Information Security News
The No. 2 official at the Justice Department recently warned top Apple executives that stronger encryption protections added to iPhones would lead to a horrific tragedy, such as a child dying, because police couldn't access a suspect's device, The Wall Street Journal reported Wednesday.
The beefed up protections, Apple recently disclosed, mean that even when company officials are served with a court order, they will be unable to retrieve potentially crucial evidence such as photos, messages, or contacts stored on iPhones and iPads. Instead, the data can be accessed only by people who know the passcode that serves as the encryption key.
Justice Department officials wasted no time objecting to the changes and used the scenario of a child being kidnapped and murdered to drive home their claim that Apple was "marketing to criminals." According to the WSJ, Justice Department officials including Deputy Attorney General James Cole met with Apple General Counsel Bruce Sewell and two other company employees on October 1. Reporters Devlin Barrett, Danny Yadron, and Daisuke Wakabayashi gave the following account, which they attributed to the recollections of people who attended.
Windows tech support scams have been conning PC users out of money for years, and there's seemingly no end in sight. The Federal Trade Commission today announced that "a federal court has temporarily shut down two massive telemarketing operations that conned tens of thousands of consumers out of more than $120 million by deceptively marketing computer software and tech support services."
This is the third in a series of actions against such operations, the FTC said, and if the past is any indication, it won't be the last. The FTC announced a big crackdown in late 2012 and another in late 2013. But PC users continued to hand over money to nearly identical scammers, according to the latest FTC complaints. Today's FTC press release described a method that has tricked PC users time and again:
According to the FTC’s complaints, each scam starts with computer software that purports to enhance the security or performance of consumers’ computers. Typically, consumers download a free trial version of software that runs a computer system scan. The defendants’ software scan always identifies numerous errors on consumers’ computers, regardless of whether the computer has any performance problems.
The software then tells consumers that, in order to fix the identified errors, they will have to purchase the paid version of the software. In reality, the FTC alleges, the defendants pitching the software designed these highly deceptive scans to identify hundreds or even thousands of “errors” that have nothing to do with a computer’s performance or security. After consumers purchase the “full” version of the software at a cost of $29 to $49, the software directs them to call a toll-free number to “activate” the software.
When consumers call the activation number, however, they are connected to telemarketers who try to sell computer repair services and computer software using deceptive scare tactics to deceive consumers into paying for unneeded computer support services.
According to the FTC, the telemarketers tell consumers that, in order to activate the software they have just purchased, they must provide the telemarketers with remote access to their computers. The telemarketers then launch into a scripted sales pitch that includes showing consumers various screens on their computers, such as the Windows Event Viewer, and falsely claiming that these screens show signs that consumers’ computers have significant damage. After convincing consumers that their computers need immediate help, the telemarketers then pitch security software and tech support services that cost as much as $500.
The FTC teamed up with the State of Florida on the latest cases, winning federal court orders against the companies that "also temporarily freeze the defendants’ assets and place the businesses under the control of a court-appointed receiver." The complaints say the defendants have been scamming consumers since at least 2012.
When the fine folks at Portswigger updated Burp Suite last month to 1.6.07 (Nov 3), I was really glad to see NoSQL injection in the list of new features.
Whats NoSQL you ask? If your director is talking to you about Big Data or your Marketing is talking to you about customer metrics, likely what they mean is an app with a back-end database that uses NoSQL instead of real SQL.
Im tripping over this requirement this month in the retail space. Ive got clients that want to track a retail customers visit to the store (tracking their cellphones using the store wireless access points), to see:
In other words, using the wireless system to track customer movements, then correlating it back to purchase behaviour to determine how effective each feature sale might be.
So what database do folks use for applications like this? Front-runners in the NoSQL race these days include MongoDB and CouchDB. Both databases do cool things with large volumes of data.">Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.
CouchDB has a similar statement at http://guide.couchdb.org/draft/security.html ">it should be obvious that putting a default installation into the wild is adventurous
So, where do I see folks deploying these databases? Why, in PUBLIC CLOUDs, thats where!" />
And what happens after you stand up your almost-free database and the analysis on that dataset is done? In most cases, the marketing folks who are using it simply abandon it, in a running state. What could possibly go wrong with that? Especially if they didnt tell anyone in either the IT or Security group that this database even existed?
Given that weve got hundreds of new ways to collect data that weve never had access to before, its pretty obvious that if big data infrastructures like these arent part of our current plans, they likely should be. All I ask is that folks do the risk assessments tha they would if this server was going up in their own datacenter. Ask some questions like:
Smartmeter applications are another big data thing Ive come across lately. Laying this out end-to-end - collecting data from hundreds of thousands of embedded devices that may or may not be securable, over a public network to be stored in an insecurable database in a public cloud. Oh, and the collected data impinges on at least 2 regulatory frameworks - PCI and NERC/FERC, possibly also privacy legislation depending on the country. Ouch!
Back to the tools to assess these databases - Burp isnt your only option to scan NoSQL database servers - in fact, Burp is more concerned with the web front-end to NoSQL itself. NoSQLMAP (http://www.nosqlmap.net/) is another tool thats seeing a lot of traction, and of course the standard usual suspects list of tools have NoSQL scripts, components and plugins - Nessus has a nice set of compliance checks for the database itself, NMAP has scripts for both couchdb, mongodbb and hadoop detection, as well as mining for database-specific information. OWASP has a good page on NoSQL injection at https://www.owasp.org/index.php/Testing_for_NoSQL_injection, and also check out http://opensecurity.in/nosql-exploitation-framework/.
Shodan is also a nice place to look in an assessment during your recon phase (for instance, take a look at http://www.shodanhq.com/search?q=MongoDB+Server+Information )
Have you used a different tool to assess a NoSQL Database? Or have you had - lets say an interesting conversation around securing data in such a database with your management or marketing group? Please, add to the story in our comment form!
by Robert Lemos
Cyber criminals have started targeting the password managers that protect an individual's most sensitive credentials by using a keylogger to steal the master password in certain cases, according to research from data-protection company IBM Trusteer.
The research found that a configuration file, which attackers use to tailor the Citadel trojan for specific campaigns, had been modified to start up a keylogger when the user opened either Password Safe or KeePass, two open-source password managers. While malware has previously targeted the credentials stored in the password managers included in popular Web browsers, third-party password managers have typically not been targeted.
While the current impact of the attack is low, the implications of the attacker’s focus is that password managers will soon come under more widespread assault, Dana Tamir, director of enterprise security for IBM Trusteer, told Ars Technica.