Security News (95 Posts)

<< Next - First ... 6 7 8 9 10 . Last - Previous >>

Koobface, The dangerous game of naming and shaming

There has been wide coverage of the naming and shaming of the supposedly perpetrators behind the Koobface botnet that has affected Facebook and other social sites for a few years.

The gang leader was first named on Dancho Danchev’s blog, then the Facebook’s security team threaten and did reveal the gang’s real identity, the New York times even ran an article on it and finally Sophos published another in-depth look at how they also discovered their identity. In between, many other sites jumped in to share that information.

I am slightly uncomfortable with this approach.

It appeared to have worked in this instance as the bonnet Command & Centre has been turned off, and it also appears they named the right perso...
>>[READ MORE]


Most websites are vulnerable to a hash collision DOS attack

By websites, I should really have said Web Applications, but the end result is the same: A server which is serving pages on the Internet could see its CPU usage increasing to a level making that server unusable for a few minutes or more. All that from a relatively small specially crafted malicious HTTP request.

This vulnerability exists in most languages used to develop web applications: PHP, ASP.Net, Java, Python, Ruby, etc. And it has been known to exist in theory since 2003!

Last week, Alexander Klink and Julian Wälde explained at the 28th Chaos Communication Congress in Germany how exactly the theory became reality and the impact on the different web application languages were affected.

The core of the issue is the way hash lists have been implemented in those languages. By “Hash” they both refer to a specific type of data structure and the cryptographic function. A >>[READ MORE]


Encrypting DNS queries with DNSCrypt from OpenDNS

OpenDNS has just release a beta software to enable encryption of DNS queries called: DNSCrypt.

Not encrypting DNS queries can lead to two main type of attacks, as described by OpenDNS:
First, it prevents man-in-the-middle attacks which can cause malicious DNS responses to be used to trick you into visiting a dangerous website or send traffic to an unintended third party. Second, it prevents snooping by your ISP or any other intermediary who might want to sniff your DNS traffic to see what domains you are resolving.

DNSCrypt can significantly increase a user web security as until now there was no way to encrypt DNS queries. As stated by OpenDNS, DNSCrypt should be seen as complementary to Domain Name System Security Extensions (DNSSEC) because the later is not use to encrypt DNS queries, but to provide authenticat...
>>[READ MORE]


Twitter helping with Android’s Security

Twitter has just announced they will be opening the technology from Whisper Systems they just acquired. This is good news for Android users, and Google. Their technology allows text messages to be encrypted as well as providing full disk encryption, the later will only be made available, well, later!

This has the potential to bring security enhancement to the Android’s mass.

The source code is now available here: GitHub

...
>>[READ MORE]

Carrier IQ, an interesting story of deception or what we could call the Facebook syndrome

...
>>[READ MORE]

Next Generation Firewall

There is a good article on TECHNET on Next Generation Firewall (NGF) and the fact that most, if not all, companies accept port 80 in/out meaning traditional F/W are less and less effective against malware using this port as a mean to call home or come in.

The Article nicely summerize the need to look for more than IP/PORT/PROTOCOL but also for the type of Payload going through.

Although not a new technology, the evolution of Malware is a growing issue which makes that technology more and more relevant.

...
>>[READ MORE]

I used to have one password…

I used to have one password.It was the password to my Unix student account and it was in the mid nineties!

Since then, I must have dozens of passwords for work/home computers, websites, files, etc. Having a truly different password each time is almost impossible unless you use some kind of password safe application. Or you could use some kind of clever formula, I do emphasise on the “clever” because if your formula is to generate the same password with a simple variant at the end of it, a hacker who has access to more than one of your password could find out what that formula is quite easily.

Another issue is the username. Most security warnings are related to users having the same password, although it is indeed true, there is also an issue with using the same username everywhere. I would argue it is more important to start with a known username than a known password.

The recent >>[READ MORE]


An action on Data Privacy

The Inquirer recently ran a story about a group targeting Facebook and their use of your personal information. This group called “Europe Vs Facebook” claims that Facebook not only stores information about you even after you have deleted it, in other words it never really get deleted, but that they also create ghost profile of users who opted not to be on Facebook in the first place.

I find this very interesting because technically it is quite possible… Even if someone is not on Facebook their photo can be uploaded and their name tagged to it. It would require much more intelligence though to be able to correlate some information about that person discussed in Facebook mails/messages but it is in theory possible.

Although many people have wa...
>>[READ MORE]


New Dropbox Issues and a work around

More issues have been found with Dropbox, they were major issues and the researchers worked with the vendor to fix them before going public.
Although they are now fixed they highlight the time bomb Dropbox is for enterprise users as usage convenience and security risk ignorance means sensitive information is likely to be transferred centrally on Dropbox from many different companies and user profiles.

The 3 security issues discussed in the this article were:
– Hash value spoofing to access other customer’s data
– Stealing Dropbox hostID to access other customer’s data
– Potential replay attack when providing other customer’s data hash combined with any valid host ID (i.e.: the attacker’s host ID) to get access to the corresponding data.

One key point made in the article is ...
>>[READ MORE]


Dropbox in the Enterprise

In the never ending story that is more issues/concerns with Dropbox, there is an interesting article discussing the recent changes of Terms and Conditions with using Dropbox:

TechRepublic Post

In a nutshell, Dropbox is trying to protect themselves with what they do and can do with your data hosted in their data centre. So it means granting Dropbox and those they work with“worldwide, non-exclusive, royalty-free, sub-licensable rights to use, copy, distribute, prepare derivative works “ from your data.

The TechRepublic article stresses that it is already the case with sites such as Facebook. There is however a big difference. Facebook is mainly used for social content, personal “stuff” (to use Dropbox’s term). Dropbox is not only used for personal “stuff” but also for professional “stuff”....
>>[READ MORE]