Mobile Security: "The Dawn of a New Era"

Mobile technology is a critical tool for successful organizations, but the risks it faces are growing rapidly. Threats from mobile malware, hackers and other vectors are increasing in number and sophistication. A recent survey found that IT security decision-makers consider mobile devices, such as smartphones and tablets, to be IT security's weakest link.

Also Symantec considers a split

Security company Symantec is considering a split, following eBay and HP, according to Bloomberg reports based on anonymous sources. One branch would concentrate on security, another on storage. Symantec took over Veritas Software in 2005 for $10.2 billion, a step into the storage market. Since then there has been discussion about breaking up the company. Following the resignation of CEO Steve Bennett in March of this year, those discussions became louder. Bloomberg suggests that a split might be a first step towards a sale. EMC and HP are both interested in security solutions.

Source: Bloomberg

Adobe spies on you through e-reader app

According to The Digital Reader, Adobe tracks the reading habits of users through its e-reader app Digital Editions 4. In addition, the collected data is sent to Adobe servers unencrypted.

Nate Hoffelder of The Digital Reader says that, using the network tool Wireshark, he captured IP traffic to Adobe servers containing privacy-sensitive data originating from the e-reader app Digital Editions 4. The forwarded data holds records of which e-books are opened and which page the reader is on. Metadata about the e-book collection is also collected and forwarded to the IP address 192.150.16.235, owned by Adobe. Moreover, the e-reader application scans the contents of the hard disk for the presence of e-books.

Besides the collection of user data, Hoffelder points out that Digital Editions 4 doesn't apply any encryption when forwarding the privacy-sensitive data. As a result, the data can easily be intercepted by a third party.

Hoffelder says he has asked Adobe to respond, but hasn't received any reaction yet.
He further claims that Adobe, with its passion for collecting personal data, violates not only American privacy legislation but also the often stricter European privacy laws. According to Hoffelder, e-book users should not use Adobe's Digital Editions software for the time being.

Source: Tweakers.net

Belgian Security Firm unveils 20 year old security risk in all Windows editions!

Script bug

Belgian IT firm The Security Factory has unveiled a Windows security issue that is more than 20 years old. The bug makes it possible to hack file servers and possibly introduces a new category of vulnerabilities.

The security problem is noteworthy because it requires no advanced hacking skills.
Simply creating a new folder on a file server with a specific structure in its name is enough to install malicious programs and take complete control of that server.

"The only requirement is that system administrators use scripts (e.g. for maintenance) which contain an up until now unknown but common vulnerability," explains Raf Cox of The Security Factory: "The vulnerability resembles the well known 'SQL injection' bug, but can be exploited on file servers, where the injection of malicious code wouldn't be expected."

Microsoft

The Security Factory claims to have talked to Microsoft about the problem and the communication around it. Microsoft CEO Satya Nadella's troops allegedly identified the bug, but plan no action towards releasing a security update.

"Microsoft suggests that the security bug is related to the way the script is written, and thus is not a problem in the operating system itself," said Cox.

"At the same time Microsoft neglects to issue a warning towards users, resulting in many scripts remaining vulnerable and thus endangering all file servers running this type of script. Even an antivirus program will not provide a solution, because it has no script error detection."

Ampersand

The vulnerability is related to the way the Windows Command Shell (also known as the DOS prompt) interprets the '&' (ampersand) character in scripts that work with environment variables.

The '&' character serves as a separator between two consecutive commands on one line. If an environment variable contains this character and a script displays its value or assigns it to another variable, the portion of the value after the '&' character is interpreted as a new Windows command (or program) and immediately executed.

Frank Lycops gives an example: "Suppose an environment variable A has the value T & Calc and you populate this variable ('echo %A%') or assign it to another variable ('SET B=%A%'), then the command shell (DOS prompt) will launch 'calc' (calculator)."

"So far there is no harm done. But the problem is more severe in case an environment variable in this way refers to a malicious program that is installed by a user on a computer."

"If a user creates a folder on a file server with a name 'T & Program' and copies a file 'program.exe' in that folder (or even simpler through a script like program.cmd), then this program is launched with often full access rights to all files on the system itself."

Source: DataNews
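
The script pattern described in the article above, turned into a check a defender can run over maintenance scripts (an added example, not code from The Security Factory or DataNews): it flags %VAR% expansions that sit outside double quotes, where an '&' in the value would be parsed as a command separator. It assumes named environment variables only (positional parameters such as %1 are not covered), and the sample script is constructed.

```python
import re

# %NAME% expansion of a named environment variable in a batch script.
EXPANSION = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def unquoted_expansions(line):
    """Return the variables expanded outside double quotes on one line."""
    quoted = [False] * len(line)
    inside = False
    for i, ch in enumerate(line):
        if ch == '"':
            inside = not inside
        quoted[i] = inside
    return [m.group(1) for m in EXPANSION.finditer(line)
            if not quoted[m.start()]]


def audit(script):
    """Return (line number, variable) for every unquoted expansion."""
    findings = []
    for number, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        # Comment lines are ignored in this example.
        if not stripped or stripped.lower().startswith(("rem ", "::")):
            continue
        for name in unquoted_expansions(stripped):
            findings.append((number, name))
    return findings


# Constructed maintenance script, not taken from the article.
SAMPLE = r'''@echo off
rem copy the value and show it
set B=%A%
echo %A%
set "C=%A%"
echo "Cleaning %CD%"
cd /d %TARGET%
'''

if __name__ == "__main__":
    for number, name in audit(SAMPLE):
        print(f"line {number}: %{name}% is expanded outside quotes")
```

Quoting the expansion, as in set "C=%A%", keeps the '&' literal as long as the value itself contains no double quote, which Windows does not allow in file and folder names.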

6 Tips on P@ssworD Security

Yesterday, eBay.com sent me a warm welcome email, thanking me for having created a new account with eBay ID oha1231.xyz.
The problem is, I didn't create that account. Furthermore, the email address used for the account registration was one of my aliases, which I rarely use.
I immediately submitted an inquiry to eBay Belgium to close this account and contacted my mail provider who advised me to change my account and mailbox password.
A lot of questions started spinning through my head:
Have any of my passwords been leaked?
Why didn't the email from eBay contain a validation link, is it really that simple to assume someone else's identity and start bidding or even purchase online?
Why would someone even want to go through all that trouble? - As I learned later on, my credit card and PayPal account were not compromised.
How did the other party get their hands on the rarely used alias by little ol' me?
Aside from causing me financial damage, by for example bidding on a private jet, it still doesn't make a lot of sense how someone else could profit from this without having a way to pay for it on my behalf.
As eBay Belgium is closed on weekends, I didn't want to wait and called the U.S. hotline.
Upon lookup of the username, the agent explained to me that there was a database breach back in May and this abuse was directly linked to it.
eBay customer names, their encrypted passwords, email addresses, registered addresses, phone numbers and dates of birth were exposed.
The agent immediately took action to have the impersonating account suspended.
The alias used to register the account was used by me in the past for domain registrations.
Up until now I didn't realize that WHOIS lookups in fact can reveal full personal contact details, if not set private.
Am I relieved now? - No! Case closed for eBay? - Yes.

While I'm sure you all well remember the Heartbleed Bug, which made people change their passwords on all affected sites, my wake-up call came earlier when I read the story about the hijacked Twitter account '@N', a true story about how malicious steps through 'social engineering' can cause damage to someone's account ownership.

Which lessons, if any, can be learned from this?

A password is only as good as the secured environment it's stored in.
Furthermore, you may want to take comfort in the fact that nothing is private: aside from external threats, internal threats such as employees with bad intentions and access to sensitive customer data are equally real.

Going forward with password security, I advise the following:

  • Be prepared to memorize one good, strong password or, even better, an uncommon pass-sentence. It’s worth the effort.
  • Go to a website that generates truly random passwords (like random.org). Create a list of five or ten candidate passwords.
  • Pick a random password that you can convert into a memorable nonsense phrase. Use the phrase to remember the password.
  • Use a password manager such as LastPass or KeePass and use these tools to keep track of previously used passwords.
  • Change your passwords regularly. Set calendar reminders to do so.
  • Do not ever use the same password twice.

 

Sources and recommended reading:

https://medium.com/cyber-security/24eb09e026dd

http://arstechnica.com/security/2013/07/how-elite-security-ninjas-choose-and-safeguard-their-passwords/

https://medium.com/@littlebrown/how-to-outguess-passwords-3a72ab8b17f4

http://arstechnica.com/security/2014/01/picking-up-the-pieces-after-the-n-twitter-account-theft/