Dropbox Says They Haven’t Been Hacked

According to reports, hundreds of Dropbox usernames and passwords were leaked online as a preview to a larger alleged leak of 7 million accounts.

As The Next Web reports, a thread appeared on reddit pointing to files with the leaked account details, saying, “Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts. To see plenty more, just search on [redacted] for the term Dropbox hack. More to come, keep showing your support.”

According to Dropbox, it hasn’t been hacked, and any such account details have been obtained from third-party services. The company addressed the situation on its blog, saying that it wasn’t hacked:

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.

In an update to the post, it added:

A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.

Long story short, it’s probably a good time to reset your passwords across the various online services you use, and to make them all different this time.

The post Dropbox Says They Haven’t Been Hacked appeared first on SecurityProNews.

Read more here:: Security Pro News

‘Shellshock’ Bug Scaring Experts as Much as Bash Heartbleed

It feels like major security vulnerabilities are more common than ever, and there’s a big one freaking out the blogosphere being referred to as “shellshock”. It was discovered by a Red Hat security team in the Bash shell.

Security expert Robert Graham at Errata Security has been blogging about the bug saying that it is “as big as Heartbleed,” and also that it’s twenty years old. He says it’s as big a deal as Heartbleed because it interacts with other software in unexpected ways, and that unknown systems remain unpatched. He writes:

We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.

I’d suggest keeping up with his blog for analysis on the issue, as it appears to be the go-to spot at this point.

Here’s an “everything you need to know about it” post from Troy Hunt, which you should probably also check out if this concerns you.



Study Suggests a Large Majority of Mobile Apps Fail Basic Security Tests

In general, we shouldn’t consider mobile apps particularly secure for the foreseeable future. That is, if Gartner is correct in its latest analysis.

The firm said this week that over 75% of mobile apps will fail basic security tests through 2015. This is not particularly comforting for businesses.

Gartner notes that enterprise employees download from app stores, and use mobile apps that can access enterprise assets or perform business functions, and that the apps have “little to no security assurances”.

“Enterprises that embrace mobile computing and bring your own device (BYOD) strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance,” said Dionisio Zumerle, principal research analyst at Gartner. “Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security.”

“Today, more than 90 percent of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied,” said Zumerle. “App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors.”

Gartner looks even further into the future, and says that by 2017, the focus of endpoint breaches will shift to tablets and smartphones. Through that year, it predicts, over 75% of mobile security breaches will be the result of mobile app misconfigurations as opposed to “deeply technical” attacks.


Gmail Promises Security Precautions Regarding Non-Latin Character Support

Last week, Google announced that it started recognizing non-Latin characters in email addresses, opening up the ability for users to send and receive emails in more languages. By doing this, however, it was potentially opening the door to more spam slipping through the cracks, courtesy of bad actors using sneaky look-alike character combinations.

Google isn’t letting this happen though. The company announced in a blog post that they have taken measures to prevent this type of thing. Mark Risher of the Spam & Abuse Team writes:

Scammers can exploit the fact that ဝ, ૦, and ο look nearly identical to the letter o, and by mixing and matching them, they can hoodwink unsuspecting victims. Can you imagine the risk of clicking “ShဝppingSite” vs. “ShoppingSite” or “MyBank” vs. “MyBɑnk”?

To stay one step ahead of spammers, the Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting email with such combinations. We’re using an open standard—the Unicode Consortium’s “Highly Restricted” designation—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.

These changes began rolling out on Tuesday. Google says it hopes others in the industry will “follow suit”.
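The “Highly Restricted” designation that Risher refers to is one of the restriction levels defined in Unicode Technical Standard #39: a label is accepted if all of its characters come from a single script, or from a small set of permitted mixes (Latin combined with Han plus Hiragana/Katakana, Bopomofo, or Hangul). The script below is an added example written for this page, not Google’s or the Unicode Consortium’s code. It approximates the per-character script from the Unicode character name, since Python’s `unicodedata` module exposes no Script property, and applies the check to each part of an address separately. Note what it does and does not catch: the Myanmar, Gujarati and Greek look-alikes for “o” from the quoted post are rejected as mixed-script labels, but “MyBɑnk” uses a Latin-script alpha and passes, because same-script confusables are a separate part of UTS #39 (the confusable tables) that this example does not implement.

```python
import unicodedata

# Script combinations that the UTS #39 "Highly Restricted" level permits to be
# mixed with Latin. This allowed-set is a simplification written for this
# example; the standard itself also reasons about Common/Inherited characters
# and the list of recommended scripts.
ALLOWED_MIXES = (
    frozenset({"LATIN", "CJK", "HIRAGANA", "KATAKANA"}),
    frozenset({"LATIN", "CJK", "BOPOMOFO"}),
    frozenset({"LATIN", "CJK", "HANGUL"}),
)


def script_of(ch):
    """Approximate a character's Unicode script from its character name.

    Python's unicodedata has no Script property, so the first word of the
    name (LATIN, GREEK, MYANMAR, GUJARATI, CJK, ...) stands in for it. This
    is an assumption of the example, not how Gmail classifies characters.
    Returns None for characters treated as Common (ASCII digits, punctuation,
    combining marks), which never count as a script of their own.
    """
    if not ch.isalnum():
        return None
    name = unicodedata.name(ch, "")
    if not name:
        return "UNASSIGNED"
    first = name.split()[0]
    return None if first == "DIGIT" else first   # "DIGIT ZERO" etc. are Common


def scripts_in(label):
    """Set of scripts used by the letters and non-ASCII digits in a label."""
    return {s for s in map(script_of, label) if s is not None}


def is_highly_restricted(label):
    """Simplified Highly Restricted check for one label.

    True if every character is from a single script, or the mix is one of
    the Latin + East Asian combinations the level permits.
    """
    scripts = scripts_in(label)
    if len(scripts) <= 1:
        return True
    return any(scripts <= allowed for allowed in ALLOWED_MIXES)


def check_address(address):
    """Apply the check to the local part and to every domain label separately.

    Returns (accepted, reason). Checking per label means 'user@東京.example'
    is fine, while a single label mixing Latin and Myanmar letters is rejected.
    """
    if address.count("@") != 1:
        return False, "address must contain exactly one '@'"
    local, domain = address.split("@")
    for label in [local] + domain.split("."):
        if not label:
            return False, "empty label"
        if not is_highly_restricted(label):
            return False, f"mixed scripts in {label!r}: {sorted(scripts_in(label))}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample addresses, built from the look-alikes quoted in the post.
    for addr in ["alice@ShoppingSite.example",
                 "alice@Sh\u101dppingSite.example",   # Myanmar letter WA for 'o'
                 "alice@Sh\u0ae6ppingSite.example",   # Gujarati digit zero for 'o'
                 "alice@Sh\u03bfppingSite.example",   # Greek omicron for 'o'
                 "alice@MyB\u0251nk.example",         # Latin small alpha for 'a': passes
                 "alice@\u6771\u4eacTokyo.example"]:  # Han + Latin: permitted mix
        print(addr, check_address(addr))
```

Running the block prints one line per constructed address; the three “o” look-alikes come back rejected with the offending label and its script set, while the pure-Latin and Han+Latin addresses are accepted.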


ClarityRay, An Ad Security Company Acquired By Yahoo

Yahoo has acquired ClarityRay, a company that in the past dealt with getting around ad blockers, but has since focused on ad security and fraud detection.

In a message on its homepage, ClarityRay says:

Our vision has always been making the eco-system safe, compliant and sustainable for consumers, publishers and advertisers. We helped the online advertising industry take a big step towards that direction by identifying, measuring, and solving many of its unseen hurdles inhibiting that. We brought traffic clarity to an amazing roster of clients, with our findings becoming an industry standard.

Joining Yahoo now will allow us to make use of that momentum and take the next steps (or rather, leaps) towards that vision, and we couldn’t be more excited. This once-in-a-lifetime opportunity enables the mass scaling of our technology, impact and ideas to the absolute forefront of our field, while working with an amazing team who shares our passion. We’re proud to call Yahoo ‘home’.

We would like to thank our customers, employees, partners and investors. You’ve made this voyage fulfilling, challenging, successful and fun.

TechCrunch shares this statement from Yahoo:

We’ve been working on building up security capabilities and making Yahoo a safer place for users and partners. Advertising is an essential part of our business here at Yahoo, and we’re committed to getting it right. ClarityRay is a company with deep expertise in ad-malware detection and prevention. The bottom line for Yahoo is that search is going to get better and safer for users, and advertising will become more reliable and profitable for partners.

Terms of the deal were not disclosed.


The Ins and Outs of Social Security Number Scams

It’s a bit of a dichotomy. We’ve been told many times to be careful about giving out our Social Security numbers, but it seems like we’re being asked for all or part of it in almost every business transaction. I once saw a video rental store — back when there were such things — requiring a customer’s SSN before allowing them to rent a video. One guy refused to give it. They told him to get lost.

But why is it such a big deal? Everyone knows that the answer is “identity theft,” but how?

Your Credit Identity

The most common thing you hear about is someone applying for a loan, only to learn that someone else has opened credit cards in their name and had a spending spree. All it takes to do that is your SSN, and maybe a pre-approved credit card offer in some junk mail you’ve thrown away. These problems are solvable, but not without some incredibly inconvenient process.

And this whole scam can get very easy. Some department stores will have you fill out a one or two page form for a credit card application. They key your SSN into the computer, and give you credit that can be used in the store right away. A thief can load up on clothing, tools, electronics, and leave you holding the bill.

Your Employment Identity

The most commonly heard form of this is when employers use stolen Social Security Numbers for undocumented workers. Why would this hurt you? At the end of the year, when you file your taxes, your information will not match what the IRS has on file for you. Suddenly, your tax refund is reduced, and there goes that car you were hoping to put a down payment on.

Your Political Identity

There is an unbelievable number of people who subscribe to the conspiracy theory that President Obama is using a stolen Connecticut Social Security Number. There have been three different variations on this, all of which have explanations. The notion has been long disproven, but that doesn’t stop it from spinning around the interwebs.


Security Improvements on Chrome for Windows

Google announced back in November that it would start requiring all Chrome extensions to be hosted in the Chrome Web Store for its Windows stable and beta channels (starting in January). Google announced today that it is now enforcing this.

Extensions can now only be installed if they’re hosted on the Chrome Web Store. Previously installed extensions may be automatically disabled, and will have to be re-installed once they are hosted on the Chrome Web Store.

“We’re constantly working to keep Chrome users safe as they browse, with built-in features like Safe Browsing, which blocks many types of malicious websites and downloads,” says Erik Kay, Engineering Director, in a post on the Chrome blog. “In the case that malicious software has managed to hijack your settings, we’ve added a ‘reset browser settings’ button, so you can get things back to normal. But since the bad guys continue to come up with new ways to cause our users headaches, we are always taking additional measures.”

“Malware can change how browsers work by silently installing extensions on your machine that do things like inject ads or track your browsing activity,” Kay adds. “If you notice strange ads, broken web pages or sluggish browsing after installing some new software or plugins, you could be affected.”

Hence the changes.

Google says it will continue to support local extension installs during development for developers as well as installs via Enterprise policy. More on that here.

Chrome users on the Windows developer channel and other operating systems are not affected by the changes.


Malware Attacks On Internet Explorer Increasing

Everyone has a favorite Internet browser. If yours happens to be Internet Explorer, you may want to switch to a different one.

Internet Explorer has numerous problems, but one of the worst is the current weakness in its security.

Hackers are taking advantage of this weakness and are creating new attacks that can put malware and viruses on your computer with just one accidental click of your mouse.

The hackers create websites that install the malware on your computer automatically. If you are using Internet Explorer and accidentally click on a wrong link that takes you to one of these websites, your computer could be infected in a matter of seconds.

Malware can slow your computer down, cause popups and use up your storage space. It can also be hard to identify and remove. In some cases, you might not notice the malware, which might not seem so bad until you realize the hackers have used it to steal your identity and access your email, social networks and other important websites.

“I’d say someone taking control of your computer is just the beginning of the worst case scenario,” said Adrian Sanabria, a security expert with 451research.com. “Because then they steal your info, get access to your email, etc.”

Some malware programs allow the hackers to access anything on your computer or Internet network. That means they can find your passwords, look up your credit card numbers and even operate your computer’s webcam to spy on you while you are using your computer or leave it on.

So what can you do to protect yourself from this type of malware?

According to the U.S. Department of Homeland Security, the best thing to do is stop using Internet Explorer completely, at least until the bug has been fixed. You can also disable your Adobe Flash plugin to prevent the malware from automatically downloading.

Microsoft is working to fix the problem but is not sure how long it could take.

What Internet browser do you use?
