Bit9’s new research on “The Most Vulnerable Smartphones of 2011” lists the devices that pose the most serious security and privacy risk to consumers and corporations. In the Bit9 research report, Android phones overwhelmingly topped the list, accounting for the “dirty dozen” most vulnerable devices.
Category Archives: Data Security
Location Tracking on Mobile Devices Introduces More Privacy Concerns
Last week it was brought to everyone’s attention that a hidden feature in Apple iOS version 4 is secretly tracking and saving geolocation data on iPhones and iPads. This data is also stored on any computer you use to sync the device(s) with iTunes.
A video of Warden and Allan discussing their discovery is below, courtesy of O’Reilly and Where 2.0. The two have also published a FAQ that provides more details on the discovery and its implications.
Later that week there was talk of this same type of information being collected and stored on Android mobile devices. According to new research by security analyst Samy Kamkar, an HTC Android phone collected its location every few seconds and transmitted the data to Google at least several times an hour. It also transmitted the name, location and signal strength of any nearby Wi-Fi networks, as well as a unique phone identifier.
According to research firm Gartner, Google and Apple are gathering location information as part of their race to build massive databases capable of pinpointing people’s locations via their cellphones. These databases could help them tap the market for location-based services.
And now today it has been reported that the Windows phone is also collecting and sending location data to Microsoft. Microsoft has said that when location services for Windows phones are switched on, the devices transmit a unique ID along with nearby wireless networks, their signal strength, and GPS-extracted location to the company’s servers. They are also claiming that Windows phones don’t store any of the locations on the device itself.
Sony Admits PlayStation Network Compromised
Sony has confirmed that a data breach was the cause of the PSN outage. In a vague letter to customers, the gaming giant warned that 70 million users’ personal information was compromised. In addition, it fears credit card details were also included in the loss.
On April 17, an unknown number of PSN and Qriocity accounts were compromised. As a result, Sony shut things down in an attempt to mitigate the situation, allowing it time to correct underlying issues and launch a full investigation. Initially, the service outage was blamed on Anonymous, considering the group’s past actions against the Japanese electronics giant.
“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained,” Sony’s letter explained.
Report: NSA Looks Into NASDAQ Hack
The National Security Agency, the top U.S. electronic intelligence service, has joined a probe of the October cyber attack on Nasdaq OMX Group Inc. amid evidence the intrusion by hackers was more severe than first disclosed, according to people familiar with the investigation.
The involvement of the NSA, which uses some of the world’s most powerful computers for electronic surveillance and decryption, may help the initial investigators — Nasdaq and the FBI — determine more easily who attacked and what was taken. It may also show the attack endangered the security of the nation’s financial infrastructure.
“By bringing in the NSA, that means they think they’re either dealing with a state-sponsored attack or it’s an extraordinarily capable criminal organization,” said Joel Brenner, former head of U.S. counterintelligence in the Bush and Obama administrations, now at the Washington offices of the law firm Cooley LLP.
Check out the entire article – Bloomberg
IEEE Database Breached, Personal Information Compromised
IEEE, the world’s leading society for technical professionals, has warned some 800 members that their credit card and personal information may have been stolen. The FBI has been notified of the breach.
The group disclosed the November 2010 breach in a letter to the New Hampshire Attorney General, dated February 24, in keeping with that state’s data privacy law. While the source and purpose of the security breach aren’t known, IEEE’s membership of technical professionals raises concerns about whether group members might be the targets of sophisticated phishing and social engineering attacks using stolen data.
Check out the full article – ThreatPost
Domains Used in the RSA Attack
Details about the recent cyber attacks against security firm RSA suggest the assailants may have been taunting the industry giant and the United States as they stole secrets from a company whose technology is used to secure many banks and government agencies.
Earlier this month, RSA disclosed that “an extremely sophisticated cyber attack” targeting its business unit “resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products.” The company was careful to caution that while data gleaned did not enable a successful direct attack on any of its SecurID customers, the information “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
Read the full article at KrebsOnSecurity
Samsung Intentionally Shipping Laptops with Keylogger/Spy Software
Network World published a story today by Mohamed Hassan explaining how he had recently purchased a new Samsung laptop and discovered that it had a keylogger (StarLogger) pre-installed from the factory. Not only could this software log all of your keystrokes, it is also capable of taking screenshots.
Check out the article - Network World