
Thursday, August 25, 2016

Apple releases iOS 9.3.5 to prevent spyware from tracking all your data


Image: raymond wong/mashable

You can never have too much security.

Apple released iOS 9.3.5 with yet another "important security update for your iPhone or iPad" on Thursday. The update is available for the iPhone 4S and later, the iPad 2 and later, and the fifth-generation iPod touch and later.

The update is the second security patch pushed out in August. iOS 9.3.4 was released earlier this month.

According to Apple's security update page detailing changes in iOS 9.3.5, the update mainly closes up a few security holes that could be exploited by nefarious hackers and prevents them from running "arbitrary code with kernel privileges."

That sounds like a routine update, but a report from The New York Times says it patches a serious vulnerability that a company called the NSO Group has been using to secretly track a user's data.

Data like text messages, emails, calls and contacts, audio and passwords are all at risk unless you update to iOS 9.3.5.

Apple got to work on iOS 9.3.5 after two researchers discovered the exploits 10 days ago.

"The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations," Zamir Dahbash, an NSO Group spokesperson, told the Times. The invisible spyware is crafted to target dissidents and journalists in places like the United Arab Emirates, Mexico, Kenya, Mozambique, Yemen and Turkey.

If you're not on the latest version of iOS, now's the time to update it.

Saturday, August 13, 2016

Nancy Pelosi warns colleagues after info hacked


Image: J. Scott Applewhite, AP

House Minority Leader Nancy Pelosi warned fellow Democrats on Saturday to change their cellphone numbers and not let family members read their text messages after personal and official information of Democratic House members and congressional staff was posted online.

Pelosi told Democratic lawmakers that the Democratic Congressional Campaign Committee and other Democratic Party entities were the target of "an electronic Watergate break-in."

As a result, a mix of personal and official information of Democratic members and hundreds of congressional staff, purportedly from a hack of the DCCC, was posted online, Pelosi said.


A hacker who calls himself Guccifer 2.0 (an apparent reference to the first hacker called Guccifer) took credit for posting the information Friday night. He had claimed responsibility for the recent hack of Democratic National Committee emails, which roiled the Democratic National Convention last month.

Pelosi said she was flying from Florida to California when she heard about the posting of information such as cell phone numbers.

"Upon landing, I have received scores of mostly obscene and sick calls, voicemails and text messages," Pelosi said in her letter to colleagues. "Please be careful not to allow your children or family members to answer your phone or read incoming text messages. This morning, I am changing my phone number and I advise you to do so as well."

Pelosi said the chief information security officer of the House, John Ramsey, in coordination with U.S. Capitol Police, has sent communications to those people whose email addresses have been made public about how to address the problem. The chief administrative officer of the House has also sent an email stating that the House computer system has not been compromised, but urged members and staff to be vigilant about opening emails and websites.


Ramsey, in a memo distributed by Pelosi, advised lawmakers to change passwords to all email accounts that they use and strongly consider changing non-House email addresses if possible. 

Should lawmakers or staff receive any threats or observe suspicious activity, they should contact U.S. Capitol Police and local police, he said in the memo.

Rep. Ben Ray Luján, D-N.M., the chairman of the Democratic Congressional Campaign Committee, was holding a conference call with lawmakers on Saturday evening along with cybersecurity experts who have been investigating and responding to the breach.

"This is a sad course of events, not only for us, but more importantly for our country," Pelosi said in urging lawmakers to join the conference call with Luján.

While Guccifer 2.0 has described himself as a Romanian hacker and denies working for Russia, online investigators assert that he is linked to Russia.

Disclosures of email showing DNC staffers privately supporting Hillary Clinton during the presidential primary while publicly maintaining they were neutral in her race with Bernie Sanders led to the resignation of DNC chair Debbie Wasserman Schultz.

Thursday, August 4, 2016

Apple introduces its first security bounty program


Image: brittany herbert/mashable

Apple is launching its first security bounty. The news comes on the heels of a presentation from Apple’s Ivan Krstic at the annual Black Hat USA security conference in Las Vegas. 

Krstic runs security engineering and architecture at Apple and presented an in-depth look at iOS security. This was Apple’s first appearance at Black Hat in four years. 

Since its battle with the FBI this spring, Apple has been more outwardly focused on discussing its commitment to security. To that end, Apple is opening up its first security bounty program. The program, which will roll out in September, will accept security submissions in a number of areas. Depending on the type of exploit found, researchers and their organizations will get more money. 

