Category: Security


Symantec says hackers stole source code in 2006

Filed under: Applications, Computers, Cybersecurity, Internet, PC, RootKit, Security, Software, Trojan, Virus by Ryan Boese — 1 Comment
January 18, 2012

Symantec Corp said a 2006 breach led to the theft of the source code to its flagship Norton security software, reversing its previous position that it had not been hacked.

The world’s biggest maker of security software had previously said that hackers stole the code from a third party, but corrected that statement on Tuesday after an investigation found that Symantec’s own networks had been infiltrated.

The unknown hackers obtained the source code, or blueprint for its software, to Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere, Symantec spokesman Cris Paden said.

Last week, the hackers released the code to a 2006 version of Norton Utilities and have said they planned to release code to its antivirus software on Tuesday. It was not clear why the source code was being released six years after the theft.

Source code includes instructions written in computer programming languages as well as comments that engineers share to explain the design of their software. For example, a file released last week from the source code of a 2006 version of Norton Utilities included a comment that said “Make all changes in local entry, so we don’t screw up the real entry if we back up early.”

Companies typically heavily guard their source code, which is considered the crown jewels of most software makers. At some companies access is granted on an as-needed basis, with programmers allowed to view code only if it is related to the tasks they are assigned.

The reason for all the secrecy is that companies fear rivals could use the code to figure out the “secret sauce” behind their technology and that hackers could use it to plan attacks.

Paden said that the 2006 attack presented no threat to customers using the most recent versions of Symantec’s software.

“They are protected against any type of cyber attack that might materialize as a result of this code,” he said.

Yet Laura DiDio, an analyst with ITIC who helps companies evaluate security software, said that Symantec’s customers should be concerned about the potential for hackers to use the stolen source code to figure out how to defeat some of the protections in Symantec’s software.

“What we are seeing from Symantec is ‘Let’s put the best public face on this,’” she said. “Unless Symantec wrote all new code from scratch, there are going to be elements of source code in there that are still relevant today.”

Symantec said earlier this month that its own network had not been breached when the source code was taken. But Paden said on Tuesday that an investigation into the matter had revealed that the company’s networks had indeed been compromised.

“We really had to dig way back to find out that this was actually part of a source code theft,” he said. “We are still investigating exactly how it was stolen.”

Paden also said that customers of pcAnywhere, a program that facilitates remote access of PCs, may face “a slightly increased security risk” as a result of the exposure.

“Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.”

Ryan: This is one of the reasons I had been telling people for years not to use Symantec programs. I knew they had been hacked because Viruses had been disabling out Norton on machines I had been fixing and I was seeing a big trend with this.

Source: Reuters / Yahoo! News

Tags: , , , , , , , , , , , , ,
Comment

Any GSM phone vulnerable to new scam: researcher

Filed under: Cybersecurity, Exploit, GSM, Hackers, Mobile, Security, Tablets, Technology, Telecom, Wireless by Ryan Boese — 3 Comments
December 27, 2011

A well-known expert on mobile phone security says a vulnerability in a widely used wireless technology could allow hackers to gain remote control of phones, instructing them to send text messages or make calls.

They could use the vulnerability in the GSM network technology, which is used by billions of people in about 80 percent of the global mobile market, to make calls or send texts to expensive, premium phone and messaging services in scams, said Karsten Nohl, head of Germany’s Security Research Labs.

Similar attacks against a small number of smartphones have been done before, but the new attack could expose any cellphone using GSM technology.

“We can do it to hundreds of thousands of phones in a short timeframe,” Nohl told Reuters in advance of a presentation at a hacking convention in Berlin on Tuesday.

Attacks on corporate landline phone systems are fairly common, often involving bogus premium-service phone lines that hackers set up across Eastern Europe, Africa and Asia. Fraudsters make calls to the numbers from hacked business phone systems or mobile phones, then collect their cash and move on before the activity is identified.

The phone users typically don’t identify the problem until after they receive their bills and telecommunications carriers often end up footing at least some of the costs.

Even though Nohl will not present details of attack at the conference he said hackers will usually replicate the code needed for attacks within a few weeks.

Source: Reuters

Tags: , , , , , , , , , , ,
Comment

Windows Phone SMS attack discovered, reboots device and disables messaging hub

Filed under: Cybersecurity, Exploit, Hackers, Microsoft, Security, Technology, Telecom, Windows, Windows Phone 7, Wireless by Ryan Boese — Leave a comment
December 13, 2011

Microsoft’s range of Windows Phone devices suffer from a denial-of-service attack that allows attackers to disable the messaging functionality on a device.

