SpacemanukBEJY.53u writes: A Denver-based mobile app development company, Possible Mobile, had a tough time figuring out why Apple recently rejected its app from the App Store. After a lot of head scratching, it eventually found the XcodeGhost malware hidden in an unlikely place — a third-party framework that it had wrapped into its own app. Their experience shows that the efforts of malware writers can have far-ranging effects on the mobile app component supply chain.
SpacemanukBEJY.53u writes: After a threat from a law firm, two New Zealand ISPs have withdrawn services that let their customers navigate to content sites outside the country that would normally be geo-blocked. Using VPNs or other services to access content restricted by region isn't specifically outlawed in either New Zealand or in neighboring Australia, but it appears the entertainment industry is prepared to go to court to try and argue that such services can violate copyright law. Intellectual property experts said the situation in New Zealand, if it goes to court, could result in the first test case over the legality of skirting regional restrictions.
SpacemanukBEJY.53u writes: Earlier this week, an indictment was unsealed outlining a long list of charges against a group of men that stole intellectual property from gaming companies such as Epic Games, Valve, Activision and Microsoft. An Australian member of the group, Dylan Wheeler, describes how it was betrayed by an informant working for the FBI, which bought a hardware mockup of an Xbox One that the group built using source code stolen from Microsoft's Game Developer Network Portal. The device, which the FBI paid $5,000 for, was supposed to be sent to the Seychelles, but never arrived, which indicated the hacking collective had a mole.
SpacemanukBEJY.53u writes: A paper due to be presented at the Usenix Security Symposium next Wednesday in San Diego describes a way to load malicious applications onto an iPhone without using a software vulnerability. The method takes advantage of lowered defenses when an iOS device is connected to a desktop computer via USB or Wi-Fi, offering a way for hackers to stealthily slip applications onto a phone or delete others. Apple has seen the research but has so far not said what action it may take.
SpacemanukBEJY.53u writes: It took security researcher Willem Pinckaers all of 15 minutes to spot a flaw in code created by Akamai that the company thought shielded most of its users from one of the pernicious aspects of the Heartbleed flaw in OpenSSL. More than a decade ago, Akamai modified parts of OpenSSL it felt were weak related to key storage. Akamai CTO Andy Ellis wrote last week that the modification protected most customers from having their private SSL keys stolen despite the Heartbleed bug. But on Sunday Ellis wrote Akamai was wrong after Pinckaers found several flaws in the code. Akamai is now reissuing all SSL certificates and keys to its customers.
SpacemanukBEJY.53u writes: Two researchers managed to find a gaping fault in a ransomware program called CryptoDefense, one in a long line of insidious programs that encrypt people's files and demand payment to free the data. They started a low-key project to help victims decrypt their files, but Symantec blogged about the fault. The cybercriminals subsequently updated the program to close the hole. Ransomware scams similar to CryptoDefense have been around for at least a decade but have suddenly surged because of their effectiveness in spooking people and strong profitability. Users have been left enraged and helpless.
SpacemanukBEJY.53u writes: The researcher who discovered the Target and Adobe data breaches has another find: a 7,000-strong list of FTP sites run by a variety of companies, complete with login credentials. The hackers have uploaded malicious PHP scripts in some cases, perhaps as a launch pad for further attacks. The passwords for the FTP applications are complex and not default ones, indicating the hackers may have other malware installed on people's systems in those organizations.