Category: Cybersecurity


Skype flaw reveals users’ location, file-downloading habits

Filed under: Cybersecurity, Exploit, GPS, Hackers, Internet, Security, Skype by Ryan Boese — Leave a comment
December 2, 2011

Researchers have found a flaw in Skype, the popular Voice-over-Internet-Protocol service which allows users to make video phone calls and internet chat with their computers. The vulnerability can expose your location, identity and the content you’re downloading. Microsoft, which owns Skype, says they are working on the problem.

The issue was uncovered earlier this year by a team of researchers from Polytechnic Institute of New York University (NYU-Poly), MPI-SWS in Germany and INRIA in France and included Keith Ross, Stevens Le Blond, Chao Zhang, Arnaud Legout, and Walid Dabbous. The team presented the research in Berlin recently at the Internet Measurement Conference 2011 in a paper titled “I know where you are and what you are sharing.”

The researchers found several properties of Skype that can track not only users’ locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without the user’ consent.

Even when a user blocks callers or connects from behind a Network Address Translation (NAT) — a common type of firewall — it does not prevent the privacy risk,” according to a release from NYU-Poly.

The research team tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period and found that callers using VoIP systems can obtain the IP address of another user when establishing a call with that person. The caller can then use commercial geo-IP mapping services to determine the other user’s location and Internet Service Provider (ISP).

The user can also initiate a Skype call, block some packets and quickly terminate the call to obtain an unsuspecting person’s IP address without alerting them with ringing or pop-up windows. Users do not need to be on a contact list, and it can be done even when a user explicitly configures Skype to block calls from non-contacts.

The research also revealed that marketers can easily link to information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands.

“We feel the implications are very severe,” Ross told CSO. “For example, a high-school hacker, or anyone with basic programming and hacking skills, could track, for example, all the Congressmen in the United States, or the employees of a company. The attack can be used by blackmailers, stalkers, or journalists looking for a racy story about a politician.”

Skype and Microsoft Corp. were informed of the researchers’ findings and The New York Times reports that Skype is aware of the issue.

“We value the privacy of our users and are committed to making our products as secure as possible,” Adrian Asher, Skype’s chief information security officer, said in a statement. “Just as with typical Internet communications software, Skype users who are connected may be able to determine each other’s IP address. Through research and development, we will continue to make advances in this area and improvements to our software.”

Source: NetworkWorld

Tags: , , , , , , , ,
Comment

BlackBerry, iPhone, Gmail users at risk: WikiLeaks

Filed under: Android, Apple, Blackberry, Cybersecurity, Exploit, Google, Hackers, Internet, Mobile, RIM, Security, Technology, Telecom by Ryan Boese — Leave a comment
December 2, 2011

WikiLeaks is out with yet another explosive expose. It has released 287 files of numerous companies containing details of mass surveillance.

Speaking in London, WikiLeaks founder Julian Assange said more than 150 organisations worldwide were selling information obtained by monitoring people’s mobile phones and computers.

“Today, we release over 287 files, documenting the reality of the international mass surveillance industry. An industry which now sells equipment to dictators and democracies alike, in order to intercept entire populations. 9/11 has provided a license for European countries, for United States, Australia, Canada, South Africa and others to develop spying systems that affect all of us,” Assange said.

He added that iPhone, Blackberry and Gmail users were at risk.

The whistleblower website has in the past released classified US documents on the Iraq and Afghan wars as well as controversial details of US diplomatic cables.

 

 

Source: IBNLive Tech

Tags: , , , , ,
Comment

Dropbox drops a critical update, software wide open to hackers

Filed under: Applications, Cybersecurity, Exploit, Hackers, Security, Software, Windows by Ryan Boese — Leave a comment
November 10, 2011

Today sees Dropbox release a security update that plugs up a serious security vulnerability in the client software.

Prior to this update, all a third party needed to do to gain access to someone’s Dropbox account was to copy the Dropbox configuration files from one PC to another. These configuration files could be copied directly from the PC or extracted from a system backup. Once in possession of these files, the third-party had total access to the Dropbox account even if the user changed their password. The only way to revoke access was to unlink the rogue system from the account using the account setting page over on the Dropbox website.

Dropbox version 1.2.48 fixes this serious vulnerability. However, because the client software can take several weeks to auto update, you have to carry out the procedure manually.

If you’re a Dropbox user I strongly urge you to install this update immediately!

Source: ZDNet

Tags: , , , , ,
Comment

Adobe Abandons Mobile Flash Development

Filed under: Adobe, Android, Computers, Cybersecurity, Exploit, Flash, Hackers, Malware, RootKit, Security by Ryan Boese — 3 Comments
November 9, 2011

Latest Update: Adobe confirmed it will cease Flash development on mobile devices in a press release published Wednesday morning.

