The Tech News Blog

August 7, 2014

Report: Chinese Government Drops Apple Products Over ‘Security Concerns’

Apple's inroads into China may have suffered a setback with the reported exclusion by Beijing of iPads, MacBooks, and other Apple products from approved government procurement lists.

Ten products made by Apple, including the "iPad, iPad Mini, MacBook Air, and MacBook Pro," were "omitted from a final government procurement list distributed in July, according to officials who read it and asked not to be identified because the information isn't public," Bloomberg reported on Wednesday.

Notably absent from Bloomberg's partial list of products purportedly banned for public purchase in China was the iPhone.

The news comes just days after antivirus vendors Symantec and Kaspersky were reportedly dropped from China's approved roster of software suppliers for government purchases.

In May, Beijing reportedly banned Microsoft's Windows 8 operating system on government PCs.

The Bloomberg report cited unnamed Chinese government sources as saying "security concerns" were the reason for the removal of Apple products from the ranks of computer products which can be purchased with public money in China. Sources discussing the reported ban of Symantec and Kaspersky products also pointed to Beijing's concern over electronic security in the aftermath of former NSA contractor Edward Snowden's revelations about U.S. spying.

Symantec and Kaspersky have both denied that their products had been "banned" by China. Apple has yet to comment on the report about its products.

The Chinese government also had a run-in this week with another U.S. tech giant, Microsoft, reportedly telling Redmond not to interfere in its anti-trust investigation of the software giant. Last month, Chinese government officials showed up unannounced at Microsoft offices in China as part of that probe.

Apple, meanwhile, has appeared in recent months to be progressing steadily in its agenda of opening up more of the massive, lucrative Chinese market to its products. As Bloomberg noted, some 16 percent of Apple's $37.4 billion in revenue from its last fiscal quarter was generated by sales in China.

This after CEO Tim Cook, the first Apple chief executive to personally visit China, spent a good chunk of 2013 courting the country's largest carrier, China Mobile, an effort that culminated in the long-awaited launch of the iPhone on China Mobile plans in January.

Apple also does a tremendous amount of business with Asian contract electronics manufacturers like Foxconn which run factories in mainland China where iPhones, iPads, and other Apple products are built.

July 23, 2014

WSJ Computer Systems Offline After Hack

The Wall Street Journal's new computers were taken offline this week following an attack by outside parties, according to publisher Dow Jones & Co.

There are no reports of damage to or tampering with the news graphics database housed on the hacked computers.

"We are investigating an incident related to's graphics systems," a Journal spokeswoman said in a Tuesday announcement. "At this point we see no evidence of any impact to Dow Jones customers or customer data."

The hacker, who goes by the name w0rm, boasted about the attack via Twitter, writing " #hacked" with a screenshot of his work.

According to the Journal, w0rm claims to be selling user information, as well as the credentials necessary to control the server. That, according to IntelCrawler CEO Andrew Komarov, would allow buyers to "modify articles, add new content, insert malicious content in any page, add new users, delete users and so on."

The LA-based cybersecurity firm was the first to bring the hack to the Journal's attention, confirming the ability to access any database on the server. Komarov's team has been monitoring the alleged attacker, whose former alias was Rev0lver.

The Journal did not immediately respond to a request for comment.

W0rm also claimed to have hacked other media organizations, including Vice Media, which assured PCMag that the issue—a security exploit used to access a list of content management systems—was "minor." The exploit has since been patched and passwords reset.

July 21, 2014

XP Users Can Still Get Effective Antivirus Protection

As of April this year, Microsoft officially ended support for Windows XP. Those still using XP won't get any more security patches. Well, there was one in May for an egregious Internet Explorer bug, but that's not likely to happen again. An XP system without antivirus protection is a sitting duck, ripe for attack. On the plus side, the latest test results from AV-Test Institute show that many popular security products remain quite effective under XP.

Three-Part Test
AV-Test regularly releases lab test results organized into three categories: protection, performance, and usability. Products can earn up to six points in each category, in half-point increments, with a maximum possible score of 18 points. In order to receive certification, a product must achieve a total of ten points, with no category score below one point.

To measure protection, AV-Test researchers install each antivirus on a clean system and then expose that system to malware in a variety of ways. For testing, they use both very new zero-day malware and a collection of very widespread malware. Quite a few products managed 100 percent protection in both parts of this test. A few clunkers dragged down the overall average to 97 percent for zero-day samples and 98 percent for widespread samples. Microsoft Security Essentials (included as a baseline) and AhnLab both turned in scores below 80 percent protection.

Nobody wants antivirus protection at the expense of system performance. AV-Test's team measures how long it takes for a standard clean system to perform 13 actions reflective of real-world computer use, such as downloading files, running popular applications, and installing programs. They run these same tests after installing the antivirus and note any slowdown. About a third of the tested programs scored slightly worse on this test than on the previous test, which used Windows 7.

For a perfect usability score, an antivirus product must completely avoid identifying any valid website or file as malicious. At best, false positive warnings can confuse users and diminish their faith in an antivirus product's effectiveness. At worst, the antivirus might prevent installation of a legitimate application. All of the tested products scored 5.5 or 6.0 points in this test, with the exception of Comodo. Comodo's over-enthusiastic behavior-based blocking system knocked its score down to 4.0 points.

Three Champions
In all the time I've been tracking AV-Test, I've rarely seen a perfect score, and I don't think I've ever seen three at once. Yet that's exactly what happened in this test. Bitdefender, Kaspersky, and Panda all earned six points in each of the three categories. If you're stuck using XP, consider one of these three champions to protect your system.

July 9, 2014

Patch Tuesday Closes 29 Vulnerabilities in IE and Windows

Microsoft fixed 29 vulnerabilities in Internet Explorer and supported versions of Windows as part of July Patch Tuesday. The lion's share of the vulnerabilities fixed this round were in Internet Explorer.

Of the six security bulletins released, only two of them—for Internet Explorer and Windows Journal—are rated as critical, according to Microsoft's Patch Tuesday advisory. Three are rated as important, and the final bulletin has only a moderate rating. Both the IE and Windows Journal bulletins address remote code execution flaws. The important bulletins fixed elevation of privilege flaws in the on-screen keyboard, ancillary function driver, and DirectShow, and the moderate bulletin fixed a denial-of-service bug in the Microsoft service bus.

Microsoft said it had not observed any attacks in the wild targeting any of these flaws.

IE Oh My
Microsoft fixed 24 flaws in Internet Explorer (MS14-037), one publicly disclosed bug and 23 privately reported ones. This is after Microsoft patched 59 vulnerabilities in Internet Explorer last month. The issues are critical for Internet Explorer 6 to Internet Explorer 11 on Windows machines, but just moderate on Windows servers.

Attackers can exploit the IE bugs by tricking users into visiting a specially crafted malicious site. Once the attack succeeds, the attacker would have the same user rights as the compromised user. Users with fewer rights—not logged in as Administrator, for example—would be less impacted.

"It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal," said Marc Maiffret, CTO of BeyondTrust.

Obscure Windows Software
The issue with Windows Journal (MS14-038) could allow attackers to remotely execute malicious code. Windows Journal is installed by default on all supported versions of Windows, from Vista to 8.1, but isn't commonly used. Windows Journal can be used on touch-enabled devices as well as non-touch Windows computers to capture handwritten notes. The vulnerability was in how Windows opened files saved in the Windows Journal (.jnt) format.

The Windows Journal bug is a "great example of how unused software can be abused by attackers," stated Craig Young, a security researcher at Tripwire.

Windows Journal is not installed on Windows Server versions.

Maiffret recommended treating the file extension as if it were an executable and blocking it at Web and email gateways.
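As an added illustration of that gateway advice (not code from the article or from any vendor quoted in it), here is a minimal mail-filter check that flags .jnt attachments, including ones with odd casing, a trailing dot, or hidden inside a forwarded message. The function names, the sample mail, and the non-.jnt block-list entries are assumptions made for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# ".jnt" is blocked per the recommendation above; the other entries are
# assumed examples of extensions a gateway already treats as executable.
BLOCKED_EXTENSIONS = {".jnt", ".exe", ".scr"}


def extension_of(filename):
    """Return the lowercase final extension, ignoring trailing dots/spaces
    (Windows drops them on save, so "a.jnt." ends up as "a.jnt")."""
    cleaned = filename.strip().rstrip(". ").lower()
    return "." + cleaned.rsplit(".", 1)[1] if "." in cleaned else ""


def blocked_attachments(raw_message):
    """Return the filenames of all parts whose extension is block-listed.

    walk() also descends into forwarded messages (message/rfc822), so an
    attachment nested inside another mail is still inspected.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and extension_of(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample():
    """Constructed test mail: two direct attachments plus a forwarded mail."""
    inner = EmailMessage()
    inner["Subject"] = "fwd: notes"
    inner.set_content("original mail")
    inner.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename="notes.jnt.")
    outer = EmailMessage()
    outer["From"] = "sender@example.com"
    outer["To"] = "user@example.com"
    outer["Subject"] = "meeting notes"
    outer.set_content("See attached.")
    outer.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename="Sketch.JNT")
    outer.add_attachment(b"constructed", maintype="application",
                         subtype="pdf", filename="report.pdf")
    outer.add_attachment(inner)
    return outer.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample()):
        print("quarantine:", name)
```

The check keys on the filename only, so a .jnt file inside an archive would need the gateway's archive inspection to be caught.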

If there is a reason why the two critical patches can't be installed immediately, uninstalling Windows Journal and switching to a different Web browser are sufficient workarounds. "While a patch is always preferred, limiting the attack surface is a good backup," said Tyler Reguly, manager of security research for Tripwire.

Remaining Patches
The bulletins rated important fixed bugs uncovered during the Pwn2Own contest back in March. The local elevation of privilege issues can be exploited to give unprivileged users greater access to the vulnerable system. They can be used in chained attacks to compromise the system, suggested Ross Barrett, senior manager of security engineering at Rapid7. "Given the nature of their disclosure, [they] must be known to have exploit code," Barrett warned.

The ancillary function driver bug can be paired with "something like the Internet Explorer vulnerabilities from this month to allow for drive-by web attacks that result in execution of code in the kernel," Maiffret said.

June 16, 2014

AT&T Confirms Security Breach

AT&T has confirmed an April breach in which the personal information of an unknown number of users was improperly accessed.

"We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization," AT&T said in a statement. "This is completely counter to the way we require our vendors to conduct business."

"We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously," AT&T continued. "We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement."

Social Security numbers and call records were accessed between April 9 and 21, according to CNET. AT&T did not say how many customers were affected, but CNET pointed out that California law requires the disclosure of incidents that affect at least 500 local customers.

The data was reportedly breached in order to reveal the request codes that can unlock AT&T phones. AT&T currently will unlock a device for any customer whose account has been active for at least 60 days, whose account is in good standing and has no unpaid balance, and who has fulfilled his or her service agreement commitment.

Late last year, AT&T joined the nation's top wireless carriers—Sprint, T-Mobile, U.S. Cellular, and Verizon Wireless—in an effort to make it easier for consumers to unlock their devices.

The companies committed to a number of services, including posting information about unlocking policies, unlocking the phones of customers who have satisfied their contract, notifying users when their phone is eligible for unlocking, and unlocking devices for deployed military personnel.

June 1, 2014

Microsoft Cautions Against Using Registry Trick for Windows XP Updates

Well, that was easy. News of a new hack for Windows XP users has been making the rounds this week — and trust us, it's a good thing if you're one of those holdouts who is now using the operating system in the Wild, Wild, West. Which is to say, you're still running your day-to-day operations on Windows XP, even though we've passed Microsoft's cutoff date for support, patches, updates, and what-have-you.

According to numerous sources, a simple registry tweak allows you to fool Microsoft into thinking that your version of Windows XP is actually a version of "Windows Embedded POSReady 2009." In doing so, you'll set yourself up to receive updates from Microsoft all the way through April 9, 2019. That said, the company has caught on that this trick is in use, and it has an as-you-might-expect warning for anyone giving the registry tweak a shot:

"We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1," reads Microsoft's statement.

May 27, 2014

Australian iOS Users Reporting Hijacked Devices

Several iOS users in Australia have been locked out of their devices and received messages that demand money before their gadgets will be unlocked.

Complaints began yesterday on the Apple forums when a Melbourne-based user reported having his iPad lock up while he was using it. "I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR."

One Oleg Pliss known in the tech community is an engineer at Oracle, but as the hacked user noted, "I was pretty sure that whoever Oleg Pliss is, it's not really the name of the person who hacked my iDevices."

Soon other users started chiming in. Most are from Australia, though one affected user posted this morning that he lives in the U.S. and has never been to Australia, while another is in the U.K.

"I have the same problem, with the exact same message. Affecting both my iPhone and iPad," wrote a Perth-based Apple user.

May 27, 2014

Spotify Hacked, Urges Android Users to Upgrade

Music-streaming service Spotify is the latest company to report a security breach.

In a Tuesday blog post, Oskar Stål, Spotify's CTO, said it has identified "unauthorized access to our systems and internal company data."

According to Spotify, the breach affected just one user. "This did not include any password, financial or payment information. We have contacted this one individual," Stål wrote. "Based on our findings, we are not aware of any increased risk to users as a result of this incident."

Still, as a "general precaution," certain Spotify users will be signed out and asked to re-enter their usernames and passwords over the coming days.

May 21, 2014

eBay Urges Users to Change Passwords After Hack

EBay is urging all users to change their passwords following a cyber attack that compromised one of the auction site's databases.

According to today's announcement, the database contained encrypted passwords, but there is no evidence that financial or credit card data was accessed or compromised, or that there was any unauthorized activity on eBay users' accounts.

Still, eBay suggests that everyone change their passwords; users will be reminded starting today via email, the Web, and other channels.

The hack, which occurred between late February and early March, was detected only two weeks ago. EBay has since conducted "extensive tests" on its networks before issuing today's warning.

"Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers," the company said in a statement.

May 8, 2014

Apple Not Encrypting Mail on iOS 7 is Bad, But Not a Disaster

While it's true that email attachments are not encrypted on the latest version of iOS 7, the severity of the flaw does not appear to be as damaging as originally reported.

Security researcher Andreas Kurtz discovered that mail attachments opened in the bundled Mobile Mail app on iOS 7 devices are not encrypted, even though Apple claims the files are secured using its Data Protection technology. Affected versions include iOS 7.0.4 and iOS 7.1, as well as the most current, iOS 7.1.1, Kurtz wrote on his blog. He verified the issue on an iPhone 4, iPad 2, and iPhone 5s.

"I noticed that email attachments within the iOS 7 are not protected by Apple's data protection mechanisms," wrote Kurtz, a researcher with NESO Labs.

Andrey Belenko, a researcher at viaForensics, confirmed the vulnerability, but noted that while some attachments were not encrypted, other mail files had some form of data protection. The main Messages store had Data Protection enabled, but other mail elements, such as Envelope Index and Recents, did not, viaForensics found.

"The flaw was observed but did not globally affect all email attachments," viaForensics noted in a blog post.