The categories and issues up for consideration, along with their bounties, are as follows:  

  • Secure boot firmware components – up to $200,000.

  • Extraction of confidential material protected by the Secure Enclave Processor – up to $100,000.

  • Execution of arbitrary code with kernel privileges – up to $50,000.

  • Unauthorized access to iCloud account data on Apple servers – up to $50,000.

  • Access from a sandboxed process to user data outside of that sandbox – up to $25,000.

Organizations can accept the money Apple offers or they can donate it to a charity of their choice. Apple says that if researchers choose to donate to a charity, they will consider matching that donation. 

Apple tells me it may also award researchers who share significant critical vulnerabilities not outlined above. 

Unlike many security bounty programs, this program is not open to the public. For now, Apple is partnering with a dozen or so security researchers and organizations to focus on finding flaws. 

But Apple tells me that this isn’t an attempt to be exclusive. The plan is to open it up to more individuals and organizations over time. Apple also says that if someone not associated with an invited organization responsibly discloses a vulnerability, that feedback will be welcome and they may be invited to join the formal process. 

Apple says that it spoke to a number of other companies who have already run successful security bounties and that their advice – which was to start small (so as to keep the noise down relative to genuine reports) and then ramp up – contributed to the decision to only involve a few organizations and researchers at the start.

A long time coming 

Although it’s great that Apple is introducing a security bounty, it's worth noting that the company has taken its time getting here. Nearly every other major tech company – including Microsoft, Google and Facebook – has offered security bounties for years.

So what took so long?  

Apple tells me that although it has been working with outside researchers for years, it has consistently received feedback – from experts inside and outside of the company – that it is more difficult to identify significant security vulnerabilities without a bounty program.  

As a result, it makes sense that the company would look (finally!) to outside organizations and researchers to offer their own feedback. 

It probably doesn’t hurt that the focus on Apple’s security is now more pointed than ever before. With more eyes on Apple security – and more people trying to bypass it (whether it’s law enforcement or hackers), it makes sense to get more eyes focused on finding flaws. 

I understand the need to limit — at least initially — involvement in the bounty program, but I do hope Apple commits to expanding the individuals and groups involved quickly. iOS as a platform deserves as many eyes on it as possible.

For now, the focus of the bounty is on iOS, but Apple says that it is open to expanding the bounty program to other platforms (including macOS) and other areas, once the program ramps up.


Friday, June 17, 2016

Google paid $550,000 to 82 people who found holes in Android


One researcher reported 26 Android security vulnerabilities to Google in the past year, earning $75,750
Image: Rob Bulmahn, Flickr,  https://www.flickr.com/photos/rbulmahn/

Google started its Android Security Rewards program in June 2015, awarding money to researchers finding vulnerabilities in Android as well as Nexus phones and tablets. 

One year later, the company posted the results of the program on its blog, and it can be considered a success, both for Google and the researchers involved.

So far, Google has paid more than $550,000 to 82 individuals who found more than 250 qualifying vulnerability reports, Google's Android Security Program Manager Quan To wrote.

The top researcher, identified by Google as @heisecode, is actually making a decent living finding Android bugs; he won a total of $75,750 for 26 vulnerability reports. 

He'll get an even bigger enticement to continue searching for bugs in Google's mobile OS, as Google is increasing the awards for reports filed after June 1, 2016.

From now on, researchers who submit "high-quality" vulnerability reports with proof of concept will receive 33 percent more. High-quality vulnerability reports with a proof of concept, a CTS Test or a patch will get 50 percent more. Also, a "remote or proximal kernel exploit" will now earn $30,000 instead of $20,000, while a "remote exploit chain or exploits leading to TrustZone or Verified Boot compromise" will be rewarded with $50,000 instead of $30,000. 

The Android Security Rewards program is a part of Google's broader Security Rewards Program, which has been running since 2010. The program financially rewards security researchers who discover security holes in Google's software and hardware. Since January 2015, Google has also been running a program called Vulnerability Research Grants, which funds experts up front, before they start looking for bugs.


Friday, June 10, 2016

Twitter confirms stolen passwords are real, warns affected users


Those 33 million Twitter passwords making the rounds on the dark web? They're real.
Image: Sipa via AP Images

The recently leaked database containing nearly 33 million Twitter login credentials, including passwords in plain text, is definitely the real deal.

