[web applications] – Mulesoft ESB Runtime 3.5.1 Privilege Escalation / Code Execution Vulnerabilities
Wyden spoke with WIRED about the difficulties of keeping mum on classified matters, about his public showdown with intelligence chief James Clapper over the NSA's data collection on Americans, and about the government's use of zero-day exploits.
The post Pro-Privacy Senator Wyden on Fighting the NSA From Inside the System appeared first on WIRED.
Office supply retailer Staples is investigating a possible breach of its systems following reports from the banking industry of fraudulent credit and debit card transactions at stores in the northeastern United States.
On Tuesday, the company acknowledged that a breach may have occurred and that it had contacted the appropriate law enforcement agencies. The retailer declined to provide further details.
“Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement,” a spokesperson said in a statement sent to Ars. “If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”
Last week, Ars reported on the story of Anonabox, an effort by a California developer to create an affordable privacy-protecting device based on the open source OpenWRT wireless router software and the Tor Project’s eponymous Internet traffic encryption and anonymization software. Anonabox was pulled from Kickstarter after accusations that the project misrepresented its product and failed to meet some basic security concerns—though its developers still plan to release their project for sale through their own website.
But Anonabox’s brief campaign on Kickstarter has demonstrated demand for a simple, inexpensive way to hide Internet traffic from prying eyes. And there are a number of other projects attempting to do what Anonabox promised. On Kickstarter competitor Indiegogo there’s a project called Invizbox that looks almost identical to Anonabox—except for the approach its team is taking to building and marketing the device.
Based on the Chinese-built WT 3020A—a small wireless router that appears identical to the box that was the basis for the Anonabox—the Invizbox will have similar specs to the cancelled Kickstarter: 64 megabytes of RAM, 16 megabytes of Flash storage, and the Linux-based OpenWRT embedded OS. The main difference, according to the Dublin, Ireland-based team behind Invizbox (Elizabeth Canavan, Paul Canavan, and Chris Monks) is that their Tor router will be locked down better—and they won’t pretend that they’re using custom-built hardware.
GreatFire.org, a group that monitors censorship by the Chinese government’s national firewall system (often referred to as the “Great Firewall”), reports that China is using the system as part of a man-in-the-middle (MITM) attack on users of Apple’s iCloud service within the country. The attacks come as Apple begins the official rollout of the iPhone 6 and 6 Plus on the Chinese mainland.
The attack, which pairs a fraudulent TLS certificate with falsified Domain Name System (DNS) answers that point the iCloud service's hostnames at servers under the attacker's control, is affecting users nationwide in China. The GreatFire.org team speculates that the attack is an effort to help the government circumvent the improved security features of the new phones by compromising users' iCloud credentials and allowing the government to gain access to cloud-stored content such as phone backups.
Chinese iCloud users attempting to log in with the Firefox and Chrome browsers would have been alerted to the fraudulent certificate, because those browsers refuse a certificate that does not chain to a trusted root. However, those using Mac OS X's built-in iCloud login or another browser may not have been aware of the rerouting, and their iCloud credentials would have been immediately compromised on submission. Having two-step verification enabled on the account would prevent a stolen password alone from being used to hijack it.