Information Security News
by Nate Anderson
Matthew Green is a well-known cryptography professor, currently teaching in the computer science department of Johns Hopkins University in Baltimore. Last week, Green authored a long and interesting blog post about the recent revelations that the NSA has, among much else, subverted crypto standards. In his words, "The TL;DR ['too long; didn't read' version] is that the NSA has been doing some very bad things." And Green went on to speculate at some length about what those "bad things" were and what they might mean.
Today, Green's academic dean contacted him to ask that "all copies" of the blog post be removed from university servers. Green said that the move was not "my Dean's fault," but he did not elaborate. Were cryptology professors at Johns Hopkins not allowed to say, as Green had, things like:
I was totally unprepared for today's bombshell revelations describing the NSA's efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough.
Was basic academic freedom on the line? Had the request even come initially from Johns Hopkins or from outside the school—perhaps someone at the NSA headquarters just up the road from Baltimore?
The latest revelation about the National Security Agency's (NSA) expansive surveillance program isn't really a revelation at all. It comes from Germany's Der Spiegel magazine, which reports that smartphones powered by Apple's iOS, Google's Android, and BlackBerry's operating systems are among the devices government spies exploit when they want to intercept a target's communications.
Buried in Monday's ho-hum report, however, is this intriguing nugget:
The NSA analysts are especially enthusiastic about the geolocation data stored in smartphones and many of their apps, data that enables them to determine a user's whereabouts at a given time.
According to one presentation, it was even possible to track a person's whereabouts over extended periods of time, until Apple eliminated this "error" with version 4.3.3 of its mobile operating system and restricted the memory to seven days.
The lack of specifics in the article makes it hard to identify the iOS bug, but it sure sounds like the one a pair of researchers reported in April 2011. It allowed anyone with physical access to an iPhone or iPad, or potentially a data backup of the device, to reconstruct a detailed account of the user's comings and goings, often down to the second, over an extended period of time. The geolocation data was stored in an easy-to-read file that was updated in real time, putting users at increased risk should their devices, computers, or backups ever fall into the hands of a hacker or government snoop who knew about the undocumented behavior.
Five Minute Interview: Ross Baker, AppRiver
When I saw him at Infosec the following year I took great pleasure in saying (with a smile) “thanks for the best advice I never took.” I would add to that by stating the obvious advice which I was given when younger. Never burn your bridges. It is ...
Sophos has reported a combination of vulnerabilities that can be used to perform a remote privilege escalation and gain unauthorised privileged access to the device. Details can be found here: http://www.sophos.com/en-us/support/knowledgebase/119773.aspx
If automatic updating is enabled the fix should be applied without further intervention.
Mark H (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Network access control in the real world
At the Infosec Europe event in April this year, Quocirca chaired a panel session where three users of NAC from very different business sectors explained why they had invested in the technology, how it helps them overcome GRC challenges and better ...
Posted by InfoSec News on Sep 09: http://www.wired.com/threatlevel/2013/09/tech-industry-tainted/
Posted by InfoSec News on Sep 09: http://www.v3.co.uk/v3-uk/news/2293021/small-businesses-byod-practices-leave-them-one-cyber-attack-away-from-bankruptcy
Posted by InfoSec News on Sep 09: http://www.theregister.co.uk/2013/09/06/yahoo_gridiron_game_uncryption/
Posted by InfoSec News on Sep 09: http://bc.ctvnews.ca/jepsen-s-hacker-used-inactive-email-to-download-sensitive-photos-court-hears-1.1443211