Posted by Kevin on October 8, 2014.
The ITsecurity daily security briefing: Wednesday, October 8, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
Bugzilla issues security update
Bugzilla, a widely used web-based bug-tracking system, issued a security update on Monday. One of the fixes was for ‘Unauthorized Account Creation’. “The ‘realname’ parameter is not correctly filtered on user account creation, which could lead to user data override,” says the security advisory.
Brian Krebs yesterday gave more details from the bug finder: “‘Our exploit allows us to bypass that and register using any email we want, even if we don’t have access to it, because there is no validation that you actually control that domain,’ said Shahar Tal, vulnerability research team leader for Check Point. ‘Because of the way permissions work on Bugzilla, we can get administrative privileges by simply registering using an address from one of the domains of the Bugzilla installation owner. For example, we registered as firstname.lastname@example.org, and suddenly we could see every private bug under Firefox and everything else under Mozilla.’”
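The advisory's "user data override" is the classic shape of an unfiltered registration parameter landing in fields the form was never meant to set, with domain-based privileges then attaching to an address nobody verified. The following is an added illustration written for this briefing, not Bugzilla's code or its actual patch; the field names, `PRIVILEGED_DOMAINS` value and token handling are assumptions:

```python
# Illustrative registration logic written for this note; not Bugzilla's code.
# The reported flaw: an unfiltered 'realname' parameter on account creation
# could override other user data, and an account on the installation owner's
# domain then inherited privileges. Two defensive controls are shown (assumed
# fix shapes, not the actual patch): an explicit field allow-list, and
# domain-based group membership granted only after the address is verified.
import re
import secrets

ALLOWED_FIELDS = {"login_name", "realname"}   # never 'groups' or 'verified'
PRIVILEGED_DOMAINS = {"example.org"}          # constructed sample value
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def create_account_unsafe(params: dict) -> dict:
    """Vulnerable shape: every submitted parameter lands in the record."""
    user = {"groups": [], "verified": False}
    user.update(params)   # 'groups' / 'verified' overridden by the request
    return user


def create_account(params: dict) -> dict:
    """Hardened shape: allow-listed fields, privileges gated on verification."""
    unexpected = set(params) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    login = str(params.get("login_name", "")).strip()
    if not EMAIL_RE.match(login):
        raise ValueError("login_name must be a valid email address")
    # realname is display text only: strip control/markup characters, cap length
    realname = re.sub(r"[^\w .'-]", "", str(params.get("realname", "")))[:255]
    return {"login_name": login, "realname": realname, "verified": False,
            "groups": [], "verify_token": secrets.token_urlsafe(16)}


def confirm_email(user: dict, token: str) -> dict:
    """Domain-based privileges attach only once the mailed token comes back."""
    if not secrets.compare_digest(token, user["verify_token"]):
        raise PermissionError("bad verification token")
    user["verified"] = True
    domain = user["login_name"].rsplit("@", 1)[1].lower()
    if domain in PRIVILEGED_DOMAINS:
        user["groups"].append("staff")
    return user
```

The unsafe variant is kept only to show the override; in practice the allow-list rejection and the verification gate are the two checks to look for in any self-registration path.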
Is Symantec doing an HP?
Bloomberg thinks so: “Symantec Corp. (SYMC) is exploring a breakup, according to people with knowledge of the matter, joining other large technology companies that are trying to make their businesses more focused and nimble.
“The Mountain View, California-based software company is in advanced talks to split up its business into two entities, with one that sells security programs and another that does data storage, said the people, who asked not to be identified because the conversations are private. An announcement may be a few weeks away, one of the people said.”
A brief history of the Adobe book spying story
Nate Hoffelder at The Digital Reader reported Monday, “Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text…
“Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.”
Adobe responded, “All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers… User privacy is very important to Adobe…”
“Update: [from Digital Book World] Adobe acknowledges that transmitting unencrypted data could pose a security risk: “In terms of the transmission of the data collected, Adobe is in the process of working on an update to address this issue.” Adobe says further that more information on when that update will be in place and of what it will consist is forthcoming.”
And Adobe used to be such a nice company.
The Digital Reader:
Twitter takes the fight for #transparency to court
“As part of our latest transparency report released in July, we described how we were being prohibited from reporting on the actual scope of surveillance of Twitter users by the U.S. government. Our ability to speak has been restricted by laws that prohibit and even criminalize a service provider like us from disclosing the exact number of national security letters (‘NSLs’) and Foreign Intelligence Surveillance Act (‘FISA’) court orders received — even if that number is zero…
“So, today, we have filed a lawsuit in federal court seeking to publish our full Transparency Report, and asking the court to declare these restrictions on our ability to speak about government surveillance as unconstitutional under the First Amendment.”
The court filing is here.
Tech and telecoms groups fight to dominate ‘internet of things’
“An intense battle is developing between technology and telecoms groups over who will provide the software and services to enable the internet of things. At the moment the market is fragmented, but companies including Arm, Google and Vodafone are trying to secure leading positions in the technology infrastructure that will provide connections to smart devices.
“Technology companies such as Apple and Google have achieved dominant positions in the smartphone market – much to the dismay of some telecoms groups. But analysts say these groups have a chance to claim significant roles in the development of the internet of things, also known as the machine-to-machine communications market, because it usually involves one device connecting with another.”
A new and effective method for encrypting telephone conversations
“Professor Lars Ramkilde Knudsen from DTU Compute has invented a new way to encrypt telephone conversations that makes it very difficult to ‘eavesdrop’. His invention can help to curb industrial espionage…
“‘When my phone calls you up, it selects a system on which to encrypt the conversation. Technically speaking, it adds more components to the known algorithm. The next time I call you, it chooses a different system and some new components. The clever thing about it is that your phone can decrypt the information without knowing which system you have chosen. It is as if the person you are communicating with is continually changing language and yet you still understand,’ he says.
“Because any eavesdroppers would have to decipher the encryption key and encryption method—and both are thrown away by the phone after each call and replaced by a new combination—the conversation is extremely difficult to decrypt when dynamically encrypted. The new system can prove hugely effective in combating industrial espionage, says Lars Ramkilde Knudsen.”
Technical University of Denmark:
PCI 3.0 is knocking
Watch the webinar live on 16 October, 10AM UK
The implementation deadline for PCI DSS version 3.0 is right around the corner – is your organization prepared? With an evolving threat landscape, it may seem overwhelming to approach the new requirements of PCI 3.0. Join Trustwave, in partnership with ETA, for our educational webinar to help prepare you for the change.
16th October 2014: 10:00 am UK, 11:00 am Europe
New WhatsApp scam
According to Panda Security the Spanish police have issued a WhatsApp alert. “It appears that cyber-criminals have invented a new version of the messaging app: WhatsApp Oro (WhatsApp Gold). As you can probably imagine, there is no ‘Gold’ version of WhatsApp, and it’s really just another fraud to subscribe you to Premium SMS services.”
This is not the first, and it won’t be the last WhatsApp scam – it really is best to stick with the official app stores.