News

Apple: Don’t panic, but your Mac can be pwned via GarageBand...

macOS gets patch for critical flaw in music app Apple says a newly patched hole in its GarageBand music tool could allow for remote code execution on the Mac.…

Hacker exposed bank loophole to buy luxury cars and a face...

♪ I'm gonna wait... til the midnight hour, when there's no one else around A UK hacker who stole £100,000 from his bank after spotting a loophole in its systems has been jailed for 16 months.…

2016: Bad USB sticks, evil webpages, booby-trapped font files still menace...

So update your software – now!

Patch Tuesday Microsoft has published the March edition of its monthly security updates, addressing security flaws in Internet Explorer, Edge and Windows, while Adobe has issued updates for Digital Editions, Acrobat and Reader. Microsoft posted 13 bulletins this month:

MS16-023 A cumulative update for Internet Explorer addressing 13 CVE-listed vulnerabilities, including remote code execution flaws. Visiting a booby-trapped webpage using IE can trigger the execution of malicious code and malware on the system.

MS16-024 A cumulative update for Microsoft Edge that addresses 10 CVE-listed memory corruption vulnerabilities and one information disclosure flaw.

MS16-025 An update for a single remote code execution vulnerability in Windows. This flaw only affects Windows Vista, Server 2008 and Server Core. "A remote code execution vulnerability exists when Microsoft Windows fails to properly validate input before loading certain libraries," says Redmond. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS16-026 Two CVE-listed vulnerabilities in Windows, one causing denial of service and another allowing remote code execution. If an attacker convinces "a user to open a specially crafted document, or to visit a webpage that contains specially crafted embedded OpenType fonts," then malicious code will execute on their system.

MS16-027 Two CVE-listed vulnerabilities in Windows Media Parsing, both potentially allowing remote code execution. Visiting a webpage with a booby-trapped video embedded in it can exploit the bug to hijack the PC.

MS16-028 Two flaws in the Windows PDF Library that allow for remote code execution if you open a maliciously crafted document.

MS16-029 An update for Office addressing two memory corruption flaws and one security feature bypass vulnerability. Opening a document laced with bad code will trigger the bugs.

MS16-030 An update for two remote code execution vulnerabilities in Windows OLE. "An attacker must convince a user to open either a specially crafted file or a program from either a webpage or an email message," noted Microsoft. After that, code execution is possible.

MS16-031 An elevation of privilege vulnerability in Windows: applications can abuse handles in memory to gain administrator-level access.

MS16-032 An elevation of privilege vulnerability in the Windows Secondary Logon Service: again, applications can abuse handles in memory to gain administrator-level access.

MS16-033 An update to address a flaw in the Windows USB Mass Storage Class Driver that could allow attackers to gain elevation of privilege with a specially crafted USB drive.

MS16-034 A collection of four elevation of privilege flaws in the Windows Kernel-Mode Drivers: applications can exploit these to execute malicious code at the kernel level.

MS16-035 A fix for one security feature bypass flaw in the .NET Framework.

Adobe, meanwhile, has issued two updates for its products: Digital Editions for Windows, OS X, iOS and Android has been updated to patch a remote code execution vulnerability. Acrobat and Reader for Windows and OS X have been updated to address three CVE-listed remote code execution flaws. Users should also expect an update for unspecified vulnerabilities in Flash Player "in the coming days."

Certus Appoints Richard Summerfield As Non-Executive Director

Press Release Oracle Platinum Partner Certus Solutions [www.certus-solutions.com] has appointed Richard Summerfield as a Non-Executive Director. Richard is currently the Group HR Director at global telecoms provider JT [Jersey Telecom], an Oracle HCM customer of Certus-Solutions since 2015. JT is also currently using Certus-Solutions' 'engage® Business Support Services'. Richard has over 20 years of corporate HR leadership experience, the last six as a member of JT's management board. Previously, he has worked at Ogier, Standard Bank, Zurich and Barclays. He was also a guest speaker at Oracle OpenWorld 2015, where he gave a customer view of the implementation of cloud HR products through Certus-Solutions.

In his Non-Executive capacity, he will be ensuring that the company's strategic business plans are robust, giving independent advice on senior recruitment and remuneration, and providing the personal 'insight' of an HR Cloud implementation customer.

