mobes.
"Passwords are usually simple to hack and easy to forget," Casey suggests.
Continued : http://www.theregister.co.uk/2015/10/19/yahoo_passwords_key/
willing to bet
Every time Yahoo makes a change, there seems to be more ads on their pages in addition to the new features. Makes me wonder if there will be ads associated with their new mobile push notifications. I guess I will soon find out.
Any security system has its flaws. I just want my passwords without having to do too much fancy security stuff to access my account.
Don’t Be Fooled by Fake Online Reviews Part II
Brian Krebs @ his "Krebs On Security" blog:
In July I wrote about the dangers of blindly trusting online reviews, especially for high-dollar services like moving companies. That piece told the story of Full Service Van Lines, a moving company that had mostly five-star reviews online but whose owners and operators had a long and very public history of losing or destroying their customers’ stuff and generally taking months to actually ship what few damaged goods it delivered. Last week, federal regulators shut the company down.
NBC Miami reports that Full Service Van Lines (FSVL) was shut down by the U.S. Department of Transportation, but not because of consumer complaints. The DOT reportedly revoked the company’s license due to a pattern of safety violations. And that’s saying something: The NBC story said FSVL received more complaints this year than any other Florida mover of its size.
Continued : http://krebsonsecurity.com/2015/10/dont-be-fooled-by-fake-online-reviews-part-ii/