A bug that Oracle recently patched broke the main functionality of Oracle Access Manager (OAM), which should only give authorized users access to protected enterprise data.
OAM provides an authentication function for web applications based on Oracle Fusion Middleware. It can be used to provide and block access to external mobile and cloud applications. However, researchers at Austrian security firm SEC-Consult found a flaw in OAM's cryptographic format that allowed them to create session tokens for any user, which the attacker could use to impersonate any legitimate user and access web apps that OAM should be protecting.
The Trump administration is considering executive action that would restrict some Chinese companies’ ability to sell telecommunications equipment in the U.S., based on national-security concerns, said several people familiar with the matter.
The move, if it happens, would represent a significant escalation of a growing feud between the U.S. and China over tech and telecommunications. The affected firms likely would include Huawei Technologies Co. and ZTE Corp., two of the world’s leading telecommunications equipment makers. They have found themselves increasingly in an international crossfire.
The National Security Agency collected 534 million records of phone calls and text messages of Americans last year, more than triple the number gathered in 2016.
The sharp increase from 151 million occurred during the second full year of a new surveillance system established at the spy agency after U.S. lawmakers passed a law in 2015 that sought to limit its ability to collect such records in bulk. The spike in collection of call records coincided with an increase reported on Friday across other surveillance methods, raising questions from some privacy advocates who are concerned about potential government overreach and intrusion into the lives of U.S. citizens.
Russia's Fancy Bear APT group is likely behind the malicious command-and-control domains found in LoJack agents, according to the Arbor Security Engineering & Response Team.
LoJack, a popular laptop recovery solution, “makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution,” researchers said, noting that while “the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads.” Because many antivirus programs don't flag the malware as a concern, it's largely able to do its dirty work without detection.
GitHub has said a bug exposed some user passwords -- in plaintext. The code repository site, with more than 27 million users as of last year, sent an email to affected users Tuesday.
"During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system," said the email, received by some users. The email said that a handful of GitHub staff could have seen those passwords -- and that it's "unlikely" that any GitHub staff accessed the site's internal logs. "We have corrected this, but you'll need to reset your password to regain access to your account," the email added.
Twitter Inc. sold data access to the Cambridge University academic who also obtained millions of Facebook Inc. users’ information that was later passed to a political consulting firm without the users’ consent.
Aleksandr Kogan, who created a personality quiz on Facebook to harvest information later used by Cambridge Analytica, established his own commercial enterprise, Global Science Research (GSR). That firm was granted access to large-scale public Twitter data, covering months of posts, for one day in 2015, according to Twitter. “In 2015, GSR did have one-time API access to a random sample of public tweets from a five-month period from December 2014 to April 2015,” Twitter said.
U.S. prosecutors in New York have been investigating whether Chinese tech company Huawei violated U.S. sanctions in relation to Iran, according to sources familiar with the situation.
Since at least 2016, U.S. authorities have been probing Huawei’s alleged shipping of U.S.-origin products to Iran and other countries in violation of U.S. export and sanctions laws, two of the sources said. News of the Justice Department probe follows a series of U.S. actions aimed at stopping or reducing access by Huawei and Chinese smartphone maker ZTE Corp to the U.S. economy amid allegations the companies could be using their technology to spy on Americans.
At midnight ET last night, MyEtherWallet users started noticing something odd. Connecting to the service, users were faced with an unsigned SSL certificate, a broken link in the site’s verification. It was unusual, but it’s the kind of thing web users routinely click through without thinking.
But anyone who clicked through this certificate warning was redirected to a server in Russia, which proceeded to empty the user’s wallet. Judging by wallet activity, the attackers appear to have taken at least $13,000 in Ethereum during the two hours before the attack was shut down. The attackers’ wallet already contains more than $17 million in Ethereum. MyEtherWallet confirmed the attack in a statement on Reddit.
Ten years ago, Amazon introduced the Kindle and established the appeal of reading on a digital device. Four years ago, Jeff Bezos and company rolled out the Echo, prompting millions of people to start talking to a computer.
Now Amazon.com Inc. is working on another big bet: robots for the home. The retail and cloud computing giant has embarked on an ambitious, top-secret plan to build a domestic robot, according to people familiar with the plans. Codenamed “Vesta,” after the Roman goddess of the hearth, home and family, the project is overseen by Gregg Zehr, who runs Amazon’s Lab126 hardware research and development division based in California.
Yet another hacker crew has been battering the healthcare industry in recent months.
But rather than just aiming for the PCs, it's also gotten footholds on the computers controlling X-ray, MRI and other medical machines, according to a report from Symantec on Thursday. The hacker group, dubbed Orangeworm, is mainly targeting American healthcare organizations, though there are a number of victims worldwide, including in Asia and Europe. But rather than do anything destructive, Orangeworm is likely using its access to those medical devices to learn more about them as part of an ongoing corporate espionage operation, Symantec said.