In an abrupt about-face in its mobile software strategy, Adobe will soon cease developing its Flash Player plug-in for mobile browsers, according to an e-mail sent to Adobe partners on Tuesday evening.

And with that e-mail flash, Adobe has signaled that it knows, as Steve Jobs predicted, the end of the Flash era on the web is coming soon.

The e-mail, obtained and first reported on by ZDNet, says that Adobe will no longer continue to “adapt Flash Player for mobile devices to new browser, OS version or device configurations,” instead focusing on alternative application packaging programs and the HTML5 protocol.

“Our future work with Flash on mobile devices will be focused on enabling Flash developers to package native apps with Adobe AIR for all the major app stores,” the quoted e-mail says.

In the past, Adobe has released software tools for mobile developers that create a single platform programmers can use to make applications that work across three major mobile platforms: Android, iOS and the BlackBerry OS. While it’s seemingly easier than learning all of the native languages for each operating system, some developers have claimed a loss in app performance when coding in a non-native language that then gets translated into other languages.

The move indicates a massive backpedaling on Adobe’s part, a company who championed its Flash platform in the face of years of naysaying about its use on mobile devices. Despite Flash’s near ubiquity across desktop PCs, many in the greater computing industry, including, famously, Apple Computer, have denounced the platform as fundamentally unstable on mobile browsers, and an intense battery drain. In effect, Flash’s drawbacks outweigh the benefits on mobile devices.

Flash became a dominant desktop platform by allowing developers to code interactive games, create animated advertisements and deliver video to any browser that had the plugin installed, without having to take into account the particulars of any given browser. However, with the development of Javascript, CSS, and HTML5, which has native support for video, many web developers are turning away from Flash, which can be a resource hog even on the most advanced browsers.

Apple made its biggest waves in the case against Flash in April of last year, when Steve Jobs penned a 1,500-word screed against the controversial platform, describing it as a technology of the past. Jobs and Apple disliked the platform so intensely, it has since been barred from use on all iOS devices.

Despite attempts to breathe life into Flash on other mobile devices — namely, Android and BlackBerry OS — Adobe has failed to deliver a consistently stable version of the platform on a smartphone or tablet. In WIRED’s testing of the BlackBerry PlayBook in April, Flash use caused the browser to crash on a consistent basis. And when Flash was supposed to come to tablets with Motorola’s Xoom, Adobe was only able to provide an highly unstable Beta version of Flash to ship with the flagship Android device.

“Adobe has lost so much credibility with the community that I’m hoping they are bought by someone else that can bring some stability and eventually some credibility back to the Flash Platform,” wrote software developer Dan Florio in a blog post on Wednesday morning.

The drastic reversal in Adobe’s mobile plans comes in the wake of the company cutting 750 jobs on Tuesday, a move prompted by what Adobe labeled “corporate restructuring.”

An Adobe representative did not immediately respond to a request for comment.

Source: Wired

Tags: , , , , , , ,
Comment

Apple security expert finds apps-software bug

Filed under: Apple, Applications, Cybersecurity, Exploit, Hackers, iPhone, Software, Tablets, Telecom by Ryan Boese — Leave a comment
November 7, 2011

A software flaw in Apple Inc’s iPhones and iPads may allow hackers to build apps that secretly install programs to steal data, send text messages or destroy information, according to an expert on Apple device security.

Charlie Miller, a researcher with Accuvant Labs who identified the problem, built a prototype malicious program to test the flaw. He said Apple’s App Store failed to identify the malicious program, which made it past the security vetting process.

There is as yet no evidence that hackers have exploited the vulnerability in Apple’s iOS software. But Miller said his test demonstrated that there could be real malware in the App Store.

“Until now you could just download everything from the App Store and not worry about it being malicious. Now you have no idea what an app might do,” Miller said.

Miller said he proved his theory by building a stock-market monitoring tool, InstaStock, that was programed to connect to his server once downloaded, and to then download whatever program he wants.

Apple did not respond to requests for comment.

Miller, who in 2009 identified a bug in the iPhone text-messaging system that allowed attackers to gain remote control over the devices, said that he had contacted the company about the vulnerability.

“They are in the process of fixing it,” he said.

Miller is scheduled to present his detailed research at the SyScan ’11 security conference in Taiwan next week.

 

 

Source: Reuters

Tags: , , , , , , , , ,
Comment

Smartphone scams: Owners warned over malware apps

Filed under: Android, Applications, Cybersecurity, Droid, Exploit, Hackers, Internet, Malware, Mobile, Trojan, WiFi by Ryan Boese — Leave a comment
November 6, 2011

Get Safe Online says that there has been an increase in smartphone malware as the market has grown.

