While Apple's iOS 8.3 prevents the installation of an app that has an ID similar to an existing one, security researcher Chilik Tamir discovered a new method, which he dubbed “SandJacking."
Tamir demonstrated the SandJacking attack at the Hack In The Box (HITB) conference in Amsterdam on Thursday using Skype as the targeted application. However, the researcher told SecurityWeek that SandJacking attacks have been successfully tested against numerous popular applications.
The vulnerability was discovered in December 2015 and reported to Apple in January. The tech giant has confirmed the issue, but a patch has yet to be developed. Once Apple addresses the flaw, Tamir says he will release a SandJacker tool that automates the entire process of pushing malicious apps to iOS devices via the SandJacking vulnerability.
msm1267 writes: Researcher Patrick Wardle has found a number of issues in Apple's Mac OS X Gatekeeper that would allow an attacker to bypass the security feature and compromise Apple computers. Apple has twice attempted to fix the flaws, but Wardle says the manner in which Apple addressed the vulnerabilities is incomplete and his attacks still enable Gatekeeper bypasses.
Unknown Lamer writes: After a Twitter meltdown yesterday, it has been confirmed that Ian Murdock has died. From the Docker blog: "It is with great sadness that we inform you that Ian Murdock passed away on Monday night. This is a tragic loss for his family, for the Docker community, and the broader open source world; we all mourn his passing.... Ian helped pioneer the notion of a truly open project and community, embracing open design and open contribution; in fact the formative document of the open source movement itself (the Open Source Definition) was originally a Debian position statement. It is a testament to Ian’s commitment to openness and community that there are now more than 1,000 people currently involved in Debian development."
msm1267 writes: Multitudes of software packages that make use of the ICU Project C/C++ and Java libraries may need to update after a pair of memory-based vulnerabilities were discovered and subsequently patched.
Version 55.1 of the ICU Project ICU4C library, released yesterday, addresses separate heap-based buffer overflow and integer overflow bugs in versions 52 through 54. Older versions of the library could also be affected, said researcher Pedro Ribeiro of Agile Information Security, who discovered the vulnerabilities while fuzzing LibreOffice, one of the numerous open source and enterprise software packages that are built using the library.
msm1267 writes: Students at St. Mary’s University in Nova Scotia, Canada, participating in Mozilla’s Winter of Security 2014 project, built a browser-based threat modeling tool that simplifies visualization of systems and data flows, and where soft spots might be introduced during design.
The tool, called Seasponge, has been made available on Github and its developers are hoping to not only get feedback and feature suggestions, but also hope to encourage developers to introduce threat modeling into SDLs in order to fix bugs while in design when it’s cheap to do so.
HughPickens.com writes: Peter Baker reports at the NYT that in a deal negotiated during 18 months of secret talks hosted largely by Canada and encouraged by Pope Francis, the United States will restore full diplomatic relations with Cuba and open an embassy in Havana for the first time in more than a half-century. In addition, the United States will ease restrictions on remittances, travel and banking relations, and Cuba will release 53 Cuban prisoners identified as political prisoners by the United States government. Although the decades-old American embargo on Cuba will remain in place for now, the administration signaled that it would welcome a move by Congress to ease or lift it should lawmakers choose to. “We cannot keep doing the same thing and expect a different result. It does not serve America’s interests, or the Cuban people, to try to push Cuba toward collapse. We know from hard-learned experience that it is better to encourage and support reform than to impose policies that will render a country a failed state,” said the White House in a written statement. "The United States is taking historic steps to chart a new course in our relations with Cuba and to further engage and empower the Cuban people."
msm1267 writes: Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren’t where they should be.
Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called “Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering” that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority.
The attack relies on a hacker first replacing the embedded Linux firmware running on a home router. Once a hacker is able to sit in the traffic stream, they will be able to intercept a ballot in traffic and modify code strings representing votes and candidates within the PDF to change the submitted votes.
Capt.Albatross writes: The flat surface of the Racetrack Playa in Death Valley is littered with rocks, some weighing hundreds of kilograms, each at the end of a track indicating that it has somehow slid across the surface. The mechanism behind this has been the subject of much speculation but little evidence, until a trio of scientists caught them in action with cameras and GPS.
The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a “catastrophic failure of the PRNG.”
OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered saying that the issue is “overblown” because Ayer’s test program is unrealistic. Ayer’s test program, when linked to LibreSSL and made two different calls to the PRNG, returned the exact same data both times.
“It is actually only a problem with the author’s contrived test program,” Beck said. “While it’s a real issue, it’s actually a fairly minor one, because real applications don’t work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article.”
msm1267 writes: A cryptanalysis of TrueCrypt will proceed as planned, said organizers of the Open Crypto Audit Project who announced the technical leads of the second phase of the audit and that there will be a crowdsourcing aspect to phase two. The next phase of the audit, which will include an examination of everything including the random number generators, cipher suites, crypto protocols and more, could be wrapped up by the end of the summer.
chicksdaddy writes: The pervasiveness of the NSA's spying operation has turned it into a kind of bugaboo — the monster lurking behind every locked networking closet (http://en.wikipedia.org/wiki/Room_641A) and the invisible hand behind every flawed crypto implementation (http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331).
Those inclined to don the tinfoil cap won't be reassured by Vint Cerf's offhand observation in a Google Hangout on Wednesday that, back in the mid 1970s, the world's favorite intelligence agency may have also stood in the way of stronger network layer security being a part of the original specification for TCP/IP — the Internet's lingua franca.
As noted on Veracode's blog (http://blog.veracode.com/2014/04/cerf-classified-nsa-work-mucked-up-security-for-early-tcpip/), Cerf said that given the chance to do it over again he would have designed earlier versions of TCP/IP to look and work like IPV6, the latest version of the IP protocol with its integrated network-layer security and massive 128 bit address space. IPv6 is only now beginning to replace the exhausted IPV4 protocol globally.
“If I had in my hands the kinds of cryptographic technology we have today, I would absolutely have used it,” Cerf said. (Check it out here: http://www.youtube.com/watch?v...)
Researchers at the time were working on just such a lightweight cryptosystem. On Stanford’s campus, Cerf noted that Whit Diffie and Martin Hellman had researched and published a paper that described the functioning of a public key cryptography system. But they didn’t yet have the algorithms to make it practical. (Ron Rivest, Adi Shamir and Leonard Adleman published the RSA algorithm in 1977).
As it turns out, however, Cerf revealed that he _did_ have access to some really bleeding edge cryptographic technology back then that might have been used to implement strong, protocol-level security into the earliest specifications of TCP/IP. Why weren’t they used? The culprit is one that’s well known now: the National Security Agency.
Cerf told host Leo Laporte that the crypto tools were part of a classified NSA project he was working on at Stanford in the mid 1970s to build a secure, classified Internet.
“During the mid 1970s while I was still at Stanford and working on this, I also worked with the NSA on a secure version of the Internet, but one that used classified cryptographic technology. At the time I couldn’t share that with my friends,” Cerf said. “So I was leading this kind of schizoid existence for a while.”
Hindsight is 20:20, as the saying goes. Neither Cerf, nor the NSA nor anyone else could have predicted how much of our economy and that of the globe would come to depend on what was then a government backed experiment in computer networking. Besides, Cerf didn't elaborate on the cryptographic tools he was working with as part of his secure Internet research or how suitable (and scalable) they would have been.
But it’s hard to listen to Cerf lamenting the absence of strong authentication and encryption in the foundational protocol of the Internet, or to think about the myriad of online ills in the past two decades that might have been preempted with a stronger and more secure protocol and not wonder what might have been.
Advocatus Diaboli writes: Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process. The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.
msm1267 writes: Giant retailer Target has clarified that the partial personal information--including names, addresses, phone numbers and email addresses--of another 70 million individuals was also stolen during a two-week long breach of its systems starting the day before Thanksgiving. Target said: "These are two distinct groups and are not linked. While there may some overlap between the two groups (the 40 million and the 70 million) but we don’t know to what extent at this time."
Taco Cowboy writes: A Russian foreign ministry statement said most of the 74 people onboard will be rescued by air after icebreakers failed due to poor visibility
It is hoped most of the 74 people on the Academician Shokalskiy will be picked up by the Chinese helicopter, leaving as few as possible onboard.
A Russian foreign ministry statement, cited in an AFP report, said: “A decision has been reached to evacuate 52 passengers and four crew members by helicopter from China’s Xue Long ship, should the weather allow.”