Developers Hack Dropbox

Two developers have penetrated Dropbox’s security, even intercepting SSL data from its servers and bypassing the cloud storage provider’s two-factor authentication, according to a paper they published at USENIX 2013.

“These techniques are generic enough and we believe would aid in future software development, testing and security research,” the paper says in its abstract.

Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn’t actually represent a vulnerability in its servers.

“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”

The two developers, Dhiru Kholia, with the Openwall open source project , and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in Python.

“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” the paper states. “Additionally, we show how to bypass Dropbox’s two-factor authentication and gain access to users’ data.”

The paper presents “new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world,” the developers wrote.

The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch. And, once someone has de-compiled its source code, how “it is possible to study how Dropbox works in detail.

“We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented,” the developers wrote in the paper.

The process they used included various code injection techniques and monkey-patching to intercept SSL data in a Dropbox client. They also used the techniques successfully to snoop on SSL data in other commercial products as well, they said.

The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a “black box.”

Source

nVidia Launching New Cards

We weren’t expecting this and it is just a rumour, but reports are emerging that Nvidia is readying two new cards for the winter season. AMD of course is launching new cards four weeks from now, so it is possible that Nvidia would try to counter it.

The big question is with what?

VideoCardz claims one of the cards is an Ultra, possibly the GTX Titan Ultra, while the second one is a dual-GPU job, the Geforce GTX 790. The Ultra is supposedly GK110 based, but it has 2880 unlocked CUDA cores, which is a bit more than the 2688 on the Titan.

The GTX 790 is said to feature two GK110 GPUs, but Nvidia will probably have to clip their wings to get a reasonable TDP.

We’re not entirely sure this is legit. It is plausible, but that doesn’t make it true. It would be good for Nvidia’s image, especially if the revamped GK110 products manage to steal the performance crown from AMD’s new Radeons. However, with such specs, they would end up quite pricey and Nvidia wouldn’t sell that many of them – most enthusiasts would probably be better off waiting for Maxwell.

Source

Is The Tesla Hackable?

It’s the curse of the connected car once it’s linked to the Internet, it’s, well, on the Internet. In the case of the Tesla Model S, this means that mischievous hackers could, in theory, control some functions of the vehicle and even snoop without the owner’s knowledge.

Tesla offers Android and iPhone apps for Model S owners, which can be used to check the vehicle’s battery, track its location and status, and tweak several other settings, like climate control and the sunroof. It can also be used to unlock the doors on the Model S.

Dell senior engineer George Reese says the REST API used by Tesla to provide access for Android and iPhone apps has several fairly serious security flaws, which could offer a way in for unscrupulous hackers.

According to an article written by Reese for O’Reilly, Tesla appears to have broken from accepted best practice when designing the API for the Model S.

“It’s flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs–Twitter uses it), this scenario is one that screams for its use,” he wrote.

However, Reese notes, this is merely a potential attack vector, not one that could be immediately exploited. That said, a compromised website particularly one designed to provide “value-added services” via the API to Tesla drivers could prove highly damaging.

“I can … honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving,” Reese wrote.

Automotive hacking has been posited by experts for some time, and several presentations at this year’s Defcon detailed fairly comprehensive methods of compromising some models.

Source

Java 6 Security Hole Found

Security firms are urging users of Oracle’s Java 6 software to upgrade to Java 7 as soon as possible to avoid becoming the victims of active cyber attacks.

F-secure senior analyst Timo Hirvonen warned about the exploit this weekend over Twitter, advising that he had found an exploit in the wild actively targeting an unpatched vulnerability in Java 6, named CVE-2013-2463.

PoC for CVE-2013-2463 was released last week, now it’s exploited in the wild. No patch for JRE6… Uninstall or upgrade to JRE7 update 25.

— Timo Hirvonen (@TimoHirvonen) August 26, 2013

CVE-2013-2463 was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 has the same vulnerability, as Oracle acknowledged in the update, but since Java 6 became unsupported in April 2013, there is no patch for the Java 6 vulnerability.

Cloud security provider Qualys described the bug as an “implicit zero-day vulnerability”. The firm’s CTO Wolfgang Kandek said he had seen it included in the spreading Neutrino exploit kit threat, which “guarantees that it will find widespread adoption”.

“We know about its existence, but do not have a patch at hand,” Kandek said in a blog post. “This happens each time a software package loses support and we track these instances in Qualysguard with our ‘EOL/Obsolete’ detections, in this case.

“In addition, we still see very high rates of Java 6 installed, a bit over 50 percent, which means many organisations are vulnerable.”

Like F-secure, Kandek recommended that any users with Java 6 upgrade to Java 7 as soon as they can.

“Without doubt, organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their vendors if an upgrade path exists,” he added.

Source

Marvell Loses In Court

A federal judge denied Marvell’s request to declare a mistrial in a patent infringement case in which a jury awarded $1.17 billion in damages to Carnegie Mellon University.

Carnegie Mellon sued Marvell in March 2009 over patents issued in 2001 and 2002 related to how accurately hard disk-drive circuits read data from high-speed magnetic disks. The suit involved nine Marvell circuits which incorporated the patents, and that the infringement let the Bermuda outfit blog billions of chips with its tech on board.

