Ash Carter: Government Isn’t Going to Invent a Solution to Crypto Problem
As government leaders and technologists continue to butt heads over the use of strong encryption, the top defense official in the United States said he supports users’ rights to employ the technology and does not thing the government will come up with a magic answer to the crypto problem. Speaking at the TechCrunch Disrupt conference this […]
Years After Disclosure, Apple Was Still Sending Updates Over HTTP
With the release of iOS 10 on Tuesday, Apple made a number of significant changes to the mobile operating system. The most attention-grabbing security upgrade is the move to push software updates over an encrypted connection, a fix that is more than two years in the making. In 2014, researcher Raul Siles of DinoSec discovered that an […]
Apple Moves to HTTPS for Updates With iOS 10
Apple has fixed seven security vulnerabilities with the release of iOS 10, none of which involve arbitrary code execution. The new release is a major overhaul for iOS and the biggest security change is that Apple now performs software updates over HTTPS. The most interesting vulnerability patched in iOS 10 is one that an attacker could […]
Bypassing the CA Restrictions in Android Nougat
One of the new security features Google added to Android Nougat is a function that prevents the OS from trusting by default any user-installed certificate authorities. The goal is to protect the traffic to and from apps, but a researcher has found a way around that protection and a method to intercept HTTPS traffic from […]
Malware Infecting Seagate NAS Devices to Mine Monero Cryptocurrency
Attackers are using a nasty piece of malware to infect Seagate storage devices and then jump to the PCs connected to the NAS devices and use the machines to mine the Monero open source cryptocurrency. Researchers at Sophos, taking an in-depth look at the Miner-C malware, discovered that it is infecting large numbers of NAS devices […]
Large Database of Device Certificates, SSH Keys Published
Let’s say you’re a manufacturer of embedded device, maybe routers or wireless access points. Cool. And let’s also say that you want to offer encrypted connections to those devices. Great. So you grab a server certificate online, throw it in the device’s firmware and ship it. Not cool at all. But that’s what a number […]
Wyden Calls on Senate to Prevent Expansion of Government Hacking
A proposed change to a little-known criminal procedure “would make us less safe, not more” by allowing law enforcement agencies to hack an unlimited number of computers with a single warrant, Sen. Ron Wyden said Thursday. Wyden (D-Ore.) spoke on the Senate floor about the proposed change to Rule 41 of the Federal Rules of […]
Google Chrome to Mark HTTP Pages as Not Secure
Sites that send sensitive user data over HTTP will soon find their pages marked as insecure in Google Chrome. The company is planning to begin marking as insecure pages that send information such as passwords or credit card numbers over HTTP rather than HTTPS. The change is a major one, but it’s just one step in […]
Cry Ransomware Pinpoints Victims Via Google Maps API
UPDATE: A new strain of ransomware known variously as Cry or CryLocker has emerged, and it’s using a few novel techniques, including communicating via UDP and using the Google Maps API to find victims’ locations. Researchers at the MalwareHunterTeam discovered the CryLocker ransomware and analyzed its behavior, with the help of Lawrence Abrams of Bleeping […]