Criminals are typically creating Trojan copies of reputable apps and tricking users into installing them.

Once on the phone, the app can secretly generate cash for criminals through premium rate text messages.

Get Safe Online, a joint initiative between the government, police and industry, said it was concerned that users of smartphones, such as Android devices, were not taking steps to protect their devices.

Get Safe Online said fraudsters are designing apps which generate cash secretly in the background without the owner realising until their monthly bill.

A typical scam involves an app designed to send texts to premium rate services without the user knowing.

Apps can appear to be bona fide software or sometimes masquerade as stripped down free versions of well-known games.

Rik Ferguson, a hacking researcher with internet security firm Trend Micro, said: “This type of malware is capable of sending a steady stream of text messages to premium rate numbers – in some instances we’ve seen one being sent every minute.

“With costs of up to £6 per message, this can be extremely lucrative. The user won’t know this is taking place, even if they happen to be using the device at the same time, as the activity takes place within the device’s back-end infrastructure.”

Online banking

Another major security firm, Symantec, recently warned in its annual threat assessment that Android phones were at risk and that it had found at least six varieties of malicious software.

Minister for Cyber Security Francis Maude said: “More and more people are using their smartphone to transmit personal and financial information over the internet, whether it’s for online banking, shopping or social networking.

“Research from Get Safe Online shows that 17% of smartphone users now use their phone for money matters and this doesn’t escape the notice of criminals.”

Tony Neate, head of Get Safe Online, urged people to check their phone’s security.

“Mobile phones are very personal. I have talked to people who are never more than a yard away from their mobile phone. Because of that attachment, they start to think that they are in a way invincible.

“It’s the end user that picks up the tab – it’s your phone that incurs the costs. Whether you have pay-as-you-go or a monthly account, that money is going to come from the account and go to the criminal.”

Source: BBC News

Tags: , , , , , , , ,
Comment

Mozilla blocks McAfee Firefox extension, citing “explosive crashes”

Filed under: Applications, Cybersecurity, Exploit, FireFox, Internet, Mozilla by Ryan Boese — Leave a comment
October 5, 2011

Mozilla has taken the rare step of blacklisting a McAfee extension for the Firefox browser.

The Firefox add-ons page for McAfee ScriptScan displays a large red X and notes that the add-on “causes a high volume of crashes.”

Mozilla’s advisory says, “Users are strongly encouraged to disable the problematic add-on or plugin, but may choose to continue using it if they accept the risks described.”

The bug report for the issue goes into greater detail. The report is titled “Blocklist McAfee ScriptScan for Firefox and McAfee SiteAdvisor due to explosive crashes,” and it notes that two separate bugs highly correlated with the two add-ons caused 3,432 and 6,691 crashes in the week ending September 28. The issues reportedly affect users of Firefox 6.0.2 and the just-released Firefox 7.

A comment in the bug report, dated September 28, suggests that the problem is even worse than those numbers would suggest:

We had 1555 processed crashes on 6.* yesterday, with the 10% throttling rate, this means that roughly 15,000 crashes happened during a single day with this signature!

The list of blocked add-ons includes an entry for McAfee SiteAdvisor from last March. Three Microsoft products, including the Bing Bar, were blocked in October 2010 at Microsoft’s request, to address security issues.

This isn’t the first time that McAfee’s add-on has been flagged for performance or reliability issues. An IBM TechNote from 2008 reports that an earlier version of ScriptScan “causes a four to seven seconds delay in rendering pages” from IBM’s WebSphere application. In that case, according to IBM, McAfee acknowledged the performance issues with the tool.

A support thread at Mcafee.com acknowledges the current issue and says “McAfee is aware of it, has a bug filed and is working with Mozilla to address the problem.”

This sort of incompatibility isn’t surprising. Mozilla’s decision to shift to a rapid-release schedule plays havoc with the makers of browser add-ons. On October 1, Symantec updated its Norton Toolbar and Norton Vulnerability Protection add-ons for Firefox. That followed a “minor product update” on September 20. A separate support note advised “This patch is necessary to prepare your Norton 2012 Product for the upcoming Firefox 7 compatibility update that we will release to Norton Products at a future date.” The Firefox 7.0 Compatibility Patch was released on September 27.

Source: ZDNet

Tags: , , , , , , ,
Comment

Security expert warns hackers can attack Android

Filed under: Android, Applications, Cybersecurity, Exploit, Hackers, Internet, Security, Technology, Telecom, Wireless by Ryan Boese — Leave a comment
August 12, 2011

A mobile security expert says he has found new ways for hackers to attack phones running Google Inc’s Android operating system.

