Trailrunner7 writes "A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes. A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS.
“The Early Random PRNG in iOS 7 is surprisingly weak,” said Tarjei Mandt, senior security researcher at Azimuth Security. “The one in iOS 6 is better because this one is deterministic and trivial to brute force.”
The Early Random PRNG is important to securing the mitigations used by the iOS kernel.
“All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,” Mandt said. “It must provide sufficient entropy and non-predictable output.”"
Trailrunner7 writes "Despite everything that has transpired in the last year, Edward Snowden sounded calm, reflective and in some ways wistful yesterday discussing the fallout and consequences of the multitude of NSA programs and methods he’s revealed. Snowden bemoaned the fact that the NSA specifically and the intelligence community in general have shifted their focus to offensive operations, implying that defense should be the focus. But now that those agencies have the tremendous offensive powers they’ve accumulated in the last decade, they’re never giving them back.
Whatever your feelings are about Snowden, listening to him speak about why he did what he did, what he hoped to accomplish and how he feels about the public reaction is informative. He spoke Monday for about an hour from an undisclosed location in Moscow and, while he touched on many subjects, Snowden returned several times to the idea that the NSA and other government agencies have hijacked the Internet for their own purposes, all in the name of protecting us from something.
Given those abilities, and more importantly, the legal authority to use them, the NSA is, of course, going to do so. If you have a Ferrari, you don’t leave it sitting in the garage, you drive the hell out of it. Technology advances, regardless of our desire for it to slow down sometimes, and, as Bruce Schneier often says, attacks only get better, not worse. And the NSA is the apex predator of this environment. The agency hasn’t abandoned its defensive mission, not by a long shot, but offense is sexy and provides tangible results to show the higher-ups.
Offense is the present and it’s also the future. And, to borrow a phrase, the future will retire undefeated."
Advocatus Diaboli writes "Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process. The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks."
harrymcc writes "It's well known that the World Wide Web originated in Tim Berners-Lee's 1989 proposal for an information-management system for his employer, CERN. That document turns 25 today, and there's no better way to celebrate the web's birthday than to celebrate it. What Berners-Lee proposed was simple, expandable, social, compatible and distributed — so smart an approach to sharing information that it's easy to envision it going strong generations from now. Over at TIME.com, I posted an appreciation."
Trailrunner7 writes "Apple has fixed a slew of vulnerabilities that could lead to code execution on the iPhone, along with a number of other security vulnerabilities in the latest version of its mobile operating system, iOS 7.1. The new release comes just a little more than two weeks after Apple released iOS 7.06 to fix the SSL certificate validation error.
Unlike that release, which fixed just the one vulnerability, significant though it was, iOS 7.1 is a major security release containing patches for a large number of vulnerabilities in a bunch of different components. Webkit, the framework underlying Safari, got a major security upgrade in iOS 7.1, with Apple fixing 19 separate memory corruption issues. Nearly half of those vulnerabilities were discovered by the Google Chrome security team, and many of the 19 bugs were identified last year."
Trailrunner7 writes "As more Web-based services are encrypted, privacy advocates are concerned the next wave of aggressive surveillance activity could target automated update services that essentially provide Internet companies root access to machines.
Chris Soghoian, principal technologist with the American Civil Liberties Union, said today at TrustyCon that current malware delivery mechanisms such as phishing schemes and watering hole attacks could soon be insufficient for intelligence agencies and law enforcement such as the NSA and FBI.
“The FBI is in the hacking business. The FBI is in the malware business,” Soghoian said. “The FBI may need more than these two tools to deliver malware. They may need something else and this is where my concern is. This is where we are going and why I’m so worried about trust.”"
Trailrunner7 writes "The certificate-validation vulnerability that Apple patched in iOS yesterday also affects Mac OS X up to 10.9.1, the current version. Several security researchers analyzed the patch and looked at the code in question in OS X and found that the same error exists there as in iOS.
Researcher Adam Langley did an analysis of the vulnerable code in OS X and said that the issue lies in the way that the code handles a pair of failures in a row. The bug affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all, Langley found.
Some users are reporting that Apple is rolling out a patch for this vulnerability in OS X, but it has not shown up for all users as yet. Langley has published a test site that will show OS X users whether their machines are vulnerable."
