ZitaFTP Server and Why You Should Use FTPS instead of Plain FTP By Kea Sigma Delta 

Source: Sniffing/Stealing FTP Passwords; Or, Why You Should Use FTPS instead of Plain FTP » Kea Sigma Delta

Plain FTP is insecure, and it’s pretty easy to sniff your username and password. Anyone who manages to connect to your network can capture network traffic, sniff out your FTP password, and then access/steal your files. Tools to do so are readily available.

The bottom line is: do NOT use plain FTP for file transfer if you value your data. Or, stick to plain FTP and risk being hacked. It’s up to you.

Personally, I value security. That’s why I wrote ZitaFTP Server. It’s a secure FTP server (i.e., an FTPS server). The password sniffing techniques shown above only work with plain FTP (and HTTP), and fail the moment secure connections are used. I highly recommend you stop using insecure plain FTP, and use FTPS instead. Yes, even within your own private network.
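To make the difference concrete, here is an added example (my own code, not ZitaFTP's or Kea Sigma Delta's). The capture strings are constructed, not real traffic, and the host name in the commented-out usage is a placeholder. It shows two things: the defender-side check that flags a cleartext FTP login in captured control-channel text (the same parse an IDS or DLP rule performs, and which finds nothing once the session is wrapped in TLS), and how to build an FTPS client with `ftplib.FTP_TLS` that verifies the server certificate and encrypts the data channel, with the common "verification switched off" misconfiguration beside it so the hardening check has something to reject.

```python
"""Plain FTP vs. FTPS: credential exposure on the wire and a verified FTPS client.

Added example; not part of the original post or of ZitaFTP Server.
"""
from __future__ import annotations

import ssl
from ftplib import FTP_TLS

# Constructed sample of a plain-FTP control channel as a sniffer sees it
# ("C:" = client -> server, "S:" = server -> client, one line per segment).
PLAIN_FTP_CAPTURE = """\
S: 220 (vsFTPd 3.0.3)
C: USER alice
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: PASV
"""

# Constructed capture of the same login over explicit FTPS: after AUTH TLS the
# payload is TLS records, so no USER/PASS lines are visible at all.
FTPS_CAPTURE = """\
S: 220 (vsFTPd 3.0.3)
C: AUTH TLS
S: 234 Proceed with negotiation.
<TLS handshake and encrypted application data>
"""


def cleartext_logins(capture: str) -> list[tuple[str, str]]:
    """Return (username, password) pairs that crossed the wire in the clear.

    This is the detection side: an IDS/DLP rule that alerts on plaintext FTP
    logins does exactly this. A PASS is paired with the most recent USER,
    which is the command order RFC 959 defines.
    """
    found: list[tuple[str, str]] = []
    user: str | None = None
    for line in capture.splitlines():
        if not line.startswith("C: "):
            continue  # only client commands carry credentials
        parts = line[3:].split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "USER":
            user = arg
        elif cmd == "PASS" and user is not None:
            found.append((user, arg))
            user = None
    return found


def make_tls_context() -> ssl.SSLContext:
    """Client SSLContext that actually verifies the FTPS server."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The 'just make it work' mistake: verification disabled.

    Included only so context_is_hardened() has something to reject; a client
    built on this will happily talk TLS to a man-in-the-middle.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode=CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the peer and refuses old TLS."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def make_ftps_client() -> FTP_TLS:
    """Build (but do not connect) an explicit-FTPS client.

    After connect()/login() the caller must call prot_p(): ftplib encrypts the
    control channel but leaves the data channel (listings, file contents) in
    the clear until PROT P is issued.
    """
    return FTP_TLS(context=make_tls_context())


if __name__ == "__main__":
    print("plain FTP leaked:", cleartext_logins(PLAIN_FTP_CAPTURE))
    print("FTPS leaked:", cleartext_logins(FTPS_CAPTURE))
    client = make_ftps_client()
    print("client TLS hardened:", context_is_hardened(client.context))
    # Real usage against a server (placeholder host, not a real system):
    # client.connect("ftps.example.test", 21); client.login("alice", "<password>")
    # client.prot_p(); client.retrlines("LIST"); client.quit()
```

The point the capture makes is the one the post makes: with plain FTP the username and password are two literal lines on the wire, so anyone positioned on the network path reads them; with FTPS the sniffer sees only a TLS handshake. The `prot_p()` note matters in practice, since an FTPS client that protects the login but not the data channel still exposes the files themselves.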

BlackBerry QNX teams with Delphi for self-driving car cybersecurity

BlackBerry will team up with automotive company Delphi to provide some much needed support for self-driving cars — but the project won’t have anything to do with old-school smartphone service. The two companies signed a commercial working partnership that will bring BlackBerry’s QNX operating system to Delphi’s self-driving car platform. BlackBerry’s auto OS is already found in infotainment centers from several carmakers, most notably Ford’s Sync system. The partnership will bring the QNX OS to Delphi’s proposed Centralized Sensing Localization and Planning (CSLP) platform, which the company calls a “fully integrated automated driving solution,” slated for release in 2019. Delphi hopes to offer the CSLP platform to automakers that don’t develop their own autonomous system as an aftermarket self-driving option.

Source: BlackBerry teams with Delphi for cybersecurity for self-driving cars

BBM: Why to use only this App! – UTB Blogs

Whatsapp is the leading purveyor of metadata collection, a “cancer of mobile apps” perhaps. It has spread its tentacles far and wide and is making a mess of users’ privacy. WhatsApp also collects device-specific information when you install, access, or use their service — such as the model of your phone, its operating system, and information from your browser, IP address, and mobile network — including your phone number. Why should so much information be of interest to them? This goes against what they always claimed: that user privacy comes foremost. Please remember that their encryption protocol implementation is closed source; it’s proprietary. At any point in time, your messages can be easily seen by law enforcement. Who can collect it is a matter of debate, but they are only interested in metadata, which is more than enough to track any user. In fact, WhatsApp leaks your metadata like a sieve. Why do you want to stay invested in it?

Source: BBM: Why to use this app alone? – UTB Blogs

Cellebrite, a Phone-Hacking Firm Got Hacked; 900GB Of Data Stolen

The company that sells digital forensics and mobile hacking tools to others has itself been hacked. Israeli firm Cellebrite, the popular company that provides digital forensics tools and software to help law enforcement access mobile phones in investigations, has had 900 GB of its data stolen by an unknown hacker. But the hacker has not yet publicly released anything from the stolen data archive, which includes its customer information, user databases, and a massive amount of technical data regarding its hacking tools and products. Instead, attackers are looking for possible opportunities to sell the access to Cellebrite system and data on a few selected IRC chat rooms, the hacker told Joseph Cox, contributor at Motherboard, who was contacted by the hacker and received a copy of the stolen data. Meanwhile, Cellebrite also admitted that it recently experienced “unauthorized access to an external web server,” and said that it is “conducting an investigation to determine the extent of the breach. The impacted server included a legacy database backup of my.Cellebrite, the company’s end user license management system.”

Source: Phone-Hacking Firm Cellebrite Got Hacked; 900GB Of Data Stolen

BlackBerry Android January Security Update Available NOW! 

BlackBerry is quick to roll out the first security update of the new year. Here we are three days into the new year, and BlackBerry is already rolling out the January security update for Android powered BlackBerry devices. Owners of devices purchased through Shop BlackBerry should already have the update available. For the rest of us who purchased our devices through carriers, we will have to wait for our specific carriers to push the update to us. In a note from BlackBerry, “If your BlackBerry powered by Android smartphone does not have an up-to-date software build available, please contact your retailer or carrier directly for security maintenance release availability information.” I’d suggest doing this soon and doing it often. Remind your carrier that the update is available and the only thing standing between that update and you is them. Remember, the world of mobile security is constantly moving, and having timely updates is integral to our device security. The latest update is dated January 5, 2017. To verify your version, head to Settings > About Phone. For information about the security fixes included in this update, click here.

Source: BlackBerry Android January Security Update Rolling Out – UTB Blogs

BlackBerry COO Marty Beard: We’re not letting one product or idea define us | CrackBerry.com

Dear Mr. Finch and Mr. DePaul, I read your article, “Don’t Let Yourself (Or Your Kid) Be The Next BlackBerry” this morning and felt compelled to respond. As a father, I agree that kids should “recognize the value of life beyond their grades” and “invest in different dimensions of their life.” Where I disagree with you, is the thought that kids shouldn’t be like BlackBerry. The notion of being “well-rounded,” which you allude to in your article, is BlackBerry. You might not know this, but we are no longer just about the smartphone, but the smart in everything from devices and cars to containers and medical equipment. For example, if you drive a Ford, GM, Audi (or Mercedes), BlackBerry software is most likely powering its infotainment system. Your new iPhone uses BlackBerry software if you work at one of the thousands of enterprises that use our mobile management platform. If you know a UCLA faculty member or student, they most likely received an alert, powered by our software, when the unfortunate shooting took place on campus in June. Your health records, personal information and bank accounts are kept safe and secure because BlackBerry software is trusted by some of the world’s largest companies in industries such as banking, healthcare and legal. In the future, you may experience less scarring, less recovery time, and less pain should you need a heart transplant thanks to our software. These are just a few examples. The reason I would want my kids (and your kids) to be like BlackBerry is this: Resiliency. We’re in the midst of an incredible transformation, bringing our software business – something we’ve always had – finally to the fore. And, it’s working due to the simple fact that BlackBerry has more than doubled its software revenue on a year-over-year basis for the past two quarters. 
We’re not letting one product/idea define us; rather, we are transforming our thinking, addressing our obstacles head-on to nimbly innovate in cutting-edge areas such as the Enterprise of Things. There is a lot going on at BlackBerry today, which makes me want to leave you with one piece of advice: “just because you knew someone, doesn’t mean you know them.” Your old employer certainly looks a lot different these days. Best, Marty Beard

Source: BlackBerry COO Marty Beard: We’re not letting one product or idea define us | CrackBerry.com

How to Protect Your Website From XSS Vulnerabilities With IBM Application Security

By Erwin Friethoff

Application security practices and tools can help ensure that embarrassing and costly vulnerabilities are shut out of your website or app.

Almost everything can be done online nowadays, and even some of the oldest professions in the world are modernizing and moving to the Web. Application security is becoming more and more important with the online enablement of all kinds of new services.

Since everyone and everything is online, the Dutch government decided that one of the basics of a modern society — law and order — should be facilitated through online channels as well. For example, when a lawyer wants to start a procedure, he or she can do so digitally. Proponents argued that it was good for speed and better for the environment.

The website has been modernized and, next to publishing court decisions, a lawyer or legal representative can launch a new case and upload the accompanying documents. Since it is run by the government, one would expect that the application security would be top-notch, right?

A Big Team, Lots of Money and an XSS Vulnerability

A new user experience, a new, up-to-date design, case manager tooling — the website had it all. Highly skilled people worked on the site for years, at the cost of millions of euros, so it was expected to be the best and most secure government website yet produced. Think again: within a couple of days, an ethical hacker found a DOM-based cross-site scripting (XSS) vulnerability.

According to OWASP, a DOM-based XSS attack occurs when the payload is executed by changing the DOM environment in the victim’s browser, which causes page code to operate differently.

A DOM-based XSS vulnerability is one of the vulnerabilities named in the OWASP Top 10, a powerful awareness document for Web application security. It represents a broad consensus about what the most critical flaws are — and these vulnerabilities tend to be present in many applications.

How Application Security Could Have Helped

Could this have been prevented? The answer is yes! But what steps should have been taken to ensure that the vulnerability did not exist in the first place?

To enable clients to prevent these kinds of exploits and vulnerabilities, IBM provides the AppScan portfolio. IBM AppScan scans source code and Web applications for vulnerabilities. It reports on known issues, giving advice on how to repair them and how to prevent them from being exploited. The video below shows how the IBM AppScan XSS Analyzer optimizes the success of the scan.


Source: How to Protect Your Website From XSS Vulnerabilities With IBM Application Security

NFC Theft.. Beware! SC staff hit by contactless card theft.

A train journey to work is a very innocuous thing. But when a man slowly bumped into me and my pocket for a bit too long, it took me a second to realise what had just happened. I called my bank and found out that said individual had managed to steal £20 from my account via a contactless card payment; my bank promptly reimbursed me. Technologically speaking, I’m very curious about how something like this happened. Contactless payment cards do contain normal RFID chips, but they also have secure microprocessors and memory, which have the ability to perform cryptographic processing. Meaning it wouldn’t just give away card details to anyone who asks for them. Europay, MasterCard and Visa, the three companies that created the EMV standard for processing card transactions say that due to the security on the card, it is not possible to steal things like a person’s billing address and CVV code, so the hacker wouldn’t be able to process online transactions after-the-fact. The consumer research group Which? conducted a study back in July 2015 that refuted this however – “Contactless cards are coded to ‘mask’ personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards. We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back). We doubted we’d be able to make purchases without the cardholder’s name or CVV code – but we were wrong.”

Source: SC staff hit by contactless card theft – SC Magazine UK

BlackBerry’s Priv is Using a Hardened Linux Kernel

Grsecurity® is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration. It has been actively developed and maintained for the past 14 years. Commercial support for grsecurity is available through Open Source Security, Inc.

Source: BlackBerry’s Android Slider Using Hardened Linux Kernel

Most vulnerable operating systems of 2014 are Apple

GFI Reports…

It is interesting that although Microsoft operating systems still have a considerable number of vulnerabilities, they are no longer in the top 3. Apple, with OS X and iOS, is at the top, followed by the Linux kernel.

2014 was a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems. Heartbleed, for example, is a critical security vulnerability detected in OpenSSL while Shellshock is a vulnerability that affects GNU Bash.

via Most vulnerable operating systems and applications in 2014.