Security holes in the NFL Mobile app “have been resolved on both iOS and Android,” a spokeswoman for Wandera said Friday. That mobile data gateway alerted the public Tuesday to potential security issues that allegedly put highly valuable personal information at risk of being exposed by hackers, ahead of Sunday's Super Bowl game. Scanning technologies used by Wandera allegedly discovered that after NFL Mobile app users logged into the app, the app “leaks their username and password in a secondary, insecure (unencrypted) API [application program interface] call,” a Wandera news release said. An app user’s username and email address were also leaked in an unencrypted format, allowing a hacker to access an app user’s full NFL profile, which contains personal data. “We’ve looked into this vulnerability and it’s been addressed,” a spokesman for NFL Media said Friday.
The healthcare.gov website appears to be sharing personal user data through an automated process with several major tech companies, including Google, Twitter and Yahoo, according to analysis by staffers of eight House and Senate committee chairmen. The findings were sent in a letter Friday to Health and Human Services Secretary Sylvia Burwell from Senate Commerce Chairman John Thune, R-S.D.; Senate Judiciary Chairman Chuck Grassley, R-Iowa; Senate Finance Committee Chairman Orrin Hatch, R-Utah; House Commerce Chairman Fred Upton, R-Mich.; House Ways and Means Chairman Paul Ryan, R-Wis.; House Oversight Chairman Jason Chaffetz, R-Utah; and others. It’s not “clear which pieces of consumer information are being passed to other third parties,” but “this sort of information sharing practice raises serious questions about the relationships between all parties involved,” it said. The letter asked several questions of HHS, including whether it authorized the sharing of consumer data. HHS didn’t comment.
Google won't fix security flaws affecting about 60 percent of all Android users -- those who use Android 4.3 and earlier systems -- said Google Chief of Security for Android Adrian Ludwig. Google decided that updating the outdated browser versions was no longer practical: doing so required hundreds of developers to write more than 5 million lines of code every month for just one browser, and in some cases “significant portions of the code” were changed. “Keeping software up to date is one of the greatest challenges in security,” Ludwig said in a Google Plus post, but a necessary one since using an “updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future.” Google's decision “is great news for criminals,” wrote Tod Beardsley, a software developer and blogger. “As a software developer, I know that supporting old versions of my software is a huge hassle,” he said. “I empathize with their decision to cut legacy software loose. However, a billion people don't rely on old versions of my software to manage and safeguard the most personal details of their lives. In that light, I'm hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.”
The FTC has settled 53 data security law enforcement actions since 2000, a number expected to rise in the future, said the agency on its blog Friday. To better protect consumers, the FTC is proactively reminding companies that their “data security measures should be reasonable and appropriate in light of the sensitivity and amount of consumer information you have, the size and complexity of your business, and the availability and cost of tools to improve security and reduce vulnerabilities,” said the agency. To ensure companies understand what is expected of them when it comes to data security basics, the commission published all data security resources in one place on its website and created a “to-the-point” brochure, 20-minute interactive tutorial and an imaginary text conversation between a business person and an FTC staff member on key data security points.
Harman announced purchase agreements designed to position the company as a leading software provider for the connected space. CEO Dinesh Paliwal said on a Thursday conference call that Harman’s planned buys of Symphony Teleca, which provides software engineering and integration services globally, and Red Bend Software, provider of over-the-air (OTA) and cybersecurity software, will transform Harman into a “comprehensive products, systems and engineering services company” for the automotive, telecom, media, CE and healthcare markets. Harman will be able to “enable and enhance the connected lifestyle people want,” Paliwal said. Both companies have been service providers to Harman “for some time,” he said. The Red Bend transaction is valued at $170 million -- about $99 million in stock and $71 million in cash. The agreement to buy Symphony Teleca calls for a base purchase price of $780 million, including $382 million in cash and $166 million in Harman stock. The acquisitions will add some 8,000 engineers -- most from Symphony Teleca -- to Harman’s current engineering staff of 3,500 in software and 3,000 in hardware and industrial design, Paliwal said. Symphony Teleca, based in Silicon Valley, has a customer base including Adobe, Comcast, Google, Intel, Jaguar, Land Rover, Microsoft, Verizon and SiriusXM, Harman said. Symphony Teleca, which brings a platform for integrated services geared to converged markets, along with software engineering and integrated services for the connected experience, offers Harman “immediate scale and engineering services to accelerate connected car innovations,” Paliwal said. Symphony’s software development capabilities will enable Harman to integrate and leverage high-margin segments including the cloud, mobile devices, design and analytics, said Paliwal. He said Symphony is the “largest Android ecosystem scaling partner worldwide” as well as a strategic partner of Microsoft.