In a blog post Friday, Twitter confirmed it started warning users whose accounts may have been affected, as well as locking some accounts and sending a password reset request to the account owners. 

Twitter maintains the stolen passwords were not the result of a hack, but have rather been "amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both."

The post doesn't say how many users were affected; only that "a number of Twitter accounts were identified for extra protection." However, Twitter confirmed to the Wall Street Journal that the number is "in the millions."

Leakedsource, a site that collects stolen login credentials and puts them in an online database, said Wednesday this particular leak contains 32,880,300 Twitter credentials. 

The leak follows a string of high-profile Twitter accounts being hacked, including those belonging to Katy Perry, Drake, Mark Zuckerberg and Evan Williams. It's hard to say whether those hacks are related to this latest password leak; a recently unearthed stash of LinkedIn usernames and passwords, dating from 2012, could also be to blame as many users tend to use the same password on multiple sites. 

To protect your social accounts from hackers, you should follow a few simple rules: Use a password that's hard to guess or crack, never use the same password twice, and use two-factor authentication whenever possible. Here's our detailed post on the subject.  


Thursday, May 5, 2016

Betty White has some racy password advice


Did you know today is World Password Day? Neither did we, but nonagenarian actress and living legend Betty White does and apparently has a whole bunch of advice for keeping our digital stuff safe.

White partnered up with Passwordday.org to create a series of informational, humorous and suggestive videos to promote keeping your password protected.

The video, featured above, may be the first password instructional video to feature the "F" word.

These "pep-talks" dig into the ways multi-factor authentication can protect your information from prying eyes. Standard password protection is a single factor, usually just your password. Multi-factor authentication, however, asks for another element, like your fingerprint, eyes or face, or a PIN code sent to a separate device, such as your smartphone.

"You don't get to my age unless you're practicing safe sec... [security]," she says.

The site, which offers more detail on how to get your password life in order, is chiefly the work of Intel (along with a bunch of co-sponsors), a company that makes all kinds of hardware that can help you log into your computer with more than just a password. Its Intel RealSense infrared cameras are what allow some Windows 10 users to log into their computers with their faces.

White plays up solid security information for laughs and peppers the videos with saucy lines like, "If those tablets got a hold of my passwords... Well, it would be quite an endorsement for hot yoga."

And another: "You don't get to my age unless you're practicing safe sec..." Yes, that sounds like "sex," but the words "safe security" appear just below. 

Even if all the jokes don't land, there is a certain pleasure in hearing White say the words "multifactor authentication."

Considering all the times celebrities have been the victims of hacks, largely due to weak passwords, it's part genius to have one of the most senior and wisest celebrities around deliver a strong, humor-laced message about password security.

Tuesday, May 3, 2016

A 10-year-old hacked Instagram so Facebook gave him $10,000


Facebook CEO Mark Zuckerberg speaks at Facebook's corporate headquarters during a media event in Menlo Park, California on June 20, 2013, where Facebook announced the introduction of video for Instagram.
Image: Josh Edelson/AFP/Getty Images

Before he even reached the age requirement to make a Facebook account, a 10-year-old found a major flaw in Instagram, earning him a cool $10,000 from Facebook. 

Jani (his parents withheld his last name) figured out a way to get into Instagram's servers and delete text posted by Instagram users, Finnish news site Iltalehti reported.

Jani was rewarded $10,000 by Facebook as part of its bug bounty program, which offers cash rewards to people who find bugs and flaws in Facebook's digital infrastructure. That includes the Facebook-owned Instagram.

He could delete what people wrote

The boy told Iltalehti that he could delete what people wrote on the picture-sharing social media, demonstrating it to Instagram by deleting a comment they made on a test account. Jani said he could even delete Justin Bieber's comments with the flaw he found.

According to the boy's father, Jani and his twin brother have found security flaws in websites before, but they haven't been significant enough to justify a payout, until this one. 

Facebook's bug bounty program welcomes anyone to find bugs and flaws, and offers cash rewards to problems that are significant, similar to Google's own security rewards program. According to the most recent release from Facebook, the company received over 13,000 submissions from researchers in 2015 alone, 526 of which were valid reports.

In 2015, Facebook paid out a total of $936,000 to 210 researchers, averaging about $1,780 per submission.


Saturday, April 30, 2016

A popular toymaker's website is giving visitors ransomware


Image: malwarebytes

Ransomware, a type of malware that holds your computer hostage until you pay a certain amount of money, seems to be getting more popular since it sprouted up in large-scale form in 2013.

