Information Security News
To stoke maximum fear, Android-Trojan.Koler.A uses geolocation functions to tailor the warnings to whatever country a victim happens to reside in. The FBI-themed notice, for instance, is what infected phones display when connecting from a US-based IP address; people in Romania and other countries will see slightly different warnings. The malware prevents users from accessing the home screen of their phones, making it impossible to use most other apps installed on the phone. In some cases the normal phone functions can be restored only when the user pays a "fine" of about $300, using untraceable payment mechanisms such as Paysafecard or uKash.
The discovery of Koler.A comes 18 months after researchers from Symantec found that so-called ransomware extorts an estimated $5 million a year from users of traditional PCs. Ransomware refers to malware that disables computers and demands that cash payments be made to purported law-enforcement agencies before the machines are restored. More recently, ransomware scammers upped their game by building strong cryptography into malware, known as Cryptolocker, that holds entire hard drives hostage until end users pay a Bitcoin ransom of $300.
David Helkowski stood waiting outside a restaurant in Towson, Maryland, fresh from a visit to the unemployment office. Recently let go from his computer consulting job after engaging in some “freelance hacking” of a client’s network, Helkowski was still insistent on one point: his hack, designed to draw attention to security flaws, had been a noble act.
The FBI had a slightly different take on what happened, raiding Helkowski’s home and seizing his gear. Helkowski described the event on reddit in a thread he titled, “IamA Hacker who was Raided by the FBI and Secret Service AMAA!” Recently Ars sat down with him, hoping to get a better understanding of how this whitehat entered a world of gray. Helkowski was willing to tell practically everything—even in the middle of an ongoing investigation.
Until recently, Helkowski worked for The Canton Group, a Baltimore-based computer consulting firm serving, among other clients, the University of Maryland. Helkowski’s job title at The Canton Group was “team lead of open source solutions,” but he began to shift his concerns toward security after identifying problems on a University of Maryland server.
Dropbox has disabled access to previously created shared links to certain kinds of documents after the discovery that some users' sensitive files—including tax returns and bank records—were exposed through Google AdWords campaigns.
The flaw, which is reportedly also present on Box, impacts shared files that contain hyperlinks. "Dropbox users can share links to any file or folder in their Dropbox," the company noted yesterday while confirming the vulnerability:
Files shared via links are only accessible to people who have the link. However, shared links to documents can be inadvertently disclosed to unintended recipients in the following scenario:
- A Dropbox user shares a link to a document that contains a hyperlink to a third-party website.
- The user, or an authorized recipient of the link, clicks on a hyperlink in the document.
- At that point, the referrer header discloses the original shared link to the third-party website.
- Someone with access to that header, such as the webmaster of the third-party website, could then access the link to the shared document.
Dropbox said it's not aware of this vulnerability being exploited.
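From the third-party webmaster's side, the disclosure above shows up as share links in the Referer field of the access log. The following added example (not from Dropbox or the article) scans constructed Apache combined-format log lines for referers that look like Dropbox or Box share links and redacts the secret path, so the log can be retained without keeping the links themselves. The share-link path shapes (`/s/`, `/sh/`) are assumptions, not taken from the article.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/May/2014:10:01:02 +0000] "GET /pricing HTTP/1.1" 200 512 "https://www.dropbox.com/s/abc123xyz/tax-return-2013.pdf" "Mozilla/5.0"
203.0.113.8 - - [06/May/2014:10:01:05 +0000] "GET /pricing HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0"
203.0.113.9 - - [06/May/2014:10:02:17 +0000] "GET /docs HTTP/1.1" 200 873 "https://app.box.com/s/q8r7t6y5u4/bank-statement.docx" "Mozilla/5.0"
203.0.113.10 - - [06/May/2014:10:03:40 +0000] "GET /docs HTTP/1.1" 200 873 "-" "Mozilla/5.0"
"""

# Assumed share-link shapes for the two services named in the article:
# host suffix -> path prefixes that denote a share link. These are assumptions.
SHARE_LINK_PATTERNS = {
    "dropbox.com": ("/s/", "/sh/"),
    "box.com": ("/s/",),
}

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_shared_link(url):
    """True if url looks like a cloud-storage share link per SHARE_LINK_PATTERNS."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for suffix, prefixes in SHARE_LINK_PATTERNS.items():
        if host == suffix or host.endswith("." + suffix):
            return any(parts.path.startswith(p) for p in prefixes)
    return False

def redact(url):
    """Keep scheme and host, drop the secret path so the log can be kept safely."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}/[redacted-share-link]"

def find_leaked_share_links(log_text):
    """Return (client_ip, redacted_referer) for each log line that arrived via a share link."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        referer = m.group("referer")
        if referer != "-" and is_shared_link(referer):
            findings.append((m.group("ip"), redact(referer)))
    return findings

if __name__ == "__main__":
    for ip, ref in find_leaked_share_links(SAMPLE_LOG):
        print(f"{ip} arrived via a leaked share link: {ref}")
```

The same scan can be pointed at a real access log to decide whether Referer values need to be stripped before the log is shared or archived.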
10 tips to attract women to infosec jobs
“It fosters women of all backgrounds, in all functional organizations – not just infosec or IT – helping them move forward in terms of management at BAE,” said Jo Cangianelli, vice president of business development for BAE Systems' intelligence and ...
As we all know, web standards only leave "draft" status once they start becoming irrelevant. It is a constant challenge to keep up with how web browsers interpret standards and how the standards themselves keep changing. We are just going through one of the perpetual updates for our "Defending Web Applications" class, and I was reminded again of some of the changes we had to make over the last year or so.
This weekend we had yet another post about people picking bad passwords. The only real way around this problem is a password manager. For a long time, browsers have included features to let you save passwords. Historically, though, these features were not well liked because they tended to protect the stored password inadequately, so sites routinely set autocomplete=off on login forms to suppress them. But with the number of leaked passwords going up and up, and browser makers feeling more confident about their built-in password safe features, some browsers have started to ignore this setting. For example, recent versions of Chrome and Safari will offer to save your password whether or not the "autocomplete=off" attribute is set.
BTW: You may still need to keep your autocomplete=off attribute in your forms to pass the PCI audit. After all, in this case you are not defending against hackers but against auditors, and the attribute still works great to fend off auditor questions.
In the end, this means it is up to the user to decide whether to enable or disable this feature, and which password safe to use. Personally I don't think you can do without a password safe. But some people still think they can remember > 100 random passwords/passphrases. (I am having a hard time with one or two.)
Nobody ever really used the Cookie2 header. It was supposed to address privacy concerns people had with regular cookies. Cookies set via the Cookie2 header are essentially session cookies: they cannot be set "cross domain" and they expire as soon as you close the browser. But that was back in the day when people still considered privacy something attainable. RFC 6265 officially obsoleted Cookie2 back in 2011. I guess nobody noticed (me neither) because nobody uses it.
Another "good old days" feature of many browsers was the URL bar. They are slowly disappearing. The simple reason is that most users (no... you are not "most users", as you are reading this post) have no idea what a URL is or how to decipher it. It all started with mobile browsers, which pushed the URL off the screen as soon as possible to save the few megapixels it would take to render the URL bar. I think it was Internet Explorer 8 where I first noticed that the URL bar got squished into a corner in order to provide more space for the search bar. Google is now trying to make this change more official by only showing the hostname, not the full URL, in recent beta releases of Chrome. The idea here is that the hostname is what matters and the other parts of the URL are usually just used by phishers to confuse the user as to the actual location of the page.
Anything I missed? Not looking for brand new features like HTTP/2.0 but for old features that no longer work in new browsers and are somewhat security related. I may add a couple more items to this post or as a comment as I remember them.
Posted by InfoSec News on May 06: http://online.wsj.com/news/articles/SB10001424052702303417104579544551961937712.html
Posted by InfoSec News on May 06: http://www.defenseone.com/technology/2014/05/were-saved-experts-show-how-fix-us-cybersecurity/83734/
Posted by InfoSec News on May 06: http://www.computerworld.com/s/article/9248129/Canada_woes_breach_seen_as_cause_for_Target_CEO_s_exit
Posted by InfoSec News on May 06: http://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/
Posted by InfoSec News on May 06: Forwarded from: cfp () ruxcon org au
Posted by InfoSec News on May 06: http://abclocal.go.com/wls/story?section=news/iteam&id=9526738