NEWS - October 21, 2014

Oct 21, 2014 1:00AM PDT
Mac OS X Yosemite sends location, search data to Apple [Updated]

"Apple reportedly collects location and search data via Mac's Spotlight feature"

Two steps toward privacy, one step back.

While privacy advocates lauded Apple for the company's decision to default to encrypting data on its latest mobile operating system, iOS 8, the technology firm faced criticism on Monday after independent researchers discovered that its latest operating system, Mac OS X Yosemite, is configured to send location and search data whenever a user queries Spotlight.

Spotlight is the company's search feature for Mac OS X. The capability doesn't just search a user's computer, though; it also sends information to Apple and Microsoft to return searches from the companies' services, according to Fix-MacOSX.com.

Continued: http://arstechnica.com/security/2014/10/mac-os-x-yosemite-reportedly-leaks-location-search-data/

Related:
Privacy Criticism Hits OSX Yosemite over Location Data
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for

Banks: Credit Card Breach at Staples Stores
Oct 21, 2014 1:04AM PDT

Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating "a potential issue" and has contacted law enforcement.

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Framingham, Mass.-based Staples has more than 1,800 stores nationwide, but so far the banks contacted by this reporter have traced a pattern of fraudulent transactions on a group of cards that had all previously been used at a small number of Staples locations in the Northeast.

Continued: http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/

Related:
Staples customers likely the latest victims of credit card breach
Staples investigates possible data breach, credit card fraud
Carders punch holes through Staples

Spike in Malware Attacks on Aging ATMs
Oct 21, 2014 1:04AM PDT

This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.

Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they'd installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR. To learn more about how these attacks are impacting banks and the ATM makers, I reached out to Owen Wild, NCR's global marketing director, security compliance solutions.

Continued: http://krebsonsecurity.com/2014/10/spike-in-malware-attacks-on-aging-atms/

Google Adds Hardware Security Key For Account Protection
Oct 21, 2014 1:45AM PDT

Google is introducing an improved two-factor authentication system for Gmail and its other services that uses a tiny hardware token that will only work on legitimate Google sites.

The new Security Key system is meant to help defeat attacks that rely on highly plausible fake sites that are designed to capture users' credentials. Attackers often go to great lengths to create fake Gmail or Google Accounts sites that look exactly like the real ones. They then try to lure or direct users to those sites through phishing emails or other tactics in order to get them to enter their Google account credentials. The attackers then will take over the accounts.

The hardware Security Key is a small USB token that implements the FIDO Alliance's Universal 2nd Factor specification. It's meant for users who require a higher level of security on their accounts and users can buy them from Amazon or other retailers now.

Continued: http://threatpost.com/google-adds-hardware-security-key-for-account-protection/108943

Facebook trawls thru paste sites for compromised credentials
Oct 21, 2014 1:45AM PDT

In the spirit of November as National Cyber Security Awareness Month, Facebook security engineer Chris Long shared how the company discovers that some of its users' accounts could be compromised and preemptively pushes them towards changing the password.

The company has created an automated system that trawls public paste sites (Pastebin and such) for leaked login credentials, collects the information, compares it to the Facebook internal databases and, if a match is found, alerts and guides the user through the password-changing process.

"The Facebook Security team has always kept a close eye on data breach announcements from other organizations. Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites," Long pointed out.

Continued: http://www.net-security.org/secworld.php?id=17512

Related:
Facebook Designs Stolen Credentials Parsing System
Facebook prowls the internet looking for your password

Delivering malicious Android apps hidden in image files
Oct 21, 2014 2:17AM PDT

Researchers have found a way to deliver a malicious app to Android users by hiding it in what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app.

Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini devised the attack and demonstrated it last week at the Black Hat Europe conference in Amsterdam.

To pull it off, they had to create a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file.

Continued: http://www.net-security.org/malware_news.php?id=2887

Chinese government accused of attacking Apple's iCloud
Oct 21, 2014 2:17AM PDT

"Fingers have been pointed at the Chinese government over alleged cyberattacks targeted at Apple's iCloud with the aim of furtively lifting user data."

The Chinese government has been accused of backing cyberattacks against Apple's iCloud, initiated in order to steal user credentials.

According to a report from Chinese web monitoring group Greatfire.org, Apple's cloud backup and storage service was attacked by cybercriminals using a man-in-the-middle (MITM) attack, which slots a malicious website in between users and the iCloud server. By disrupting this connection process, Great Fire says that data could potentially be intercepted, which in turn may give hackers access to passwords, messages, photos and contacts.

While SSL certificates are used by iCloud.com to establish a secure connection, it is believed that self-signed certificates were used by the cybercriminals to trick some users — trying to connect to iCloud using insecure browsers — into thinking they accessed the service correctly.

Continued: http://www.zdnet.com/chinese-government-accused-of-attacking-apples-icloud-7000034907/

Related: China executes MITM attack against iCloud and Microsoft account holders

Fake Twitch TV Site Recommends PUP as Video Plugin
Oct 21, 2014 2:30AM PDT

"Malwarebytes Unpacked" Blog:

We recently found a site that not only impersonates the look of the legitimate Twitch TV website, but also sports a so-called video player plugin that needs to be downloaded (as recommended) for the clips to play. Note that the only plugin one can use to view live game streams on Twitch is Adobe Flash Player, so if you know this, seeing an endorsement of a different plugin should immediately raise a flag. The domain impersonator is twitchtv(dot)net. [Screenshot]

What is downloaded, however, is not the actual plugin but an installer manager, which the site admins only revealed at the foot of the page. Here's the text transcription:

Continued: https://blog.malwarebytes.org/online-security/2014/10/fake-twitch-tv-site-recommends-pup-as-video-plugin/

Android Lollipop offers password protection against factory resets
Oct 21, 2014 5:28AM PDT

ESET's "We Live Security" Blog:

The latest version of Android, nicknamed Lollipop, will offer a new feature that could make stolen phones a whole lot less valuable to thieves: the ability to only allow factory resets when accompanied by a password.

TechHive reports that "lawmakers are celebrating it as a key piece of the smartphone 'kill switch' measures they've been pushing for", as requiring a password to wipe a handset should in theory ensure that the value of a stolen smartphone to a thief is a lot lower than it would be if they could guarantee a quick and easy reset.

While Android users can already lock, wipe or locate a lost phone on the internet using Android Device Manager, the platform currently offers nothing to prevent a thief removing all traces of its original owner from the handset, providing the owner has no lock screen security in place. It's an additional layer of protection which will hopefully see mobile phones as a less obvious target for theft.

Continued: http://www.welivesecurity.com/2014/10/17/android-lollipop-offers-password-protection-factory-resets/

Related: Android Lollipop's New 'Kill Switch' Could Discourage Smartphone Theft - But It Still Needs Work

Ebola Email Scams Growing in Volume in the US
Oct 21, 2014 5:28AM PDT

It was only a matter of time until Ebola-themed scams started spreading at a rapid pace. The issue is not to be taken lightly since crooks are known for their solid social engineering skills that can fool a large number of victims.

The increased number of emails preying on the general interest in news about the Ebola virus only to deliver malware or point to malicious online locations has increased lately and sparked a warning from the US-CERT (United States Computer Emergency Readiness Team).

The organization advises users to keep an eye out for fraudulent emails of this kind, in order to stay safe from malicious cyber campaigns.

Continued: http://news.softpedia.com/news/Ebola-Email-Scams-Growing-In-Volume-In-the-US-462381.shtml