Information Security News
The Perfect InfoSec Mindset: Paranoia + Skepticism
Obviously, true delusional paranoia has no place in infosec. Panicked reactions to fictional threats are a recipe for disaster. However, I believe the proper dose of paranoia can be a good thing for security professionals. After all, it does increase ...
by WIRED UK
The technology behind Iron Dome, the missile defense system Israel has been using since 2011, was allegedly stolen by Chinese military hackers.
That claim was made by Cyber Engineering Services to Brian Krebs of security news site Krebs On Security, and it identifies Elisra Group, Israel Aerospace Industries (IAI), and Rafael Advanced Defense Systems as the three defense companies that were compromised during the cyber assault. The perpetrators, Cyber Engineering Services says, are the same ones behind a spate of attacks that have come to light in the past few years, all attributed to Unit 61398, a Shanghai-based arm of the Chinese army. The five Chinese military officers indicted by the US earlier this year for allegedly hacking energy firms in the country also belong to the same unit.
The hacks took place from October 2011, some six months after Iron Dome became operational, and continued up until August 2012. Israel Defense Forces (IDF) has said that many hundreds of rockets fired from Gaza, particularly during the current military operation and a series of clashes in 2012, have been scuppered by the system, which is thought to be one of the most effective missile-defense technologies in the world.
by Sean Gallagher
Stevie Graham, a London-based developer, recently submitted a bug report to Facebook outlining what he saw as a security vulnerability in Instagram that would allow someone to hijack a user’s session based on data captured over a public Wi-Fi network. When he was told that he wouldn’t get a bug bounty from Facebook, which owns Instagram, he tweeted about it—and set about building a proof-of-concept tool to exploit it. “Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts,” he wrote. “Pretty serious vuln, FB. please fix.”
As we reported in our recent coverage of mobile application privacy holes, Instagram uses HTTP for much of its communications, passing the user’s account name and an identifying account number in the clear. And as Graham demonstrated, there are other pieces of data sent between Instagram’s iOS client and the service that are passed in the clear. Even though the user’s credentials are submitted using a secure connection, information passed back by Instagram’s application interface to the phone client provides a cookie that can be used on the same network without reauthentication to connect via the Web to Instagram as that user and gain access to private messages and other data. “Once you have a cookie, any endpoint can be authenticated with the cookie, HTTPS or HTTP,” he wrote. Graham said that he has known about the flaw for years.
Graham posted the following steps to reproduce his findings:
The majority of devices running Google's Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read e-mail, and access payment histories and other sensitive data, researchers have warned.
The high-impact vulnerability has existed in Android since the release of version 2.1 in early 2010, researchers from Bluebox Security said. They dubbed the bug Fake ID, because, like a fraudulent driver's license an underage person might use to sneak into a bar, it grants malicious apps special access to Android resources that are typically off-limits. Google developers have introduced changes that limit some of the damage that malicious apps can do in Android 4.4, but the underlying bug remains unpatched, even in the Android L preview.
The Fake ID vulnerability stems from the failure of Android to verify the validity of cryptographic certificates that accompany each app installed on a device. The OS relies on the credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash in all but version 4.4, for instance, is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access Near Field Communication hardware that processes payment information.
Posted by InfoSec News on Jul 29http://www.washingtonpost.com/lifestyle/style/hackers-conference-celebrates-one-of-the-oldest-tricks-in-the-book-picking-locks/2014/07/25/c6ef22be-133d-11e4-98ee-daea85133bc9_story.html
Posted by InfoSec News on Jul 29Forwarded from: GroundZero Summit CFP <g0s.cfp (at) gmail.com>
Posted by InfoSec News on Jul 29http://nypost.com/2014/07/27/medical-examiner-employees-have-seen-dead-celebrities-files/
Posted by InfoSec News on Jul 29http://www.nextgov.com/cybersecurity/2014/07/hacker-breached-noaa-satellite-data-contractors-pc/89771/
Posted by InfoSec News on Jul 29http://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-firms-that-built-iron-dome-missile-defense-system/
Posted by InfoSec News on Jul 29http://www.ctvnews.ca/canada/chinese-cyberattack-forces-computer-shutdown-at-national-research-council-1.1936483