A large text file billed as a list of usernames and passwords for more than 4.9 million Google accounts is likely a collection of credentials from different sources, not from a breach of the company's systems, Google stated on Wednesday.

The file was leaked to the Bitcoin Security board on Tuesday by a user known as "tvskit" who claimed that more than 60 percent of the passwords were good, according to translated content on Russian news site RT. Yet, in its own analysis, Google found that only 2 percent of the credentials would have worked and an even smaller number used successfully.

"Our automated anti-hijacking systems would have blocked many of those login attempts," the company's spam and abuse team said in the analysis. "We’ve protected the affected accounts and have required those users to reset their passwords."

Read 4 remaining paragraphs | Comments

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Jailbreaking an iPhone to steal its secrets in the name of security research, we unleash Elcomsoft iOS Forensics Toolkit.
Sean Gallagher

Apple executives never mentioned the word "security" during the unveiling of the iPhone 6, iPhone 6+, and Apple Watch yesterday, choosing to focus on the sexier features of the upcoming iOS 8 and its connections to Apple's iCloud service. But digital safety is certainly on everyone's mind after the massive iCloud breach that resulted in many celebrity nude photos leaking across the Internet. While the company has promised fixes to both its mobile operating system and cloud storage service in the coming weeks, the perception of Apple's current security feels iffy at best.

In light of one high profile "hack," is it fair to primarily blame Apple's current setup? Is it really that easy to penetrate these defenses?

In the name of security, we did a little testing using family members as guinea pigs. To demonstrate just how much private information on an iPhone can be currently pulled from iCloud and other sources, we enlisted the help of a pair of software tools from Elcomsoft. These tools are essentially professional-level, forensic software used by law enforcement and other organizations to collect data. But to show that an attacker wouldn’t necessarily need that to gain access to phone data, we also used a pair of simpler “hacks,” attacking a family member’s account (again, with permission) by using only an iPhone and iTunes running on a Windows machine.

Read 29 remaining paragraphs | Comments


InfoSec Book Club: What's On Your Fall Reading List?
Dark Reading
Dark Reading community members share the books that inform and inspire their decisions and interactions as security professionals. Previous. 1 of 10. Next. I don't know about you but when I see the yellow school buses rolling and the days start getting ...

and more »
Adobe Flash Player and AIR CVE-2014-0548 Same Origin Policy Security Bypass Vulnerability
Adobe Flash Player and AIR CVE-2014-0553 Use After Free Remote Code Execution Vulnerability
Adobe Flash Player and AIR CVE-2014-0555 Unspecified Memory Corruption Vulnerability
Adobe Flash Player and AIR CVE-2014-0559 Unspecified Heap Based Buffer Overflow Vulnerability
RETIRED: Microsoft September 2014 Advance Notification Multiple Vulnerabilities
[SECURITY] [DSA 3020-1] acpi-support security update
[SECURITY] CVE-2013-4444 Remote Code Execution in Apache Tomcat
Django 'contrib.admin' Information Disclosure Vulnerability
Django 'return()' Function URI Redirection Vulnerability

We have talked here about Content Security Policy (CSP) in the past. CSP is trying to tackle a pretty difficult problem. When it comes to cross-site-scripting (XSS), the browser and the user is usually the victim, not so much the server that is susceptible to XSS. As a result, it makes a lot of sense to add protections to the browser to prevent XSS. This isn't easy, because the browser has no idea what Javascript (or other content) to expect from a particular site. Microsoft implemented a simple filter in IE 8 and later, matching content submitted by the user to content reflected back by the site, but this approach is quite limited.

CSP is an attempt to define a policy informing the browser about what content to expect from a site. Initially, only Firfox supported CSP. But lately, CSP has evolved into a standard, and other browsers started to implement it [1]. The very granular langauge defined by CSP allows sites to specify exactly what content is "legal" on a particular site.

Implementing CSP on a new site isn't terrible hard, and may actually lead to a cleaner site. But the difficult part is to implement CSP on existing sites (like this site). Sites grow "organically" over the years, and it is difficult to come back later and define a policy. You are bound to run into false positives, or your policy is relaxed to the point where it becomes meaningless.

Luckily, CSP has a mechanism to help us. You are able to define a "Report URL", and browsers will report any errors they encounter to said URLs. The reports are reasonably easy to read JSON snippets including the page that caused the problem, the policy they violated, and even an excerpt from the part of the page that caused the problem.

Recently, a few nice tools have cropped up to make it easier to parse these reports and build CSPs. For example Stuart Larsen implemented "CASPR" [2], a plugin for Chrome that was built to create CSPs and to analyze the reports. Tools like this make implementing CSPs a lot easier. 

Any other tools or resources you like to help implementing CSPs?

Update: We got a couple of additional resources in via Twitter:

Using "Virtual Patching" to implement CSP on your Web Application Firewall
Twitter account focusing on CSP: http://twitter.com/SeeEssPee

Thanks to @imeleven for pointing out that Firefox was the first browser to support CSP. He also pointed to this slide deck: http://www.slideshare.net/imelven/evolving-web-security-model-v11-portland-owasp-may-29-2014



[1] http://www.w3.org/TR/CSP/
[2] http://caspr.io


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[security bulletin] HPSBMU03075 rev.1 - HP Network Node Manager I (NNMi) for Windows and Linux, Remote Execution of Arbitrary Code
NEW VMSA-2014-0008 VMware vSphere product updates to third party libraries
[slackware-security] seamonkey (SSA:2014-252-01)
Re: Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities
Xen 'evtchn_fifo_set_pending()' Local Denial of Service Vulnerability
PHP DNS TXT Record Handling CVE-2014-3597 Heap Buffer Overflow Vulnerability
Internet Storm Center Infocon Status