Security

Canadian Heartbleed hacker arrested, charged in connection to malicious bug exploit

posted on April 17, 2014
by l33tdawg

A 19-year-old student has been arrested for allegedly exploiting the Heartbleed vulnerability to steal taxpayer data from as many as 900 Canadians, authorities said Wednesday.

The arrest of Stephen Arthuro Solis-Reyes by the Royal Canadian Mounted Police marks the first time authorities anywhere have publicly levied charges in connection to the malicious exploitation of a defect in the widely used OpenSSL cryptography library.

Why the Windows 8.1 Update probably means no more Service Packs for Windows

posted on April 17, 2014
by l33tdawg

In response to customer outcry, organizations holding off on deploying the Windows 8.1 Update will be able to get security updates for their systems for another three and a half months, as opposed to the 30 days that Microsoft originally promised.

When the Windows 8.1 Update designed to improve the mouse and keyboard experience of Windows 8.1 was initially released last week, Microsoft said that it was a mandatory update. Any future security updates, starting from next month, would require the update to be installed.

All sent and received e-mails in Gmail will be analyzed, says Google

posted on April 17, 2014
by l33tdawg

Google added a paragraph to its terms of service as of Monday to tell customers that, yes, it does scan e-mail content for advertising and customized search results, among other reasons. The change comes as Google undergoes a lawsuit over its e-mail scanning, with the plaintiffs complaining that Google violated their privacy.

Snowden-inspired crypto-email service Lavaboom launches

posted on April 16, 2014
by l33tdawg

Lavaboom, a new German-based and supposedly NSA-proof email service, will go into private beta this week with a mission to spread the gospel according to Edward Snowden by making encrypted email accessible to all.

Although it has been referred to in various parts of the interwebs as an heir to Lavabit, the now-defunct encrypted email service used by Snowden, the new service's name is a tribute to its predecessor and nothing more.

The security of the most popular programming languages

posted on April 16, 2014
by l33tdawg

A new WhiteHat Security report takes a deeper look into the security of a number of the most popular programming languages including .Net, Java, ColdFusion, ASP and more.

"Deciding which programming language to use is often based on considerations such as what the development team is most familiar with, what will generate code the fastest, or simply what will get the job done," said Jeremiah Grossman, founder and iCEO of WhiteHat Security. "How secure the language might be is simply an afterthought, which is usually too late."

First sites admit data loss through Heartbleed attacks

posted on April 15, 2014
by l33tdawg

Canada’s tax authority and a popular British parenting website both lost user data after attackers exploited the Heartbleed SSL vulnerability, they said Monday.

The admissions are thought to be the first from websites that confirm data loss as a result of Heartbleed, which was first publicized last Tuesday. The flaw existed in OpenSSL, a cryptographic library used by thousands of websites to enable encryption, and was quickly labeled one of the most serious security vulnerabilities in years.

Hacker From China Wastes Little Time in Exploiting Heartbleed

posted on April 15, 2014
by l33tdawg

For those who don't feel the urgency to install the latest security fixes for their computers, take note: Just a day after Heartbleed was revealed, attacks from a computer in China were launched.

The software bug, which affects a widely used form of encryption called OpenSSL, was announced to the world April 7 at 1:27 p.m. New York time, according to the Sydney Morning Herald. That sent companies scrambling to fix their computer systems -- and for good reason.

TrueCrypt audit finds "no evidence of backdoors" or malicious code

posted on April 15, 2014
by l33tdawg

On Monday, after seven months of discussion and planning, the first phase of a two-part audit of TrueCrypt was released.

The results? iSEC, the company contracted to review the bootloader and Windows kernel driver for any backdoor or related security issue, concluded (PDF) that TrueCrypt has: “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”

NSA Says It Wasn’t Previously Aware of Heartbleed

posted on April 14, 2014
by l33tdawg

The National Security Agency denied that it previously knew of the Heartbleed bug, calling reports that it or any part of the U.S. government were aware before April “wrong.”

Bloomberg reported earlier Friday that the NSA knew of the bug in the widely used encryption tool called OpenSSL for at least two years and exploited it to gather intelligence. Security researchers have called Heartbleed one of the biggest flaws in the Internet’s history. Later in the day, the NSA released a statement saying the agency wasn’t aware of Heartbleed until it was made public.