Whatsapp is the leading purveyor of metadata collection, a “cancer of mobile apps” perhaps. It has spread its tentacles far and wide and is making a mess of users’ privacy.WhatsApp also collects device-specific information when you install, access, or use their service — such as the model of your phone, its operating system, and information from your browser, IP address, and mobile network — including your phone number.Why should so much information be of interest to them? This goes against what they always claimed. That user privacy comes foremost.Please remember that their encryption protocol implementation is closed source; it’s proprietary. At any point in time, your messages can be easily seen by law enforcement. Who can collect it is a matter of debate but they are only interested in metadata which is more than enough to track any user. In fact, WhatsApp leaks your metadata like a sieve. Why do you want to stay invested in it?
The company that sells digital forensics and mobile hacking tools to others has itself been hacked.Israeli firm Cellebrite, the popular company that provides digital forensics tools and software to help law enforcement access mobile phones in investigations, has had 900 GB of its data stolen by an unknown hacker.But the hacker has not yet publicly released anything from the stolen data archive, which includes its customer information, user databases, and a massive amount of technical data regarding its hacking tools and products.Instead, attackers are looking for possible opportunities to sell the access to Cellebrite system and data on a few selected IRC chat rooms, the hacker told Joseph Cox, contributor at Motherboard, who was contacted by the hacker and received a copy of the stolen data.Meanwhile, Cellebrite also admitted that it recently experienced “unauthorized access to an external web server,” and said that it is “conducting an investigation to determine the extent of the breach. The impacted server included a legacy database backup of my.Cellebrite, the company’s end user license management system.”
BlackBerry is quick to roll out the first security update of the new year.Here we are three days in to the new year, and BlackBerry is already rolling out the January security update for Android powered BlackBerry devices.Owners of devices purchased through Shop BlackBerry should already have the update available. For the rest of us who purchased our devices through carriers, we will have to wait for our specific carriers to push the update to us.In a not from BlackBerry, “If your BlackBerry powered by Android smartphone does not have an up-to-date software build available, please contact your retailer or carrier directly for security maintenance release availability information.” I’d suggest to do this soon and do it often.Remind your carrier that the update is available and the only thing standing between that update and you is them. Remember, the world of mobile security is constantly moving, and having timely updates are integral to our device security.The latest update is dated January 5, 2017. To verify your version, head to Settings>About Phone. For information about the security fixes included in this update, click here.
Dear Mr. Finch and Mr. DePaul, I read your article, “Don’t Let Yourself (Or Your Kid) Be The Next BlackBerry” this morning and felt compelled to respond. As a father, I agree that kids should “recognize the value of life beyond their grades” and “invest in different dimensions of their life.” Where I disagree with you, is the thought that kids shouldn’t be like BlackBerry. The notion of being “well-rounded,” which you allude to in your article, is BlackBerry. You might not know this, but we are no longer just about the smartphone, but the smart in everything from devices and cars to containers and medical equipment. For example, if you drive a Ford, GM, Audi (or Mercedes), BlackBerry software is most likely powering its infotainment system. Your new iPhone uses BlackBerry software if you work at one of the thousands of enterprises that use our mobile management platform. If you know a UCLA faculty member or student, they most likely received an alert, powered by our software, when the unfortunate shooting took place on campus in June. Your health records, personal information and bank accounts are kept safe and secure because BlackBerry software is trusted by some of the world’s largest companies in industries such as banking, healthcare and legal. In the future, you may experience less scarring, less recovery time, and less pain should you need a heart transplant thanks to our software. These are just a few examples. The reason I would want my kids (and your kids) to be like BlackBerry is this: Resiliency. We’re in the midst of an incredible transformation, bringing our software business – something we’ve always had – finally to the fore. And, it’s working due to the simple fact that BlackBerry has more than doubled its software revenue on a year-over-year basis for the past two quarters. We’re not letting one product/idea define us; rather, we are transforming our thinking, addressing our obstacles head-on to nimbly innovate in cutting-edge areas such as the Enterprise of Things. There is a lot going on at BlackBerry today, which makes me want to leave you with one piece of advice: “just because you knew someone, doesn’t mean you know them.” Your old employer certainly looks a lot different these days. Best, Marty Beard
By Erwin Friethoff Application security practices and tools can help ensure that embarrassing and costly vulnerabilities are shut out of your website or app.
