Syber Group

Google And Yahoo Get Blocked

May 24, 2016 by  
Filed under Around The Net

The IT department of the U.S. House of Representatives is prohibiting access to Yahoo Mail and the Google App Engine platform due to malware threats.

On April 30, the House’s Technology Service Desk informed users about an increase in ransomware-related emails on third-party email services like Yahoo Mail and Gmail.

“The House Information Security Office is taking a number of steps to address this specific attack,” the Technology Service Desk said in an email obtained and published by Gizmodo. “As part of that effort, we will be blocking access to Yahoo Mail on the House Network until further notice.”

The ban on Yahoo Mail access suggests that some House of Representatives workers accessed Yahoo mailboxes from their work computers. This raises questions: Are House workers using Yahoo Mail for official business, and, if they’re not, are they allowed to check their private email accounts on work devices?

If they use the same devices for both personal and work activities, one would hope that there are access controls in place to separate the work and personal data. Otherwise, if they are allowed to take those devices outside of the House’s network, they could just as easily become infected there, where the ban is not in effect.

“The recent attacks have focused on using .js files attached as ZIP files to e-mail that appear to come from known senders,” the House’s Technology Service Desk said. “The primary focus appears to be through Yahoo Mail at this time.”

The increase in ZIP and RAR attachments that contain malicious JavaScript (JS) files has been observed by multiple security companies in recent months. Microsoft offers several recommendations, like using the Windows AppLocker group policy to restrict the execution of .JS files.
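A mail-gateway style check for the pattern described above, as an added example that is not part of the original article or any tool used by the House: it opens ZIP attachments (including nested ZIPs) and reports script files by name. The extension blocklist, size limits, addresses and sample message are constructed assumptions, and RAR archives are not covered because the Python standard library cannot read them.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: extensions Windows Script Host runs on double-click.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")
MAX_DEPTH = 2                      # nested archives to open before giving up
MAX_MEMBER_SIZE = 5 * 1024 * 1024  # skip nested archives with a larger declared size

def scripts_in_zip(data, depth=0, prefix=""):
    """Return paths of script files inside a ZIP, following nested ZIPs."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with archive:
        for info in archive.infolist():
            lower = info.filename.lower()
            encrypted = bool(info.flag_bits & 0x1)
            if lower.endswith(SCRIPT_EXTS):
                # Member names are readable even when the content is encrypted.
                hits.append(prefix + info.filename)
            elif (lower.endswith(".zip") and depth < MAX_DEPTH
                  and not encrypted and info.file_size <= MAX_MEMBER_SIZE):
                nested = archive.read(info)
                hits += scripts_in_zip(nested, depth + 1, prefix + info.filename + "!")
    return hits

def scan_message(raw):
    """Return {attachment filename: [script paths]} for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Sniff the ZIP magic instead of trusting the declared name or MIME type.
        if payload[:4] == b"PK\x03\x04":
            hits = scripts_in_zip(payload)
            if hits:
                findings[part.get_filename() or "(unnamed)"] = hits
    return findings

def build_sample():
    """Constructed sample: harmless placeholder scripts inside a ZIP attachment."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan_0412.PDF.JS", "// placeholder\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "see attached")
        z.writestr("invoice.js", "// placeholder\n")
        z.writestr("more.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "known.sender@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A name-based check like this complements, rather than replaces, an execution restriction on the endpoint such as the AppLocker policy mentioned above.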

The House Information Security Office also banned access to appspot.com, the domain name used by applications hosted on the Google App Engine platform, Reuters reported.

Source- http://www.thegurureview.net/aroundnet-category/u-s-house-of-representatives-block-yahoo-and-google-apps.html

iOS Developers Warned About Taking Shortcuts

February 10, 2016 by  
Filed under Computing

Slapdash developers have been advised not to use the open source JSPatch method of updating their wares because it is as vulnerable as a soft boiled egg, for various reasons.

It’s FireEye that is giving JSPatch the stink eye and providing the warning that it has rendered over 1,000 applications open to copy and paste theft of photos and other information. And it doesn’t end there.

FireEye’s report said that Remote Hot Patching may sound like a good idea at the time, but it really isn’t. It is so widely used that it has opened up a 1,220-wide iOS application hole in Apple users’ security. A better option, according to the security firm, is to stick with the Apple method, which should provide adequate and timely protection.

“Within the realm of Apple-provided technologies, the way to remediate this situation is to rebuild the application with updated code to fix the bug and submit the newly built app to the App Store for approval,” said FireEye.

“While the review process for updated apps often takes less time than the initial submission review, the process can still be time-consuming and unpredictable, and can cause loss of business if app fixes are not delivered in a timely and controlled manner.

“However, if the original app is embedded with the JSPatch engine, its behaviour can be changed according to the JavaScript code loaded at runtime. This JavaScript file is remotely controlled by the app developer. It is delivered to the app through network communication.”

Let’s not all make this JSPatch’s problem, because presumably it’s developers who are lacking.

FireEye spoke up for the open source security gear while looking down its nose at hackers. “JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes,” the firm said.

“Specifically, if an attacker is able to tamper with the content of a JavaScript file that is eventually loaded by the app, a range of attacks can be successfully performed against an App Store application.”

Courtesy-TheInq

Apple Removes Data Spying Apps From Store

October 21, 2015 by  
Filed under Consumer Electronics

Apple has removed several apps from its store that it said could pose a security risk by exposing a person’s Web traffic to untrusted sources.

The company recommended deleting the apps but did not name them, which may make it hard for people to know which apps put their data at risk.

The apps in question installed their own digital certificates on a person’s Apple mobile device. This would enable the apps to terminate an encrypted connection between a device and a service and view the traffic, which is a potential security risk.

Most websites and many apps use SSL/TLS (Secure Sockets Layer/Transport Layer Security), a protocol that encrypts data traffic exchanged with a user. SSL/TLS is a cornerstone of Web security, ensuring data traffic that is intercepted is unreadable.

It is possible in some cases to interfere with an encrypted connection. Many enterprises that want to analyze encrypted traffic for security reasons will use SSL proxies to terminate a session at the edge of their network and initiate a new one with their own digital certificate, allowing them to inspect traffic for malicious behavior.

In that scenario, employees would likely be more aware or expect that kind of monitoring. But people downloading something from the App Store probably would have no idea of the access granted to their sensitive data traffic.

Apple checks applications to ensure that malicious ones are not offered in its store. Those checks are in large part the reason why Apple has had fewer problems with malicious mobile applications in its store.

Installing digital certificates isn’t itself a malicious action per se, but Apple may be concerned that users are not fully aware of the consequences of allowing an app to do so.

Source-http://www.thegurureview.net/aroundnet-category/apple-removes-data-spying-apps-from-store.html

Microsoft, Google Cease Fire In Global Patent Deal

October 14, 2015 by  
Filed under Computing

Microsoft has been pursuing a more collaborative approach under CEO Satya Nadella, engaging longtime rivals like Salesforce, VMware and Apple. There hasn’t been much love between Microsoft and Google, but an announcement on Wednesday points towards an easing of those tensions.

Google and Microsoft have reached a broad agreement on patent matters, with a legal settlement ending some 20 lawsuits between the companies in the U.S. and Germany. Financial terms weren’t disclosed, but the deal brings a laundry list of lawsuits to a close.

“Microsoft and Google are pleased to announce an agreement on patent issues,” they said in a joint statement. “As part of the agreement, the companies will dismiss all pending patent infringement litigation between them, including cases related to Motorola Mobility.”

They also agreed to collaborate on patent matters and work together “to benefit our customers.”

The suits that have been settled include those related to mobile phones, video encoding and Wi-Fi technologies. That doesn’t mean Microsoft has given up its campaign to collect royalties from Android device makers for the mobile operating system’s alleged infringement of Microsoft patents.

It’s not clear from the statement what patent matters the companies will be working on together in the future, but changes have already begun. The two companies agreed earlier this month to work together (alongside other firms like Netflix and Mozilla) on a royalty-free video codec.

It remains to be seen if the settlement will lead to more work between Microsoft and Google in other areas. A major sticking point for consumers has been the lack of a Google-made YouTube app for smartphones and tablets running Windows.

Source-http://www.thegurureview.net/aroundnet-category/microsoft-google-cease-fire-in-global-patent-deal.html

Stagefright 2.0 Exploits Android Vulnerabilities

October 13, 2015 by  
Filed under Computing

Newly found vulnerabilities in the way Android handles media files can allow attackers to compromise devices by tricking users into visiting maliciously crafted Web pages.

The vulnerabilities can lead to remote code execution on almost all devices that run Android, starting with version 1.0 of the OS released in 2008 to the latest 5.1.1, researchers from mobile security firm Zimperium said in a report published Thursday.

The flaws are in the way Android processes the metadata of MP3 audio files and MP4 video files, and they can be exploited when the Android system or another app that relies on Android’s media libraries previews such files.

The Zimperium researchers found similar multimedia processing flaws earlier this year in an Android library called Stagefright that could have been exploited by simply sending Android devices a maliciously crafted MMS message.

Those flaws triggered a coordinated patching effort from device manufacturers that Android’s lead security engineer, Adrian Ludwig, called the “single largest unified software update in the world.” It also contributed to Google, Samsung and LG committing to monthly security updates going forward.

One of the flaws newly discovered by Zimperium is located in a core Android library called libutils and affects almost all devices running Android versions older than 5.0 (Lollipop). The vulnerability can also be exploited in Android Lollipop (5.0 – 5.1.1) by combining it with another bug found in the Stagefright library.

The Zimperium researchers refer to the new attack as Stagefright 2.0 and believe that it affects more than 1 billion devices.

Since the previous attack vector of MMS was closed in newer versions of Google Hangouts and other messaging apps after the previous Stagefright flaws were found, the most straightforward exploitation method for the latest vulnerabilities is through Web browsers, the Zimperium researchers said.

Zimperium reported the flaws to Google on Aug. 15 and plans to release proof-of-concept exploit code once a fix is released.

That fix will come on Oct. 5 as part of the new scheduled monthly Android security update, a Google representative said.

Source-http://www.thegurureview.net/mobile-category/stagefright-2-0-exploits-android-vulnerabilities.html

Apple Finally Drops iCloud Storage Plan Prices

October 2, 2015 by  
Filed under Computing

For the second time in as many years, Apple dropped prices for its expanded iCloud storage plans, putting costs in line with rivals like Google, Microsoft and Dropbox.

Apple announced changes to iCloud extra storage pricing earlier this month at the event where it unveiled new iPhones, the larger iPad Pro and a revamped Apple TV.

Although the Cupertino, Calif., company did not boost the amount of free storage space — as Computerworld speculated it might — and instead continued to provide just 5GB of iCloud space gratis, it bumped up the $0.99 per month plan from 20GB to 50GB, lowered the price of the 200GB plan by 25% to $2.99 monthly, and halved the 1TB plan’s price to $9.99.

Apple also ditched last year’s 500GB plan, which had cost $9.99 monthly.

The new prices are in line with the competition; in one case, Apple’s was lower.

Google, for example, hands out 15GB of cloud-based Google Drive storage for free — triple Apple’s allowance — and charges $1.99 monthly for 100GB and $9.99 each month for 1TB. The smaller-sized plan is 33% more per gigabyte than Apple’s 200GB deal, and Google’s 1TB plan is priced the same as Apple’s.

Microsoft also gives away 15GB. Additional storage costs $1.99 monthly for 100GB — the same price as Google Drive — while 200GB runs $3.99 per month, 33% higher than Apple’s same-sized plan.

Microsoft does not sell a separate 1TB OneDrive plan but instead directs customers to Office 365 Personal, the one-user subscription to the Office application suite. As part of the subscription, customers are given 1TB of OneDrive space. Office 365 Personal costs $6.99 monthly or $69.99 annually.

Source-http://www.thegurureview.net/aroundnet-category/apple-drops-icloud-storage-plan-prices.html

Dropbox Beefs Up Security

August 25, 2015 by  
Filed under Around The Net

Two-factor authentication is widely regarded as a best practice for security in the online world, but Dropbox has announced a new feature that’s designed to make it even more secure.

Whereas two-step verification most commonly involves the user’s phone for the second authentication method, Dropbox’s new U2F support adds a new means of authenticating the user via Universal 2nd Factor (U2F) security keys instead.

What that means is that users can now use a USB key as an additional means to prove who they are.

“This is a very good advancement and adds extra security over mobile notifications for two-factor authentication,” said Rich Mogull, Securosis CEO.

“Basically, you can’t trick a user into typing in credentials,” Mogull explained. “The attacker has to compromise the exact machine the user is on.”

For most users, phone-based, two-factor authentication is “totally fine,” he said. “But this is a better option in high-security environments and is a good example of where the FIDO standard is headed.”

Security keys provide stronger defense against credential-theft attacks like phishing, Dropbox said.

“Even if you’re using two-step verification with your phone, some sophisticated attackers can still use fake Dropbox websites to lure you into entering your password and verification code,” the company explained in a blog post. “They can then use this information to access your account.”

Security keys, on the other hand, use cryptographic communication and will only work when the user is signing in to the legitimate Dropbox website.

Dropbox users who want to use the new feature will need a security key that follows the FIDO Alliance’s Universal 2nd Factor (U2F) standard. That U2F key can then be set up with the user’s Dropbox account along with any other U2F-enabled services, such as Google.

Can OSX Make Macs Vulnerable To Rootkits?

August 7, 2015 by  
Filed under Computing

The software genii at Apple have redesigned their OSX software to allow malware makers to make designer micro-software that can infect Macs with rootkits.

Obviously the feature is one that Apple software experts designed specifically for malware writers, perhaps seeing them as an untapped market.

The bug in the latest version of Apple’s OS X allows attackers root user privileges with a micro code which could be packed into a message.

Security researcher Stefan Esser said that this was the security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications.

The OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Plainly the software genii did not believe that standard safeguards involving additions to the OS X dynamic linker dyld applied to them because they were protected from harm by Steve Jobs’ ghost.

This means that attackers can open or create files with root privileges that can reside anywhere in the OS X file system.

“This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not opened with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege-escalation,” Esser said.
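The descriptor behaviour the quote turns on, shown as an added example that is not Esser's code or Apple's: a log file opened without the close-on-exec flag is still open in a child program after exec, while the same open with `O_CLOEXEC` is not. Python on a POSIX system stands in for the C-level calls; the file name and all function names are hypothetical, and `inheritable_fds` is the kind of audit a launcher can run before starting a child.

```python
import fcntl
import os
import subprocess
import sys
import tempfile

# Child program: reports whether descriptor argv[1] is open and refers to inode argv[2].
CHILD = """
import os, sys
fd, ino = int(sys.argv[1]), int(sys.argv[2])
try:
    print("inherited" if os.fstat(fd).st_ino == ino else "absent")
except OSError:
    print("absent")
"""

def has_cloexec(fd):
    """True if the kernel closes fd automatically on exec()."""
    return bool(fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC)

def inheritable_fds(limit=256):
    """Audit: descriptors above stderr that would survive an exec()."""
    found = []
    for fd in range(3, limit):
        try:
            if not has_cloexec(fd):
                found.append(fd)
        except OSError:
            pass  # descriptor not open
    return found

def child_sees(fd):
    """Exec a child with close_fds=False and ask whether it received fd."""
    ino = os.fstat(fd).st_ino
    out = subprocess.run([sys.executable, "-c", CHILD, str(fd), str(ino)],
                         close_fds=False, capture_output=True, text=True, check=True)
    return out.stdout.strip()

def demo():
    """Open the same log file without and with close-on-exec; compare outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "error.log")  # hypothetical log file
        flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND
        leaky = os.open(path, flags, 0o600)
        # Python marks new descriptors close-on-exec; clear that to model the bug class.
        os.set_inheritable(leaky, True)
        results["leaky"] = (has_cloexec(leaky),
                            leaky in inheritable_fds(leaky + 1),
                            child_sees(leaky))
        os.close(leaky)
        safe = os.open(path, flags | os.O_CLOEXEC, 0o600)
        results["safe"] = (has_cloexec(safe),
                           safe in inheritable_fds(safe + 1),
                           child_sees(safe))
        os.close(safe)
    return results

if __name__ == "__main__":
    print(demo())
```

Each result tuple is (close-on-exec set, flagged by the audit, what the child reported).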

The vulnerability is present in both the current 10.10.4 (Yosemite) version of OS X and the current beta version of 10.10.5. Importantly, the current beta version of 10.11 is free of the flaw, an indication that Apple developers may already be aware of the vulnerability.

An Apple spokesman said that engineers are aware of Esser’s post, but of course they did not say they would do anything about it. They will have to go through the existential crisis involved in realising that their product was not secure or perfect. Then the security team will have to issue orders, signed in triplicate, sent in, sent back, queried, lost, found, subjected to an internal inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters.

IBM Partners With BOX

July 6, 2015 by  
Filed under Computing

IBM and BOX have signed a global agreement to combine their strengths into a cloud powerhouse.

The star-crossed ones said in a joint statement: “The integration of IBM and Box technologies, combined with our global cloud capabilities and the ability to enrich content with analytics, will help unlock actionable insights for use across the enterprise.”

Box will bring its collaboration and productivity tools to the party, while IBM brings social, analytic, infrastructure and security services.

The move is described as a strategic alliance and will see the two companies jointly market products under a co-banner.

IBM will enable the use of Box APIs in enterprise apps and web services to make a whole new playground for developers.

The deal will see Box integrate IBM’s content management, including content capture, extraction, analytics, case management and governance. Also aboard will be Watson Analytics to study in depth the content being stored in Box.

Box will also be integrated into IBM Verse and IBM Connections to allow full integration for email and social.

IBM’s security and consulting services will be part of the deal, and the companies will work together to create mobile apps for industries under the IBM MobileFirst programme.

Finally, the APIs for Box will be enabled in Bluemix meaning that anyone working on rich apps in the cloud can make Box a part of their creation.

Box seems to be the Nick Clegg to IBM’s ham-faced posh-boy robot in this relationship, but is in fact bringing more than you’d think to the party with innovations delivered by its acquisition of 3D modelling company Verold.

What’s more, the results of these collaborations should allow another major player to join Microsoft and Google in the wars over productivity platforms.

It was announced today that Red Hat and Samsung are forming their own coalition to bring enterprise mobile out of the hands of the likes of IBM and Apple which already have a cool thing going on with MobileFirst.

RadioShack Plans To Sell Customer Data

April 22, 2015 by  
Filed under Around The Net

RadioShack plans to keep moving forward with its plan to sell its customer data, despite opposition from a number of states.

The company has asked a bankruptcy court for approval for a second auction of its assets, which includes the consumer data.

The state of Texas, which is leading the action by the states, opposed the sale of personally identifiable information (PII), citing the online and in-store privacy policies of the bankrupt consumer electronics retailer.

The state claimed that it found from a RadioShack deposition that the personal information of 117 million customers could be involved. But it learned later from testimony in court that the number of customer files offered for sale might be reduced to around 67 million.

In the first round of the sale, RadioShack sold about 1,700 stores to hedge fund Standard General, which entered into an agreement to set up 1,435 of these as co-branded stores with wireless operator Sprint. Some other assets were also sold in the auction.

The sale of customer data, including PII, was withdrawn from the previous auction, though RadioShack did not rule out that it could be put up for sale at a later date.

The case could have privacy implications for the tech industry as it could set a precedent, for example, for large Internet companies holding consumer data, if they happen to go bankrupt.

Texas has asked the U.S. Bankruptcy Court for the District of Delaware for a case management order to ensure that in any motion for sale of the PII, RadioShack should be required to provide information on the kind of personal data that is up for sale and the number of customers that will be affected.

On Monday, Texas asked the court that its motion be heard ahead of RadioShack’s motion for approval to auction more assets.

The court had ordered in March the appointment of a consumer privacy ombudsman in connection with the potential sale of the consumer data including PII. RadioShack said in a filing Friday that it intends to continue working with the ombudsman and the states with regard to any potential sale of PII, but did not provide details.
