Vulnerability On Monday, Zimperium Inc, a maker of mobile security solutions, announced that their security researcher Joshua J Drake (@jduck), had discovered a serious vulnerability in the Stagefright library in Android that allows for arbitrary remote code execution, which could be triggered just by sending a MMS message. (Related coverage here, and here.) Stagefright is Android’s library for handling certain types of media files.
When it comes to data breaches, 2014 was a difficult year for the U.S. retail industry. The FBI warned of this a year ago in the wake of the Target and Neiman Marcus data breaches. The increasing concern in both the industry and government was justified, as we saw many high profile attacks. Beginning with Target, there were data breaches at at least 9 prominent national brands, over half of them linked to malware installed on Point of Sale (POS) terminals.
Develop a transition strategy for a successful Windows 10 upgrade, and make this migration your best.
A new Ponemon Institute survey, sponsored by Varonis Systems (press release here) examined corporate internal data protection practices as seen by 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees, in a variety of industries including financial services, public sector, health & pharmaceutical, retail, industrial, and technology and software.
Bruce Schneier has an interesting post about a new free and open Certificate Authority, called Let's Encrypt. Let's Encrypt is designed to let any web server administrator obtain a server certificate that is recognized by the major browsers at no charge and even more important automatically. Part of the Let's Encrypt model is automating the steps that can prove to the CA that the certificate request is coming from an entity that controls both the server and the domain.
Living without browser Java has been easy. The only thing I've used that wanted to use the browser plugin for Java was the download manager on a web site that also had direct SSL links. No biggie.
Paul Ducklin has an interesting piece on HTML 5. Although browsers have been building HTML 5 support into their browsers for a while, it officially became a standard as of October 28th. As the press release from the W3C Consortium states HTML5 brings to the Web video and audio tracks without needing plugins; programmatic access to a resolution-dependent bitmap canvas, which is useful for rendering graphs, game graphics, or other visual images on the fly; native support for scalable vector graphics (SVG) and math (MathML);
There is a lot of attention on the posting of Dropbox user name and password combinations on Pastebin. The posters claim that the 400 accounts posted are just the first installment of almost 7 million that they hold. Spot checking by security researchers indicate that they are genuine (although a follow dump as not). Dropbox has issued a statement their servers were not hacked:
What is the vulnerability? There was a vulnerability announcement on September 24, 2014 of a bug (CVE-2014-6271) in the Bourne-again shell, bash, that is the default command line interpreter in most Linux and many Unix distributions, including variants that form the basis of many embedded devices and appliances. The bug allows for remote code injection that can cause arbitrary commands to be run on the attacked system. There are several avenues for making this happen, but the single most potent one is by attacking web servers that can run CGI commands.
Malware attacks against Point of Sale (POS) terminals came into the collective consciousness with a big splash with the Target breach late last year, and the recent disclosure of data breaches at 51 UPS franchise stores and a major data breach at major chains owned (or recently owned) by SuperValue including SuperValue, Cub Foods, Albertsons, Acme Markets, Jewel-Osco, Shaw's and Star Markets. Last week the U.S. Secret Service warned that over 1000 US business were affected by Backoff, an up-and-coming piece of POS malware. Backoff's method of operation is not new, but is very well executed. Like other POS malware, it installs a memory scraper onto the terminal to capture credit card track data as well as a keystroke logger, establishes communications with a command and control server, and exfiltrates both payment card and keystroke data. The crime syndicates using Backoff have become highly skilled at compromising systems through remote access software in order to establish a "jump server" from which to find and infect POS terminals.
I'm a big fan of using mobile phones, especially smart phones, as security tokens. If the user locks the phone with a passcode, then it's a pretty good bet that your token is in the right hands. And, unlike little hardware tokens, nobody leaves home without their phone anymore. In addition to applications that might send me a token by SMS, I have three token apps on my smartphone: Symantec VIP which I use for Ebay, PayPal, Symantec MSS, remote login to one of my clients, and some others. Google Authenticator for various Google accounts and for WordPress. Duo Security which I use for my own SSH logins. This was cool until I went into a swimming pool with my iPhone in my bathing suit pocket.