Commenting on his appointment, Tim Warner, Chairman (designate) and Chief Operating Officer of Certus Solutions, says: "Richard brings with him both huge professional experience along with the unique insight of an Oracle HCM Cloud user. We like to think that the relationship we have built with him and his HR team over the last 18 months, and the quality of the Oracle HCM implementation, were key factors in him taking this new role. Adding Richard to the Board is a key step in defining the next chapter of our growth plans, where having stronger governance, independent advice and healthy challenge to the senior managers is crucial to our future success."

Building on Tim's words, Richard commented: "Certus-Solutions has grown rapidly through its ability to deliver leading edge Cloud solutions to major public and private sector clients alike, myself included. To protect and nurture future growth, there is a requirement for greater investment in governance, best practice, and independent oversight. I am delighted to join the Board at such an exciting time to help Certus realise its big ambitions to be a disruptor in the Oracle Cloud technology sector on a global basis."

About Certus Solutions

Certus Solutions is an Oracle® Platinum Partner and Oracle Education Partner, and a leading provider of implementation and business support services for Oracle Cloud based software for ERP, HCM and Payroll.

For more information regarding this press release and Certus Central Government activities please contact Mark Sweeny, Chief Executive Officer at Certus Solutions at mark.sweeny@certus-solutions.com +44 (0) 1483 610 220.

Speaking in Tech: Comparing Apples to BlackBerrys and Cooks to Chens

Plus: Did you have a phreaky past? Let's talk SS7

Podcast Hosted by Greg Knieriemen, Ed Saipetch and Sarah Vela.

This week, Greg is out while Ed and Sarah talk about Theranos, BlackBerry, phone hacking and hand dryers. Our special guest this week is Irfan Ahmad, CTO and co-founder of CloudPhysics – and an alumnus of both Transmeta (kind of an ARM before ARM) and an early-stage VMware.

The details
(1:00) Sarah takes the lead
(2:12) No head on a stick
(8:07) OpenStack around the corner
(9:35) Theranos investigation
(13:14) Apples & BlackBerry
(16:33) Congressional phone hacking
(22:30) Germ-laden hand dryers
(25:42) FLASHBACK: Sharp's first handheld calculator (1971)
(26:42) Solving for X
(27:39) Introducing Irfan Ahmad, CTO and co-founder of CloudPhysics
(28:00) Looking back at Transmeta and VMware
(34:42) Pace of open source innovation
(38:20) Digging into CloudPhysics – IT operations and analytics
(42:35) CloudPhysics' managing cloud costs

Feed URL for other podcast tools – Juice, Zune, et cetera: http://nekkidtech.libsyn.com/rss

Diver has close encounter with killer whales, catches it on film

A diver in New Zealand got the chance to swim with a pod of orcas. Video screenshot by Danny Gallagher/CNET. Deep-sea diving must be one of the most exhilarating experiences you can have outdoors, but it also seems like a huge hassle. ...

Report: Backdoor access in the Blu R1 HD and other phones...

Some Blu smartphone owners got a hidden feature they weren’t quite expecting. It turned out software from a Chinese company was transmitting all of their text messages and other data to China every 72 hours.

The vulnerability was discovered by Kryptowire, an American enterprise security firm. According to a New York Times report, it wasn't clear if the information went beyond the recipient, Shanghai Adups Technology Company, but it impacted the Blu R1 HD and other phones. On its website, Adups says it builds firmware that runs on more than 700 million phones. Kryptowire concluded that the data sharing included the full contents of text messages, call logs, contact lists, location information, and other data.

There was other identifiable information, like each phone's International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI). Blu Products told the Times that 120,000 of its phones were affected, but the leak was plugged through a software update.

Blu is known primarily for low-cost phones, such as the Blu R1 HD, which recently was part of a special offered by Amazon for $50. Adups provides software for ZTE and Huawei, although it’s unclear if the scope of the data-mining effort extends to other products as well.

According to the report, Adups assured Blu that all customer information had been destroyed and was not part of any intentional effort to keep the data or send it to a government agency. The purpose of saving the information, according to Adups, was to identify client junk text messages and calls. Kryptowire shared its findings with the U.S. government, Blu, and Google. You can check out the full report for details about what it uncovered.

