Two security researchers have discovered a serious vulnerability in OS X that could allow an attacker to steal passwords and other credentials in an almost invisible way. Antoine Vincent Jebara and Raja Rahbani -- two of the team behind the myki identity management security software -- found that a series of terminal commands can be used to extract a range of stored credentials.
What is particularly worrying about the vulnerability is that it requires virtually no interaction from the victim; simulated mouse clicks can be used to click on hidden buttons to grant permission to access the keychain. Apple has been informed of the issue, but a fix is yet to be issued. The attack, known as brokenchain, is disturbingly easy to execute.
Being able to accurately and safely verify identity is increasingly important as online fraud remains a major threat.
Mobile identity solutions specialist TeleSign is announcing the launch of TeleSign Smart Verify, a new unified API that simplifies end-user verification and two-factor authentication (2FA) for online and mobile app-based accounts to help prevent fraud and stop account compromise.
Amid Windows 10 controversy, Microsoft quietly releases privacy-botching features to Windows 7 and 8
It's been roughly a month since the release of Windows 10, Microsoft's newest desktop operating system. It packs in several enticing features including the digital assistant Cortana. But despite all the interesting offerings, Windows 10 isn't sitting well with many. Privacy advocates have criticized Microsoft for introducing several features that are seemingly concerning to those who care about their privacy. To make things worse, the company has now rolled out some of these annoying features to Windows 7 and Windows 8.
First spotted by Ghacks, some of the recent updates that Microsoft rolled out to Windows 8 and Windows 7 set a computer to regularly send reports of a machine's activities to Microsoft. The update dubbed 3068708, for instance, introduces the Diagnostics and Telemetry tracking service on the computers it is installed on. "By applying this service, you can add benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights", Microsoft describes the purpose of the update.
Attackers are increasingly capable of modifying their existing malware to slip into a victim’s infrastructure undetected. Because traditional security solutions are reactive and can only protect against already known threat vectors, this leaves a gap in defenses.
Security company Check Point is launching its new SandBlast product that uses CPU-level threat detection to uncover threats at the pre-infection level. It elevates threat defense with evasion-resistant malware detection and comprehensive protection, significantly reducing the risk of expensive breaches.
Receiving a new smartphone with malware pre-installed is unlikely, but this is exactly what has happened with handsets from well-known brands sold by some third-party sellers in Asia and Europe. Consumers expect them to run factory software, so it is unlikely that they will check to see whether it has been modified prior to using their account credentials and storing sensitive information, making these kinds of infections extremely dangerous.
Security firm G Data has discovered malware on more than 20 smartphone models which were advertised as new. And we are not talking about no-name brands. Among other companies, Huawei, Lenovo and Xiaomi, top-tier vendors, have had their devices infected prior to the sale.
There’s no excuse for having a ridiculously weak account password, and yet many folks continue to make no effort at all on the security front in this respect, according to a new piece of research.
BT.com highlighted a government survey, which was part of the Cyber Streetwise campaign, and found that three quarters of UK citizens used passwords which weren’t secure.
The writing has been on the wall for Flash for some time now. A web technology loathed for countless reasons -- not least the security issues -- the death knell is now tolling loudly as HTML5 is more widely embraced.
Back in June, Google announced that Chrome would pause Flash ads in its browser by default, helping to eliminate a major online annoyance. Now the company has outlined when this will happen -- and there are only a few days to wait.
Macs have around six percent of the business endpoint market and Mac-specific malware is on the increase. In the rapidly evolving world of malware and security, Mac users can no longer afford to be complacent when it comes to protecting their systems.
To tackle these threats Kaspersky Lab is updating its Kaspersky Endpoint Security for Business suite with Endpoint Security 10 for Mac. This offers a combination of deep protection, efficiency and manageability, designed to serve the needs of protecting diverse IT environments.
Internet browsers are like sports teams. Every IT department and individual has an opinion on which one is the best, and personal preference often comes down to long-standing allegiances.
In the browser’s case, this is due to personal preference or ease of IT administration. Search privacy is not always top of the agenda, but should it be?
Mobile identity specialist TeleSign has announced an agreement with Spanish telecoms giant Telefónica -- the company behind O2 in the UK and Germany -- to deliver a suite of services to address account security and fraud prevention for enterprises and service providers.
The partnership will use TeleSign's products and infrastructure, along with Telefónica's consent-based insights, to increase account security, reduce fraud, and improve customer experience for consumers. At the same time it will help to manage costs for service providers across financial services, e-commerce, cloud and social media.
PayPal has patched a security vulnerability which could have been used by hackers to steal users' login details, as well as to access unencrypted credit card information. A cross-site scripting bug was discovered by Egyptian 'vulnerabilities hunter' Ebrahim Hegazy -- ironically on PayPal's Secure Payments subdomain.
Hegazy found the Stored XSS Vulnerability on https://Securepayments.Paypal.com back in the middle of June, and was able to demonstrate how it could be exploited. More than two months later, PayPal has addressed the issue and plugged the security hole.
Spare a moment to consider the plight of the humble password. It has become an essential component of modern life, but it would be wrong to say we've grown to know and love it.
In fact a survey by mobile authentication specialist LaunchKey shows that 84 percent of respondents would like to do away with passwords altogether and 76 percent believe their information would be more secure with an alternative form of authentication.
Successful phishing attacks can lead to costs from loss of employee productivity and credential compromise, among other factors, which together may cost an average-sized company $3.77 million per year.
Cloud security specialist CloudLock has released a new report looking at the risks of user behavior to businesses using cloud systems.
It reaches the startling conclusion that just one percent of users account for 75 percent of the security risk. The top one percent of users are responsible for 57 percent of file ownership, 81 percent of files shared, 73 percent of excessively exposed files and 62 percent of app installations.