Security posts on CNET - Page 11


New Gmail image server proxies raise security risks

A new Gmail policy that allows e-mailed image attachments to load automatically comes at a price, say two security researchers.

Google announced on Thursday that Gmail would once again load attached images by default. The feature had been disabled years ago, as a way of clamping down on malware and phishing attacks.

The news was accompanied by an explanation: Google proxy servers would host the images, thus preventing any malware they were hiding from surreptitiously showing up in the e-mail.

However, security researcher H.D. Moore determined that the proxy servers posed a tracking risk to e-mail recipients.

"If … Read more

Gmail now shows you all images by default

Before the dark times of drive-by malware, attached images would show in their e-mail. That practice went away as e-mail providers stopped displaying attachments to cut down on spreading malware, but Google has figured out a better solution: proxy servers for all.

The company revealed on Thursday that Gmail can maintain its current level of security while serving image attachments through Google's own proxy servers, instead of through the image's original host server.

What this means is that instead of seeing a box that asks you if you want to display an attached image, you'll see the … Read more

You shall not pass (this time): Google+ tweaks permissions

Google+ Sign-In is the social network's authentication service, used by a range of apps and services to simplify logging in for users. On Wednesday, Google announced that developers who implement it will no longer have to ask their users for all or nothing when it comes to permissions.

The update introduces incremental authorization so that an app's users don't have to be asked to surrender all app permissions at once. This could help educate people as to what an app or service is doing with those permissions, although it's not as far a step as giving … Read more

Google releases Android Device Manager app

Google today released a mobile app for its Android Device Manager service. Available for free in the Google Play store, the app lets users manage and secure an Android tablet or phone associated with their Google account from another Android device (running Gingerbread and up).

The app gives access to all Android Device Manager features, including locating a tablet or phone on a map, resetting its lock code, and erasing it completely. Just note that your missing device must be connected to the cellular network or to Wi-Fi for it to perform the commands.

Though Google released Android Device Manager … Read more

Google eyes password-free authentication in Chrome OS

Google developers are proposing technology that would let Web apps unlock Chrome OS machines without requiring people to type in a password.

The chrome.screenlockPrivate feature would let an app wake up a Chromebook or Chromebox if it judges a person to be present based on trusted data from Bluetooth, NFC, or USB ports.

"A platform app may use the USB, NFC, and/or Bluetooth APIs to communicate with a secondary trusted device such as a phone, ring, watch, or badge, thereby allowing that trusted device to serve as an alternative form of authentication for the user," said … Read more

Carriers got 1M gov't, police requests for data in 2012

Requests for customer mobile phone data from federal, state, and local authorities topped 1 million last year, according to Senator Edward Markey.

The results were revealed Monday by the senator's office, which published letters received from the major US carriers in response to questions from Markey. The senator's questions touched on such topics as:

How many total requests did your company receive from law enforcement to provide information about your customers' phone usage?

How long does your company retain records for law enforcement?

How many of the requests did your company fulfill, and how many did it deny? … Read more

Crackdown successfully reduces spam

Efforts to put an end to e-mail phishing scams are working, thanks to the development of e-mail authentication standards, according to a pair of Google security researchers.

Internet industry and standards groups have been working since 2004 to get e-mail providers to use authentication to put a halt to e-mail address impersonation. The challenge was both in creating the standards that the e-mail's sending and receiving domains would use, and getting domains to use them.

Elie Bursztein, Google's anti-abuse research lead, and Vijay Eranti, Gmail's anti-abuse technical lead, wrote that these standards -- called DomainKey Identified Email (… Read more

Microsoft to fight Internet snooping with stronger crypto

Comparing government surveillance to sophisticated malware and cyber attacks, Microsoft said late Wednesday it will encrypt Internet traffic traveling through its data centers.

Brad Smith, Microsoft's general counsel, wrote in a company blog post that the software giant is taking steps to ensure that any government surveillance of the Internet is conducted legally rather than by a technological subterfuge. Not mentioning the National Security Agency by name, Smith said Microsoft was especially alarmed by allegations that "some governments" had collected customer data from the Internet without warrants.

"If true, these efforts threaten to seriously undermine confidence … Read more

Researchers discover database with 2M stolen login credentials

Researchers have unearthed an online database filled to the brim with stolen account information from popular services including Facebook, Yahoo, Twitter, and Google.

On Tuesday, the security team at Trustwave's SpiderLabs revealed in a blog post that the database contained 1.58 million stolen usernames and passwords. The login credentials were associated with 318,121 Facebook accounts, 21,708 Twitter accounts, 54,437 Google-based accounts, and 59,549 Yahoo accounts. The database also contained approximately 320,000 stolen email account credentials. The remaining compromised accounts on the server were FTP accounts, remote desktop details, and secure shells.… Read more

Top Black Friday and Cyber Monday software deals

Is it me or are the stores opening up for Black Friday shopping a lot earlier than ever before? I heard that one of the stores opened its doors at 5pm on Thanksgiving day with its "sweet door buster" deals, but is that really worth it? What are the extreme bargain hunters to do? Pick "deals" over friends and family on Thanksgiving?

Thankfully, I have rounded up some of the best deals out there as well as some exclusive deals just for users, so you don't have to choose deals over quality time … Read more