Why this matters: The episode illustrates that data can often pass through many different companies as part of the process of creating a smartphone. While any crisis may have been averted here, it may give you pause about where you buy your next smartphone and which companies have hands in creating all of the software.

This story, "Report: Backdoor access in the Blu R1 HD and other phones sent data to China" was originally published by Greenbot.

Facebook under fire over secret experiment on users

Facebook has come under fire for conducting a psychology experiment on 689,000 users without their consent. Cornell University and the University of California were involved in the experiment, conducted over one week in 2012, in which Facebook filtered users' newsfeeds to study the effects on users' emotions. One test reduced users' exposure to their friends' "positive emotional content", resulting in fewer positive posts of their own. Another test reduced exposure to "negative emotional content", resulting in fewer negative posts by those selected for the test.

The study concluded: "Emotions expressed by friends, via online social networks, influence our own moods, constituting, to our knowledge, the first experimental evidence for massive-scale emotional contagion via social networks."

Facebook has defended the experiment by saying there was "no unnecessary collection of people's data" and that "none of the data used was associated with a specific person's Facebook account." But publication of the study report has unleashed criticism mainly of the way the research was conducted and raised concerns over the impact such studies could have, reports the BBC. The study has also raised fears that the process could be used for political purposes or to boost social media advertising revenues.

Labour MP Jim Sheridan, a member of the Commons media select committee, has called for a parliamentary investigation into how Facebook and other social networks manipulate emotional and psychological responses of users by editing information supplied to them. "This is extraordinarily powerful stuff and if there is not already legislation on this, then there should be to protect people," he told the Guardian. "They are manipulating material from people's personal lives and I am worried about the ability of Facebook and others to manipulate people's thoughts in politics or other areas. If people are being thought-controlled in this kind of way there needs to be protection and they at least need to know about it," said Sheridan.

According to Facebook data scientist Adam Kramer, who co-authored the report on the research, the social networking firm felt that it was important to investigate concerns that seeing friends post positive content leads to people feeling negative or left out. Facebook was also concerned that exposure to friends' negativity might lead people to avoid visiting the site, but Kramer admitted that the firm did not "clearly state our motivations in the paper". "I can understand why some people have concerns about it, and my co-authors and I are very sorry for the way the paper described the research and any anxiety it caused," he said in a statement.

The study said altering the news feeds was "consistent with Facebook's data use policy, to which all users agree prior to creating an account on Facebook, constituting informed consent for this research".

While it is not new for internet firms to use algorithms to select content to show to users, social media commentator Jacob Silverman said it is disturbing that Facebook essentially manipulated the sentiments of hundreds of thousands of users without asking permission. "Facebook cares most about two things: engagement and advertising. If Facebook, say, decides that filtering out negative posts helps keep people happy and clicking, there's little reason to think that they won't do just that," he told Wired magazine. "As long as the platform remains such an important gatekeeper – and their algorithms utterly opaque – we should be wary about the amount of power and trust we delegate to it," said Silverman.

California governor sends Ben Carson a thumbdrive with climate change report

"Please use your considerable intelligence to review this material."

Top priorities for Nordic CIOs in 2016

The new year is a time for reflection and resolutions. For businesses, this means setting priorities and goals for the 12 months ahead. Computer Weekly asked a selection of analysts and CIOs to share their views on the top priorities for Nordic CIOs in 2016. From digitisation to security, there are a variety of topics that will keep IT leaders busy.

Research outfit IDC predicts that more and more companies will embrace digital transformation in 2016, making increasing use of digital technology to reinvent their business and improve operations – and the Nordics are no exception. Leena Mäntysaari, principal research analyst at Gartner Finland, says digitisation and digital business have become not only a top priority for CIOs, but a theme that affects all areas of IT. "The pressure from the business side to digitise and create digital products and services is reflected in practically all ICT priorities," said Mäntysaari. "Analytics, ERP, mobility, cloud services and others are all needed in digitisation."

The reason for the rise of digital business transformation both in the Nordics and elsewhere is fairly simple: companies want to stay competitive and serve their customers better. "Many companies experience competition from new digital native companies or see the potential to differentiate or grow their business by leveraging digital technologies to reinvent their business model," said Anders Elbak, research manager at IDC Nordics. "Supporting the business in this transformation is a key challenge for most CIOs – some actively driving the transformation, others 'just' supporting it."