The damages award in December 2012 was one of the largest by a US jury in a patent infringement case. Marvell asked the judge to declare a mistrial and it claimed that Carnegie Mellon’s lawyer made improper, misleading and prejudicial comments during closing arguments that “inflamed” the jury.

US District Judge Nora Barry Fischer in Pittsburgh federal court disagreed and said that Marvell was trying to do what it could not do at trial convince the court to throw out this case and have another crack at it. Marvel has said that it will appeal so this case will run and run.

Source

U.S. Cloud Vendors Hurt By NSA

Edward Snowden’s public unveiling of the National Security Agency’s Prism surveillance program could cause U.S. providers of cloud-based services to lose 10% to 20% of the foreign market — a slice of business valued at up to $35 billion.

A new report from the Information Technology & Innovation Foundation (ITIF) concludes that European cloud computing companies, in particular, might successfully exploit users’ fears about the secret data collection program to challenge U.S. leadership in the hosted services business.

Daniel Castro, author of the report, acknowledges that the conclusions are based, so far, on thin data, but nonetheless argues that the risks to U.S. cloud vendors are real.

Indeed, a month prior, the Cloud Security Alliance reported that in a survey of 207 officials of non-U.S. companies, 10% of the respondents said that they had canceled contracts with U.S. service providers after Snowden’s leak of NSA Prism documents earlier this year.

“If U.S. companies lose market share in the short term, it will have long-term implications on their competitive advantage in this new industry,” said Castro in the ITIF report. “Rival countries have noted this opportunity and will try to exploit it.”

To counter such efforts, the U.S. must challenge overstated claims about the program by foreign companies and governments, said Jason Weinstein, a partner in the Washington office of law firm Steptoe & Johnson and a former federal prosecutor and deputy assistant attorney general specializing in computer crime.

“There are a lot of reasons to be concerned about just how significant those consequences will be,” Weinstein said. “The effort by European governments and European cloud providers to cloud the truth about data protection in the U.S. was going on well before anyone knew who Edward Snowden was. It just picked up new momentum once the Prism disclosures came out.”

Weinstein contends that European countries have fewer data protection rules than the U.S.

For example, he said that in the U.K. and France, a wiretap to get content can be issued by a government official without court authority, but that can’t happen in the U.S.

“U.S. providers have done nothing other than comply with their legal obligations,” he said. But because of Snowden’s leaks, “they are facing potentially significant economic consequences.”

Gartner analyst Ed Anderson said his firm has yet to see any revenue impact on cloud providers since the Prism disclosures, but added, “I don’t think Prism does U.S. providers any favors, that’s for sure.”

Nonetheless, Anderson added, “I think the reality is [the controversy] is likely to die down over time, and we expect adoption to probably continue on the path that it has been on.”

One reason why U.S. providers may not suffer is because “the alternatives aren’t great if you are a European company looking for a cloud service,” he said.

Source

Apple To Acquire Embark

Apple is reportedly purchasing mapping app developer Embark, in a move that could lend more real-time navigation features for public transit to Apple’s own Maps app.

The acquisition, which was first reported by tech journalist Jessica Lessin, follows other recent mapping purchases for Apple: HopStop, another maker of apps for public transit directions; and Locationary, which provides data about local businesses; and WifiSLAM, an indoor location and mapping company.

Apple did not directly confirm its acquisition of Embark, but in an emailed statement said, “Apple buys smaller technology companies from time to time, and we generally do not discuss our purpose or plans.”

Apple declined to comment further on the deal.

Apple has faced some serious challenges over the past year in providing a consistently solid mapping product with its Maps app. Last September Apple CEO Tim Cook was forced to publicly apologize for a series of issues plaguing the company’s Maps app in Apple’s iOS 6 operating system.

Embark is a company based in the San Francisco Bay Area that makes a mobile mapping app designed to help people navigate mass transit systems. The company’s app provides “tailored trips” specific to the user’s region, along with notifications for late-running trains and other advisories and closures.

Embark’s technology, if it does find its way into a future Apple product, could enhance Apple’s mapping products and make the company a stronger competitor to rivals like Google. Google’s Maps app already offers real-time public transit navigation features, as do some smaller players like iTransitBuddy.

Embark’s app is available for free on the iPhone for 10 transit systems including Boston’s MBTA, Chicago’s L, the New York City Subway and San Francisco’s Bart and Caltrain systems, with more on the way, according to Embark’s website.

It is not clear whether Embark’s app will be shut down as part of the acquisition. The app was still available in Apple’s App Store at the time of this article’s posting.

Embark’s team could not be immediately reached to comment on the deal.

Source

FTC Warns Google And FB

The Federal Trade Commission (FTC) has promised that her organisation will come down hard on companies that do not meet requirements for handling personal data.

FTC Chairwoman Edith Ramirez gave a keynote speech at the Technology Policy Institute at the Aspen Forum. She said that the FTC has a responsibility to protect consumers and prevent them from falling victim to unfair commercial practices.

