Information Security News
Customer data protection is a corporate social responsibility
"You could bring cost considerations into it, but typically, the way we've seen organisations do this is that it becomes more of a governing philosophy of sorts — not just for the infosec team, but for management in general," Shey said. "It no longer ...
On Verizon Wireless’ website, the company advises customers to “[n]ever give your passwords to anyone over the phone, include them in e-mail messages, [or] give them to anyone.” This is good security advice that experts would agree with. Yet Verizon itself is seeking out customers on Twitter and asking for their billing passwords over the social network’s direct messages platform.
This, obviously, isn’t the best security practice. Security experts who spoke to Ars disagreed on just how dangerous it is but agreed that Verizon should find a better way to verify the identities of customers.
It’s not a new strategy for Verizon, but I wasn’t aware of it until this week when the Verizon Wireless customer support account inserted itself into a Twitter conversation I was having, urged me to follow the account so we could exchange direct messages, and then asked for my mobile number and billing password. (Note: The billing password is akin to a PIN and separate from a customer's primary account password, but I didn't know that because Verizon's customer service account did not make this clear to me, and it seems likely other customers could be confused as well.)
Ushering in a new threat landscape for iPhone users, security researchers have uncovered an active malware operation that compromised the OS X and iOS devices of hundreds of thousands of people.
WireLurker, as the new family of malware has been dubbed, first took hold of Macs when users installed pirated software that had been laced with malicious code, according to a report published Wednesday by researchers from Palo Alto Networks. The trojan then installed itself as an OS X system daemon and waited for iOS devices to connect over USB interfaces. The infected Macs would then grab the serial number, iTunes store identifier, and if available, phone number of the iOS device and send the data to a server controlled by the operators. WireLurker-infected phones were also loaded up with a variety of unwanted apps. Palo Alto Networks researchers found 467 OS X WireLurker-infected applications available on Maiyadi, a third-party app store located in China. The apps were downloaded 356,104 times, a figure indicating that hundreds of thousands of people likely were hit by the infection.
At first blush, WireLurker doesn't look like much of a threat. For one thing, it targeted a relatively small number of people in a limited geography who all appeared to have ties to pirated software. On top of that, once it gained persistence on a Mac or iDevice, WireLurker stole only a small amount of data and installed mostly innocuous apps. But there are reasons WireLurker could be important to iOS users everywhere. Chief among them, the infected Macs were able to compromise non-jailbroken iPhones and iPads by abusing the trusted iOS pairing relationship and enterprise provisioning, a mechanism that allows businesses to install custom-written apps on employee devices.
by Sean Gallagher
When the first Silk Road and its alleged operator, Ross William Ulbricht, were taken down by the US government just over a year ago, it took some technical mojo to track down the server and its operator. That apparently wasn’t the case with Ulbricht’s successor. According to the US Attorney’s office for the Southern District of New York, Silk Road 2.0 was the victim of some old-fashioned social engineering of the most damaging kind. An undercover federal agent was able to join the site's administration team and gather the intelligence that led to the arrest of Blake Benthall—the alleged operator of the Silk Road successor site who went by the name “Defcon.”
The first Silk Road site, like version 2.0, operated as a “hidden service” on the Tor .onion anonymized network. The FBI claimed that it was able to exploit a flaw in a “captcha” feature of the concealed website to obtain Silk Road 1.0's actual IP address and track the server to a data center in Iceland. Ulbricht’s attorneys called the explanation “implausible,” accusing the FBI of unlawfully hacking the server.
However, in its investigation of Silk Road 2.0, the government took a different technical tack. In a statement issued by the US Attorney’s Office about the arrest, a spokesperson said, “During the Government’s investigation, which was conducted jointly by the FBI and [Homeland Security Investigations], an HSI agent acting in an undercover capacity (the “HSI-UC”) successfully infiltrated the support staff involved in the administration of the Silk Road 2.0 website and was given access to private, restricted areas of the site reserved for Benthall and his administrative staff. By doing so, the HSI-UC was able to interact directly with Benthall throughout his operation of the website.”
Infosec services firms Accuvant and FishNet to merge
Two of the largest players in information security services and consulting, Accuvant Inc. and FishNet Security Inc., announced merger plans Wednesday. Financial details of the merger, set to be completed during Q1 of 2015, have not been made available ...
Posted by InfoSec News on Nov 06 http://www.nextgov.com/cybersecurity/2014/11/long-awaited-fisma-reforms-hit-stumbling-block/98294/
Regular reader and contributor Gebhard sent us a pointer to Crypto 101, an introductory course on cryptography, freely available for programmers of all ages and skill levels by Laurens Van Houtven (lvh), available for everyone, for free, forever. It's a pre-release PDF read of a project that will be released in more formats later.
The Crypto 101 course allows you to learn by doing and includes everything you need to understand complete systems such as SSL/TLS: block ciphers, stream ciphers, hash functions, message authentication codes, public key encryption, key agreement protocols, and signature algorithms.
Lvh has written a fine book here; it's comprehensive yet accessible, robust but not overwhelming, and accomplishes its intended mission as a learning guide. And did I mention that it
@holisticinfosec
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted by InfoSec News on Nov 06 http://www.theregister.co.uk/2014/11/06/hackers_use_gmail_drafts_as_dead_drops_to_control_malware_bots/
Posted by InfoSec News on Nov 06 http://www.theguardian.com/technology/2014/nov/06/apple-mac-iphone-security-malware
Posted by InfoSec News on Nov 06 http://www.koreaherald.com/view.php?ud=20141106000958
Posted by InfoSec News on Nov 06 http://news.techworld.com/security/3584643/cisco-patches-serious-vulnerabilities-in-small-business-rv-series-routers/
Horrible Apple iOS virus; vectored via USB: WireLurker is 'new brand of threat ...
Apple says it's already fixed the problem, but independent infosec geeks say the company still has a long way to go, and that the problem isn't limited to China. In IT Blogwatch, bloggers cut the cord. Your humble blogwatcher curated these bloggy bits ...