Security Alerts & News
by Tymoteusz A. Góral

#790 LinkedIn user? Your data may be up for sale
Reports indicate that a LinkedIn data breach may have led to the sale of sensitive data belonging to 117 million users.

According to Motherboard, the company's website experienced a data breach in 2012, but the true consequences of the breach are only now becoming apparent.

Founded in 2002, LinkedIn catered for approximately 400 million users in 2015. The company provides a social network alternative for finding professional and work connections, sharing resumes and potentially finding new posts.

Users of LinkedIn's website in 2012 discovered that roughly 6.5 million user account passwords were posted online, and the company never completely confirmed just who was impacted by the security incident.
#789 Twitter ads could be exposing you to malware attacks
Over the past four days, some Twitter users have been noticing something strange: a flurry of tweets that appear to depict a young person removing their underwear.

They’re “promoted tweets”—essentially ads that users have paid Twitter to put in people’s timelines whether they’re following the advertiser or not.

Brands and celebrities use them to promote themselves. But these tweets were different. Not only did they feature unsettling images, which multiple users suggested might be child pornography, they also linked to a phishing site made to resemble YouTube.

So far this same picture has been sent from at least a dozen users’ accounts, though it no longer appears on any of their timelines. One of the senders claimed their account had been hacked.
#788 Microsoft comes through with rollup of updates and fixes for Windows 7
The convenience rollup -- officially known as Windows 7 SP1 convenience rollup -- isn't Service Pack 2 for Windows 7, but it's the next best thing.

The new Windows 7 convenience rollup is cumulative back to Service Pack 1, which Microsoft released in 2011. It doesn't include updates to IE 11 (which are released separately) or updates to .NET releases. But it does include core Windows fixes, security fixes and hot fixes.

In January this year, I asked Microsoft officials about plans to deliver this convenience rollup -- something execs announced a year ago. Officials said Microsoft's update strategy was all about Windows as a Service, a.k.a. Windows 10, moving forward.
#787 It's trivially easy to identify you based on records of your calls and texts
Contrary to the claims of America's top spies, the details of your phone calls and text messages—including when they took place and whom they involved—are no less revealing than the actual contents of those communications.

In a study published online Monday in the journal Proceedings of the National Academy of Sciences, Stanford University researchers demonstrated how they used publicly available sources—like Google searches and the paid background-check service Intelius—to identify "the overwhelming majority" of their 823 volunteers based only on their anonymized call and SMS metadata.

Using data collected through a special Android app, the Stanford researchers determined that they could easily identify people based on their call and message logs.

The results cast doubt on claims by senior intelligence officials that telephone and Internet "metadata"—information about communications, but not the content of those communications—should be subjected to a lower privacy threshold because it is less sensitive.
#786 Google set to kill SSLv3 and RC4 in SMTP, Gmail in June
Google clarified this week exactly when it plans to disable support for the RC4 stream cipher and the SSLv3 protocol on the company’s SMTP servers and Gmail’s web servers.

It turns out the end will come sooner rather than later; the company announced it will begin to disable both a month from now, on June 16.

Adam Langley, a security engineer with the company, announced last fall that Google was planning on moving away from both RC4 and SSLv3, citing a long history of weakness in the cipher and protocol. Langley initially failed to provide a timeline but acknowledged the company was looking to rid Chrome, Android, webcrawlers, and SMTP servers of RC4 and SSLv3 in the medium term.
#785 SourceForge tightens security with malware scans
After taking down the controversial DevShare program in early February, the new owners of the popular software repository SourceForge have begun scanning all projects the site hosts for malware, in an attempt to regain the trust that was lost under Dice Holdings, the site’s previous owners.

It appears as if the new owners at SourceForge are serious about fixing the mistakes made by the site’s previous owners. FOSS Force has learned that as of today, the software repository used by many free and open source projects is scanning all hosted projects for malware. Projects that don’t make the grade will be noticeably flagged with a red warning badge located beside the project’s download button.