Security News
A US Senate panel Thursday approved legislation aimed at combatting online child exploitation as civil liberties activists warned the measure could lead to an array of constitutional and privacy problems. The Judiciary Committee voted to approve a revised version of the Earn It Act which would eliminate "blanket liability protection" for online platforms which fail to protect against child sexual abuse material.
A report from Comparitech has looked into cyberattacks on educational institutions in the United States, finding that there have been more than 1,300 breaches since 2005 and more than 24 million records lost. California remains a hotspot, according to the report, "Yet Arizona becomes one of the worst-hit states with only slightly fewer people affected in its breaches than California. West Virginia and Georgia also display high numbers of records affected in contrast to the number of breaches with 1.3 million and 1.6 million records impacted, respectively. Other states with high numbers of records exposed or stolen in breaches include Ohio, Massachusetts, and Florida."
China on Wednesday demanded Washington stop "oppressing Chinese companies" after U.S. regulators declared telecom equipment suppliers Huawei and ZTE to be national security threats. "We once again urge the United States to stop abusing the concept of national security, deliberately discrediting China and unreasonably oppressing Chinese companies," said the spokesman, Zhao Lijian.
Palo Alto Networks revealed on Monday that it has patched a critical authentication bypass vulnerability in its PAN-OS firewall operating system, and U.S. Cyber Command believes foreign APTs will likely attempt to exploit it soon. "When Security Assertion Markup Language authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled, improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability," Palo Alto Networks explained in an advisory.
South Wales Police and the UK Home Office "fundamentally disagree" that automated facial recognition software is as intrusive as collecting fingerprints or DNA, a barrister for the force told the Court of Appeal yesterday. Jason Beer QC, representing the South Wales Police, also blamed the Information Commissioner's Office for "dragging" the court into the topic of whether the police force's use of the creepy cameras complied with the Data Protection Act.
John Mauger of U.S. Cyber Command came a day after Defense Department officials briefed reporters on virtual war games that digital combatants from U.S. and allied militaries have been holding to sharpen their abilities to counter online threats with real-world impact. On Wednesday, Cybercom offered reporters a window into what it described as its largest virtual training exercise to date - in this case, a simulated attack on an airfield's control systems and fuel depots.
Prosecutors in the US have upgraded their case against Julian Assange with a second superseding indictment claiming he sought out the services of a notorious hacker who, unbeknownst to the WikiLeaks boss, was secretly working with the Feds. The latest filing does not add any charges, though it includes evidence of Assange asking hackers to steal sensitive and scandalous dirt from government systems for WikiLeaks to disseminate.
WikiLeaks founder Julian Assange sought to recruit hackers at conferences in Europe and Asia who could provide his anti-secrecy website with classified information, and conspired with members of hacking organizations, according to a new Justice Department indictment announced Wednesday. Beyond recruiting hackers at conferences, the indictment accuses Assange of conspiring with members of hacking groups known as LulzSec and Anonymous.
A trio of Republican senators on Tuesday proposed legislation that requires service providers and device makers in America to help the Feds bypass encryption when presented with a court-issued warrant. The bill is dubbed the Lawful Access to Encrypted Data Act, which uncharacteristically cannot be condensed into a pandering acronym.
The Maze ransomware gang has threatened to publish information stolen from an American firm that overhauls airliners and installs flight control software upgrades - because its victim refused to pay a demanded ransom. In a "press release" published on its leaks website, Maze raged against victims who refused to play its game and cough up vast sums of money to decrypt their illicitly encrypted data.