Apple finally turns HTTPS on for the App Store:
A Google developer is celebrating an Apple success today: the iPhone maker has enabled HTTPS for all App Store traffic, fixing a number of vulnerabilities the developer discovered and reported.
Elie Bursztein discovered the issues and reported them to Apple in "early July," according to a blog post by the developer. He said that by not enabling HTTPS across all of the App Store's network traffic, Apple opened itself (and its customers) up to a number of attacks, including password stealing, tricking a user into downloading an unwanted app, preventing app downloads or app updates, and stealing information about which apps are installed on a device.
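Each attack class listed above follows from one property of plaintext HTTP: an on-path party can read and rewrite the store's responses, and the client has no way to tell. The following is an added example, not code from the article, from Bursztein's write-up, or from Apple; it models that property with a constructed store response carried over two channels, one plaintext and one integrity-protected with an HMAC under a key the attacker does not hold (standing in for the authentication a TLS session provides). The attacker swaps the package to be installed, drops the update notice, and records the device's installed-app list. The key, package identifiers and message format are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Assumption: a key shared by client and server but unknown to the attacker,
# standing in for the session keys a TLS handshake would establish.
KEY = b"constructed-shared-secret"

# Constructed store response: which package to install, whether an update
# exists, and the device's installed apps (an information-disclosure target).
SERVER_RESPONSE = {
    "install": "com.example.trusted",
    "update_available": True,
    "installed": ["com.example.mail", "com.example.bank"],
}


def encode(msg, protected):
    """Serialise a response; on the protected channel append an HMAC tag."""
    body = json.dumps(msg, sort_keys=True).encode()
    if not protected:
        return body
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def decode(wire, protected):
    """Parse a response; on the protected channel reject it if the tag is wrong."""
    if not protected:
        return json.loads(wire)
    body, sep, tag = wire.rpartition(b"\n")
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(expected, tag):
        raise ValueError("response failed integrity check")
    return json.loads(body)


def on_path_attacker(wire):
    """Read the response, swap the package, drop the update notice, and forward
    the rewritten body with whatever tag was attached left unchanged."""
    body, sep, tag = wire.rpartition(b"\n")
    if not sep:
        body, tag = wire, b""
    msg = json.loads(body)
    observed = list(msg.get("installed", []))  # information disclosure
    msg["install"] = "com.example.unwanted"    # constructed package id
    msg.pop("update_available", None)          # suppress the update prompt
    new_body = json.dumps(msg, sort_keys=True).encode()
    forwarded = new_body + b"\n" + tag if sep else new_body
    return forwarded, observed


def client_outcome(protected, attacked):
    """Return (package the client would install or 'rejected',
    update flag the client sees, installed apps the attacker learned)."""
    wire = encode(SERVER_RESPONSE, protected)
    observed = []
    if attacked:
        wire, observed = on_path_attacker(wire)
    try:
        msg = decode(wire, protected)
    except ValueError:
        return "rejected", None, observed
    return msg["install"], msg.get("update_available", False), observed


if __name__ == "__main__":
    for protected in (False, True):
        for attacked in (False, True):
            print(f"protected={protected!s:5} attacked={attacked!s:5} ->",
                  client_outcome(protected, attacked))
```

On the plaintext channel the tampered response is accepted as-is: the client installs the attacker's package and never sees the update. On the protected channel the same rewrite is detected and the response discarded. Note what the model does not fix: the attacker still reads the installed-app list on both channels, because a MAC gives integrity but not confidentiality; closing that last attack class needs the encryption TLS supplies on top of authentication.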
Privacy experts say that a pair of new mobile privacy bills recently introduced in Texas are among the “most sweeping” ever seen. And they say the proposed legislation offers better protection than a related privacy bill introduced this week in Congress.
If passed, the new bills would establish a well-defined, probable-cause-driven warrant requirement for all location information: not just GPS data, but potentially pen register, trap and trace, and cell tower location data as well. Such data could be disclosed to law enforcement only "if there is probable cause to believe the records disclosing location information will provide evidence in a criminal investigation." Further, the bills would require an annual transparency report from mobile carriers to the public and to the state government.
The United States was the origin of more than half of the hacking attacks on China in the first two months of 2013, state news agency Xinhua said on Sunday, amid escalating tensions between Beijing and Washington over the use of the Internet.
Beijing and Washington have been squaring off for months over the issue of cyber attacks, each accusing the other of hacking into sensitive government websites. China has long singled out the United States as the top source of intrusions on its computers. China's top Internet security agency, the National Computer Network Emergency Response Coordination Center (CNCERT), said hacking attacks from other countries have become "increasingly serious", Xinhua said.
It's back to the drawing board for coders at Microsoft, Google, Adobe, Mozilla, and Oracle after entrants in the annual Pwn2Own contest waltzed off with over half a million dollars in prizes for exploiting security holes in popular software.
At this year's CanSecWest security conference in Vancouver, contestants had a choice of two hacking contests: the traditional Pwn2Own trial against Internet Explorer 10, Firefox, Chrome, Java, and Adobe's Reader and Flash, and Google's own Pwnium contest, which this time focused on cracking Chrome OS.
Lawmakers have picked up the baton from the White House in the effort to make it legal for cellphone users to switch their devices to any mobile carrier. At issue is whether cellphone buyers, who often get new devices at a heavily subsidized price in return for committing to long-term contracts, should then be able to take their gadgets with them when they change carriers.
Opponents argue that the phones should be "locked," or prevented from moving freely across networks, because of the subsidies that carriers provide to buy the phones. The subsidies help get the devices into the hands of more people.
Katie Szpyrka, a registered LinkedIn account holder since 2010, claims the company "failed to properly safeguard its users' digitally stored personally identifiable information including email addresses, passwords, and login credentials." Szpyrka, who filed the suit in United States District Court for the Northern District of California, is demanding a jury trial on grounds including breach of contract and negligence.
One of Britain's most notorious cyber criminals hacked into a prison computer system from inside jail after he was allowed to join an IT class. Nicholas Webber, 21, jailed for five years in 2011 for masterminding a multi-million-pound internet crime site, triggered the security scare during a lesson.
It is understood his actions caused "major panic", but it is not clear what, if anything, he managed to access. The prison, HMP Isis in South London, blamed his teacher, Michael Fox, who was employed by Kensington and Chelsea College. He was banned from the prison, but the college cleared him of committing any security breaches at a disciplinary hearing last March. However, he was made redundant when no alternative work could be found for him.
Microsoft to Ship 7 Bulletins in March Patch Tuesday Release:
Software giant Microsoft plans to ship seven bulletins in the March 2013 edition of Patch Tuesday. Four of the bulletins are receiving high-severity, critical ratings.
Three of the four critically rated bulletins, which affect Microsoft Windows, Internet Explorer, Silverlight, Office, and Server Software, could lead to remote code execution, while the fourth critical bulletin could allow elevation of privilege. The less severe, important-rated bulletins affect Office, Server Software, and Windows and could lead to information disclosure and elevation of privilege.
The Blackhole exploit kit has received a lot of attention recently, and we have published several technical papers on it. The attention is warranted: the kit remains one of the most prevalent being used by criminals to infect users with malware.
In this article I am going to take a look at some of the recent attacks against legitimate websites that are being used to drive unsuspecting user traffic to the Blackhole exploit sites.
A hacker group calling itself the Arab Youth Group has claimed responsibility for what appears to be a serious hacking attack on Saudi Aramco, one of the world's largest energy companies.
The attack comes at the same time security firms are warning of a destructive new malware threat called Shamoon, which is being directed at companies in the energy sector. In an alert this week, Symantec described Shamoon as a threat being used in "specific targeted attacks against at least one organization in the energy sector." Symantec has not identified that firm so far.