Worldwide News

Interview with Konrad Jędrzejczyk – Hacking doesn’t require too much computational power or a specific piece of hardware

Nov 26th, 2017

In this article, we had the pleasure of interviewing Konrad Jędrzejczyk, Cyber Threat Hunter at PepsiCo and information security expert. Konrad Jędrzejczyk has also conducted incident response investigations across Europe, the Middle East and Africa (EMEA) for leading global corporations.

Wearing various hats, Konrad plays key roles in the Amstelveen data center exit programme within The Royal Bank of Scotland Group and in the migration of IT security monitoring from Belgium to Poland within the ING Group. Konrad is an expert in investigations related to cybersecurity threat hunting, forensic analysis, e-discovery, malware infections and intellectual property theft. He is also well known as a conference speaker with a comprehensive background in IT Security Incident Response, IT Security Risk Assessment, IT Forensics and general infrastructure security.

No wonder that Konrad will be present this autumn at the eighth edition of DefCamp, the most important annual conference on Hacking & Information Security in Central and Eastern Europe, taking place in Bucharest on November 9th-10th. At DefCamp 2017, Konrad will give a presentation on how modern computers running modern operating systems can be hacked with the help of an Ethernet card and a Commodore 64, a computer from 1982 with 64 kB of RAM.

Read More

Interview with Yury Chemerkin – Mobile Applications, Cybersecurity Threats and Data Protection

Nov 26th, 2017


The second interview, which we prepared with the help of the DefCamp team, has Yury Chemerkin as its main guest. Yury Chemerkin is a security expert with ten years of experience in information security. He is multi-skilled in security and compliance, mainly focused on privacy and leakage showdown, and his key fields of activity are EMM and mobile computing, IAM, cloud computing, forensics and compliance.

Furthermore, Yury has published many papers on mobile and cloud security, and he regularly appears at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence Sec, InfoSec NetSysAdmins, etc.

Read More

DefCamp 2017

Nov 26th, 2017

DefCamp runs for one week and provides an opportunity to meet cool speakers and learn about their results. Here are some awesome ones and their presentations:


HackMiami 2017

May 5th, 2017

Join us at the #HackMiami conference on May 20th! The rise of #security assistants over security audit services – 3PM – 4PM EST

Abstract
Mobile applications have not only become part of our daily lives, but also part of 21st-century culture. Corporate IT and security professionals have the same needs as typical customers who manage only personal information. To understand security, users should keep in mind what happens to their OS, their applications and their data, and divide risks into a vulnerability group and a privacy group. The first group refers to actions that break either the application or the OS; such attacks are usually designed to require little or no user action to defeat security mechanisms and reach user data. The second group refers to privacy issues and describes cases where data is stored or transmitted insecurely. Developers ignore data protection until they face something or someone that forces them to implement protection as it should have been designed. Developers’ privacy policies describe how much each developer cares about data, claim to protect everything and assure users that the app provides a 100% guarantee. Many security companies develop their own risky applications to show customers how well their data is protected. They use (or develop their own) automatic scanners to analyze application code and produce an auto-generated report. Still, none of them can clearly say which data items are protected and how weak that protection is. In other words, should a user worry about an unprotected HTTP connection if he does not know what data is transferred over it? Downloading news over it might be acceptable; transmitting device information, geolocation data and credentials over the network in plaintext is not. The same applies to an out-of-date OS: is the previous version so bad that one should rush into an update, or not? How many user data items are consumed by third-party services such as Google or Flurry analytics? The last question is usually how much user data is worth in money.
The cheapest software costs less than $50; the average one costs 10 times more, and forensics software costs from over a thousand dollars up to $20,000, which gives access to a thousand devices and a million data items. The saddest part of this story is the ‘speed-to-market’ idea that helps them grab data from a thousand improperly protected applications, especially if customers use the same data in more than one application and have at least one badly protected application. The more of the same data is shared between applications, and the more applications you use, the higher the risk of data leakage customers eventually face. A new set of security challenges has already been raised. To answer it, we have been examining many applications so that the results can be made widely useful and available to IT and security professionals as well as non-technical customers, keeping them informed about app insecurity. The goal is to integrate and introduce security and data-privacy compliance into mobile application development and management. It helps to educate customers with a useful security and privacy mindset. Spreading information in different ways, such as bulletins, an EMM-integrated monitoring service or simple reports, is a way to solve insecurity issues and help reduce risks when using mobile applications.


Read More

Oxygen Forensic Detective extracts WebKit data from iOS and Android devices

February 24th, 2017

Oxygen Forensics releases a new version of its flagship forensic software, Oxygen Forensic Detective v.9.2. The updated Oxygen Forensic Detective extracts WebKit data from iOS and Android devices. By parsing WebKit data you can gain access to the user’s emails and the content of visited web pages. Oxygen Forensic Detective v.9.2 expands cloud extraction capabilities: you can acquire blocked phone numbers and Wi-Fi hotspots from a Google account and notes from Google Keep. Moreover, import of full iCloud backups now takes significantly less time.

The new version improves deleted data recovery by adding the ability to recover files from Ext3/Ext4 partitions using the file system journal. Oxygen Forensic Detective now parses data from two popular ride-sharing services, Uber and Lyft, and supports devices with new Chinese MTK chipsets: MT6750, MT6755, MT6737, MT6738.

All registered customers may download the new version immediately from their personal customer area. Updated Oxygen Forensic® Analyst and Oxygen Forensic® Passware Analyst are also available for download.

New in Oxygen Forensic® Detective v.9.2:

  • WebKit Data. Added a new section which allows examining additional evidence that contains information from visited web pages. WebKit data is saved by various web browsers and can be extracted from iOS and Android devices.
  • Oxygen Forensic Cloud Extractor. Added the ability to extract notes from Google Keep.
  • Oxygen Forensic Cloud Extractor. Added the ability to extract full iCloud backups made from iOS devices v. 9.0 and later.
  • Oxygen Forensic Cloud Extractor. Added the ability to acquire Wi-Fi hotspot data and blocked phone numbers saved in the Google cloud.
  • Enterprise license. Added the ability to borrow a license remotely.
  • Oxygen Forensic Extractor. Physical. Added recovery of files from Ext3/Ext4 partitions using the file system journal.
  • Oxygen Forensic Extractor. Physical. Added the ability to create physical dumps from devices with the latest Chinese MTK chipsets: MT6750, MT6755, MT6737 and MT6738.
  • Oxygen Forensic Extractor. Added the ability to create a complete SIM card image.
  • Export. Added the ability to export data from contact card to HTML and RTF formats.
  • Export. Added the ability to export messengers chats to separate files.
  • Export. Added the ability to export every conversation to a separate file.
  • Export. Added column filters to table view XLS reports.
  • Applications. Travel. Added data parsing from Uber (3.225.3) from iOS devices and Uber (4.139.5) from Android devices.
  • Applications. Travel. Added data parsing from Lyft (4.15.3) from iOS devices and Lyft (4.16.3) from Android devices.
  • Applications. Messengers. Added data parsing from Google Allo (4.2) from iOS devices and Google Allo (4.0.014_RC09 (arm64-v8a_xxhdpi);5.0.021_RC15 (arm64-v8a_xxhdpi)) from Android devices.
  • General. Added support for 100+ new Android devices: Asus ZenFone 3s Max Dual SIM TD-LTE IN, Huawei Honor 8 Standard Edition TD-LTE, Oppo A57 Dual SIM TD-LTE IN, Samsung Galaxy S8 Plus TD-LTE (Samsung Dream 2), ZTE Axon 7 Mini LTE CA, etc.

Read More

Incident report on memory leak caused by Cloudflare parser bug (Official explanation)

February 24th, 2017

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.

We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.

Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand the underlying cause, to understand the effect of the memory leakage, and to work with Google and other search engines to remove any cached HTTP responses.

Having a global team meant that, at 12 hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day. The team has worked continuously to ensure that this bug and its consequences are fully dealt with. One of the advantages of being a service is that bugs can go from reported to fixed in minutes to hours instead of months. The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes.

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

The greatest period of impact was between February 13 and February 18, with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).

We are grateful that it was found by one of the world’s top security research teams and reported to us.

This blog post is rather long but, as is our tradition, we prefer to be open and technically detailed about problems that occur with our service.

Read More

CloudFlare Leaked Sensitive Data Across the Internet For Months

February 24th, 2017

CloudFlare, a multibillion-dollar startup that runs a popular content delivery network used by more than 5.5 million sites, accidentally leaked customers’ sensitive information for months, the company said Thursday. The firm has since fixed the issues at the heart of the problem, CloudFlare said.

The leaked data included “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” according to Tavis Ormandy, the Google security researcher who spotted and reported the issue last week. “We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

In a tweet posted Thursday, Ormandy pointed to sites including Uber, 1Password, FitBit, and OKCupid, as having spilled data. Indeed, even sites seemingly protected by HTTPS, a security measure designed to keep hackers and spies from snooping on Internet traffic, were affected.


CloudFlare responded promptly to Ormandy’s notification early Saturday morning. Within hours, the security team disabled several new features to its service—for those inclined: email obfuscation, server-side excludes, and automatic HTTPS rewrites—that had caused the problem to surface.

It took a week, however, for the team to fully remedy the issue, CloudFlare said. Search engines such as Google, Yahoo, and Microsoft’s Bing had inadvertently stored leaked data as part of their web crawlers’ caches, and the CloudFlare team had to work with them to scrub these indexes.

The memory leakage issue, known technically as a buffer overrun, began in September when CloudFlare swapped a new bit of code (an HTML parser) into its system. The program itself didn’t contain the major flaw, according to CloudFlare, but rather its introduction caused a separate and earlier coding error to, for lack of a better term, go kablooey.

In a technical post-mortem of the incident, John Graham-Cumming, CloudFlare’s chief tech officer, detailed what went wrong. “The engineers working on the new HTML parser had been so worried about bugs affecting our service that they had spent hours verifying that it did not contain security problems,” he said.

“Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it,” he continued. He added that his team has since begun testing CloudFlare’s software for other potential problems.

According to Graham-Cumming’s post, the leakage problem reached a nadir between Feb. 13 and Feb. 18 when 0.00003% of every page request through its network potentially let private information slip. Responding to an inquiry on Y Combinator’s Hacker News forum, Graham-Cumming added his team found data leaked across 3,438 unique domains.

After reading the post on CloudFlare’s website, Ormandy commented that “It contains an excellent postmortem, but severely downplays the risk to customers.” Because downloading and caching content from the web is a common practice for so many different organizations, Ormandy said it is likely that other crawlers have collected the leaked data without realizing it.

Ormandy also drew a tongue-in-cheek comparison to the Heartbleed—a computer bug discovered in 2014 that also caused sensitive data to leak from HTTPS sessions—by referring to the CloudFlare bug as “CloudBleed.”

It remains to be seen whether CloudFlare, or any of CloudFlare’s customers, will advise or force people to change their passwords and authentication credentials, though multiple security professionals have recommended taking that precaution.

Read More

Announcing the first SHA1 collision

February 24th, 2017

Cryptographic hash functions like SHA-1 are a cryptographer’s Swiss Army knife. You’ll find that hashes play a role in browser security, managing code repositories, or even just detecting duplicate files in storage. Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for widespread use, finding two messages that lead to the same digest should be computationally infeasible. Over time however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power.

Today, more than 20 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.

For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure.

We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.

Read More

The Security Impact of HTTPS Interception

February 8th, 2017

As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic. In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception.
First, we show that web servers can detect interception by identifying a mismatch between the HTTP User-Agent header and TLS client behavior. We characterize the TLS handshakes of major browsers and popular interception products, which we use to build a set of heuristics to detect interception and identify the responsible product. We deploy these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. We find more than an order of magnitude more interception than previously estimated and with dramatic impact on connection security. To understand why security suffers, we investigate popular middleboxes and client-side security software, finding that nearly all reduce connection security and many introduce severe vulnerabilities. Drawing on our measurements, we conclude with a discussion on recent proposals to safely monitor HTTPS and recommendations for the security community.

Read More or download a copy from our website

Oxygen Forensic Detective extracts vital information from Google Chrome!

February 4th, 2017

Oxygen Forensics releases a major update to its flagship forensic software, Oxygen Forensic® Detective v.9.1.2. With this version you can extract additional evidence from a Google Chrome account: autocomplete data, the list of opened tabs, bookmarks, credit card numbers and addresses. We’ve also updated our Export Engine and improved SIM card data extraction. The new Oxygen Forensic® Detective supports 2,700+ app versions and 15,500+ devices!

All registered customers may download the new version immediately from their personal customer area. Updated Oxygen Forensic® Analyst and Oxygen Forensic® Passware Analyst are also available for download.

New in Oxygen Forensic® Detective v.9.1.2:

  • Oxygen Forensic® Cloud Extractor. Added the ability to extract additional evidence from Google Chrome. Now forensic experts can acquire autocomplete data, list of opened tabs, bookmarks, credit card numbers and addresses.
  • Export. Added the ability to export items selected by the expert in all program sections.
  • Export. Contact card. Added the ability to export message attachments to PDF and XLS reports.
  • Export. Contact card. Added the ability to preview image thumbnails in XLS reports.
  • Oxygen Forensic® Extractor. Added the ability to import previously extracted SIM card images.
  • Oxygen Forensic® Extractor. Improved data extraction from SIM cards.
  • Applications. Business. Added data parsing from Inbox.lt (6.2.9) from Android devices.
  • Applications. Business. Added data parsing from Inbox.eu (6.2.9) from Android devices.
  • Applications. Business. Added data parsing from Mail.ee (6.2.9) from Android devices.
  • Applications. Messengers. Updated support for Telegram (3.16.0) for Android devices.
  • General. Added support for 100 new devices: Huawei Ascend P1 LTE, Nokia 6, Samsung Galaxy A5 2017 TD-LTE, Samsung Galaxy A5 2017 TD-LTE (SM-A520K), Samsung Galaxy J1 Mini Prime, Samsung Galaxy J3 Emerge LTE, etc.
  • Export. Timeline. Fixed the issue with data export from contact card.

Read More

Hacker Dumps iOS Cracking Tools Allegedly Stolen from Cellebrite

February 4th, 2017

The hacker says this demonstrates that when organizations make hacking tools, those techniques will eventually find their way to the public.

In January, Motherboard reported that a hacker had stolen 900GB of data from mobile phone forensics company Cellebrite. The data suggested that Cellebrite had sold its phone cracking technology to oppressive regimes such as Turkey, the United Arab Emirates, and Russia.

Now the hacker responsible has publicly released a cache of files allegedly stolen from Cellebrite relating to Android and BlackBerry devices, and older iPhones, some of which may have been copied from publicly available phone cracking tools.

“The debate around backdoors is not going to go away, rather, it is almost certainly going to get more intense as we lurch toward a more authoritarian society,” the hacker told Motherboard in an online chat.

“It’s important to demonstrate that when you create these tools, they will make it out. History should make that clear,” they continued.

Read More

Researchers warn of vast problems with Android VPN apps

January 28th, 2017

There’s a misconception about VPN networks and what they really do. Claims that they can make you “completely anonymous” online are almost always inaccurate, even if they may increase your privacy to some degree. Unfortunately, the Commonwealth Scientific and Industrial Research Organisation (CSIRO), in partnership with the University of New South Wales and UC Berkeley, has learned of greater issues than that.

In CSIRO’s research paper ‘An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps,’ the team investigated 283 Android VPN apps to explore their impact on user privacy and security. Here are some of the highlights of what they learned about the apps:

  • 18% do not encrypt traffic at all
  • 84% leak user traffic
  • 2 out of 3 use third-party tracking libraries
  • 38% reveal a malware or malvertising presence
  • More than 80 percent request sensitive data such as user accounts and text messages
  • Less than 1% of app reviews mention security or privacy concerns

Based on these findings, it’s estimated that 4 out of 5 of Android VPN apps will ask for sensitive permissions, 4 out of 5 contain malware, 2 out of 5 aren’t even encrypted and some may be seeking to access your data to sell to third parties.

“The very reason users install these apps — to protect their data — is the very function they are not performing and these apps have been installed by tens of millions of users,” said CSIRO in the paper or our copy paper-1.

Read More

Online surveillance. Microsoft may be accidentally helping Thailand’s government spy on its citizens

January 28th, 2017

The Thailand government has a long history of online surveillance of its citizens, and a new report out Thursday suggests Microsoft may be inadvertently facilitating such government monitoring.

A new report (or our copy thailand_2017_0) from Privacy International entitled “Who’s That Knocking at My Door? Understanding Surveillance in Thailand” says a Microsoft policy involving root certificates enables the state to monitor encrypted communications sent via email or posted on social media sites. Microsoft says that the certificate meets the company’s standards.

The privacy campaign group accuses Microsoft of being the only internet company that automatically trusts a root certificate issued by the Thai government. By doing so, it could allow the government to target Windows users by manipulating websites and capturing login credentials for email, social media sites, and other online services.

“Microsoft only trusts certificates issued by organizations that receive Certificate Authority through the Microsoft Root Certificate Program,” the company said in a statement emailed to VICE News. “This program is an extensive review process that includes regular audits from a third-party web trust auditor. Thailand has met the requirements of our program.”

The company pointed VICE News to two independent auditor reports (here and here, or our copies sealfile-1 and sealfile-2) that were carried out by a Malaysian company called BDO, and appear to cover the same time period (September 2015 to August 2016). The audits say the EDTA has given “reasonable assurance” that “the integrity of keys and certificates it manages is established and protected.”

However, the audits also highlight that the EDTA’s ability to meet these criteria may be limited. “Controls may not prevent or detect and correct, error fraud, unauthorized access to systems, and information or failure to comply with internal and external policies and requirements.”

Read More

Despite revoked CAs, StartCom and WoSign continue to sell certificates

January 26th, 2017

As it stands, the HTTPS “encrypted web” is built on trust. We use browsers that trust that Certificate Authorities secure their infrastructure and deliver TLS certificates (1) after validating and verifying the request correctly.

It’s all about trust. Browsers trust those CA root certificates and in turn, they accept the certificates that the CA issues.

Read More

How Can I Break Into a Locked iOS 10 iPhone?

January 26th, 2017

Each iteration of iOS is getting more secure. With no jailbreak available for the current version of iOS, what acquisition methods are available for the iPhone 7, 7 Plus and other devices updating to iOS 10? How does the recent update of Elcomsoft iOS Forensic Toolkit help extracting a locked iOS 10 iPhone? Read along to find out!

iOS 10: The Most Secure iOS

When iOS 8 was released, we told you that physical acquisition is dead. Then hackers developed a jailbreak, and we came up with an imaging solution. Then it was iOS 9 that nobody could break for a while. The same thing happened: it was jailbroken, and we made a physical acquisition tool for it. Now it’s time for iOS 10.2 and no jailbreak (again). While eventually it might get a jailbreak, in the meanwhile there is no physical acquisition tool for iOS 10 devices. Considering that iPhone 7 and 7 Plus were released with iOS 10 onboard, your acquisition options for these devices are somewhat limited.

Plan “B”

With no jailbreak available for iOS 10, what are your options? If you have the latest Elcomsoft iOS Forensic Toolkit, use “plan B” instead! By using the “B” command from the main menu, you’ll force the iPhone to dump its content into a local backup. Once the local backup is created, you’ll be able to view it with Elcomsoft Phone Viewer or another forensic tool.

Read More

Fake Netflix App Takes Control of Android Devices

January 26th, 2017

A recently spotted fake Netflix app is in fact installing a Remote Access Trojan (RAT) variant onto the victims’ devices, Zscaler security researchers have discovered.

Preying on the popularity of applications isn’t a new technique, with fake Super Mario Run games for Android recently used to distribute the Marcher and DroidJack Trojans. Now, it seems that the actors behind the SpyNote RAT have decided to use the same technique and leverage the enormous traction Netflix has among users looking to stream full movies and TV programs to their mobile devices.

Instead of a video streaming app, however, users end up with a RAT that can take advantage of their device in numerous ways, such as listening to live conversations by activating the microphone, executing arbitrary commands, sending files to a command and control (C&C) server, recording screen captures, viewing contacts, and reading SMS messages.

Read More

Misissued/Suspicious Symantec Certificates

January 26th, 2017

I. Misissued certificates for example.com

On 2016-07-14, Symantec misissued the following certificates for example.com:
        https://crt.sh/?sha256=A8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B9024A9B9DC3C4C6
        https://crt.sh/?sha256=8B5956C57FDCF720B6907A4B1BC8CA2E46CD90EAD5C061A426CF48A6117BFBFA
        https://crt.sh/?sha256=94482136A1400BC3A1136FECA3E79D4D200E03DD20B245D19F0E78B5679EAF48
        https://crt.sh/?sha256=C69AB04C1B20E6FC7861C67476CADDA1DAE7A8DCF6E23E15311C2D2794BFCD11

I confirmed with ICANN, the owner of example.com, that they did not
authorize these certificates.  These certificates were already revoked
at the time I found them.


II. Suspicious certificates for domains containing the word "test"

On 2016-11-15 and 2016-10-26, Symantec issued certificates for various
domains containing the word "test" which I strongly suspect were
misissued:

        https://crt.sh/?sha256=b81f339b971eb763cfc686adbac5c164b89ad03f8afb55da9604fd0d416bbd21
        https://crt.sh/?sha256=f45d090e1bf24738a8e86734aa7acf7c9e65b619eb19660b1f73c9973f11b841
        https://crt.sh/?sha256=bcbc26c9e06c4fe1c9e4d55fa27a501c504ea84e23e114b8ac004f7c0776cd0b
        https://crt.sh/?sha256=f0935ce297419cc148bde49a7a123f2b2419cdd52df8e7f49e7bba07fe872559
        https://crt.sh/?sha256=3601ab49034e69d6e2137a80e511a0640252f444b75d6baca7bf4672c35652a5

I have not attempted to contact the owners of these domains for
confirmation, as doing so is probably not feasible (many of the domains
are owned by squatters).  However, the following facts lead me to
believe that these certificates were misissued:

1. The subject DNs contain clearly bogus values, such as:

        C=KR, ST=1, L=1, O=12, OU=1
        C=KR, ST=1, L=1, O=1, OU=1
        C=KR, ST=1, L=1, O=12, OU=1
        C=KR, ST=Test1, L=Test, O=Test

Note that the misissued example.com certificates also contain C=KR in
their subjects.

2. The third certificate in the list above contains a SAN for
DNS:*.crosscert.com - note that three of the misissued example.com
certificates contain "Crosscert" in their Subject Organization.

3. None of these certificates have been observed in the wild by Censys.
The live certificate for www.test.com was issued by Network Solutions.

4. The first two certificates in the list above both contain DNS SANs
for *all* of the following domains:

        test.com
        test1.com
        test2.com
        test3.com
        test4.com
        test5.com
        test6.com
        test7.com
        test8.com
        test9.com
        test11.com

With the exception of test4.com and test8.com, these domains are
registered to different entities and appear to be wholly unrelated with
one another in both ownership and operation.  It is unlikely that the
owners of these domains would collaborate to authorize these
certificates.

These certificates were already revoked at the time I found them.


III. Certificates with O=Test

Finally, Symantec has issued a large number of certificates with the
following attributes in the Subject:

        C=KR, ST=test, L=test, O=test, OU=test

e.g.:

        https://crt.sh/?sha256=09AECE5B94BBB8A9EE2152FA6FB7261630124918DA015EB3571508EF6D31DD30
        https://crt.sh/?sha256=CC0A2AE0EF5B1A6CF242D7B4C77AC9F05B49494B42C8486B47804874734CFC1C
        https://crt.sh/?sha256=F177AC0064167354025CE12B3914A0E056628DD31152B5DF22E41913FC9D9B45
        https://crt.sh/?sha256=DA7B1D433C071DA7A389EE2A4CAB854B89E441277B41E608F05FB7C7C6B2A761

For more, see:

        https://crt.sh/?O=test

I doubt there is an organization named "test" located in "test, Korea."

Regards,
Andrew
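As an added triage example (not code from the post or from Andrew): the checks below parse subject DN strings in the comma-separated form quoted above and flag placeholder-looking values, and count how many registrable domains a SAN list spans. The placeholder rules, the thresholds and the naive two-label domain rule are my assumptions, not a policy requirement.

```python
"""Triage helpers for the misissuance indicators described above.

Added example, not part of the original post. It parses subject DNs in the
"C=KR, ST=1, L=1, O=12, OU=1" form quoted in the post and flags values that
look like placeholders; the placeholder rules and thresholds are assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Sample inputs: the subject DNs and SAN names quoted in the post above,
# plus one constructed, benign subject for contrast.
SAMPLE_SUBJECTS = [
    "C=KR, ST=1, L=1, O=12, OU=1",
    "C=KR, ST=1, L=1, O=1, OU=1",
    "C=KR, ST=Test1, L=Test, O=Test",
    "C=KR, ST=test, L=test, O=test, OU=test",
    "C=US, ST=California, L=Mountain View, O=Example Corp, OU=IT",  # constructed
]
SAMPLE_SANS = [
    "test.com", "test1.com", "test2.com", "test3.com", "test4.com",
    "test5.com", "test6.com", "test7.com", "test8.com", "test9.com",
    "test11.com",
]

# Placeholder heuristic (assumption): purely numeric, "test" with an optional
# number, or a single character.
PLACEHOLDER_RE = re.compile(r"^(?:\d+|test\d*|.)$", re.IGNORECASE)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a comma-separated DN string into (attribute, value) pairs.

    Backslash-escaped commas inside a value (RFC 4514 style) are kept as
    part of the value rather than treated as separators.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),\s*", dn.strip()):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def placeholder_attributes(dn: str) -> Dict[str, str]:
    """Return the non-country attributes whose values look like placeholders."""
    return {
        attr: value
        for attr, value in parse_dn(dn)
        if attr != "C" and PLACEHOLDER_RE.match(value)
    }


def subject_is_suspicious(dn: str, min_hits: int = 2) -> bool:
    """A subject is flagged once min_hits of its attributes are placeholders."""
    return len(placeholder_attributes(dn)) >= min_hits


def registrable_domains(sans: List[str]) -> Set[str]:
    """Collapse dNSName SANs to a registrable domain (naive: last two labels).

    Wildcard prefixes are dropped. A production version would consult the
    Public Suffix List; the two-label rule is an assumption that is correct
    for the .com names in the post.
    """
    domains = set()
    for name in sans:
        labels = name.lower().lstrip("*.").split(".")
        domains.add(".".join(labels[-2:]))
    return domains


def triage(subject: str, sans: List[str], max_domains: int = 3) -> List[str]:
    """Return human-readable reasons a certificate deserves a closer look.

    A wide SAN spread is only a review trigger: whether every domain owner
    actually authorised the certificate cannot be decided offline.
    """
    reasons = []
    if subject_is_suspicious(subject):
        hits = placeholder_attributes(subject)
        joined = ", ".join(f"{a}={v}" for a, v in hits.items())
        reasons.append(f"placeholder subject attributes: {joined}")
    domains = registrable_domains(sans)
    if len(domains) > max_domains:
        reasons.append(
            f"SANs span {len(domains)} registrable domains; confirm each "
            "owner authorised issuance"
        )
    return reasons


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(f"{subject!r}: suspicious={subject_is_suspicious(subject)}")
    for reason in triage(SAMPLE_SUBJECTS[0], SAMPLE_SANS):
        print("-", reason)
```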

Read More

How do we measure Internet health?

January 26th, 2017

Welcome to Mozilla’s new open source initiative to document and explain what’s happening to the health of the Internet. Combining research from multiple sources, we collect data on five key topics and offer a brief overview of each.

For offline reading, download the full report (PDF), or our copy of that file, internethealthreport_v01.

The Internet is an ecosystem. A living entity that billions of people depend on for knowledge, livelihood, self-expression, love…. The health of this system relies on – and influences – everyone it touches. Signs of poor health in any part impacts the whole. We’re all connected.

How healthy is our Internet? How might we understand and diagnose it? We believe this is a timely and necessary conversation, and we hope you’ll join in.

Read More

Android Users Under Attack As Banking Malware Source Code Was Posted Online

January 26th, 2017

Security researchers warn that the source code of an Android banking malware was posted online, along with information on how to use it, which means that users of Android devices are very likely to face an increasing number of attacks in the short term.

Security firm Dr. Web reveals that it has already discovered one malware developed with this leaked source code, adding that it’s distributed as popular applications either directly injected in APKs available online or in third-party stores.

The malware has been flagged as Android.BankBot.149.origin and tries to get administrator privileges on compromised computers. Once it’s granted full privileges, the malware removes the app’s icon from the home screen, trying to trick people into believing it was removed.

Read More

China tightens Great Firewall by declaring unauthorised VPN services illegal

January 26th, 2017

Beijing has launched a 14-month nationwide campaign against unauthorised internet connections, including virtual private network (VPN) services, which allow users to bypass the country’s infamous “Great Firewall”.

A notice released by the Ministry of Industry and Information Technology on Sunday said that all special cable and VPN services on the mainland needed to obtain prior government approval – a move making most VPN service providers illegal.

The “clean-up” of the nation’s internet connections would start immediately and run until March 31, 2018, the notice said.

Read More

PSA: LastPass Does Not Encrypt Everything In Your Vault

January 26th, 2017

As a software engineer and long time LastPass user, I’ve always been an advocate of password managers. With data breaches becoming more and more common these days, it’s critical that we take steps to protect ourselves online. However, over the past year LastPass has made some decisions that have made me question their motives and ultimately has recently caused them to lose my business.

Last year LastPass introduced a new redesign of their vault in which they added nice pretty logos of all the sites in your vault.

Read More

No, CVE Details Did Not Just Prove Android Security Stinks!

January 18th, 2017

It’s January again, and as usual, various media outlets are busy reporting on vulnerability statistics from the previous year. As usual, the CVE Details folks have worked up a lot of hype based on CVE counts, and once again, the media has taken the bait with sensational headlines about Google’s Android being the most vulnerable product of 2016. For context, last year this title was given to OS X, and in 2014, it was Internet Explorer.

While these headlines may have made various factions of fanboys smile year after year, the lessertold story is that these statistics are essentially meaningless and say nothing about the relative security between products. In this post, I will attempt to spell out some of the reasons for this, but I definitely encourage anyone who is interested to check out Steve Cristey and Brian Martin’s 2013 Black Hat talk “Buying into the Bias: Why Vulnerability Statistics Suck” for a far more comprehensive explanation.

Read More

Hacker claims our private cell number on Facebook may not be so private

January 18th, 2017

Inti De Ceukelaire, a Belgian hacker and security researcher, has discovered a new method that further undermines Facebook’s claim to protect users’ data through its supposedly comprehensive privacy settings. De Ceukelaire has discovered that he can exploit Facebook to obtain the cell phone numbers of users who want them to remain hidden.

According to De Ceukelaire, he can easily identify the cell phone numbers of well-known personalities including top politicians and “Flemish” celebs simply through checking out their Facebook profile. This is done by analyzing the numbers that are associated with their profiles. It must be noted that these numbers are supposed to be confidential information and aren’t viewable by the public.

Must Read: Hacking Facebook Account by Knowing Account Phone Number

Reportedly, De Ceukelaire proved his claim by obtaining the cell number of Jan Jambon, the Interior Minister for Belgium, through his Facebook profile. He further stated that: “For clarity, I could find out his number on his account, not vice versa; roughly, I think you get the number 20 percent of the Flemish people can find that way. Of all the people who have their mobile number linked to their profile goes to the 80 percent.”

Read More

Simple Hack Lets Hackers Listen to Your Facebook Voice Messages Sent Over Chat

January 17th, 2017

Most people hate typing long messages while chatting on messaging apps, but thanks to the voice recording feature provided by WhatsApp and Facebook Messenger, it is much easier for users to send longer messages that would otherwise take a lot of typing effort.

If you too have a habit of sending audio clips, instead of typing long messages, to your friends over Facebook Messenger, you are susceptible to a simple man-in-the-middle (MITM) attack that could leak your private audio clips to attackers.
What’s more worrisome is that the issue is still not patched by the social media giant.

Egyptian security researcher Mohamed A. Baset told The Hacker News about a flaw in Facebook Messenger’s audio clip recording feature that could allegedly allow any man-in-the-middle attacker to grab your audio clip files from Facebook’s server and listen to your personal voice messages.

Let’s understand how this new attack works.

Read More

“We reverse engineered 16k apps, here’s what we found”

January 17th, 2017

In Nov’16, we created an online tool to reverse engineer any Android app to look for secrets. This tool was built because of an internal need: we were constantly required to reverse engineer apps for our customers to examine them from a security standpoint. We felt the process could be automated to the point where we could create a web-based tool that could be used by anyone. A couple of months after releasing it, users have reverse engineered approximately 16,000 apps, and here are some of the interesting findings.

Out of 16,000 apps, most didn’t have any sort of key or secret in them. Roughly 2500 apps were found to have either a key or a secret of a third-party service hardcoded in the app. Some keys are harmless and are required to be in the app, for example Google’s API key, but there were also lots of API secrets which definitely shouldn’t have been in the apps. There were 304 such apps.

These secrets belonged to a lot of different third-party services, for example Uber’s secret, which can be used to send in-app notifications via the Uber app.

Read More

Thoughts on WhatsApp E2E Encryption AKA Security Is Real Only if It’s the Default

January 15th, 2017

Yesterday Tobias Boelter posted on his blog this article, which essentially highlights a message retransmission vulnerability in WhatsApp which makes it leak sensitive information if the recipient’s key changed, only alerting the user after the message has been sent.
The Guardian has then picked up the info and posted the article “WhatsApp vulnerability allows snooping on encrypted messages“.

In a matter of hours, a shit load of experts (and unfortunately also lots of people who are not experts at all) pointed their fingers at The Guardian, arguing that it’s not a backdoor and all other kinds of sterile polemics. At some point, Moxie from Open Whisper Systems, the non-profit organization who made Signal, the only really secure messaging app we’re aware of and the library that WhatsApp recently integrated in order to give E2E encrypted messaging to all of their users, published on the blog this: “There is no WhatsApp ‘backdoor’“, which seemed to have put the word END to this conversation.

I’m not a cryptographer or a crypto expert of any kind, but I’ve spent quite a few years working on MITM attacks and tools, I’m well aware of how easy it is for anyone to exploit the information you leak on a network, and I’m well aware that state sponsored attackers have trillions of other ways to do that more easily and transparently (for the user of course) … we should just stop the drama about it being a backdoor or not and focus on what really matters:

It is definitely a serious security issue for the users’ privacy and Facebook refused to fix it.

Read More

Oxygen Forensic® Detective extracts current and deleted SIM card data

January 13th, 2017

Oxygen Forensics releases a major update to its flagship forensic software, Oxygen Forensic® Detective v.9.1.1. With this version you can extract current and deleted contacts, calls, messages and other available data from SIM cards via a card reader. The updated Oxygen Forensic® Detective now displays the detailed Wi-Fi history of Google Mobile Services from Android devices.

Usability and interface improvements have been made to Export and Cloud Extractor Modules. You can collect evidence from new apps, like Mandarin IM and HTC Mail, and acquire data from 130+ new Android OS devices!

Watch Oxygen Forensic® Detective release video.

View Oxygen Forensic® Detective release notes.

New in Oxygen Forensic® Detective v.9.1:

  • Oxygen Forensic® Extractor. Added the ability to extract SIM card data. You can acquire current and deleted contacts, messages, calls and other available information from any SIM card connected via card reader.
  • Oxygen Forensic® Extractor. Now custom forensic recovery packages for physical acquisition of Samsung Android devices can be downloaded in the customer area.
  • Web Connections. Added the ability to extract and analyze WLAN network history of Google Mobile Services from Android OS devices.
  • Oxygen Forensic® Cloud Extractor. Added support for 2-factor authentication for the VKontakte service.
  • Oxygen Forensic® Cloud Extractor. Added the ability to download audio and video files from the VKontakte service.
  • Applications. Messengers. Added data parsing from Mandarin IM (1.9) from Android OS devices.
  • Applications. Business. Added data parsing from HTC Mail (10.00.783771) from Android OS devices.
  • Applications. Messengers. Updated data parsing from Hangouts (13.5.0) from iOS devices.
  • Applications. Messengers. Improved data parsing from several accounts of WeChat from Android OS devices.
  • Applications. Messengers. Updated data parsing from Skype (6.30) from iOS devices.
  • Applications. Social Networks. Updated data parsing from Snapchat (9.43.1.0) from iOS devices and Snapchat (9.45.1.0) from Android OS devices.
  • Applications. Business. Updated data parsing from Inbox.lv (6.0.29) from Android OS devices.
  • Added support for 130 new Android devices: BLU Diamond M, BLU Studio G HD LTE, Nokia D1C Dual SIM LTE, OnePlus 3T Dual SIM Global TD-LTE, Samsung Galaxy S7 Edge Duos TD-LTE, Verizon Ellipsis 8 HD XLTE, etc.
  • Export. XLS report. Added Table of Contents with hyperlinks to the sections.
  • Export. File Browser. Added hyperlinks to the file types in the report.

A vulnerability discovered in WhatsApp allows users’ messages to be intercepted

January 13th, 2017

Researchers from the University of Berkeley have discovered a vulnerability in the WhatsApp messenger that allows users’ correspondence to be read, The Guardian reported on Friday.

WhatsApp’s end-to-end encryption was implemented in a way that leaves a loophole through which Facebook, which owns the messenger, would be able to intercept users’ communications if necessary. To do so, WhatsApp independently regenerates the encryption keys and then re-sends any messages that have not yet been marked as “delivered”.

The recipient is not told about the key change, and the sender can detect the problem only if notifications about suspicious activity with the encryption keys are enabled in the account settings. Even then, the alert arrives only after the message has already been re-sent to the recipient.

According to experts, regenerating the encryption keys and re-sending the messages allows WhatsApp to intercept and read them.

Cyber thieves have a sneaky new way to steal your fingerprints

January 13th, 2017

If flashing a peace sign is your go-to selfie move, you might want to think about coming up with a new signature look. Turns out, your light-hearted display of goodwill to the world could be putting your personal data at risk — if you come across a truly determined hacker, anyway.

According to research from a team at Japan’s National Institute of Informatics (NII), cyber thieves can lift your fingerprints from a photo in order to access your biometrically protected data (like the info secured on your iPhone by the Touch ID system). But while it’s technically possible, biometrics experts say there’s no need to panic.

Mobile Forensics Firm Cellebrite Hacked

January 13th, 2017

A hacker claims to have stolen hundreds of gigabytes of data from Cellebrite, the Israel-based mobile forensics company rumored to have helped the FBI hack an iPhone belonging to the terrorist Syed Rizwan Farook.

Vice’s Motherboard reported that an unnamed hacker breached Cellebrite’s systems and managed to steal 900 Gb of data, including customer usernames and passwords, databases, data collected by the company from mobile devices, and other technical information.

GoDaddy Revokes Nearly 9,000 SSL Certificates

January 13th, 2017

GoDaddy informed customers this week that it has revoked nearly 9,000 SSL certificates after discovering a software bug that made its domain validation process unreliable.

According to the company, the bug was introduced on July 29, 2016, as part of a routine code change meant to improve the certificate issuance process. GoDaddy learned about the problem from Microsoft on January 6 and revoked the affected certificates on January 10. The certificates will be reissued in the upcoming period.

When it validates a domain name for an SSL certificate, GoDaddy provides the customer a random code and asks them to place it in a specific location on their website. The validation process is complete when GoDaddy’s systems find the code on the customer’s website.

As a result of the bug introduced in July, if the web server was configured in a certain way, the system validated domains even when the code was not found.

GEMALTO: BUILDING TRUST IN MOBILE APPS

January 13th, 2017


In 2016, Android was more vulnerable to hackers than iOS was

January 13th, 2017

Among the mobile and desktop operating systems ringing up the 50 most vulnerabilities last year, Android was on top with 523 such flaws. In comparison, iOS was number 15 with 161 such issues. That was a reversal from 2015. That year, it was iOS that had the most vulnerabilities between the two with 387 compared to 125 for Android. Overall, iOS had the second most vulnerabilities in 2015 while Android ranked 15th.

Speak louder, Google is recording

January 13th, 2017

  • Google makes audio and voice records via a device microphone
  • However, you can wipe it

Read More

Creepy spying website lets your friends see what you’ve downloaded without you ever knowing

January 4th, 2017

  • Iknowwhatyoudownload.com lets you see downloads for 24 hours
  • It creates a fake link to share, which tracks downloads through the IP address
  • To prevent your downloads being seen, you can use a Virtual Private Network
  • Despite privacy concerns, the makers of the website claim it could be used for good, and could even help victims of revenge-porn

Read More

Oxygen Forensic® Detective adds support for new applications and devices!

December 18, 2016

Oxygen Forensics releases a maintenance version of Oxygen Forensic® Detective. Version 9.0.1 offers functionality and interface improvements of Oxygen Forensic® Cloud Extractor, Oxygen Forensic® Maps and Export Engine. It also adds data parsing from Video Locker and KeepSafe applications and updates support for popular messengers: Kik Messenger, Facebook Messenger, Viber, WhatsApp, etc. The total number of supported app versions exceeds 2400!

The updated version also adds support for 400+ new Android OS devices: Acer Iconia Tab 10, Alcatel One Touch Pixi 4 4.0 4GB, Asus ZenPad 10 TD-LTE, Coolpad 8718 TD-LTE, HTC One S9 TD-LTE, Huawei P9 Plus TD-LTE, etc.

New in Oxygen Forensic® Detective v.9.0.1:

  • Oxygen Forensic® Cloud Extractor. Added the ability to start a new extraction without restarting the Cloud Extractor.
  • Oxygen Forensic® Cloud Extractor. Date range settings are now shown in the extraction statistics window and included into the OCB backup.
  • Oxygen Forensic® Cloud Extractor. Added a horizontal scrollbar to conveniently view extraction logs. Also added the ability to copy logs in the popup menu.
  • Oxygen Forensic® Maps. Added the ability to change a scale of the image in the Photo Viewer.
  • Export. Added events numbering in the RTF data report.
  • Export. Added the ability to set a name of the expert who creates a data report.
  • General. Added display of time zone offset on the sidebar and in the grid.
  • General. Added the hint that shows the original time zone extracted from the database. Available in all the cells that contain time information.
  • Applications. Business. Added data parsing from KeepSafe (7.10.5) from Android OS devices and KeepSafe (7.7) from iOS devices.
  • Applications. Business. Added data parsing from Video Locker (1.2.1) from Android OS devices.
  • Applications. Messengers. Updated support for Kik Messenger (10.16.1.9927) for Android OS devices.
  • Applications. Messengers. Updated support for Facebook Messenger (93.0) for iOS devices.
  • Applications. Social Networks. Updated support for LinkedIn (4.0.79) for Android OS devices.
  • Applications. Messengers. Updated support for Viber (6.3.4) for iOS devices.
  • Applications. Messengers. Updated support for WeChat (6.3.28) for iOS devices and WeChat (6.3.23) for Android OS devices.
  • Applications. Messengers. Updated support for WhatsApp (2.16.13) for iOS devices.
  • Oxygen Forensic® Extractor. Added support for iOS 10.1.
  • Oxygen Forensic® Extractor. Added support for 400+ Android OS devices: Acer Iconia Tab 10, Alcatel One Touch Pixi 4 4.0 4GB, Asus ZenPad 10 TD-LTE, BBK Vivo V3 A TD-LTE Dual SIM, Coolpad 8718 TD-LTE, HTC One S9 TD-LTE, Huawei P9 Plus TD-LTE, etc.
  • Export. Fixed the issue with Emoji symbols that were displayed incorrectly in data reports.
  • Export. Fixed the issue with RTF files that are larger than 512 MB.
  • Export. Fixed the issue with the logo in the header that occurred when the Device information section was not included in the report.

Read More

Oxygen Forensic® Detective significantly speeds up Android data extraction!

December 18, 2016

Oxygen Forensics releases a major update to its flagship forensic software, Oxygen Forensic® Detective. The software version 9.0 offers extremely fast data extraction from a wide range of Android devices. It also supports Android 7.0 Nougat devices and improves physical extraction via custom forensic recovery from Samsung devices.

The new software version acquires My activity data from Google service and decrypts passwords saved in Google Chrome. Oxygen Forensic® Detective v. 9.0 fully parses encrypted and non-encrypted iTunes backups as well as iCloud backups made from iOS 10 devices. Frequent locations from iOS devices and convenient daylight saving time settings are also available.

The updated Oxygen Forensic® Detective now supports 350+ new mobile devices, including iPhone 7 and iPhone 7 Plus, and 2,300+ app versions.

New in Oxygen Forensic® Detective v.9.0:

  • Redesigned Enterprise license. Due to the completely new engine the Enterprise license has become more cost-efficient and stable. Now experts can borrow a license from the server to work offline in the field. Moreover, the remote connection to the network server has been significantly improved.
  • Industry-first! Oxygen Forensic® Cloud Extractor. Added the ability to extract data from Google My Activity which includes web searches, watched videos and other activity.
  • Oxygen Forensic® Cloud Extractor. Added passwords extraction from Google Chrome accounts using either known credentials or token. Forensic experts can extract account details, saved passwords and visited web pages.
  • Oxygen Forensic® Extractor. Added fast dump creation from Android OS devices. The agreement with MITRE Corporation made it possible to create a Jet-Imager module that acquires data from Android devices many times faster.
  • Oxygen Forensic® Extractor. Added support for iPhone 7 and iPhone 7 Plus devices.
  • Oxygen Forensic® Extractor. Added data parsing from non-encrypted and encrypted iTunes backups made from iOS 10 devices.
  • Oxygen Forensic® Extractor. Added data import and parsing from iCloud backups made from iOS 10 devices.
  • Oxygen Forensic® Extractor. Added logical and physical data extraction from Android 7.0 Nougat devices.
  • Oxygen Forensic® Extractor. Added physical data acquisition via forensic custom recovery method from the following Samsung S6, S6 Edge, S6 Edge models: SM-G928P, SM-G928T, SM-G928R4, SM-G920F, SM-G920T, SM-G920I, SM-G920P, SM-G920R4 and SM-G920T1. This method allows the expert to bypass the mobile device screen lock to create a full physical dump from supported Samsung devices.
  • Oxygen Forensic® Extractor. Added import and data parsing from physical images of Android devices with YAFFS file systems.
  • Oxygen Forensic® Extractor. Added support for Android physical images with F2FS file system.
  • Oxygen Forensic® Extractor. Added import and data parsing from BlackBerry 10.3 physical images.
  • Oxygen Forensic® Extractor. Added the ability to extract data via ADB backup from Android 6.x devices.
  • Web Connections. Locations tab. Added extraction of Frequent Locations from jailbroken iOS devices.
  • Device information. Added information about SIM cards that were ever used in the acquired iOS device.
  • General. Added support for daylight saving time in Time Zone Settings.
  • General. Now you can easily select another time zone in the column header in the following sections:  Phonebook, Calendar, Notes, Tasks, File Browser and Web Connections.
  • Export. Key Evidence and Timeline. Added the ability to export Key Evidence and Timeline events together with files from the source sections: attachments from Messages, files from File Browser and Applications.
  • Export. Added the ability to add a custom main header for HTML and RTF reports.
  • Applications. Added localization for the column headers. Previously they were only in English.
  • Applications. Business. Added data parsing from Apple Notes from iOS 10 devices.
  • Applications. Messengers. Added data parsing from QQ (5.9.7) from Android OS devices.
  • Applications. Messengers. Added data parsing from Yaxim (0.8.8) from Android OS devices.
  • Applications. Social Networks. Updated support for Facebook (63.0) for iOS devices.
  • Applications. Social Networks. Updated support for LinkedIn (9.0.33) for iOS devices.
  • Applications. Social Networks. Updated support for Twitter (6.61.1) for iOS devices.
  • Applications. Social Networks. Updated support for Instagram (9.2.1) for iOS devices.
  • Applications. Social Networks. Updated support for VK (4.4.2) from Android OS devices.
  • Applications. Messengers. Updated support for WhatsApp (2.16.9, 2.16.10 ) for iOS devices.
  • Applications. Messengers. Updated support for Skype (7.14.0.305) for Android OS devices.
  • Applications. Messengers. Updated support for Facebook Messenger (91.0.0.19.70) for Android OS devices.
  • Applications. Messengers. Updated support for ooVoo (2.9.3) for iOS devices and ooVoo (2.9.2) for Android OS devices.
  • Added support for 350+ Android OS devices: LG K Series K8 LRA 4G LTE (RS500), Lenovo Vibe P2 Dual SIM TD-LTE (P2c72), ZTE ZMax Pro LTE, Motorola Moto E3 Dual SIM TD-LTE (XT1700),  Alcatel One Touch Idol 4 LTE (OT-6055U), Samsung Galaxy Note 7 Duos TD-LTE (SM-N930FD), etc.
  • Oxygen Forensic® Cloud Extractor. Updated support for Google Mail with accelerated data extraction. Mails are now extracted using multiple threads.
  • Oxygen Forensic® Cloud Extractor. Updated support for Google Location History.
  • Oxygen Forensic® Cloud Extractor. Updated support for Twitter.
  • Oxygen Forensic® Extractor. Improved support for encrypted Android ADB backups. Added the ability to enter a password during data extraction to decrypt data.
  • Oxygen Forensic® Extractor. Significantly accelerated physical data extraction via custom forensic recovery from Samsung devices.

Read More

Simple Bug allows Hackers to Read all your Private Facebook Messenger Chats

December 18, 2016

A security researcher has discovered a critical vulnerability in Facebook Messenger that could allow an attacker to read all your private conversations, affecting the privacy of around 1 Billion Messenger users.

Ysrael Gurt, the security researcher at BugSec and Cynet, reported a cross-origin bypass attack against Facebook Messenger which allows an attacker to access your private messages, photos as well as attachments sent on the Facebook chat.

To exploit this vulnerability, all an attacker needs is to trick a victim into visiting a malicious website; that’s all. Once clicked, all private conversations of the victim, whether from Facebook’s mobile app or a web browser, would be accessible to the attacker, because the flaw affected both the web chat and the mobile application.

Dubbed “Originull,” the vulnerability actually lies in the fact that Facebook chats are managed from a server located at {number}-edge-chat.facebook.com, which is separate from Facebook’s actual domain (www.facebook.com).

“Communication between the JavaScript and the server is done by XML HTTP Request (XHR). In order to access the data that arrives from 5-edge-chat.facebook.com in JavaScript, Facebook must add the “Access-Control-Allow-Origin” header with the caller’s origin, and the “Access-Control-Allow-Credentials” header with “true” value, so that the data is accessible even when the cookies are sent,” Gurt explained.

Read More

Doctor Web discovers Trojans in firmware of well-known Android mobile devices

December 15, 2016

Doctor Web’s security researchers found new Trojans incorporated into the firmware of several dozen Android mobile devices. The malware programs found are stored in system directories and covertly download and install programs.

One of these Trojans, dubbed Android.DownLoader.473.origin, was found in the firmware of a large number of popular Android devices operating on the MTK platform. At the time this news article was posted, the Trojan had been detected on the following 26 models of smartphones:

  • MegaFon Login 4 LTE
  • Irbis TZ85
  • Irbis TX97
  • Irbis TZ43
  • Bravis NB85
  • Bravis NB105
  • SUPRA M72KG
  • SUPRA M729G
  • SUPRA V2N10
  • Pixus Touch 7.85 3G
  • Itell K3300
  • General Satellite GS700
  • Digma Plane 9.7 3G
  • Nomi C07000
  • Prestigio MultiPad Wize 3021 3G
  • Prestigio MultiPad PMT5001 3G
  • Optima 10.1 3G TT1040MG
  • Marshal ME-711
  • 7 MID
  • Explay Imperium 8
  • Perfeo 9032_3G
  • Ritmix RMD-1121
  • Oysters T72HM 3G
  • Irbis tz70
  • Irbis tz56
  • Jeka JK103

However, the number of infected Android devices can be, in fact, even bigger.

Read More

Russian facial recognition app sparks interest, controversy

December 15, 2016

A facial recognition app out of Russia is raising eyebrows, both because of its abilities and the privacy concerns it sparks.
The app, FindFace, involves users submitting photos— for example, of someone they saw on the street and might like to be able to contact. Then, the app searches a Russian social network called Vkontakte to look for a match with a reported accuracy of about 70 percent among the millions of accounts. It’s even performed better than Google at a competition called MegaFace.
While some have praised the app for its ability to make successful matches— law enforcement and casinos are said to be interested in the tech— others have privacy concerns.

Read More

Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion

December 15, 2016

IN SEPTEMBER, YAHOO had the unfortunate distinction of disclosing an enormous 500 million-account breach. Tough stuff. Somehow, though, the company seems to have topped even that staggering figure. Yahoo announced on Wednesday that hackers, in what’s likely a separate attack, compromised one billion of the company’s user accounts in August 2013. One billion. That makes this the biggest known hack of user data ever, and it’s not really close.

The most important thing we know so far is that Yahoo says “this incident is likely distinct from the incident we disclosed on September 22, 2016.” That other breach happened in late 2014, so this new (even bigger) one took place about a year earlier. Yahoo has been working with law enforcement and a third-party cybersecurity firm to verify the hack and trace its origin, but the company says that so far it doesn’t know who the perpetrator was.

Read More

Norton Cyber Security Insights Report 2016

November 30, 2016

Explore how consumers leave themselves vulnerable to online crime in the 2016 Norton Cyber Security Insight Report. A global omnibus survey of 20,907 consumers in 21 countries, the report examines consumers’ attitudes toward online crime and the personal impact it has on their lives.

Interesting highlights include:

  • The United States is the most susceptible developed country for cyberattacks, where 39 percent of Americans personally experienced cybercrime within the past year, compared to 31 percent of people globally.
  • The Netherlands has the lowest rate of cybercrime experienced in the last year (14 percent).
  • More than any other country, parents in the United States (64 percent) believe their kids are more likely to be bullied online than on a playground, compared to 48 percent of parents globally.
  • If given the option, the majority of those surveyed across all countries would rather reset their smartphone settings than have their browser history made public.

Read More

iPhone ‘live photo’ may leak location

November 30, 2016

“Everyone might easily track your location through live photos posted on Weibo!” A Chinese mother warned on social media earlier this week, referring to the potential safety risks in using the “live photo” feature on iPhone 6S and 7.

According to people.cn, the mother surnamed Sun from Ningbo, East China’s Zhejiang province, took a photo of her daughter waving her goodbye in front of a kindergarten using iPhone 7 and posted it on Twitter-like Sina Weibo.

Half an hour later, a stranger identified the kindergarten and its location.

Sun said she didn’t turn on the location service on Weibo when posting the picture, nor did she reveal the name of the kindergarten, so she had no idea how the stranger got the information.

Read More

You get a UUID! You get a UUID! Everybody gets a UUID!

November 30, 2016

A few months ago Uber came out with a new service which allowed businesses to request Uber rides for their customers. UberCENTRAL allowed businesses – large or small – to request, manage and pay for multiple Uber rides on behalf of their customers. The only way to have access to UberCENTRAL is to be approved and luckily I was approved to view the backend.

The feature provided on UberCENTRAL allowed the administrator of the company to add operators to their locations. Operators are employees who will request rides on behalf of the company’s customers, and these operators can be added via their email address, therefore basically any valid email address that was registered with Uber can be added.

Read More

RAGENTEK ANDROID OTA UPDATE MECHANISM VULNERABLE TO MITM ATTACK

November 30, 2016

In this article, we will be detailing an issue we discovered affecting some low-cost devices. It allowed for adversaries to remotely execute commands on the devices as a privileged user if they were in a position to conduct a Man-in-the-Middle attack. The binary responsible appears to be an insecure implementation of an OTA (Over-the-air) mechanism for device updates associated with the software company, Ragentek Group, in China. All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications but would allow an adversary to issue commands supported by the protocol. One of these commands allows for the execution of system commands. This issue affected devices out of the box.

On Tuesday, November 15th, the New York Times reported on an issue affecting a similar set of device manufacturers that caused the devices to report sensitive material, such as text messages and the user’s previous physical locations, back to the Chinese software company Shanghai ADUPS Technology Co., Ltd. This was an issue discovered and announced by Kryptowire, and covered in more detail in a posted article on their website. The issue described in this article is unrelated to the one discovered by Kryptowire.

Read More

Ragentek Android OTA update mechanism: vulnerability note (CVE-2016-6564)

November 30, 2016

Overview
Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges.

Description
CWE-494: Download of Code Without Integrity Check – CVE-2016-6564
Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks.
Additionally, there are multiple techniques used to hide the execution of this binary. This behaviour could be described as a rootkit.

This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel.
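The root cause in the note above is CWE-494: the update client runs whatever arrives on an unauthenticated channel. The following Python is an added example, not Ragentek’s or CERT/CC’s code, and it contrasts an update client that only checks the hash it was sent against one that authenticates the manifest before touching the payload and refuses rollbacks. The key, the manifest layout and the payload bytes are constructed for the demo; a keyed HMAC stands in for the asymmetric signature a production OTA design would use so that the example runs with the standard library alone.

```python
"""Integrity checks for an over-the-air (OTA) update client (added example).

Compares the CWE-494 pattern (trust the wire) with a client that verifies a
manifest MAC, then the payload hash, then the version, before applying anything.
"""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed key for the demo. A real device would carry a vendor *public* key
# and the manifest would be signed, not MACed; the control flow is the same.
UPDATE_KEY = b"example-ota-key-constructed-for-this-demo"


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so vendor and device MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_update(payload: bytes, version: int, key: bytes = UPDATE_KEY) -> dict:
    """Vendor side: bind payload hash and version into a body, authenticate the body."""
    body = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac, "payload": payload.hex()}


def insecure_apply(update: dict) -> Tuple[bool, str]:
    """Weak client: only checks that the payload matches the hash it was sent.
    On a cleartext channel a man-in-the-middle rewrites payload and hash together."""
    payload = bytes.fromhex(update["payload"])
    if hashlib.sha256(payload).hexdigest() != update["body"]["sha256"]:
        return False, "hash mismatch"
    return True, "applied"


def secure_apply(update: dict, installed_version: int,
                 key: bytes = UPDATE_KEY) -> Tuple[bool, str]:
    """Hardened client: authenticate the manifest, verify the payload, reject rollbacks."""
    body = update["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, update.get("mac", "")):
        return False, "bad manifest mac"
    payload = bytes.fromhex(update["payload"])
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), body["sha256"]):
        return False, "payload hash mismatch"
    if body["version"] <= installed_version:
        return False, "rollback rejected"
    return True, "applied"


def mitm_tamper(update: dict, new_payload: bytes) -> dict:
    """What an attacker on the cleartext path can do: swap the payload, fix up the hash.
    The MAC cannot be recomputed without the key, which is the whole point."""
    tampered = json.loads(json.dumps(update))  # deep copy
    tampered["payload"] = new_payload.hex()
    tampered["body"]["sha256"] = hashlib.sha256(new_payload).hexdigest()
    return tampered


if __name__ == "__main__":
    genuine = build_update(b"genuine firmware image v2", version=2)
    evil = mitm_tamper(genuine, b"attacker-supplied image")
    print("insecure client, tampered update:", insecure_apply(evil))
    print("secure client, tampered update:  ", secure_apply(evil, installed_version=1))
    print("secure client, genuine update:   ", secure_apply(genuine, installed_version=1))
    print("secure client, replayed update:  ", secure_apply(genuine, installed_version=2))
```

Run it as a script to see the four outcomes; the tampered image is accepted only by the insecure client, and the genuine image is refused once the device already runs that version, which is the anti-rollback check a real updater also needs.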

Read More

Kazakhstan is going to start intercepting HTTPS traffic via “man-in-the-middle attack” starting Jan 1, 2016

November 14, 2016

The law was accepted in December, but now one of our providers has announced information for small and medium businesses on how to install the government-provided root SSL certificate: https://www.beeline.kz/b2b/sme/ru/press_centers/10040

The certificate is valid for 4 years, data size, as I think, 1024 bytes.

Link to the cert: https://www.beeline.kz/uploads/document/file/11120/QAZNET.rar

Government root SSL certificate possible vulnerabilities

Update:

Mozilla bug report – Add Root Cert of Republic of Kazakhstan

Mozilla CA Program (in pdf)

Gov Cert of Kazakhstan

Read More

iOS WebView auto dialer bug

November 14, 2016

iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone’s UI for a short amount of time and therefore prevent the victim from cancelling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible. The Twitter and LinkedIn iOS apps are vulnerable (other apps might be vulnerable too).

Read More

GOOGLE TO MAKE CERTIFICATE TRANSPARENCY MANDATORY BY 2017

November 14, 2016

Google is making Certificate Transparency mandatory for its Chrome web browser by October 2017. Google software engineer Ryan Sleevi made the announcement in conjunction with the CA/Browser Forum that took place in Redmond, Washington last week.
The move is an attempt to reduce the number of domain certificates that are compromised and abused by hackers who are taking advantage of structural flaws in the certificate authority system, say experts. Those security flaws have allowed hackers to exploit holes in the certificate authority system and launch man-in-the-middle and website spoofing attacks.

Read More

How to block the ultrasonic signals you didn’t know were tracking you

November 14, 2016

The technology, called ultrasonic cross-device tracking, embeds high-frequency tones that are inaudible to humans in advertisements, web pages, and even physical locations like retail stores. These ultrasound “beacons” emit their audio sequences with speakers, and almost any device microphone—like those accessed by an app on a smartphone or tablet—can detect the signal and start to put together a picture of what ads you’ve seen, what sites you’ve perused, and even where you’ve been. Now that you’re sufficiently concerned, the good news is that at the Black Hat Europe security conference on Thursday, a group based at University of California, Santa Barbara will present an Android patch and a Chrome extension that give consumers more control over the transmission and receipt of ultrasonic pitches on their devices.

Read More

When CSI meets public wifi: Inferring your mobile phone password via wifi signals

November 14, 2016

WindTalker is motivated from the observation that keystrokes on mobile devices will lead to different hand coverage and finger motions, which will introduce a unique interference to the multi-path signals and can be reflected by the channel state information (CSI).
By setting up a rogue access point, determining the point in time when a user is entering a PIN (for the Alipay payment system in the demonstrated attack – the largest mobile payments company in the world), and observing the fluctuations in wifi signal, it’s possible to recover the PIN. Particularly with side-channel attacks, I usually feel a mix of “oh wow, you can do that, that’s really ingenious…” coupled with a sense of despair at just how insecure everything really is in the presence of skilled attackers. Today’s paper, as with yesterday’s, is no exception

Read More

DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices

September 15, 2016

Almost all samples of DualToy are capable of infecting Android devices connected with the compromised Windows PC via USB cable. This functionality is usually implemented in a module named NewPhone.dll, DevApi.dll or app.dll.
DualToy assumes ADB is enabled on the connected Android device. If ADB isn’t enabled (which is the default option), the . However, some users, especially those who want to install Android apps from a PC or Mac, or who want to do advanced operations with their Android devices, This is because ADB is both the only official interface for a Windows or Mac computer to operate an Android device via USB and it is a debugging interface.

Read More

Mobile Customer. Poll

September 08, 2016

There are many reasons why some mobile devices are better protected than others. How you use your device is one composite factor, and it affects your average protection level directly or indirectly.

Read More

Customer Data. Poll

September 08, 2016

As is well known, mobile apps store, transfer and operate on various types of data. Some data items are better protected than others, and everyone has their own data they consider worth protecting. What is the most important data to you?

Read More

Onelogin August 2016 Incident

August 31, 2016

We recently confirmed that an unauthorized user gained access to one of our standalone systems, which we use for log storage and analytics. Here is what we can share about the incident:

  • OneLogin has a feature called Secure Notes, which end users can use to store information. These notes are stored in our system using multiple levels of AES-256 encryption.

  • A bug caused these notes to be visible in our logging system prior to being encrypted and stored in our database.

  • We subsequently discovered evidence that an unauthorized user gained access to this system by compromising a OneLogin employee’s password for that system.

  • We have no evidence that any other OneLogin system or user account was compromised.

  • Based on the activity in the log management system, we can see that the intruder was able to view, at a minimum, notes that were updated during the period of July 25, 2016 to August 25, 2016.

  • Due to the presence of the intruder as early as July 2, 2016, we are advising customers that notes updated during period of June 2, 2016 to July 24, 2016, are also at risk.

  • This has impacted a small subset of our customers, who we are working with directly on this issue.

Here are the actions we have taken so far:

  • The cleartext logging bug was fixed on the same day we detected it.

  • Access to the log management system has been locked down to only SAML-based authentication and only from a limited set of IP addresses.

  • All passwords have been reset in all external systems that don’t support SAML or allow alternate forms-based authentication.

  • Once we verified the initial scope of the incident, we began notifying the impacted customers on August 29, 2016 and will continue to update them as our investigation continues.
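The failure described in the statement above is a single logging call that recorded Secure Notes before encryption. The Python below is an added example, not OneLogin’s code, showing the control a practitioner would put in place: a redacting filter on the logging layer itself, so that no call site can ship a sensitive field to log storage, plus a keyed correlation tag so an investigator can still match events to a record. The key names, the correlation key and the two sample log calls are constructed for the demo.

```python
"""Keep secrets out of the log pipeline (added example).

A logging.Filter scrubs dict-shaped messages and arguments before any handler
formats them, and a keyed digest replaces each secret so events stay traceable.
"""
import hashlib
import hmac
import logging
from typing import Any, Iterable, List, Tuple

SENSITIVE_KEYS = frozenset({"note", "body", "password", "secret", "token"})
REDACTED = "[REDACTED]"
# Constructed key for the demo. In production it lives with the log shipper, not the
# application, so a leaked log cannot be brute-forced back to short note bodies.
CORRELATION_KEY = b"constructed-log-correlation-key"


def correlation_tag(value: str) -> str:
    """Keyed, truncated digest: tells two events apart, cannot be reversed without the key."""
    return hmac.new(CORRELATION_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]


def redact(event: Any, sensitive: Iterable[str] = SENSITIVE_KEYS) -> Any:
    """Recursively replace values under sensitive keys (case-insensitive) in dicts/lists/tuples."""
    keys = {k.lower() for k in sensitive}
    if isinstance(event, dict):
        return {k: (f"{REDACTED} ref={correlation_tag(str(v))}" if str(k).lower() in keys
                    else redact(v, keys))
                for k, v in event.items()}
    if isinstance(event, (list, tuple)):
        return type(event)(redact(v, keys) for v in event)
    return event


class RedactingFilter(logging.Filter):
    """Scrub structured messages and arguments before any handler sees the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, dict):
            record.msg = redact(record.msg)
        # logging stores a single mapping argument as a dict, positional args as a tuple
        if isinstance(record.args, (dict, tuple)):
            record.args = redact(record.args)
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines so the effect is checkable; a real sink is the log shipper."""

    def __init__(self, sink: List[str]) -> None:
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def build_logger(name: str) -> Tuple[logging.Logger, List[str]]:
    """Logger with the redacting filter attached at the logger, so every handler is covered."""
    sink: List[str] = []
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(RedactingFilter())
    handler = ListHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)
    return logger, sink


if __name__ == "__main__":
    log, lines = build_logger("secure_notes")
    # The bug shape from the incident: the whole note object logged before encryption.
    log.info({"event": "note.save", "user": "alice", "note": "bank PIN 4412"})
    log.info("saving note for %(user)s: %(note)s", {"user": "bob", "note": "recovery codes"})
    print("\n".join(lines))
```

Attaching the filter to the logger rather than to one handler matters: a second handler added later (a debug file, a new shipper) inherits the scrubbing instead of silently reopening the leak.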

Read More

98 personal data points that Facebook uses to target ads to you

August 24, 2016

Say you’re scrolling through your Facebook Newsfeed and you encounter an ad so eerily well-suited, it seems someone has possibly read your brain.
Maybe your mother’s birthday is coming up, and Facebook’s showing ads for her local florist. Or maybe you just made a joke aloud about wanting a Jeep, and Instagram’s promoting Chrysler dealerships.
Whatever the subject, you’ve seen ads like this. You’ve wondered — maybe worried — how they found their way to you.

Read More

Have you ever wondered whether your battery helps to spy on you?

August 16, 2016

Privacy risks and threats arise and surface even in seemingly innocuous mechanisms. We have seen it before, and we will see it again.

Recently, I participated in a study assessing the risk of W3C Battery Status API. The mechanism allows a web-site to read the battery level of a device (smartphone, laptop, etc.). One of the positive use cases may be, for example, stopping the execution of intensive operations if the battery is running low.

Our privacy analysis of Battery Status API revealed interesting results.

Read More

Don’t be surprised. WhatsApp doesn’t properly erase your deleted messages, researcher reveals

August 03, 2016

There were cheers a few months ago when WhatsApp announced that it was using end-to-end encryption for all messages by default, boosting the privacy and security of users.
But now respected iOS security researcher Jonathan Zdziarski claims to have found a worrying weakness in WhatsApp, that could open a door for intelligence agencies and other prying eyes to snoop upon your private conversations, even after they have been “deleted” from the app

Read More

Think your data is safe enough? Think again!

July 24, 2016

Detective introduces additional password bypass and physical support for most popular Samsung Android devices

Version 8.3.1 supports physical acquisition via custom forensic recovery method for new Samsung Galaxy devices, like Galaxy Note 4 CDMA Verizon (SM-N910V), Samsung Galaxy Note 5 Sprint (SM-N920P), etc

New in Oxygen Forensic® Detective v.8.3.1:

Oxygen Forensic® Maps. Added “Show all” button that zooms a map to show all the geo points.
Oxygen Forensic® Maps. Added the ability to calculate several distances on the same map using Ctrl + click shortcut.
File Browser. Added time stamps extraction for thumbnails from Android OS devices.
Web Connections. Added extraction of information about Wi-Fi points from Windows Phone 8 devices.
Applications. Messengers. Added data extraction and parsing from the latest WhatsApp (2.16.1) for Apple iOS devices. All user information is available for analysis, including automatically encrypted messages.
Applications. Messengers. Added data parsing from Skype (6.15.0.1162) from Blackberry 10 devices.
Applications. Business. Added data parsing from Yandex.Money (4.4.1) from iOS devices.
Applications. Messengers. Updated data parsing from Telegram (3.7.0) from Android OS devices.
Applications. Messengers. Updated data parsing from Viber (5.8.1) from iOS devices.
Applications. Social Networks. Updated data parsing from LinkedIn (9.0.9) from iOS devices.
Applications. Social Networks. Updated data parsing from Instagram (7.19.0) from Android OS devices.
Applications. Business. Updated data parsing from C-mail (5.00.14) from Android OS devices.
Added support for Apple iOS 9.3.1.

Read More

Privacy Alert to help you avoid installing untrusted apps

June 19, 2016

These days, there literally is an app for everything. Whether you want to spend hours playing games, watch a person on the other side of the world stream a local sports game, or organize every aspect of your life down to the minutiae.
The downside to this incredible level of choice is that some apps out there disguise themselves as your friend, when in fact they just want to harm you. Google’s Play Store has frequently received criticism for its less-than-robust approach to filtering unsafe content, and if you’re not careful, you could find yourself being tracked, hacked, or conned.
With that in mind, we take a look at ten seemingly-innocent popular apps you shouldn’t install under any circumstances

Read More

The life of a social engineer: Hacking the human

May 20, 2016

A clean-cut guy with rimmed glasses and a warm smile, Jayson E. Street looks nothing like the stereotypical hacker regularly portrayed in movies (i.e. pale, grim and antisocial). But he is one – he just “hacks” humans. Street is a master of deception: a social engineer, specializing in security awareness and physical compromise engagements. He’s outspoken, friendly, always wearing a smile, and besides working in the field, he’s also the InfoSec Ranger at Pwnie Express, and is well-known for his books and conference talks around the world

Read More

Symantec. Internet Security Threat Report. Vol. 21. April, 201

May 19, 2016

Symantec has established one of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 63.8 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services, such as Symantec DeepSight™ Intelligence, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources

Read More

Killed by Proxy: Analyzing Client-end TLS Interception Software

May 17, 2016

To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the middle of the host’s communications. We set out to analyze such proxies as there are known problems in other (more mature) TLS processing engines, such as browsers and common TLS libraries. Compared to regular proxies, client-end TLS proxies impose several unique constraints, and must be analyzed for additional attack vectors; e.g., proxies may trust their own root certificates for externally-delivered content and rely on a custom trusted CA store (bypassing OS/browser stores). Covering existing and new attack vectors, we design an integrated framework to analyze such client-end TLS proxies. Using the framework, we perform a thorough analysis of eight antivirus and four parental-control applications for Windows that act as TLS proxies, along with two additional products that only import a root certificate. Our systematic analysis uncovered that several of these tools severely affect TLS security on their host machines. In particular, we found that four products are vulnerable to full server impersonation under an active man-in-the-middle (MITM) attack out-of-the-box, and two more if TLS filtering is enabled. Several of these tools also mislead browsers into believing that a TLS connection is more secure than it actually is, by e.g., artificially upgrading a server’s TLS version at the client. Our work is intended to highlight new risks introduced by TLS interception tools, which are possibly used by millions of users.
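Both this paper and the Kazakhstan post earlier on this page describe the same mechanism: a root certificate added to the client’s trust store, by a carrier-distributed government root or by an antivirus TLS proxy, lets a middlebox impersonate any HTTPS server. The Python below is an added example, not from either source. It works on the dict format that Python’s `ssl.SSLContext.get_ca_certs()` returns, flags roots whose name matches a watch list, and diffs the live store against a saved baseline so an injected root shows up even when its name looks harmless. The watch-list strings and the two sample root entries are constructed for the demo.

```python
"""Audit the TLS trust store for injected root certificates (added example).

Works on the dicts ssl.SSLContext.get_ca_certs() returns; flags watch-listed
names and anything not present in an approved baseline snapshot.
"""
import json
import ssl
from typing import Iterable, List, Tuple

# Constructed watch list: name fragments of roots you never want as trust anchors.
WATCH_LIST = ("qaznet", "kazakhstan", "interception", "parental control", "antivirus")

RdnName = Tuple[Tuple[Tuple[str, str], ...], ...]


def name_to_str(name: RdnName) -> str:
    """Flatten the RDN tuple-of-tuples used by get_ca_certs() into 'C=..., O=..., CN=...'."""
    short = {"commonName": "CN", "organizationName": "O", "countryName": "C",
             "organizationalUnitName": "OU"}
    parts = []
    for rdn in name:
        for key, value in rdn:
            parts.append(f"{short.get(key, key)}={value}")
    return ", ".join(parts)


def cert_id(cert: dict) -> str:
    """Subject plus serial, so two roots that share a name are still told apart."""
    return f"{name_to_str(cert['subject'])} | serial={cert.get('serialNumber', '?')}"


def watch_list_hits(ca_certs: Iterable[dict], watch_list: Iterable[str] = WATCH_LIST) -> List[str]:
    """Roots whose subject or issuer contains a watched string (case-insensitive)."""
    hits = []
    for cert in ca_certs:
        text = (name_to_str(cert["subject"]) + " " + name_to_str(cert["issuer"])).lower()
        if any(w in text for w in watch_list):
            hits.append(cert_id(cert))
    return hits


def added_since_baseline(baseline_ids: Iterable[str], ca_certs: Iterable[dict]) -> List[str]:
    """Roots trusted now that were not in the approved snapshot: the catch-all check."""
    known = set(baseline_ids)
    return sorted(cert_id(c) for c in ca_certs if cert_id(c) not in known)


def snapshot(ca_certs: Iterable[dict]) -> str:
    """Serialise the current store as a baseline to keep next to the golden image."""
    return json.dumps(sorted(cert_id(c) for c in ca_certs), indent=1)


def live_store() -> List[dict]:
    """The roots the default TLS context on this host actually trusts."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    store = live_store()
    print(f"{len(store)} trusted roots loaded from the default context")
    for hit in watch_list_hits(store):
        print("WATCH-LIST HIT:", hit)
    # First run on a known-good machine: save snapshot(store) and compare later with
    # added_since_baseline(json.loads(saved), live_store()).
```

The baseline diff is the check worth automating: a watch list only catches names you anticipated, while a diff catches the root an endpoint product or a carrier installer dropped in last week. Note that `get_ca_certs()` reflects what Python loaded, which follows the OS store on Windows and the system bundle on most Linux builds; browsers with their own store (Firefox) need a separate check.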

Read More

Top 15 Android Hacking Apps and Tools of 2016

May 10, 2016

Android smartphones can run penetration testing and security tests using hacking Android apps. With the help of a few applications and basic knowledge of the true capabilities of your Android smartphone, you, too, could dig into the world of hacking.
So, here we are sharing a list of 15 Android hacking tools and apps that will turn your Android smartphone into a hacking machine.

Read More

Payment Card Industry Security Standards Council Releases PCI Data Security Standard

May 09, 2016

WAKEFIELD, Mass., 28 April 2016 — Today the PCI Security Standards Council (PCI SSC) published a new version of its data security standard, which businesses around the world use to safeguard payment data before, during and after a purchase is made. PCI Data Security Standard (PCI DSS) version 3.2 replaces version 3.1 to address growing threats to customer payment information. Companies that accept, process or receive payments should adopt it as soon as possible to prevent, detect and respond to cyberattacks that can lead to breaches. Version 3.1 will expire on 31 October 2016.

The update to the standard is part of the regular process for ensuring the PCI DSS addresses current challenges and threats. This process factors in industry feedback from the PCI Council’s more than 700 global Participating Organizations, as well as data breach report findings and changes in payment acceptance.

Read More

Have Software Developers Given Up? Sorry, You’re among them!

May 09, 2016

Have you ever wondered how you failed? Is it only about security, or about UI too? Stop guessing: we would like to share with you an awesome collection of software failures from a software developer. Here is his quote:

Over the last few years it feels like the quality of software and services across the industry is falling rather than climbing. Everything is always beta (both in name and quality). Things are shipped when marketing wants them to rather than when they’re ready because “we can easily patch them”. End users have basically become testers, but it’s ok, because this is Agile. We’ve started coding to expect failure and somehow with it decided that failure is normal and expected and we don’t need to put so much effort into avoiding it. Supporting millions of customers is complicated so we don’t bother. Why waste time reading bug reports from users when you can just send them into an endless maze of help links with no contact information?
I never used to be this grumpy. The last few years I’ve seen so many ridiculous errors in software and on websites that I just can’t help but feel a little embarrassed about what we (as software devs) are unleashing on the world. I know we’re a young, inexperienced industry and that there aren’t enough skilled devs to go around but lately it feels like we’re really not even trying.
Here’s a collection of some screenshots I’ve taken just in the last month showing what I mean. Is it just me? Am I really unlucky? Or does this happen to everyone and it’s just me that likes to put effort into being vocal and annoyed by it?

Read More

Your Android app as a crime scene! Aren’t yours?

May 09, 2016

Awesome post from another team who cares about application performance, security, privacy, etc.

We will quote the parts related to security & privacy:

Version Control System:
-Do you have a properly configured *ignore file so IDE metadata files and other extraneous elements are not under version control?
-Are third party libraries versioned in the repository rather than configured as an external dependency?

Build Tools:
-Are you using libraries your project does not need?
-Are the external dependencies up to date?
-Are you respecting every third party library license?
-Is the project using any deprecated or abandoned/unmaintained third party library?
-Are the keystore credentials and Google Play Store credentials stored in a secure place?
-Is the application keystore and the credential stored in a secure place?

Permissions Usage:
Asking for the right permissions builds trust among your users and can help your app to walk the extra mile and seamlessly integrate with other services to deliver a delightful experience to your users.
-Are all the requested permissions really needed?
-Is there any permission used maliciously?
-Is there any permission missing?
-Is the target SDK used greater than 23 and the “dangerous permissions” requested using the compatibility permissions system?
-Are the permissions requested when they are going to be used?
-Is there any feedback shown to the user explaining why the permission is needed?

Security Issues:
As developers we need to be conscious about our app security, we don’t want our user’s data to be leaked or their sessions stolen
-Is the HTTP client configured to use HTTPS?
-Is the HTTP client configured to use certificate pinning and message authentication with HMAC?
-Is the application persisting user sensitive information? Where?
-Is the application persisting information out of the internal storage system?
-Is the application logging traces when running a release build?
-Is the application code obfuscated?
-Is the application exposing any Android content provider, receiver or service to other applications?
-Is the application “debuggable” value disabled in the release build?

Performance:
Performance is critical. Nobody wants to use a crappy, sluggish app on their $400-600 device. Performance is $.
-Does the application have any memory leak?

Storage Implementation:
-Where is the information stored?
-Are you reading/writing data from/in the storage using transactions?
-Is the storage saving user sensitive information securely?
-Is the storage layer using any third party libraries?
-Is the storage layer leaking implementation details?
-Are the storage tables/schemas properly modeled?
-Are the queries sent to the storage optimized?
-Are the Android SDK persistence APIs used to store the data in the correct place? Data to the database, preferences or small data to the Shared Preferences and files into disk?

Below you will find a link to the full article written by Pedro Vicente Gómez Sánchez.
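Three of the Security Issues questions above can be answered statically from the manifest: is the release build debuggable, are content providers, receivers or services exposed to other applications without a permission, and is plaintext HTTP allowed. The Python below is an added example and not Pedro Vicente Gómez Sánchez’s code; it parses an AndroidManifest.xml with the standard library and reports each failing item. The sample manifest, package name and component names are constructed for the demo and deliberately fail every check except the permission-guarded service.

```python
"""Static manifest audit for the checklist's Security Issues items (added example)."""
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """ElementTree spells the android: prefix as the full namespace in braces."""
    return f"{{{ANDROID_NS}}}{name}"


# Constructed manifest for the demo: debuggable, cleartext allowed, an exported
# provider with no permission, a receiver exported implicitly via its intent-filter,
# and one service that is exported but guarded by a permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"
              android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".UploadService" android:exported="true"
             android:permission="com.example.demo.UPLOAD"/>
  </application>
</manifest>
"""


def is_exported(component: ET.Element) -> bool:
    """Android's rule: an explicit android:exported wins; otherwise a component that
    declares an intent-filter is exported by default. (Providers on targetSdk < 17 also
    defaulted to exported; that legacy case is not modelled here.)"""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text: str) -> List[str]:
    """One finding per failing checklist item; an empty list means the manifest is clean."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    findings: List[str] = []
    if app.get(android_attr("debuggable"), "false").lower() == "true":
        findings.append('application is debuggable: drop android:debuggable="true" from release builds')
    if app.get(android_attr("usesCleartextTraffic"), "").lower() == "true":
        findings.append('usesCleartextTraffic="true": the HTTP client may fall back to plaintext')
    for tag in ("provider", "receiver", "service"):
        for comp in app.findall(tag):
            name = comp.get(android_attr("name"), "?")
            if is_exported(comp) and comp.get(android_attr("permission")) is None:
                findings.append(f"{tag} {name} is exported to other apps without an android:permission guard")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```

Run it against the merged manifest from the release build (`build/intermediates/merged_manifests/...`), not the one in source control, because Gradle and library manifests can add components and flags the source file never mentions.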

Read More

One step closer to understand what applications do (Mobile Security Framework)

May 09, 2016

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API Security testing with its API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

Read More

Dark Web. What can you find here?

May 04, 2016

Hold Security is reporting that one of its researchers discovered, and then acquired, a mega-size load of 272 million stolen email credentials from a hacker.
The security research firm said the batch came from a “Russian kid” that one of its analysts found who had gathered 1.17 billion stolen credentials, from Google, AOL, Yahoo and Mail.ru, from various places on the dark web. When Hold’s team boiled this list down, comparing the newly acquired data to data already in its possession, it found 272 million of the email credentials were unique with 42.5 million having never been disclosed. The remainder were already known to be compromised.
In spite of the huge volume of records that were found, the price paid to the hacker by Hold Security is even more amazing.
Nothing.
The original asking price was 50 Rubles, less than $1, but Hold bargained the hacker down.

Read More

An insider’s look at iOS security

April 24, 2016

Apple’s battle with the FBI portrays them as a security hero going to great lengths to protect user privacy, but our beloved iPhones may not be as secure as many believe.

Read More

Hackers can spy on your calls and track location, using just your phone number

April 19, 2016

The global telecom network SS7 is still vulnerable to several security flaws that could let hackers and spy agencies listen to personal phone calls and intercept SMSes on a potentially massive scale, despite the most advanced encryption used by cellular networks.

All one needs is the target’s phone number to track him/her anywhere on the planet and even eavesdrop on the conversations.

SS7 or Signalling System Number 7 is a telephony signaling protocol used by more than 800 telecommunication operators around the world to exchange information with one another, cross-carrier billing, enabling roaming, and other features.

Read More

The Location Data From Just Two Of Your Apps Is Enough To Identify You

April 19, 2016

A new report from researchers at Columbia University and Google has found that geotagged posts on just two social media apps are enough to draw a line back to a specific user.
Their findings show that digital traces, or metadata, left in the apps by most people are so distinctive that most people could be identified from just a few data points within a single data set. Leaving on geotagging, which many people do to provide locations on Instagram photos and tweets, was just one example of the trail left behind that could be used to connect that anonymous Bieber fan Twitter account to your personal LinkedIn account.
“For example, on LinkedIn you are likely to use your real name … but maybe you are also using Tinder or some or other application which you would not want linked back to your real name,” said Chaintreau. “Using the data in what you have posted, those accounts could be linked, even if in one of them — say Tinder— you believed you were operating in ghost mode.”

Read More

The equivalent of about $20, or the cost of a large pizza, is the amount of cash

April 19, 2016

The equivalent of about $20, or the cost of a large pizza, is the amount of cash British kids would accept in exchange for handing over their personal information, a study has found.
IT solutions and managed service firm Logicalis found kids (aged 13-17) were “instinctively digital” and that they fully comprehended the value of their personal information. Not only were the young scoundrels completely au fait with how much their personally identifiable information (PII) was worth, they were quite happy to sell it—if it meant they didn’t have to work.

Read More

NowSecure has published mobile security reports

April 18, 2016

NowSecure has published a mobile security report. Here is a quote:

A clear view of the state of mobile security
IT and security pros can use this report to make informed decisions about managing and securing mobile devices, mobile apps, and their enterprises’ mobile ecosystem.
Our research uncovered a number of eye-opening mobile security statistics including:

* 24.7 percent of mobile apps include at least one high-risk security flaw
* The average device connects to 160 unique IP addresses every day
* 35 percent of communications sent by mobile devices are unencrypted
* Business apps are three times more likely to leak login credentials than the average app
* Games are one-and-a-half times more likely to include a high risk vulnerability than the average app

Read More

Do you ever think about how much time developers need to fix a vulnerability?

April 18, 2016

It takes almost 1 year to fix a simple vulnerability. Check the timeline for the Panda SM iOS App!

Timeline

July 19, 2015 – Notified Panda Security via security () pandasecurity com, e-mail bounced
July 20, 2015 – Resent vulnerability report to corporatesupport () us pandasecurity com & security () us pandasecurity com
July 20, 2015 – Panda Security responded stating they will investigate
July 31, 2015 – Asked for an update on their investigation
August 3, 2015 – Panda Security responded stating that the issue has been escalated and is still being reviewed
August 14, 2015 – Asked for an update on their investigation
October 16, 2015 – Asked for an update on their investigation
March 1, 2016 – Panda Security released version 2.6.0 which resolves this vulnerability

Read More

GSMA outlines thoroughly sensible IoT security rules

February 15, 2016

The set of guideline documents promotes a methodology for developing secure IoT services to ensure security best practices are implemented throughout the life cycle of the service. The documents provide recommendations on how to mitigate common security threats and weaknesses within IoT services.

The scope the document set is limited to recommendations pertaining to the design and implementation of IoT services and network elements. This document set is not intended to drive the creation of new IoT specifications or standards, but will refer to currently available solutions, standards and best practice.

Download all files here

Read More

Every developer rushes to ignore the data protection / Interview with DefCamp speaker

February 05, 2016

Data Protection is nowadays a hot topic in any industry, whether we are talking about private companies or governmental institutions. This is why we asked Yury Chemerkin, speaker at DefCamp in 2015 and 2014, to tell us a bit more about how companies and individuals are working on this threat.

Read More

A few words about importance of including mobile devices into pentesting program plan

February 02, 2016

Do you think you can build your security in alignment with best practices while excluding critical points in your infrastructure? Get the unexpected truth from a great speaker, Georgia Weidman (M.S. in Computer Science), who is a penetration tester, security researcher, and trainer. Her work in the field of smartphone exploitation has been featured in print and on television internationally.

Integrating Mobile Devices into Your Penetration Testing Program
Though still an imperfect science in many ways, penetration testing is often our only way of assessing the effectiveness of our security programs against actual attackers. As mobile devices enter the enterprise en masse, much focus has been on securing them and limiting the risk of BYOD using EMM, MDM, MIM, pick your favorite security control acronym. While many shops are engaging in code review, static analysis, pentesting, etc. against custom mobile applications built in house, even enterprises with mature security programs are often ignoring mobile devices and the surrounding infrastructure in their security testing. It seems like common sense to provide adequate security testing for all devices on corporate networks, particularly when spending large chunks of budget on security controls around BYOD. If we have DoS protection, we put it in front of staging and hit it with DoS attacks. If it falls down, the control is not providing return on investment. If we have a patch management practice, we make sure there are no missing patches leading to compromise during our penetration tests, and if there are, we augment our security program accordingly. We need to be doing the same around mobile. How secure are these devices really against attack? If they are compromised, what data on the device is in jeopardy? What other assets in the enterprise are now at risk of attack from the compromised mobile device? By using traditional penetration testing techniques augmented for the unique attack vectors of mobile devices, we can assess these risks and get a clear picture of the risk of BYOD in the environment. In this workshop we will discuss techniques along with live demonstration scenarios of penetration tests on mobile devices and the surrounding infrastructure. From mobile phishing to undermining security controls to using compromised mobile devices as pivot points, the mobile risk is real and we need to be simulating it in our security testing.
We will discuss how these techniques can augment and extend penetration testing and how they can be seamlessly integrated into your existing security program.

Read More

Untrusted mobile applications. Will you uninstall your ‘leakageable’ apps?

February 01, 2016

Pretty interesting research results on data security & privacy

Untrusted Mobile Applications. State of Art of Security App-Apocalypse
Security and privacy of mobile applications have been under fire since 2010. Native and 3rd-party apps like Gmail or Instagram have had various data protection problems. You could find credentials or sensitive information in plaintext, in logs, everywhere. There were many disclosures about it in 2014, diving into transport security, stored data, log leakages and encryption failures. On the other side, the mobile market has been growing very fast. Mobile apps go everywhere and are carried everywhere. Software development pays little attention to the security that is needed. Some methodologies prevent vulnerabilities and known security failures during the compilation process. Most of the secure coding guides are implemented wrong, even when they are written by Apple or Google. Both factors (insecurity and a growing market) lead us to an App-Apocalypse. Do we really have a solution? Having a good understanding of the security mechanisms of the mobile environment (including the application) can help us keep our devices better protected. Only findings made in apps by security-trained experts are a way to decrease the level of untrustworthiness.
However, the security life cycle looks like “we’ve done it once, let’s stop here”. But we can’t really stop anywhere. New apps are being released, new updates are coming. We really have to talk about a community-based knowledge database on data insecurity. That is the first step. If you are familiar with the NVD or CVE databases, you know they contain almost nothing about the data protection of mobile apps. We found only a few records there. That absolutely doesn’t mean the databases are bad; these databases solve another problem by design, and have since they appeared. The second step is a way to keep users informed about insecure use cases. In fact, it’s about secure mobile awareness. If you take your device to a public place, you should know which application fails to protect your data and what data may be leaked from your device. There are many cases when you would prefer to wipe your app data before doing something, but you don’t know which application you have to apply the ‘wiping’ to. Moreover, corporate mobile users have another way to control their data, by implementing EMM solutions. Does it solve the problem? No, it doesn’t, because to control the data, they have to know exactly what data is out of protection. However, they do have an opportunity to protect it by sandboxing app data at rest and tunnelling data in transit through a VPN at the application level. It’s a quick way to bypass the real problem, and it works at the moment. What should non-corporate users do, and is there any solution for them? There are no solutions; even AV (antivirus) solutions can’t help, because their goal is to prevent malware from spreading. This presentation is going to present new results on mobile app insecurity and a way to solve the current problem for the general public.

Read More

Each day like Holiday or Cybercrime (by TrendMicro)

December 01, 2015

Data breaches are daily news items. Reports of data breaches in Government, Hospitals, Universities, Financial Institutions, Retailers, etc. A wide range of sensitive data is compromised across all industries from businesses both big and small, and also from individuals. These include: Personally Identifiable Information (PII), Financial data, Health data, Education data, Payment Card data, Login Credentials, Intellectual Property, etc. In this talk we present statistical analysis of publicly disclosed data breach incident reports. We look at the different types of crimes commonly committed using stolen sensitive data. We survey criminal marketplaces hosted in the Deep Web to profile the different types of sensitive data available for purchase and their asking prices. Finally we outline defensive methods businesses and individuals can practice to prevent becoming victims of data breach crimes.

Read More

Practicing in reversing apps and want to know how to avoid jailbreak protection?

October 23, 2015

The app refuses to run on jailbroken devices. I press a button. What happens now? I have patched one instance of jb detection but it is run again elsewhere. How can we find all of them? Where does the app use this method of this object?

Semi-automated mapping of iOS binaries

Since his childhood Zsombor Kovács’s favourite hobby has always been to take things apart and put them together again if luck was on his side, so as a penetration tester he has found the job of his dreams. He has worked on all kinds of projects, from breaking into wi-fi networks through protocol analysis and social engineering to testing web applications. He prefers physical penetration testing, which makes him visit places where he shouldn’t be.

Read More

1Password to change file formats after key file found to contain unencrypted data

October 20, 2015

1Password makers AgileBits have promised to change one of the default file formats in the software in response to a blog post by Microsoft engineer Dale Myers, who revealed that an AgileKeychain file was displaying unencrypted metadata. In its defence, AgileBits insisted that AgileKeychain was still secure, and noted that the format dates back to 2008 when the company was concerned about speed and battery drain problems caused by encryption. It introduced a secure format called OPVault in December 2012 but chose not to automatically migrate everyone since the switch might cause compatibility problems with older versions of 1Password.

Read More

Unexpected truth. Viber Team classified the user passwords as personal data obliged to be stored on servers

October 19, 2015

“In Russia, phone numbers, logins and passwords of users will be kept. We do not store messages; they are on the users’ devices,” a Moscow representative of the company Viber said. According to the company’s lawyers, messengers also fall under the law which requires storing personal data of Russians on servers located on the territory of the country.

If the original link doesn’t work, use this one

Read More

Camera360. ANOTHER POPULAR ANDROID APPLICATION, ANOTHER LEAK

October 15, 2015

FireEye researchers discovered SSL vulnerabilities in the widely used Camera360 app and many other popular applications. These vulnerabilities were exploitable by Man-in-the-Middle (MITM) attacks and posed a serious threat to user privacy.

UPDATE 9/15/15: FireEye worked closely with the Camera360 team to address the personal information leaks that are described in this blog. The Camera360 team responded quickly and worked diligently to address the issues. In particular, their latest release of the Camera360 app, version 7.0, no longer leaks the password hash and email address to logcat. Camera360 has informed us that they will perform a comprehensive check on all http portals and apply dynamic token refresh in October 2015. For the leaks affecting users of Camera360 v6.2.3 and earlier versions, code in previous versions cannot be modified now, so Camera360 is encouraging their users to update to avoid any possible hidden threats.
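The logcat leak described above (a password hash and an email address written to the shared Android log, where any app with log access on older Android versions, or anyone with a USB debugging cable, can read them) is the kind of defect a pre-release check or a mobile pentest can catch mechanically. The following is an added example, not FireEye's or Camera360's code: a small Python scanner that parses logcat "threadtime" output and flags lines carrying email addresses, hex digests (MD5/SHA-1/SHA-256 lengths), plain-http URLs, or `password=`/`token=`-style key-value pairs. The log lines, the `PhotoApp` tag and every value in them are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample logcat output in "threadtime" format (adb logcat -v threadtime).
# The tag "PhotoApp", the pids and every value are made up for this example.
SAMPLE_LOGCAT = """\
10-15 09:12:01.123  4242  4242 D PhotoApp: login ok user=alice@example.com
10-15 09:12:01.130  4242  4242 D PhotoApp: pwd_md5=5f4dcc3b5aa765d61d8327deb882cf99
10-15 09:12:02.001  1001  1001 I ActivityManager: Displayed com.example.photo/.MainActivity: +312ms
10-15 09:12:03.450  4242  4260 V PhotoApp: GET http://api.example.invalid/sync?token=abc123
10-15 09:12:04.000  4242  4242 D PhotoApp: cache warm, 12 items
"""

# One threadtime line: MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)

# Detectors for data that should never reach a shared log. Order matters only for output.
DETECTORS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # 64/40/32 hex chars = SHA-256 / SHA-1 / MD5 digests (a hashed password is still a secret)
    "hex_digest": re.compile(
        r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{64}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{32})(?![0-9A-Fa-f])"
    ),
    # cleartext endpoints hint at the MITM exposure the article describes
    "plain_http": re.compile(r"\bhttp://\S+"),
    "secret_kv": re.compile(r"\b(?:pass(?:word|wd)?|pwd|token|secret)\w*\s*=\s*\S+", re.I),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    pid: int
    tag: str
    kind: str
    masked: str  # redacted value, so the report itself does not re-leak the data


def mask(value: str) -> str:
    """Keep just enough of the value to recognise it in the report."""
    return value if len(value) <= 6 else value[:3] + "..." + value[-2:]


def parse_logcat(text: str) -> List[dict]:
    """Parse threadtime lines; lines that do not match (e.g. '--------- beginning of main') are skipped."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOGCAT_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["line_no"] = line_no
            entry["pid"] = int(entry["pid"])
            entries.append(entry)
    return entries


def scan_logcat(text: str, pid: Optional[int] = None) -> List[Finding]:
    """Return one Finding per (line, detector) hit, optionally limited to the app's pid."""
    findings = []
    for entry in parse_logcat(text):
        if pid is not None and entry["pid"] != pid:
            continue
        for kind, rx in DETECTORS.items():
            m = rx.search(entry["msg"])
            if m:
                findings.append(Finding(entry["line_no"], entry["pid"], entry["tag"], kind, mask(m.group(0))))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per log tag, how many hits of each kind: the tags to hand back to the developers."""
    per_tag: Dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        per_tag[f.tag][f.kind] += 1
    return {tag: dict(c) for tag, c in per_tag.items()}


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f.line_no} pid {f.pid} [{f.tag}] {f.kind}: {f.masked}")
    print(summarize(scan_logcat(SAMPLE_LOGCAT)))
```

In a real check you would feed it `adb logcat -v threadtime -d` captured while driving the app through login and sync, and pass the app's pid so that system tags do not drown out the result. The masking is deliberate: a test report that quotes the leaked hash in full is itself one more copy of the secret.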

Read More

Have you ever wondered whether privacy issues lead to uninstalling mobile apps?

October 15, 2015

After initially downloading an app, we tend to dive right into its features and decide whether or not it’s worth the storage space on our mobile devices or tablets. According to an infographic created by International Translation Resources (ITR) on the reasons why consumers uninstall their mobile applications, users named ‘privacy concerns’ as the third reason for deleting apps.

Read More

Still believe in protection and trust developers? Think again!

June 01, 2015

We have lost the war for secure software; hackers won, because code contains vulnerabilities anyway — the current state of software production is such, the quality of developers is such. Let’s face it: general devs will never care about security. QA methodologies and EH robots may change the landscape of AppSec someday. Until then, let’s focus on those few developer brigades who are disposed to improve. Secure coding trainings are essential and should be used in conjunction with vulnerability audits and coaching. Only findings in software made by such trained brigades can satisfy a real EH professional. And please LOL at those clients who still believe they cannot afford preventive AppSec.

Read More

Researchers find data leaks in Instagram, Grindr, OoVoo and more

September 08, 2014

Private messaging isn’t so private, say University of New Haven researchers who found Android apps transmitting and storing unencrypted images, chats, screenshots and even passwords. By sniffing out the details of network communications, University of New Haven researchers have uncovered a host of data leakage problems in Instagram, Vine, Nimbuzz, OoVoo, Voxer and several other Android apps.

Read More