Security experts warn that a lot can go wrong if you have your emails pass through LinkedIn's servers with the company's new Intro technology.
Earlier this week, the company released LinkedIn Intro, a plug-in for the iPhone's native email app that attaches people's LinkedIn profile information to their emails. The service is meant to add more professional context to emails, but it does that at the expense of users' private data, some security experts say.
By transmitting sent and received emails through LinkedIn's servers, which then scrape and analyze them for data, the service essentially amounts to a "man-in-the-middle attack," security consulting firm Bishop Fox wrote in a staff blog post.
"The introduction of new data sources into a medium rife with security issues such as email is a dream for attackers," Bishop Fox wrote, noting that it could only be a matter of time before someone uses the service to launch a phishing attack.
The ongoing government shutdown could leave desktop and server systems in many federal agencies vulnerable to new threats disclosed Tuesday by Microsoft in its latest round of security updates.
Many federal agencies are operating with skeletal IT staff. All IT systems deemed non-essential have been shut down, making the installation of Microsoft's latest patches, especially on desktop and notebook systems, very difficult for federal agencies, say security analysts.
"The October Windows critical vulnerabilities go across PC and server operating systems," said John Pescatore, director of emerging technologies at the SANS Institute.
"While most of the government security staff was deemed essential, it is likely that many of the employee PCs and laptops were turned off, so it will be hard to patch them," Pescatore noted. So, when the standoff is over and government workers return, a lot of their PCs could be missing critical patches.
Adobe on Thursday admitted that hackers broke into its network and stole personal information, including an estimated 2.9 million credit cards, illustrating the lucrative target that software-by-subscription providers have become to cyber criminals, analysts said today.
"Even before they went to the cloud, bill-you-monthly firms have been a target," said John Pescatore, director of emerging security trends at the SANS Institute, and formerly a Gartner analyst focused on security. "This has been an issue for [Web] hosting providers for years. There are two reasons why. First, they have a trove of credit cards. And second, you know that the cards are good."
Adobe, long a powerhouse in the software industry, has been aggressively promoting Creative Cloud, its software-by-subscription offering, a shift it hopes will "transform our business model and drive higher revenue growth," according to a filing with the U.S. Securities and Exchange Commission (SEC) earlier this year.
Like all software-as-a-service (SaaS), Creative Cloud relies on recurring payments -- monthly or annually -- which, for most customers, means providing a credit card. The provider stores that card information so it can charge the customer without sending a traditional bill and, most importantly, without waiting for payment.
SSNDOB, the Russian hacker group that over the course of many months stole massive amounts of personal data from firms like LexisNexis and Dun & Bradstreet, apparently also infiltrated the servers of the National White Collar Crime Center (NW3C), according to security researcher Brian Krebs.
Last week, Krebs reported how SSNDOB broke into a number of business data brokers and set up botnets to look up customers' personal data, which it then sold via its own Web portal.
On Tuesday Krebs followed up that story with more details about how SSNDOB exploited unpatched server software to perform a similar digital ransacking on the NW3C, which Krebs describes as "a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime."
The cyber criminals behind ZeroAccess, one of the largest botnets in existence, have lost access to more than a quarter of the infected machines they controlled because of an operation executed by security researchers from Symantec.
According to Symantec, the ZeroAccess botnet consists of more than 1.9 million infected computers and is used primarily to perform click fraud and Bitcoin mining in order to generate revenues estimated at tens of millions of dollars per year.
ZeroAccess has a peer-to-peer architecture where every infected computer can relay files, instructions and information to other computers -- peers -- in the botnet. This mechanism is used by its operators for command and control (C&C), making ZeroAccess more resilient to takedown attempts than botnets that depend on dedicated C&C servers.
Intel has signed a deal to acquire Sensory Networks, a provider of software pattern matching technology for network security applications.
Chris Kraeuter, a spokesman at the chip maker, said he could confirm that Intel has signed an agreement to acquire Sensory Networks, but couldn't comment on the deal terms. Some reports said Intel paid about US$20 million for the company.
Sensory Networks, with headquarters in Mountain View, California, also has a research and development office in Sydney, Australia.
A piece of malware designed to launch brute-force password guessing attacks against websites built with popular content management systems like WordPress and Joomla is now also being used to attack email and FTP servers.
The malware is known as Fort Disco and was documented in August by researchers from DDoS mitigation vendor Arbor Networks who estimated that it had infected over 25,000 Windows computers and had been used to guess administrator account passwords on over 6,000 WordPress, Joomla and Datalife Engine websites.