The flaw works simply by sending an SMS to a Windows Phone user. Windows Phone 7.5 devices will reboot and the messaging hub will not open despite repeat attempts. We have tested the attack on a range of Windows Phone devices, including HTC’s TITAN and Samsung’s Focus Flash. Some devices were running the 7740 version of Windows Phone 7.5, others were on Mango RTM build 7720. The attack is not device specific and appears to be an issue with the way the Windows Phone messaging hub handles messages. The bug is also triggered if a user sends a Facebook chat message or Windows Live Messenger message to a recipient.

The flaw appears to affect other aspects of the Windows Phone operating system too. If a user has pinned a friend as a live tile on their device and the friend posts a particular message on Facebook then the live tile will update and causes the device to lock up. Thankfully there’s a workaround for the live tile issue, at initial boot up you have a small amount of time to get past the lock screen and into the home screen to remove the pinned live tile before it flips over and locks the device.

Both Apple and Google have suffered from SMS bugs with their iOS and Android devices. Security researcher Charlie Miller discovered a flaw in the iOS 3.0 software that allowed attackers complete control over an iPhone at the time. Android-based phones also suffered in the SMS attack, but attackers could only knock a phone offline rather than gain full access. The attack described in this article does not appear to be security related. It appears, from our limited testing, that the bug is related to the way Windows Phone handles messages.

Khaled Salameh discovered the flaw and reported it to us on Monday. WinRumors is in the process of disclosing the bug directly to Microsoft privately in co-operation with Khaled. At this stage there doesn’t appear to be a workaround to fix the messaging hub apart from hard resetting and wiping the device. Please see the video below for a demonstration.

 

 

Source: WinRumors

Tags: , , , , , , , , , , , , , , , , , , , ,
Comment

Skype flaw reveals users’ location, file-downloading habits

Filed under: Cybersecurity, Exploit, GPS, Hackers, Internet, Security, Skype by Ryan Boese — Leave a comment
December 2, 2011

Researchers have found a flaw in Skype, the popular Voice-over-Internet-Protocol service which allows users to make video phone calls and internet chat with their computers. The vulnerability can expose your location, identity and the content you’re downloading. Microsoft, which owns Skype, says they are working on the problem.

The issue was uncovered earlier this year by a team of researchers from Polytechnic Institute of New York University (NYU-Poly), MPI-SWS in Germany and INRIA in France and included Keith Ross, Stevens Le Blond, Chao Zhang, Arnaud Legout, and Walid Dabbous. The team presented the research in Berlin recently at the Internet Measurement Conference 2011 in a paper titled “I know where you are and what you are sharing.”

The researchers found several properties of Skype that can track not only users’ locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without the user’ consent.

Even when a user blocks callers or connects from behind a Network Address Translation (NAT) — a common type of firewall — it does not prevent the privacy risk,” according to a release from NYU-Poly.

The research team tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period and found that callers using VoIP systems can obtain the IP address of another user when establishing a call with that person. The caller can then use commercial geo-IP mapping services to determine the other user’s location and Internet Service Provider (ISP).

The user can also initiate a Skype call, block some packets and quickly terminate the call to obtain an unsuspecting person’s IP address without alerting them with ringing or pop-up windows. Users do not need to be on a contact list, and it can be done even when a user explicitly configures Skype to block calls from non-contacts.

The research also revealed that marketers can easily link to information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands.

“We feel the implications are very severe,” Ross told CSO. “For example, a high-school hacker, or anyone with basic programming and hacking skills, could track, for example, all the Congressmen in the United States, or the employees of a company. The attack can be used by blackmailers, stalkers, or journalists looking for a racy story about a politician.”

Skype and Microsoft Corp. were informed of the researchers’ findings and The New York Times reports that Skype is aware of the issue.

“We value the privacy of our users and are committed to making our products as secure as possible,” Adrian Asher, Skype’s chief information security officer, said in a statement. “Just as with typical Internet communications software, Skype users who are connected may be able to determine each other’s IP address. Through research and development, we will continue to make advances in this area and improvements to our software.”

