The security of the Android mobile platform has always been a topic of debate. Due to Google’s open ecosystem and less invasive app policing policies, researchers argue that the Google Play marketplace is home to numerous malicious apps. Reports have surfaced over the past few years that claimed even applications from legitimate companies — such as Facebook, Skype and Path — were exploiting Android permissions and secretly accessing data. Paul Brodeur of Leviathan Security had a simple question: what data can an app access when it has no permissions? What he found may be shocking.
U.K.-based Android and iOS app developer Gareth Wright recently discovered a security hole in Facebook’s native mobile apps that can be used to steal a user’s personal information. Facebook’s Android and iOS apps do not encrypt login credentials, instead storing them in plain text files and allowing the information to be easily accessed and transferred over a USB connection, or more likely, through a malicious app. Wright explained in a blog post that Facebook’s plist file, or property list file containing personal data, is stored insecurely and not set to expire for 2,000 years. Once a plist file is copied to another device, one can simply open the normal Facebook app and will automatically be logged in to the user’s account. Wright’s claims were confirmed by TheNextWeb, which also discovered that Dropbox’s iOS app includes the same security hole. The vulnerabilities do not require a device to be jailbroken or rooted, and exploits can be performed with a simple file explorer.
Update: Dropbox reached out to BGR regarding the issue; the company’s statement can be found after the break.
Notorious hacker group “Anonymous” on Thursday claimed responsibility for attacks on several government Web sites in China. The group has launched various Internet attacks on the country over the past week in response to what it believes to be strict and unfair laws. “All these years, the Chinese Communist government has subjected its People to unfair laws and unhealthy processes,” the group wrote on one Chinese website. “Dear Chinese government, you are not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall.” The group goes on to warn that further attacks are on the horizon. “So expect us because we do not forgive, never. What you are doing today to your Great People, tomorrow will be inflicted to you. Nothing will stop us, nor your anger nor your weapons. You do not scare us, because you cannot afraid an idea.” Anonymous also acknowledged the Chinese people directly, telling them to remain optimistic, “Don’t loose hope, the revolution begins in the heart.”
Lookout Mobile Security on Tuesday published a report stating that a known malicious Android program has been updated with the ability to harm a device without depending on a user’s interaction. The new version of the “Legacy Native” (LeNa) app utilizes an exploit called GingerBreak to gain root permission on Android phones. The new variant of LeNa hides its payload just past the End of Image marker of an otherwise fully-functional JPEG. The malware is then able to communicate with a command and control server to install and launch packages unbeknown to the phone’s user. According to the report, this new version of LeNa is currently being distributed in a fake version of Angry Birds Space, but the malicious program is not believed to have made its way into the Google Play marketplace at this time.
A report emerged last week from a security researcher claiming Microsoft’s Xbox lacked important security features that might protect owners who sell used consoles from having personal information stolen. Ashley Podhradsky of Drexel University claimed to have purchased a used Xbox console and used readily available hacking tools to recover the prior owner’s credit card number and other personal information. “Microsoft does a great job of protecting their proprietary information, but they don’t do a great job of protecting the user’s data,” Podhradsky said at the time.
Research in Motion’s BlackBerry operating system has gone from being a leading smartphone platform to the struggling OS it is today. While adoption rates may be slowing with consumers and businesses, the same cannot be said for U.S. Government workers, a new report claims. The Washington Post on Tuesday reported that nearly half a million federal workers, including President Barack Obama, are still using BlackBerry phones. That number hasn’t dipped over the past few years despite RIM’s plummeting sales. “We appreciate RIM’s focus on security, which is paramount for government use,” said Casey Coleman, chief information officer at the General Services Administration. Some agencies are changing their policies and allowing workers to choose other smartphones, however, which may impact BlackBerry’s government market share moving forward. Coleman added that other platforms are proving equally secure, and that the GSA places “a priority on adoption where appropriate of innovative new technologies.”
