Voice Chat App Aids Anti-Government Uprisings Across the World

From Defense One:
Entrepreneur Bill Moore was in his Austin, Texas, office last Thursday, watching explosive growth for his company’s walkie-talkie app, Zello, inside Venezuela. Zello had become the favorite app of protest organizers there after recently hitting the mark as the most popular app in Ukraine. Over the past few days in Venezuela, the protests ballooned following rapidly rising food prices, controversy over President Nicolas Maduro’s economic policies, public dissatisfaction over crime and multiple other factors.
Moore was finding that in Venezuela that popularity had a price. Shortly after 9 p.m., his Twitter feed blew up with messages from users inside the country. The government-owned Internet service provider, CANTV, which hosts 90 percent of Venezuela’s Internet traffic, was blocking the app as well as access to Zello’s website. Downloads were dropping off considerably.
Check out Zello here.

Goto Fail: Apple iOS Bug Compromises SSL, Opens Vector for Attackers

From ZDNet:
Apple on Friday revealed a major SSL (Secure Socket Layer) vulnerability in its software that affects all devices, allowing hackers to intercept and alter communications such as email and login credentials for countless Apple hardware users.

A new version of Apple's iOS for its tablets and phones was rushed out the door Friday to patch the vulnerability, wherein its mobile, tablet and desktop software is not doing SSL/TLS hostname checking — communications meant to be encrypted, are not.

The patch has only been issued for the more recent iPhones (4 and later), iPod touch (5th generation) and iPad (2nd generation).

Security researchers across several communities believe that Mac computers are even more exposed, as they are currently left hanging without a patch.
Imperial Violet has details on the bug itself:

So here's the Apple bug:

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
 OSStatus        err;
 ...

 if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
  goto fail;
 if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
  goto fail;
  goto fail;
 if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
  goto fail;
 ...

fail:
 SSLFreeBuffer(&signedHashes);
 SSLFreeBuffer(&hashCtx);
 return err;
}
 
(Quoted from Apple's published source code.)
Note the two goto fail lines in a row. The first one is correctly bound to the if statement but the second, despite the indentation, isn't conditional at all. The code will always jump to the end from that second goto, err will contain a successful value because the SHA1 update operation was successful and so the signature verification will never fail.
If you're worried your system may be affected, follow the link above to Imperial Violet, who has created a tool to do a quick check.
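
A reduced model of the control flow described above, added here as an example (not Apple's code and not from the quoted posts). The functions hash_update and verify_signature are constructed stand-ins, and verify_fixed shows one fail-closed way to write the same sequence of checks.

```c
#include <stdio.h>

/* Constructed stand-ins for the hash and signature steps (not Apple's code).
   Each returns 0 on success and nonzero on error, like OSStatus. */
static int hash_update(int ok)          { return ok ? 0 : -1; }
static int verify_signature(int sig_ok) { return sig_ok ? 0 : -2; }

/* Same shape as the bug: the duplicated goto is unconditional, so
   verify_signature() is never reached and err still holds the success
   value from the last hash_update(). GCC 6+ reports this line with
   -Wmisleading-indentation, clang with -Wunreachable-code. */
int verify_vulnerable(int sig_ok)
{
    int err;

    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(1)) != 0)
        goto fail;
        goto fail;                      /* always taken */
    if ((err = verify_signature(sig_ok)) != 0)
        goto fail;

fail:
    return err;
}

/* Fail-closed form: the result starts as an error and is set to success at
   exactly one point, after every check has passed. Braces bind each goto to
   its condition, and a stray jump to done would still report failure. */
int verify_fixed(int sig_ok)
{
    int result = -1;

    if (hash_update(1) != 0) { goto done; }
    if (hash_update(1) != 0) { goto done; }
    if (verify_signature(sig_ok) != 0) { goto done; }
    result = 0;                         /* reached only if all checks passed */

done:
    return result;
}

int main(void)
{
    printf("vulnerable, bad signature -> %d\n", verify_vulnerable(0));
    printf("fixed,      bad signature -> %d\n", verify_fixed(0));
    return 0;
}
```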

Massive Data Breach at University of Maryland

Governments, corporations, educational institutions, all of them completely incompetent when it comes to basic data security.  This is going to be a headache for a lot of people.  From Malwarebytes:
The University of Maryland (UMD) said it was the victim of a recent cyberattack, according to their statement released Wednesday. In the letter, UMD President Wallace D. Loh said he was informed of the breach yesterday evening by Brian Voss, the Vice President of Information Technology at the university.

“A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel,” Dr. Loh said. “The records included name, Social Security number, date of birth, and University identification number.”

Snowden Leaks Spurred Massive Growth at DuckDuckGo

From Fastcolabs:
When Gabriel Weinberg launched a search engine in 2008, plenty of people thought he was insane. How could DuckDuckGo, a tiny, Philadelphia-based startup, go up against Google? One way, he wagered, was by respecting user privacy. Six years later, we're living in the post-Snowden era, and the idea doesn't seem so crazy.
In fact, DuckDuckGo is exploding.  Looking at a chart of DuckDuckGo's daily search queries, the milestones are obvious. A $3 million investment from Union Square Ventures in 2011. Just prior to that, a San Francisco billboard campaign. Inclusion in Time's 50 Best Websites of 2011. Each of these things moved the traffic needle for DuckDuckGo, but none of them came close to sparking anything like the massive spike in queries the company saw last July. That's when Edward Snowden first revealed the NSA's extensive digital surveillance program to the world. The little blue line on the chart hasn't stopped climbing north since.

Google Exploring Plans to Roll Out Fiber to 34 New Cities

Given the planned Comcast/Time Warner merger, we need as much real competition as we can get.  From Google:
Over the last few years, gigabit Internet has moved from idea to reality, with dozens of communities (PDF) working hard to build networks with speeds 100 times faster than what most of us live with today. People are hungrier than ever for faster Internet, and as a result, cities across America are making speed a priority. Hundreds of mayors from across the U.S. have stated (PDF) that abundant high-speed Internet access is essential for sparking innovation, driving economic growth and improving education. Portland, Nashville (PDF) and dozens of others have made high-speed broadband a pillar of their economic development plans. And Julian Castro, the mayor of San Antonio, declared in June that every school should have access to gigabit speeds by 2020.

We've long believed that the Internet’s next chapter will be built on gigabit speeds, so it’s fantastic to see this momentum. And now that we’ve learned a lot from our Google Fiber projects in Kansas City, Austin and Provo, we want to help build more ultra-fast networks. So we’ve invited cities in nine metro areas around the U.S.—34 cities altogether—to work with us to explore what it would take to bring them Google Fiber.

Europe Considers Digital Independence

From the Register:
German Chancellor Angela Merkel has lent her support to the idea of building out new European data networks to help keep Europeans' email and other data out of the hands of US spies.
In the latest edition of her weekly podcast on Saturday, Merkel said she planned to raise the issue among other topics in a meeting with French President François Hollande this week.
"We'll talk, above all, about which European suppliers we have that provide security for the citizens," Merkel said, speaking in German, "that they need not cross the Atlantic with their emails and other things, but we can also build communications networks within Europe."

Kickstarter Compromised: Info Hacked

If you're on Kickstarter, you should probably be busy changing up your passwords.  From CNET:
Hackers hit crowd-funding site Kickstarter and made off with user information, the site said Saturday. Though no credit card information was taken, the site said, attackers made off with usernames, e-mail addresses, mailing addresses, phone numbers, and encrypted passwords.
"Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one," the site said in a blog post, adding that "as a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password."