Access restriction in iOS 6 partially useless
Just a few days after publication of a method for bypassing the passcode on iPhones, another security vulnerability in iOS has been revealed. Users can change the iTunes and App Store accounts even where the system settings have been configured to block such changes.
The update to iOS 6 introduced several new options for restricting the mobile operating system, including the ability to block changes to the accounts enrolled on the device. Designed with institutional users of iPhones and iPads in mind, if this feature is activated, device users can neither set up new accounts nor modify or delete existing accounts. As well as the accounts for Apple's online stores, this also affects accounts such as email and Facebook accounts. Or at least it does if you want to use the system settings to make these changes.
In securing the system, however, Apple appears to have overlooked something - the iTunes and App Store apps pre-installed on every iPhone. Open one of these two apps and scroll down to the bottom of the overview page and the relevant account can simply be changed here. This is a problem in particular for businesses and parents wishing to use the block to prevent installation of unauthorised software.
Continued : http://www.h-online.com/security/news/item/Access-restriction-in-iOS-6-partially-useless-1805842.html
Trust but verify: when CAs fall short
From the Kaspersky Labs Weblog:
We've recently experienced yet another case of a root certificate authority (CA from now on) losing control of its own certificates. And yet again, we have been waiting for either the CA or the browser to do something about it. This whole mess stems, once again, from both a governance and a technical problem. First, only the very same CA that issued a certificate can later revoke it. Second, although web browsers implement several techniques to check the certificate's revocation status, errors in the procedure are rarely considered hard failures.
Of these, the first (and oldest) technique involves the CA creating a Certificate Revocation List (CRL). This requires the user to poll the CRL at regular intervals, download the whole list (a revision of the RFC allowed for delta updates), and use the list to verify the certificate revocation status. Since, by default policy, downloaded CRLs can be up to seven days old, it is clear that an adversary still has the possibility to use a compromised certificate. To make the situation worse, CAs normally disseminate CRLs by means of the HTTP protocol, hence replay attacks are possible. Further, even if the standard dictates otherwise, web browsers often consider failure to download the updated CRL a mere soft error, meaning that the connection will not be terminated (which makes the whole verification process useful as a seat-belt that snaps when you crash).
Continued : http://www.securelist.com/en/blog/208194124/Trust_but_verify_when_CAs_fall_short
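The post above describes three weaknesses of CRL checking: a seven-day staleness window, replayable lists served over HTTP, and browsers treating a failed download as a soft error. The following is an added toy model of that decision logic (not code from the Kaspersky post); the CRL structure, serial numbers and timestamps are constructed, and fetch_crl() stands in for the real HTTP download.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_CRL_AGE = timedelta(days=7)  # default staleness policy the post mentions

@dataclass(frozen=True)
class CRL:
    """Constructed stand-in for a parsed X.509 CRL: thisUpdate, nextUpdate, revoked serials."""
    this_update: datetime
    next_update: datetime
    revoked: frozenset

class CRLUnavailable(Exception):  # distribution point unreachable or list unusable
    pass

class RevocationCheckFailed(Exception):  # hard-fail policy refuses the connection
    pass

def check_revocation(serial, fetch_crl, now, hard_fail):
    """Return 'revoked', 'good' or 'soft-fail-accepted' for a certificate serial.
    fetch_crl() models the HTTP download and may raise CRLUnavailable. hard_fail=False
    mirrors the browser behaviour the post criticises: a failed download or a stale
    list is a soft error and the connection proceeds anyway.
    """
    try:
        crl = fetch_crl()
        if now - crl.this_update > MAX_CRL_AGE or now > crl.next_update:
            raise CRLUnavailable("CRL is stale")
    except CRLUnavailable as err:
        if hard_fail:
            raise RevocationCheckFailed(str(err)) from err
        return "soft-fail-accepted"  # unknown status silently treated as fine
    return "revoked" if serial in crl.revoked else "good"

# Constructed scenario: the CA revoked serial 0x1337 a few hours before NOW.
NOW = datetime(2013, 2, 20, 12, 0, tzinfo=timezone.utc)
REVOKED_SERIAL = 0x1337

def fresh_crl():  # current list, names the revoked serial
    return CRL(NOW - timedelta(hours=6), NOW + timedelta(days=1), frozenset({REVOKED_SERIAL}))

def replayed_crl():  # older list captured before the revocation, still inside its validity window
    return CRL(NOW - timedelta(days=2), NOW + timedelta(days=5), frozenset())

def stale_crl():  # list past its nextUpdate and past the seven-day window
    return CRL(NOW - timedelta(days=10), NOW - timedelta(days=3), frozenset({REVOKED_SERIAL}))

def unreachable_crl():  # distribution point down
    raise CRLUnavailable("distribution point timed out")
```

Note that even the hard-fail policy accepts the replayed list, because a two-day-old CRL is within the seven-day window; that is exactly the gap the post describes, and only a fresher mechanism (or a shorter window) closes it.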
Privacy Puzzles at Google Play
From Ben Edelman:
Last week app developer Dan Nolan noticed that Google transaction records were giving him the name, geographic region, and email address of every user who bought an Android app he sold via Google Play. Dan's bottom line was simple: "Under no circumstances should [a developer] be able to get the information of the people who are buying [his] apps unless [the customers] opt into it and it's made crystal clear to them that [app developers are] getting this information." Dan called on Google to cease these data leaks immediately, but Google instead tried to downplay the problem.
In this post, I examine "Google's relevant privacy commitments" and argue that Google has promised not to reveal users' data to developers. I then "critique Google's response" and suggest appropriate "next steps".
Google's Android Privacy Promise
Continued : http://www.benedelman.org/news/021913-1.html
OpLastResort: Anonymous Hacks US Department of State, Investment Firm
Anonymous hackers have announced round five of Operation Last Resort, the anti-US government campaign initiated shortly after the suicide of Aaron Swartz. For this round, the hacktivists have breached the websites of the US Department of State (state.gov) and that of investment firm George K. Baum and Company.
From state.gov, the hackers have leaked hundreds of names, email addresses, and other details.
"Our reasons for this attack are very simple. You've imprisoned or either censored our people. We will not tolerate things as such. You don't see us going around censoring everything that is inappropriate or we do not like," Anonymous wrote next to the leaked data.
"Basically, you tried to put an end to us and you got owned, there's nothing more you can say or do. You took away Topiary, Avunit, Neuron, Pwnsauce, lolspoon, Aaron Swartz shall we go on?" they added.
Continued : http://news.softpedia.com/news/OpLastResort-Anonymous-Hacks-US-Department-of-State-Investment-Firm-330640.shtml
Also: Anonymous OpLastResort hacks investment firm, cites Stratfor ties
TrustGo and Lookout Top Android Mobile Security Test
Today, the independent testing lab AV-Test released their findings from a comprehensive review of 22 Android security apps, looking at how these portable protectors performed on handheld Android devices. The competition was tight, but TrustGo and Lookout took the top slots.
The good news is that most apps fared very well in the test, with only GFI Mobile Security failing to receive AV-Test certification. Despite GFI's abysmal 71 percent detection rate for malicious software, the average detection rate across the apps was 94 percent with a median rate of 97 percent. In general, there were very few false-positive results generated during the test.
The Whole App
Of course, security companies no longer rely on mere malware identification to define their product. Many companies provide anti-theft, secure browsing, parental controls, and data encryption with their mobile apps. What's more, mobile security apps need to be unobtrusive and easy on battery life in order to actually be helpful. If it sucks up too much power, or disrupts the normal operation of the device, users will likely uninstall the app.
Continued : http://securitywatch.pcmag.com/none/308184-trustgo-and-lookout-top-android-mobile-security-test
DDoS Attack on Bank Hid $900,000 Cyberheist
A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000.
At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company's financial institution - San Francisco-based Bank of the West - came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs.
KrebsOnSecurity contacted Ascent Builders on the morning of Dec. 26 to inform them of the theft, after interviewing one of the money mules used in the scam. Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she'd been conned into helping fraudsters.
Continued : http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/
The sophistication of risky apps, mobile misbehavior and ..
McAfee released the results of a new report, documenting sophisticated and complex risky apps containing multi-faceted scams, black market crimes, drive-by downloads and near-field communication threats. They identified a new wave of techniques hackers use to steal digital identities, commit financial fraud, and invade users' privacy on mobile devices.
Mobile platforms have become increasingly attractive to cybercriminals as consumers live more of their digital lives on smartphones and tablets. According to IDC, mobile devices are surpassing PCs as the preferred way to access the Internet and the number of people using PCs to go online will shrink by 15 million over the next four years, while the number of mobile users will increase by 91 million.
With the mobile space becoming a more enticing platform for online mischief, the complexity and volume of threats targeting consumers will continue to increase. Using its extensive global threat intelligence network (GTI), McAfee Labs analysed mobile security data from the last three quarters.
Continued : http://www.net-security.org/secworld.php?id=14441
Google Says Gmail Security Measures Have Reduced Account Hijacks By 99 Percent
Gmail accounts are high-priority targets for attackers of all stripes, particularly spam crews and state-sponsored attackers who use them to monitor the activities of activists and journalists. Hijacking those accounts can be quite useful for spammers and malware gangs as well, but Google said that it has put security measures in place that have greatly reduced the number of successful hijack attempts.
In the last few years, the company has added a number of security systems to Gmail and its other services to help protect users' accounts. The most well-known and visible of those is the Gmail two-factor authentication option that requires users to enter a code that's either generated by an app on their mobile phones or sent via SMS, in addition to entering a password. That system helps prevent account compromises through the use of stolen passwords because even with the password, the attacker would still need the code in order to access the account. That system isn't enabled by default, however.
Continued : https://threatpost.com/en_us/blogs/google-says-gmail-security-measures-have-reduced-account-hijacks-99-percent-021913