Menu
The Tech News Blog

May 5, 2014

Target CEO Out After Security Breach

Target Black Friday

Target CEO Gregg Steinhafel has announced plans to step down, about five months after the retailer revealed a massive breach that affected up to 70 million customers.

Steinhafel will step down from his positions as chairman of the Target board of directors, president, and CEO. CFO John Mulligan will serve as interim president and CEO until a replacement is found.

In a Monday letter to the board, Steinhafel said that the data breach "tested Target in unprecedented ways."

"From the beginning, I have been committed to ensuring Target emerges from the data breach a better company, more focused than ever on delivering for our guests," he wrote. "We have already begun taking a number of steps to further enhance data security, putting the right people, processes, and systems in place."

With those milestones in place, "now is the right time for new leadership at Target," Steinhafel said.



May 1, 2014

Microsoft Fixes Nasty IE Bug, Even for Windows XP

Windows XP Update Reprieve

Earlier this week PCMag reported on a zero-day bug in Internet Explorer that would allow cybercrooks to run arbitrary code on users' PCs. Just visiting a malicious website would suffice to allow the attack, and the bug affected all versions of IE from 6 to 11. Worse, given that XP has reached its end of support, those holdouts still using XP would be permanently vulnerable. Good news! Not only has Microsoft released a patch for all versions of IE, they're even patching XP's Internet Explorer 8.

According to a Microsoft post, the patch started rolling out around 10am (Pacific time) today. If you have automatic updates enabled, you don't need to do a thing. If you've chosen to have Windows Update await your confirmation before installing updates, be sure to give it that confirmation as soon as you see the notification. Of course, if you've turned off automatic updates altogether, you'll have to perform a manual installation.



April 28, 2014

AOL Breach Puts Users’ Personal Info at Risk

AOL Email

AOL today said it is "investigating a security incident" that likely led to a recent increase in incidents of email spoofing.

The breach "involved unauthorized access to AOL's network and systems," AOL said in a statement, which put email addresses, postal addresses, address book contact information, encrypted passwords, and encrypted answers to security questions at risk.

At this point, AOL has no indication that the encryption on the passwords or the answers to security questions was broken, or that financial information, including debit and credit cards, were compromised.

"We nevertheless strongly encourage our users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer," AOL said. "We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2 percent of our email accounts."



April 28, 2014

Microsoft Warns of Internet Explorer Zero-Day Bug

Internet Explorer (IE) logo

Microsoft has released a security advisory that warns about remote code executions in various versions of Internet Explorer.

"This issue allows remote code execution if users visit a malicious website with an affected browser," Microsoft said. "This would typically occur by an attacker convincing someone to click a link in an email or instant message."

The bug affects Internet Explorer 6 - 11, though according to security firm FireEye, "the attack is targeting IE9 through IE11."

"We believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available," FireEye said.

Microsoft said that Enhanced Protected Mode, on by default in IE10 and IE11, as well as Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0 Technical Preview, "will help protect against this potential risk." But until a patch is released, IE users should be on high alert and not click on any sketchy links or travel to unknown sites, or temporarily switch to another browser.



April 22, 2014

AOL Mail Hacked, Accounts Sending Spam

AOL Email

If you get a suspicious email from an AOL user, it's probably best to delete it. The service has apparently been compromised and some accounts are sending out spammy messages.

But rather than compromising actual accounts, it appears the scammers are just spoofing them. As AOL explained in a help page, "spoofing is when a spammer sends out emails using your email address in the From: field. The idea is to make it seem like the message is from you – in order to trick people into opening it."

"These emails do not originate from AOL and do not have any contact with the AOL Mail system – their addresses are just edited to make them appear that way," the company said. "The message actually originates from the spammer's email account and is sent from the spammer's email server."

The easiest way to tell if you've been affected is if your inbox is littered with message bounce backs from emails you never sent. Or perhaps a friend or two has been kind enough to alert you to the spam messages your account appears to be sending. To determine if you've been hacked versus spoofed, check you sent messages: if there are sent emails you didn't send, it's a hack. If there's nothing there, it's a spoof.

AOL is urging users to change their passwords and be on the lookout for sketchy emails so they don't fall prey to phishing scams.



