Tinder leaked data

If you haven’t heard, the app Tinder has had another data leak, but does this concern anyone? A security firm called IncludeSec revealed this leak last week and explained that, using simple math, a hacker could pinpoint someone's location to within 100 feet of where they actually are. This is the same issue that happened last year, and the company still did not release anything saying they had a leak in the system.

Tinder’s founder and CEO said that the app has in total been “swiped” 30 billion times, with 300 matches total, and stated that, once contacted about the issue, they fixed the leak.

Most recent leak article: http://techcrunch.com/2014/02/20/problem-in-tinder-dating-app-leaked-user-locations/

Last year's leak article: http://qz.com/107739/tinders-privacy-breach-lasted-much-longer-than-the-company-claimed/

Belkin WeMo smart home networks in danger of hacks

When the article first came out on February 18th, researchers warned that an astounding number of home automation devices, more than 500,000, have vulnerabilities that would allow hackers to take control of various items in your home, from thermostats to sprinkler systems and more. The security firm IOActive released the advisory. WeMo devices add internet connectivity to items in the home so that homeowners can control them from their smartphone while they are away.

Hackers would be able to do anything from simply turning your lights on and off to something as dangerous as starting a fire. In addition, hackers would also be able to get into the homeowner’s network, giving them access to computers and even smartphones. When IOActive put out the advisory to all WeMo users, they instructed them to discontinue using the product.

Belkin did come up with patches for the 5 vulnerabilities using firmware updates which included the following:

 

  • Update to the WeMo API server on November 5th that prevents an XML injection attack for gaining access to other WeMo devices
  • A WeMo firmware update that was published on Jan 24th that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack.
  • An update to the WeMo app for both iOS and Android that contains the most recent firmware update.

 

We are becoming such a technology-dependent society, wanting control over our homes even when we are not there, that it is growing more important for the companies that come up with these products to ensure the security of their consumers and reduce these types of risks.

 

Source:

http://news.cnet.com/8301-1009_3-57619082-83/belkin-wemo-smart-home-networks-in-danger-of-hacks/

Attention Deficit Disorder (ADD)

A concept tool that allows cyber-criminals to conceal their tracks by altering memory contents.

During ShmooCon 2014, Jacob Williams, Chief Scientist at CSR-Group and creator of DropSmack, along with co-presenter Alissa Torres, a digital-forensics investigator with Sibertor Forensics, described a concept tool that will force forensic scientists to rethink how they analyze memory used in computing equipment.

According to Mr. Williams, digital forensic scientists can no longer trust their automated tools when looking for information in memory dumps. It will soon be possible to manipulate stored data in memory and mislead experts. Forensic scientists and digital-crime investigators will therefore have their work cut out for them and will have to spend more time validating results.

Basically, a memory dump is a snapshot of everything running on a computer. A forensic analyst will use tools to parse through a memory dump looking for artifacts of a crime, misconduct, etc. If you think about your average computer today, it might have a 1TB hard drive, but only 4GB of RAM. The data on the hard drive is unencrypted for processing in memory. Memory offers an analyst a much more confined space to search for the following things:

  1. Evidence of private browsing sessions that are never written to disk
  2. Malware that only operates in memory without ever touching the disk
  3. Unsaved files
  4. Passwords typed into forms and applications

For example, a company recently told a computer employee his services were no longer needed because of his hand in data manipulation, but they didn’t actually terminate him for weeks. During that time, the employee attempted to remove traces of his illicit activity from the computer. He then challenged the termination, claiming there was no evidence for what the company alleged. The company, using memory forensics, showed that the employee altered the computer in an incriminating fashion after his termination.

The ADD tool works by creating fake artifacts in memory before a memory dump is taken. Specifically, ADD allows an attacker to preposition fake files, network connections, and processes in memory. If the computer is confiscated and a memory dump is obtained by a forensic analyst, the fake artifacts will make him wander in a maze. The tool is named so because its use would distract forensic analysts from examining the legitimate artifacts while they chase down forgeries.

Source:

http://www.techrepublic.com/blog/it-security/researchers-describe-tool-that-manipulates-ram-misleads-cybercrime-investigators/

Sony Hack October 2011: Thousands Of PlayStation Network Accounts Targeted By Massive Attack

Sony Corporation was attacked several times in 2011. In October, the specified type of attack was identity theft targeting its PlayStation Network users in Tokyo. About 93,000 accounts had their IDs and passwords successfully ascertained. The unauthorized access attempts occurred from October 7th, 2011 to October 10th, 2011.

Sony took action by temporarily locking these accounts. Sony proceeded with sending email notifications and password reset procedures to all affected customers on the PlayStation Network. Sony claims that credit card numbers linked to the accounts were not at risk. Sony has taken steps to mitigate the activity and is investigating any wrongful use of the accounts. The article states this was just a type of unauthorized-access identity theft and a server breach like on April 26th, 2011.

Source:

http://www.huffingtonpost.com/2011/10/12/sony-hack-october-2011-playstation-network_n_1006661.html

Apple releases security fix for “gotofail”

Apple has finally rolled out a fix for the security vulnerability on Mac OS X. The security flaw, which has come to be known as “gotofail”, allowed for a man-in-the-middle attack on unsecured networks. The attacker would be able to send a fake verification to the client and potentially hijack traffic. Some of the affected apps were iMessage, Mail, and FaceTime.

The issue lay hidden in Apple’s SSL implementation, where apparently a goto statement had been used improperly, resulting in the security issue. This fix comes not long after a similar fix was distributed last Friday for the same problem on iOS devices.
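The control-flow pattern behind the bug's name, as an added example that is not Apple's code and not from the original articles: a duplicated `goto fail;` after a brace-less `if` always jumps past the signature check while the error code is still 0. The function names and the stand-in checks are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the handshake steps; names are hypothetical. */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int check_signature(const char *sig) {
    return strcmp(sig, "valid-signature") == 0 ? 0 : -1;
}

/* Flawed pattern: the second `goto fail;` is not governed by the `if`,
 * so it always runs with err == 0 and the signature check is skipped. */
int verify_flawed(const char *params, const char *sig) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;                       /* duplicated line: always taken */
    if ((err = check_signature(sig)) != 0)
        goto fail;
fail:
    return err;                          /* 0 means "verified" */
}

/* Corrected form: every branch is braced and there is no stray jump,
 * so the signature check runs and its result decides the outcome. */
int verify_fixed(const char *params, const char *sig) {
    int err;
    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* "forged" is a constructed sample value that must be rejected. */
    printf("flawed accepts forged signature: %s\n",
           verify_flawed("params", "forged") == 0 ? "yes" : "no");
    printf("fixed accepts forged signature:  %s\n",
           verify_fixed("params", "forged") == 0 ? "yes" : "no");
    return 0;
}
```

Compiling with GCC's `-Wmisleading-indentation` or Clang's `-Wunreachable-code` flags this shape of mistake, and a regression test that feeds a bad signature and expects rejection catches it regardless of compiler.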

Apple has received criticism for two of their choices made on handling this issue. When Apple first admitted there was an issue, they had no fix readily available for OS X. Secondly, once a fix was found, Apple decided not to release it immediately, but wait and bundle it with the 10.9.2 release. Furthermore, Apple did not mention this security update in the patch notes.

Sources:

http://www.forbes.com/sites/andygreenberg/2014/02/25/apple-patches-its-gotofail-security-bug-for-osx-after-four-days-of-heckling/

http://www.reuters.com/article/2014/02/25/us-apple-security-idUSBREA1O1Q820140225