
Oxygen Forensic® Detective adds support for new applications and devices!

December 17, 2016

Oxygen Forensics releases a maintenance version of Oxygen Forensic® Detective. Version 9.0.1 offers functionality and interface improvements to Oxygen Forensic® Cloud Extractor, Oxygen Forensic® Maps and the Export Engine. It also adds data parsing from the Video Locker and KeepSafe applications and updates support for popular messengers: Kik Messenger, Facebook Messenger, Viber, WhatsApp, etc. The total number of supported app versions exceeds 2400!

The updated version also adds support for 400+ new Android OS devices: Acer Iconia Tab 10, Alcatel One Touch Pixi 4 4.0 4GB, Asus ZenPad 10 TD-LTE, Coolpad 8718 TD-LTE, HTC One S9 TD-LTE, Huawei P9 Plus TD-LTE, etc.

New in Oxygen Forensic® Detective v.9.0.1:

  • Oxygen Forensic® Cloud Extractor. Added the ability to start a new extraction without restarting the Cloud Extractor.

  • Oxygen Forensic® Cloud Extractor. Date range settings are now shown in the extraction statistics window and included in the OCB backup.

  • Oxygen Forensic® Cloud Extractor. Added a horizontal scrollbar to conveniently view extraction logs. Also added the ability to copy logs in the popup menu. 

  • Oxygen Forensic® Maps. Added the ability to change the scale of the image in the Photo Viewer.

  • Export. Added event numbering in the RTF data report.

  • Export. Added the ability to set the name of the expert who creates a data report.

  • General. Added display of time zone offset on the sidebar and in the grid.  

  • General. Added a hint that shows the original time zone extracted from the database. It is available in all cells that contain time information.

  • Applications. Business. Added data parsing from KeepSafe (7.10.5) from Android OS devices and KeepSafe (7.7) from iOS devices.

  • Applications. Business. Added data parsing from Video Locker (1.2.1) from Android OS devices. 

  • Applications. Messengers. Updated support for Kik Messenger (10.16.1.9927) for Android OS devices.

  • Applications. Messengers. Updated support for Facebook Messenger (93.0) for iOS devices.

  • Applications. Social Networks. Updated support for LinkedIn (4.0.79) for Android OS devices.

  • Applications. Messengers. Updated support for Viber (6.3.4) for iOS devices. 

  • Applications. Messengers. Updated support for WeChat (6.3.28) for iOS devices and WeChat (6.3.23) for Android OS devices. 

  • Applications. Messengers. Updated support for WhatsApp (2.16.13) for iOS devices. 

  • Oxygen Forensic® Extractor. Added support for iOS 10.1. 

  • Oxygen Forensic® Extractor. Added support for 400+ Android OS devices: Acer Iconia Tab 10, Alcatel One Touch Pixi 4 4.0 4GB, Asus ZenPad 10 TD-LTE, BBK Vivo V3 A TD-LTE Dual SIM, Coolpad 8718 TD-LTE, HTC One S9 TD-LTE, Huawei P9 Plus TD-LTE, etc. 

  • Export. Fixed the issue with Emoji symbols that were displayed incorrectly in data reports.

  • Export. Fixed the issue with RTF files that are larger than 512 MB.

  • Export. Fixed the issue with the logo in the header that occurred when the Device information section was not included in the report.

Oxygen Forensic® Detective significantly speeds up Android data extraction!

December 17, 2016

Oxygen Forensics releases a major update to its flagship forensic software, Oxygen Forensic® Detective. The software version 9.0 offers extremely fast data extraction from a wide range of Android devices. It also supports Android 7.0 Nougat devices and improves physical extraction via custom forensic recovery from Samsung devices.

The new software version acquires My Activity data from Google services and decrypts passwords saved in Google Chrome. Oxygen Forensic® Detective v. 9.0 fully parses encrypted and non-encrypted iTunes backups as well as iCloud backups made from iOS 10 devices. Frequent Locations from iOS devices and convenient daylight saving time settings are also available.

The updated Oxygen Forensic® Detective now supports 350+ new mobile devices, including iPhone 7 and iPhone 7 Plus, and 2,300+ app versions.

New in Oxygen Forensic® Detective v.9.0:

  • Redesigned Enterprise license. Due to the completely new engine, the Enterprise license has become more cost-efficient and stable. Experts can now borrow a license from the server to work offline in the field. Moreover, the remote connection to the network server has been significantly improved.

  • Industry-first! Oxygen Forensic® Cloud Extractor. Added the ability to extract data from Google My Activity which includes web searches, watched videos and other activity. 

  • Oxygen Forensic® Cloud Extractor. Added passwords extraction from Google Chrome accounts using either known credentials or token. Forensic experts can extract account details, saved passwords and visited web pages. 

  • Oxygen Forensic® Extractor. Added fast dump creation from Android OS devices. The agreement with MITRE Corporation allowed the creation of a Jet-Imager module that acquires data from Android devices many times faster.

  • Oxygen Forensic® Extractor. Added support for iPhone 7 and iPhone 7 Plus devices.

  • Oxygen Forensic® Extractor. Added data parsing from non-encrypted and encrypted iTunes backups made from iOS 10 devices.

  • Oxygen Forensic® Extractor. Added data import and parsing from iCloud backups made from iOS 10 devices. 

  • Oxygen Forensic® Extractor. Added logical and physical data extraction from Android 7.0 Nougat devices. 

  • Oxygen Forensic® Extractor. Added physical data acquisition via forensic custom recovery method from the following Samsung S6, S6 Edge, S6 Edge models: SM-G928P, SM-G928T, SM-G928R4, SM-G920F, SM-G920T, SM-G920I, SM-G920P, SM-G920R4 and SM-G920T1. This method allows the expert to bypass the mobile device screen lock to create a full physical dump from supported Samsung devices. 

  • Oxygen Forensic® Extractor. Added import and data parsing from physical images of Android devices with YAFFS file systems. 

  • Oxygen Forensic® Extractor. Added support for Android physical images with F2FS file system. 

  • Oxygen Forensic® Extractor. Added import and data parsing from BlackBerry 10.3 physical images. 

  • Oxygen Forensic® Extractor. Added the ability to extract data via ADB backup from Android 6.x devices. 

  • Web Connections. Locations tab. Added extraction of Frequent Locations from jailbroken iOS devices. 

  • Device information. Added information about SIM cards that were ever used in the acquired iOS device. 

  • General. Added support for daylight saving time in Time Zone Settings. 

  • General. Now you can easily select another time zone in the column header in the following sections:  Phonebook, Calendar, Notes, Tasks, File Browser and Web Connections.

  • Export. Key Evidence and Timeline. Added the ability to export Key Evidence and Timeline events together with files from the source sections: attachments from Messages, files from File Browser and Applications. 

  • Export. Added the ability to add a custom main header for HTML and RTF reports. 

  • Applications. Added localization for the column headers. Previously they were only in English. 

  • Applications. Business. Added data parsing from Apple Notes from iOS 10 devices. 

  • Applications. Messengers. Added data parsing from QQ (5.9.7) from Android OS devices. 

  • Applications. Messengers. Added data parsing from Yaxim (0.8.8) from Android OS devices. 

  • Applications. Social Networks. Updated support for Facebook (63.0) for iOS devices. 

  • Applications. Social Networks. Updated support for LinkedIn (9.0.33) for iOS devices. 

  • Applications. Social Networks. Updated support for Twitter (6.61.1) for iOS devices. 

  • Applications. Social Networks. Updated support for Instagram (9.2.1) for iOS devices. 

  • Applications. Social Networks. Updated support for VK (4.4.2) from Android OS devices. 

  • Applications. Messengers. Updated support for WhatsApp (2.16.9, 2.16.10 ) for iOS devices. 

  • Applications. Messengers. Updated support for Skype (7.14.0.305) for Android OS devices. 

  • Applications. Messengers. Updated support for Facebook Messenger (91.0.0.19.70) for Android OS devices. 

  • Applications. Messengers. Updated support for ooVoo (2.9.3) for iOS devices and ooVoo (2.9.2) for Android OS devices. 

  • Added support for 350+ Android OS devices: LG K Series K8 LRA 4G LTE (RS500), Lenovo Vibe P2 Dual SIM TD-LTE (P2c72), ZTE ZMax Pro LTE, Motorola Moto E3 Dual SIM TD-LTE (XT1700),  Alcatel One Touch Idol 4 LTE (OT-6055U), Samsung Galaxy Note 7 Duos TD-LTE (SM-N930FD), etc. 

  • Oxygen Forensic® Cloud Extractor. Updated support for Google Mail with accelerated data extraction. Mails are now extracted using multiple threads. 

  • Oxygen Forensic® Cloud Extractor. Updated support for Google Location History. 

  • Oxygen Forensic® Cloud Extractor. Updated support for Twitter. 

  • Oxygen Forensic® Extractor. Improved support for encrypted Android ADB backups. Added the ability to enter a password during data extraction to decrypt data. 

  • Oxygen Forensic® Extractor. Significantly accelerated physical data extraction via custom forensic recovery from Samsung devices.

Simple Bug allows Hackers to Read all your Private Facebook Messenger Chats

December 17, 2016

A security researcher has discovered a critical vulnerability in Facebook Messenger that could allow an attacker to read all your private conversations, affecting the privacy of around 1 billion Messenger users.

Ysrael Gurt, the security researcher at BugSec and Cynet, reported a cross-origin bypass-attack against Facebook Messenger which allows an attacker to access your private messages, photos as well as attachments sent on the Facebook chat.


To exploit this vulnerability, all an attacker needs is to trick a victim into visiting a malicious website.

Once clicked, all private conversations by the victim, whether from a Facebook's mobile app or a web browser, would be accessible to the attacker, because the flaw affected both the web chat as well as the mobile application.

Dubbed "Originull," the vulnerability actually lies in the fact that Facebook chats are managed from a server located at {number}-edge-chat.facebook.com, which is separate from Facebook's actual domain (www.facebook.com).

"Communication between the JavaScript and the server is done by XML HTTP Request (XHR). In order to access the data that arrives from 5-edge-chat.facebook.com in JavaScript, Facebook must add the "Access-Control-Allow-Origin" header with the caller’s origin, and the "Access-Control-Allow-Credentials" header with "true" value, so that the data is accessible even when the cookies are sent," Gurt explained.
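The quoted paragraph describes the exact CORS decision a chat endpoint has to get right. The following is an added example, not code from the article or from Facebook: it contrasts a handler that reflects any Origin with a credentialed grant against one that only grants credentialed access to an allowlist, and includes the browser-side rule that decides whether a cross-site page can read the response. The origins and function names are assumptions.

```python
"""
Added example: the CORS grant that the Originull write-up turns on.
A credentialed cross-origin response is readable by the calling page only
when the server echoes that page's exact origin in
Access-Control-Allow-Origin together with Access-Control-Allow-Credentials:
true. Reflecting every Origin header therefore hands the authenticated
response to any site the logged-in user happens to visit.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the first-party origins a chat endpoint should
# trust (an assumption, not the real configuration of any service).
TRUSTED_ORIGINS = {"https://www.example.com", "https://m.example.com"}


def cors_headers_reflecting(request_headers: dict) -> dict:
    """Weak pattern: echo whatever Origin the caller sent, with credentials."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def _is_trusted(origin: str) -> bool:
    """Exact scheme://host[:port] match against the allowlist.

    A substring or suffix test ("example.com" in origin) would also accept
    www.example.com.attacker.test; the opaque "null" origin (sandboxed
    iframes, file://) has no scheme or host and is rejected as well.
    """
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() in TRUSTED_ORIGINS


def cors_headers_allowlisted(request_headers: dict) -> dict:
    """Hardened: only allowlisted origins receive a credentialed grant.

    Vary: Origin keeps shared caches from serving one origin's grant to
    another.
    """
    origin = request_headers.get("Origin")
    if origin is None or not _is_trusted(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cross_site_read_possible(response_headers: dict, caller_origin: str) -> bool:
    """Browser-side rule for a credentialed request: the caller's script may
    read the body only if ACAO names its origin exactly (a '*' wildcard is
    refused when credentials are included) and ACAC is 'true'."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == caller_origin and creds


def audit_cors(handler, probe_origin: str = "https://probe.attacker.test") -> str:
    """Defensive check: send a request from an origin that should never be
    trusted and report whether the handler would expose credentialed data."""
    headers = handler({"Origin": probe_origin})
    if cross_site_read_possible(headers, probe_origin):
        return "FAIL: credentialed response readable by arbitrary origin"
    return "OK: untrusted origin gets no credentialed grant"


if __name__ == "__main__":
    print("reflecting:  ", audit_cors(cors_headers_reflecting))
    print("allowlisted: ", audit_cors(cors_headers_allowlisted))
```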

Doctor Web discovers Trojans in firmware of well-known Android mobile devices

December 14, 2016

December 12, 2016

Doctor Web's security researchers found new Trojans incorporated into the firmware of several dozen Android mobile devices. The malware is stored in system directories and covertly downloads and installs programs.

One of these Trojans, dubbed Android.DownLoader.473.origin, was found in the firmware of a large number of popular Android devices built on the MTK platform. At the time this news article was posted, the Trojan had been detected on the following 26 smartphone and tablet models:

  • MegaFon Login 4 LTE

  • Irbis TZ85

  • Irbis TX97

  • Irbis TZ43

  • Bravis NB85

  • Bravis NB105

  • SUPRA M72KG

  • SUPRA M729G

  • SUPRA V2N10

  • Pixus Touch 7.85 3G

  • Itell K3300

  • General Satellite GS700

  • Digma Plane 9.7 3G

  • Nomi C07000

  • Prestigio MultiPad Wize 3021 3G

  • Prestigio MultiPad PMT5001 3G

  • Optima 10.1 3G TT1040MG

  • Marshal ME-711

  • 7 MID

  • Explay Imperium 8

  • Perfeo 9032_3G

  • Ritmix RMD-1121

  • Oysters T72HM 3G

  • Irbis tz70

  • Irbis tz56

  • Jeka JK103

However, the number of infected Android devices can be, in fact, even bigger.

Russian facial recognition app sparks interest, controversy

December 14, 2016

A facial recognition app out of Russia is raising eyebrows, both because of its abilities and the privacy concerns it sparks.

The app, FindFace, involves users submitting photos— for example, of someone they saw on the street and might like to be able to contact. Then, the app searches a Russian social network called Vkontakte to look for a match with a reported accuracy of about 70 percent among the millions of accounts. It’s even performed better than Google at a competition called MegaFace.

While some have praised the app for its ability to make successful matches— law enforcement and casinos are said to be interested in the tech— others have privacy concerns.

Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion

December 14, 2016

IN SEPTEMBER, YAHOO had the unfortunate distinction of disclosing an enormous 500 million-account breach. Tough stuff. Somehow, though, the company seems to have topped even that staggering figure. Yahoo announced on Wednesday that hackers, in what’s likely a separate attack, compromised one billion of the company’s user accounts in August 2013. One billion. That makes this the biggest known hack of user data ever, and it’s not really close.

The most important thing we know so far is that Yahoo says "this incident is likely distinct from the incident we disclosed on September 22, 2016." That other breach happened in late 2014, so this new (even bigger) one took place about a year earlier. Yahoo has been working with law enforcement and a third-party cybersecurity firm to verify the hack and trace its origin, but the company says that so far it doesn't know who the perpetrator was.

Norton Cyber Security Insights Report 2016

December 05, 2016

Explore how consumers leave themselves vulnerable to online crime in the 2016 Norton Cyber Security Insight Report. A global omnibus survey of 20,907 consumers in 21 countries, the report examines consumers’ attitudes toward online crime and the personal impact it has on their lives.


Interesting highlights include:


The United States is the most susceptible developed country for cyberattacks, where 39 percent of Americans personally experienced cybercrime within the past year, compared to 31 percent of people globally.

The Netherlands has the lowest rate of cybercrime experienced in the last year (14 percent).

More than any other country, parents in the United States (64 percent) believe their kids are more likely to be bullied online than on a playground, compared to 48 percent of parents globally.

If given the option, the majority of those surveyed across all countries would rather reset their smartphone settings than have their browser history made public.

iPhone 'live photo' may leak location

November 29, 2016

"Everyone might easily track your location through live photos posted on Weibo!" A Chinese mother warned on social media earlier this week, referring to the potential safety risks in using the "live photo" feature on iPhone 6S and 7.

According to people.cn, the mother surnamed Sun from Ningbo, East China's Zhejiang province, took a photo of her daughter waving her goodbye in front of a kindergarten using iPhone 7 and posted it on Twitter-like Sina Weibo.

Half an hour later, a stranger identified the kindergarten and its location.

Sun said she didn't turn on the location service on Weibo when posting the picture, nor did she reveal the name of the kindergarten, so she had no idea how the stranger got the information.

You get a UUID! You get a UUID! Everybody gets a UUID!

November 29, 2016

A few months ago Uber came out with a new service which allowed businesses to request Uber rides for their customers. UberCENTRAL allowed businesses - large or small - to request, manage and pay for multiple Uber rides on behalf of their customers. The only way to have access to UberCENTRAL is to be approved and luckily I was approved to view the backend.

A feature in UberCENTRAL allowed a company's administrator to add operators to their locations. Operators are employees who request rides on behalf of the company's customers; they are added by email address, so basically any valid email address registered with Uber could be added.

RAGENTEK ANDROID OTA UPDATE MECHANISM VULNERABLE TO MITM ATTACK

November 29, 2016

In this article, we will be detailing an issue we discovered affecting a number of low-cost devices. It allowed adversaries to remotely execute commands on the devices as a privileged user if they were in a position to conduct a Man-in-the-Middle attack. The binary responsible appears to be an insecure implementation of an OTA (Over-the-air) mechanism for device updates associated with the software company Ragentek Group in China. All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol. One of these commands allows for the execution of system commands. This issue affected devices out of the box.


On Tuesday, November 15th, the New York Times reported on an issue affecting a similar set of device manufacturers that caused the devices to report sensitive material, such as text messages and the user’s previous physical locations, back to the Chinese software company Shanghai ADUPS Technology Co., Ltd. This was an issue discovered and announced by Kryptowire, and covered in more detail in a posted article on their website. The issue described in this article is unrelated to the one discovered by Kryptowire.

Vulnerability Note VU#624539. Ragentek Android OTA update mechanism vulnerable to MITM attack

November 29, 2016

Overview
Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges.


Description
CWE-494: Download of Code Without Integrity Check - CVE-2016-6564
Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks.
Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit.

This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel.

Kazakhstan is going to start intercepting HTTPS traffic via "man-in-the-middle attack" starting Jan 1, 2016

November 13, 2016

The law was accepted in December, but now one of our providers has announced information for small and medium businesses on how to install the government-provided root SSL certificate: https://www.beeline.kz/b2b/sme/ru/press_centers/10040

The certificate is valid for 4 years; the data size, as I think, is 1024 bytes.

Link to the cert: https://www.beeline.kz/uploads/document/file/11120/QAZNET.rar

http://crypto.stackexchange.com/questions/33570/government-root-ssl-certificate-possible-vulnerabilities

Sexual secrets for hundreds of millions exposed in largest hack of 2016

November 13, 2016

Friend Finder Network Inc is a company that operates a wide range of 18+ services and was hacked in October of 2016 for over 400 million accounts representing 20 years of customer data, which makes it by far the largest breach we have ever seen -- MySpace gets 2nd place at 360 million. This event also marks the second time Friend Finder has been breached in two years, the first being around May of 2015.

iOS WebView auto dialer bug

November 13, 2016

iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone's UI for a short amount of time and therefore prevent the victim from canceling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible. The Twitter and LinkedIn iOS apps are vulnerable (other apps might be vulnerable too).

GOOGLE TO MAKE CERTIFICATE TRANSPARENCY MANDATORY BY 2017

November 13, 2016

Google is making Certificate Transparency mandatory for its Chrome web browser by October 2017. Google software engineer Ryan Sleevi made the announcement in conjunction with the CA/Browser Forum that took place in Redmond, Washington last week.

The move is an attempt to reduce the number of domain certificates that are compromised and abused by hackers who are taking advantage of structural flaws in the certificate authority system, say experts. Those security flaws have allowed hackers to exploit holes in the certificate authority system and launch man-in-the-middle and website spoofing attacks.

How to block the ultrasonic signals you didn’t know were tracking you

November 13, 2016

The technology, called ultrasonic cross-device tracking, embeds high-frequency tones that are inaudible to humans in advertisements, web pages, and even physical locations like retail stores. These ultrasound “beacons” emit their audio sequences with speakers, and almost any device microphone—like those accessed by an app on a smartphone or tablet—can detect the signal and start to put together a picture of what ads you’ve seen, what sites you’ve perused, and even where you’ve been. Now that you’re sufficiently concerned, the good news is that at the Black Hat Europe security conference on Thursday, a group based at University of California, Santa Barbara will present an Android patch and a Chrome extension that give consumers more control over the transmission and receipt of ultrasonic pitches on their devices.

When CSI meets public wifi: Inferring your mobile phone password via wifi signals

November 13, 2016

WindTalker is motivated by the observation that keystrokes on mobile devices lead to different hand coverage and finger motions, which introduce a unique interference into the multi-path signals that is reflected in the channel state information (CSI).

By setting up a rogue access point, determining the point in time when a user is entering a PIN (for the Alipay payment system in the demonstrated attack – the largest mobile payments company in the world), and observing the fluctuations in wifi signal, it’s possible to recover the PIN. Particularly with side-channel attacks, I usually feel a mix of “oh wow, you can do that, that’s really ingenious…” coupled with a sense of despair at just how insecure everything really is in the presence of skilled attackers. Today’s paper, as with yesterday’s, is no exception.

DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices

September 14, 2016

Almost all samples of DualToy are capable of infecting Android devices connected with the compromised Windows PC via USB cable. This functionality is usually implemented in a module named NewPhone.dll, DevApi.dll or app.dll.

DualToy assumes ADB is enabled on the connected Android device. If ADB isn’t enabled (which is the default option), the . However, some users, especially those who want to install Android apps from a PC or Mac, or who want to do advanced operations with their Android devices, This is because ADB is both the only official interface for a Windows or Mac computer to operate an Android device via USB and it is a debugging interface.

Mobile Customer. Poll

September 07, 2016

There are many reasons why some mobile devices are better protected than others. The way you use your device is a composite factor that directly or indirectly affects your overall protection level.

Customer Data. Poll

September 07, 2016

As is well known, mobile apps store, transfer and operate on several types of data. Some data items are better protected than others, and everyone has their own data they consider worth protecting. What is the most important data to you?

Onelogin August 2016 Incident

August 30, 2016

We recently confirmed that an unauthorized user gained access to one of our standalone systems, which we use for log storage and analytics. Here is what we can share about the incident:

  • OneLogin has a feature called Secure Notes, which end users can use to store information. These notes are stored in our system using multiple levels of AES-256 encryption.

  • A bug caused these notes to be visible in our logging system prior to being encrypted and stored in our database.

  • We subsequently discovered evidence that an unauthorized user gained access to this system by compromising a OneLogin employee’s password for that system.

  • We have no evidence that any other OneLogin system or user account was compromised.

  • Based on the activity in the log management system, we can see that the intruder was able to view, at a minimum, notes that were updated during the period of July 25, 2016 to August 25, 2016.

  • Due to the presence of the intruder as early as July 2, 2016, we are advising customers that notes updated during the period of June 2, 2016 to July 24, 2016, are also at risk.

  • This has impacted a small subset of our customers, who we are working with directly on this issue.

Here are the actions we have taken so far:

  • The cleartext logging bug was fixed on the same day we detected it.

  • Access to the log management system has been locked down to only SAML-based authentication and only from a limited set of IP addresses.

  • All passwords have been reset in all external systems that don’t support SAML or allow alternate forms-based authentication.

  • Once we verified the initial scope of the incident, we began notifying the impacted customers on August 29, 2016 and will continue to update them as our investigation continues.

98 personal data points that Facebook uses to target ads to you

August 29, 2016

Say you’re scrolling through your Facebook Newsfeed and you encounter an ad so eerily well-suited, it seems someone has possibly read your brain.

Maybe your mother’s birthday is coming up, and Facebook’s showing ads for her local florist. Or maybe you just made a joke aloud about wanting a Jeep, and Instagram’s promoting Chrysler dealerships.

Whatever the subject, you’ve seen ads like this. You’ve wondered — maybe worried — how they found their way to you.

Have you ever wondered whether your battery helps spy on you?

August 15, 2016

Privacy risks and threats arise and surface even in seemingly innocuous mechanisms. We have seen it before, and we will see it again.

Recently, I participated in a study assessing the risk of W3C Battery Status API. The mechanism allows a web site to read the battery level of a device (smartphone, laptop, etc.). One of the positive use cases may be, for example, stopping the execution of intensive operations if the battery is running low.

Our privacy analysis of Battery Status API revealed interesting results.

Don't be surprised. WhatsApp doesn’t properly erase your deleted messages, researcher reveals

August 02, 2016

There were cheers a few months ago when WhatsApp announced that it was using end-to-end encryption for all messages by default, boosting the privacy and security of users.

But now respected iOS security researcher Jonathan Zdziarski claims to have found a worrying weakness in WhatsApp that could open a door for intelligence agencies and other prying eyes to snoop upon your private conversations, even after they have been "deleted" from the app.

Think your data is safe enough? Think again!

July 23, 2016

Detective introduces additional password bypass and physical support for most popular Samsung Android devices

Version 8.3.1 supports physical acquisition via the custom forensic recovery method for new Samsung Galaxy devices, such as Galaxy Note 4 CDMA Verizon (SM-N910V), Samsung Galaxy Note 5 Sprint (SM-N920P), etc.

New in Oxygen Forensic® Detective v.8.3.1:

  • Oxygen Forensic® Maps. Added “Show all” button that zooms a map to show all the geo points. 

  • Oxygen Forensic® Maps. Added the ability to calculate several distances on the same map using Ctrl + click shortcut.

  • File Browser. Added time stamps extraction for thumbnails from Android OS devices. 

  • Web Connections. Added extraction of information about Wi-Fi points from Windows Phone 8 devices.  

  • Applications. Messengers. Added data extraction and parsing from the latest WhatsApp (2.16.1) for Apple iOS devices. All user information is available for analysis, including automatically encrypted messages.

  • Applications. Messengers. Added data parsing from Skype (6.15.0.1162) from Blackberry 10 devices.

  • Applications. Business. Added data parsing from Yandex.Money (4.4.1) from iOS devices.

  • Applications. Messengers. Updated data parsing from Telegram (3.7.0) from Android OS devices. 

  • Applications. Messengers. Updated data parsing from Viber (5.8.1) from iOS devices. 

  • Applications. Social Networks. Updated data parsing from LinkedIn (9.0.9) from iOS devices. 

  • Applications. Social Networks. Updated data parsing from Instagram (7.19.0) from Android OS devices. 

  • Applications. Business. Updated data parsing from C-mail (5.00.14) from Android OS devices. 

  • Added support for Apple iOS 9.3.1. 

Traveling to US? Agencies want to Spy on your Social Media activities right from Airport

June 27, 2016

Hey! Welcome to the United States. May we have your Twitter handle, please?

That's exactly what you'll likely be asked by the U.S. Customs and Border Protection at the airport prior to entering U.S. soil.

Yes, your Twitter handle may soon be part of the US Visa process as U.S. Customs and Border Protection has entered a new proposal into the federal register, suggesting a new field in which foreign visitors can declare their online presence.

Privacy Alert to help to avoid installing non-trusted apps

June 18, 2016

These days, there literally is an app for everything. Whether you want to spend hours playing games, watch a person on the other side of the world stream a local sports game, or organize every aspect of your life down to the minutiae.

The downside to this incredible level of choice is that some apps out there disguise themselves as your friend, when in fact they just want to harm you. Google’s Play Store has frequently received criticism for its less-than-robust approach to filtering unsafe content, and if you’re not careful, you could find yourself being tracked, hacked, or conned.

With that in mind, we take a look at ten seemingly innocent popular apps you shouldn't install under any circumstances.

The life of a social engineer: Hacking the human

May 20, 2016

A clean-cut guy with rimmed glasses and a warm smile, Jayson E. Street looks nothing like the stereotypical hacker regularly portrayed in movies (i.e. pale, grim and antisocial). But he is one – he just "hacks" humans. Street is a master of deception: a social engineer, specializing in security awareness and physical compromise engagements. He's outspoken, friendly, always wearing a smile, and besides working in the field, he's also the InfoSec Ranger at Pwnie Express, and is well-known for his books and conference talks around the world.

Symantec. Internet Security Threat Report. Vol. 21. April, 2016

May 18, 2016

Symantec has established one of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 63.8 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services, such as Symantec DeepSight™ Intelligence, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.

Killed by Proxy: Analyzing Client-end TLS Interception Software

May 17, 2016

To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the middle of the host’s communications. We set out to analyze such proxies as there are known problems in other (more matured) TLS processing engines, such as browsers and common TLS libraries. Compared to regular proxies, client-end TLS proxies impose several unique constraints, and must be analyzed for additional attack vectors; e.g., proxies may trust their own root certificates for externally-delivered content and rely on a custom trusted CA store (bypassing OS/browser stores). Covering existing and new attack vectors, we design an integrated framework to analyze such client-end TLS proxies. Using the framework, we perform a thorough analysis of eight antivirus and four parental-control applications for Windows that act as TLS proxies, along with two additional products that only import a root certificate. Our systematic analysis uncovered that several of these tools severely affect TLS security on their host machines. In particular, we found that four products are vulnerable to full server impersonation under an active man-in-the-middle (MITM) attack out-of-the-box, and two more if TLS filtering is enabled. Several of these tools also mislead browsers into believing that a TLS connection is more secure than it actually is, by e.g., artificially upgrading a server’s TLS version at the client. Our work is intended to highlight new risks introduced by TLS interception tools, which are possibly used by millions of users.

Top 15 Android Hacking Apps and Tools of 2016

May 16, 2016

Android smartphones can run penetration tests and security tests with the help of hacking apps. With a few applications and basic knowledge of the true capabilities of your Android smartphone, you, too, could dig into the world of hacking.

So, here we are sharing a list of 15 Android hacking tools and apps that will turn your Android smartphone into a hacking machine.

Payment Card Industry Security Standards Council Releases PCI Data Security Standard

May 10, 2016

WAKEFIELD, Mass., 28 April 2016 — Today the PCI Security Standards Council (PCI SSC) published a new version of its data security standard, which businesses around the world use to safeguard payment data before, during and after a purchase is made. PCI Data Security Standard (PCI DSS) version 3.2 replaces version 3.1 to address growing threats to customer payment information. Companies that accept, process or receive payments should adopt it as soon as possible to prevent, detect and respond to cyberattacks that can lead to breaches. Version 3.1 will expire on 31 October 2016.

The update to the standard is part of the regular process for ensuring the PCI DSS addresses current challenges and threats. This process factors in industry feedback from the PCI Council’s more than 700 global Participating Organizations, as well as data breach report findings and changes in payment acceptance.

Have Software Developers Given Up? Sorry, You're One of Them!

May 09, 2016

Have you ever wondered how you failed? Is it only about security, or about UI too? Stop guessing: we would like to share with you an awesome collection of software failures from a software developer. Here is his quote:

Over the last few years it feels like the quality of software and services across the industry is falling rather than climbing. Everything is always beta (both in name and quality). Things are shipped when marketing wants them to rather than when they’re ready because “we can easily patch them”. End users have basically become testers, but it’s ok, because this is Agile. We’ve started coding to expect failure and somehow with it decided that failure is normal and expected and we don’t need to put so much effort into avoiding it. Supporting millions of customers is complicated so we don’t bother. Why waste time reading bug reports from users when you can just send them into an endless maze of help links with no contact information?

I never used to be this grumpy. The last few years I’ve seen so many ridiculous errors in software and on websites that I just can’t help but feel a little embarrassed about what we (as software devs) are unleashing on the world. I know we’re a young, inexperienced industry and that there aren’t enough skilled devs to go around but lately it feels like we’re really not even trying.

Here’s a collection of some screenshots I’ve taken just in the last month showing what I mean. Is it just me? Am I really unlucky? Or does this happen to everyone and it’s just me that likes to put effort into being vocal and annoyed by it?

Your Android app as a crime scene! Isn't yours?

May 09, 2016

An awesome post from another team that cares about application performance, security, privacy, etc.

We will quote the parts related to security & privacy:

Version Control System:
 - Do you have a properly configured *ignore file so IDE metadata files and other extraneous elements are not under version control?
 - Are third-party libraries versioned in the repository rather than configured as an external dependency?

Build Tools:
 - Are you using libraries your project does not need?
 - Are the external dependencies up to date?
 - Are you respecting every third-party library license?
 - Is the project using any deprecated or abandoned/unmaintained third-party library?
 - Are the keystore credentials and Google Play Store credentials stored in a secure place?
 - Are the application keystore and the credentials stored in a secure place?

Permissions Usage:
Asking for the right permissions builds trust among your users and can help your app walk the extra mile and seamlessly integrate with other services to deliver a delightful experience to your users.
 - Are all the requested permissions really needed?
 - Is there any permission used maliciously?
 - Is there any permission missing?
 - Is the target SDK greater than 23, and are the "dangerous permissions" requested using the compatibility permissions system?
 - Are the permissions requested when they are going to be used?
 - Is there any feedback shown to the user explaining why the permission is needed?

Security Issues:
As developers we need to be conscious about our app's security; we don’t want our users’ data to be leaked or their sessions stolen.
 - Is the HTTP client configured to use HTTPS?
 - Is the HTTP client configured to use certificate pinning and message authentication with HMAC?
 - Is the application persisting sensitive user information? Where?
 - Is the application persisting information outside the internal storage system?
 - Is the application logging traces when running a release build?
 - Is the application code obfuscated?
 - Is the application exposing any Android content provider, receiver or service to other applications?
 - Is the application's "debuggable" value disabled in the release build?

Performance:
Performance is critical. Nobody wants to use a crappy, sluggish app on their $400-600 device. Performance is $.
 - Does the application have any memory leak?

Storage Implementation:
 - Where is the information stored?
 - Are you reading/writing data from/in the storage using transactions?
 - Is the storage saving sensitive user information securely?
 - Is the storage layer using any third-party libraries?
 - Is the storage layer leaking implementation details?
 - Are the storage tables/schemas properly modeled?
 - Are the queries sent to the storage optimized?
 - Are the Android SDK persistence APIs used to store the data in the correct place? Data to the database, preferences or small data to the Shared Preferences, and files to disk?

Below you will find a link to the full article written by Pedro Vicente Gómez Sánchez.
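Several of the Permissions Usage and Security Issues questions above (debuggable flag, cleartext traffic, exported providers/receivers/services without a permission, dangerous permissions, target SDK below the runtime-permission threshold) can be checked mechanically against the manifest. The script below is an added example, not code from the quoted article; it assumes a decoded plain-XML AndroidManifest.xml such as apktool produces, and the sample manifest is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# ElementTree reports namespaced attributes as "{uri}local", so build the android: prefix once.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{" + ANDROID_NS + "}"

# Subset of Android runtime ("dangerous") permissions; real permission names, list not exhaustive.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
}

# The component types the checklist asks about; activities are skipped so the launcher is not flagged.
IPC_COMPONENTS = ("service", "receiver", "provider")


def is_exported(component):
    """True if another app can reach this component.

    An explicit android:exported wins. Without it, a component that declares an
    intent-filter is exported by default; providers are treated as exported too,
    the conservative reading for apps targeting old API levels.
    """
    exported = component.get(A + "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None or component.tag == "provider"


def audit_manifest(manifest_xml):
    """Return a list of human-readable findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml.strip())
    findings = []

    app = root.find("application")
    if app is not None:
        if app.get(A + "debuggable", "false").lower() == "true":
            findings.append("android:debuggable=true (must be false in a release build)")
        if app.get(A + "usesCleartextTraffic", "false").lower() == "true":
            findings.append("android:usesCleartextTraffic=true (plain HTTP allowed)")
        for tag in IPC_COMPONENTS:
            for component in app.findall(tag):
                name = component.get(A + "name", "<unnamed>")
                if is_exported(component) and component.get(A + "permission") is None:
                    findings.append(f"exported {tag} {name} is not protected by android:permission")

    for perm in root.findall("uses-permission"):
        name = perm.get(A + "name", "")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(f"dangerous permission requested: {name}")

    # apktool may move <uses-sdk> into apktool.yml; if it is absent nothing is reported here.
    sdk = root.find("uses-sdk")
    target = sdk.get(A + "targetSdkVersion") if sdk is not None else None
    if target is not None and int(target) < 23:
        findings.append(f"targetSdkVersion {target} < 23: runtime permission prompts not in effect")

    return findings


# Constructed sample manifest (not from any real app) that trips several of the checks.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Demo" android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"
              android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="false"/>
    <service android:name=".UploadService" android:exported="true"
             android:permission="com.example.demo.UPLOAD"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

Run against a real decoded manifest the output is a triage list, not a verdict: an exported provider may be intended, but it should then carry a permission or a deliberate justification.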

One step closer to understanding what applications do (Mobile Security Framework)

May 09, 2016

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer, which can do information gathering, analyze security headers, and identify mobile-API-specific vulnerabilities like XXE, SSRF, path traversal, IDOR, and other logical issues related to session handling and API rate limiting.

Dark Web. What can you find there?

May 04, 2016

Hold Security is reporting that one of its researchers discovered, and then acquired, a mega-size load of 272 million stolen email credentials from a hacker.

The security research firm said the batch came from a “Russian kid” that one of its analysts found who had gathered 1.17 billion stolen credentials, from Google, AOL, Yahoo and Mail.ru, from various places on the dark web. When Hold's team boiled this list down, comparing the newly acquired data to data already in its possession, it found 272 million of the email credentials were unique with 42.5 million having never been disclosed. The remainder were already known to be compromised.

In spite of the huge volume of records that were found, the price paid to the hacker by Hold Security is even more amazing.

Nothing.

The original asking price was 50 Rubles, less than $1, but Hold bargained the hacker down.

An insider's look at iOS security

April 23, 2016

Apple's battle with the FBI portrays them as a security hero going to great lengths to protect user privacy, but our beloved iPhones may not be as secure as many believe.

Hackers can spy on your calls and track location, using just your phone number

April 19, 2016

The global telecom network SS7 is still vulnerable to several security flaws that could let hackers and spy agencies listen to personal phone calls and intercept SMSes on a potentially massive scale, despite the most advanced encryption used by cellular networks.

All one needs is the target's phone number to track them anywhere on the planet and even eavesdrop on their conversations.

SS7, or Signalling System Number 7, is a telephony signaling protocol used by more than 800 telecommunication operators around the world to exchange information with one another, handle cross-carrier billing, enable roaming, and provide other features.

The Location Data From Just Two Of Your Apps Is Enough To Identify You

April 19, 2016

A new report from researchers at Columbia University and Google has found that geotagged posts on just two social media apps are enough to draw a line back to a specific user.

Their findings show that digital traces, or metadata, left in the apps by most people are so distinctive that most people could be identified from just a few data points within a single data set. Leaving on geotagging, which many people do to provide locations on Instagram photos and tweets, was just one example of the trail left behind that could be used to connect that anonymous Bieber fan Twitter account to your personal LinkedIn account.

“For example, on LinkedIn you are likely to use your real name … but maybe you are also using Tinder or some or other application which you would not want linked back to your real name,” said Chaintreau. “Using the data in what you have posted, those accounts could be linked, even if in one of them — say Tinder— you believed you were operating in ghost mode.”

The equivalent of about $20, or the cost of a large pizza, is the amount of cash

January 01, 2020

The equivalent of about $20, or the cost of a large pizza, is the amount of cash British kids would accept in exchange for handing over their personal information, a study has found.

IT solutions and managed service firm Logicalis found kids (aged 13-17) were “instinctively digital” and that they fully comprehended the value of their personal information. Not only were the young scoundrels completely au fait with how much their personally identifiable information (PII) was worth, they were quite happy to sell it—if it meant they didn’t have to work.

NowSecure has published a mobile security report

April 18, 2016

NowSecure has published a mobile security report. Here's a quote:

A clear view into the state of mobile security
IT and security pros can use this report to make informed decisions about managing and securing mobile devices, mobile apps, and their enterprises’ mobile ecosystem.
Our research uncovered a number of eye-opening mobile security statistics including:

    * 24.7 percent of mobile apps include at least one high-risk security flaw
    * The average device connects to 160 unique IP addresses every day
    * 35 percent of communications sent by mobile devices are unencrypted
    * Business apps are three times more likely to leak login credentials than the average app
    * Games are one-and-a-half times more likely to include a high risk vulnerability than the average app

Do you ever think about how much time developers need to fix a vulnerability?

April 17, 2016

It takes almost a year to fix a simple vulnerability. Check the timeline for the Panda SM iOS app!

Timeline

July 19, 2015 - Notified Panda Security via security () pandasecurity com; e-mail bounced
July 20, 2015 - Resent vulnerability report to corporatesupport () us pandasecurity com & security () us pandasecurity com
July 20, 2015 - Panda Security responded stating they will investigate
July 31, 2015 - Asked for an update on their investigation
August 3, 2015 - Panda Security responded stating that the issue has been escalated and is still being reviewed
August 14, 2015 - Asked for an update on their investigation
October 16, 2015 - Asked for an update on their investigation
March 1, 2016 - Panda Security released version 2.6.0 which resolves this vulnerability

GSMA outlines thoroughly sensible IoT security rules

February 14, 2016

The set of guideline documents promotes a methodology for developing secure IoT services to ensure security best practices are implemented throughout the life cycle of the service. The documents provide recommendations on how to mitigate common security threats and weaknesses within IoT services.

The scope of the document set is limited to recommendations pertaining to the design and implementation of IoT services and network elements. This document set is not intended to drive the creation of new IoT specifications or standards, but will refer to currently available solutions, standards and best practice.

Download all files here

Finding Application Data Leaks with Privacy Scope

February 09, 2016

Privacy Scope analyzes unmodified application binaries as they run to accurately track the movement of sensitive data. It can detect when and where applications reveal sensitive data to check that they respect security and privacy policies. The Privacy Scope graphical user interface illustrates that it can track keyboard inputs, file reads/writes, and network activities (left). Privacy Scope tracks and updates the memory map as the sensitive input data is processed by the application. The highlighted region in the figure shows in real time where the sensitive data is being stored in the application's memory space (middle). It notifies the user immediately if any copies of the sensitive data are leaked to local files or sent to remote servers (right). The user can see the details of the leak in the last window.

Every developer rushes to ignore the data protection / Interview with DefCamp speaker

February 04, 2016

Data protection is nowadays a hot topic in every industry, whether we are talking about private companies or governmental institutions. This is why we asked Yury Chemerkin, a speaker at DefCamp in 2015 and 2014, to tell us a bit more about how companies and individuals are dealing with this threat.

A few words about the importance of including mobile devices in your pentesting program

February 01, 2016

Do you think you can build your security in alignment with best practices while excluding critical points in your infrastructure? Get the unexpected truth from a great speaker, Georgia Weidman (M.S. in Computer Science), who is a penetration tester, security researcher, and trainer. Her work in the field of smartphone exploitation has been featured in print and on television internationally.

Integrating Mobile Devices into Your Penetration Testing Program
Though still an imperfect science in many ways, penetration testing is often our only way of assessing the effectiveness of our security programs against actual attackers. As mobile devices enter the enterprise en masse, much focus has been on securing them and limiting the risk of BYOD using EMM, MDM, MIM, pick your favorite security control acronym. While many shops are engaging in code review, static analysis, pentesting, etc. against custom mobile applications built in house, even enterprises with mature security programs are often ignoring mobile devices and the surrounding infrastructure in their security testing. It seems like common sense to provide adequate security testing for all devices on corporate networks, particularly when spending large chunks of budget on security controls around BYOD. If we have DoS protection, we put it in front of staging and hit it with DoS attacks. If it falls down, the control is not providing return on investment. If we have a patch management practice we make sure there are no missing patches leading to compromise during our penetration tests, and if there are, we augment our security program accordingly. We need to be doing the same around mobile. How secure are these devices really against attack? If they are compromised, what data on the device is in jeopardy? What other assets in the enterprise are now at risk of attack from the compromised mobile device? By using traditional penetration testing techniques augmented for the unique attack vectors for mobile devices we can assess these risks and get a clear picture of the risk of BYOD in the environment. In this workshop we will discuss techniques along with live demonstration scenarios of penetration tests on mobile devices and the surrounding infrastructure. From mobile phishing to undermining security controls to using compromised mobile devices as pivot points, the mobile risk is real and we need to be simulating it in our security testing.
We will discuss how these techniques can augment and extend penetration testing and how they can be seamlessly integrated into your existing security program.

Untrusted mobile applications. Will you uninstall your 'leakageable' apps?

January 31, 2016

Pretty interesting research results on data security & privacy:

Untrusted Mobile Applications. State of Art of Security App-Apocalypse
Security and privacy of mobile applications have been under fire in recent years, since 2010. Native and 3rd-party apps like Gmail or Instagram have had various problems with data protection. You could find credentials or sensitive information in plaintext, in logs, everywhere. There were many recent disclosures about it in 2014, diving into transport security, stored data, log leakages and encryption fails. On the other side, the mobile market has been growing very fast. Mobile apps go everywhere and are carried everywhere. Software development pays too little attention to the security it needs. Some methodologies prevent vulnerabilities and known security fails during the compilation process. Most secure coding guides are implemented wrongly, even when written by Apple or Google. Both factors (insecurity and a growing market) lead us to the App-Apocalypse. Do we really have a solution? Having a good understanding of the security mechanisms of the mobile environment (incl. applications) can help keep our devices more protected. Only findings in apps made by security-trained experts are a way to decrease the level of untrustworthiness.
However, the security life-cycle looks like “we’ve done it once, let’s stop here”. But we can’t really stop anywhere. New apps are being released, new updates are coming. We really have to talk about a community-based knowledge database on data insecurity. It’s the first step. If you are familiar with the NVD or CVE databases, you should know they don’t contain anything about data protection of mobile apps. We found a few records in them. It absolutely doesn’t mean the databases are very bad; these databases have solved other problems by design since they appeared. The second step is a way to keep users informed about insecurity use cases. In fact, it’s about mobile security awareness. If you go with your device to a public place, you should know which applications fail to protect your data and what data may leak out of your devices. There are many cases when you prefer to wipe your app data before doing something, but you don’t know which application you have to apply ‘wiping’ to. Moreover, corporate mobile users have another way to control their data by implementing EMM solutions. Does it solve the problem? No, it doesn’t, because to control it, they have to know exactly what data is out of protection. However, they have an opportunity to protect it by sandboxing app data at rest and VPNing data in transfer at the application level. It’s a quick way to bypass the real problem and it works at the moment. What should non-corporate users do, and is there any solution for them? No solutions; even AV (antivirus) solutions can’t help because their goal is preventing malware spreading. This presentation is going to present new results on mobile app insecurity and a way to solve the current problem for the general public.

Each day like Holiday or Cybercrime (by TrendMicro)

November 30, 2015

Dissecting Data Breaches – The Everyday Cybercrime

Data breaches are daily news items. Reports of data breaches in Government, Hospitals, Universities, Financial Institutions, Retailers, etc. A wide range of sensitive data is compromised across all industries from businesses both big and small, and also from individuals. These include: Personally Identifiable Information (PII), Financial data, Health data, Education data, Payment Card data, Login Credentials, Intellectual Property, etc. In this talk we present statistical analysis of publicly disclosed data breach incident reports. We look at the different types of crimes commonly committed using stolen sensitive data. We survey criminal marketplaces hosted in the Deep Web to profile the different types of sensitive data available for purchase and their asking prices. Finally we outline defensive methods businesses and individuals can practice to prevent becoming victims of data breach crimes.

Practicing reversing apps and want to know how to avoid jailbreak protection?

October 22, 2015

The app refuses to run on jailbroken devices. I press a button. What happens now? I have patched one instance of jb detection but it is run again elsewhere. How can we find all of them? Where does the app use this method of this object?

Semi-automated mapping of iOS binaries

Since his childhood Zsombor Kovács’s favourite hobby has always been to take things apart and put them together again if luck was on his side – so as a penetration tester he has found the job of his dreams. He has worked in all kinds of projects, from breaking into wi-fi networks through protocol analysis and social engineering to testing web applications. He prefers physical penetration testing, which makes him visit places where he shouldn’t be.

1Password to change file formats after key file found to contain unencrypted data

October 19, 2015

1Password makers AgileBits have promised to change one of the default file formats in the software in response to a blog post by Microsoft engineer Dale Myers, who revealed that an AgileKeychain file was displaying unencrypted metadata. In its defense, AgileBits insisted that AgileKeychain was still secure, and noted that the format dates back to 2008 when the company was concerned about speed and battery drain problems caused by encryption. It introduced a secure format called OPVault in December 2012, but chose not to automatically migrate everyone since the switch might cause compatibility problems with older versions of 1Password.

Unexpected truth: the Viber team classified user passwords as personal data that must be stored on servers

October 18, 2015

“In Russia, phone numbers, logins and passwords of users will be kept. We do not store messages; they are on the users’ devices,” a Moscow representative of Viber said. According to the company’s lawyers, messengers also fall under the law that requires personal data of Russians to be stored on servers located on the territory of the country.
If original link doesn't work, use this one

Camera360. ANOTHER POPULAR ANDROID APPLICATION, ANOTHER LEAK

October 18, 2015

FireEye researchers discovered SSL vulnerabilities in the widely used Camera360 app and many other popular applications. These vulnerabilities were exploitable by Man-in-the-Middle (MITM) attacks and posed a serious threat to user privacy.

UPDATE 9/15/15: FireEye worked closely with the Camera360 team to address the personal information leaks that are described in this blog. The Camera360 team responded quickly and worked diligently to address the issues. In particular, their latest release of the Camera360 app, version 7.0, no longer leaks the password hash and email address to logcat. Camera360 has informed us that they will perform a comprehensive check on all HTTP portals and apply dynamic token refresh in October 2015. For the leaks affecting users of Camera360 v6.2.3 and earlier versions, code in previous versions cannot be modified now, so Camera360 is encouraging their users to update to avoid any possible hidden threats.

Have you ever wondered whether privacy issues lead to uninstalling mobile apps?

October 14, 2015

After initially downloading an app, we tend to dive right into its features and decide whether or not it’s worth the storage space on our mobile devices or tablets. According to an infographic created by International Translation Resources (ITR) on the reasons why consumers uninstall their mobile applications, users cited 'privacy concerns' as the third reason for deleting apps.

AppSec, the untrustable dev

May 31, 2015

We have lost the war for secure software; hackers won, because code contains vulnerabilities anyway -- such is the current state of software production, such is the quality of developers. Let's face it: general devs will never care about security. QA methodologies and EH robots may change the landscape of AppSec someday. Until then, let's focus on those few developer brigades who are disposed to improve. Secure coding training is essential and should be used in conjunction with vuln audits and coaching. Only findings in software made by such trained brigades are to cause satisfaction for a real EH professional. And please LOL at those clients who still believe they cannot afford preventive AppSec.

Researchers find data leaks in Instagram, Grindr, OoVoo and more

September 07, 2014

Private messaging isn't so private, say University of New Haven researchers who found Android apps transmitting and storing unencrypted images, chats, screenshots and even passwords. By sniffing out the details of network communications, University of New Haven researchers have uncovered a host of data-leakage problems in Instagram, Vine, Nimbuzz, OoVoo, Voxer and several other Android apps.

Worldwide News