April 19, 2014

Websites Fixing Heartbleed Bug, VPNs Still Vulnerable

 Heartbleed

After the initial panic over the Heartbleed bug, which some researchers earlier this month guessed had infected two-thirds of all Web servers, researchers at Sucuri reported Friday that just 2 percent of the top 1 million websites on the Internet remain infected and all of the top 1,000 sites have been patched against the OpenSSL vulnerability.

But also on Friday, Mandiant researchers reported an attack they tracked beginning on April 8 in which an attacker "leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access our client's environment," culminating in the hijacking of "multiple active user sessions."

So in short, the good news is that the vast majority of websites, and all of the most heavily trafficked sites on the Web, have fixed this vulnerability, which is an exploit of a bug in Open SSL code responsible for sending "Heartbeat" notifications between servers and clients, including PCs and mobile devices.



April 9, 2014

Heartbleed Bug: Should You Panic?

Heartbleed Bug

Heartbleed, a bug within OpenSSL, is making headlines this week, and while it might seem like a rather technical issue, it has some real-world ramifications that could impact the online services you use every day. Even worse, there's really no way to tell what malicious activity has occurred thanks to Heartbleed.

Heartbleed is a vulnerability in the open-source encryption standard OpenSSL. It's so named because it affects heartbeat, which is a way to ensure that there is communication between each end of a connection. Heartbleed mimics a heartbeat, allowing it to intercept data.

No matter how secure you think your information is, it's not. The same goes for passwords, even if they're 16 characters long and filled with a nonsensical mix of symbols and numbers. Malware analyst Mark Loman demonstrated that some Yahoo Mail passwords are easily viewed in plain text as result of Heartbleed.



April 8, 2014

Microsoft Issues Final XP, Office 2003 Updates for Patch Tuesday

Microsoft Patch Tuesday

Microsoft released four security updates fixing 11 vulnerabilities in Windows, Microsoft Office, Internet Explorer, and Microsoft Publisher as part of its April Patch Tuesday release. The security bulletins for Windows XP and Office 2003 are the last publicly-released patches for these two products, as Microsoft ended support today.

Seven of the vulnerabilities affect Windows XP, and four affect Office 2003. "This is an important Patch Tuesday for users who rely on the outdated platforms and applications that move to self-support this month," said Russ Ernst, director of product management at Lumension.

The top bulletin addresses three vulnerabilities in Microsoft Word (MS14-017), including the recently discovered zero-day vulnerability in the RTF (Rich Text Format) parser. If an attacker successfully tricks the user into opening a malicious RTF document in an unpatched version of Microsoft Word, the attacker can remotely execute code on the system. The other two vulnerabilities are flaws with the Word 2007 and 2010 File Format Conversion Utility and a stack overflow bug in Word 2003.



March 20, 2014

Google Encrypts All Gmail Messages After NSA Snooping

Gmail Logo

Google is upping the security of Gmail with new measures to protect your email from prying eyes.

The Web giant on Thursday announced that from now on, Gmail will always use an encrypted HTTPS connection when you check and send email. Gmail has always supported HTTPS, and in 2010 Google turned it on for everyone by default, but users still had the option to turn this protection off. From now on, Gmail is HTTPS-only, meaning the mail service no longer allows the more insecure HTTP connections.

"Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail's servers — no matter if you're using public Wi-Fi or logging in from your computer, phone or tablet," Gmail Security Engineering LeadNicolas Lidzborski wrote in a blog post.

One reason to avoid HTTPS is that it could be a tad slower than HTTP. But Google said it has been working for some time to address performance issues and now feels it has reached a point where it no longer makes sense to allow HTTP connections, a spokeswoman for the company told PCMag. Most Gmail users already use HTTPS, so this is just the final step in the transition.



March 14, 2014

Target Ignored Data Breach Warning Signs

Target Black Friday

Target this week acknowledged that it probably could have done more to prevent a hack that impacted up to 70 million shoppers.

"With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different," a Target spokeswoman said in a statement.

News of the Target breach emerged in December and impacted those who used credit or debit cards in U.S. Target stores between Nov. 27 to Dec. 15. The retailer said the breach affected 40 million credit and debit card numbers, as well as the personal information of up to 70 million individuals.

The hack is in the news again this week after a Bloomberg BusinessWeek article said that Target ignored warnings about a possible intrusion. The report says Target used a malware detection tool from FireEye, and that the product picked up on sketchy behavior in late November. Target was notified "and then ... nothing happened," according to BusinessWeek.