Twitter detects and shuts down password data hack in progress

Twitter engineers shut down what they described as an "extremely sophisticated" hack attack on its network that exposed the cryptographically protected password data and login tokens for 250,000 users.

In a blog post published late Friday afternoon, company officials said affected passwords and tokens have been reset and e-mails are in the process of being sent out to affected users. Twitter said it discovered the breach "earlier this week" and shut it down moments later.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Bob Lord, Twitter's director of information security, wrote. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

Path promises fix for grabbing geolocation data from photos

Just as Path was trying to put its privacy woes behind it, a security researcher has caught the social network taking new liberties with personal information stored on iPhones and iPads. Path developers have submitted an update that fixes the problem, which they only became aware of today, officials at the company said.

Path's iOS app was found copying geographic locations embedded in photos and pasting them into user posts, even when location services have been disabled. This is according to a blog post published Friday by Jeffrey Paul, a self-described hacker and security researcher living in Berlin. He characterized the behavior as exploiting a loophole, since it allows Path to regularly keep tabs on users' locations, even when they have taken pains to keep that data private.

"This is surely terrible form on Path's part," Paul wrote.

Oracle Releases Out-of-Band Patch to Address Java 7 Vulnerabilities

Oracle has released an out-of-band patch to address multiple vulnerabilities in the Java Runtime Environment (JRE) 7 Update 11 and earlier. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.

See Vulnerability Note VU#858729 for more information.

Kim Dotcom promises $13,600 to anyone who breaks Mega encryption

Following a barrage of criticism about the security of his recently unveiled Mega cloud storage service, Kim Dotcom is offering a $13,600 bounty to anyone who can crack the cryptography designed to prevent confidential files from being read by hackers or other unauthorized parties.

"Mega's open source encryption remains unbroken!" the unfazed entrepreneur wrote on Twitter Friday morning. "We'll offer 10,000 EURO to anyone who can break it. Expect a blog post today."

When the service debuted two weeks ago, Ars found its encryption methods included some "puzzling choices." The amount of entropy used during the key-generation process appeared to outsiders to be lacking, a potential vulnerability that could make it unnecessarily easy for someone to guess the bits needed to unlock someone else's private files. Mega's documentation was also vague on exactly how private crypto keys were secured.