
Five bods wrongly cuffed thanks to bungled comms snooping in UK


UK cops and spook agencies wrongly fingered five people as criminals after seizing data about their communications, according to a new report.

The Interception of Communications Commissioner’s latest dossier [PDF] gave examples of intelligence data used to seize drugs and firearms, stop illegal waste dumping and in one instance catch a con artist – but it also revealed that cock-ups had been made.


In most cases, the officers or agents involved realised their mistake and took no action on the data. However, five people were either wrongly detained or accused of crimes following requests for data about their internet activity (curiously referred to as “Internet Protocol or node name resolutions” in the report). In another error, police were sent to an address where they wrongly believed a child had threatened to harm him or herself.

According to the report, last year cops and spooks sent 570,135 demands for information about folks’ texts, emails and other communications to telcos and ISPs. That collected data revealed who got the messages and calls, and where and when – the so-called metadata – rather than the content of said messages. But that information alone can be useful enough for savvy investigators trying to work out what was being discussed.

That number of requests also includes multiple demands made during the same investigation, so the number of people targeted “would be much smaller”, the report pointed out.

A total of 3,372 lawful intercept warrants were issued, up 16 per cent on 2011, to actually listen in on the calls or read the messages.

The power to snoop on citizens’ private communications is granted by the Regulation of Investigatory Powers Act (RIPA).

Former commissioner Sir Paul Kennedy, who served until the end of 2012, said that 55 breaches of the RIPA law were reported to his office, including seven errors where law enforcement agencies didn’t have the authority to seize texts, voicemails and emails. However, he added that none of the mistakes were “malicious or deliberate”.

“Each error involved some kind of human error or system related technical problem. In a large number of the 55 error cases, no intercept product was actually obtained and therefore there was no unjustified or unnecessary intrusion,” he said.

“In the smaller number of cases where intercept product was wrongly obtained, I have been assured that any such product has been destroyed.”

Nearly a thousand errors were made in communications metadata requests, with around 80 per cent being mistakes made by the authorities and another 20 per cent made by the communications service providers.

However, the snooping-on-the-snoopers commissioner said that comms data slurping was still a great way to catch would-be criminals and terrorists.

“Interception and communications data remain powerful techniques in the investigation of many kinds of crime and threats to national security,” Sir Paul, who was succeeded at the start of this year by Sir Anthony May, wrote in his report.

“Many of the largest drug-trafficking, excise evasion, people-trafficking, counter-terrorism and wider national security, and serious crime investigative successes of the recent past have in some way involved the use of interception and/or communications data.”

Most of the data requests were made by law agencies and spook centres, but 160 local councils across the UK made more than 2,500 of the requests for data to ID criminals for crimes such as dodging their taxes or selling fake goods.

The commission said that a number of measures had been put in place to stop mistakes happening again, including the sage advice to double check all details.

“I am satisfied with the measures put in place by these public authorities and communication service providers and hopefully this will prevent recurrence,” the knight of the realm declared. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/19/interception_communications_commissioner_report_2012/

Sexbomb pop minstrel Taylor Swift PORN FIB used to lure fanbois


Miscreants have brewed up a FBI-themed ransomware scam aimed at Apple users that relies on malicious JavaScript code rather than a conventional trojan.

The scam prompted a warning from the FBI-backed Internet Crime Complaint Centre on Thursday, and a denial that it was anything to do with the Feds. The ploy represents a further diversification for extortion-based malware, which has become a mainstay of the cybercrime economy over recent months and years.


Jerome Segura, a senior security researcher at Malwarebytes, came across the scam via a Bing Images search for Taylor Swift. This search led to a compromised site hosting an image mimicking police warnings.

The scam uses clever persistent JavaScript in its attempt to trick people into paying a supposed fine of $300 to “unlock their computers”. Prospective marks are falsely told this is a “release fee” to avoid further legal consequences after they were supposedly caught “viewing or distributing prohibited pornographic content”.

“Repeated attempts to close the page will only lead to frustration as even the ‘Leave Page’ browser trick does not work,” Segura explains in a blog post. “If you ‘force quit’ the application, the same ransomware page will come back the next time [you] restart Safari because of the ‘restore from crash’ feature which loads back the last URL visited before the browser was quit unexpectedly.”

Users trapped in this vicious circle can escape by resetting Safari, he adds. A little web savvy means there’s no need to give in to the extortionate – and bogus – threats of the scammers. However, the sophistication of the social engineering scam at play means that a few people, enough to make the scam worthwhile, are likely to be tricked into handing over money to fraudsters.

Although the scam most obviously takes advantage of the ‘restore from crash’ feature of Safari browsers on Mac machines, it might just as easily be slung against Windows users. The scam uses black hat search engine poisoning tactics to target users searching for popular search terms, which is how Segura came across it in the first place.

A Finnish software security firm adds that although Segura was directed to an FBI-themed webpage, any European surfer would be directed to a Europol-themed fake warning page.

After the ransomware scam was exposed earlier this week, the still-compromised webpages were re-purposed to push traffic towards a hookup site. Although this particular campaign has been nipped in the bud, the future appearance of similar scams along the same lines is all too likely.

“This scam is unfortunately all too efficient and is not going away anytime soon,” Segura warns. Malwarebytes has posted a video tutorial on YouTube about how to remove the FBI ransomware on Mac OS X machines.

Earlier this week we reported how cybercrooks had grafted ransomware onto a survey scam fraud. Victims’ PCs are locked up before slaves are pushed towards completing a survey in order to receive an unlock code.

The ransomware blocks Task Manager, CMD.exe, Regedit and the Start Menu from operating. The whole ruse is designed to enrich crooks via dodgy advertising affiliate networks, which take a relaxed line on marketing tactics that are illegal in many countries, including the US and UK.

It’s since emerged that scams of this type first appeared in December 2012 if not earlier. Chris Boyd, a senior threat researcher at ThreatTrack Security, has posted an informative blog post charting the development of ransomware/survey scam hybrids since then here.

Boyd’s post focuses on Shadowlock, one of the most sophisticated strains of ransomware/survey hybrid seen to date. News from earlier this week focused on an underground advert offering services for building survey-launching, PC-hijacking ransomware. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/18/javascript_ransomware/

The Grauniad corrects an error on its website


The Guardian has fixed a minor cross-site scripting vulnerability on its website.

The flaw, discovered and responsibly disclosed by security researcher Pete Houghton, occurred at the worst possible place on the UK broadsheet’s website – right on its login page. Readers use the page to log in and comment on stories. In theory the flaw might have been used to phish the login credentials of Guardian readers. There’s no evidence this actually happened.


A Guardian News Media spokesperson told El Reg: “We have not asked our users to change their passwords as there is no evidence that this flaw was exploited maliciously”.

Houghton notified the UK broadsheet about the flaw in early April and it was fixed by early June. Houghton only published a detailed write-up of the problem last week, however. The bug hunter praised the Guardian team’s overall handling of his bug report.

Cross-site scripting (XSS) vulnerabilities stem from web application development mistakes. Attackers can exploit XSS bugs to inject scripts or pop-ups from untrusted sites so that they appear to surfers as originating from the site they happened to be visiting. XSS flaws are a common class of vulnerability, most regularly abused in phishing attacks.
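The pattern the article describes, as an added example that is not part of the original story and not The Guardian’s code: a login page that reflects an untrusted query parameter into its markup. The details of the actual Guardian bug are not on the page, so the reflected `error` parameter, the page structure and the CSP header are all assumptions for illustration.

```javascript
// Added example (constructed; not the Guardian's code). Shows a reflected-XSS
// pattern on a login page and its hardened form, plus a check a test suite can run.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-escape every character that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Where the untrusted value typically comes from: a query parameter on the
// login URL (assumed parameter name "error").
function getErrorParam(requestUrl) {
  return new URL(requestUrl).searchParams.get('error') || '';
}

// Vulnerable: the attacker-controlled message is concatenated straight into the
// HTML, so a value containing markup is rendered as markup.
function renderLoginVulnerable(errorMsg) {
  return `<form method="post" action="/login">
  <p class="error">${errorMsg}</p>
  <input name="user"><input name="pass" type="password">
  <button>Sign in</button>
</form>`;
}

// Hardened: the same page, but every untrusted value is escaped at the point
// it is written into the template.
function renderLoginHardened(errorMsg) {
  return `<form method="post" action="/login">
  <p class="error">${escapeHtml(errorMsg)}</p>
  <input name="user"><input name="pass" type="password">
  <button>Sign in</button>
</form>`;
}

// Defence in depth (assumed policy): a CSP that refuses inline scripts means a
// missed escape still cannot run an injected <script> in modern browsers.
function loginResponseHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  };
}

// Regression check: after rendering with a marker payload, does the output still
// contain an unescaped script tag or inline event handler?
function containsRawScript(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Demonstration payload: a harmless marker, not a real exploit.
const MARKER = '<script>alert(1)</script>';
```

Run `containsRawScript(renderLoginHardened(getErrorParam(url)))` in a template test to catch regressions if someone later replaces `escapeHtml` with a raw interpolation.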

XSS bugs are bad news whenever they appear, but the practical danger they pose is only really worth worrying about when they appear on banking or e-commerce websites. More on the consequences of XSS problems can be found in a guide by the Open Web Application Security Project here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/19/guardian_xss_vuln/

Former CIA and NSA head says Huawei spies for China


Michael Hayden, a former head of the CIA and the NSA, has openly accused Chinese networking giant Huawei of spying for China in a move likely to further inflame tensions between the US and China over state-sponsored hacking.

Retired four star general Hayden told the Australian Financial Review that “at a minimum, Huawei would have shared with the Chinese state intimate and extensive knowledge of the foreign telecommunications systems it is involved with. I think that goes without saying.”


Asked “Does Huawei represent an unambiguous national security threat to the US and Australia?” General Hayden replied “Yes, I believe it does.”

Hayden goes out of his way to point out these opinions are his own, rather than those of the Obama administration. But his own experiences of the company get a decent airing.

“Two or three years ago Huawei was trying to establish a pretty significant footprint here [in America]. And they were trying to get people like me to endorse their presence in the US,” he told the Aussie paper.

“I reviewed Huawei’s briefing paper. But God did not make enough slides on Huawei to convince me that having them involved in our critical communications infrastructure was going to be OK. This was my considered view, based on a four-decade career as an intelligence officer.”

Hayden, who headed up the NSA from ’99 to ’05 and was in charge at Langley from 2006 to ’09, isn’t exactly deviating from the US line on Huawei, although he is the first high-profile official, or former official, to publicly accuse the Shenzhen firm of spying.

A US House of Representatives committee famously branded the handset and telecoms kit maker, along with its near neighbour ZTE, a national security risk in a high profile report in October 2012.

Aussie politicians responded by banning Huawei from bidding on the National Broadband Network (NBN) project.

The UK, on the other hand, has welcomed the firm with open arms, prime minister David Cameron even hosting founder Ren Zhengfei at Downing Street after he announced a £1.2bn investment in the country.

However, a parliamentary security and intelligence committee has since raised national security concerns with Huawei.

The firm sent El Reg the following response to Hayden’s accusations:

Huawei is a world-leading, proven and trusted ICT company. These tired, unsubstantiated defamatory remarks are sad distractions from real-world concerns related to espionage – industrial and otherwise – that demand serious discussion globally.

Hayden’s remarks will likely inflame an already tense relationship between the US and China.

Huawei, meanwhile, has continued its Australian charm offensive by extending its sponsorship of the National Rugby League team in the national capital, the Canberra Raiders, and pledging to help it play a game in Shenzhen.

“As China’s most successful global company, Huawei would love to see Shenzhen Stadium filled with our 65,000 China-based staff – with all of them backing the Raiders!,” said Corporate Affairs Director Jeremy Mitchell.

Read whatever you like into the monopoly on seats for home fans. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/19/huawei_cia_boss_accuses_spying/

ZUCK out all my BUGS: Facebook gobbles Brit glitch-hunter


Facebook has bought Monoidics, a UK-based firm that develops software that checks other software for bugs. Financial terms of the deal, announced Thursday and subject to unspecified closing conditions, were undisclosed.

The Mark Zuckerberg-led social network plans to incorporate Monoidics’ formal verification and analysis technology within its mobile development process. Monoidics developers will be upping sticks to move into Facebook’s London office.


Philip Su, a senior member of Facebook London’s engineering team, posted an announcement of the acquisition on (where else) his Facebook timeline here.

Monoidics, which opened up its business in 2009, posted its take on the acquisition on its blog here. The startup has already adopted the argot of its social networking master, not least by emphasising the importance of moving fast and trying new things.

“When we met members of Facebook’s engineering team, we realized how much we have in common: a relentless focus on quality, a desire to move fast and try new things, and a passion for making an impact,” the Monoidics team said. “Right away we knew this was our chance to take what we’ve built to the next level. Joining the Facebook team opens up a world of new opportunity for our technology and for our individual and collective scientific expertise.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/19/facebook_monoidics/


Hackers crippled HALF of world’s financial exchanges


Half of all the world’s critical financial exchanges have suffered cyber attacks in the past year, a report has found.

A joint investigation by the World Federation of Exchanges and‎ the International Organisation of Securities Commissions found that the attacks are increasingly aimed at destabilising markets, rather than making financial gains.


The authors found that people at the very top of the world’s economic system are nervous that a concerted online assault could cripple markets.

Top bankers are increasingly aware of the possible threat but have little confidence in their ability to thwart attacks, with one quarter of respondents admitting their “current preventative and disaster recovery measures may not be able to stand up against a large-scale and coordinated attack”. Just half of all exchanges believe their local laws are tough enough to deter hackers.

The exchanges want to see more concerted international efforts to ensure that hackers have no chance to bring down critical systems.

“Doubt over the effectiveness of these regimes generally appears to rest on the international nature of cyber crime, which creates a major obstacle in effective enforcement,” said Rohini Tendulkar, author of the report.

However, even tighter laws might not stave off market Armageddon. Hackers have proved that they don’t even need to target financial systems to move the markets. In April, stocks tumbled after the Syrian Electronic Army sent a false tweet from news agency AP’s eponymous account claiming that the White House had been attacked and President Obama had been injured.

Siobhan MacDermott, chief policy officer at anti-virus and security firm AVG, has previously warned that the world is already in the grip of a cyber war. As well as flogging anti-virus to punters, MacDermott advises officials from the US, EU, NATO and China.

She told El Reg that even top generals are flummoxed when it comes to cyber security, which will not reassure nervous financial exchange bosses worried about hackers causing cataclysmic damage.

“I sat down with a top-ranking general,” said MacDermott, “and I asked what kept him up at night. He told me that when he was in the military, warfare was simple. You stood on either side of a field, marched into the middle and fought.

“It didn’t get that different until the internet came along, he said, but now I’m holding underpowered weaponry and I just don’t know where the shots are coming from… This totally changes the dynamic of how you protect assets. It’s sort of like having a water pistol and going up against someone with a cyber weapon of mass destruction.”

The report said that cyber crime costs the world between $38bn and $1tn, although it is impossible to produce entirely accurate figures due to the indirect costs which are often left out of such calculations. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/18/half_of_all_financial_exchanges_hit_by_cyber_attacks/

ACLU warns of mass tracking of US drivers by government spycams


US drivers are being tracked to an unprecedented extent thanks to a system fattened by federal grant money and spurred by the rush to market private automobile data, according to a report by the ACLU.

After analyzing 26,000 pages of documents from police departments spread across the USA, along with information about private companies, the American Civil Liberties Union has produced a report highlighting the large amounts of data public and private companies are storing on drivers, and the poor retention policies that go along with it.


The You Are Being Tracked report was released on Wednesday, and argues that “the implementation of automatic license plate readers poses serious privacy and other civil liberties threats”.

Automatic license plate readers have proliferated across the US due to a fall in the cost of the underlying storage and interception technology, and some $50 million in federal grant money distributed to under-funded law enforcement departments that otherwise couldn’t afford it.

Though US law enforcement tends to have data retention policies that limit the time this information can be retained, data sharing agreements with other agencies and private companies can prolong the time that data is kept.

Automated license readers scoop up vast amounts of data on innocent individuals along with the minuscule bits of information about “hot” vehicles or tagged cars.

Readers controlled by law enforcement agencies in the state of Maryland performed 29 million reads in the first five months of 2012, but only one in 500 license plates scanned were associated with a hit – “any crime, wrongdoing, minor registration problem, or even suspicion of a problem”.

Of these hits, 97 per cent were for a suspended or revoked registration, or for violating Maryland’s Vehicle Emissions Inspection program. This makes for a vanishingly small number of hits on vehicles any right-thinking person could conceivably want a distributed robotic state to be tracking.

The report is chock full of examples like this, which all show mass data slurping for a tiny hit rate.

But how long agencies store this data on civilians and tagged vehicles is variable, with some agencies deleting all “non-hit” information immediately, but others retaining the information from anywhere from 14 days, to 30 days, to several years.

Many of these agencies may feed this data into local state “fusion centers” that pool IT assets for use by various enforcement agencies, the report notes. So even if data is being deleted locally it is still being stored somewhere.

“If not properly secured, license plate reader databases open the door to abusive tracking,” writes the ACLU.

Private companies also track vehicles, and organizations such as MVTrac or Digital Recognition Network slurp huge amounts of license plate information from readers deployed by private companies into centralized databases. DRN’s national database, for example, contains over 700 million data points, the ACLU says.

These companies will re-sell access to their data to law enforcement agencies, which can search through the images and other data associated with the license plates when investigating a crime.

In an impressive feat of understatement, the ACLU notes: “These private databases raise serious privacy concerns”.

Given the lack of regulation around how long data is kept on file, the different policies used by private and the public sector, and the potential for massive abuse, the ACLU report concludes with several pleas for restraint in the gathering and storage of this data.

But, given the recent revelations around PRISM and other data slurping schemes, this vulture thinks it unlikely that the public sector will hesitate at collecting this data.

And as for the private sector? Well, after surreptitiously scooping up information on Wi-Fi points for years via Street View vans Google was hit by a probe from UK watchdog the ICO, but was merely ordered to delete the data and faced no fine. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/18/aclu_license_plate_orwell/

Oracle releases July patch batch… with 27 fixes for remote exploits


Oracle has pushed out a quarterly patch batch of 89 updates that mean almost all of its enterprise software products need updating for one reason or another.

Craig Young, a security researcher at Tripwire, noted that most of the vulnerabilities were picked up by third-party researchers. “The constant drumbeat of critical Oracle patches is more than a little alarming particularly because the vulnerabilities are frequently reported by third parties who presumably do not have access to full source code,” he said. “This month’s Critical Patch Update credits 18 different researchers coming from more than a dozen different companies.”


Sysadmins and database administrators would do well to patch internet-accessible systems first, according to Wolfgang Kandek, CTO at cloud security firm Qualys. Updates to the Oracle Database; Fusion Middleware; the Oracle and Sun Systems Product Suite – including the Solaris OS; and MySQL ought to be patching priorities, since vulnerable systems exposed to the internet are easier to attack.

Oracle’s Critical Patch Update (CPU) for July 2013 covers six bulletins for Oracle’s flagship database software, one of which is remotely exploitable.

The XML parser vulnerability, which is remotely accessible but requires authentication, has the highest CVSS (Common Vulnerability Scoring System) severity score of all Tuesday’s releases, hitting a peril factor of 9.0. Databases are typically firewalled from the internet, which ought to provide at least some protection.

A total of 18 vulnerabilities in Oracle’s MySQL database were lanced, including two that are remotely accessible. There are also 16 updates for Sun Solaris servers, eight of which cover flaws that might be targeted by hackers across the internet. “If you have Sun Solaris servers in your organisation, review these patches and start with the machines on your perimeter and DMZ (De-Militarised Zone),” Kandek advises.

Oracle’s Fusion Middleware gets patches to address a total of 21 vulnerabilities – a whopping 16 of which are remotely exploitable. The software includes many components that are typically found on the web, such as the Oracle HTTP server. A quick query on Shodan shows more than 500,000 machines with Oracle’s HTTP are accessible across the internet.

The software giant’s patch batch also includes updates for Oracle’s Peoplesoft, E-Business and Virtualization enterprise software products.

Young told The Register: “It’s also noteworthy that every Oracle CPU release this year has plugged dozens of vulnerabilities. By my count, Oracle has already acknowledged and fixed 343 security issues in 2013,” he added. Scheduled updates for Java are handled on a separate four-month release cycle, so don’t appear in the July patch batch. Oracle is planning to align the two releases together starting with its next Critical Patch Update in October 2013.

Earlier this week Oracle published a study arguing IT security spending is misplaced, despite increased investment. Databases and applications – not networks – should be the focus of information security programs, Oracle concludes.

Veteran IT analyst Clive Longbottom disagreed with Oracle’s assessment and said that enterprises would do better to focus on protecting information. “It is the information that matters – [focusing on] network, app or database misses the point,” he told El Reg. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/17/oracle_quarterly_patch_batch/

Tumblr’s iOS fix for clear-text password login howler was WEEKS LATE


Tumblr has urged users of its iOS app to put down that latte and start updating their software and changing their passwords. But it appears the selfies-rich pic app only copped to the problem and issued the fix a full two weeks after a Reg reader had first contacted it about the issue.

Our source had told The Reg that he’d run tests revealing that the kitten-friendly blogging platform exposed users’ login credentials every time iPhone and iPad users logged in over an open Wi-Fi network.


The error made it easy for hackers to sniff passwords over the open Wi-Fi networks so ubiquitous in coffee shops, using readily available tools such as Wireshark.

The security howler was discovered by our reader during the course of an audit of which iOS apps were permissible for use on corporate smartphones.

The source, who wishes to remain anonymous, told us he had notified Tumblr about the problem TWO WEEKS ago. He said he only went to the press after his warnings were ignored. Our own experiences this week confirm that Tumblr’s security response team is hard to reach.

It was only after escalating the matter through Yahoo!’s PR team that the message finally got through. Experts at ThreatTrack Security were able to confirm our reader’s concerns within minutes of our request for comment on the matter.

Android or web-based versions of Tumblr’s app were never vulnerable and always ran logins through a secure connection.
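The kind of check the reader’s app audit ran, as an added example that is not from the article and not Tumblr’s code: scan a capture of HTTP requests and flag any that submit credentials over plain `http`. The capture lines, hosts and field names below are constructed for the example; real audits would feed in exported proxy or Wireshark data instead.

```javascript
// Added example (constructed; not Tumblr's code or real traffic). One request per
// line: "METHOD URL CONTENT-TYPE BODY" ("-" where a field is empty).
const SAMPLE_CAPTURE = [
  'POST http://api.example.invalid/v1/login application/x-www-form-urlencoded email=alice%40example.invalid&password=hunter2',
  'POST https://api.example.invalid/v1/login application/x-www-form-urlencoded email=bob%40example.invalid&password=correct-horse',
  'GET http://cdn.example.invalid/img/kitten.jpg - -',
  'POST http://api.example.invalid/v1/session application/json {"username":"carol","password":"s3cret"}',
  'POST https://api.example.invalid/v1/posts application/json {"title":"hello","body":"world"}',
];

// Body field names that indicate a credential is being submitted (assumed list).
const CREDENTIAL_KEYS = ['password', 'passwd', 'pass', 'token', 'secret'];

// Parse one capture line into a request record; returns null for malformed lines.
function parseRequest(line) {
  const parts = line.trim().split(' ');
  if (parts.length < 4) return null;
  const [method, url, contentType] = parts;
  const rawBody = parts.slice(3).join(' ');
  let parsed;
  try { parsed = new URL(url); } catch { return null; }
  return {
    method,
    scheme: parsed.protocol.replace(':', ''),
    host: parsed.hostname,
    path: parsed.pathname,
    contentType: contentType === '-' ? '' : contentType,
    body: rawBody === '-' ? '' : rawBody,
  };
}

// Lower-cased field names found in the body, for form-encoded and JSON bodies.
function bodyFields(req) {
  if (req.contentType.startsWith('application/json')) {
    try { return Object.keys(JSON.parse(req.body)).map((k) => k.toLowerCase()); } catch { return []; }
  }
  if (req.contentType.startsWith('application/x-www-form-urlencoded')) {
    return [...new URLSearchParams(req.body).keys()].map((k) => k.toLowerCase());
  }
  return [];
}

function carriesCredentials(req) {
  return bodyFields(req).some((k) => CREDENTIAL_KEYS.includes(k));
}

// The audit: every request that carries a credential field but was not sent over
// TLS is a finding. Only method, host and path are reported, never the secret.
function findCleartextCredentialRequests(lines) {
  return lines
    .map(parseRequest)
    .filter((r) => r !== null && r.scheme !== 'https' && carriesCredentials(r))
    .map((r) => ({ method: r.method, host: r.host, path: r.path }));
}
```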

The Yahoo!-owned micro-blogging site acknowledged the problem and pushed out an update to its iOS app early on Wednesday morning. Version 3.4.1 of Tumblr’s iOS app, released through the Apple Store, only states that it includes a “security fix” without giving any details.

However Tumblr vice-president of product Derek Gottfrid confirmed that a vulnerability with the app meant login usernames and passwords were sent in the clear. iPhone or iPad users should update their password on Tumblr as well as anywhere else they use the same password, Gottfrid advised in a post on an official but internal blog.

In a statement, issued in response to El Reg‘s repeated inquiries on the issue this week, Tumblr apologised for the whole security flap.

Earlier today, Tumblr was notified of a security vulnerability introduced in our iOS app. We immediately released an update that repairs the issue and are notifying affected users. We obviously take these incidents very seriously and deeply regret this error.

Independent security consultant Graham Cluley criticised Tumblr for sloppy security. He pointed out that parent firm Yahoo! has “priors” when it comes to SSL snafus.

“It’s good news that Tumblr has now released a version of its app which fixes this flaw,” Cluley writes. “But the gaping security hole shouldn’t have been present in the first place. And an updated app doesn’t rescue any users’ passwords which may have been stolen or exposed up until now.

“Yahoo!, which recently acquired Tumblr, has been in trouble with HTTPS/SSL in the past. Up until January it was one of the few major webmail providers which didn’t provide an option for users to login via HTTPS/SSL,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/17/tumblr_ios_snafu_fixed/