itwbennett writes: Tinder users should be on the lookout for Tinder profiles asking them to get "verified" and then sending them a link to a site called Tinder Safe Dating. The service asks for credit card information, saying this will verify the user's age. Once payment information has been captured, the user is then signed up for a free trial of porn, which will end up costing $118.76 per month unless the service is cancelled.
itwbennett writes: A draft of new EU export regulations could put smartphones in the category of dual-use technologies (technologies that can serve civil or military purposes) because of their location-tracking capabilities. This could add significant overheads and delays for exporters of smartphones and various other GPS gadgets. The potential difficulty for smartphone manufacturers and resellers appears on page 20 of the leaked draft regulation, which was obtained by news website Euractiv, where cyber-surveillance technology is broadly defined as including 'mobile telecommunication interception equipment, intrusion software, monitoring centers, lawful interception systems and data retention systems, biometrics, digital forensics, location tracking devices, probes and deep package inspection systems.'
itwbennett writes: Artem Vaulin, the alleged owner of the torrent directory service KickassTorrents, was arrested in Poland earlier this week, charged with copyright infringement and money laundering. Apple and Facebook were among the companies that handed over data to the U.S. in its investigation. Department of Homeland Security investigators traced IP addresses associated with KickassTorrents domains to a Canadian ISP, which turned over server data, including emails. At some point, investigators noticed that Vaulin had an Apple email account that was used to make iTunes purchases from two IP addresses — both of which also accessed a Facebook account promoting KickassTorrents.
itwbennett writes: 'Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors,' writes Lucian Constantin on CSOonline. The vulnerabilities, which were found by researchers from Cisco's Talos team, are in the Oracle Outside In Technology (OIT), a collection of SDKs that are used in third-party products, including Microsoft Exchange, Novell Groupwise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance Encase and Veritas Enterprise Vault. 'It's not clear how many of those products are also affected by the newly patched seventeen flaws, because some of them might not use all of the vulnerable SDKs or might include other limiting factors,' writes Constantin. But the Cisco researchers confirmed that Microsoft Exchange servers (version 2013 and earlier) are affected if they have the WebReady Document Viewing enabled. In a blog post the researchers describe how an attacker could exploit these vulnerabilities.
itwbennett writes: On Monday it was reported on Slashdot and elsewhere that the same hacking group that took over Mark Zuckerberg's Twitter account was attacking Pokemon Go's login servers. Now that group, OurMine, is breaking into Minecraft accounts. OurMine made the claim on Tuesday in a video demonstrating its hack. To test the hack, IDG News Service created a user account on Mojang, emailed OurMine and asked the group to break into it, which the group did.
itwbennett writes: Oracle has released its largest Critical Patch Update (CPU) yet, fixing 276 vulnerabilities in more than 80 products. Assuming you've got lots of patching ahead of you, start with the Java patches, advises John Matthew Holt, CTO of application security firm Waratek. And Qualys adds that companies should quickly turn their attention to assets that can be directly attacked from the internet.
itwbennett writes: Earlier this month, Ryan Shapiro, a national security researcher and Ph.D. candidate at MIT, filed a lawsuit against the FBI in which he alleges that the bureau's Freedom of Information Act (FOIA) searches often fail 'by design.' Shapiro has been studying FOIA for years with a particular focus on noncompliance by government agencies and has multiple FOIA lawsuits in motion against the FBI. The new lawsuit claims that one of the 'countless means' by which the FBI foils FOIA requests is by using out-of-date search technology that frequently produces no results. 'In particular, the FBI typically conducts FOIA searches in the 'universal index' portion of its legacy Automated Case Support system, which was deployed in 1995.... despite the existence of two much better search applications within ACS,' writes Katharine Noyes.
itwbennett writes: Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory and the École Polytechnique Fédérale de Lausanne have developed a new system for anonymous Internet communication, dubbed Riffle, that combines three cryptographic techniques to offer better privacy than Tor and boasts much faster performance to boot. The researchers will present a paper describing their work at the Privacy Enhancing Technologies Symposium in Germany next week.
