Hackers: $50,000 to keep Symantec source code private – ZDNet (Steven Musil)

As part of a sting operation, Symantec told a hacker group that it would pay $50,000 to keep the source code for some of its flagship security products off the Internet, the company confirmed to CNET this evening.

An e-mail exchange revealing the extortion attempt posted to Pastebin (see below) today shows a purported Symantec employee named Sam Thomas negotiating payment with an individual named “Yamatough” to prevent the release of PCAnywhere and Norton Antivirus code. Yamatough is the Twitter identity of an individual or group that had previously threatened to release the source code for Norton Antivirus.

via Hackers: $50,000 to keep Symantec source code private – ZDNet.

Forensic security analysis of Google Wallet – viaForensics « viaForensics

Summary of Google Wallet security findings

So, in summary, here are the items of note from my high-level analysis. Bear in mind this is nowhere near the level of testing an app like this deserves, but since this is done on our own time, it’s all I could manage thus far. Anyway, here goes:

A fair amount of data is stored in various SQLite databases including credit card balance, limits, expiration date, name on card, transaction dates and locations and more.

The name on the card, the expiration date, last 4 card digits and email account are all recoverable.

[Fixed in Version 1.1-R41v8] When transactions are deleted or Google Wallet is reset, the data is still recoverable.

The Google Analytics tracking provides insights into the Google Wallet activity. While I know Google tracks what I do, it’s a little frustrating to find it scattered everywhere and perhaps in a way that can be intercepted on the wire (non-SSL GET request) or on the phone (logs, databases, etc.).

[Fixed in Version 1.0-R33v6] The application created a recoverable image of my credit card which gave away a little more info than needed (name, expiration date and last 4 digits).  While this is not enough to use a card, it’s likely enough to launch a social engineering attack.

While Google Wallet does a decent job securing your full credit card numbers (they are not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card). Many consumers would not find it acceptable if people knew their credit card balance or limits. Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineering attack.

And this testing was really only very high level. Far more sophisticated and comprehensive security analysis is needed to determine if other vulnerabilities are present. In addition, privacy-conscious consumers should understand that analyzing nearly everything you use Google Wallet for is basically the price you pay for the service. From a tech standpoint, it’s very exciting to see Google Wallet in production. However, it has consistently been viaForensics’ position that the largest security risk from apps using NFC does not stem from the core NFC technology but instead from the apps that use the technology. In this case, the amount of unencrypted data stored by Google Wallet surpasses what we believe most consumers find acceptable.

via Forensic security analysis of Google Wallet – viaForensics « viaForensics.
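The recoverable-after-delete finding above (the item marked fixed in 1.1-R41v8) is a general property of SQLite, not something peculiar to Google Wallet: a deleted row disappears from queries, but its bytes stay in the database file until the space is overwritten. The Python script below is an added illustration, not code from viaForensics or Google. It creates a throwaway database with one constructed transaction-like row, deletes it, and scans the raw file bytes for the value, first under SQLite’s default settings and then with the two remedies an app developer would reach for, `PRAGMA secure_delete` and `VACUUM`. The table name, column names, file name and marker string are all constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed stand-in for a stored transaction record; not a value taken from
# the viaForensics analysis.
MARKER = "CONSTRUCTED-MERCHANT-9f3a-LATTE"


def deleted_row_survives(secure_delete: bool, vacuum: bool) -> bool:
    """Insert one transaction-like row into a fresh SQLite file, delete it, and
    report whether the row's text is still present in the raw file bytes.

    A True result means a plain strings/hex scan of the database file (or of a
    forensic image of the phone) would still show the 'deleted' record.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wallet_demo.db")  # hypothetical file name
        conn = sqlite3.connect(path, isolation_level=None)  # autocommit mode
        # Set the flag explicitly either way: some distributions build SQLite
        # with SQLITE_SECURE_DELETE on by default, which would mask the effect.
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute(
            "CREATE TABLE transactions ("
            "id INTEGER PRIMARY KEY, merchant TEXT, amount REAL, ts TEXT)"
        )
        conn.execute(
            "INSERT INTO transactions (merchant, amount, ts) VALUES (?, ?, ?)",
            (MARKER, 4.25, "2011-12-12T09:30:00"),
        )
        # The app's 'delete transaction' action: the row is gone from queries...
        conn.execute("DELETE FROM transactions WHERE id = 1")
        assert conn.execute("SELECT COUNT(*) FROM transactions").fetchone()[0] == 0
        if vacuum:
            # VACUUM rebuilds the file from live content only (needs autocommit).
            conn.execute("VACUUM")
        conn.close()
        # ...but is it gone from the file? Check the bytes, not the queries.
        with open(path, "rb") as f:
            raw = f.read()
        return MARKER.encode() in raw


def survey() -> dict:
    """Run all four combinations; maps (secure_delete, vacuum) -> recoverable?"""
    return {
        (sd, vac): deleted_row_survives(sd, vac)
        for sd in (False, True)
        for vac in (False, True)
    }


if __name__ == "__main__":
    for (sd, vac), leaked in survey().items():
        verdict = "RECOVERABLE from raw file" if leaked else "not found in raw file"
        print(f"secure_delete={sd!s:5} vacuum={vac!s:5} -> {verdict}")
```

With the defaults the marker is still in the file after the delete; with `secure_delete` on, SQLite zeroes freed space as it goes, and `VACUUM` rewrites the file from live rows only, which is the cheap way to implement a real "reset". Neither setting does anything for the copies that may sit in the rollback journal or WAL file beside the database, so a wipe routine has to consider those files as well.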

Law Firms Limit Use of Cloud Computing Due To Security Concerns | JD Journal

Security is important no matter what field you are in. When it comes to law firms this is especially important. Law firms use several types of technology to handle their documents and other processes. While technology managers in law firms were previously interested in cloud computing, they are reducing their drive towards it, citing security concerns. They are focusing more on the security of their information, according to the studies done by The American Lawyer. One of the driving forces behind this is clients asking the firms to detail their security policies whenever they are working with the firm.

When a survey was done of the ones using cloud computing, the main functions used are items that are non-core. For example, e-discovery and human resources are the bulk of the applications used. Of those surveyed, only 8% say they are using the cloud for document management. The biggest drawback cited was their concerns for security. Among the findings that the survey produced, the budgets for technology are averaging around $4.7 million for the firms. This is an increase of 7% from last year.

A problem that seems to be complicating security is the increased use of personal devices in the workplace. The CIOs report that they are managing this successfully by using the new generation of management software for mobile devices. Examples of that are Good Technology Inc.’s Good For Enterprise and MobileIron’s Virtual Smartphone Management Platform. These help to deal with the issues that arise in the office because of the growing use of mobile data in the offices. This is likely to increase each year as more and more new mobile devices come out.

While all the firms that were surveyed still use BlackBerry phones, 96% of those surveyed have users on iOS systems. Those numbers are up from 2010, when they were only 77%. Android devices have also gone up from 43% to 67% this year. This shows that more and more law firms are increasing their use of the iPhone and iPad as well as other options in the mobile industry.

via Law Firms Limit Use of Cloud Computing Due To Security Concerns | JD Journal.

Presentation: Creating a Culture of Information Security – JurInnov Ltd.

Facebook may track users who leave service, data agency says | The Detroit News

Facebook Inc. may be tracking users’ Internet activity even after they cancel their accounts with the social-networking site, a German privacy watchdog said.

An in-depth probe of the way cookies are installed after a user opens and then closes their Facebook account has made the Hamburg Data Protection agency “suspicious” the company is unlawfully tracking users, the watchdog said on its website today. While rejecting Facebook’s justifications for the use of cookies, the agency welcomed the company’s offer to explain the technical processes.

“Arguments that all users have to remain recognizable after they leave Facebook to guarantee the service’s security can’t stand up,” Johannes Caspar, the Hamburg data protection representative, said on his agency’s website. “The probe raises the suspicion that Facebook is creating user tracking profiles,” which would be unlawful if users aren’t alerted.

The German regulator’s action adds to probes of Facebook by the Irish data-protection agency and Norway’s privacy watchdog. A group of EU regulators has said they will look for possible privacy violations in Facebook’s facial-recognition feature.

The social network “does not track users across the Web,” and instead uses cookies to personalize content or for safety and security reasons, Palo Alto, California-based Facebook said in an e-mailed statement. The company said it deletes account-specific cookies when a user leaves Facebook and doesn’t receive personally identifiable data when logged-out users browse the Web.

Remaining cookies are used in “identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked,” and blocking underage users from re-registering with a different birth date, Facebook said.

The German privacy regulator said that, while Facebook gave detailed explanations of how it uses cookies — small data files that track browsing habits — the company’s arguments don’t justify its practices.

via Technology | Facebook may track users who leave service, data agency says | The Detroit News.

‘Nitro’ Hackers Reportedly Attack Dozens Of Companies In Chemical, Defense Industries | Fox News

Hackers reportedly used an off-the-shelf virus created in China to compromise the computers of nearly 50 companies, including in the chemical and defense industries — an attack described as being in the same family as the notorious Stuxnet virus, if not as severe.

The goal of the attacks, reported Monday by security software company Symantec, “appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes,” the report said.

Symantec dubbed the attack “Nitro” and said a total of 29 companies in the chemical industry were targeted, in addition to 19 in other sectors. Among the companies were some that develop materials used primarily in military vehicles.

The infected computers spanned the globe, from the United States to Denmark to Saudi Arabia and Japan.

via ‘Nitro’ Hackers Reportedly Attack Dozens Of Companies In Chemical, Defense Industries | Fox News.

International Businessman Granted Bail – Law Blog – WSJ

Victor Dahdaleh, the prominent international businessman accused of bribing officials in Bahrain to score aluminum contracts for metals giant Alcoa has been granted bail in exchange for the equivalent of a $16 million security bond at a U.K. hearing.

Last week the U.K.’s SFO arrested Dahdaleh, a key figure in the bribery investigation of Alcoa’s dealings with Bahrain’s state-owned manufacturing company Alba, short for Aluminum Bahrain BSC. Here’s the coverage on that development and related stories here and here.

The AP today is reporting that District Judge Quentin Purdy told Dahdaleh he would be granted bail until an appearance at London’s Southwark Crown Court on Jan. 13. He ordered Dahdaleh to post 10 million pounds in security and said he must observe a 10 p.m. to 6 a.m. curfew at his central London home.

Dahdaleh has been known to have friends in high places – he has ties to former President Bill Clinton’s philanthropic foundation, having donated between $1 million and $5 million to the organization, and has ties to U.K. Labour Party officials, according to public records.

Yesterday, some of his powerful friends came through for him, according to the AP. Friends and relatives of the billionaire, including senior executives from Credit Suisse and oil giant BP, also agreed to offer 1.42 million pounds (US$2.3 million) in sureties, the AP said.

Charging papers from the SFO accuse Dahdaleh of offering payments to Sheik Isa bin Ali al-Khalifa, son-in-law of Bahrain’s prime minister. He is also accused of offering payments to Bruce Hall, the former CEO of Alba.

via International Businessman Granted Bail – Law Blog – WSJ.

Do you REALLY know how to delete data? ( – Security )

So here’s something I didn’t know and you likely didn’t either–from an IDG News Service story by tech journalist Robert McMillan, quoting independent computer forensics expert Frank McClain: “Because flash memory cells stop working after they’ve been overwritten too many times, flash devices use tricks called ‘wear leveling’ to even out how the memory cells are used. A side effect of wear leveling is that it is ‘almost impossible’ to completely erase data from a flash device.”

Hopefully you do know, as McMillan writes: “When [Microsoft] Word saves a document, it automatically saves data, such as the user’s login name, as part of the file.” But given this ‘wear leveling’ function of flash memory, which of course is used in USB thumb-drives, you can delete a Word file, yet it–along with the user’s login name–can be recovered through computer forensics.

This was dramatically demonstrated in a bizarre incident that happened in Sydney this August. A disguised man broke into a teenager’s bedroom and “chained a black box around her neck,” claiming it was a bomb. Fortunately it wasn’t, but it took a Sydney police bomb squad ten hours to cautiously remove the device from the terrified victim.

Curiously, the perpetrator had left a ransom note on “a 4GB USB stick…saved as a PDF file… a closer look at the USB drive turned up a couple of files that the criminal thought he’d deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document’s author, including his name: ‘Paul P.’” Oops.

This was part of a trail of evidence leading to the arrest of Paul “Doug” Peters in the US state of Kentucky. As of this writing, authorities seek to extradite him to Australia to face kidnapping and breaking-and-entering charges.

So now you know that purging data from flash memory devices is even harder than you thought. Fortunately in this case, it helped lead to the capture of a suspect in a threatening incident. But it also shows that computer forensics can uncover information in unlikely situations, leading to real-world consequences. Computer security experts take note.

via Do you REALLY know how to delete data? ( – Security ).

What are GCs and Directors Thinking About Corporate Governance? | Law.com

Risk

The top concerns for directors this year are operational risk, data security, and managing the company’s reputation.

Over 50 percent of GCs, meanwhile, cite major concerns about electronic discovery for litigation/ investigation, managing outside legal fees, and data security, too.

A bit further on down the line, at least a third of GCs consider governance/compliance, operational risk, the Foreign Corrupt Practices Act, and managing company reputation to be major concerns.


Dodd-Frank Act

Not many fans of the 2,300-page financial reform legislation in these parts. Directors and GCs were evenly aligned in their thoughts on Dodd-Frank: 94 percent of directors and counsel alike think the measures need to be re-evaluated, while 94 and 95 percent, respectively, think the law incentivizes employees to bypass internal whistleblower procedures and go straight to the SEC.

Additionally, most directors and GCs “agree that the ultimate impact of Dodd-Frank will be increased oversight, reduced earnings, and a less-attractive capital market environment for prospective public companies.”


Compliance

There’s some ambivalence amongst GCs about the possibility of regulatory actions against their companies. Fifty-six percent of general counsel said they are more fearful of regulatory action than in the previous year’s study, while 42 percent said their level of concern is about the same as before.

With regards to the Foreign Corrupt Practices Act, the landscape looks a little dicey: “Just 36% of responding general counsel serving companies subject to FCPA believe their board and management have done a good job with FCPA training and compliance. Another 63%. . .believe there is room for improvement.”

Finally, 69 percent of general counsel respondents think that regulatory compliance is what will increase their law department’s workload the most over the next year. That’s up from 37 percent of GCs who thought that way in 2009.

via What are GCs and Directors Thinking About Corporate Governance?.

Department of Defense tries to court hackers – CNN.com

Dear hackers: The U.S. government wants you.

Or, at the very least, the Department of Defense’s research wing wants to pay you to help it block cyber threats, a project manager at the Defense Advanced Research Projects Agency said Thursday.

Former hacker Peiter Zatko announced the start of a fund-the-hackers program, called Cyber Fast Track, in a keynote talk at the Black Hat conference, which is aimed at hackers and computer security experts. The program began officially late Wednesday, he said.

Experts say the government has done a lousy job in the past of getting money to security researchers quickly enough for them to actually help mitigate cyber threats. Or the feds have avoided dealing with hackers entirely.

via Department of Defense tries to court hackers – CNN.com.