The website of Maisto International, a toymaker that primarily sells model vehicles and remote control vehicles, is playing host to some ransomware, Malwarebytes wrote Thursday. On the maisto.com homepage, malicious files can download themselves onto visitors' computers via something called Angler.

Angler is an exploit kit, a toolkit that installs malicious files on your computer. In this case, the Angler kit is infecting computers with CryptXXX, a ransomware that encrypts users' files and offers to unlock them for a fee.

Malwarebytes got a computer infected with the CryptXXX ransomware, which displayed this message.

Image: malwarebytes

According to Malwarebytes Senior Security Researcher Jérôme Segura, there is a tool that infected users can download to remove the ransomware without paying the ransom.

The Angler toolkit exploits outdated plugins like Java, Flash Player or Silverlight to install files on computers, so making sure your plugins are either up to date or disabled should keep you safe from this particular ransomware. Exploits like this one are why browsers have been disabling plugins, leading to the end of Java and other similar browser plugins.

Maisto International became a host to this malware because it's using an outdated content management system, which allowed hackers to plant their malicious software right on the website, Segura told Mashable.

"Sites running outdated versions of CMS [content management systems] such as WordPress or Joomla are vulnerable to automated or targeted hacks," Segura said. "Just like with Windows computers, hackers can exploit a flaw to gain access to the site and upload malicious code or perform other nefarious tasks."

Malwarebytes reached out to Maisto International about the malicious software on its website, and the website is now in maintenance mode.


Wednesday, April 27, 2016

FBI won't tell Apple how it got into the San Bernardino shooter's iPhone


Image: brittany herbert/mashable

The FBI on Wednesday opted not to share its method for hacking into the iPhone used by one of the San Bernardino shooters with Apple.

After a legal battle that dragged on for more than six weeks, the FBI was able to bypass the encryption on the iPhone 5C used by Syed Farook, thanks to a still unnamed outside party.


The question was then: Would the FBI tell Apple how it got into the killer's phone? When Mashable spoke to legal experts last month, the consensus was that no, the government would not reveal the method it used to access the phone.

But as recently as Tuesday, the FBI was discussing whether it would reveal the method to Apple under what is known as the Vulnerability Equities Process (VEP). The VEP was created in 2014 to basically determine whether law enforcement or government agencies need to turn over software vulnerabilities to manufacturers so that they can patch those holes to protect their customers from hackers.

In a statement, FBI Executive Assistant Director for Science and Technology Amy Hess said that “the FBI assesses that it cannot submit the method to the VEP.”

“The FBI purchased the method from an outside party so that we could unlock the San Bernardino device. We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate.”

In past conversations, Apple has expressed confidence that its code review process will help it patch the method used to bypass Farook's iPhone. Moreover, its broader commitment to pushing software updates to all of its users means that if it is able to patch the vulnerability, there is a good chance users will actually be protected from that method.

Farook and his wife Tashfeen Malik carried out a brutal terrorist attack in December at an office holiday party hosted by Farook's employer. They killed 14 people. Authorities had said unlocking Farook's work-issued iPhone may reveal unknown details about the attack, but the FBI has not revealed what, if anything, the hack turned up.


Saturday, April 23, 2016

Why messaging bots are a looming security threat


Image: Donte Neal/Mashable

Bots are taking over our messaging apps. 

Last week, at its F8 developer conference, Facebook revealed the first wave of Bots for Messenger. These automated, interactive programs respond to natural language and allow users to shop, order food, read the news and get personalized weather forecasts — all without leaving the Messenger app.

Separately, messaging app Kik also revealed its bot store, while Slack and Telegram have been experimenting with bots for some time. Microsoft also made a big push for bots at its Build 2016 conference, introducing developer tools for creating bots for Skype and other Microsoft services.

While bots are undoubtedly a big deal in tech right now, one area we've heard little about is security. That's because the issue of how these platforms will tackle it is still largely up in the air, even though bots could present a unique threat compared with typical malware and other malicious software, security experts say. 

Right now, most bots have a pretty narrow focus: you can order food or catch up on headlines or shop for a new pair of shoes — tasks you're likely used to completing through websites or apps. But, unlike the web, which often provides at least a few signals that an interaction is secure (for instance, the lock icon in your browser, the security certificate, or even simply the URL), there's no obvious way to tell a good bot from a bad bot. 