Source: NetworkWorld

Tags: , , , , , , , ,
Comment

BlackBerry, iPhone, Gmail users at risk: WikiLeaks

Filed under: Android, Apple, Blackberry, Cybersecurity, Exploit, Google, Hackers, Internet, Mobile, RIM, Security, Technology, Telecom by Ryan Boese — Leave a comment
December 2, 2011

WikiLeaks is out with yet another explosive expose. It has released 287 files of numerous companies containing details of mass surveillance.

Speaking in London, WikiLeaks founder Julian Assange said more than 150 organisations worldwide were selling information obtained by monitoring people’s mobile phones and computers.

“Today, we release over 287 files, documenting the reality of the international mass surveillance industry. An industry which now sells equipment to dictators and democracies alike, in order to intercept entire populations. 9/11 has provided a license for European countries, for United States, Australia, Canada, South Africa and others to develop spying systems that affect all of us,” Assange said.

He added that iPhone, Blackberry and Gmail users were at risk.

The whistleblower website has in the past released classified US documents on the Iraq and Afghan wars as well as controversial details of US diplomatic cables.

 

 

Source: IBNLive Tech

Tags: , , , , ,
Comment

Dropbox drops a critical update, software wide open to hackers

Filed under: Applications, Cybersecurity, Exploit, Hackers, Security, Software, Windows by Ryan Boese — Leave a comment
November 10, 2011

Today sees Dropbox release a security update that plugs up a serious security vulnerability in the client software.

Prior to this update, all a third party needed to do to gain access to someone’s Dropbox account was to copy the Dropbox configuration files from one PC to another. These configuration files could be copied directly from the PC or extracted from a system backup. Once in possession of these files, the third-party had total access to the Dropbox account even if the user changed their password. The only way to revoke access was to unlink the rogue system from the account using the account setting page over on the Dropbox website.

Dropbox version 1.2.48 fixes this serious vulnerability. However, because the client software can take several weeks to auto update, you have to carry out the procedure manually.

If you’re a Dropbox user I strongly urge you to install this update immediately!

Source: ZDNet

Tags: , , , , ,
Comment

Adobe Abandons Mobile Flash Development

Filed under: Adobe, Android, Computers, Cybersecurity, Exploit, Flash, Hackers, Malware, RootKit, Security by Ryan Boese — 3 Comments
November 9, 2011

Latest Update: Adobe confirmed it will cease Flash development on mobile devices in a press release published Wednesday morning.

In an abrupt about-face in its mobile software strategy, Adobe will soon cease developing its Flash Player plug-in for mobile browsers, according to an e-mail sent to Adobe partners on Tuesday evening.

And with that e-mail flash, Adobe has signaled that it knows, as Steve Jobs predicted, the end of the Flash era on the web is coming soon.

The e-mail, obtained and first reported on by ZDNet, says that Adobe will no longer continue to “adapt Flash Player for mobile devices to new browser, OS version or device configurations,” instead focusing on alternative application packaging programs and the HTML5 protocol.

“Our future work with Flash on mobile devices will be focused on enabling Flash developers to package native apps with Adobe AIR for all the major app stores,” the quoted e-mail says.

In the past, Adobe has released software tools for mobile developers that create a single platform programmers can use to make applications that work across three major mobile platforms: Android, iOS and the BlackBerry OS. While it’s seemingly easier than learning all of the native languages for each operating system, some developers have claimed a loss in app performance when coding in a non-native language that then gets translated into other languages.

The move indicates a massive backpedaling on Adobe’s part, a company who championed its Flash platform in the face of years of naysaying about its use on mobile devices. Despite Flash’s near ubiquity across desktop PCs, many in the greater computing industry, including, famously, Apple Computer, have denounced the platform as fundamentally unstable on mobile browsers, and an intense battery drain. In effect, Flash’s drawbacks outweigh the benefits on mobile devices.

Flash became a dominant desktop platform by allowing developers to code interactive games, create animated advertisements and deliver video to any browser that had the plugin installed, without having to take into account the particulars of any given browser. However, with the development of Javascript, CSS, and HTML5, which has native support for video, many web developers are turning away from Flash, which can be a resource hog even on the most advanced browsers.

Apple made its biggest waves in the case against Flash in April of last year, when Steve Jobs penned a 1,500-word screed against the controversial platform, describing it as a technology of the past. Jobs and Apple disliked the platform so intensely, it has since been barred from use on all iOS devices.

