Tag Archive | "security"

HTC acknowledges long-running WiFi security flaw, says it kept it quiet to prevent exploits


As far back as September, security researchers discovered a "critical" bug in many HTC Android handsets that exposed users' WiFi credentials to any hacker who cared to look. The flaw affected recent devices like the Thunderbolt and EVO 4G all the way back to the Desire HD. The researchers promptly notified HTC, but the manufacturer waited a full five months before acknowledging the flaw publicly a few days ago. Sounds shady, perhaps, but HTC sent us a statement clarifying that this is standard policy to protect customers. It says it waited to develop a fix before it alerted the big bad world to the vulnerability. Most newer devices have already received their fix OTA, but owners of some older phones -- we'll update this post when we know exactly which ones -- will need to check the HTC Support site for a manual update next week. Meanwhile, in the manufacturer's defense, the guys at the Open1X group who discovered the bug say that HTC was "very responsive and good to work with." Here's HTC's statement to us:

"HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public."

Update: We changed our original headline to make it clearer that HTC deliberately kept quiet to protect its customers. We're certainly not accusing HTC of any wrong-doing here.

HTC acknowledges long-running WiFi security flaw, says it kept it quiet to prevent exploits originally appeared on Engadget on Fri, 03 Feb 2012 05:13:00 EDT.

TheNextWeb | Source: My War with Entropy, HTC Support


Super Bowl Bust: Feds Grab 307 NFL Websites; $4.8M



coondoggie writes "Speaking at a National Football League press conference ahead of this weekend's Super Bowl, the U.S. Immigration and Customs Enforcement agency said special agents this week seized a total of 307 websites and snatched up 42,692 items of phony Super Bowl-related memorabilia along with other counterfeit items for a total take of more than $4.8 million – up from $3.72 million last year."

Read more of this story at Slashdot.


VeriSign revealed to have suffered repeated security breaches in 2010


It took some digging through more than 2,000 pages of SEC documents, but Reuters revealed today that VeriSign was attacked "repeatedly" by hackers in 2010, and that some undisclosed information was stolen from the company. The key danger there is the DNS records that the company manages -- which ensure that URLs take you to the correct website -- but VeriSign says that its executives "do not believe these attacks breached the servers that support our Domain Name System network." As Reuters notes, however, the company isn't ruling anything out. Details on the attacks themselves (or the exact number and timing of them) are otherwise hard to come by, but it's reported that VeriSign's security staff did not notify top management until September of 2011 -- although they are said to have "responded" to the attacks themselves.

VeriSign revealed to have suffered repeated security breaches in 2010 originally appeared on Engadget on Thu, 02 Feb 2012 16:16:00 EDT.

Source: Reuters


Google’s ‘Bouncer’ service scans the Android Market for malware, will judge you at the door


Google has had its fair share of malware-related problems in the Android Market, but that's hopefully about to change, now that the company has announced a new security-enhancing service. Codenamed "Bouncer," Mountain View's new program sounds pretty simple, in principle: it just automatically scans the Market for malware, without altering the Android user experience, or requiring devs to run through an app approval process. According to Hiroshi Lockheimer, Android's VP of Engineering, Bouncer does this by scanning recently uploaded apps for spyware, trojans or any other lethal components, while looking out for any suspicious behavior that may raise a red flag. The service also runs a simulation of each app using Google's cloud-based infrastructure, and regularly checks up on developer accounts to keep repeat offenders out of the Android Market. Existing apps, it's worth noting, will be subject to the same treatment as their more freshly uploaded counterparts. Lockheimer went on to point out that malware is on the decline in the Market, citing a 40 percent drop between the first and second halves of 2011, and explained some of Android's fundamental security features, including its sandboxing and permission-based systems. Head for the source link below to read the post in full.

Google's 'Bouncer' service scans the Android Market for malware, will judge you at the door originally appeared on Engadget on Thu, 02 Feb 2012 15:30:00 EDT.

