Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Bug

Staff Breach At OneLogin Exposes Password Storage Feature (cso.com.au)

River Tam quotes a report from CSO Australia: Enterprise access management firm OneLogin has suffered an embarrassing breach tied to a single employee's credentials being compromised. OneLogin on Tuesday revealed the breach affected a feature called Secure Notes that allowed its users to "store information." That feature however is pitched to users as a secure way to digitally jot down credentials for access to corporate firewalls and keys to software product licenses. The firm is concerned Secure Notes was exposed to a hacker for at least one month, though it may have been from as early as July 2 through to August 25, according to a post by the firm. Normally these notes should have been encrypted using "multiple levels of AES-256 encryption," it said in a blog post. Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications. But it appears the company wasn't using multi-factor authentication for its own systems. OneLogin's CISO Alvaro Hoyos said a bug in its software caused Secure Notes to be "visible in our logging system prior to being encrypted and stored in our database." The firm later found out that an employees compromised credentials were used to access this logging system. The company has since fixed the bug on the same day it detected the bug. CSO adds that the firm "also implemented SAML-based authentication for its log management system and restricted access to a limited set of IP addresses."
Businesses

One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam (softpedia.com) 19

An anonymous reader writes from a report via Softpedia: Leoni AG, Europe's biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company's network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni's Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company's top German executives asking her to transfer funds to a bank account. According to unconfirmed information, the money stolen from Leoni's Bistrita branch ended up in bank accounts in the Czech Republic. The FBI says this type of attack is known as CEO fraud, whaling, or BEC (Business Email Compromise), and has defrauded companies around the world of over $3 billion since October 2013.
Security

Half Of People Click Anything Sent To Them (arstechnica.com) 66

Want to know why phishing continues to be one of the most common security issue? Half of the people will click on anything without thinking twice ArsTechnica reports: A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages -- even though most of them claimed to be aware of the risks. The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month's Black Hat security conference. Simulated "spear phishing" attacks were sent to 1,700 test subjects -- university students -- from fake accounts. The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data -- some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year's Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message "access denied," but the site logged the clicks by each student.
Businesses

No Coding in Palo Alto? City Takes On Silicon Valley Growth (siliconbeat.com) 204

An anonymous reader writes:The birthplace of Hewlett Packard and Xerox Parc and founding place of Facebook is now considering whether to enforce a zoning regulation banning firms whose "primary business is research and development, including software coding," according to the New York Times. As the Times wrote, "To repeat: The mayor is considering enforcing a ban on coding at ground zero of Silicon Valley." Palo Alto Mayor Patrick Burt told the Times: Big tech companies are choking off the downtown. It's not healthy. Palo Alto is a software capital. It has also become a company town, with Palantir Technologies renting 20 downtown buildings, as Marisa Kendall wrote. Other notable tech firms there include Tesla, SAP, Flipboard, VMWare and many others. It has become a center for automation and cars and is home to Ford's research and development center.
Security

After Breaches At Other Services, Spotify Is Resetting Users' Passwords (vice.com) 25

And now, Spotify is asking its users to reset their passwords. The popular music streaming service is "actively resetting a number of users' passwords," Motherboard reports, adding that the company is doing this because of the data breaches at other services and websites. In an email to customers, the company said, "Don't worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure." The move comes less than a week after Dropbox began resetting its users' passwords. Earlier today we learned that the cloud storage had been hacked, and as many as 68 million accounts are affected.
Security

SWIFT Discloses More Cyber Thefts, Pressures Banks On Security (reuters.com) 24

Jim Finkle, reporting for Reuters:SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank. In a private letter to clients, SWIFT said that new cyber-theft attempts -- some of them successful -- have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank. "Customers' environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions," according to a copy of the letter reviewed by Reuters. "The threat is persistent, adaptive and sophisticated - and it is here to stay." The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers. The Brussels-based firm, a member-owned cooperative, indicated in Tuesday's letter that some victims in the new attacks lost money, but did not say how much was taken or how many of the attempted hacks succeeded.
Security

Hackers Stole Account Details for Over 60 Million Dropbox Users 63

The Dropbox hack is more severe than we expected. Motherboard has the details: Hackers have stolen over 60 million account details for online cloud storage platform Dropbox. Although the accounts were stolen during a previously disclosed breach, and Dropbox says it has already forced password resets, it was not known how many users had been affected, and only now is the true extent of the hack coming to light. Motherboard obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts. The data is legitimate, according to a senior Dropbox employee. Security expert Troy Hunt has corroborated on Motherboard's claims, and has updated Have I Been Pwned website where you can go and see if you're among one of the victims.
Security

Transmission Malware On Mac, Strike 2 (macrumors.com) 48

New reader puenktli writes: Just five months after Transmission was infected with the first 'ransomware' ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware. Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website. OSX/Keydnap executes itself in a similar manner as the previous Transmission ransomware KeRanger, by adding a malicious block of code to the main function of the app, according to the researchers. Likewise, they said a legitimate code signing key was used to sign the malicious Transmission app, different from the legitimate Transmission certificate, but still signed by Apple and thereby able to bypass Gatekeeper on OS X.
Google

