
Apple's Spotty Record of Giving Back To the Tech Industry

chicksdaddy Re:Article is flame bait. Or a troll. (268 comments)

You have to read the whole article - ASF is not the only example cited. It is the only example cited within the first three paragraphs of the story, however.

about 8 months ago

Is Analog the Fix For Cyber Terrorism?

chicksdaddy Re:sure, no problem (245 comments)

really excellent feedback. appreciated.

about 9 months ago

Georgia Cop Issues 800 Tickets To Drivers Texting At Red Lights

chicksdaddy Gloating - but a good idea (1440 comments)

Look, studies have shown that driver reaction time while texting and driving is far, far worse than the reaction time for impaired driving (aka driving drunk), which is clearly illegal. In other words, we (your fellow citizens) are a lot safer with you drunk driving than driving while texting. (See this Car & Driver study: http://www.caranddriver.com/features/texting-while-driving-how-dangerous-is-it) So, apply the same logic as you would with drunk driving. Sure, these drivers were stopped at a red light, but would you expect the cop to look the other way if they were swigging from a bottle of vodka at the same red light ("well, the car isn't moving right now, so...")? He's right to read the law literally and also to assume that if they're texting at a red light, they likely won't stop texting once the car is moving. Take away: texting behind the wheel is a serious danger to public health and should be tolerated to about the same extent that we, as a society, tolerate drunk driving - which is not at all. My 2c.

about a year ago

DARPA Cyber Chief "Mudge" Zatko Going To Google

chicksdaddy Update: He'll work in Motorola Mobility ATAP Unit (30 comments)

Update courtesy of Google: Mudge will be working in Motorola Mobility's Advanced Technology & Projects (ATAP). From the web: "The group's mission is to deliver breakthrough innovations to the company's product line on seemingly impossible short timeframes. ATAP is skunkworks-inspired. Optimized for speed. Small, lean, resourced. With agility, freedom from bureaucratic constraints, and a willingness to embrace risk as core attributes." Hmm...sounds kinda like DARPA! ;-)

about a year and a half ago



Vessel Identification and Tracking System Is Profoundly Insecure

chicksdaddy chicksdaddy writes  |  3 days ago

chicksdaddy (814965) writes "Researchers from the firm Trend Micro are warning that the Automated Identification System (or AIS) — a monitoring system that is used on over 400,000 ocean-going vessels — is profoundly insecure and vulnerable to both software and radio-based hacks, The Security Ledger reports. (https://securityledger.com/2014/12/research-finds-cyber-physical-attacks-against-vessel-tracking-system/)

AIS is a global system for tracking the movement of vessels. It is intended to supplement marine radar and relies on ship, land and satellite-based systems to exchange data on ships’ position, course and speed and is used for everything from collision avoidance to security, ship-to-ship communications and weather forecasting.

AIS is required to be deployed on all passenger vessels and on international-voyaging ships with gross tonnage of 300 or more. However, researchers Marco Balduzzi and Kyle Wilhoit found that AIS is rife with exploitable software- and protocol vulnerabilities. Chief among them are flaws in the AIS protocol which was developed in a “hardware epoch” and lacks even basic security features such as authentication and message integrity checks. While hacks of radio-based systems like AIS would have been expensive and difficult to conduct 10 or 15 years ago, the advent of tools like Software Defined Radio make it possible to craft sophisticated attacks with just a small investment, the researchers discovered.

In their work, Balduzzi and Wilhoit – working with an independent security researcher – were able to use software-defined radio based attacks to trigger a range of phony messages, from false SOS and “man in the water” distress beacons to fake CPA (or Closest Point of Approach) alert and collision warnings on an AIS system set up in a lab environment. A copy of their ACSAC presentation slides can be found here: http://blog.trendmicro.com/tre...

The two have written about AIS vulnerabilities before, including susceptibility of AIS to man-in-the-middle attacks (http://blog.trendmicro.com/trendlabs-security-intelligence/captain-where-is-your-ship-compromising-vessel-tracking-systems/). Their latest work expands the list of attacks and vulnerabilities found in AIS to include both software and RF-based hacks, SQL injection, buffer overflow and so on."

Link to Original Source

Sony Attackers Took A Page From The Shamoon Playbook

chicksdaddy chicksdaddy writes  |  about two weeks ago

chicksdaddy (814965) writes "The story about the disastrous hack of Sony is the gift that keeps on giving. There's been a wealth of revelations about Sony Pictures Entertainment's internal culture: its tendency to pay male executives more than their female counterparts (http://fusion.net/story/30838/does-a-powerful-sony-pictures-partnership-have-a-gender-pay-gap/), tepid enthusiasm of employees about SPE's output (http://gawker.com/sony-hack-reveals-25-page-list-of-reasons-it-sucks-to-w-1666264634) and a kind of compulsive transparency within its IT operations (http://gawker.com/sonys-top-secret-password-lists-have-names-like-master_-1666775151). There have also been revelations about the attacks themselves, including analysis that shows both that the malware used was tailored specifically to Sony's network (http://logfile.packetninjas.net/malware-created-specifically-for-sony/) and that the attackers apparently took a page from the 2012 attack on Saudi Aramco known as "Shamoon." Specifically: both the Sony malware and “Disstrack” (the malware used in the “Shamoon” attack on Saudi Aramco) relied on the same commercial tool to access and erase the hard drive, a program called RawDisk by the company Eldos, according to a source with knowledge of the attack, the Christian Science Monitor reported today."

Link to Original Source

FBI Analysis of Wiper Malware Finds Korean Language Packs, Hard Coded Targets

chicksdaddy chicksdaddy writes  |  about three weeks ago

chicksdaddy (814965) writes "A copy of the FBI's recent five-page FLASH alert reveals that the malware alleged to have wiped out systems at Sony Pictures Entertainment deployed a number of malicious modules, including a version of a commercial disk wiping tool on target systems. Samples of the malware obtained by the FBI were also found to contain configuration files created on systems configured with Korean language packs.

The use of Korean could strengthen theories that the destructive cyber attacks have links to North Korea, though it is hardly conclusive. It does appear that the attack was targeted at a specific organization. The malware analyzed by the FBI contained a hard coded list of IP addresses and computer host names.

Media reports have linked the malware to the destructive attack on Sony Pictures Entertainment, though the FBI FLASH alert does not name Sony or any other organization. A group calling itself #GOP – for Guardians of Peace – took responsibility for that attack last week.

Theories about the purpose of the attack on Sony abound. One of the more colorful explanations has the destructive cyber attack as retribution for The Interview, a new Sony film due out at Christmas starring Seth Rogen and James Franco. (http://www.independent.co.uk/arts-entertainment/films/news/did-north-korea-hackers-leak-sony-films-in-revenge-for-comedy-the-interview-9896716.html) The two play western journalists who score an interview with North Korean dictator Kim Jong Un, and are then instructed by the U.S. Central Intelligence Agency to assassinate him. The government of the Democratic People's Republic of Korea (DPRK) publicly criticized Sony for plans to release the film and lodged a complaint with the United Nations. (http://www.telegraph.co.uk/news/worldnews/asia/northkorea/10914088/North-Korea-slams-US-film-The-Interview-about-Kim-Jong-un.html)"

Link to Original Source

FIN4 Group Used Phishing Attacks To Steal, Trade On Privileged Corporate Data

chicksdaddy chicksdaddy writes  |  about three weeks ago

chicksdaddy (814965) writes "Reuters has the scoop this morning on a new report out from the folks at FireEye about a cyber espionage ring that targets financial services firms. (http://www.reuters.com/article/2014/12/01/cybersecurity-wall-street-idUSL2N0TK0SE20141201)

The campaign, dubbed FIN4 by FireEye, stole corporate secrets for the purpose of gaming the stock market. FireEye believes that the extensive cyber operation compromised sensitive data about dozens of publicly held companies. According to the FireEye report, the victims include financial services firms and those in related sectors, including investment bankers, attorneys and investor relations firms.

Rather than attempting to break into networks overtly, the attackers targeted employees within each organization. Phishing e-mail messages led victims to bogus web sites controlled by the hackers, who harvested login credentials to e-mail and social media accounts. Those accounts were then used to expand the hackers' reach within the target organization: sending phishing email messages to other employees."

Link to Original Source

Gridlock In Action: Retailers Demand New Regulations To Protect Consumers

chicksdaddy chicksdaddy writes  |  about a month ago

chicksdaddy (814965) writes "How bad is the gridlock in Washington D.C.? So bad that the nation's retailers are calling for federal legislation on cyber security and data protection to protect consumer information — this even though they would bear the brunt of whatever legislation is passed.

The Security Ledger notes (https://securityledger.com/2014/11/retailers-demanding-federal-action-on-data-breach/) that groups representing many of the nation's retailers sent a letter to Congressional leaders last week urging them to pass federal data protection legislation that sets clear rules for businesses serving consumers. The letter, dated November 6, was addressed to the majority and minority party leaders of the U.S. Senate and the House of Representatives and signed by 44 state and national organizations representing retailers, including the National Retail Federation, the National Grocers Association, the National Restaurant Association and the National Association of Chain Drug Stores, among others.

“The recent spate of news stories about data security incidents raises concerns for all American consumers and for the businesses with which they frequently interact,” the letter reads. “A single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs.”

Retailers would likely bear the brunt of a new federal data protection law. The motivation for pushing for one anyway may be simplicity. Currently, there are 47 different state-based security breach notification laws, as well as laws in the District of Columbia and Guam. (http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx) There is broad, bi-partisan agreement on the need for a data breach and consumer protection law. However, small differences of opinion on its scope and provisions, exacerbated by political gridlock in Congress since 2010, have combined to stay the federal government’s hand."

Link to Original Source

With Attacks On Fracking Firms, Chinese Hackers Do Mess With Texas

chicksdaddy chicksdaddy writes  |  about a month and a half ago

chicksdaddy (814965) writes "The technology revolution that is “fracking” has created billions in wealth for states like Pennsylvania, Texas, Ohio and Wyoming. But all that oil and all those dollars have attracted the attention of sophisticated spies from near and far to steal valuable trade secrets. (https://digitalguardian.com/blog/industry-spies-do-mess-texas)

Digital Guardian's blog notes this report (http://www.news4sanantonio.com/news/features/top-stories/stories/oil-field-espionage-eagle-ford-shale-16921.shtml) from News 4 San Antonio in Texas which quotes local FBI officials saying they are “very concerned” about theft of trade secrets from companies engaged in “fracking” in the Eagle Ford Shale in Texas.

“It's corporate espionage, there’s no question about it," said Christopher Combs of the San Antonio FBI. “Foreign governments or foreign companies are looking for any competitive advantage. Whether it's the widget that you use to drill, or it's a process that you use to track inventory better. They're really looking at the company as a whole to find out every little thing that you do that makes you a better company on the world market."

Combs declined to name specific firms, but said that Chinese firms are “aggressively” engaged in industrial espionage. However, the problem isn’t limited to China. Companies with ties to governments that are U.S. allies are believed to be conducting espionage against innovative US firms as well.

Hydraulic fracturing – or “fracking” – is a method used to extract oil or gas deposits from porous rock like sandstone and shale. The technique was developed in the United States with financial support from the U.S. government and is now used commercially in shale deposits in the U.S., Canada and China. However, the specific technology and methods associated with fracking are closely guarded and highly valuable to drilling outfits.

Recent history suggests that oil and gas exploration is an area of intense activity for cyber spying. In July, the Department of Homeland Security warned of targeted attacks against energy firms in the U.S. and Europe linked to the "Havex" malware, a kind of remote access tool. (https://securityledger.com/2014/07/dhs-warns-energy-firms-of-malware-used-in-targeted-attacks/) That same month, the American Petroleum Institute launched an Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) designed to help protect companies in the industry from attacks and evaluate risks through information sharing. (http://ongisac.org/)"

Link to Original Source

Wanna Breach: Phony Data Leaks Can Cause Real Damage to Companies

chicksdaddy chicksdaddy writes  |  about 2 months ago

chicksdaddy (814965) writes "Headline-grabbing data breaches are such a fixture of our modern business environment (https://corporate.homedepot.com/mediacenter/pages/statement1.aspx) that they’ve spawned a knock-off market: phony data breaches designed to look like the real thing, the Security Ledger reports. (https://securityledger.com/2014/10/wanna-breach-counterfeit-data-breaches-are-a-thing/)

A research note from the firm Deloitte & Touche is warning companies about the threat of counterfeit breaches, in which malicious actors use false claims about massive data breaches to bedevil established firms – inflicting real economic and reputation damage.

Bogus breach claims are becoming more common — with gullible or hair-trigger 24/7 media coverage a leading contributor to the phenomenon. In October, for example, an individual posted what were purported to be stolen Dropbox account credentials on the site Pastebin. The message claimed the leaked credentials were part of a larger trove of 7 million accounts that were compromised — a claim that was widely reported. Dropbox, however, maintained that it was not hacked and that the leaked credentials – user names and passwords – were stolen from other online services.

Deloitte researcher Allison Nixon said companies need to develop strategies to quickly assess data breach claims: from automated analysis of user names against known customer accounts to statistical analysis of user name and password entropy. And companies should feel free to use the "sniff test": asking themselves how likely a real cyber criminal is to behave in the way they are observing.

The public and media should also view claims of data theft and hacks with a more skeptical eye, Nixon says."

Link to Original Source

McKinsey: Consumers Want Smart Cars - But Fear Them Also

chicksdaddy chicksdaddy writes  |  about 2 months ago

chicksdaddy (814965) writes "The Security Ledger reports on a survey from consulting firm McKinsey & Co. (https://securityledger.com/2014/10/mckinsey-consumers-want-connected-cars-and-fear-them-too/#.VDa0dyldXWI) that has some sobering data for car makers: concerns about privacy and the possibility of car hacking are major concerns that could dampen enthusiasm for smart vehicles.

The report, “What’s Driving the Connected Car?” (http://www.mckinsey.com/insights/manufacturing/whats_driving_the_connected_car) finds that connectivity features will be a major driver of car sales in the coming years. The survey of 2,000 new car buyers in Brazil, China, Germany and the U.S. found that a quarter of respondents considered connectivity a more important feature than engine power or even fuel efficiency.

Connected (or "smart") car features will become ubiquitous and expected, McKinsey predicts, but won't demand a premium from buyers as they do today.

However, car makers also face a considerable hurdle in convincing the buying public to accept connected car technologies. According to McKinsey, 37 percent of respondents to their survey said they “would not even consider a connected car.” At the root of resistance to connected vehicle technology were ubiquitous fears about vehicles being hacked – which were evident in each country that McKinsey surveyed.

In Germany and Brazil, 59 percent of those surveyed strongly agreed with the statement “I am afraid that people can hack into my car and manipulate it (eg, the braking system) if the car is connected to the Internet.” 53 percent of respondents agreed with that statement in China and 43 percent in the U.S.

That leaves car makers in a tricky position: trying to satisfy customers who "demand connectivity, have security concerns regarding it, and are only marginally willing to pay for it." Hmm...where have we heard that before??"

Link to Original Source

FDA issues Guidance on Cybersecurity of Medical Devices

chicksdaddy chicksdaddy writes  |  about 3 months ago

chicksdaddy (814965) writes "The Security Ledger reports (https://securityledger.com/2014/10/fda-issues-guidance-on-security-of-medical-devices) that the U.S. Food and Drug Administration (FDA) issued final guidance on Wednesday that calls on medical device manufacturers to consider cyber security risks as part of the design and development of devices. (http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm416809.htm)

The document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” (http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf) asks device makers seeking FDA approval of medical devices to disclose any “risks identified and controls in place to mitigate those risks” in medical devices. The guidance also recommends that manufacturers submit documentation of plans for patching and updating the operating systems and medical software that devices run.

While the guidance does not have the force of a mandate, it does put medical device makers on notice that FDA approval of their device will hinge on a consideration of cyber risks alongside other kinds of issues that may affect the functioning of the device. Among other things, medical device makers are asked to avoid worst-practices like 'hardcoded' passwords and use strong (multi-factor) authentication to restrict access to devices. Device makers are also urged to restrict software and firmware updates to authenticated (signed) code and to secure inbound and outbound communications and data transfers."

Link to Original Source

Senate Report: Military In The Dark As China Hacked Transportation Command

chicksdaddy chicksdaddy writes  |  about 3 months ago

chicksdaddy (814965) writes "The Security Ledger reports (https://securityledger.com/2014/09/senate-report-warns-of-attacks-on-military-transport-contractors/#.VBrO4C5dXWI) on a Senate Armed Services Committee investigation that found evidence that hackers associated with the Chinese government compromised the computer systems of U.S. Transportation Command contractors at least 20 times in a single year. The attacks pose a serious risk to the system that moves military troops and equipment.

U.S. Transportation Command – a joint military/civilian program – was targeted by hackers believed to be affiliated with the Chinese government, a Senate Intelligence Committee investigation found.

The Committee released the report on Wednesday. (http://www.armed-services.senate.gov/imo/media/doc/SASC_Cyberreport_091714.pdf) It found a serious gap in awareness and reporting requirements. TRANSCOM was only aware of two of the 20 intrusions, while U.S. Transportation Command remained mostly unaware of the computer compromises of contractors during and after the attacks.

The incidents include an attack that spanned two years – from 2008 to 2010 – and that captured emails, documents, passwords and computer code. A 2012 attack gained access to “multiple systems” onboard a commercial ship contracted by TRANSCOM, the Committee found.

Information sharing about cyber attacks was woeful. An audit of a subset of TRANSCOM contractors uncovered 11 cyber intrusions believed to be linked to China. The Committee said the FBI or DoD had already identified another 9 linked to TRANSCOM contractors. Of those 20, however, information on just two was relayed back to TRANSCOM."

Link to Original Source

Facebook Awards $50,000 Prize For Internet Defense

chicksdaddy chicksdaddy writes  |  about 3 months ago

chicksdaddy (814965) writes "The Security Ledger reports (https://securityledger.com/2014/08/facebook-awards-internet-defense-prize-for-work-on-securing-web-apps/) on Facebook awarding its first ever monetary prize for groundbreaking work on cyber defense.

In a blog post on Wednesday, the company announced that its first ever $50,000 Internet Defense Prize was awarded to Johannes Dahse and Thorsten Holz, both of Ruhr-Universität Bochum in Germany, for their work on a method for making software less prone to being hacked. (https://www.facebook.com/notes/protect-the-graph/internet-defense-prize-awarded-at-23rd-usenix-security-symposium/1491475121092634)

Dahse and Holz developed a method for detecting so-called “second-order” vulnerabilities in Web applications using automated static code analysis. Their paper (https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-dahse.pdf) was presented at the 23rd USENIX Security Symposium in San Diego. (https://www.usenix.org/conference/usenixsecurity14/technical-sessions)

In a blog post announcing the prize, John Flynn, a security engineering manager at Facebook, said the Internet Defense Prize recognizes “superior quality research that combines a working prototype with significant contributions to the security of the Internet—particularly in the areas of protection and defense.”

Second order vulnerabilities are distinct from ‘first order’ security holes like SQL injection and cross site scripting. They allow an attacker to use one of those first-order flaws to manipulate a web application and store a malicious payload on a web server. That payload, which may be stored as a shared resource on the application server, can later be used to target all users of the application.

Dahse and Holz’s work was chosen by a panel to receive the prize both on its technical merit and because panelists “could see a clear path for applying the award funds to push the research to the next level,” Flynn wrote."

Link to Original Source

Antivirus Hapless In Protecting China's Uyghurs From Targeted Attacks

chicksdaddy chicksdaddy writes  |  about 4 months ago

chicksdaddy (814965) writes "The Security Ledger reports (https://securityledger.com/2014/08/study-finds-unrelenting-cyber-attacks-against-chinas-uyghurs/) on a new study of China's persecuted Uyghur minority that describes a community besieged by cyber attacks and with little protection from punchless antivirus software.

The study, “A Look at Targeted Attacks Through the Lense of an NGO” (http://www.mpi-sws.org/~stevens/pubs/sec14.pdf) is being presented at the USENIX Security Conference in San Diego on August 21. In it, researchers at Northeastern University and the Max Planck Institute studied a trove of more than 1,400 suspicious email messages sent to 724 individuals at 108 separate organizations affiliated with the Uyghur World Congress, an umbrella group representing Uyghur interests.

The study found that the "APT" style targeted attacks weren't so "advanced" after all. The individuals or groups behind the attacks relied heavily on malicious e-mail attachments to gain a foothold on computers, with malicious Microsoft Office or Adobe PDF attachments the favorite bait. The groups behind the attacks did not rely on – or need – previously unknown (or “zero day”) software vulnerabilities to carry out attacks. Known (but recent and unpatched) software vulnerabilities were enough to compromise victim systems.

NGO groups are depicted as having few defenses against the attacks: antivirus software was largely ineffective at stopping malicious programs used in the attacks. “No single tool detected all of the attacks, and some attacks evaded detection from all of the antivirus scanners,” wrote Engin Kirda, a researcher at Northeastern University, in a blog post. (http://labs.lastline.com/a-look-at-advanced-targeted-attacks-through-the-lense-of-a-human-rights-ngo-world-uyghur-congress) Even months after the malware was used against the WUC, “standard anti-virus (AV) detection software was insufficient in detecting these targeted attacks,” Kirda wrote."

Link to Original Source

Popular Web Sites Still Getting Gamed For SEO Attacks

chicksdaddy chicksdaddy writes  |  about 4 months ago

chicksdaddy (814965) writes "The security community has been aware of the danger posed by open redirect vulnerabilities (http://cwe.mitre.org/data/definitions/601.html) for years, but that hasn't added any urgency to calls to fix them.

Now data from Akamai shows that open redirects are a leading culprit in SEO attacks, in which scammers use redirects from legitimate web sites to plant malicious software on the computers of unsuspecting visitors. "Open redirect vulnerabilities are frequently left un-patched on major sites across the Internet, and these vulnerabilities are being exploited extensively by malicious actors and organizations," writes Akamai researcher Or Katz in a post on The Security Ledger.

In just one example, Akamai observed an SEO attack in which 4,000 compromised web servers at legitimate web sites were used to redirect visitors to more than 10,000 malicious domains. The activity also served to boost the search engine ranking of the malicious sites, Akamai said."

Link to Original Source
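The CWE-601 pattern described in the post above, shown as an added example that is not part of the Security Ledger post or Akamai's research: the vulnerable "trust the next parameter" redirect next to an allowlist-based replacement. The host names are constructed for the example; the function names are my own.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts this site may legitimately redirect to (constructed for the example).
ALLOWED_HOSTS = {"www.example-news.com", "example-news.com"}
DEFAULT_TARGET = "/"


def unsafe_redirect_target(requested):
    """The open-redirect pattern (CWE-601): whatever arrives in the
    ?next= parameter is handed straight to the Location header."""
    return requested or DEFAULT_TARGET


def safe_redirect_target(requested, allowed_hosts=ALLOWED_HOSTS,
                         default=DEFAULT_TARGET):
    """Return a redirect target that stays on this site or on an
    allowlisted https host; anything else falls back to `default`."""
    if not requested:
        return default

    # Browsers treat a backslash in the authority position like a slash,
    # so "/\evil.example" would become "//evil.example". Normalise first.
    candidate = requested.strip().replace("\\", "/")

    # Control characters and embedded whitespace are only ever used to
    # smuggle a scheme past a parser; reject them outright.
    if any(ord(ch) < 0x20 or ch == " " for ch in candidate):
        return default

    parts = urlsplit(candidate)

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only https to an allowlisted
        # host is acceptable. This also rejects javascript:, data:, and
        # "https://www.example-news.com@evil.example/" (hostname is the
        # part after the '@', which urlsplit exposes as .hostname).
        if parts.scheme.lower() != "https":
            return default
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return default
        return urlunsplit(("https", parts.netloc, parts.path or "/",
                           parts.query, ""))

    # Site-relative path: exactly one leading slash, fragment dropped.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


def compare(requested):
    """Show what each handler would emit for one ?next= value."""
    return {"unsafe": unsafe_redirect_target(requested),
            "safe": safe_redirect_target(requested)}


if __name__ == "__main__":
    # Constructed sample values a redirect handler might receive.
    for value in ["/dashboard?tab=1",
                  "https://www.example-news.com/account",
                  "//evil.example/landing",
                  "/\\evil.example",
                  "https://www.example-news.com@evil.example/",
                  "javascript:alert(1)"]:
        print(f"{value!r:50} -> {compare(value)}")
```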

Old Apache Code at Root of Android FakeID Mess

chicksdaddy chicksdaddy writes  |  about 5 months ago

chicksdaddy (814965) writes "The Security Ledger reports that a four-year-old vulnerability in an open source component that is a critical part of the Android mobile OS leaves hundreds of millions of mobile devices susceptible to silent malware infections. (https://securityledger.com/2014/07/old-apache-code-at-root-of-android-fakeid-mess/)

The vulnerability was disclosed on Tuesday (http://bluebox.com/news/). It affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox. According to Bluebox, the vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes “an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim.”

The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual ‘sandbox’ environments that keep malicious programs from accessing sensitive data and other applications running on the Android device.

In a scenario that is becoming all too common, the flaw appears to have been introduced to Android through an open source component — this time from Apache Harmony (http://harmony.apache.org/), an open source alternative to Oracle’s Java. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged."

Link to Original Source

CNN iPhone App Sends iReporters' Passwords In The Clear

chicksdaddy chicksdaddy writes  |  about 5 months ago

chicksdaddy (814965) writes "The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application — one of the leading mobile news apps — transmits user login session information in clear text. (https://securityledger.com/2014/07/cnn-app-leaks-passwords-of-citizen-reporters/) The security flaw could leave users of the application vulnerable to having their login credentials snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events, zScaler warned in a blog post.

According to a zScaler analysis (http://research.zscaler.com/2014/07/cnn-app-for-iphone.html), CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.

The privacy of journalists' private communications has never been more at risk. Reporters find themselves in the crosshairs of sophisticated hacking crews, often working at the beck and call of anti-democratic regimes. They have infiltrated the networks of newspapers like The New York Times and The Washington Post — often in search of confidential communications between reporters and policy makers or human rights activists. (http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html) Here in the U.S., the Obama Administration is aggressively pursuing Pulitzer Prize-winning journalist James Risen of The New York Times in order to uncover the source for a chapter in his book State of War concerning a covert US operation against Iran. (http://www.npr.org/blogs/thetwo-way/2014/06/02/318214947/times-reporter-must-testify-about-source-court-decides)"

Link to Original Source

Tired of playing cyber cop, Microsoft looks for partners in crime fighting

chicksdaddy writes | about 5 months ago

chicksdaddy (814965) writes "When it comes to fighting cyber crime, few companies can claim to have done as much as Redmond, Washington-based Microsoft, which spent the last five years as the Internet's Dirty Harry: using its size, legal muscle and wealth to single-handedly take down cyber criminal networks from Citadel to Zeus to the recent seizure of servers belonging to the (shady) managed DNS provider NO-IP.

The company's aggressive posture towards cyber crime outfits and the companies that enable them has earned it praise, but also criticism. That was the case last week after legitimate customers of NO-IP alleged that Microsoft's unilateral action had disrupted their business. (http://www.itworld.com/it-management/425601/no-ip-regains-control-some-domains-wrested-microsoft)

There's evidence that those criticisms are hitting home – and that Microsoft may be growing weary of its role as judge, jury and executioner of online scams. Microsoft Senior Program Manager Holly Stewart gave a sober assessment of the software industry's fight against cyber criminal groups and other malicious actors.

Speaking to a gathering of cyber security experts and investigators at the 26th annual FIRST Conference in Boston (http://www.first.org/conference/2014), she said that the company has doubts about the long term effectiveness of its botnet and malware takedowns.

Redmond is willing to use its clout to help other companies stomp out malicious software like botnets and Trojan horse programs. Stewart said Microsoft will use its recently announced Coordinated Malware Eradication (CME) program to empower researchers, industry groups and even other security firms that are looking to eradicate online threats. That includes everything from teams of malware researchers and PR professionals to software and cloud-based resources like the company's Malicious Software Removal Tool and Windows Update.

"Use MSRC as a big hammer to stomp out a malware family," Stewart implored the audience, referring to the Microsoft Security Response Center. "Go ahead and nominate a malware family to include in MSRT," she said, referring to the Malicious Software Removal Tool."

Link to Original Source

FDA: We Can't Scale To Regulate Mobile Health Apps

chicksdaddy writes | about 5 months ago

chicksdaddy (814965) writes "Mobile health and wellness is one of the fastest growing categories of mobile apps. Already, apps exist that measure your blood pressure (http://www.withings.com/us/blood-pressure-monitor.html) and take your pulse (https://itunes.apple.com/us/app/thinklabs-stethoscope-app/id346239083?mt=8) - jobs traditionally done by tried and true instruments like blood pressure cuffs and stethoscopes.

If that sounds to you like the kind of thing the FDA should be vetting, don't hold your breath. A senior advisor to the U.S. Food and Drug Administration (FDA) has warned that the current process for approving medical devices couldn’t possibly meet the challenge of policing mobile health and wellness apps and that, in most cases, the agency won't even try.

Bakul Patel, an advisor to the FDA, said the agency couldn't scale to police hundreds of new health and wellness apps released each month to online marketplaces like the iTunes AppStore and Google Play.

“It’s just not possible,” Patel said at a panel discussion of medical device security hosted by the National Institute of Standards and Technology’s (NIST’s) Information Security and Privacy Advisory Board (ISPAB) in June. (podcast available here: http://blog.secure-medicine.or...)

Estimates put the number of new, mobile health applications created each month at 500. But the FDA has reviewed no more than 80 so far – a small (and shrinking) fraction of the population.

In September, 2013, the FDA issued guidance to mobile application publishers about what kinds of mobile applications would qualify as medical devices. (https://securityledger.com/2013/09/fda-says-some-medical-apps-a-kind-of-medical-device/) The FDA said it will exercise oversight of mobile medical applications that are accessories to regulated medical devices, or that transform a mobile device into a regulated medical device. In those cases, the FDA said that mobile applications will be assessed “using the same regulatory standards and risk-based approach that the agency applies to other medical devices.”

Speaking on the NIST panel in June, Patel reiterated that guidance. Most mobile medical applications were really “health and wellness” tools that couldn’t adversely affect patient health. But he said the agency would treat applications that are mobile companions to regulated medical devices – like insulin pumps – differently. And he said that was a fine place to draw the line: most mobile health applications have short lifespans on the Appstore or Google Play. Diverting FDA resources to vetting them would be a waste of time.

“The whole mobile application world has its own ecosystem. Mobile apps live and die and it's all user or consumer driven," he said. "The end-of-life cycle is so short compared to any other products we see. We need to focus on oversight of what is sustained and maintained.”"

Link to Original Source

Industrial Control System Firms in Dragonfly Attack Identified

chicksdaddy writes | about 5 months ago

chicksdaddy (814965) writes "Two of the three industrial control system (ICS) software companies that were victims of the so-called "Dragonfly" malware have been identified, The Security Ledger reports. (https://securityledger.com/2014/07/industrial-control-vendors-identified-in-dragonfly-attack/)

Dale Peterson of the firm Digitalbond identified the vendors (http://www.digitalbond.com/blog/2014/07/02/havex-hype-unhelpful-mystery/) as MB Connect Line (http://mbconnectline.com/index.php/en/contact/company), a German maker of industrial routers and remote access appliances and eWon (http://www.ewon.biz/en/home.html), a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers. Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.

The three firms, which serve customers in industry, including owners of critical infrastructure, were the subject of a warning from the Department of Homeland Security. DHS’s ICS CERT said it was alerted to compromises of the vendors by researchers at the security firms Symantec and F-Secure. (https://securityledger.com/2014/07/dhs-warns-energy-firms-of-malware-used-in-targeted-attacks/) DHS said it is analyzing malware associated with the attacks. The malicious software, dubbed “Havex,” was being spread by way of so-called “watering hole” attacks that involved compromises of vendors' web sites.

According to Symantec, the malware targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. Most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

Symantec described the group behind the Dragonfly/Havex malware as “well resourced, with a range of malware tools at its disposal.” The security firm Crowdstrike said the attacks were part of a cybercrime group it dubbed “Energetic Bear” (http://www.reuters.com/article/2014/07/02/us-cybersecurity-energeticbear-idUSKBN0F722V20140702) that was focused on espionage and of Russian origin.

Contacted by The Security Ledger, Gérald Olivier, a Marketing Manager at eWon, said the compromise of its website occurred in January, 2014. According to an incident report prepared by the company, the attackers compromised the content management system (CMS) used to manage the company’s website and uploaded a corrupted version of a setup program for an eWon product called Talk2M. Hyperlinks on the eWon page that linked to the legitimate Setup file were changed to point to the malicious file. If installed, the malware could capture the login credentials of eWon Talk2M customers. The second firm, MB Connect Line, did not respond to requests for comment from The Security Ledger."

Link to Original Source

Trivial Bypass of PayPal Two-Factor Authentication On Mobile Devices

chicksdaddy writes | about 6 months ago

chicksdaddy (814965) writes "The Security Ledger reports on research from DUO Labs that exposes a serious gap in protection with PayPal Security Key, the company's two-factor authentication service.

According to DUO (https://duosecurity.com/blog/duo-security-researchers-uncover-bypass-of-paypal-s-two-factor-authentication), PayPal's mobile app doesn't yet support Security Key and displays an error message to users with the feature enabled when they try to log in to their PayPal account from a mobile device, terminating their session automatically.

However, researchers at DUO noticed that the PayPal iOS application would briefly display a user’s account information and transaction history prior to displaying that error message and logging them out. The behavior suggested that mobile users were, in fact, being signed in to their account prior to being logged off. The DUO researchers investigated: intercepting and analyzing the Web transaction between the PayPal mobile application and PayPal’s back end servers and scrutinizing how sessions for two-factor-enabled accounts versus non-two-factor-enabled accounts were handled.

They discovered that the API uses the OAuth technology for user authentication and authorization, but that PayPal only enforces the two-factor requirement on the client – not on the server.

An attacker with knowledge of the flaw and a PayPal user's login and password could easily evade the requirement to enter a second factor before accessing the account and transmitting money."

Link to Original Source
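As an added illustration of the client-side enforcement gap the post above describes (example code written for this page, not DUO's research code or PayPal's API), a toy OAuth-style token endpoint in Python: the flawed version issues a full-scope token after the password check and only flags that a second factor is required, trusting the client app to end the session, while the hardened version withholds full scope until the server itself has verified the factor. User names, passwords and the static one-time code are constructed sample data.

```python
"""Toy token endpoint contrasting client-side and server-side enforcement of a
second factor. Example code, not PayPal's or DUO's; all data is constructed."""
import hashlib
import hmac
import secrets

# Constructed user store: password hashes, whether 2FA is enabled, and a
# static one-time code standing in for a real OTP/Security Key response.
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"correct-horse").hexdigest(),
              "two_factor": True, "otp": "123456"},
    "bob": {"pw_hash": hashlib.sha256(b"hunter2").hexdigest(),
            "two_factor": False, "otp": None},
}


def _password_ok(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(rec["pw_hash"], digest)


def flawed_token_endpoint(user, password, otp=None):
    """Flawed pattern: a full-scope token is issued after the password check.
    The server merely reports that 2FA is enabled and relies on the client
    to log the user out, so a client that ignores the flag keeps full access."""
    if not _password_ok(user, password):
        return None
    return {"access_token": secrets.token_hex(16), "scope": "full",
            "two_factor_required": USERS[user]["two_factor"]}


def hardened_token_endpoint(user, password, otp=None):
    """Hardened pattern: for 2FA-enabled accounts the server verifies the
    second factor itself and otherwise issues only a step-up token whose
    scope cannot move money. No client-side decision is trusted."""
    if not _password_ok(user, password):
        return None
    rec = USERS[user]
    if rec["two_factor"] and (otp is None or not hmac.compare_digest(rec["otp"], otp)):
        return {"access_token": secrets.token_hex(16), "scope": "mfa_pending"}
    return {"access_token": secrets.token_hex(16), "scope": "full"}


def can_send_money(token):
    """Resource-server check: money movement requires a full-scope token."""
    return token is not None and token.get("scope") == "full"
```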

FTC Lobbies To Be Top Cop For Geolocation

chicksdaddy writes | about 6 months ago

chicksdaddy (814965) writes "As the U.S. Senate considers draft legislation governing the commercial use of location data, The Federal Trade Commission (FTC) is asking Congress to make it — not the Department of Justice — the chief rule maker and enforcer of policies for the collection and sharing of geolocation information, the Security Ledger reports. (https://securityledger.com/2014/06/ftc-wants-to-be-top-cop-on-geolocation/)

Jessica Rich, Director of the FTC Bureau of Consumer Protection, told the Senate Judiciary Committee’s Subcommittee for Privacy, Technology that the Commission would like to see changes to the wording of the Location Privacy Protection Act of 2014 (LPPA) (http://www.ftc.gov/news-events/press-releases/2014/06/ftc-testifies-geolocation-privacy). The LPPA is draft legislation introduced by Sen. Al Franken that carves out new consumer protections for location data sent and received by mobile phones, tablets and other portable computing devices. Rich said that the FTC, as the U.S. Government’s leading privacy enforcement agency, should be given rule making and enforcement authority for the civil provisions of the LPPA. The current draft of the law instead gives that authority to the Department of Justice (DOJ).

The LPPA updates the Electronic Communications Privacy Act to take into account the widespread availability and commercial use of geolocation information. LPPA requires that companies get individuals’ permission before collecting location data off of smartphones, tablets, or in-car navigation devices, and before sharing it with others.

It would prevent what Franken refers to as “GPS stalking,” preventing companies from collecting location data in secret. LPPA also requires companies to reveal the kinds of data they collect and how they share and use it, bans the development, operation, and sale of GPS stalking apps and requires the federal government to collect data on GPS stalking and facilitate reporting of GPS stalking by the public. (http://www.franken.senate.gov/files/documents/140327Locationprivacy.pdf)"

Link to Original Source


chicksdaddy has no journal entries.