A recently announced and yet-to-be-patched vulnerability that affects all versions of Microsoft Internet Explorer (IE) has been exploited in targeted attacks against organizations in Taiwan since the beginning of July, according to security researchers.
Microsoft published a security advisory about the vulnerability, which is identified as CVE-2013-3893, on Sept. 17 and warned users that it is "aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9."
The company released a Microsoft "Fix it" workaround that customers can manually download and install in order to mitigate the vulnerability. However, no patch has yet been released through Windows Update.
On Saturday, researchers from security firm FireEye reported that a known hacker group has been using the vulnerability to target organizations in Japan as part of an attack campaign dubbed "Operation DeputyDog" that started on Aug. 19. They believe that this is the same group that managed to break into the computer network of security firm Bit9 as part of a different attack campaign in February and used one of its systems to digitally sign several pieces of malware.
The man police suspect of a mass shooting Monday at the Washington Navy Yard was employed by an IT subcontractor working on a government network project. He got that job despite having an arrest record for gun violence.
Aaron Alexis, 34, who was killed by police, was upgrading the Navy and Marine Corps' network. He was working for a Fort Lauderdale, Fla.-based firm called The Experts.
There isn't much information available on Alexis' IT skills, but there is much detail about Alexis' prior arrest record of reckless gun behavior, and it's going to raise a lot of questions.
Because Alexis was employed on a military IT project, he almost certainly needed a security clearance with a background investigation.
A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday, despite earlier warnings.
Ilia Kolochenko, CEO of the Geneva-based penetration testing company High-Tech Bridge, said he repeatedly emailed Nasdaq and warned of the XSS flaw.
"I can basically say I have spammed them," Kolochenko said in an interview.
Nasdaq.com lets users create accounts and build a profile to monitor stocks and news. Nasdaq said it did not believe the flaw was used by an attacker, and no personal data was compromised.
"We responded to his concerns immediately," Nasdaq said in an email statement. "We take all information security matters seriously. We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets."
IBM wants to help IT managers apply company policies to their big data analysis projects.
The company will be introducing new products and features to help organizations manage their new big data systems with the same rigor with which they manage other IT operations, said Bob Picciano, general manager of IBM information management.
With traditional data analysis systems, "there's been years of focus on the disciplines over enterprise data management, whether it is governance, security, or lifecycle management. [But] the big data space is still like the Wild West, for the most part," Picciano said.
IBM will add new features to its InfoSphere line of information integration and management software. It has also announced the general release of PureData System for Hadoop, a system configured for running Hadoop workloads.
Six privacy groups have asked the U.S. Federal Trade Commission to strike down proposed changes to Facebook's policies, arguing that the changes violate a 2011 settlement with the agency over user privacy.
"The changes will allow Facebook to routinely use the images and names of Facebook users for commercial advertising without consent," the groups wrote in a letter Wednesday to the FTC. The groups asked the commission to enforce its 2011 order.
Facebook announced in August proposed updates to its Data Use Policy and Statement of Rights and Responsibilities, two key documents that explain how the social network collects and uses people's data.
In the revised Statement, Facebook states that by joining the site, users "permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you." In the original Statement, people can use their privacy settings "to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us," the groups said.
A majority of U.S. Internet users polled in a recent survey report taking steps to remove or mask their digital footprints online, according to a report from the Pew Research Center's Internet Project and Carnegie Mellon University.
While 86 percent of the Internet users polled said they made some attempt to hide what they do online, more than half of the Web users also said they have taken steps to avoid observation by organizations, specific people or the government, according to the survey.
The survey's findings are based on telephone interviews conducted in July among a sample of 1,002 adults aged 18 or older, 792 of whom were Internet users.
When it comes to tapping into U.S. telecommunications networks for surreptitious surveillance, the U.S. National Security Agency can't be accused of not paying its way.
The government agency pays "hundreds of millions of dollars a year" to U.S. telecommunications companies for the equipment and service required to intercept telephone calls, emails and instant messages of potential interest, according to a story in Thursday's Washington Post.
For the current fiscal year, the NSA will pay $278 million for such access, and it paid $394 million in fiscal 2011, according to the Post.
Facebook is slurping mobile phone numbers from its users without explaining why, it has emerged.
In an upcoming overhaul to the social network's data use policy, Facebook said it had made a number of updates about the information it receives about individuals using the free content ad network.
It includes simplifying the language it uses to explain what information it receives from users whenever they are using or "running" Facebook. It said it was also clarifying that some of that information reveals details about the device itself such as an IP address, operating system or – surprisingly – a mobile phone number.