internetsecurity

Latest

  • 1,500 iOS apps are vulnerable to an HTTPS-crippling bug

    by Andrew Tarantola
    04.21.2015

    According to analytics service SourceDNA, nearly 1,500 iPhone and iPad apps currently available in the App Store include a bug that breaks HTTPS. This could leave users' sensitive personal information exposed to hackers. Analysts have identified an out-of-date version of open-source code library AFNetworking as the source of the vulnerability. The library itself has already been patched; however, many apps are still using the older, insecure version. "We tested the app on a real device and, unexpectedly, we found that all the SSL traffic could be regularly intercepted through a proxy like Burp without any intervention," researchers Simone Bovi and Mauro Gentile wrote in March.

  • PayPal's chief information security officer says passwords' days are numbered

    by Mark Hearn
    05.11.2013

    Recently speaking at the Interop IT conference, PayPal's chief information security officer, Michael Barrett, stated that passwords and PINs were operating on borrowed time. Barrett hopes to replace online security keys with a setup that's a blend of software and hardware-based identification. He also serves as president of the Fast Identity Online Alliance (FIDO) -- the organization's focus is to combine an effective mix of software (passwords and plugins) and hardware (USB drives and fingerprint scanners) for user authentication. PayPal's technology boss didn't allude to his company adopting these new types of security systems for its customers anytime soon. Instead he announced that FIDO-enabled devices will be hitting the market sometime this year. Progress, yes, but until this hardware becomes more widely available, it's likely that you'll be spending more time getting acquainted with two-step logins.

  • Microsoft and British agency create child-friendly version of IE9

    by James Trew
    02.07.2012

    As the entry age for web access heads ever southwards, protecting young minds from the perils of the internet is a growing concern for parents. For this reason, Microsoft teamed up with the UK-based CEOP (Child Exploitation and Online Protection Center) to create a special kid-friendly version of its IE9 browser. Access to key CEOP pages is baked right in, and there are dedicated tabs for the thinkuknow.co.uk information site and, of course, Bing. Additional security comes via a Jump List that lets parents and care-givers set the age group of their child and prevents them from seeing unsuitable content. It's only available on Windows 7, and you'll need to prevent your curious children from using any other browser, but at least it's extra peace of mind at no extra cost.

  • Key pattern analysis software times your typing for improved password protection

    by Michael Gorman
    05.20.2011

    The recent pilfering of PlayStation Network passwords and personal info shows that having a strong passcode doesn't always guarantee your online safety. However, key-pattern analysis (KPA) software from researchers at American University of Beirut may be able to keep our logins secure even if they're stolen. You create a unique profile by entering your password a few times while the code tracks the speed and timing of your keystrokes. The software then associates that data with your password as another means of authentication. Henceforth, should the magic word be entered in a different typing tempo, access is denied. We saw a similar solution last year, but that system was meant to prevent multiple users from accessing subscription databases with a single account. This KPA software allows multiple profiles per password so that your significant other can still read all your email -- assuming you and your mate reside in the trust tree, of course.

  • Intel acquires McAfee for $7.68 billion

    by Joseph L. Flatley
    08.19.2010

    Well, we got our copy of McAfee Antivirus for $29, but it looks like Intel had something a little more substantial in mind. The latter has picked up the Santa Clara-based security / antivirus company for a cool $7.68 billion, which works out to $48 per share in cash. Intel informs us that it will function as a wholly owned subsidiary (under the control of its Software and Services group). This comes hot on the heels of the company's acquisition of TI's cable modem unit, and possibly signals a new focus on security for connected devices. "The cyber threat landscape has changed dramatically over the past few years, with millions of new threats appearing every month," said McAfee CEO Dave DeWalt. "We believe this acquisition will result in our ability to deliver a safer, more secure and trusted Internet-enabled device experience." This has added a wonderful new phrase to the Engadget lexicon (and possibly even a name for our new garage band): Cyber Threat Landscape. PR after the break.

  • Seven physical keys serve as the internet's horcrux

    by Sean Hollister
    07.28.2010

    The internet may not have a kill switch, but there really is a set of keys, developed by ICANN in case of digital catastrophe. Seven keyholders across the world hold smart cards like the ones you see above, each with a piece of DNSSEC's recovery key. What's that, you say? We're glad you asked -- DNSSEC's an initiative to make sure websites are who they say. To do that, it needs a way of authenticating domain names with a cryptographic master key, and a replacement copy of that key is the item these individuals are safeguarding. Even banded together, the individuals have no power over the internet at large -- the tokens simply allow the world to reboot the authentication system in case ICANN's two facilities happen to simultaneously go down. Policies and procedures dictating how this all works sadly include neither demonic keymasters nor secret societies, but you're welcome to hit up our more coverage link for the deep dive.

  • Sophos decries XP Mode vulnerability, Microsoft offers chill pill

    by Vlad Savov
    08.24.2009

    If you're keeping score at home, Microsoft needs to bring two heavies to a fight with Google, but it can lay the smack down on an AV software firm like Sophos all by itself. Richard Jacobs, chief technology officer and master of inflammatory rhetoric at Sophos, points out that Windows 7's XP Mode makes computers vulnerable to attack due to it operating independently from the underlying OS and therefore not having the same firewall and anti-virus protection. For those who actually go to the trouble of buying and updating security software -- like say, most businesses -- this essentially doubles costs for each new Windows 7 machine. Microsoft has countered with the fact that big businesses will be using its MEDV management software, while smaller shops will be able to update the virtualized XP in the same fashion as they would a physical PC. Storm in a teacup, then? Absolutely, but you'll want to give these a read if only for the passive aggressive silliness that ensues.

    [Via The Register]

    Read - Richard Jacobs on XP Mode
    Read - MS chief security adviser for EMEA Roger Haibheer retorts
    Read - Jacobs retorts to the retort
    Read - MS developer James O'Neill threetorts