Saturday, October 25, 2014

IAF asks personnel not to use Xiaomi phones

IAF personnel and their families have been asked to desist from using the Chinese 'Xiaomi Redmi 1s' phones, as these are believed to be transferring data to servers in China and could be a security risk.

"F-secure, a leading security solution company, recently carried out a test of Xiaomi Redmi 1s, the company's budget smartphone, and found that the phone was forwarding carrier name, phone number, IMEI (the device identifier) plus numbers from address book and text messages back to Beijing," says an advisory issued by the IAF to its personnel.

The IAF note, issued some weeks back, was prepared by the intelligence unit based on inputs from the Indian Computer Emergency Response Team (CERT-In), according to IAF sources.


Thursday, October 23, 2014

New Fitbit activity tracker release, price, specs, new features

Here we look at what to expect from the next Fitbit tracker, when it will be available, and what it will cost. We're basing our report on the latest rumours and leaks, historical data, rival trackers, and recent Fitbit trademark applications for a Fitbit Surge, Fitbit Charge and PurePulse. In what may be no coincidence, just weeks after the razzmatazz unveiling of the Apple Watch, first Gizmodo and then The Verge each received leaked information on one of the new trackers.

Fitbit Charge activity tracker leak

New Fitbit Charge and Charge HR trackers: new features – Force replacement and heart-rate monitor


Thursday, October 16, 2014

This POODLE bites: exploiting the SSL 3.0 fallback

SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
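To make the fallback problem and the TLS_FALLBACK_SCSV fix concrete, here is an added example (not code from the original post or from Google) that models the exchange on both sides: a browser-style client that retries failed connections with ever lower protocol versions, a network attacker who can only break connections, and a server that either does or does not understand the signalling cipher suite. The version numbers, the SCSV value 0x5600 and the alert codes are taken from RFC 5246 and RFC 7507; the class and function names are constructed for illustration only.

```python
# Added example (not code from the original post or from Google): a model
# of the SSL 3.0 fallback dance and of TLS_FALLBACK_SCSV (RFC 7507).
# Version numbers, the SCSV value 0x5600 and the alert codes come from
# RFC 5246 / RFC 7507; the classes and function names are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int]
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)

TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = 86      # alert description added by RFC 7507
PROTOCOL_VERSION = 70            # alert description from RFC 5246

# Filler cipher suites for the ClientHello (constructed list).
CIPHER_SUITES = [0xC02F, 0xC030, 0x002F]


@dataclass
class ClientHello:
    client_version: Version
    cipher_suites: List[int]


@dataclass
class ServerResponse:
    ok: bool
    version: Optional[Version] = None
    alert: Optional[int] = None


class Server:
    """Minimal server policy: highest/lowest accepted version and SCSV support."""

    def __init__(self, max_version: Version, min_version: Version, supports_scsv: bool):
        self.max_version = max_version
        self.min_version = min_version
        self.supports_scsv = supports_scsv

    def handle(self, hello: ClientHello) -> ServerResponse:
        # RFC 7507 section 3: an SCSV-aware server that sees the SCSV together
        # with a client_version below its own maximum refuses the handshake.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.client_version < self.max_version):
            return ServerResponse(ok=False, alert=INAPPROPRIATE_FALLBACK)
        # Ordinary version negotiation: too old -> protocol_version alert.
        if hello.client_version < self.min_version:
            return ServerResponse(ok=False, alert=PROTOCOL_VERSION)
        return ServerResponse(ok=True, version=min(hello.client_version, self.max_version))


def deliver(hello: ClientHello, server: Server, attacker_drops: bool) -> Optional[ServerResponse]:
    """The network path. A network attacker who can only break connections
    (the threat model in the post) drops every attempt above SSL 3.0, which
    to the client looks like a buggy server and triggers the retry."""
    if attacker_drops and hello.client_version > SSL30:
        return None
    return server.handle(hello)


def connect_with_fallback(server: Server, attacker_drops: bool,
                          versions=(TLS12, TLS11, TLS10, SSL30)):
    """Browser-style connect: retry failed connections with the next lower
    version, adding TLS_FALLBACK_SCSV to every retry (RFC 7507 section 4)."""
    for attempt, version in enumerate(versions):
        suites = list(CIPHER_SUITES)
        if attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)
        resp = deliver(ClientHello(version, suites), server, attacker_drops)
        if resp is None:
            continue                        # failure: fall back one version
        if resp.ok:
            return ("connected", resp.version)
        return ("refused", resp.alert)      # fatal alert: stop, do not retry
    return ("failed", None)


if __name__ == "__main__":
    vulnerable = Server(TLS12, SSL30, supports_scsv=False)
    scsv_aware = Server(TLS12, SSL30, supports_scsv=True)
    no_sslv3 = Server(TLS12, TLS10, supports_scsv=False)
    print("no attacker, plain server:", connect_with_fallback(vulnerable, False))
    print("attacker, plain server:   ", connect_with_fallback(vulnerable, True))
    print("attacker, SCSV server:    ", connect_with_fallback(scsv_aware, True))
    print("attacker, SSLv3 disabled: ", connect_with_fallback(no_sslv3, True))
```

The four runs at the bottom show the point of the post: against a server that still offers SSL 3.0 and knows nothing of the SCSV, the attacker's dropped connections walk the client all the way down to SSL 3.0; the same server with SCSV support answers the downgraded retry with inappropriate_fallback, and a server with SSL 3.0 disabled answers it with protocol_version. A genuinely SSL 3.0-only server (`Server(SSL30, SSL30, True)`) is still reachable, because the client_version then equals the server's maximum, which is why the SCSV does not break old but honest deployments.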

Tuesday, October 14, 2014

Truly scary SSL 3.0 vuln to be revealed soon: sources

Gird your loins, sysadmins: The Register has learned that news of yet another major security vulnerability - this time in SSL 3.0 - is probably imminent.


Maintainers have kept quiet about the vulnerability in the lead-up to a patch release expected in the late European evening, or not far from high noon Pacific Time.


Details of the problem are under wraps due to the severity of the vulnerability.


To that end it is unknown what platforms were impacted, but as SSL is very widely used any flaw will require plenty of urgent attention ... and probably be unwelcome news to a tech community already reeling from the recent Shellshock vulnerability in Bash and the Heartbleed flaw.


The SSL flaw won't be the only thing keeping security bods and system administrators busy. A dangerous worm has been discovered exploiting a zero-day flaw (CVE-2014-4114) in all versions of Microsoft Windows and Server 2008 and 2012.



Saturday, October 11, 2014

DEFCON Router Hacking Contest Reveals 15 Major Vulnerabilities

According to the rules of the contest, an entry wasn't considered valid unless the contestant also showed proof of disclosure to the manufacturer. Here's a full list of routers in which 0-days were reported in Track 0, along with our current understanding of the fix in progress:

  • ASUS AC66U; reported, but no response from the manufacturer.
  • Netgear WNDR4700; reported, but no response from the manufacturer.
  • D-LINK 865L; reported, and manufacturer confirms it is working on a fix, currently in beta.
  • Belkin N900; reported, and manufacturer acknowledged but was unclear on providing a fix.
  • TRENDnet TEW-812DRU; reported, and manufacturer claims all reported 0-days are fixed.
  • Actiontec Q1000; reported, and manufacturer acknowledged the report.

For details please see the full contest results.

Tuesday, October 7, 2014

OMB gives DHS new powers to scan some civilian agency networks for cyber threats

OMB added this new requirement for DHS to scan civilian agency networks in the aftermath of the Heartbleed vulnerability. During that time, DHS had to get permission from agencies to scan their networks, which delayed its mitigation strategy by a few days.

DHS made it clear in May during a House hearing that it needed Congress to give it more authorities to scan agency networks.

Andy Ozment, the assistant secretary of the Office of Cybersecurity and Communications in DHS, told Federal News Radio in an interview before OMB issued the FISMA guidance that when DHS doesn't have the explicit authorities that it needs and Congress wants them to have, it makes everything harder.


Friday, October 3, 2014

Hackers' Attack on JPMorgan Chase Affects Millions

Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks.

As the severity of the intrusion — which began in June but was not discovered until July — became more clear in recent days, bank executives scrambled for the second time in three months to contain the fallout and to reassure skittish customers that no money had been taken and that their financial information remained secure.

The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank's systems, according to several people with knowledge of the results of the bank's forensics investigation, all of whom spoke on the condition of anonymity.