What's more, bots haven't been around long enough for users to be savvy enough to distinguish between those from legitimate sources and potential bad actors. Think of email phishing scams: While it's not uncommon for a scammer to send an email purporting to be from, say, your financial institution, most email software has gotten pretty good at flagging these types of messages so they're accompanied by a warning or go straight to your junk folder.

But there's no analogous mechanism for bots. Hypothetically, you could begin interacting with, say, a shopping bot and have no idea that it's a fake meant to steal your credit card info or other personal information. 

What's at risk 

While other types of bots have been closely followed within the security industry for years, the consumer-facing conversational bots used in Facebook Messenger, Slack, Kik, Telegram and other social apps are still new enough that they haven't been extensively studied. Still, just as mobile apps could have hidden malware, bots could pose a significant threat to users.

Since bots are embedded within the messaging and social apps we're already using, bots could be even better positioned to carry out certain exploits like the mining of personal data or harvesting login credentials, says Rami Essaid, CEO of Distil Networks, a security company that specializes in bot attacks.


"What’s potentially dangerous is they [bots] are being built into the app. Without a ton of scrutiny you could potentially have those trojan horses just built into apps, they don’t have to work from the outside in — they’re already in."

Essaid notes that while it's too early for this to be an immediate threat — we're only just starting to see the first wave of conversational bots hit social apps — platforms will need to step in to identify and expunge malicious bots.

"Once you can execute code on any platform, the world’s your oyster in terms of what you can and can’t do, and it’s just going to come down to the scrutiny of the Facebooks and these messenger apps to review and keep all of their apps clean," Essaid says.

So what about the platforms?

Complicating all this is that unlike the app stores, which are mostly kept in check by Apple and Google, it's up to each app to police the bots on their platform. And each app has different policies in place for how they deal with developers.


Some apps, like Telegram and Slack, are relatively open — just about any developer can cobble together a bot and make it available to other users. Facebook, on the other hand, is taking a more cautious approach. Messenger bots are still in beta, so each bot is currently reviewed individually before it's approved to roll out to all of Facebook's users.

In fact, Facebook says protecting users' security and privacy is one of the bigger factors in why it is taking a slower approach.

"We have a lot of [security] policies and that's actually one of the main reasons we're rolling out slowly right now," Facebook's director of product management for Messenger Peter Martinazzi told Mashable. "It started as a beta program because we want to make sure we have the best ways to enforce violations as they come up." 

He declined to discuss details around how individual developers are vetted but noted the company is actively enforcing various platform policies around security to protect users. The company will also be watching closely to see how users interact with bots, he said. 

David Marcus, Facebook vice president of messaging products, talks about bots for Messenger during the keynote address at the F8 Facebook developer conference.

Image: Eric Risberg/AP

"There's a lot of user signals, like whether someone is marking something as spam, whether they're blocking the bot, and all of that will help factor in how we'll monitor when things are behaving well and people are having a good experience."

Though careful scrutiny is undoubtedly a good thing, this approach is far from foolproof. Look at Apple, which, despite taking similar care in carefully reviewing apps before they're allowed into the App Store, still let dozens of malware-ridden apps slip in over the years. It seems almost inevitable that a shady bot could eventually get past even the strictest security policies once the messaging platforms begin to scale. 

How to protect yourself

Unfortunately, there isn't a foolproof way of making sure the bots you're using in messaging apps are only doing what they say they are — at least, not yet. "Think back to how long it took us to get any kind of malware detection on mobile devices," Essaid says. "There’s going to be a big window of time before any kind of antivirus comes out for these platforms."

In the meantime, he recommends users follow similar practices as they would in downloading mobile apps or other software. First off, make sure the bots you are using come from a trusted source. Second, don't forget to uninstall or deactivate the bots you are no longer actively using, to minimize any potential risk.

Certainly, the surest way of protecting yourself would be to ignore bots altogether, but that would also mean cutting yourself off from the considerable convenience they promise. The jury is still out on whether the current crop of messaging bots actually live up to the hype, but with huge investments from Microsoft, Facebook and (reportedly) Google, it seems likely they'll play an increasingly significant role in our digital lives.

Security has always been about finding a balance between convenience and protection. If bots truly do deliver on the former, does that inherently swing the pendulum away from the latter? Or is this simply the same security growing pains that every nascent platform encounters? For bots to truly take off, those questions might need answering sooner than later.

© 2013 Tech Trend 247. All rights reserved.