itwbennett writes: A new article by David Taber opens with the premise that agile and waterfall development methodologies often have to be used together to satisfy the needs of both developers (on the agile side) and management (on the waterfall side). And, as previously reported on Slashdot, 'The 2014 CAST Research on Application Software Health (CRASH) report states that enterprise software built using a mixture of agile and waterfall methods will result in more robust and secure applications than those built using either agile or waterfall methods alone.' Taber has some ideas for how to combine the two opposing technologies — all of which sound like a project management nightmare. How do you handle this on your development projects?
itwbennett writes: This month's Android security bulletin was split into two parts: one with patches that apply to all Android devices, and one with patches that apply only to devices that contain the affected chipset drivers. The 2016-07-01 patch level includes device-agnostic fixes for 32 vulnerabilities: 8 rated critical, 15 of high severity and 9 moderate. The 2016-07-05 security patch level includes additional fixes for 75 vulnerabilities that are marked as device-specific. Twelve of these vulnerabilities are rated critical and are located in highly privileged components such as the Qualcomm GPU driver, the MediaTek Wi-Fi driver, the Qualcomm performance component, the NVIDIA video driver, the kernel file system, the USB driver and other unspecified MediaTek drivers.
itwbennett writes: Ashley Madison has been sharing information with the FTC since last August when a hack exposed details of millions of customers. Now, the NY Times reports that the FTC is investigating the service. Although Avid Life Media, which owns Ashley Madison, says it doesn't know the focus of the inquiry, one good guess is that it's related to the hackers' claim that Ashley Madison scammed its customers by deploying bots to make the site appear to have more female users than it really did.
itwbennett writes: Researchers from Bitdefender have found a new backdoor program that allows attackers to hijack Mac systems and control them over the Tor network. The malware, dubbed Backdoor.MAC.Eleanor, is distributed as a file converter application through reputable websites that offer Mac software. The malware 'allows attackers to execute commands and scripts, steal and modify files and take pictures using the webcam,' writes Lucian Constantin.
itwbennett writes: Like the Petya ransomware that appeared in March, a new ransomware program for Windows machines, dubbed Satana, encrypts user files as well as the computer's master boot record (MBR), leaving devices unable to load the OS. But whereas Petya replaces the MBR in order to launch a custom boot loader that then encrypts the system's master file table (MFT), Satana replaces the MBR with its own code and stores an encrypted version of the original boot record so it can restore it later if the victim pays the ransom. 'This leaves the computer unbootable, but can be fixed more easily than if the MFT had also been encrypted,' says Lucian Constantin.
itwbennett writes: It was first reported in April that New Jersey had been using audio surveillance on some of its light rail lines, raising questions of privacy. This week, New Jersey Transit ended the program following revelations that the agency 'didn’t have policies governing storage and who had access to data,' writes Taylor Armerding. But New Jersey isn't the only state where you now have even more reason to want to ride in the quiet car. 'The Baltimore Sun reported in March that the Maryland Transit Administration (MTA) has used audio recording on some of its mass transit vehicles since 2012. It is now used on 65 percent of buses, and 82 percent of subway trains have audio recording capability, but don’t use it yet, according to the Sun,' says Armerding. 'And cities in New Hampshire, Connecticut, Michigan, Ohio, Nevada, Oregon and California have either installed systems or moved to procure them, in many cases with funding from the federal Department of Homeland Security (DHS).'
itwbennett writes: "Pushing a commit to github isn't the same as committing to a life partner, there is no forking this project," Red Hat EVP Paul Cormier told a Texas couple as he united them in holy matrimony at the Red Hat Summit this week. The groom was Matt Hargrave, a Red Hat client. The bride was Shannon Montague, a sign language interpreter and maybe the most understanding bride ever. Red Hat CEO Jim Whitehurst was ring bearer. You can watch the ceremony on YouTube.