“In the FTC’s actions against Google, Facebook, Myspace and others, we alleged that each of these companies deceived consumers by breaching commitments to keep their data confidential. That isn’t okay, and it is the FTC’s responsibility to make sure that companies live up to their commitments,” she said.

“All told, the FTC has brought over 40 data security cases under our unfairness and deception authority, many against very large data companies, including Lexisnexis, Choicepoint and Twitter, for failing to provide reasonable security safeguards.”

Ramirez spoke about the importance of consumer privacy, saying that there is too much “shrouding” of what happens in that area. She said that under her leadership the FTC will not be afraid of suing companies when it sees fit.

“A recurring theme I have emphasized – and one that runs through the agency’s privacy work – is the need to move commercial data practices into the sunlight. For too long, the way personal information is collected and used has been at best an enigma enshrouded in considerable smog. We need to clear the air,” she said.

Ramirez compared the work of the FTC to the work carried out by lifeguards, saying that it too has to be vigilant.

“Lifeguards have to be mindful not just of the people swimming, surfing, and playing in the sand. They also have to be alert to approaching storms, tidal patterns, and shifts in the ocean’s current. With consumer privacy, the FTC is doing just that – we are alert to the risks but confident that those risks can be managed,” she added.

“The FTC recognizes that the effective use of big data has the potential to unleash a new wave of productivity and growth. Like the lifeguard at the beach, though, the FTC will remain vigilant to ensure that while innovation pushes forward, consumer privacy is not engulfed by that wave.”

It’s all just lip service, of course. Companies might be nominally bound by US privacy laws in online commerce, and that might be overseen by the FTC, but the US National Security Agency (NSA) collects all internet traffic anyway, and makes data available to other US government agencies and even some private companies.

Source

Hackers Dupe Apple

Apple’s security was once again made a laughing stock as a team of researchers demonstrated how it is possible to sneak apps past Apple’s test regime. A group of researchers presenting at Usenix were able to spreading malicious chunks of code through an apparently-innocuous app for activation later.

According to their paper the Georgia Tech team wanted to create code that could be rearranged after it had passed AppStore’s tests. The code would look innocuous running in the test environment, be approved and signed, and would later be turned into a malicious app.

They created an app that operated as a Georgia Tech “news” feed but had malicious code was distributed throughout the app as “code gadgets” that were idle until the app received the instruction to rearrange them. After the app passes the App Review and lands on the end user device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together.

The instructions for reassembly of the app arrive through a phone-home after the app is installed.

The app will run inside the iOS sandbox, but can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.

Source

Chinese Hackers Go After Dissidents

The “Comment Crew,” a group of China-based hackers whose outing earlier this year in major media outlets caused a conflict with the U.S., have resumed their attacks against dissidents.

FireEye, a security vendor that specializes in trying to stop sophisticated attacks, has noticed attackers using a fresh set of tools and evasion techniques against some of its newer clients, which it can’t name. But Rob Rachwald, director of market research for FireEye, said in an interview Monday that those clients include an organization in Taiwan and others involved in dissident activity.

The Comment Crew was known for many years by security analysts, but its attacks on The New York Times, described in an extensive report in February from vendor Mandiant, thrust them into an uncomfortable spotlight, causing tense relations between the U.S. and China.

Rachwald said it is difficult to determine if the organizations being targeted now were targeted by the Comment Crew previously, but FireEye said last month that the group didn’t appear to be hitting organizations they had compromised before.

Organizations opposing Chinese government policies have frequently been targeted by hackers in what are believed to be politically motivated surveillance operations.

The Comment Crew laid low for about four months following the report, but emerging clues indicate they haven’t gone away and in fact have undertaken a major re-engineering effort to continue spying. The media attention “didn’t stop them, but it clearly did something to dramatically alter their operations,” Rachwald said in an interview.

“If you look at it from a chronological perspective, this malware hasn’t been touched for about 18 months or so,” he said. “Suddenly, they took it off the market and started overhauling it fairly dramatically.”

FireEye researchers Ned Moran and Nart Villeneuve described the new techniques on Monday on FireEye’s blog.

Two malware samples, called Aumlib and Ixeshe, had been used by the Comment Crew but not updated since 2011. Both malware programs have now been altered to change the appearance of their network traffic, Rachwald said.

Many vendors use intrusion detection systems to spot how malware sends data back to an attacker, which helps determine if a network has been compromised. Altering the method and format for how the data is sent can trick those systems into thinking everything is fine.

In another improvement, encryption is now employed to mask certain components of the programs’ networking communication, Rachwald said. The malware programs themselves, which are designed to steal data and log keystrokes, are basically the same.

Mandiant’s report traced the hacking activity to a specific Chinese military unit called “61398.” The company alleged that it waged a seven-year hacking spree that compromised 141 organizations.

Rachwald said it is strongly believed the Comment Crew is behind the new attacks given its previous use of Aumlib and Ixeshe. But the group has also re-engineered its attack infrastructure so much over the last few months that it is difficult to say for sure.

Source

« Previous Page — Next Page »