Trailrunner7 writes "Apple on Friday quietly pushed out a security update to iOS that restores some certificate-validation checks that had apparently been missing from the operating system for an unspecified amount of time.
“Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps,” the Apple advisory says.
The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. The effect of an exploit against this vulnerability would be that an attacker with a man-in-the-middle position on the victim’s network would be able to read supposedly secure communications. It’s not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8."
Trailrunner7 writes "The Facebook acquisition of mobile messaging service WhatsApp has captivated the tech world this week. Much of that has to do with the massive $19 billion price tag and, to a lesser extent, the incredibly fast rise of the company. But while analysts and customers have been examining the deal, some security researchers decided to look at the security of WhatsApp itself.
WhatsApp is a text and multimedia messaging service that uses the Internet, rather than a cellular data network, as its base. The app grew slowly at first but exploded in the last couple of years and today claims 450 million active users. Security researchers at Praetorian, who have been running a project known as Project Neptune to assess the security of mobile apps, did a limited assessment of the iOS and Android versions of WhatsApp and discovered a number of issues around the way the app uses SSL.
The most serious problem they found was that WhatsApp does not enforce certificate pinning. The use of certificate pinning allows apps to specify a specific certificate that they trust for a given server. This helps defeat a number of attacks, specifically man-in-the-middle attacks that rely on spoofing the certificate for a trusted site. Many of the major Web browsers support certificate pinning now, but its adoption in the mobile world has been somewhat slower. Praetorian found that WhatsApp doesn’t enforce SSL pinning, potentially opening users up to MITM attacks."
Trailrunner7 writes "AT&T, in its first transparency report, said that it received at least 2,000 National Security Letters and nearly 38,000 requests for location data on its subscribers in 2013.
The new report from AT&T is the latest in a growing list of publications from telecom companies, Web providers and cell phone carriers who have been under pressure from privacy advocates and security experts in the wake of the Edward Snowden NSA surveillance revelations. Telecoms had been resistant to providing such information in the past and it’s really only in the last month or so, since the Department of Justice loosened its restrictions on the way that companies can report NSL and Foreign Intelligence Surveillance Act requests that more companies have come around on the issue.
AT&T’s report shows a higher number of NSLs and subpoenas in 2013 than its most relevant competitor, Verizon. In January, Verizon’s first transparency report showed that the company received between 1,000 and 1,999 NSLs in 2013 and 164,000 subpoenas. AT&T said it got 2,000-2,999 NSLs and 248,343 subpoenas last year. AT&T also received nearly 37,000 court orders and more than 16,000 search warrants."
Trailrunner7 writes "The term APT often is used as a generic descriptor for any group–typically presumed to be government-backed and heavily financed–that is seen attacking high-value targets such as government agencies, critical infrastructure and financial systems. But the range of targets APT groups are going after is widening, as are the levels of talent and financing these groups possess.
“The cost of entry for APT is decreasing,” said Costin Raiu, head of the Global Research and Analysis Team at Kaspersky Lab, in a talk on the threat landscape at the company’s Industry Analyst Summit Thursday. “We’re going to see more surgical strikes and critical infrastructure attacks.”
One example of this phenomenon is the Icefog group. Discovered last fall, the Icefog attackers targeted a variety of organizations and government agencies in Japan and South Korea and researchers believe the group comprised a small number of highly skilled operators who went after select targets very quickly. Raiu estimated that the Icefog campaign probably required an investment of no more than $10,000. By comparison, he said that the NetTraveler campaign likely cost about $500,000, while Stuxnet was in the range of $100 million."
