Kategorie

The new documents leaked by former NSA contractor Edward Snowden has exposed a United States secretive facility located near a remote town in Australia's Northern Territory for covertly monitoring wireless communications and aiding US military missions. The leaked documents have come from the massive trove of classified material stolen by Snowden from the US National Security Agency (NSA) in

If your smartphones, tablets, smart refrigerators, smart TVs and other smart devices are smart enough to make your life easier, their smart behavior could also be leveraged by hackers to steal data, invade your privacy or spy on you, if not secured properly. One such experiment has recently been performed by a team of student hackers, demonstrating a new attack method to turn smart devices

Voter registration data belonging to the entirety of Chicago’s electoral roll—1.8 million records—was found a week ago in an Amazon Web Services bucket.

Your daily round-up of some of the other stories in the news

The metaphor might be hyperbole, but there's real concern about the potential for attacks, warn two experts

Despite yesterday's leak of the Apple iOS Secure Enclave decryption key, experts are urging calm over claims of an immediate threat to user data.

Recently, OWASP (the Open Web Application Security Project) announced an update of their “Ten Most Critical Web Application Security Risks.” OWASP is a nonprofit organization devoted to helping create a more secure internet and the list is considered an important benchmark. (The new 2017 list is currently in the comments phase.) This is one of […]

The post OWASP Top 10 #4: Broken Access Control appeared first on InfoSec Resources.

DJI security patch should ease military fears - but throws up further issues for pilots

If there's one thing we've learned, it's that any new way of DDoSing will reveal that there are a huge number of undefended devices online

Mike Mimoso and Tom Spring discuss this week's security news, including a discussion on recent hijacking of popular Chrome extensions and Adobe's decision to end-of-life Flash Player.

Enlarge (credit: Omer Shwartz et al.)

People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device.

The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.

The research, in a paper presented this week at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary." The factory-installed hardware that communicates with the drivers is similarly assumed to be trustworthy, as long as the manufacturer safeguards its supply chain. The security model breaks down as soon as a phone is serviced in a third-party repair shop, where there's no reliable way to certify replacement parts haven't been modified.

Read 6 remaining paragraphs | Comments

Introduction and background An application has been developed in PHP, and the source code of the login page is given for source code review to ensure that no serious vulnerabilities are left in the application. Please note that the following setting is enabled in the php.ini file. register_globals = On The application can be accessed […]

The post PHP Lab: Review the code and spot the vulnerability appeared first on InfoSec Resources.

Defending a convicted armed robber's right to privacy feels distasteful, but defending rights are important - as this case seeks to do

LinuxSecurity.com: The New York Times this week published a fascinating story about a young programmer in Ukraine who'd turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. It's a good read, as long as you can ignore that the premise of the piece is completely wrong.

The infamous mobile banking trojan that recently added ransomware features to steal sensitive data and lock user files at the same time has now been modified to steal credentials from Uber and other booking apps as well. Security researchers at Kaspersky Lab have discovered a new variant of the Android banking Trojan called Faketoken that now has capabilities to detect and record an infected

A hacker identified only as xerub published the decryption key unlocking the iOS Secure Enclave Processor.

Apple iCloud Keychain In Mac OS 8.6, Apple introduced its Keychain password management system. Still integrated into every Mac OS release since then, Keychain provides a centralized storage for passwords, network shares, notes, certificates, credit card details and many other sensitive types of data. With the increasing popularity of both cloud applications and password managers […]

The post Steal iCloud Keychain Secrets via OTR appeared first on InfoSec Resources.