TIME Security

Apple, Android Browsers Vulnerable to ‘FREAK Attack’

Apple iPhone 6 (Roman Vondrous—AP)

Millions of people may have suffered a "FREAK" attack

(SAN FRANCISCO) — Millions of people may have been left vulnerable to hackers while surfing the web on Apple and Google devices, thanks to a newly discovered security flaw known as “FREAK attack.”

There’s no evidence so far that any hackers have exploited the weakness, which companies are now moving to repair. Researchers blame the problem on an old government policy, abandoned over a decade ago, which required U.S. software makers to use weaker security in encryption programs sold overseas due to national security concerns.

Many popular websites and some Internet browsers still accept the weaker “export-grade” cipher suites, or can be tricked into using them by an attacker positioned between the browser and the website, according to experts at several research institutions who reported their findings Tuesday. They said that could make it easier for hackers to break the encryption that’s supposed to prevent digital eavesdropping when a visitor types sensitive information into a website: the 512-bit RSA keys those suites use can be factored in a matter of hours on rented cloud computers.

About a third of all encrypted websites were vulnerable as of Tuesday, including sites operated by American Express, Groupon, Kohl’s, Marriott and some government agencies, the researchers said. University of Michigan computer scientist Zakir Durumeric said the vulnerability affects Apple web browsers and the browser built into Google’s Android software, but not Google’s Chrome browser or current browsers from Microsoft or Firefox-maker Mozilla.
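A server-side check for the weakness the researchers describe, as an added example (this is not code from TIME or from the FREAK researchers): a short Python script that sends a TLS ClientHello offering only the RSA export-grade cipher suites from RFC 2246 and reports whether the server accepts one. A correctly configured server answers with a handshake_failure alert; a server that answers with a ServerHello picking one of those suites is the server half of a FREAK attack, whatever the client does. The host name, port and the constructed sample messages used to exercise the parser offline are assumptions.

```python
import os
import socket
import struct

# RSA export-grade suites from RFC 2246 Appendix A.5: 40-bit symmetric keys
# and a 512-bit RSA key for the key exchange. FREAK works by getting a server
# to pick one of these while the client believes it negotiated ordinary RSA.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(suites, server_name=None):
    """TLS 1.0 ClientHello record offering exactly the given cipher suite ids."""
    body = b"\x03\x01" + os.urandom(32) + b"\x00"   # version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs         # cipher_suites vector
    body += b"\x01\x00"                             # one compression method: null
    if server_name:                                 # SNI so virtual hosts answer
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni        # extension type 0
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def negotiated_suite(response):
    """Cipher suite chosen in a ServerHello, or None if the server sent an alert
    (refused every suite offered) or anything else we do not understand."""
    if len(response) < 5 or response[0] != HANDSHAKE:
        return None
    rlen = struct.unpack("!H", response[3:5])[0]
    hs = response[5:5 + rlen]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        return None
    hlen = int.from_bytes(hs[1:4], "big")
    sh = hs[4:4 + hlen]
    if len(sh) < 35:
        return None
    off = 35 + sh[34]            # skip version(2) + random(32) + session_id
    if len(sh) < off + 2:
        return None
    return struct.unpack("!H", sh[off:off + 2])[0]


def is_rsa_export(suite):
    return suite in RSA_EXPORT_SUITES


def make_server_hello(suite):
    """Constructed sample ServerHello (not captured traffic) selecting `suite`."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


# Constructed fatal handshake_failure (40) alert: what a sane server sends back.
SAMPLE_ALERT = bytes([ALERT, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])


def probe(host, port=443, timeout=5.0):
    """Offer only RSA_EXPORT suites to a live server and return the suite it
    accepts (a FREAK-relevant misconfiguration), or None if it refuses."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(RSA_EXPORT_SUITES, host))
        return negotiated_suite(sock.recv(4096))


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: freak_probe.py <hostname>")
    host = sys.argv[1]
    suite = probe(host)
    if suite is None:
        print(f"{host}: refuses RSA export suites (good)")
    else:
        print(f"{host}: ACCEPTS {RSA_EXPORT_SUITES.get(suite, hex(suite))}")
```

A “refuses” result only rules out the server half of the attack; a browser with the client-side bug the researchers describe is still exposed against any server that accepts these suites. Run the probe only against hosts you are authorized to test.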

Apple Inc. and Google Inc. both said Tuesday they have created software updates to fix the “FREAK attack” flaw, whose name stands for Factoring RSA Export Keys. Apple said its fix will be available next week and Google said it has provided an update to device makers and wireless carriers.

A number of commercial website operators are also taking corrective action after being notified privately in recent weeks, said Matthew Green, a computer security researcher at Johns Hopkins University.

But some experts said the problem shows the danger of government policies that require any weakening of encryption code, even to help fight crime or threats to national security. They warned those policies could inadvertently provide access to hackers.

“This was a policy decision made 20 years ago and it’s now coming back to bite us,” said Edward Felten, a professor of computer science and public affairs at Princeton, referring to the old restrictions on exporting encryption code.

TIME Hacking

Hackers Steal $1 Billion in Massive, Worldwide Breach

Russian Retail-Sales Growth Unexpectedly Gains Amid Ruble Crisis
Bloomberg/Getty Images

A prominent cybersecurity firm says that thieves have infiltrated more than 100 banks in 30 countries over the past two years

Hackers have stolen as much as $1 billion from banks around the world, according to a prominent cybersecurity firm. In a report scheduled to be delivered Monday, Russian security company Kaspersky Lab claims that a hacking ring has infiltrated more than 100 banks in 30 countries over the past two years.

Kaspersky says digital thieves gained access to banks’ computer systems through phishing schemes and other confidence scams. Hackers then lurked in the institutions’ systems, taking screenshots or even video of employees at work. Once familiar with the banks’ operations, the hackers could steal funds without raising alarms, for instance by programming ATMs to dispense money at specific times or by transferring funds to fraudulent accounts. First outlined by the New York Times, the report will be presented Monday at a security conference in Mexico.

The hackers seem to limit their scores to about $10 million before moving on to another bank, Kaspersky principal security researcher Vicente Diaz told the Associated Press. This helps avoid detection; the crimes appear to be motivated primarily by financial gain. “In this case they are not interested in information. They’re only interested in the money,” he said. “They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.”

[New York Times]

TIME apps

This Is Why It’s Risky to Use a Dating App on Your Company Device

Tablet, smartphone, digital love (iMrSquid—Getty Images)

Think before you give an app access to your camera or microphone

Employees who use dating apps on their company’s smartphone or tablet could be exposing themselves to security threats such as hacking, spying and data theft, a study by IBM has found.

Researchers analyzed 41 dating applications and found that 60% were potentially vulnerable to cyberattacks, putting personal or corporate data at risk, reports Reuters.

IBM also highlighted problems with employees using their personal phone for work purposes, which is known as “bring your own device,” or BYOD.

“The trouble with BYOD is that, if not managed properly, the organizations might be leaking sensitive corporate data via employee-owned devices,” the report said.

One issue is that when people are looking for love on dating sites, they could be letting their guard down more than they would if they were using emails or on the phone, IBM says.

Many of these apps have access to a phone’s microphone, camera or GPS location, so if hackers find a security flaw in the app, they could eavesdrop on potentially sensitive conversations or confidential business meetings.

[Reuters]

TIME Security

Chipotle Hackers Direct Racist Tweets at Obama

Changed company's logo to a swastika

Chipotle apologized and promised an investigation into racist tweets sent by hackers from the company’s Twitter account early Sunday morning.

In the early morning hours, the hackers changed the company’s avatar to a photo of swastika and tweeted racist remarks directed at President Barack Obama. Other tweets targeted the FBI and included other offensive language.

Chipotle’s Twitter biography was changed to say it was the official account of “@TUGFeds” and “@TheCeltic666.” Both accounts had been suspended as of Sunday afternoon.

TIME China

Chinese Hackers May Be Responsible for the Anthem Attack, Reports Say

Anthem Health Insurance Announces Data Breach Of Over 80 Million Records
Aaron P. Bernstein—Getty Images An exterior view of an Anthem Health Insurance facility in Indianapolis on Feb. 5, 2015

Beijing has been implicated in cyberattacks on U.S. organizations in the past

Chinese hackers are the suspected perpetrators of the massive cyberattack on the American health insurer Anthem that was uncovered last month and resulted in the theft of sensitive information belonging to an estimated 80 million customers, according to reports in Bloomberg and the Washington Post.

Both news outlets say unnamed individuals familiar with the ongoing probe suggest the data theft might have links to state-sponsored hackers in China.

“Technical details of the attack include ‘fingerprints’ of a nation-state, according to two people familiar with the investigation, who said China is the early suspect,” says Bloomberg.

“Investigators suspect Chinese hackers may be responsible for the breach, according to an individual briefed on some aspects of the probe,” the Post says.

China has been implicated in several previous cyberattacks on U.S. organizations.

TIME Video Games

Is It Really Time to Abandon Sony’s PlayStation Network?

Sony’s PlayStation 4 (upper-left) and Microsoft’s Xbox One (lower-right). (Sony, Microsoft)

Is Sony's PlayStation Network as terrible as some seem to think?

It’s tempting to view online services as perennial. You probably paid money for the privilege of using them, whatever the fine print you didn’t read actually says about availability, and you expect the vast province of interlinked devices we call the Internet to operate with the continuity of running water or electricity (never mind the number of power outages I’ve endured living in southeast Michigan).

When things go south, you get mad, the friends you wanted to play with are nonplussed, grumpy cat gets even grumpier–who isn’t fuming?

Thus when something like Sony’s PlayStation Network goes kaplooey, as it did at some point on Sunday, is it any surprise we’re seeing angry, hyperbolic, message-board-like news headlines? Writers jotting off zingers like “Why trust Sony ever again?”

Why indeed. But before we aim our collective invective at Sony or its online gaming peers, it’s helpful to review the pathology. Have Sony’s PSN outages crossed the Rubicon? Is it really time to cancel your online subscription? Maybe take your business across the aisle?

When people think of the PlayStation Network as unreliable, they’re really thinking about April 2011, a monumental mess wherein PSN collapsed and stayed down for nearly a month (followed by further hacks of other Sony services and embarrassing data leaks). Hackers made off with names, addresses, e-mail addresses, birthdates and login credentials for tens of millions of accounts; Sony said it had no evidence credit card data was taken but could not rule it out. The outage length–a record 23 days–was because Sony had to rethink its entire online security apparatus.

In late August 2014, the PlayStation Network as well as Sony Online Entertainment were briefly disrupted by a denial of service attack (the group responsible reportedly tweeted a bomb threat at SOE President John Smedley as he was flying to San Diego–the plane was consequently diverted to Phoenix). Microsoft’s Xbox Live was also disrupted during this period.

In early December 2014, Sony’s PlayStation Network as well as Sony Online Entertainment were once again briefly disrupted by a denial of service attack. Microsoft’s Xbox Live was also disrupted during this period.

In late December 2014, Sony’s PlayStation Network was unavailable for several days (including Christmas), apparently the victim of a malicious traffic-related disruption. Microsoft’s Xbox Live was similarly impacted.

In early February 2015, Sony’s PlayStation Network was briefly disrupted by another denial of service attack. (Microsoft’s Xbox Live went down briefly in late January–it’s still not clear why.)

Setting aside planned maintenance outages, Sony’s PlayStation Network has thus been unavailable as a result of nefarious activity less than a dozen times. Furthermore, Microsoft’s Xbox Live, while spared the colossal (and importantly, lingering) public shaming Sony endured back in 2011, has been down nearly as often. Both companies have attempted, in various ways, to compensate users for these outages.

Cognitive distortion can make molehills into mountains. The question, given the volatility of a global network susceptible to sudden malicious traffic missiles, is whether companies like Sony and Microsoft are over-promising availability, or whether consumers–obliged, in my view, to see more shrewdly through corporate hyperbole–need to take a dimmer view of what the Internet in 2015 can deliver. Denial of service attacks in 2015 remain a problem to which no company or service is immune.

I’m not apologizing for incompetence (where indeed incompetence can be proven), I’m just suggesting we’ve been sold a bill of goods about online dependability (in our minds, anyway–the fine print says otherwise) that can’t live entirely up to its claims. Not in 2015, anyway.

Is 98 or 99% availability the end of the world? I’m not so sure, though I’d definitely like to see companies like Sony and Microsoft level with us rolling forward, perhaps implementing an if-this-then-that remuneration clause, e.g. this much outage time equals that much compensatory service. At least you’d know the parameters going in.

TIME intelligence

U.S. Journalist Receives Five Years in Jail for Linking to Hacked Data

Europe Hacking Stratfor
Cassandra Vinograd—AP The home page of the Stratfor website is seen on a computer monitor in London, Wednesday, Jan. 11, 2012.

Barrett Brown must also pay $890,000 in restitution

An American journalist loosely affiliated with the Anonymous hacking collective was sentenced to 63 months in jail by a Dallas federal judge on Thursday for linking to hacked data from private global intelligence firm Stratfor in 2011.

Barrett Brown, 33, initially faced a sentence of over 100 years until he pled guilty last year to three reduced charges of obstructing a police search, issuing online threats and involving himself in the sharing of Stratfor data, reports the BBC.

“The government exposed me to decades of prison time for copying and pasting a link to a publicly available file that other journalists were also linking to without being prosecuted,” Brown said in a statement before the hearing.

Free speech activists allege Brown’s prosecution is based on his investigations into U.S. cybersecurity and intelligence contractors. He created Project PM in 2010 to probe intelligence leaks on a crowdsourcing platform.

“The U.S. government decided today that because I did such a good job investigating the cyber-industrial complex, they’re now going to send me to investigate the prison-industrial complex,” Brown said in a public statement after the sentencing, according to The Guardian.

The hacker responsible for the Stratfor data breach, Jeremy Hammond, 30, is currently serving a 10-year prison sentence.

TIME cybersecurity

Twitter Hackers Announce Start of World War III

By announcing that US and Chinese ships are in "active combat"

Hackers appear to have infiltrated the Twitter accounts of two news organizations Friday to announce a fictional battle between China and the United States.

Identical tweets posted to the feeds of the New York Post and news agency United Press International about “active combat” between U.S. and Chinese navy vessels in the South China Sea appear to be the work of hackers:

[Screenshots of the identical tweets posted from the New York Post and UPI accounts]

The New York Post announced in a follow-up tweet that its account had been hacked.

UPI’s Twitter also posted a tweet saying that Pope Francis had declared “World War III has begun,” also presumably the work of hackers.

[Screenshot of the UPI tweet]

The U.S. Navy confirmed to the Military Times that the USS George Washington was in port, and not engaged in battle in the South China Sea.

TIME Morning Must Reads

Morning Must Reads: January 13

Capitol
Mark Wilson—Getty Images The early morning sun rises behind the US Capitol Building in Washington, DC.

Paris Attacker Violence-Obsessed

Chérif Kouachi, one of the brothers responsible for the deadly attack on Charlie Hebdo, was obsessed with violence, his mentor has revealed. Farid Benyettou said the pair last spoke two months ago to discuss previous attacks, and called Kouachi “guided by ignorance”

Facebook Predicts Your Personality

Researchers studied how Facebook Likes matched up with people’s own answers on personality tests — as well as those of their family and friends

Hackers Hit the Pentagon

The latest cyberwar skirmish involves an embarrassing breach of U.S. Central Command’s social-media accounts by alleged Islamist hackers

Watch the New Avengers: Age of Ultron Trailer

The second trailer for Marvel’s eagerly awaited Avengers: Age of Ultron has been released, and it’s more sinister than ever. Robert Downey, Jr., Scarlett Johansson, and Samuel L. Jackson, among others, star in the superhero blockbuster, which hits theaters on May 1

Ohio State Wins 1st Playoff-Era Title, Upsetting Oregon 42-20

Ohio State can add the newest version of the national-championship trophy to a case that already has a bunch of the old ones. The Buckeyes’ Cardale Jones led Ohio State past Marcus Mariota and the Ducks 42-20 on Monday night in Arlington, Texas

Divers Retrieve 2nd Black Box From AirAsia Crash

Divers have retrieved the crashed AirAsia plane’s second black box from the bottom of the Java Sea, giving investigators the essential tools they need to start piecing together what brought Flight 8501 down

1 Person Dies After Smoke Empties D.C. Metro Station

A spokeswoman for the metro system in Washington, D.C., says one person has died after smoke forced the evacuation of the L’Enfant Plaza station on Monday. At least six others were taken to the hospital with injuries

Dogs Came to Americas Thousands of Years after Humans

They may be man’s best friend, but new research indicates that dogs arrived in the Americas thousands of years after humans did. According to a recent study, dogs only came to the region about 10,000 years ago

Ford Reveals Stunning New GT

After a nine-year hiatus, the iconic American automobile manufacturer unveiled the latest installation of the prized GT to ecstatic car aficionados at the 2015 North American International Auto Show in Detroit on Monday

Pakistan Executes 7 Militants During John Kerry’s Visit

Pakistani officials oversaw the execution of seven convicted militants across the country on Tuesday morning as U.S. Secretary of State John Kerry began the second day of his trip to the South Asian nation aimed at ramping up security and intelligence cooperation

Apatow to Cosby: ‘Go in Your Mansion and Disappear’

The director has mostly kept his criticisms of comedian Bill Cosby, whom dozens of women have accused of sexual assault, to a 140-character minimum. But he elaborated recently to say, among other beliefs, “I absolutely would like to see him in jail”

A Plane from New York to London Almost Went Supersonic

A British Airways flight traveling from New York to London made the trip in just 5 hours and 16 minutes at ground speeds of up to 1,200 km/h (745 mph)—just short of the sonic barrier—thanks to unusually strong winds


TIME Security

Hackers Flood Crayola Facebook Page With NSFW Images

Binney and Smith Celebrates 100 Years Of Crayola
William Thomas —Getty Images EASTON, PA - JUNE 18: Crayons are packaged by machine at Binney and Smith, Inc., the manufacturer of Crayola crayons, June 18, 2003 in Easton, Pennsylvania.

"Our sincere apologies to our Facebook community for the inappropriate and offensive posts you may have seen here today"

Crayola apologized to fans on Sunday after hackers infiltrated the company’s Facebook page and flooded it with racy, lewd and bizarre posts.

“Our sincere apologies to our Facebook community for the inappropriate and offensive posts you may have seen here today,” the crayon-maker wrote on its recently scrubbed Facebook page.

Adweek grabbed images of the posts before they were taken down on Sunday (Warning: these are not for the coloring book crowd). The images ranged from sexual innuendos to pornographic cartoons, including one image that imagined what Disney cartoons might look like “If Disney Was for Adults.”

Read more at AdWeek.
