Syber Group

Verizon Fixes Serious Security Flaw In FiOS

January 29, 2015
Filed under Security


Verizon corrected a serious vulnerability in its My FiOS mobile application that granted unfettered access to email accounts, according to a developer who found the problem.

Randy Westergren, a senior software developer with XDA Developers, looked at the Android version of My FiOS, which is used for account management, email and scheduling video recordings.

“Since Verizon has a good amount of my information, I thought it would be a good candidate for research,” Westergren wrote on his personal blog. “I was right, and the results were astonishing.”

The flaw, contained in the application’s API, could have allowed an attacker to read individual messages from a person’s Verizon inbox and even send emails from an account, he wrote.

Westergren looked at the traffic sent back and forth between My FiOS and Verizon’s servers. He found My FiOS would return the content of someone else’s email inbox by simply substituting a different user ID in a request.
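The bug described above is a broken object-level authorization (IDOR) flaw: the server authenticates the caller but then serves whichever user ID the request names. The following is an added example, not Verizon's code, that shows a handler with that defect beside one that derives the mailbox owner from the authenticated session; the tokens, user IDs and messages are constructed.

```python
# Added example (not Verizon's code): an API handler that trusts a
# caller-supplied user ID beside a hardened handler that derives the
# mailbox owner from the session. All data below is constructed.

# Constructed sample mail store: user id -> list of message subjects.
INBOXES = {
    "user-1001": ["Your bill is ready", "Service appointment confirmed"],
    "user-2002": ["Welcome to FiOS"],
}

# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {
    "tok-alice": "user-1001",
    "tok-bob": "user-2002",
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested mailbox."""


def authenticate(token):
    """Map a bearer token to a user id, or raise if the token is unknown."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Forbidden("invalid session")


def get_inbox_vulnerable(token, user_id):
    """Vulnerable: confirms the caller is logged in, then serves whatever
    user_id the request names. Substituting another id leaks that inbox."""
    authenticate(token)  # authentication only; no ownership check
    return list(INBOXES.get(user_id, []))


def get_inbox_hardened(token, user_id):
    """Hardened: the owner comes from the session, and the id in the request
    must match it. The server never trusts the caller-supplied id."""
    owner = authenticate(token)
    if user_id != owner:
        # Fail closed; this denial is what an IDOR check or scan should see.
        raise Forbidden(f"{owner} may not read mailbox {user_id}")
    return list(INBOXES.get(owner, []))


def is_readable(handler, token, user_id):
    """True when handler serves the mailbox instead of raising Forbidden."""
    try:
        handler(token, user_id)
        return True
    except Forbidden:
        return False
```

Run `is_readable` against both handlers with a token for one user and the other user's ID: the vulnerable handler returns the foreign inbox, the hardened one refuses.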

He contacted Verizon, which later acknowledged the problem. Verizon issued a fix last Friday, Westergren wrote.

“Verizon’s security group seemed to immediately realize the impact of this vulnerability and took it very seriously,” Westergren wrote. “They were very responsive during this process and even arranged for a free year of FiOS Internet service as a token of their gratitude.”

Source

Google Moves To Drop CAPTCHA

December 16, 2014
Filed under Around The Net


Google announced that it is trying to get rid of those annoying CAPTCHAs required by websites, which is short for Completely Automated Public Turing test to tell Computers and Humans Apart.

Instead of requiring that users fill in the letters and numbers shown in a distorted image, sites that use Google’s reCAPTCHA service will be able to use just one click, answering a simple question: Are you a robot?

“reCAPTCHA protects the websites you love from spam and abuse,” wrote Vinay Shet, product manager for Google’s reCAPTCHA service, in a blog post. “For years, we’ve prompted users to confirm they aren’t robots by asking them to read distorted text and type it into a box… But, we figured it would be easier to just directly ask our users whether or not they are robots. So, we did! ”

Google on Wednesday began rolling out a new API that rethinks the reCAPTCHA experience.

CAPTCHA “can be hard to read and frustrating for people, particularly on mobile devices,” said Zeus Kerravala, an analyst with ZK Research. “People often have to put in the text several times. On the surface, this seems a good way to improve the user experience. It still requires human intervention, just something simpler.”

CAPTCHAs were created to foil computer programs that hackers or spammers use to troll for access to websites or to collect email addresses.

Google said CAPTCHAs are less useful than they have been, although they are still frustrating to everyday users.

“CAPTCHAs have long relied on the inability of robots to solve distorted text,” wrote Shet. “However, our research recently showed that today’s artificial intelligence technology can solve even the most difficult variant of distorted text at 99.8% accuracy. Thus distorted text, on its own, is no longer a dependable test.”

The new API, along with Google’s ability to analyze a user’s actions — before, during, and after clicking on the reCAPTCHA box — lets the new technology figure out whether the user is human or not.

“The new API is the next step in this steady evolution,” Shet stated. “Now humans can just check the box and in most cases, they’re through the challenge.”

Source

Google Expands Malware Blocker

November 15, 2013
Filed under Computing


Google has expanded malware blocking in an early development build of Chrome to sniff out a wider range of threats than the browser already recognizes.

Chrome’s current “Canary” build — the label for very-early versions of the browser, earlier than even Chrome’s Dev channel — will post a warning at the bottom of the window when it detects an attempted download of malicious code.

Features added to the Canary build usually, although not always, eventually make it into the Dev channel — the roughest-edged of the three distributed to users — and from there into the Beta and Stable channels. Google did not spell out a timetable for the expanded malware blocking.

Chrome has included malware blocking for more than two years, since version 12 launched in June 2011, and the functionality was extended in February 2012 with Chrome 17.

Chrome is now at version 30.

Canary’s blocking, however, is more aggressive on two fronts: It is more assertive in its alerts and detects more malware forms, including threats that pose as legitimate software and monkey with the browser’s settings.

“Content.exe is malicious, and Chrome has blocked it,” the message in Canary reads. The sole visible option is to click the “Dismiss” button, which makes the warning vanish. The only additional option, and that only after another click, is to “Learn more,” which leads to yet another warning.

In Canary, there is no way for the user to contradict the malware blocking.

That’s different than in the current Stable build of Chrome, which relies on a message that says, “This file is malicious. Are you sure you want to continue?” and gives the user a choice between tossing the downloaded file or saving it anyway.

As it has for some time, Chrome will show such warnings on select file extensions, primarily “.exe,” which in Windows denotes an executable file, and “.msi,” an installation package for Windows applications. Canary’s expansion, said Google, also warns when the user tries to download some less obvious threats, including payloads masquerading as legitimate software — it cited screen savers and video plug-ins in a blog posting — that hijack browser settings to silently change the home page or insert ads into websites to monetize the malware.

Google’s malware blocking is part of its Safe Browsing API (application programming interface) and service, which Chrome, Apple’s Safari and Mozilla’s Firefox all access to warn customers of potentially dangerous websites before they reach them.

In Chrome’s case, the malware warning stems not only from the Safe Browsing “blacklist” of dodgy websites, but according to NSS Labs, a security software testing company, also from the Content Agnostic Malware Protection (CAMP) technology that Google has baked into its implementation of Safe Browsing.

Source

Developers Hack Dropbox

September 11, 2013
Filed under Security


Two developers have penetrated Dropbox’s security, even intercepting SSL data from its servers and bypassing the cloud storage provider’s two-factor authentication, according to a paper they published at USENIX 2013.

“These techniques are generic enough and we believe would aid in future software development, testing and security research,” the paper says in its abstract.

Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn’t actually represent a vulnerability in its servers.

“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”

The two developers, Dhiru Kholia, with the Openwall open source project, and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in Python.

“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” the paper states. “Additionally, we show how to bypass Dropbox’s two-factor authentication and gain access to users’ data.”

The paper presents “new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world,” the developers wrote.

The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch. And once someone has decompiled its source code, they wrote, “it is possible to study how Dropbox works in detail.

“We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented,” the developers wrote in the paper.

The process they used included various code injection techniques and monkey-patching to intercept SSL data in a Dropbox client. They also used the techniques successfully to snoop on SSL data in other commercial products as well, they said.

The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a “black box.”

Source

Is The Tesla Hackable?

September 9, 2013
Filed under Security


It’s the curse of the connected car: once it’s linked to the Internet, it’s, well, on the Internet. In the case of the Tesla Model S, this means that mischievous hackers could, in theory, control some functions of the vehicle and even snoop without the owner’s knowledge.

Tesla offers Android and iPhone apps for Model S owners, which can be used to check the vehicle’s battery, track its location and status, and tweak several other settings, like climate control and the sunroof. It can also be used to unlock the doors on the Model S.

Dell senior engineer George Reese says the REST API used by Tesla to provide access for Android and iPhone apps has several fairly serious security flaws, which could offer a way in for unscrupulous hackers.

According to an article written by Reese for O’Reilly, Tesla appears to have broken from accepted best practice when designing the API for the Model S.

“It’s flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs–Twitter uses it), this scenario is one that screams for its use,” he wrote.

However, Reese notes, this is merely a potential attack vector, not one that could be immediately exploited. That said, a compromised website, particularly one designed to provide “value-added services” via the API to Tesla drivers, could prove highly damaging.

“I can … honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving,” Reese wrote.

Automotive hacking has been posited by experts for some time, and several presentations at this year’s Defcon detailed fairly comprehensive methods of compromising some models.

Source

LinkedIn Drops BWP API

February 18, 2013
Filed under Around The Net


LinkedIn has shut off its API access to “Bang With Professionals,” a Web service that was intended to facilitate more, say, intimate connections among users of the business-oriented social networking site.

The service was designed to allow LinkedIn users to anonymously search for people in their LinkedIn network who would be interested in meeting up for casual sex.

“We all had a good laugh,” the founders of Bang With Professionals said last Friday on the website, less than a month after its launch. “We all knew it was a matter of time before our API key was revoked.”

LinkedIn said it shut off API (application programming interface) access for the free site, which was intended to work on all desktops and mobile devices, because it violated the social network’s terms of use in a manner that was “inconsistent with the goals of our developer program.”

Among other things, API access isn’t allowed for any application that contains or displays adult content.

Data about the site’s 6,000 subscribers is safe and all their user IDs have been deleted, the founders said. The only thing that remains now is the site’s landing page.

The origins of Bang With Professionals are not unique in the fast-paced social networking landscape. The site was built “by two guys in three days,” the landing page says. The total launch cost was US$57: $40 for stock images, $12 for the domain name and $5 for an account on the server CloudFlare.

The Twitter handle for the site has since been deactivated, but at press time, the Bang With Professionals blog on Tumblr was still accessible.

Source

Chase Building 1/2 Billion Dollar Data Center

August 24, 2012
Filed under Around The Net


The enthusiastic backer of Enron and serial overcharger of mortgage payers, JPMorgan Chase, has just splashed out on a new $500 million data center.

CEO Jamie Dimon announced the move, which practically everyone in the IT industry finds a bit strange. While Chase is the US’s largest bank, the new facilities are a little big by anyone’s standard. It is about the same amount of money that Google and Microsoft have put into their largest data centres for their cloud networks.

Dimon cited the figure as one of the advantages of being big: the bank can afford to invest cash in this way. Size lets Chase build a $500 million data centre that speeds up transactions and invest billions of dollars in products like ATMs and apps that allow your iPhone to deposit cheques, he enthused.

JPMorgan Chase operates two large data centres in Delaware and a 400,000 square foot facility. It also acquired data centres in its deals for distressed rivals Bear Stearns and Washington Mutual in the early days of the 2008 financial crisis. So why it needs a huge new one is anyone’s guess.

Source…

Cisco Lends A Hand In Fighting Fraud

May 15, 2012
Filed under Computing


Cisco released an API at the Interop 2012 Conference this week for its branch routers designed to enable third-party developers to write applications to beef up the security of phone calls over the router network.

The Cisco UC Gateway Services API is a Web-based programming interface that allows customers and developers access to call information over a Cisco ISR G2 router at the edge of a voice network, such as signaling and media. This information can be used to detect and help prevent malicious activity such as social engineering and identity theft scams, contact center account takeover fraud, unauthorized network and service use, and denial-of-service attacks.

Applications written to the API can then apply appropriate action to terminate, redirect or record the call.

Cisco, citing data from the Communications Fraud Control Association, says global telecom fraud losses are estimated to be $40 billion annually.

Source…

Rackspace Goes Openstack

April 24, 2012
Filed under Computing


Rackspace has finally deployed an Openstack based cloud, playing down claims that it benefits the most from the alliance.

Rackspace is one of the leaders of the Openstack alliance, an open source cloud initiative that aims to break Amazon’s stranglehold on the industry by offering open application programmable interfaces (APIs). Until now Openstack has largely been all talk, but Rackspace has deployed a production Openstack cloud that the firm claims will help it sell Openstack to the enterprise.

Fabio Torlini, VP of cloud at Rackspace said the firm has been “going flat out to make the code production ready”. Torlini said Rackspace’s decision to deploy an Openstack based cloud could be a tipping point in deployment. “It’s going to be the catalyst for many other companies deploying Openstack,” said Torlini.

Rackspace has been the largest contributor to Openstack, and the fact that it has the first major Openstack deployment supports claims that Rackspace is getting the most out of Openstack.

However Torlini said, “For us, we’re able to be the first one to launch a large scale Openstack compute platform because, yes, we are one of the main providers of the original code and we are a founder of Openstack, so we have tried to develop Openstack as a neutral foundation and it is a foundation to provide a service to all its members. But we’re lucky enough to be one of the founder members, to be able to drive it, and get there [deployment] first.”

Torlini defended Rackspace’s role in the Openstack alliance, claiming the strong leadership shown by the firm is good for the community. Torlini said, “Openstack is beneficial to the product itself but that’s the whole point. The whole idea of many more providers going onto Openstack helping develop the Openstack cloud, helping advance the actual products and code is the whole point of Openstack. On the counter side of that argument is if it’s beneficial for us it is just as beneficial for any other member of Openstack because they have access to the same code and they are able to provide.”

Torlini admitted that Openstack and the community is an advantage for the firm but claimed it wasn’t possible for Rackspace to dominate. “You have companies in Openstack that are far larger than Rackspace, able to put much more resources into Openstack as well; it’s impossible for us to dominate Openstack – it’s an independent foundation. Is it advantageous from a product perspective? I should damn well hope so,” said Torlini.

Source…

Symantec’s Virus Code Hacked

January 14, 2012
Filed under Computing


Symantec is looking into an Indian hacking group’s claims that it accessed source code used in the company’s flagship Norton Antivirus program.

A spokesman for the company on Thursday said that one claim by the group was false, while another is still being investigated.

Meanwhile, the Indian group, which calls itself Lords of Dharmaraja, has threatened to publicly disclose the source code very soon.

On Wednesday, the group posted on Pastebin what it claimed was confidential documentation related to Norton AntiVirus source code. A review of the material showed what appears to be a description of an application programming interface (API) for Symantec’s AV product.

The group also posted what it claimed was the complete source code tree file for Norton Antivirus. That document appears to have been taken down.

‘Yama Tough,’ the hacker who posted the documents, released at least two more on Google+ allegedly related to Symantec source code. One of the documents appears to be a detailed technical overview of Norton Anti-Virus, Quarantine Server Packaging API Specification, v1.0. The other document, from 2000, describes a Symantec Immune System Gateway Array Setup technology.


Source…