Riley Hassell, who caused a stir when he called off an appearance at a hacker’s conference last week, told Reuters he and colleague Shane Macaulay decided not to lay out their research at the gathering for fear criminals would use it attack Android phones.

He said in an interview he identified more than a dozen widely used Android applications that make the phones vulnerable to attack.

“App developers frequently fail to follow security guidelines and write applications properly,” he said.

“Some apps expose themselves to outside contact. If these apps are vulnerable, then an attacker can remotely compromise that app and potentially the phone using something as simple as a text message.”

He declined to identify those apps, saying he fears hackers might exploit the vulnerabilities.

“When you release a threat and there’s no patch ready, then there is mayhem,” said Hassell, founder of boutique security firm Privateer Labs.

Hassell said he and Macaulay alerted Google to the software shortcomings they unearthed.

Google spokesman Jay Nancarrow said Android security experts discussed the research with Hassell and did not believe he had uncovered problems with Android.

“The identified bugs are not present in Android,” he said, declining to elaborate.

It was the first public explanation for the failure of Hassell and Macaulay to make a scheduled presentation at the annual Black Hat hacking conference in Las Vegas, the hacking community’s largest annual gathering.

They had been scheduled to talk about “Hacking Androids for Profit.” Hundreds of people waited for them to show up at a crowded conference room.

Hassell said in an interview late on Thursday the pair also learned — at the last minute — that some of their work may have replicated previously published research and they wanted to make sure they properly acknowledged that work.

“This was a choice we made, to prevent an unacceptable window of risk to consumers worldwide and to guarantee credit where it was due,” he said.

A mobile security researcher familiar with the work of Hassell and Macaulay said he understood why the pair decided not to disclose their findings.

“When something can be used for exploitation and there is no way to fix it, it is very dangerous to go out publicly with that information,” the researcher said. “When there is not a lot that people can do to protect themselves, disclosure is sometimes not the best policy.”

Hassell said he plans to give his talk at the Hack in The Box security conference in Kuala Lumpur in October.

Ryan:  If you are running an Android phone, two must have apps for your phone are:  Lookout Mobile Security for Android & Advanced Task Killer.

Source: Reuters

Tags: , , , ,
Comment

German hackers crack mobile phone GPRS code

Filed under: Cybersecurity, GPRS, Hackers, Security, Technology, Telecom, Wireless by Ryan Boese — Leave a comment
August 10, 2011

The discovery of a way to eavesdrop so-called General Packet Radio Service (GPRS) technology allows a user to read emails and observe the Internet use of a person whose phone is hacked, said Karsten Nohl, head of Security Research Labs.

“With our technology we can capture GPRS data communications in a radius of 5 km,” he told the paper before heading to a meeting of the Chaos Computer Club, a group that describes itself as Europe’s largest hacker coalition.

Phones using the newer UMTS standard are safer, Nohl said, but the crack effects industrial equipment, toll systems and anything using GPRS — including newer devices like Apple Inc’s iPhone or iPad which switch to the older GPRS in remote areas.

Source: Reuters

Tags: , , , , , , , ,
Comment

Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

Filed under: Adobe, Applications, Cybersecurity, Exploit, Google, Security, Windows by Ryan Boese — Leave a comment
August 10, 2011

A high-profile Google researcher has accused Adobe of hiding the fact that it patched a whopping 400 unique vulnerabilities in yesterday’s critical Flash Player update.

According to Tavis Ormandy, an information security engineer at Google who has a history of controversial vulnerability disclosures, the 400 unique Flash Player vulnerabilities were sent to Adobe as part of an ongoing security audit but there’s no documentation on these fixes in the new update.

“Apparently that number was embarrassingly high, and they’re trying to bury the results, so I’ll publish my own advisory later today,” Ormandy said on his Twitter feed.

Adobe’s advisory that accompanies the Flash Player update does in fact acknowledge Ormandy’s work:

Adobe would also like to thank Tavis Ormandy and the Google Chrome team for their great work on several improvements to this Flash Player release.

However, only 13 unique vulnerabilities are documented in the release and this prompted a series of snippy back-and-forth Twitter messages between Ormandy and Adobe spokeswoman Wiebke Lips.

“Tavis, please do not confuse sample files with unique vulnerabilities. What is Google’s agenda here?” Lips said. (This Twitter message has since been deleted).

Ormandy’s response:

“I don’t know what Google’s agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented.”

Almost lost in the public spat is the fact that Adobe’s ubiquitous Flash Player contains vulnerabilities that could lead to remote code execution attacks.  The security flaws, described as “critical,” affect Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.25 and earlier versions for Android.

“These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe warned.

Adobe also shipped separate advisories to warn about security holes in Shockwave, Flash Media Server, Photoshop and RoboHelp.

Source: ZDNet

Tags: , , , , , , , ,
Comment