Publicity photos of Prince William covering his day-to-day work as a search-and-rescue helicopter pilot were released with computer passwords visible in the background. In at least one photo, login information is shown printed on a sheet of paper tacked to the wall behind the prince’s head.
Sophos’ Naked Security blog has a good write-up with the sensitive details blacked out, and mentions the importance of changing to much stronger passwords immediately. The Guardian reports that the passwords shown have indeed been changed.
A hacker seems to have broken into a Montana television station’s systems and used that access to issue a fake emergency alert that the dead were rising from their graves.
According to this article from ComputerWorld, a standard Emergency Alert System message appeared along the top of viewers’ TV screens. After the warning sounds, a male voice announces that “the bodies of the dead are rising from their graves and attacking the living.”
Following another recent attack in which the loosely-organized Anonymous hacking collective released the credentials of over 4000 American bank executives, it is now being reported that Anonymous has published additional documents indicating that they have penetrated much further into the US Federal Reserve’s computer systems than previously revealed.
ZDNet reports that the documents, obtained as part of Anonymous’ Operation Last Resort (a series of retaliatory attacks on US government systems following the suicide of Aaron Swartz), were themselves disseminated from a hacked yacht club website. It appears that this is a follow-up attack to the bank executive document release of last week, brought on by the Federal Reserve’s dismissive response.
In response to two zero-day vulnerabilities, Adobe has released out-of-band emergency updates for their Flash Player.
Since last fall, Flash has formally been on a regular update schedule like many large software projects, but InfoWorld reports that this emergency fix constitutes the first patch since the schedule was established. Adobe identifies the update as “critical” as the vulnerabilities it fixes are being actively exploited in the wild on both Windows and Mac OS X.
CNET also has an article about this update, and includes a convenient list of recommendations for end users.
Twitter has reported that encrypted password data for 250 000 users has been compromised. It appears that the attack was highly sophisticated, but engineers were able to stop it while it was still in progress.
Ars Technica reports that the affected users have been notified by email and their passwords automatically reset as a precaution.
In response to news of this attack, CIO offers an article about strong password creation. SlashGear also reports on Twitter’s rumoured intent to implement two-factor authentication.
The popular smartphone instant messaging app WhatsApp has been the subject of a joint Dutch-Canadian probe into breaches of the privacy laws of both countries.
Sophos’ Naked Security reports that this is the first time two countries have worked together to investigate privacy breaches. Linked from the article is the Canadian report from the Office of the Privacy Commissioner.
There are a number of allegations in the report, notably that WhatsApp uploaded full contact lists without allowing end users to select which contacts they wanted to share, retained information about those contacts even if they did not use WhatsApp themselves, and failed to inform users that their own status would be made available to all of their contacts who were users of WhatsApp.
WhatsApp appears to be working toward fixing the problems identified in the report. It has released an update for the iOS version of the app to allow selective uploading of contacts, and plans to roll out updates for all other versions as well.
The unlocking exemption from the United States’ Digital Millennium Copyright Act (DMCA), previously maintained by the Librarian of Congress, has been allowed to expire. Unlocking a smartphone in the United States that was purchased after October 28, 2012 is therefore now illegal. For now, unlocking remains permitted in Canada.
Digital Trends has a question-and-answer article that describes the situation and what it means for American smartphone users.
Belkin has announced a deal to take over the Linksys brand from Cisco, which has owned Linksys since 2003. Engadget provides a copy of Belkin’s press release along with a brief summary, noting that Belkin intends to continue support for Linksys customers. CNET also mentions that Cisco has dropped some other consumer-oriented products from its portfolio as well, and appears to be concentrating on its core enterprise products.
Three men from Russia, Latvia, and Romania have been indicted in the United States for creating and spreading the Gozi virus, designed to steal banking information from victims.
The LA Times reports that Nikita Kuzmin, Deniss Calovskis, and Mihai Paunescu are accused of programming the virus, creating various “injects” such as fake bank login pages, and making the virus available for distribution via spam email and maliciously crafted PDF documents. At least 40 000 computers in the United States were infected along with others in Turkey, Poland, Finland, and other countries.
Among the American victims was apparently NASA, where 190 computers were infected with the Gozi virus between 2007 and 2012.
This basic Internet scams primer appeared on The Next Web today. It goes over four (five if you include the Nigerian Prince scam) methods scammers use to trick their victims, concentrating on email as the vector of choice to reach their marks. Focusing on email makes sense; many, if not most, malware infections come from email attachments and links to web sites containing malicious code.
Prevention of malware infection starts with wariness toward every email that comes in. Malware can relatively easily be prepared to refer to you by name, appear to come from someone you know, or take on the exact outward appearance of an email from a reputable source. Usually, the giveaway is that the email contains an unnecessary attachment, or links to a web site other than the one it appears to be coming from (determine where links go by hovering over them with your mouse; the destination address will appear in the status bar on all major email programs).
The linked article isn’t exactly news, but it’s definitely worth a read as a reminder to be careful with email links and attachments.