cartechboy writes "We all talk about the Tesla Model S and Nissan Leaf as if electric cars are brand-new. Reality check: Electric cars were around long before you were alive, or your father, or maybe even your grandfather. In fact, it turns out that the very first Porsche ever built was an electric car--way back in 1898. It wasn't called a Porsche, but an "Egger-Lohner electric vehicle, C.2 Phaeton model"--or P1 for short. Designed by Ferdinand Porsche when he was just 22 years old, it has a rear electric drive unit producing all of 3 horsepower--and an overdrive mode to boost that to a frightening 5 hp! It had an impressive range of 49 miles, not that much less than many of today's plug-in cars. Porsche recently recovered the P1 from a warehouse--where it has supposedly sat untouched since 1902--and plans to display it in original, unrestored condition at the Porsche Museum in Zuffenhausen, Germany. So what have we learned? First, Porsche is no stranger to electric cars. Second, electric cars aren't quite as new as you may have thought"
Trailrunner7 writes "As the noise and drama surrounding the NSA surveillance leaks and its central character, Edward Snowden, have continued to grow in the last few months, many people and organizations involved in the story have taken great pains to line up on either side of the traitor/hero line regarding Snowden’s actions. While the story has continued to evolve and become increasingly complex, the opinions and rhetoric on either side have only grown more strident and inflexible, leaving no room for nuanced opinions or the possibility that Snowden perhaps is neither a traitor nor a hero but something else entirely.
In some ways, the people pushing the Snowden-as-traitor narrative have a decided advantage here. This group comprises politicians, intelligence officials, lawmakers and others whose opinions carry the implicit power and weight of their offices. Whatever one thinks of Obama, Director of National Intelligence James Clapper and Alexander, they are among the more powerful men on earth and their public pronouncements by definition are important. If one of them declares Snowden to be a traitor or says that he should spend the rest of his life in prison for his actions, there is a sizable portion of the population who accepts that as fact.
That is not necessarily the case on the other side of the argument. However, many members of both the hero and traitor crowds formed their opinions reflexively, aligning themselves with the voices they support and then standing pat, regardless of the revelation of any new facts or evidence. They take the bits and pieces of Snowden’s story arc that fit with their own philosophy, use them to bolster their arguments and ignore the things that don’t help. This, of course, is in no way unique to the Snowden melodrama. It is a fact of life in today’s hyper-fragmented and hype-driven media environment, a climate in which strident opinions that fit on the CNN ticker or in a tweet have all but destroyed the possibility of nuanced discourse."
Trailrunner7 writes "A group of six Congressmen have asked President Barack Obama to remove James Clapper as director of national intelligence as a result of his misstatements to Congress about the NSA’s dragnet data-collection programs. The group, led by Rep. Darrell Issa (R-Calif.), said that Clapper’s role as DNI “is incompatible with the goal of restoring trust in our security programs”.
Clapper is the former head of the National Geospatial Intelligence Agency and has been DNI since 2010. In their letter to Obama, the group of Congressmen calling for his ouster said that he lied to Congress and should no longer be in office.
“The continued role of James Clapper as Director of National Intelligence is incompatible with the goal of restoring trust in our security programs and ensuring the highest level of transparency. Director Clapper continues to hold his position despite lying to Congress, under oath, about the existence of bulk data collection programs in March 2013. Asking Director Clapper, and other federal intelligence officials who misrepresented programs to Congress and the courts, to report to you on needed reforms and the future role of government surveillance is not a credible solution,” the letter from Issa, Ted Poe, Paul Broun, Doug Collins, Walter Jones and Alan Grayson says."
Trailrunner7 writes "Building on the success of the last couple of years, Google plans to offer more than $2.7 million in potential rewards in the next iteration of its Pwnium hacking competition at this year’s CanSecWest conference in Vancouver. The company has run the contest in parallel with the older Pwn2Own competition at the conference, with somewhat different rules, and this year plans to allow researchers to go after Chrome OS running on both ARM- and Intel-based Chromebooks,
Pwnium began as Google’s answer to Pwn2Own, the well-known hacking contest that has attracted some of the top researchers in the industry over the course of the last few years, including Dino Dai Zovi, Charlie Miller, Chaouki Bekrar and the Vupen team and many others. Pwn2Own has traditionally not required contestants to submit complete exploit information, but rather the details of the vulnerability and the crash data. Pwnium requires researchers to submit full exploits, something that has kept some of the potential contestants away, notably the Vupen team.
But the money that Google is putting up for new compromises of Chrome OS is far beyond what’s available at Pwn2Own or any of the other major contests and has attracted a small, but elite, group of contestants in past years. The company is promising rewards of as much as $150,000 plus some bonuses, paid at Google’s discretion, for especially innovative or serious exploits."