Almost everything can be done online nowadays, and even some of the oldest professions in the world are modernizing and moving to the Web. Application security is becoming more and more important with the online enablement of all kinds of new services.
Since everyone and everything is online, the Dutch government decided that one of the basics of a modern society — law and order — should be facilitated through online channels as well. For example, when a lawyer wants to start a procedure, he or she can do so digitally. Proponents argued that it was good for speed and better for the environment.
The website has been modernized and, next to publishing court decisions, a lawyer or legal representative can launch a new case and upload the accompanying documents. Since it is run by the government, one would expect that the application security would be top-notch, right?
A Big Team, Lots of Money and an XSS Vulnerability
A new user experience, a new, up-to-date design, case manager tooling — the website had it all. Highly skilled people worked on the site for years, at the cost of millions of euros, so it was expected to be the best and most secure government website yet produced. Think again: Within a couple of days, an ethical hacker found a DOM-based cross-site scripting (XSS) vulnerability
According to OWASP, a DOM-based XSS attack occurs when the payload is executed by changing the DOM environment in the victim’s browser, which causes page code to operate differently.
A DOM-based XSS vulnerability is one of the vulnerabilities named in the OWASP Top 10, a powerful awareness document for Web application security. It represents a broad consensus about what the most critical flaws are — and these vulnerabilities tend to be present in many applications.
How Application Security Could Have Helped
Could this have been prevented? The answer is yes! But what steps should have been taken to ensure that the vulnerability did not exist in the first place?
To enable clients to prevent these kinds of exploits and vulnerabilities, IBM provides the AppScan portfolio. IBM AppScanscans source code and Web applications for vulnerabilities. It reports on known issues, giving advice on how to repair them and how to prevent them from being exploited. The video below shows how the IBM AppScan XSS Analyzer optimizes the success of the scan.
A train journey to work is a very innocuous thing. But when a man slowly bumped into me and my pocket for a bit too long, it took me a second to realise what had just happened. I called my bank and found out that said individual had managed to steal £20 from my account via a contactless card payment; my bank promptly reimbursed me. Technologically speaking, I’m very curious about how something like this happened. Contactless payment cards do contain normal RFID chips, but they also have secure microprocessors and memory, which have the ability to perform cryptographic processing. Meaning it wouldn’t just give away card details to anyone who asks for them. Europay, MasterCard and Visa, the three companies that created the EMV standard for processing card transactions say that due to the security on the card, it is not possible to steal things like a person’s billing address and CVV code, so the hacker wouldn’t be able to process online transactions after-the-fact. The consumer research group Which? conducted a study back in July 2015 that refuted this however – “Contactless cards are coded to ‘mask’ personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards. We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back). We doubted we’d be able to make purchases without the cardholder’s name or CVV code – but we were wrong.”
Grsecurity® is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration. It has been actively developed and maintained for the past 14 years. Commercial support for grsecurity is available through Open Source Security, Inc.
It is interesting that although Microsoft operating systems still have a considerable number of vulnerabilities, they are no longer in the top 3. Apple
with OS X and iOS is at the top, followed by Linux kernel.
2014 was a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems. Heartbleed, for example, is a critical security vulnerability detected in OpenSSL while Shellshock is a vulnerability that affects GNU Bash.
After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on.
While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying the user.
How does this happen?
First, we have to analyze in detail, the shutting down process.
On Android devices, when the power off button is pressed it will invoke the interceptKeyBeforeQueueingfunction of the class interceptKeyBeforeQueueing.interceptKeyBeforeQueueing will check if the power off button is pressed and go to certain process.
As posted on the Fortinet Blog!
What does the malware do?
To summarize the malware’s goals, it fetches commands via HTTP GET from a remote C&C, and uploads information via HTTP POST. The command it recognizes are listed in the table below.
0 Get Info Device
1 Start Record
2 Get Audio File
3 Get Contact List
4 Current Location
5 Get Installed Apps
6 Wifi Status
7 Get all Pictures from Photo Library
8 List a given directory
9 Get a given file
10 Get process list
11 Get SMS
The code shows a few interesting things: