Information Security News
Civil liberties advocates have asked the US Federal Trade Commission to take action against the nation's four major wireless carriers for selling millions of Android smartphones that never, or only rarely, receive updates to patch dangerous security vulnerabilities.
The request for investigation and complaint for injunctive relief was filed Tuesday by the American Civil Liberties Union against AT&T, Verizon Wireless, Sprint Nextel, and T-Mobile USA. The vast majority of phones that the carriers sell run Google's Android operating system and rarely receive software updates, the 16-page document stated. It went on to allege that the practice violates provisions of the Federal Trade Commission Act barring deceptive and unfair business practices, since the carriers don't disclose that the failure to provide updates in a timely manner puts customers at greater risk of hacking attacks. Among other things, the filing seeks an order allowing customers to terminate contracts that cover a phone that's no longer eligible to receive updates.
"All four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices," Christopher Soghoian, principal technologist and senior policy analyst for the ACLU, wrote in the document. "The wireless carriers have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software. The delivery of software updates to consumers is not just an industry best practice, but is in fact a basic requirement for companies selling computing devices that they know will be used to store sensitive information, such as intimate photographs, e-mail, instant messages, and online banking credentials."
Venture Capital's Role in InfoSec
What's the role of venture capital in today's information security market? Alberto Yépez of Trident Capital describes start-up companies and the unique qualities that separate winners from losers. Yépez, managing director of Silicon Valley-based ...
by Sean Gallagher
A vulnerability in the ColdFusion Web server platform, reported by Adobe less than a week ago, has apparently been in the wild for almost a month and has allowed the hacking of at least one company website, exposing customer data. Yesterday, it was revealed that the virtual server hosting company Linode had been the victim of a multi-day breach that allowed hackers to gain access to customer records.
The breach was made possible by a vulnerability in Adobe's ColdFusion server platform that could, according to Adobe, "be exploited to impersonate an authenticated user." A patch had been issued for the vulnerability on April 9 and was rated as priority "2" and "important." Those ratings placed it a step down from the most critical, indicating that there were no known exploits at the time the patch was issued but that data was at risk. Adobe credited "an anonymous security researcher" with discovering the vulnerability.
But according to IRC conversation including one of the alleged hackers of the site, Linode's site had been compromised for weeks before its discovery. That revelation leaves open the possibility that other ColdFusion sites have been compromised as hackers sought out targets to use the exploit on.
Several of our readers have written in to let us know about the latest Java Update.
So why isn't this a normal one-liner with a pointer off to the readme? Because Oracle has significantly changed how Java runs with this version. Java now requires code signing, and will pop up brightly coloured dialogue boxes if your code is not signed. They now alert on unsigned, signed-but-expired and self-signed certificates.
We'll even need to click "OK" when we try to download and execute signed and trusted Java.
This is a really positive move on their part - with as many problems as Java has, it'll be nice to stop blaming the developers of the language entirely for malicious code - Java doesn't give you malware, running malware gives you malware.
(not that Java is perfect, mind you)
The graphics you can expect to see once you update are:
[Screenshots of the four Java security dialogs: Valid Certificate, Self-Signed Certificate, Expired Certificate, Unsigned Application]
Full details on the new run policy can be found here ==> https://www.java.com/en/download/help/appsecuritydialogs.xml
And more information can be found here ==> http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html
Bobsguide (press release) (blog)
Show Preview: InfoSec Europe 2013 and securing your financial future
Infosecurity Europe, running 23-25 April at the London Earls Court Exhibition Centre, is expected to attract more than 10,000 infosec delegates, 350 exhibitors, and numerous bank chief information security officers (CISOs) such as Michael Paisley at ...
NPR's Web publishing system and several of the news agency's Twitter accounts were hacked yesterday by a group supportive of the Syrian government that calls itself the "Syrian Electronic Army."
"Late Monday evening, several stories on the NPR website were defaced with headlines and text that said 'Syrian Electronic Army Was Here,'" an NPR statement published in an NPR.org news story on the incident said. "Some of these stories were distributed to and appeared on NPR Member Station websites. We have made the necessary corrections to those stories on NPR.org and are continuing to work with our Member Stations. Similar statements were posted on several NPR Twitter accounts. Those Twitter accounts have been addressed. We are closely monitoring the situation."
Sophos's Naked Security blog published a summary of the hack, including a screenshot of a Google search showing some of the headlines edited by the Syrian Electronic Army:
Yesterday, TheDomains reported there were 125 potentially fake domains registered just hours after the attack in Boston. By my current count, I see 234. Some of these are just parked domains, some are squatters who are keeping the domains from bad people. A couple are soliciting donations (one is soliciting bitcoins, oddly enough). So far, there have been no reports of any spam related to this, but there have been a few fake Twitter accounts which are fairly quickly getting squashed. Oh, and one lawsuit-lawyer related site in connection to the event, but that's a different kind of scum than we typically deal with here. But so far, most of the domains are parked (typically at GoDaddy, but don't read that as a swipe at them) or they don't resolve anywhere.
In short, I would have thought this would have picked up quicker than it had.
That said, it did give me the impetus to finish scripting a few things to basically monitor these domains automagically to start looking for indicators and to see when (or if) they ever come out of "parked" status.
As usual, the standard advice applies in events like these. If you want to donate (or have friends/family/colleagues who do), work through well-known and established charities to do so.
Feel free to send any suspicious sites/spam/Twitter accounts/etc. to us so we can keep doing analysis.
bambenek \at\ gmail /dot/ com
Bradford Networks Addresses BYOD Security Threats at InfoSec World 2013
Marketwire (press release)
ORLANDO, FL--(Marketwired - Apr 15, 2013) - InfoSec World Expo and Conference, Booth #104 -- Bradford Networks™, the best choice to secure network access for BYOD, today announced its participation in the InfoSec World Expo and Conference. During ...