Android bug allowing SOP bypass a ‘privacy disaster,’ researcher warns

September 17, 2014 – 5:14 PM

Researchers are warning Android users of a major vulnerability that impacts a vital browser security mechanism called Same-Origin Policy (SOP).

The bug – called a “privacy disaster” by Tod Beardsley, an engineering manager at Rapid7 who blogged about the issue Monday – is serious because SOP, “the cornerstone of web privacy,” can be bypassed via exploitation, he explained.

While Google has patched the issue, Beardsley said in a Tuesday interview, it could still take months for many users to get the update through their device manufacturers or service providers. The bug, CVE-2014-6041, could allow an attacker to circumvent the Same-Origin Policy of the Android Open Source Platform (AOSP) browser, a concern that affects approximately 75 percent of Android users, namely those running platforms older than version 4.4.

In addition to Android users with lower-end prepaid phones being vulnerable (where AOSP may be shipped as the default browser as opposed to Chrome, for instance), tech savvy users, who simply prefer the AOSP browser, could be targets for attackers, Beardsley said.


Cleaning up after password dumps

September 10, 2014 – 8:20 PM

One of the unfortunate realities of the Internet today is a phenomenon known in security circles as “credential dumps”—the posting of lists of usernames and passwords on the web. We’re always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers’ credentials.

We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.

It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.

For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.

We’re constantly working to keep your accounts secure from phishing, malware and spam. For instance, if we see unusual account activity, we’ll stop sign-in attempts from unfamiliar locations and devices. You can review this activity and confirm whether or not you actually took the action.
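The response described in this post (test a leaked list against your own user store, then force a reset on the accounts whose leaked password actually works) as an added example; this is not Google's code, and the user records, salted PBKDF2 hashes and the "dump" are all constructed here.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed, not from the post


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}


# Constructed user store: username -> record. Only salted hashes are kept.
USERS = {
    "alice@example.com": make_user("correct horse battery staple"),
    "bob@example.com": make_user("hunter2"),
    "carol@example.com": make_user("S3cure!Pass"),
}

# Constructed leaked list in the common "user:password" dump format.
DUMP = """\
alice@example.com:wrongpassword
bob@example.com:hunter2
dave@example.com:notourcustomer
carol@example.com:S3cure!Pass
malformed line without separator
"""


def parse_dump(text: str):
    """Yield (user, password) pairs; lines without a separator are skipped, not guessed."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, _, password = line.partition(":")
        yield user.strip(), password


def credential_works(user: str, password: str, users=USERS) -> bool:
    """True only if the user exists here and the leaked password matches the stored hash."""
    rec = users.get(user)
    if rec is None:
        return False  # not our customer: nothing to protect on this site
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def triage_dump(text: str, users=USERS) -> dict:
    """Count leaked pairs that would work and flag those accounts for a forced reset."""
    total = valid = 0
    for user, password in parse_dump(text):
        total += 1
        if credential_works(user, password, users):
            valid += 1
            users[user]["must_reset"] = True
    return {"total": total, "valid": valid, "share": valid / total if total else 0.0}
```

The `share` value is the figure a team would report ("less than 2% might have worked"); accounts flagged `must_reset` are the ones to lock and notify.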


So Your Nude Selfies Were Just Hacked…

September 2, 2014 – 7:19 PM

If you haven’t been following the most recent news regarding a wide swath of celebrities whose accounts were hacked and private photos shared, you must have been having a lot of fun on Labor Day and I salute you.

Probably the very first thing most of the victimized celebrities are doing now is damage control – limiting their exposure as much as possible. Yes, their names are going to be put out there. Yes, it’s horribly embarrassing, but it’s also not a time to get caught up in self-pity (or self-blame): there’s work to be done. Being cool-headed and reducing the exposure will reduce the pain overall. Some people might go down the path of making examples out of the alleged perpetrators — but beware the Barbra Streisand effect. The harder you try to hide things, the more people want to see those things — like aerial photos of Ms. Streisand’s lavish house, for instance.

But these events bring up an interesting point: What would you do if you were a celebrity who had dodged the bullet but had similar incriminating photos on your computer, cell phone, etc.? More importantly, what should you be doing right now, this very minute, to make sure that anything you have posted to the cloud and want to keep private actually remains so?


Credit Card Breach at Home Depot

September 2, 2014 – 6:48 PM

Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

Contacted by this reporter about information shared from several financial institutions, Home Depot spokesperson Paula Drake confirmed that the company is investigating.

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”

There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market.


Malware steals Gmail password, online banking data

August 22, 2014 – 9:38 PM

University researchers have built an Android app that secretly snatches valuable personal data from other mobile apps, such as webmail, shopping and online banking.

The app, demonstrated Friday at the USENIX Security Conference in San Diego, stole login credentials from Google Gmail, a social security number from an H&R Block app, a credit card number from a NewEgg app and a bank-check image from a Chase Bank app.

The attack, developed by researchers from the University of Michigan and the University of California, Riverside, did not exploit a flaw in any of the apps.

Instead, the researchers took advantage of the operating system’s graphical user interface (GUI) design. While the malicious app was demonstrated on Android, it could theoretically work on iOS, Mac OS X and Windows, which use the same GUI design.

Because the weakness is a design problem, there is no easy fix, Zhiyun Qian, a co-author of the research, said. The GUI portion of the OS would have to be redesigned, which would cause compatibility problems for apps already in the market.