Need for modern IT

The importance of modernising IT, whether by individual updates or transformation of legacy systems, was mentioned by most of the experts Computer Weekly contacted. Among the reasons given to renovate IT infrastructure and application portfolios were the need to be more agile and deliver IT more quickly and flexibly. "Increasing digital demand and customer expectations call for layered IT architecture based on modern platforms with strong APIs, modularity, second-to-none interoperability, and cost-effective scaling," said Janne Aalto, CIO at Finnish telecoms company DNA.

However, where Nordic CIOs' priorities differ notably from their international counterparts is in IT systems development, with Nordic CIOs emphasising the importance of enterprise resource planning (ERP) solutions. "This applies both to Finland and other Nordic countries, but I have noticed CIOs put ERP development very high [in their priorities]," said Mäntysaari. "They see that the core needs to be renovated to be ready for digitisation and digital business, and ERP is that core." This view is echoed by Stig-Göran Flemström, acting CIO of Systembolaget, which has a monopoly on alcohol sales in Sweden, and fellow Swede Elisabeth Stjernstoft, CIO of Apoteket pharmacies, who both put ERP upgrades among their top priorities for 2016.

Looking at further regional differences, IDC's Elbak notes that Nordic CIOs are relatively more focused on growth than those in most central and southern European countries. The Nordics also tend to be more focused on business alignment – the use of IT to achieve business objectives – rather than operational efficiency, such as reducing the cost of IT operations.

Data-related questions will also keep many Nordic CIOs busy in 2016. Data management has become a priority to ensure the right information is available to meet a company's needs. "CIOs focus on how to leverage existing or new data to allow management to make faster, more informed decisions," said Elbak. "Also, security issues and storage capacity challenges compel CIOs to consider data classification systems, deduplication tools, and so on." These challenges become more critical as data is used in ever more varied ways. DNA's Aalto points out that data management solutions have been designed mainly from the perspective of reporting and business intelligence, but today's need is to support online business and omnichannel experience with real-time analytics.

The role of analytics – another CIO priority – is changing rapidly in Nordic companies, said Mäntysaari. An increasing number of smaller firms are following the lead of large corporations by investing in analytics to derive business benefits. Also, the use of analytics has begun to spread across entire organisations. "The significance of analytics lies in how it can be used to take existing data and transform it into real business value," said Mäntysaari. "New ways to use analytics are being invented all the time – but its further refinement is still in its early stages."

Bringing business and IT closer together

Greater co-operation between IT and the business is not a new topic, but with IT becoming increasingly embedded in business development, it is more important than ever. Mikko Vastela, CIO at Nordic insurance company LähiTapiola, said: "Agile development methods, such as a daily scrum, make it easier for those responsible for business to participate [in development projects], but investment is also needed in better dialogue between business and ICT. Significant pressure for this comes from the need for fast development cycles and releases through pilots and beta users. ICT needs good observational skills to ensure that what business sees as a minimum viable product also works from a technical and security point of view."

Fred Johnsen, senior management consultant at PA Consulting, believes the importance of greater co-operation between IT and the business stems from customers becoming the single biggest driver of companies' digitisation. "CIOs' relationships with other departments, marketing in particular, should be a priority as these employees are often the most experienced in digital promotion and responding to customer needs," said Johnsen. Nordic CIOs also list the alignment of IT with business as a priority to support and improve business processes.

Security still a challenge

Finally, security and privacy issues remain key challenges for CIOs in 2016. With cyber attacks growing in the Nordic region, as in the rest of the world, security plays a vital role in all IT priorities, from digitisation to analytics. "Cyber attacks are becoming ever more advanced and the use of cloud and mobile solutions only emphasises the challenges," said IDC's Elbak. "Recent developments around legislation [such as the EU and Safe Harbour] add to the complexity. However, most security solutions have a negative impact on productivity and/or usability, so for all security measures, the risk must be weighed against the value."

First Star Trek: Discovery trailer goes where many Treks have gone...

Oft-delayed series comes to CBS All Access this fall.

Hyde selects 1st Touch Mobile to deliver mobile working solutions

The Hyde Group, one of London's leading social housing providers, has chosen the enterprise mobile workforce software solution from 1st Touch (www.1sttouch.com) to help deliver mobile working solutions to staff. This forms part of a wider investment by...