Following a massive security breach, Visa has dropped Global Payments from its registry of providers that meet data security standards, The Associated Press reported on Monday. Global Payments CEO Paul Garcia said that the company will continue to process Visa transactions; however, being dropped from the registry “could give our partners some pause that they’re doing business with someone who experienced a breach.” Garcia fully expects his company to be reinstated once it has been issued a new report of compliance, although he declined to specify when that might happen. The CEO maintains that the situation is “absolutely contained” and is being fully investigated. Global Payments confirmed on Sunday that hackers stole credit card numbers belonging to as many as 1.5 million MasterCard and Visa customers; however, cardholder names, addresses and Social Security numbers were not compromised. The company plans to set up a website to assist consumers who might have been affected by the breach.
Hackers stole credit card numbers belonging to as many as 1.5 million MasterCard and Visa customers, Global Payments, Inc. confirmed on Sunday. The international credit card processor was blocked by Visa after it reported the possibility of a major security breach on Friday. The company did not indicate how the hackers gained access to its system or who might be responsible for the attack. “Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained,” the firm told The Wall Street Journal while noting that cardholder names, addresses and Social Security numbers were not compromised. The company did say that the credit card numbers were downloaded during the attack rather than just being accessed, however, indicating that the perpetrators may intend to use the information to create counterfeit credit cards. Affected Visa and MasterCard customers have not yet been notified that their account information was stolen.
Android users who are looking to sell their old devices should be wary of the possible consequences. McAfee identity theft researcher Robert Siciliano warned that personal data from Android devices is not completely removed after a user activates the built-in wipe option, The Los Angeles Times reported on Friday. “What’s really scary is even if you follow protocol, the data is still there,” Siciliano said. If you have a BlackBerry or Apple device, Siciliano said your data can be fully deleted by following the manufacturer’s directions. As for smartphones running the Android operating system and computers running Windows XP, Siciliano recommends that people don’t bother with selling them at all. “Put it in the back of a closet, or put it in a vise and drill holes in the hard drive, or if you live in Texas take it out into a field and shoot it,” he said. “You don’t want to sell your identity for 50 bucks.” To test the security of various platforms, Siciliano purchased 30 smartphones and computers from Craigslist. The researcher was able to access personal data from 15 of the 30 devices through his own hacking efforts and the help of a forensic expert. The data obtained included bank account information, Social Security numbers, child support documents and credit card account log-ins.
Notorious hacker group Anonymous has previously stated its intentions to shut down the Internet on Saturday, March 31st, as a form of protest. “To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, on March 31, anonymous will shut the Internet down,” the group stated last month. “Remember, this is a protest, we are not trying to ‘kill’ the Internet we are only temporarily shutting it down where it hurts the most.” Operation Global Blackout 2012 looks to shut down the Internet by disabling its core DNS servers, thus making websites inaccessible. Cyber security experts claim that it is unlikely that such an attack would be effective, however, and there is really no need to fear.
As a standard security measure, Apple’s iPhone can be set to require a four-digit passcode whenever the phone’s screen is powered on in order to prevent unauthorized access. With passcode security enabled, a user’s information is theoretically kept private if his or her device ever falls into the wrong hands. A recent Forbes report reveals that law enforcement agencies can bypass the iPhone’s passcode requirement in less than two minutes, however, gaining access to all of the private data stored on the devices.
Researchers from North Carolina State University have found that mobile applications that integrate advertisements pose privacy and security risks. The team conducted a study that examined 100,000 apps from the Google Play market and noticed that more than half contained “ad libraries,” while 297 of the apps included “aggressive ad libraries” that could download and run code from remote servers. Researchers also found that more than 48,000 of the apps that were examined could track location via GPS, while others could access call logs, phone numbers and a list of all the apps a user has stored on his or her phone.
The United States Transportation Security Administration recently invested $1 billion in body scanner technology it claimed would make air travel safer, but the scanners have come under fire since the agency first revealed its intentions. Some people argued that the nude scanners were an invasion of privacy while others were concerned with radiation emitted by the machines. Now, however, it appears as though past arguments pale in comparison to recent information brought to light by scientist and blogger Jonathan Corbett.