Source: Google Mobile Blog


Passware claims FileVault 2 can be cracked in under an hour, sells you the software to prove it


Lunch hours may never feel safe again. That is, if you have a Mac running Lion / FileVault 2, like leaving your computer around, or have unscrupulous colleagues. Data recovery firm Passware claims its "Forensic" edition software can decrypt files protected by FileVault 2 in just 40 minutes -- whether it's "letmein" or "H4x0rl8t0rK1tt3h" you chose to stand in its way. Using live-memory analysis over FireWire, the encryption key can be accessed from FileVault's partition, gifting the pilferer privy access to keychain files and login data -- and therefore pretty much everything else. If you want to try this out for yourself, conveniently, Passware will sell you the software ($995 for a single user license) without so much as a flash of a badge.

Passware claims FileVault 2 can be cracked in under an hour, sells you the software to prove it originally appeared on Engadget on Thu, 02 Feb 2012 13:39:00 EDT.

9to5Mac | Source: Passware (PDF)


Verisign Admits Company Was Hacked In 2010, Not Sure What Was Stolen



mask.of.sanity writes "Verisign admitted it was hacked repeatedly last year and cannot pin down what data was stolen. It says it doesn't believe the Domain Name System servers were hacked but it cannot rule it out. Symantec, which bought its certificate business in 2010, says also that there was no evidence that system was affected. Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011, despite moving to address the hacks."

Read more of this story at Slashdot.


The Hi-Tech Security at the Super Bowl



Hugh Pickens writes "As millions of fans sit glued to their sets next Sunday, one part of the game they will not see is the massive deployment of federal and local law enforcement resources to achieve what is being called the most technologically secure Super Bowl in history, an event that has been officially designated as a National Security Special Event (PDF). At the top of the list are gamma-ray cargo and vehicle scanners that can reportedly see through six inches of steel to reveal the contents of large vehicles. 'We can detect people, handguns and rifles,' says Customs and Border Protection Officer Brian Bell. 'You'd be a fool to bring something into that stadium that you shouldn't. We're going to catch it. Our goal is to look at every vehicle that makes a delivery inside the stadium and inside the secure perimeter.' Next is the 51-foot Featherlite mobile command center for disaster response that will support the newly constructed $18 million Regional Operations Center (ROC) for the Marion County Department of Homeland Security that will serve as a fusion center for coordinating the various federal agencies involved in providing security for the Super Bowl. One interesting security measure is the 'Swiveloc' explosion-proof manhole covers (video) that Indianapolis has spent $150,000 installing that are locked down during the Super Bowl. In case of an underground explosion, the covers lift a couple of inches off the ground — enough to vent gas out without feeding in oxygen to make an explosion bigger — before falling back into place. Finally, the Department of Homeland Security and the FBI have installed a network of cameras that will be just a click away for government officials. 'If you had the right (Internet) address, you could set up a laptop anywhere and you could watch the camera from there,' says Brigadier General Stewart Goodwin."

Read more of this story at Slashdot.


BlackBerry 7 devices get American, Canadian Government approval


The Governments of the USA and Canada have announced that BlackBerry 7 (and 7.1) smartphones are suitable for official use. The units have been granted FIPS 140-2 certification, demonstrating a suitable level of cryptographic security to protect sensitive information. Gear that hasn't been FIPS-certified can't be purchased by Government agencies, so RIM can expect to see a substantial order of its Bold 9900 / 9930 / 9790, Torch 9850 / 9860 / 9810 and Curve 9350 / 9370 / 9380 phones, as President Obama looks to swell the number of people legally allowed to BBM-him. After the break we've got a missive from Waterloo expressing how proud it is now it's been Government-sanctioned.


BlackBerry 7 devices get American, Canadian Government approval originally appeared on Engadget on Wed, 01 Feb 2012 14:41:00 EDT.

Mobilesyrup | Source: RIM


DHS Sends Tourists Home Over Twitter Jokes



itwbennett writes "In a classic case of 'we say destroy, you say party hard,' the U.S. Dept. of Homeland Security detained a pair of British twenty-somethings for 12 hours and then sent them packing back to the land of the cheeky retort. At issue is a Tweet sent by Leigh Van Bryan about plans to 'destroy America,' starting with LA, which, really, isn't that bad an idea."

Read more of this story at Slashdot.
