Yahoo drops ‘Do Not Track’ policy in favor of ‘personalized’ experience

May 3, 2014 – 8:19 AM

Yahoo is watching you, whether you like it or not.

Yahoo said this week that the company will stop honoring “Do Not Track” requests made by a user’s browser. It will now actively attempt to track your interactions with its site and its content. 

“Here at Yahoo, we work hard to provide our users with a highly personalized experience,” the ironically named “Yahoo Privacy Team” wrote in a blog post. “We keep people connected to what matters most to them, across devices and around the world. We fundamentally believe the best web is a personalized one.”

Yahoo’s team claimed that Yahoo was originally the first major tech company to implement “Do Not Track,” which, in reality, is more of a request from the browser to the Web site than an order. Yahoo said it had yet to see a single privacy standard that is “effective, easy to use and has been adopted by the broader tech industry.” For that reason, as well as its desire for “personalized” experiences, Yahoo changed its policy.

“Personalized” ads, of course, are a mixed bag. On the one hand, if Yahoo knows you’re a single man, you probably won’t receive ads for maternity clothes. On the other, tailoring an ad to your gender, age, location, and even annual income means that Yahoo can charge far more per ad than it normally would.

Yahoo does allow you to manage certain elements of your privacy via its “Yahoo Privacy Center,” where users can manually click a button and opt out of what Yahoo calls “interest-based advertising.” Doing so, however, requires you not only to accept cookies into your browser, but also to be logged into Yahoo, across every PC you own, for those privacy settings to be passed along to your other devices.

“Do Not Track,” of course, allows you to set a blanket statement against tracking across all Web sites, not just Yahoo. If more sites follow Yahoo’s lead, imagine the time you’ll spend simply ensuring that your privacy rights are configured the way you want them. What Yahoo hopes, of course, is that you simply won’t bother.

Source:
http://www.pcadvisor.co.uk/news/security/3514787/yahoo-drops-do-not-track-policy-in-favor-of-personalized-experience/?olo=rss

Serious security flaw in OAuth, OpenID discovered

May 2, 2014 – 6:34 PM

Following in the steps of the OpenSSL vulnerability Heartbleed, another major flaw has been found in popular open-source security software. This time, the holes have been found in the log-in tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others.

Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered a serious vulnerability, dubbed “Covert Redirect,” that can masquerade as a log-in popup based on an affected site’s domain. Covert Redirect is based on a well-known exploit parameter.

For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a similar-looking fake domain name to trick users, the Covert Redirect flaw uses the real site address for authentication.

If a user chooses to authorize the log in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.

Regardless of whether the victim chooses to authorize the app, he or she will then get redirected to a website of the attacker’s choice, which could potentially further compromise the victim.
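The mitigation on the authorization server side is to compare the redirect destination against the registered value exactly rather than by domain. The following is an added illustration, not code from the article or from any of the named providers; the client id, the registered callback and the sample redirect values are constructed.

```python
from urllib.parse import urlparse

# Constructed sample data: the callback a hypothetical OAuth client registered.
REGISTERED_REDIRECTS = {
    "client-123": ["https://app.example.com/oauth/callback"],
}


def domain_match_check(client_id: str, redirect_uri: str) -> bool:
    """Weak check: any redirect_uri on the registered host is accepted.

    If the client site has a page that forwards users elsewhere, that page
    passes this check, so the authorization response can end up at a
    destination the client never registered.
    """
    allowed_hosts = {urlparse(u).hostname for u in REGISTERED_REDIRECTS.get(client_id, [])}
    return urlparse(redirect_uri).hostname in allowed_hosts


def exact_match_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: redirect_uri must equal a registered value byte for byte
    (scheme, host, path and query), which is the comparison RFC 6749 calls for
    when the full redirection URI is registered."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, [])


# Constructed sample redirect values a server might receive.
SAMPLE_REDIRECTS = [
    "https://app.example.com/oauth/callback",                 # the registered one
    "https://app.example.com/go?to=https://third-party.example/",  # same host, other page
    "http://app.example.com/oauth/callback",                  # downgraded scheme
    "https://third-party.example/oauth/callback",             # wrong host entirely
]


def evaluate(check) -> dict:
    """Run one check over the sample values; maps each value to accept/deny."""
    return {uri: check("client-123", uri) for uri in SAMPLE_REDIRECTS}


if __name__ == "__main__":
    for name, check in (("domain match", domain_match_check), ("exact match", exact_match_check)):
        print(name, evaluate(check))
```

Only the exact-match variant denies the same-host forwarding page; the domain-match variant accepts it along with the plain-http downgrade.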

Source:
http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

Passwords: Not Going Away Anytime Soon

April 30, 2014 – 5:40 PM

For users who are not system administrators, the biggest impact of the Heartbleed vulnerability has been all the passwords that they have had to change. This, together with improvements in alternative authentication methods (like the fingerprint scanners now embedded in flagship smartphones), has caused some rather bold statements about passwords to be made.

Passwords are out of fashion? Obsolete in the short term, I hear some people say? Not so fast! While it’s true that passwords are not the most convenient way of authenticating yourself and they are inherently insecure, we should not be so quick to dismiss them.

The main advantage of passwords is that everybody can use them straight away. There is no need to tie yourself to a specific authentication token (“I could swear it was in my bag this morning!”), location (“I can’t log in from the hotel, I forgot I enabled that security feature!”), or smartphone (“I let my phone’s battery go dead!”). It might seem odd to some, but forcing users to own a smartphone – or asking a company to provide their employees with one – might be too costly.

Even if passwords are supplemented by other authentication methods, passwords will still be around as a secondary method. What would happen otherwise when your phone or hardware token gets stolen? We are simply not ready for a world without passwords, much as we’d like to get rid of them.

If that’s the case, we might as well learn how to use them properly. It’s not that difficult:

First, use a different password for each online service. If you’re trying to do this manually, it becomes difficult – which is why the best way to do this is to use a password manager. There are multiple options available, many of which are free.

Source:
http://blog.trendmicro.com/trendlabs-security-intelligence/passwords-not-going-away-anytime-soon/

Adobe Patches Critical Flash Player Zero Day

April 29, 2014 – 9:05 PM

Adobe has released security updates for Adobe Flash Player 13.0.0.182 and earlier versions for Windows, Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh and Adobe Flash Player 11.2.202.350 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform. Adobe recommends users update their product installations to the latest versions:

  • Users of Adobe Flash Player 13.0.0.182 and earlier versions for Windows should update to Adobe Flash Player 13.0.0.206.
  • Users of Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh should update to Adobe Flash Player 13.0.0.206.
  • Users of Adobe Flash Player 11.2.202.350 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.356.
  • Adobe Flash Player 13.0.0.182 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 13.0.0.206 for Windows, Macintosh and Linux.
  • Adobe Flash Player 13.0.0.182 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 13.0.0.206 for Windows 8.0.
  • Adobe Flash Player 13.0.0.182 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 13.0.0.206 for Windows 8.1.

Source:
https://helpx.adobe.com/security/products/flash-player/apsb14-13.html

AOL reports e-mail breach as bigger than thought

April 28, 2014 – 5:02 PM

Last week, AOL confirmed that an unknown number of AOL Mail accounts have been hacked. Today, the company urged all its customers to change passwords and security questions, as it determined that information for at least two percent of all its accounts had been compromised. That’s an impact of half a million users.

Attackers breached AOL’s systems and gained access to e-mail addresses, encrypted passwords, answers to security questions, and other contact information (including postal mailing addresses). While the mailboxes themselves were not compromised, the attackers used the contact information in a barrage of “spoofed” e-mails from those addresses—messages sent from outside AOL’s network with forged “from” address headers. Those e-mails are part of a large-scale phishing operation containing malicious Web links.

An AOL spokesperson said that the company is working with federal law enforcement to investigate the attack on its servers and that there was no indication that encrypted passwords were cracked by the attackers. The company has also changed its Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy to “p=reject”—meaning that other mail services will automatically discard messages sent by someone using an AOL.com mail address when a message is sent from a non-AOL server.
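To show what the “p=reject” change means in practice, here is an added example (not code from the article or from AOL) that parses a DMARC TXT record and works out what a receiving server does with a message that fails SPF and DKIM alignment. The two records are constructed samples; the pct= tag is assumed at its default of 100.

```python
# Constructed sample DMARC records, as they would be published at _dmarc.<domain>.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
HARDENED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs; v= and p= are mandatory."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    if tags["p"].lower() not in VALID_POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


def dmarc_disposition(record: str, spf_aligned: bool, dkim_aligned: bool) -> str:
    """Return 'pass' when SPF or DKIM passes with an aligned domain; otherwise
    the domain's p= policy ('none' = deliver anyway, 'quarantine', 'reject')."""
    tags = parse_dmarc(record)
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags["p"].lower()


def spoofed_message_outcome(record: str) -> str:
    """Constructed scenario from the article: a message carrying an @aol.com-style
    From address but sent from a server outside that domain's infrastructure,
    so it is neither in SPF nor carries an aligned DKIM signature."""
    return dmarc_disposition(record, spf_aligned=False, dkim_aligned=False)


if __name__ == "__main__":
    print("p=none  :", spoofed_message_outcome(WEAK_RECORD))      # delivered
    print("p=reject:", spoofed_message_outcome(HARDENED_RECORD))  # rejected
```

A reject policy also applies to legitimate mail that is relayed through servers the domain does not authorise (mailing lists, forwarding), which is why domains usually start at p=none with reports enabled and move to reject once the reports show what would be affected.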

Source:
http://arstechnica.com/security/2014/04/youve-got-pwned-aol-reports-e-mail-breach-as-bigger-than-thought/