Despite attempts to breathe life into Flash on other mobile devices — namely, Android and BlackBerry OS — Adobe has failed to deliver a consistently stable version of the platform on a smartphone or tablet. In WIRED’s testing of the BlackBerry PlayBook in April, Flash use caused the browser to crash on a consistent basis. And when Flash was supposed to come to tablets with Motorola’s Xoom, Adobe was only able to provide an highly unstable Beta version of Flash to ship with the flagship Android device.

“Adobe has lost so much credibility with the community that I’m hoping they are bought by someone else that can bring some stability and eventually some credibility back to the Flash Platform,” wrote software developer Dan Florio in a blog post on Wednesday morning.

The drastic reversal in Adobe’s mobile plans comes in the wake of the company cutting 750 jobs on Tuesday, a move prompted by what Adobe labeled “corporate restructuring.”

An Adobe representative did not immediately respond to a request for comment.

Source: Wired

Tags: , , , , , , ,
Comment

Microsoft quietly finding, reporting security holes in Apple, Google products

Filed under: Android, Apple, Applications, Exploit, Google, Internet, Microsoft, Security, Windows by Ryan Boese — Leave a comment
August 26, 2011

Researchers at Microsoft have been quietly finding — and helping to fix — security defects in products made by third-party vendors, including Apple and Google.

This month alone, the MSVR (Microsoft Security Vulnerability Research) team released advisories to document vulnerabilities in WordPress and Apple’s Safari browser and in July, software flaws were found and fixed in Google Picasa and Facebook.

The MSVR program, launched two years ago, gives Microsoft researchers freedom to audit the code of third-party software and work in a collaborative way with the affected vendor to get those issues fixed before they are publicly compromised.

The team’s work gained prominence in 2009 when a dangerous security hole in Google Chrome Frame was found and fixed but it’s not very well known that the team has spent the last year disclosing hundreds of security defects in third-party software.

Since July 2010, Microsoft said the MSVR team identified and responsibly disclosed 109 different software vulnerabilities affecting a total of 38 vendors.

More than 93 percent of the third-party vulnerabilities found through MSVR since July 2010 were rated as Critical or Important, the company explained.

“Vendors have responded and have coordinated on 97 percent of all reported vulnerabilities; 29 percent of third-party vulnerabilities found since July 2010 have already been resolved, and none of the vulnerabilities without updates have been observed in any attacks,” Microsoft said.

This week’s discoveries:

  • A vulnerability exists in the way Safari handles certain content types. An attacker could exploit this vulnerability to cause Safari to execute script content and disclose potentially sensitive information. An attacker who successfully exploited this vulnerability would gain sensitive information that could be used in further attacks.
  • A vulnerability exists in the way that WordPress previously implemented protection against cross site scripting and content-type validation. An attacker could exploit this vulnerability to achieve script execution.

Source: ZDNet

Tags: , , , , , , , , , ,
Comment

Firefox 6 patches 10 dangerous security holes

Filed under: Exploit, FireFox, Internet, Mozilla, Security, Windows by Ryan Boese — Leave a comment
August 16, 2011

Mozilla has shipped a critical Firefox update to fix at least 10 security vulnerabilities, some serious enough to expose web surfers to drive-by download attacks.

According to an advisory from the open-source group, 8 of the 10 vulnerabilities are rated “critical,” meaning that they can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Here’s a glimpse of the critical issues:

Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

These include a WebGL crash, a JavaScript crash, a crash in the Ogg reader, memory safety issues and unsigned scripts.  These all affected Firefox 4 and 5.

Mozilla also credited researcher Michael Jordon of Context IS  with reporting a pair of critical issues — that an overly long shader program could cause a buffer overrun and crash in a string class used to store the shader source code; and a potentially exploitable heap overflow in the ANGLE library used by Mozilla’s WebGL implementation.

Some additional security problems fixed:

  • Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative that a SVG text manipulation routine contained a dangling pointer vulnerability.
  • Mike Cardwell reported that Content Security Policy violation reports failed to strip out proxy authorization credentials from the list of request headers. Daniel Veditz reported that redirecting to a website with Content Security Policy resulted in the incorrect resolution of hosts in the constructed policy.
  • nasalislarvatus3000 reported that when using Windows D2D hardware acceleration, image data from one domain could be inserted into a canvas and read by a different domain.

Firefox 6 is being distributed via the browser’s automatic update mechanism.

Source: ZDNet
Tags: , , , ,
Comment