Disclaimer: This is a personal blog. The views and opinions expressed here represent my own and not those of any institutions or organizations that I currently work for or have worked for.

Wednesday, May 11, 2011

Two Zero-Day Flaws Used To Bypass Google Chrome Security and More . . .

"French researchers say they hacked their way out of browser's sandbox, bypassed DES and ASLR."

More information here and more updated information here

Securing the Virtual Environment

My colleague talks about Virtual Environment Security.

Backtrack 5 Released

BackTrack 5 - Penetration Testing Distribution from Offensive Security on Vimeo.

Android malware - This picture explains it all

This was an interesting picture that I was looking at regarding Android malware.



(Source: HelpNet Security)

Sunday, May 8, 2011

Social networking site Facebook should be more secure



Social networking sites like Facebook should do more to become secure. Facebook scams (like the free iPad giveaway) are becoming more and more pervasive, and if you don't check where a link leads (as most users don't) before clicking it, the result is a bad thing.

"When landing on the fake Facebook page, they are re-directed to a different, malicious page where they are supposed to provide their email and shipping address in order to take part in an alleged test session of the iPad 2.

The bait is more interesting as scammers announce that Apple is giving away for free a total of 10,000 iPad2 for review purposes only.

“This scam is very aggressive and efficient at the same time because it uses two Facebook specific spreading mechanisms which ensure high visibility: notifications and direct email,” commented Catalin Cosoi, Head of the BitDefender Online Threats Lab. “The main social engineering elements are on the one hand, getting users curious about why they were made admins of a page and on the other, the classic iPad bait. In this case, the device is supposed to be given away for free, but sent through mail, for testing purposes.”

If you come across this scam, do not provide any details through the received form. Second, remove yourself from the admin list of that page."

(Source: HelpNet Security)

Lessons learned from data breaches

More information here

Password Manager "LastPass" Users must change master passwords -- but not all right now

Here is another breach . . .

"The "last password you'll ever need" now requires a reset: LastPass is forcing users of the password manager service to change the single master password they created for accessing websites, virtual private networks, and Web mail accounts via the tool. The move comes in response to the company's discovery of unusual network activity around one of its databases. "

More information here

(Source: DarkReading)

Wednesday, May 4, 2011

Self-encrypting drives most effective against data breaches

These are actually very interesting results. Though, how much would it cost?

"With more than 82 percent of respondents reporting one or more data breaches, a new Ponemon Institute study on self-encrypting drives found that 70 percent believed that self-encrypting drives “would have had an enormous and positive impact on the protection of sensitive and confidential data.”


Data breaches cost about $214 U.S. per lost record or about $7.2 million per incident.

Ponemon’s study interviewed 517 IT practitioners in financial services, the public sector, retailing, healthcare, technology and other fields who were familiar with self-encrypting drives (SEDs).

SEDs automatically and continuously encrypt data in the drive, with most SEDs today based on a TCG specification. The study found that with software-based encryption, 40 percent of employees regularly turn it off without permission, thereby leaving data unprotected.

IT practitioners rated performance and ease of deployment as the most important aspects of encryption solutions. Sixty-four percent agreed that SEDs provide a faster set-up time, and 59 percent agreed that SEDs provide enhanced scalability in multi-drive situations.

In addition to data breach protection, respondents noted that compliance with state or federal data protection laws is the main driver for encrypting data at rest, including financial documents, employee records and customer data. Respondents note that the types of data that they encrypt include:

* 89 percent: confidential (57 percent) and non-confidential (32 percent) financial documents
* 52 percent: trade secrets (34 percent) and intellectual property (18 percent)
* 41 percent: employee records
* 39 percent: customer data.

“While self-encrypting drives are a new technology, the IT staff we interviewed believed they are more secure than software-based encryption,” noted Dr. Ponemon. “And it’s apparent that complying with the increasing number of state and federal data protection mandates is driving encryption and interest in SEDs.”"

(Source: HelpNet Security)

Apple iOS 4.3.3 Released

"The iOS 4.3.3 software update is now available via iTunes.

It contains changes to the iOS crowd-sourced location database cache including:

* Reduces the size of the cache
* No longer backs the cache up to iTunes
* Deletes the cache entirely when Location Services is turned off.

Products compatible with this software update:

* iPhone 4 (GSM model)
* iPhone 3GS
* iPad 2
* iPad
* iPod touch (4th generation)
* iPod touch (3rd generation)."

(Source: HelpNet Security)

Tuesday, May 3, 2011

24.6 million Sony Online Entertainment accounts stolen

"Sony's ongoing investigation of illegal intrusions into Sony Online Entertainment systems revealed that attackers may have stolen personal information from approximately 24.6 million SOE accounts, as well as certain information from an outdated database from 2007.

The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.

With the current outage of the PlayStation Network and Qriocity services and the ongoing investigation into the recent attacks, SOE had also undertaken an intensive investigation into its system. Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks.

The company is working with the FBI and continuing its own full investigation while working to restore all services.

The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:

* name
* address
* e-mail address
* birthdate
* gender
* phone number
* login name
* hashed password.

In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:

* bank account number
* customer name
* account name
* customer address.

SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a "make good" plan for its PlayStation 3 MMOs. "

(Source: HelpNet Security)

Monday, May 2, 2011

Osama bin Laden spam invades Facebook

"Please make sure that your computer is up to date with all the security patches, that your antivirus is updated and if you do click on the links from Facebook and other social media pages, make sure that you don’t give out any important information (username, passwords).



Since the bad guys seem to be taking advantage of this opportunity quite heavily, we expect to see more malicious code getting triggered by the death of Osama bin Laden."

(Source: HelpNet Security)

Sunday, May 1, 2011

Researchers crack Nikon image authentication system

This is a very interesting article, since it is now possible to produce altered images that carry valid digital signatures using these exploits. This will also be interesting for forensic examiners.

"Credibility of photographic evidence may be extremely important in a variety of situations. Courts, news agencies and insurance companies may accept digitally signed photographs as valid evidence. If such evidence is forged, consequences can be severe. The most famous fakes include cases of fraud committed by enthusiast photographers, photo journalists, editors, political parties, and even the US Army.



ElcomSoft researched Nikon’s Image Authentication System, a secure suite validating if an image has been altered since capture, and discovered a major vulnerability in the manner the secure image signing key is being handled. In turn, this allowed the company to extract the original signing key from a Nikon camera.

The vulnerability, when exploited, makes it possible to produce manipulated images with a fully valid authentication signature. ElcomSoft was able to successfully extract the original image signing key and produce a set of forged images that successfully pass validation with Nikon Image Authentication Software.

When designing a digital security system, it is essential to equally and properly implement all parts of the system. The entire system is only as secure as its weakest link. In the case of Nikon’s Image Authentication System, the company has not done at least one thing right.

The ultimate vulnerability lies in the way the image signing key is being handled. As the signing cryptographic key is handled inappropriately, it can be extracted from the camera. After obtaining the signing key, one can use it to sign any picture, whether or not it’s been altered, edited, or even computer-generated. The signed image will then successfully pass as a valid, genuine piece when verified by Nikon Image Authentication Software.

The vulnerability exists in all current Nikon cameras supporting Nikon Image Authentication, including Nikon D3X, D3, D700, D300S, D300, D2Xs, D2X, D2Hs, and D200 digital SLRs.

ElcomSoft has notified CERT and Nikon about the issue, and prepared a set of digitally manipulated images passing as originals when verified with Nikon’s secure authentication software. Nikon has provided no response nor expressed any interest in the existence of the issue."

(Source: HelpNet Security)
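The ElcomSoft finding above comes down to one property of any keyed authentication scheme: the verifier can only ever conclude "someone holding the key produced this tag", so once the key is extractable from the camera, "valid" no longer means "unaltered since capture". The following is an added illustration, not ElcomSoft's or Nikon's code, and it assumes an HMAC-SHA256 tag over the pixel bytes because the page does not describe Nikon's actual algorithm (the lesson is identical for an embedded private key). It first shows why a single key shared by every camera cannot survive extraction, then models the defender-side mitigation of per-device keys with a verifier registry and revocation, so that one extracted key compromises one camera rather than the whole product line.

```python
import hashlib
import hmac
import secrets

# Constructed sample "image": a PNG-looking header followed by 64 bytes standing in for pixels.
ORIGINAL_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(range(64))


def sign_image(image: bytes, signing_key: bytes) -> bytes:
    """Authentication tag over the pixel bytes (HMAC-SHA256; an assumption, not Nikon's scheme)."""
    return hmac.new(signing_key, image, hashlib.sha256).digest()


def verify_image(image: bytes, tag: bytes, signing_key: bytes) -> bool:
    """Constant-time comparison so the verifier itself does not leak tag bytes."""
    return hmac.compare_digest(sign_image(image, signing_key), tag)


def edit_image(image: bytes) -> bytes:
    """Simulate post-capture manipulation by flipping one byte in the pixel region."""
    data = bytearray(image)
    data[20] ^= 0xFF
    return bytes(data)


class KeyRegistry:
    """Verifier-side registry: camera serial -> per-device key, plus a revocation set.

    Hypothetical design for illustration; the page only states that the real key was
    shared across all listed models and could be extracted from a camera.
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._revoked: set[str] = set()

    def enroll(self, serial: str) -> bytes:
        """Provision a fresh 256-bit key for one camera and return it (for the secure element)."""
        key = secrets.token_bytes(32)
        self._keys[serial] = key
        return key

    def revoke(self, serial: str) -> None:
        """Called once a camera's key is known to be extracted; its tags become untrusted."""
        self._revoked.add(serial)

    def verify(self, serial: str, image: bytes, tag: bytes) -> bool:
        if serial in self._revoked or serial not in self._keys:
            return False
        return verify_image(image, tag, self._keys[serial])


def demo() -> dict[str, bool]:
    """Return the outcomes of both scenarios; every value is expected to be True."""
    # Scenario 1: one key burned into every camera (constructed value).
    shared_key = b"\x01" * 32
    tag = sign_image(ORIGINAL_IMAGE, shared_key)
    edited = edit_image(ORIGINAL_IMAGE)
    results = {
        "original_verifies": verify_image(ORIGINAL_IMAGE, tag, shared_key),
        "edit_with_original_tag_fails": not verify_image(edited, tag, shared_key),
        # Once the key is known, a re-tagged edit is indistinguishable from a genuine capture.
        "edit_retagged_with_known_key_verifies": verify_image(
            edited, sign_image(edited, shared_key), shared_key
        ),
    }

    # Scenario 2: per-device keys held by a verifier registry with revocation.
    registry = KeyRegistry()
    key_a = registry.enroll("CAM-A")
    key_b = registry.enroll("CAM-B")
    tag_b = sign_image(ORIGINAL_IMAGE, key_b)
    registry.revoke("CAM-A")  # CAM-A's key has been extracted and published
    results["revoked_camera_rejected"] = not registry.verify(
        "CAM-A", ORIGINAL_IMAGE, sign_image(ORIGINAL_IMAGE, key_a)
    )
    results["other_camera_unaffected"] = registry.verify("CAM-B", ORIGINAL_IMAGE, tag_b)
    results["extracted_key_cannot_impersonate_other_camera"] = not registry.verify(
        "CAM-B", edited, sign_image(edited, key_a)
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two design points follow from the run. First, the verifier's answer is only ever a statement about key possession, which is why the article says the whole system is only as secure as the way the key is handled: no change to the verification software can repair a key that is already public. Second, per-device keys plus revocation do not stop extraction, but they turn a fleet-wide break into a single-camera break and give the verifier a way to stop trusting that camera; keeping the key inside a non-exportable hardware element is what prevents the extraction in the first place.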

Google Faces $50 Million Lawsuit Over Android Location Tracking

It all begins now. More tracking of the user . . .

"Google has maintained that the collection of the location data is entirely opt-in. “We provide users with notice and control over the collection, sharing and use of location in order to provide a better mobile experience on Android devices,” Google spokesperson Randall Safara told Ars last week. However, the class action lawsuit claims that Google very well knew that “ordinary consumers acting reasonably would not understand the Google privacy policy to include the extensive location tracking at issue in this case.”

The plaintiffs believe that Google’s actions violate the federal Computer Fraud and Abuse Act, various state consumer protection laws, as well as “common law rights” to privacy.

“It is unconscionable to allow Google to continue unlawfully and without proper consent to extensive tracking of Plaintiffs and proposed Class members,” according to the complaint. “If Google wanted to track the whereabouts of each of its products’ users, it should have obtained specific, particularized informed consent such that Google consumers across America would not have been shocked and alarmed to learn of Google’s practices in recent days.”

The lawsuit asks the court to require Google to either give up tracking Android users or to clearly inform users of “its true intentions about tracking,” including whether that information is released to third parties or used for marketing. It further seeks monetary damages “in excess of $50,000,000.00” as well as punitive damages on top of that amount.

Both Apple and Google plan to attend a hearing before the Senate Judiciary Subcommittee on Privacy, Technology, and the Law on May 10 to discuss the very issues called into question in the lawsuit. Representatives from the US Department of Justice, Federal Trade Commission, Center for Democracy and Technology, and others will talk about what the latest mobile technology means for privacy and the law. Justin Brookman, who will be testifying at the hearing for the CDT, believes the law needs to be updated to account for the reality of modern mobile technology.

“The best way to address these cross-platform, cross-industry questions is through public policy,” Brookman recently wrote in an editorial on CNN.com. “We need legislation that establishes fair information practices for commercial collection, disclosure and use of all consumer data—but especially for sensitive data, like geolocation information—and we need the courts and Congress to update the rules for governmental access, to require a judicial warrant for tracking the location of cell phones and other mobile communications devices.”

(Source: Wired)