Security Alerts & News
by Tymoteusz A. Góral

#985 Google is making two-step verification less annoying
Two-step authentication, normally a code from an app or one sent to you by text message, is a crucial but highly irritating part of logging into all manner of services.

From banking, Facebook, Twitter, Apple and Yahoo to World of Warcraft, Steam and Xbox Live, two-step authentication is seen as the way to make our insecure username and password system slightly safer.

Most rely on typing in a freshly generated six or eight-digit code after having logged in with a username and password.

Now Google is attempting to make the whole process less irritating and much faster, using a push notification which users can simply accept to log in.
#984 Apple patches AirPort remote code execution flaw
Apple is keeping typically tight-lipped about a remote code execution vulnerability it patched in its AirPort router firmware.

Last night, Apple released an advisory warning users of the AirPort Express, AirPort Extreme and AirPort Time Capsule base stations that a new firmware was available—AirPort Base Station Firmware Update 7.6.7 and 7.7.7—and should be applied immediately.

“A memory corruption issue existed in DNS data parsing,” Apple’s advisory reads. “This issue was addressed through improved bounds checking.”
#983 Hack attack drains start-up investment fund
Hackers have taken control of virtual cash worth $60m (£41m) by exploiting a bug in a system designed to help start-ups.

The attack targeted an investment fund called the DAO which is based on technology derived from the Bitcoin crypto-currency.

DAO members are now debating how to recover the diverted funds.

One suggestion involves rolling back the entire computerised system to a time when the hack had not happened.
#982 Smartphone users are paying for their own surveillance
In the movie Sneakers, a motley gang of security experts chase after a little black box that can crack any form of encryption. Though the idea of a digital skeleton key may seem like the stuff of Hollywood thrillers, there are researchers at the University of Michigan who've recently created just that. They've built a stealthy hardware back door that can be inserted into the blueprints of a computer chip to give intruders complete access to a system after executing an obscure series of commands.

Consider the implications: This kind of low-level attack is extremely difficult to detect and even more challenging to defend against. If a small group of university professors can successfully cook up their own little black box, imagine what an intelligence service with federal backing can do. William Binney, the National Security Agency's (NSA) former technical leader for intelligence, claims that with the NSA's budget of over $10 billion a year, "they have more resources to acquire your data than you can ever hope to defend against."

But it's not just the government that's watching us. IBM recently filed a patent for "monitoring individuals using distributed data sources," a stark reminder that much of what people do with their mobile devices is scooped up and stored in corporate data silos for later analysis. It's an inconvenient fact that Silicon Valley prefers to drown out with marketing pitches.
#981 GoToMyPC suffers major password reuse attack
Citrix Systems is forcing all its GoToMyPC remote desktop access service customers to reset their passwords because of a “very sophisticated attack” that targeted the service over the weekend.

John Bennett, product line director for Citrix, said the attack was the result of passwords leaked from other accounts being used to crack open existing GoToMyPC accounts.

“Citrix can confirm the recent incident was a password reuse attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” Bennett told Threatpost in an email statement.
#980 Using Edge instead of Chrome will add hours of extra battery life
It's no big secret that Google's Chrome browser is a bit of a battery hog. The native browsers on both Windows and macOS (Edge and Safari) are widely reported to outlast Google's offering. In its latest campaign, Microsoft is quantifying this difference: in a test that cycles through some common sites including Facebook, YouTube, Wikipedia, and Amazon, Microsoft's latest browser lasted 7 hours and 22 minutes on a Surface Book system. Chrome lasted just 4 hours and 19 minutes.

Between these extremes were Firefox, at 5 hours and 9 minutes, and Opera in battery-saving mode, at 6 hours and 18 minutes.

Microsoft has gone a step beyond just measuring how long each system runs by measuring the power draw of the Wi-Fi, CPU, and GPU during its test workload. A task that drew 2.1W in Edge pulled 2.8W in Chrome, 3.1W in Opera, and 3.2W in Firefox. This lower draw translates into the longer battery life.
#979 Russian bill requires encryption backdoors in all messenger apps
Backdoors into encrypted communications may soon be mandatory in Russia.

A new bill in the Russian Duma, the country's lower legislative house, proposes to make cryptographic backdoors mandatory in all messaging apps in the country so the Federal Security Service—the successor to the KGB—can obtain special access to all communications within the country.

Apps like WhatsApp, Viber, and Telegram, all of which offer varying levels of encrypted security for messages, are specifically targeted in the "anti-terrorism" bill, according to Russian-language media. Fines for offending companies could reach 1 million rubles or about $15,000.