Google Login Bug Allows Credential Theft (onthewire.io) 43

Trailrunner7 writes from a report via On the Wire: Attackers can add an arbitrary page to the end of a Google login flow that can steal users' credentials, or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process. A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don't consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter. Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user's credentials. For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. [Aidan Woods, the researcher who discovered the bug,] said an attacker also could send an arbitrary file to the target's browser any time the login form is submitted. In an email interview, Woods said exploiting the bug is a simple matter. "Attacker would not need to intercept traffic to exploit -- they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter," Woods said. Google told Woods they don't consider this a security issue.
Encryption

FBI Director Says Prolific Default Encryption Hurting Government Spying Efforts (go.com) 345

SonicSpike quotes a report from ABC News: FBI Director James Comey warned again Tuesday about the bureau's inability to access digital devices because of encryption and said investigators were collecting information about the challenge in preparation for an "adult conversation" next year. Widespread encryption built into smartphones is "making more and more of the room that we are charged to investigate dark," Comey said in a cybersecurity symposium. The remarks reiterated points that Comey has made repeatedly in the last two years, before Congress and in other settings, about the growing collision between electronic privacy and national security. "The conversation we've been trying to have about this has dipped below public consciousness now, and that's fine," Comey said at a symposium organized by Symantec, a technology company. "Because what we want to do is collect information this year so that next year we can have an adult conversation in this country." The American people, he said, have a reasonable expectation of privacy in private spaces -- including houses, cars and electronic devices. But that right is not absolute when law enforcement has probable cause to believe that there's evidence of a crime in one of those places, including a laptop or smartphone. "With good reason, the people of the United States -- through judges and law enforcement -- can invade our private spaces," Comey said, adding that that "bargain" has been at the center of the country since its inception. He said it's not the role of the FBI or tech companies to tell the American people how to live and govern themselves. "We need to understand in the FBI how is this exactly affecting our work, and then share that with folks," Comey said, conceding the American people might ultimately decide that its privacy was more important than "that portion of the room being dark." Comey made his remarks to the 2016 Symantec Government Symposium. The Daily Dot has another take on Comey's remarks, which you can read here.
Software

Companies Are Developing More Apps With Fewer Developers (fortune.com) 160

Fortune reports that the "yawning gap in tech skills" has resulted in a surprising shift in supply and demand in the software industry. And in many companies now, a growing trend of developer jobs being given to non-developers can be seen. From the article: That's because a relatively new technology, known as low-code or no-code platforms, is now doing a big chunk of the work that high-priced human talent used to do. Low-code platforms are designed so that people with little or no coding or software engineering background -- known in the business as "citizen developers" -- can create apps, both for use in-house and for clients. Not surprisingly, the low-code platform industry, made up of about 40 small companies (so far), is growing like crazy. A recent Forrester Research report put its total revenues at about $1.7 billion in 2015, a figure that's projected to balloon to $15 billion in the next four years. Low-code-platform providers, notes Forrester, are typically seeing sales increases in excess of 50% a year.The report cites QuickBase, a company whose low-code platforms are used by half of the Fortune 500 companies, as an example. Its CEO Allison Mnookin says that almost any employee can now do most or all of the same work that developers used to do. Mnookin adds that there's a big advantage in this. "Opening an app's development to the non-techies who need the app removes misunderstandings between the IT department and other employees about what the end user needs."
IT

Not Using Smartphones Can Improve Productivity By 26%, Says Study (business-standard.com) 132

Smartphones do a plethora of things for us. But if you stopped using them, you might actually start seeing improvements in the work you do. From a Business-Standard report: The study, commissioned by Kaspersky Lab, showed that employees' performance improved 26 percent when their smartphones were taken away. The experiment tested the behaviour of 95 persons between 19 and 56 years of age in laboratories at the universities of Wurzburg and Nottingham-Trent. The experiment unearthed a correlation between productivity levels and the distance between participants and their smartphones. "Instead of expecting permanent access to their smartphones, employee productivity might be boosted if they have dedicated 'smartphone-free' time. One way of doing this is to enforce rules such as no phones in the normal work environment," says Altaf Halde, managing director, South Asia at Kaspersky Lab.
Transportation

Vienna Airport Says Glitch That Disrupted Dozens Of Flights Resolved (reuters.com) 17

On Sunday, Vienna Airport was at the receiving end of a number of flight delays and cancellations due to data transmission issues. On Monday, it announced that all the issues have been resolved. Reuters reports:"Austrian air traffic control has solved the issue," the airport said on its website early on Monday. "At the moment there are no delayed or canceled flights. We advise passengers to contact their airline." The automated transfer of flight planning data between air traffic control centers in Brussels and Vienna collapsed completely for a while on Sunday afternoon, said a spokesman for Austro Control, which monitors Austrian air space.
Government

