Information Security News
by Robert Lemos
A large text file billed as a list of usernames and passwords for more than 4.9 million Google accounts is likely a collection of credentials from different sources, not from a breach of the company's systems, Google stated on Wednesday.
The file was leaked to the Bitcoin Security board on Tuesday by a user known as "tvskit" who claimed that more than 60 percent of the passwords were good, according to translated content on Russian news site RT. Yet, in its own analysis, Google found that only 2 percent of the credentials would have worked, and that an even smaller number had been used successfully.
"Our automated anti-hijacking systems would have blocked many of those login attempts," the company's spam and abuse team said in the analysis. "We’ve protected the affected accounts and have required those users to reset their passwords."
by Sean Gallagher
Apple executives never mentioned the word "security" during the unveiling of the iPhone 6, iPhone 6+, and Apple Watch yesterday, choosing to focus on the sexier features of the upcoming iOS 8 and its connections to Apple's iCloud service. But digital safety is certainly on everyone's mind after the massive iCloud breach that resulted in many celebrity nude photos leaking across the Internet. While the company has promised fixes to both its mobile operating system and cloud storage service in the coming weeks, the perception of Apple's current security feels iffy at best.
In light of one high profile "hack," is it fair to primarily blame Apple's current setup? Is it really that easy to penetrate these defenses?
In the name of security, we did a little testing using family members as guinea pigs. To demonstrate just how much private information on an iPhone can be currently pulled from iCloud and other sources, we enlisted the help of a pair of software tools from Elcomsoft. These tools are essentially professional-level, forensic software used by law enforcement and other organizations to collect data. But to show that an attacker wouldn’t necessarily need that to gain access to phone data, we also used a pair of simpler “hacks,” attacking a family member’s account (again, with permission) by using only an iPhone and iTunes running on a Windows machine.
InfoSec Book Club: What's On Your Fall Reading List?
Dark Reading community members share the books that inform and inspire their decisions and interactions as security professionals. I don't know about you but when I see the yellow school buses rolling and the days start getting ...
CSP is an attempt to define a policy informing the browser about what content to expect from a site. Initially, only Firefox supported CSP. But lately, CSP has evolved into a standard, and other browsers have started to implement it. The very granular language defined by CSP allows sites to specify exactly what content is "legal" on a particular site.
Implementing CSP on a new site isn't terribly hard, and may actually lead to a cleaner site. But the difficult part is implementing CSP on existing sites (like this site). Sites grow "organically" over the years, and it is difficult to come back later and define a policy. You are bound to run into false positives, or your policy gets relaxed to the point where it becomes meaningless.
Luckily, CSP has a mechanism to help us. You are able to define a "Report URL", and browsers will report any violations they encounter to that URL. The reports are reasonably easy to read JSON snippets including the page that caused the problem, the policy directive that was violated, and even an excerpt from the part of the page that caused the problem.
Recently, a few nice tools have cropped up to make it easier to parse these reports and build CSPs. For example, Stuart Larsen implemented "CASPR", a plugin for Chrome that was built to create CSPs and to analyze the reports. Tools like this make implementing CSPs a lot easier.
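The report handling described above, as an added example that is not part of the original diary or of CASPR: a small Python aggregator that reads the JSON bodies browsers POST to a report URL, groups violations by directive and blocked origin, and separates hosts that might be added to the policy from inline/eval/extension noise that needs a code change instead. The sample reports, hostnames and policy string are constructed for the example.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit
# Constructed sample POST bodies in the CSP 1.0 "csp-report" JSON shape that
# browsers send to the report-uri endpoint. All hosts are hypothetical.
_POLICY = "default-src 'self'; report-uri /csp-report"
SAMPLE_BODIES = [json.dumps({"csp-report": {
    "document-uri": doc, "violated-directive": directive,
    "blocked-uri": blocked, "original-policy": _POLICY}})
    for doc, directive, blocked in [
        ("https://isc.example/diary/1", "script-src 'self'", "https://cdn.analytics.example/track.js"),
        ("https://isc.example/diary/2", "script-src 'self'", "https://cdn.analytics.example/track.js"),
        ("https://isc.example/diary/2", "script-src 'self'", "inline"),
        ("https://isc.example/", "img-src 'self'", "https://img.cdn.example/logo.png"),
        ("https://isc.example/", "script-src 'self'", "chrome-extension://abc"),
    ]] + ["this is not JSON"]  # garbage hitting the endpoint must not crash the parser

def parse_report(body):
    """Return the inner csp-report dict from one POST body, or None if it is not one."""
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return None
    return report if isinstance(report, dict) else None

def blocked_origin(blocked_uri):
    """Reduce a blocked URL to scheme://host. Non-URL tokens (inline, eval, data,
    extension schemes) are kept verbatim: they need a code fix, not an allowance."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "inline"  # assumption: empty blocked-uri means an inline violation

def summarize(bodies):
    """Map directive name -> Counter of blocked origins across all valid reports."""
    summary = defaultdict(Counter)
    for body in bodies:
        report = parse_report(body)
        if report is None:
            continue
        # reports carry the full directive text ("script-src 'self'"); keep only its name
        directive = (report.get("violated-directive") or "unknown").split()[0]
        summary[directive][blocked_origin(report.get("blocked-uri", ""))] += 1
    return summary

def suggest_sources(summary, min_count=2):
    """Per directive, http(s) origins seen at least min_count times: candidates for the
    source list. Singletons are usually noise (extensions, one-off injections)."""
    return {d: sorted(o for o, n in c.items() if n >= min_count and o.startswith("http"))
            for d, c in summary.items()}
```

Run the site under `Content-Security-Policy-Report-Only` first so nothing is blocked while the reports accumulate, then feed the collected bodies to `summarize` and review the suggestions by hand before tightening the policy.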
Any other tools or resources you like to help implementing CSPs?
Update: We got a couple of additional resources in via Twitter:
Using "Virtual Patching" to implement CSP on your Web Application Firewall
Twitter account focusing on CSP: http://twitter.com/SeeEssPee
Thanks to @imeleven for pointing out that Firefox was the first browser to support CSP. He also pointed to this slide deck: http://www.slideshare.net/imelven/evolving-web-security-model-v11-portland-owasp-may-29-2014