Information Security News
In a rare press release issued Wednesday morning, Hacking Team, the embattled Italian surveillance software vendor, reiterated that it did not and does not have a "backdoor" into its clients’ installations of the Remote Control System, or RCS. But new analysis of its leaked source code seems to directly contradict this claim.
Hacking Team said:
There have been reports that our software contained some sort of "backdoor" that permitted Hacking Team insight into the operations of our clients or the ability to disable their software. This is not true. No such backdoors were ever present, and clients have been permitted to examine the source code to reassure themselves of this fact.
According to new research by Joseph Greenwood, a UK-based researcher with 4Armed who has been examining the leaked RCS source code in detail, this is a distinction without a difference.
A bug in the latest version of Apple's OS X gives attackers the ability to obtain unfettered root user privileges, a feat that makes it easier to surreptitiously infect Macs with rootkits and other types of persistent malware.
The privilege-escalation bug, which was reported in a blog post published Tuesday by security researcher Stefan Esser, is the type of security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications. Hacking Team, the Italian malware-as-a-service provider that catered to governments around the world, recently exploited similar elevation-of-privileges bugs in Microsoft Windows. When combined with a zero-day exploit targeting Adobe's Flash media player, Hacking Team was able to pierce security protections built into Google Chrome, widely regarded as the Internet's most secure browser by default.
According to Esser, the OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Developers didn't use standard safeguards involving additions to the OS X dynamic linker dyld, a failure that allows attackers to open or create files with root privileges that can reside anywhere in the OS X file system.
by Sean Gallagher
US government officials are nearly certain that the Chinese government was involved in the theft of sensitive personal information about millions of government employees, members of the US military, and employees of government contractors requiring background checks or security clearances from the systems of the Office of Personnel Management. But according to a report by the Washington Post, the Obama administration has decided to not publicly and officially call out China for the attack—in part because it might require the administration to reveal some of the US' hacking of China to make the case, and expose other information intelligence and warfare capabilities of the National Security Agency, Department of Homeland Security, and FBI.
Ellen Nakashima, the Post's national security reporter, cited anonymous conversations with officials involved with the White House's decision-making process surrounding the OPM, and reported that the administration "has not ruled out economic sanctions or other punitive measures" for the theft of data from OPM. But US officials, including Director of National Intelligence James Clapper, have "even expressed grudging admiration for the OPM hack, saying US spy agencies would do the same against other governments," she reported.
Part of the calculus that went into the decision, one official told Nakashima, was that “we don’t see enough benefit in doing the attribution at this point to outweigh whatever loss we might [experience] in terms of intelligence-collection capabilities.” Another official said that the White House might opt to simply put sanctions in place under other justifications, and then privately communicate to the Chinese government that the sanctions were in fact in retaliation for the OPM hack.
Infosec experts hack Jeep, gain control of moving car - Security - News ...
A pair of veteran cybersecurity researchers have shown they can use the internet to turn off a car's engine as it drives, sharply escalating the stakes in the debate about the safety of increasingly connected cars and trucks. Former NSA hacker Charlie ...