Security & Privacy

Apple has fixed the security issue involving its Apple ID password-reset page, a vulnerability that had made it possible for hackers with a user's e-mail address and birth date to reset the user's password.

Apple said yesterday that it was aware of the issue and was preparing a fix. Meanwhile, the company had taken the "iForgot" reset page offline for maintenance. Now the page is back up, and Apple has confirmed the fix with CNET.

The security exploit made use of a special URL that got around the need to answer a security question. Apple had … Read more

A bipartisan group of lawmakers has introduced a new bill, known as the Geolocation Privacy and Surveillance Act, to force law enforcement to obtain a warrant to track suspects with GPS devices.

The bill, which was introduced to Congress yesterday, is sponsored by Reps. Jason Chaffetz (R-Utah) and Jim Sensenbrenner (R-Wis.), as well as Sen. Ron Wyden (D-Ore.) and House judiciary committee ranking member Rep. John Conyers (D-Mich.). If passed, it would provide a "legal framework" that provides clear guidelines on when and how GPS devices can be accessed and used.

"New technologies are making it increasingly … Read more

South Korea apparently still has a mystery on its hands. Who launched a cyberattack against several of its banks and broadcasters this week?

Regulators for the country initially pointed the finger at China, saying that the attacks originated from a Chinese IP address. But they admitted today that they jumped the gun.

The IP address used in the attack was actually traced to one of the banks hit on Wednesday. South Korea's NongHyup Bank had been using the address as a virtual one for its internal network, according to Reuters. By coincidence, that address matched one registered in China.… Read more

Apple today added an extra layer of security to its Apple ID system that can harden the password people use to log in to various Apple services.

Users with an Apple ID can now sign up for two-step verification of their password, a system that sends a four-digit passcode by text message to a user's phone, and must be used on top of a regular password. In practice, this could keep an account from being compromised by an attacker, unless that person had access to the mobile device too.

The move comes a little less than a year after … Read more

Security company Dr. Web is reporting on a new adware Trojan attack that is targeting Mac users, where malicious Web sites will trick users into installing a plugin that will track your browsing and display ads to you.

The malware, called "Yontoo," will be first encountered as a media player, download manager, or other plug-in requirement for viewing contents on some maliciously crafted Web sites disguised as sources for file sharing and movie trailers. When the plug-in prompt is clicked, you're redirected to a site that downloads the Trojan installer and requires you to run it. The … Read more

A new Mac OS X Trojan is making the rounds, installing an adware plug-in that renders ads on Web pages to generate revenue for its author.

Dubbed Trojan.Yontoo.1, it is the most prominent of an increasing number of adware Trojans making the rounds, according to Russian antivirus company Dr. Web, the same company that discovered the Flashback virus last year.

"Criminals profit from affiliate ad network programs, and their interest in users of Apple-compatible computers grows day by day," Dr. Web said yesterday in a statement. "Recently discovered, Trojan.Yontoo.1 can serve as a … Read more

Matthew Keys, the deputy social media editor at Reuters who was recently indicted of charges of conspiring with Anonymous, has denied allegations he fed information to the hacktivist group that led to the defacement of the Los Angeles Times Web site.

Prosecutors alleged last week that Keys, a former Web producer for a TV station owned by the Tribune Company, handed over log-in credentials and passwords for the network of his former employer to members of the hacker group a couple of years ago. The Tribune Company also owns the L.A. Times.

The Los Angeles Times site's defacement … Read more

The cyberattack that targeted banks, TV broadcasters, and an Internet service provider in South Korea yesterday originated from an IP address in China, but the identities of the people responsible remain unknown, South Korean regulators say.

"We've identified that a Chinese IP has connected to the organizations affected," a spokesman for South Korea's Communications Commission told a press conference on Thursday, according to a Reuters account of the event.

The revelation comes a day after a massive coordinated attack on servers in South Korea led officials to raise the alert status for the nation's army … Read more

A newly discovered botnet has found a way to siphon cash from advertisers.

Spider.io, a security researcher, yesterday announced that it has discovered a new botnet, called Chameleon, that's targeting "at least" 202 Web sites. The botnet is made up of over 120,000 host machines running Windows, according to Spider.io. Those machines are connecting to the Web with a Flash-friendly Trident-based browser that executes JavaScript. The vast majority of the machines -- 95 percent -- have come from U.S.-based IP addresses.

The botnets have targeted at least 202 Web sites, hitting them … Read more