Time Warner Cable Reports 320,000 Customer Passwords Stolen
01/07/2016 -- Time Warner Cable is telling customers to change their passwords.
The cable giant acknowledged Wednesday that email addresses and
passwords of up to 320,000 customers may have been stolen. The company
said it doesn't know yet how data was compromised but speculated it was
either attacks against other companies that store TWC subscriber
information or malware downloaded in phishing attacks on customers.
Cyberattacks against businesses are nothing new but have ramped up in
recent years as hackers find new ways to exploit security holes. Hackers
often sell stolen customer data on the black market and force companies
to acknowledge shoddy data-protection practices. Phishing attacks, by
contrast, rely on trust to trick people into clicking on links or
downloading files in emails that appear legitimate but are actually
gateways to malicious software.
Adobe Tells People to Stop Using Flash
12/05/2015 -- Adobe is finally ready to say goodbye to Flash. In an announcement
last night, Adobe said that it will now "encourage content creators to
build with new web standards," such as HTML5, rather than Flash. It's
also beginning to deprecate the Flash name by renaming its animation app
to Animate CC, away from Flash Professional CC.
Flash has been slowly dying over the past decade, in part due to an absence
of support on smartphones and in part because it's kind of become a
scourge of the internet. Though Flash initially had great success as a
tool for creating web games and animations, it has a number of downsides
that have stood out more and more each year. Flash pages and players
can be slow to load and a big drain on laptop batteries. More
importantly, Flash has continually been subject to security issues,
making it a major risk for anyone browsing the web.
Adobe is by no means doing away with Flash — that's ultimately up to web
developers. Instead, this announcement is more an acknowledgement of
reality. HTML5 has been taking Flash's place as the go-to tool for
animation and interactivity; it's an all-around better choice, and it's
an open standard.
By acknowledging that Flash is dying, Adobe is able to better position its
animation tools for the future. Flash Professional CC is already capable
of creating HTML5 content — in fact, it already represents a third of
all content created in the app, according to Adobe. By taking up the
name Animate CC, Adobe is able to sell Flash Professional CC as a
general animation tool, rather than a tool geared toward Flash. The name
change will take effect early next year.
Flash itself will not be changing, and Adobe is continuing to support it.
However, it sounds like that support will most heavily focus on
security. Adobe says it will be working with Microsoft and Google to
maintain Flash's compatibility and security inside of web browsers. It's
also going to be working with Facebook to make sure that Flash games
remain secure. Adobe says that it expects to see Flash use continue, for
now, in web gaming and "premium" video, because HTML5 or other
standards "have yet to fully mature" to meet those areas' needs.
Windows 10 Warning: Latest Updates Are Crashing PCs
08/18/2015 -- Welcome to some unwanted deja vu. Last week Microsoft released a cumulative bug fix for Windows 10 which caused endless crash loops.
Now Microsoft has released a cumulative bug fix to address it and guess
what? Yes, it is also causing Windows 10 computers to crash over and
over again…
KB 3081438 was pushed to Windows 10 users on Friday, and the ever-alert InfoWorld has spotted reports popping up around the web
of users who find the update will only partially install, get stuck,
then force their computers to reboot. After rebooting Windows 10
automatically begins reinstalling KB 3081438 again and the endless cycle
has begun.
What isn’t helping matters is the policy Microsoft has introduced
with Windows 10 of not explaining what these updates do. With detailed
information more educated attempts could be made at fixes, but like the
last two Windows 10 patches (KB 3081424 on August 5th and KB 3081436 on
August 12th), KB 3081438 simply says:
“This update includes improvements to enhance the functionality of Windows 10.”
There’s also no way to know what type of patch KB 3081438 is, which
causes a further problem when it comes to prevention: Windows 10 driver
and feature updates can be uninstalled and stopped from reinstalling
using the "Show or hide updates" troubleshooter Microsoft released shortly after launch, but security updates cannot be stopped by any means using any Windows 10 edition.
Microsoft takes on Tech Support Scammers
01/20/2015 -- US software giant
Microsoft is suing alleged scammers who phone people pretending to
represent the firm and offer bogus technology support.
The callers ask to take over a home computer and demand money to fix it. Some then install viruses as well.
The software company said it had received more than 65,000 complaints about tech support scams since May.
It is taking legal action against several firms it accuses of misusing its name in such cases.
The scam has been around for decades with callers peddling useless
security software and tricking people into spending hundreds of pounds
(or dollars) to solve non-existent computer problems. Increasingly, the bogus technicians are gaining access to people's computers remotely.
From there they can also steal personal and financial information and install malware.
In some cases people are tricked into signing up for support
via fake web ads. Others receive a direct telephone call from a
technician claiming to represent Microsoft.
Microsoft has issued tips to help users avoid falling for such scams.
It says:
- Ask if there is a fee or subscription for the services. If there is, hang up
- Never give control of your computer to the third party unless
you can confirm it is a legitimate representative of a computer support
team at a company of which you are already a customer
- Take the caller's information down and immediately report it to your local authorities
- Never provide your credit card or financial information to someone claiming to be from Microsoft tech support.
"Sophisticated" Android Malware hits Phones
01/13/2015 -- Hundreds of thousands of
Android phones have been infected with malware that uses handsets to
send spam and buy event tickets in bulk.
Mobile security firm Lookout said the virus, called NotCompatible, was the most sophisticated it had seen.
The cyberthieves behind it had recently rewritten its core code to make it harder to defeat, it said.
Mobile malware aimed at smartphones is steadily getting more complex, said security company Wandera.
Jeremy Linden, a security analyst at Lookout, said: "The
group behind NotCompatible are operating on a different plane to the
typical mobile malware maker."
Usually, he said, mobile malware campaigns lasted only a
couple of weeks but the NotCompatible creators had been operating for
more than two years.
The malware first appeared in 2012 and was now on its third
iteration, he said, adding that the latest version had been rewritten
recently and was now as sophisticated as the malware aimed at desktop
computers.
Phones infected with NotCompatible were enrolled into a network that
is now being rented out to any crime group that needs a ready source of
Android users.
Mr Linden said compromised phones had been used in a variety
of scams including sending spam, attacking WordPress blogs and buying
tickets for popular events in bulk that would then be resold at a
significant profit.
NotCompatible is being spread via spam and websites seeded
with booby-trapped downloads, he said and urged Android users to be wary
of any app that required a security update to be installed before it
was run.
Mobile malware was growing in popularity among cybercrime
groups because smartphones were now so central to modern life, said
Eldar Tuvey from mobile security monitoring firm Wandera.
They were keen to get a foothold on a phone so they could
harvest useful data that they could sell or use to make phishing emails
look more plausible, or to lever open accounts for social networks or
other web-based services.
With 70% of people reusing passwords across many different sites and
services, it was no surprise that criminals regularly got access to
these accounts, he said.
Many were aided by "leaky" apps that passed around log-in
names, email addresses and other credentials in unencrypted text, said
Mr Tuvey.
Serious Security Flaw Discovered in OAuth & Open ID
05/08/14 -- Following in the steps of the OpenSSL vulnerability
Heartbleed, another widely reported flaw has been found, this time in the way many sites deploy the
open log-in protocols OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others.
Wang Jing, a Ph.D. student at the Nanyang Technological University in
Singapore, found that the vulnerability, dubbed "Covert Redirect," can
masquerade as a log-in popup served from an affected site's real domain.
Covert Redirect is not a bug in the protocols themselves: it combines a
well-known weakness, an open redirector on the legitimate site, with an
authorization server that validates the redirect_uri parameter loosely
(by domain rather than against an exact whitelist), so the token or
authorization code is forwarded on to the attacker.
For example, someone clicking on a malicious phishing link will get a
popup window in Facebook, asking them to authorize the app. Instead of
using a fake domain name that's similar to trick users, the Covert
Redirect flaw uses the real site address for authentication.
If a user chooses to authorize the log in, personal data (depending on
what is being asked for) will be released to the attacker instead of to
the legitimate website. This can range from email addresses, birth
dates, contact lists, and possibly even control of the account.
Regardless of whether the victim chooses to authorize the app, he or
she will then get redirected to a website of the attacker's choice,
which could potentially further compromise the victim.
Wang says he has already contacted Facebook and has reported the flaw, but
was told that the company "understood the risks associated with OAuth
2.0," and that "short of forcing every single application on the
platform to use a whitelist," fixing this bug was "something that can't
be accomplished in the short term."
Facebook isn't the only
site affected. Wang says he has reported this to Google, LinkedIn, and
Microsoft, which gave him various responses on how they would handle the
matter.
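The redirect chain described above, as an added example (not from the article and not any provider's code). It models an OAuth 2.0 implicit-flow authorization server deciding whether to honour a redirect_uri, plus an open redirector on the client's own site; the hosts, paths and token value are constructed for the example. The lax check is the behaviour Covert Redirect abuses; the strict check is the per-application whitelist Facebook's response refers to.

```python
"""Added example (not from the article or any provider's code): how a
Covert Redirect chain works and what closes it.

All hosts and paths below are constructed for this example.
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values (assumptions for this example).
REGISTERED_REDIRECT = "https://client.example/oauth/callback"
OPEN_REDIRECTOR = "https://client.example/go"   # /go?next=<url> forwards blindly
ATTACKER = "https://attacker.example/collect"


def lax_redirect_check(redirect_uri: str) -> bool:
    """Vulnerable: any URL on the client's registered host is accepted."""
    return urlparse(redirect_uri).netloc == urlparse(REGISTERED_REDIRECT).netloc


def strict_redirect_check(redirect_uri: str) -> bool:
    """Hardened: exact string match against the registered (whitelisted) URL."""
    return redirect_uri == REGISTERED_REDIRECT


def authorize(redirect_uri: str, token: str,
              check: Callable[[str], bool]) -> Optional[str]:
    """Authorization server after the user clicks 'Allow'.

    Returns the Location header it would send, or None if the redirect_uri
    is refused. The implicit flow carries the token in the URL fragment.
    """
    if not check(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}"


def open_redirector(location: str) -> str:
    """The client site's /go?next=<url> endpoint: a 302 to <url>.

    Browsers keep the fragment when following a redirect, so whatever the
    authorization server put after '#' travels on to <url>.
    """
    url, _, fragment = location.partition("#")
    next_url = parse_qs(urlparse(url).query)["next"][0]
    return f"{next_url}#{fragment}" if fragment else next_url


def run_attack(check: Callable[[str], bool]) -> Optional[str]:
    """Victim clicks the attacker's crafted link; where does the token land?"""
    crafted = OPEN_REDIRECTOR + "?" + urlencode({"next": ATTACKER})
    location = authorize(crafted, "tok_secret", check)
    return None if location is None else open_redirector(location)


if __name__ == "__main__":
    print("lax   :", run_attack(lax_redirect_check))     # token reaches attacker
    print("strict:", run_attack(strict_redirect_check))  # None: request refused
```

With the lax check the token ends up at attacker.example; with the strict check the authorization server refuses the crafted redirect_uri before any consent screen is shown. The authorization-code flow is exposed the same way, except that the code rides in the query string rather than the fragment, and the second fix belongs on the client side: remove or tighten the open redirector itself.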
iOS7 Reportedly Not Encrypting Email Attachments
05/05/14 -- Apple's bundled Mail app in the latest versions of iOS 7 fails to
encrypt email attachments, leaving them vulnerable to attackers, a
security researcher has warned.
Security researcher Andreas Kurtz wrote in a blog post that he discovered a few weeks ago that attachments stored by the MobileMail app in iOS 7.0.4, 7.1, and 7.1.1 were not adequately secured by Apple's data protection mechanisms.
Using an iPhone 4 running the most recent versions of iOS 7, Kurtz wrote that he was able
to locate test email attachments without any encryption. He wrote that
he was able to reproduce the same results on an iPhone 5s
and an iPad 2 running iOS 7.0.4. Kurtz wrote that he was able to access
the device's file system using "well-known techniques," including the
device firmware upgrade mode, which allows devices to be restored from
any state by plugging them into a computer.
Kurtz wrote that the issue contradicts an Apple promise
that its data protection "provides an additional layer of protection
for your email messages attachments, and third-party applications."
When he contacted Apple about the issue, Kurtz wrote that he was told that
it was a known problem but he wasn't told when a fix was expected to be
issued.
"Considering the long time iOS 7 is available by now and
the sensitivity of email attachments many enterprises share on their
devices (fundamentally relying on data protection), I expected a
near-term patch," Kurtz wrote. "Unfortunately, even today's iOS 7.1.1
did not remedy the issue, leaving users at risk of data theft."
An Apple spokesperson said the company was aware of the issue and was
working on a fix that would be delivered in a future software release.
Is Your Cloud Drive Really Private? Not According to the Fine Print
03/15/13 -- If you upload a copy of a legally bought DVD to your cloud drive, could your provider label it as a copyright violation? What about a honeymoon photo set that includes one too many bikini shots — could an overzealous automated porn filter delete your pictures by mistake?
Some popular cloud storage providers sweep accounts looking for illegal data. Right now, the focus is on hunting for child pornography, but their terms of service allow for other kinds of files to be considered non grata as well.
"When users place their data with cloud computing services, they lose the ability to maintain complete control of that information," said Lillie Coney, associate director of the Electronic Privacy Information Center (EPIC).
The fight against child pornography
A Maryland man was charged earlier this month with possession of child pornography after authorities were tipped off by the National Center for Missing and Exploited Children (NCMEC). Police say Verizon Online found approximately 23 suspect images during a routine sweep of the man's cloud drive and alerted NCMEC, a non-profit established by Congress and primarily funded by the Justice Department.
While cloud storage providers are required by law to respond to known or suspected instances of child pornography, not all scan users' accounts looking for them.
Apple and Microsoft, along with Verizon Online, state in their user agreements that they reserve the right to actively search stored files.
Dropbox, Amazon and Google take a more hands-off approach, according to their terms of service. They will investigate notifications of suspected illegal activity, but won't use automated prescreening.
Is there a difference between services that actively police and those that don't? Coney says yes.
"One is treating data like it belongs to them and the other is following a due-process approach regulated by the courts or existing laws," she told NBC News.
No one argues against the virtues of stopping child pornography. But not all providers make it clear to customers where that fight ends and others — such as the hunt for pirated media files — begin. "There is a need to update (electronic privacy legislation) to help establish the boundaries for due process, police authority and the role of the courts," Coney said.
"If too many decisions are left to individual vendors or cloud service providers to decide, that may bring more harm than good."
How cloud storage is policed
The system that scans cloud drives for illegal images (PhotoDNA) was created by Microsoft and Dartmouth College and donated to NCMEC. The organization creates signatures of the worst known images of child pornography, approximately 16,000 files at present. These file signatures are given to service providers who then try to match them to user files in order to prevent further distribution of the images themselves, a Microsoft spokesperson told NBC News. (Microsoft implemented image-matching technology in its own services, such as Bing and SkyDrive.)
The process is meant to "protect child victims from being revictimized by having images of their abuse circulated online," John Shehan, executive director of NCMEC's Exploited Children Division, told NBC News.
Marianne Grant, a senior vice president at the Motion Picture Association of America, said it was possible for services to use similar tools to filter for other sorts of content.
"There are two opportunities to look at content," when it's going into a cloud-storage account and when it's leaving, she said. "There is technology to do this," Grant added, pointing out that file signatures — unique hashes or fingerprints — could be used to confirm the nature of the files.
"It wouldn't necessarily be the (service provider), it could be the owner of a site or cloud service" that would use the scanning technology, she said, adding that third-party vendors are often used for this sort of filtering.
Microsoft and Verizon Online declined to comment on whether their automated scanning processes are used to catch content other than child pornography. (Apple declined to comment on its cloud storage policies for this article.)
Can there be real privacy in the cloud?
Disagreement among cloud storage providers on whether to scan or not illustrates a gray area that may trip up privacy advocates and law enforcement professionals alike. EPIC's Coney said that the fine print just isn't enough.
"Terms of service should not be the standard for due process," Coney said. "Laws enforced by the courts should establish what is permissible and what is not.
"The increased use of cloud computing services will raise questions regarding Fourth Amendment protections for that information, property rights between content creators and content holders, and the ability to port data from one cloud service to another," she added.
In other words, even if you're happy with your cloud storage provider, pay attention to the files you're uploading, and keep a back-up of everything on a real hard drive at home.
Online Storage Firm Evernote Says Security Has Been Breached By Hackers
03/04/13 -- The California-based company, which is thought to have about 50 million users, says that user names, email addresses, and encrypted passwords were accessed. But Evernote insists that there was "no evidence" that payment details or stored content was accessed, changed, or lost.
The firm has asked all users to reset their passwords. It added, "While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords."
The firm apologized "for the annoyance" caused by the breach, which it said is becoming far more common at other larger services.
In February Apple revealed that a "small number" of its computers had been hacked. That hack came a week after Facebook announced that it had traced a cyber attack upon some of its employees' laptops back to China. A month ago, Twitter announced that it had been the victim of a security breach which compromised the accounts of some 250,000 users.
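Both this item and the Time Warner Cable item at the top of the page involve stolen credentials, and Evernote forced a reset even though its passwords were stored in protected form. The following added example (not Evernote's or TWC's code) shows why: a salted, iterated hash defeats precomputed tables and slows guessing, but a password that appears on a word list is still recovered offline from the leaked record, and if it was reused elsewhere every other account falls with it. The records, word list and iteration count are constructed for the demo.

```python
"""Added example (not Evernote's or Time Warner Cable's code): why a leaked
table of salted, iterated password hashes still forces a reset.

The records and word list are constructed; the iteration count is an
assumption chosen to keep the demo fast, not a recommendation.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 50_000  # assumption for the demo; production deployments use more


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as one string."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def offline_crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with one leaked record: guess until one verifies.

    The salt stops precomputed tables and the iteration count makes each
    guess cost something, but neither saves a password that is on the list.
    """
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


def crack_dump(dump: Dict[str, str],
               wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Run the dictionary attack over a whole leaked table."""
    words = list(wordlist)
    return {user: offline_crack(record, words) for user, record in dump.items()}


# Constructed "breach dump": one weak password and one strong one.
LEAKED = {
    "alice@example.com": hash_password("password123"),
    "bob@example.com": hash_password("correct-horse-battery-staple-9x!"),
}
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein"]

if __name__ == "__main__":
    print(crack_dump(LEAKED, WORDLIST))
```

Running it recovers alice's password and nothing for bob. That asymmetry is the whole case for a forced reset after a breach: the site cannot tell which of its users chose a guessable password, and it cannot know where else that password was used.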
Will the End of Windows XP Support Spark Rash SaaS and Office 365 Decisions?
03/01/2013 – If you’re still running Windows XP, you’re far from alone. An analyst from Ovum estimates that 41% of computers are still running XP. But the sun is setting on that era. The operating system that first shipped to computer manufacturers in August of 2001 will officially cease to be supported by Microsoft on April 8th 2014.
Foot-dragging over upgrading from XP could be followed by a series of hasty decisions, as organizations realize the scale and cost of the task facing them. A study released by consultancy firm Avanade suggested that 52% of IT departments in the UK have yet to put in place a strategy for dealing with applications that will only run on Windows XP.
People who are only just realizing how much time the migration of XP desktops will take may look to Software-as-a-Service (SaaS) applications such as Office 365 to speed up the migration process, without thinking about the long-term strategic view.
The problem is that the consequences of moving to a SaaS solution may not surface immediately. The decision made out of haste and convenience may be very difficult and costly to disentangle the organization from, when it turns out that the strategic path of the organization dictates different application or data storage requirements.
Microsoft Changes Office 2013 Licensing, And Not For The Better
02/28/2013 -- In a move that is plainly designed to drive users towards its subscription based Office 365 software, Microsoft has made some significant changes to the way its Office software is licensed and sold with the release of its 2013 version.
Any such licensing agreement is going to be long and full of mundane details that will rarely ever be read by anyone, but here's the two important points that you need to know:
-- Per User licensing for retail copies is now a thing of the past. If you bought a boxed copy of Office 2007 or Office 2010 you were licensed to install that copy onto more than one computer, so long as you were the owner and primary user on each computer. No longer. A copy of Office 2013 is now allowed to be installed on one computer only, and the license is considered to be permanently bound to that computer. If the computer is replaced for any reason after the expiration of its warranty period, a new copy of Office must be purchased.
-- No copy of Office 2013 will include installation media (AKA: The install CD). Instead the box will have a license key, which must be redeemed at Microsoft's website, where the software can be downloaded. If you are trying to install onto a system without internet access, or if you prefer to keep your install CD's around for any future reinstall tasks, then you're out of luck.
Microsoft would prefer that everyone switch over to Office 365. That software certainly does have some advantages for businesses with multiple employees, or for someone who works from the office and from home. But for the average home user the $100 per year subscription requirement will quickly overshadow any useful advantages.
Yahoo's Mayer: Bashed for her telecommuting policy. The CEO gave employees an ultimatum: Work in the office -- or quit.
02/25/2013 -- When Yahoo last year tapped Marissa Mayer as its new chief executive, many thought the 37-year-old (who was a mom-to-be at the time) would prove a champion of working parents. But with Mayer's recent ultimatum that telecommuters need to either come into the office or quit, some of her one-time fans are turning on her.
Many comments on Twitter reflect disappointment with her stance: Her policy is "awful for ALL workers" and "[t]his woman is RIDICULOUS!" are among the tweets sent by irate consumers, some of whom had expressed previous support for her.
Mayer's new policy was leaked on Friday, when The Wall Street Journal published a memo that it said was disclosed by "a plethora of very irked Yahoo employees."
Sent by the company's human resources chief, the memo said, "We need to be one Yahoo!, and that starts with physically being together." It added, "Speed and quality are often sacrificed when we work from home.
The reason for the policy change was that Yahoo found many of its telecommuters weren't productive, according to Business Insider. Many of them were depicted as hiding out, with Yahoo apparently unaware that some still worked for the company, the story adds. These hidden telecommuters reportedly worked in divisions ranging from marketing to engineering.
Regardless of Yahoo's situation with its telecommuters, Mayer's new policy is striking many one-time fans as, well, backwards.
More Americans are working from home than ever before, with a Census Bureau report from last year finding that 13.4 million people work from home. That represents a jump of 41% in a decade.
Many technology companies are big supporters of telecommuting, according to Fortune. Among those are Cisco Systems, with 90% of its workforce counted as "regular" telecommuters, and Intel, with 81% of its employees counted as often working from home.
It's no coincidence that many tech companies support telecommuting: San Francisco, home to the tech industry, is one of the worst U.S. cities for traffic.
At least one rival is taking advantage of Mayer's gaffe, reports the Journal.
WordPress founder Matt Mullenweg wrote a pitch for working at his telecommuting-friendly company in the comments section of the article. He wrote, "For anyone who enjoys working from wherever they like in the world, and is interested in WordPress, Automattic is 100% committed to being distributed. 130 of our 150 people are outside of San Francisco."
Adobe Releases Emergency Patches For Reader and Acrobat
02/20/2013 -- Adobe released emergency patches for Adobe Reader and Acrobat 11, 10 and 9 on Wednesday that address two critical vulnerabilities being actively exploited by attackers.
The exploit was discovered by researchers from security firm FireEye in active attacks last Tuesday and was confirmed by Adobe one day later. It's particularly dangerous because it bypasses the sandbox anti-exploitation mechanism in Adobe Reader 10 and 11.
"Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux," the company said Wednesday in a security advisory. "These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."
Users should update their Adobe Reader and Acrobat installations to the new versions released Wednesday as soon as possible. These are Adobe Reader and Acrobat 11.0.02, 10.1.6 and 9.5.4.
"Users on Windows and Macintosh can utilize the product's update mechanism," Adobe said. "The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates."
Before releasing the updates, Adobe recommended that users of Adobe Reader 11 turn on the Protected View feature as a temporary mitigation to the existing exploit by choosing the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu. This is a protection mechanism only in Adobe Reader 11, but it isn't turned on by default.
Adobe Reader Protected View only allows a single function and that is to view a PDF document, said Heather Edell, Adobe's senior manager of corporate communications, Wednesday via email. "Turning Adobe Reader Protected View on by default would break existing workflows customers rely on and result in unexpected impact on a very significant number of users."
"That being said, we have been working closely with customers and partners since the release of Adobe Reader Protected View on finding ways to make these additional protections a default at some point in the future without the negative impact on such a large number of users," she said.
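The advisory above gives a fixed version for each of the three supported branches. As an added example (not Adobe's tooling), the following classifies installed Reader/Acrobat versions against those numbers; the host inventory is constructed, and the one thing worth getting right is that version strings must be compared numerically, since a string comparison would put 9.5.10 before 9.5.4.

```python
"""Added example (not Adobe's tooling): classify installed Adobe Reader/Acrobat
versions against the fixed versions named in the advisory above.

The host inventory is constructed; the fixed versions are the article's
(11.0.02, 10.1.6, 9.5.4).
"""
from typing import Dict, Optional, Tuple

# Major branch -> first fixed version, from the advisory quoted above.
FIXED_VERSIONS = {11: "11.0.02", 10: "10.1.6", 9: "9.5.4"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'11.0.01' -> (11, 0, 1). Tuples compare numerically element by element,
    so '9.5.10' sorts after '9.5.4'; as strings it would sort before it."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if below the fix for its branch, False if at or above it,
    None if the branch is not covered by this advisory (e.g. 8.x)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """host -> 'patch', 'ok' or 'unknown-branch' for a constructed inventory."""
    labels = {True: "patch", False: "ok", None: "unknown-branch"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


INVENTORY = {  # constructed sample data, not a real fleet
    "ws01": "11.0.01", "ws02": "11.0.02", "ws03": "10.1.5",
    "ws04": "9.5.3", "ws05": "9.5.10", "ws06": "8.3.1",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}\t{INVENTORY[host]}\t{status}")
```

Hosts on a branch the advisory does not mention (8.x here) are reported separately rather than silently passed: an unsupported branch never receives the fix at all, which is a worse finding than "needs the update".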
Apple Ships Java Update After Confirming Attacks On Its Own Macs
02/20/2013 -- The day it acknowledged company-owned Macs had been hacked using a "drive-by" Java exploit, Apple on Tuesday patched the Oracle software for older systems and released a malware detection tool.
The Apple-issued "Java for Mac OS X v10.6 Update 13" aimed at OS X Snow Leopard included patches for the same 30 vulnerabilities in Java 6 that were addressed in a special Feb. 1 update, as well as three fixes that had not been released earlier.
Also on Tuesday, Oracle updated Java 7. Like Apple, Oracle essentially bundled the Feb. 1 fixes with several new patches to create Java 7 Update 15.
Snow Leopard users can grab Apple's Java Update 13 by selecting "Software Update" from the Apple menu. Customers running OS X Lion or OS X Mountain Lion must update Java 7 themselves, either by manually downloading the update from Oracle's website or waiting for the Java update tool to do so.
The disparity in updating between Snow Leopard and later editions stems from Apple's decision in mid-2010 to stop bundling Java with OS X. Instead, it handed off development and maintenance of Java for OS X to Oracle. Patches for Java 7 are thus not delivered to Lion and Mountain Lion via Apple's Software Update service.
As it did when it shipped the Feb. 1 updates, Oracle again urged users to immediately deploy the patches. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible," its Tuesday advisory stated.