Harman will be able to provide a “complete set of software defined services” around predictive analytics, cloud enablement, the Internet of Things gateway, turnkey mobile development and commercialization “to enable everything from autonomous driving to intelligent cities,” he said. Israeli company Red Bend -- with a customer base including AT&T, China Mobile, Huawei, Lenovo, LG, Samsung, Sprint, Telit and Verizon -- provides over-the-air software and hypervisor-based virtualization technology for cybersecurity applications. The technology is positioned to meet the demands of the connected car and can be a “prerequisite to autonomous driving,” Paliwal said. That includes the ability to deliver “safe, secure OTA updates” for on-board and non-Harman automotive systems, “either embedded or downloaded,” Paliwal said.
The Worcester Polytechnic Institute was given $4.4 million by the National Science Foundation to address the “critical national shortage of highly trained experts in cybersecurity,” a WPI news release said Thursday. The program, funded by NSF’s CyberCorps: Scholarship for Service initiative, will provide scholarships to 25 undergraduate and graduate students who commit to government employment upon graduation, it said. Rep. Jim McGovern, D-Mass., said in the release: “We have a critical need for additional experts in this field -- a need that the federal government can and should help to fill.”
U.S. Central Command confirmed that hackers claiming to belong to the Islamic State of Iraq and the Levant (ISIL) terrorist group temporarily took control of the military command’s Twitter and YouTube accounts earlier Monday. The hackers claimed their actions were retaliation for recent U.S. military actions in Afghanistan, Iraq and Syria. Both accounts went offline soon after the hacking occurred and remained suspended at our deadline. The hackers changed the profile picture and background image on the command’s Twitter page to an image of an ISIL militant that included the word “Cybercaliphate” and the phrase “i love you isis,” referring to the group’s alternate name Islamic State of Iraq and Syria. Hackers sent out multiple Tweets, including images that listed the phone numbers and email addresses of active-duty and retired U.S. Army officers. Another Tweet included an image of a document listing purported “scenarios” involving China and North Korea. Hackers also uploaded several videos to Central Command’s YouTube account. “We are taking appropriate measures to address the matter,” a command spokesman said. The hacks occurred as President Barack Obama began a four-day rollout of proposed broadband and cybersecurity policies (see 1501120043 and 1501120045).
Bitstamp, a bitcoin exchange, closed its website Monday after a possible security breach Sunday, said the company website. “We have reason to believe that one of Bitstamp’s operational wallets was compromised,” said the company. It promised it has “more than enough offline reserves to cover the compromised bitcoins.” Bitstamp hoped to announce sometime Monday when it would restore its website, said CEO Nejc Kodric in a tweet.
Sony’s decision to release The Interview on Christmas Eve for rental or purchase through Google Play, YouTube Movies and Xbox Live came a week after Sony began contacting “a number of companies, including Google, to ask if we’d be able to make their movie, 'The Interview,' available online,” said Google Chief Legal Officer David Drummond Wednesday in a blog post. “We'd had a similar thought and were eager to help -- though given everything that’s happened, the security implications were very much at the front of our minds,” Drummond said. “Of course it was tempting to hope that something else would happen to ensure this movie saw the light of day. But after discussing all the issues, Sony and Google agreed that we could not sit on the sidelines and allow a handful of people to determine the limits of free speech in another country (however silly the content might be)." Xbox Live also is offering the movie for sale and rental, Drummond said. It’s also available through a website Sony set up called seetheinterview.com. Microsoft General Counsel Brad Smith wrote in a blog post Wednesday that his company made the decision to support Sony after “substantial thought.” Microsoft “decided to stand up with Sony and work with others to ensure that freedom of expression triumphs over cyberterrorism,” Smith wrote. Through Xbox Live, the movie is available to U.S. customers who own an Xbox console, a Windows Phone, or a PC or tablet running Windows 8 or 8.1, Smith said. Sony also is releasing the movie in select theaters nationally on Christmas Day. Sony Entertainment representatives didn't comment on why The Interview isn't being offered online through such Sony vehicles as the PlayStation Store.
ICANN was hit by a data breach in November, believed to be a “spear phishing” attack, it said in a news release Wednesday. Emails were sent to ICANN staffers that appeared to come from the ICANN domain, it said. The attack compromised the email credentials of several staff members, ICANN said. The attack also breached ICANN’s centralized zone data system (CZDS), which contained names, email addresses, telephone numbers and other information of CZDS users, it said. ICANN’s Governmental Advisory Committee's members-only wiki page also was breached, it said. The nonprofit is continuing to investigate the attack.