Facebook Hacks Points to Much Bigger Threat for Mobile Developers

In this case, the website of a legitimate mobile developer was targeted, with the attackers knowing the people they were really targeting (Facebook, Twitter etc) would sooner or later come to visit the site, allowing them to infect the computers of these organisations.

This type of attack allows hackers to infiltrate systems otherwise closed off to them as Facebook’s own security would spot a straightforward attack.

via Facebook Hacks Points to Much Bigger Threat for Mobile Developers – IBTimes UK.

The article mentions how many app developers on Mac platforms are operating with a false sense of security. Interesting read.

Sullivan has this advice for mobile app developers:

“Any developer who has Java enabled in his browser, has visited mobile developer websites in the last couple of months, and finds evidence his computer is compromised – probably should use his source code versioning system to check recent commits.”

Security Firm Bit9 Hacked, Used to Spread Malware

An hour after being contacted by KrebsOnSecurity, Bit9 published a blog post acknowledging a break-in. The company said attackers managed to compromise some of Bit9’s systems that were not protected by the company’s own software. Once inside, the firm said, attackers were able to steal Bit9’s secret code-signing certificates.

via Security Firm Bit9 Hacked, Used to Spread Malware — Krebs on Security.

RSA, IBM Bet On Big Data Analytics To Boost Security

“So think of a host beaconing out to a C2 (command-and-control) site on a regularly scheduled basis,” he tells Dark Reading. “If an analyst can isolate the suspect host, they can eyeball a graph to see that they’re reaching out to this host regularly. But with a big data approach, you can create a rule that computes and analyzes the interval between sessions and determines whether we’re talking about normal human activity, or machine-generated — which is innocuous — or scheduled activity like malware might do.”

via RSA, IBM Bet On Big Data Analytics To Boost Security – Dark Reading.

I recently caught a piece of malware on a PC on my open wifi doing something similar.
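
The interval rule described in the Dark Reading quote above, sketched as an added example (not code from RSA, IBM or the article). The log format, the sample lines, the function names and the thresholds `min_sessions` and `max_cv` are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample session log: ISO timestamp, internal host, destination.
SAMPLE_LOG = """\
2013-02-20T09:00:02 10.0.0.23 203.0.113.50
2013-02-20T09:05:01 10.0.0.23 203.0.113.50
2013-02-20T09:10:03 10.0.0.23 203.0.113.50
2013-02-20T09:15:00 10.0.0.23 203.0.113.50
2013-02-20T09:20:02 10.0.0.23 203.0.113.50
2013-02-20T09:25:01 10.0.0.23 203.0.113.50
2013-02-20T09:01:10 10.0.0.41 198.51.100.7
2013-02-20T09:01:55 10.0.0.41 198.51.100.7
2013-02-20T09:14:30 10.0.0.41 198.51.100.7
2013-02-20T09:16:02 10.0.0.41 198.51.100.7
2013-02-20T10:40:47 10.0.0.41 198.51.100.7
2013-02-20T10:41:05 10.0.0.41 198.51.100.7
"""

def session_intervals(log_text):
    """Return {(src, dst): [seconds between consecutive sessions]}."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        stamp, src, dst = parts
        times[(src, dst)].append(datetime.fromisoformat(stamp))
    intervals = {}
    for pair, stamps in times.items():
        stamps.sort()
        intervals[pair] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return intervals

def find_scheduled(log_text, min_sessions=5, max_cv=0.1):
    """Flag pairs whose intervals are near-constant (low coefficient of variation)."""
    flagged = {}
    for pair, gaps in session_intervals(log_text).items():
        if len(gaps) + 1 < min_sessions:
            continue  # too few sessions to judge regularity
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[pair] = round(avg)  # typical period in seconds
    return flagged

if __name__ == "__main__":
    for (src, dst), period in find_scheduled(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: sessions about every {period}s")
```

A low coefficient of variation only says the traffic is scheduled, so legitimate pollers such as update checks will match too and need an allowlist. Beacons that add random jitter to their sleep interval will need a looser `max_cv` or a different statistic.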

5 years after major DNS flaw is discovered, few US companies have deployed long-term fix

Network World – Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat.

via 5 years after major DNS flaw is discovered, few US companies have deployed long-term fix.

ACM Classic: Reflections on Trusting Trust

The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.

via ACM Classic: Reflections on Trusting Trust.

A wireless router that tracks user activity—but for a good reason

The optimal policies for each application are then packaged into periodic firmware updates sent back to routers. People who sign up for the cloud service and contribute data will get the updated policies in automatic updates. Even those who want nothing to do with the cloud service can get the benefits by updating their router whenever they’d like.

via A wireless router that tracks user activity—but for a good reason | Ars Technica.

What could possibly go wrong with this plan? 🙂

The ICSI Certificate Notary

Much of the Internet’s end-to-end security relies on the SSL protocol, along with its underlying X.509 certificate infrastructure. However, the system remains quite brittle due to its liberal delegation of signing authority: a single compromised certification authority undermines trust globally. The ICSI Notary helps clients to identify malicious certificates by providing a third-party perspective on what they should expect to receive from a server. While similar in spirit to existing efforts, such as Convergence and the EFF’s SSL observatory, our notary collects certificates passively from live upstream traffic at multiple independent Internet sites, aggregating them into a central database in near-realtime.

via The ICSI Certificate Notary.

Security Hole in Samsung Smart TVs Could Allow Remote Spying

ReVuln’s policy of disclosing security holes only to paying customers has met with disapproval from both vendors and security pros, who argue that companies should do what they can to eradicate dangerous software holes. However, the company is unbowed, maintaining that selling knowledge of software security holes is a legitimate business and helps the company recoup the costs of researching the holes and developing proof of concept exploits for them.

via Security Hole in Samsung Smart TVs Could Allow Remote Spying | The Security Ledger.

A little short on details as I wondered how this could be done sitting behind a proper firewall.

How Skype & Co. get round firewalls

Network administrators who do not appreciate this sort of hole in their firewall and are worried about abuse, are left with only one option – they have to block outgoing UDP traffic, or limit it to essential individual cases. UDP is not required for normal internet communication anyway – the web, e-mail and suchlike all use TCP. Streaming protocols may, however, encounter problems, as they often use UDP because of the reduced overhead.

via How Skype & Co. get round firewalls – The H Security: News and Features.