FBI Says Foreign Hackers Breached State Election Systems (theguardian.com) 161

The FBI has uncovered evidence that foreign hackers breached two state election databases in recent weeks, and it has warned election officials across the country to some measures to step up the security of their computer systems. The Guardian reports: The FBI warning did not identify the two states targeted by cyber intruders, but Yahoo News said sources familiar with the document said it referred to Arizona and Illinois, whose voter registration systems were penetrated. Citing a state election board official, Yahoo News said the Illinois voter registration system was shut down for 10 days in late July after hackers downloaded personal data on up to 200,000 voters. The Arizona attack was more limited and involved introducing malicious software into the voter registration system, Yahoo News quoted a state official as saying. No data was removed in that attack, the official said. US intelligence officials have become increasingly worried that hackers sponsored by Russia or other countries may attempt to disrupt the November presidential election.
Security

Tens of Thousands of Infowars Accounts Hacked (vice.com) 114

Joseph Cox, reporting for Motherboard: Tens of thousands of subscriber accounts for media company Infowars are being traded in the digital underground. Infowars, created by famed radio host and conspiracy theorist Alex Jones, produces radio, documentaries and written pieces. The dumped data relates to Prison Planet TV, which gives paying subscribers access to a variety of Infowars content. The data includes email addresses, usernames, and poorly hashed passwords. The administrator of breach notification site Databases. Land provided a copy of 100,223 records to Motherboard for verification purposes. Vigilante.PW, another breach notification service, also has the Infowars dump listed on its site, and says the data comes from 2014. However, every record appears to have been included twice in the data, making the actual number of user accounts closer to 50,000.Motherboard adds that it tested a few of the login credentials and that they worked.
Security

Cyber Security Should Be Expanded To Departments Other Than IT: CII-KPMG (www.bgr.in) 38

An anonymous reader shares a BGR report: Cyber threats today are no longer restricted to a company's communications and IT domains, calling for more than just technical controls to avert attacks and protect the business from future risks and breaches, a new report said. According to the joint report of the Confederation of Indian Industry (CII) and KPMG, cyber security today embraces multiple units of an organization like human resource, supply chain, administration and infrastructure. It, therefore, requires governance at the highest levels. "It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust," said Richard Rekhy, Chief Executive Officer, KPMG, India.
Opera

Opera Sync Users May Have Been Compromised In Server Breach (fortune.com) 26

An anonymous reader writes: Someone broke into Opera's servers. The Opera browser has a handy feature for synchronizing browsing data across different devices. Unfortunately, some of the passwords and login information used to enable the feature may have been stolen from Opera's servers. Opera's sync service is used by around 1.7 million people each month. Overall, the browser has 350 million users. The Norwegian firm told its users that someone had gained access to the Opera sync system, and "some of our sync users' passwords and account information, such as login names, may have been compromised." As a result, Opera had to reset all the passwords for the feature, meaning users will need to select new ones.
Security

How Security Experts Are Protecting Their Own Data (siliconvalley.com) 214

Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes: The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."

The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."

Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."
Data Storage

Ask Slashdot: What's The Best Way To Backup Large Amounts Of Personal Data? (foxdeploy.com) 360

An anonymous Slashdot reader has "approximately two terabytes of photos, currently sitting on two 4-terabyte 'Intel Rapid Storage' RAID 1 disks." But now they're considering three alternatives after moving to a new PC: a) Keep these exactly as they are... The current configuration is OK, but it's a pain if a RAID re-sync is needed as it takes a long time to check four terabytes.

b) Move to "Storage Spaces". I've not used Storage Spaces before, but reports seem to show it's good... It's a Good Thing that the disks are 100% identical and removable and readable separately. Downside? Unknown territory.

c) Break the RAID, and set up the second disk as a file-copied backup... [This] would lose a (small) amount of resilience, but wouldn't suffer from the RAID-sync issues, ideally a Mac-like "TimeMachine" backup would handle file histories.

Any recommendations?

This is also a good time to share your experiences with Storage Spaces, so leave your answers in the comments. What's the best way to backup large amounts of personal data?
Security

New Ransomware Poses As A Windows Update (hothardware.com) 88

Slashdot reader MojoKid quotes an article from Hot Hardware: A security researcher for AVG has discovered a new piece of ransomware called Fantom that masquerades as a critical Windows update. Victims who fall for the ruse will see a Windows screen acting like it's installing the update, but what's really happening is that the user's documents and files are being encrypted in the background...

The scam starts with a pop-up labeled as a critical update from Microsoft. Once a user decides to apply the fake update, it extracts files and executes an embedded program called WindowsUpdate.exe... As with other EDA2 ransomware, Fantom generates a random AES-128 key, encrypts it using RSA, and then uploads it to the culprit. From there, Fantom targets specific file extensions and encrypts those files using AES-128 encryption... Users affected by this are instructed to email the culprit for payment instructions.

While the ransomware is busy encrypting your files, it displays Microsoft's standard warning about not turning off the computer while the "update" is in progress. Pressing Ctrl+F4 closes that window, according to the article, "but that doesn't stop the ransomware from encrypting files in the background."

Slashdot Top Deals