
Internet Security


Skype for iPhone makes stealing address books a snap.

If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device's address book simply by sending you a chat message. In a video posted over the weekend, the security researcher makes the attack look like child's play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you'll have a fully searchable copy of the victim's address book. “I'm going to send a user on an iPhone a message, and when he sees the message, the exploit will run,” the narrator says. The attack exploits two oversights that just go to show that even elaborately erected walled gardens such as Apple's can contain threats that menace its blissful inhabitants.

In a Web 2.0 kind of world, contacts for many people aren't exactly closely guarded secrets.

Exclusive: Google, CIA Invest in ‘Future’ of Web Monitoring | Danger Room.

The investment arms of the CIA and Google are both backing a company that monitors the web in real time, and says it uses that information to predict the future. The company is called Recorded Future, and it scours tens of thousands of websites, blogs and Twitter accounts to find the relationships between people, organizations, actions and incidents, both present and still-to-come. In a white paper, the company says its temporal analytics engine “goes beyond search” by “looking at the ‘invisible links’ between documents that talk about the same, or related, entities and events.”

The idea is to figure out for each incident who was involved, where it happened and when it might go down. Recorded Future then plots that chatter, showing online “momentum” for any given event. “The cool thing is, you can actually predict the curve, in many cases,” says company CEO Christopher Ahlberg, a former Swedish Army Ranger with a PhD in computer science.

But unease has been growing.

Mozilla addons site targeted in same attack that hit Google.

The secure webpage hosting addons for Mozilla Firefox was targeted in the same attack that minted a fraudulent authentication credential for Google websites, the maker of the open-source browser said. "DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue," Johnathan Nightingale, Mozilla's director of Firefox development, wrote in a statement. "In the absence of a full account of mis-issued certificates from DigiNotar, the Mozilla team moved quickly to remove DigiNotar from our root program and protect our users." Nightingale didn't say how many Mozilla certificates were issued and if they were actively used to intercept the communications of people accessing the address.

On Tuesday, Google said a bogus secure sockets layer certificate issued by Dutch firm DigiNotar was used to spy on people located in Iran while visiting Gmail.

Fraudulent Google credential found in the wild.

Security researchers have discovered a counterfeit web certificate for Google.com circulating on the internet that gives attackers the encryption keys needed to impersonate Gmail and virtually every other digitally signed Google property. The forged certificate was issued on July 10 to digitally sign Google pages protected by SSL, or secure sockets layer.

It was issued by DigiNotar, a certificate authority located in the Netherlands. The forged certificate is valid for *.google.com, giving its unknown holders the means to mount transparent attacks on a wide range of Google users who access pages on networks controlled by the counterfeiters. It's at least the second time in five months that unauthorized parties have gotten hold of valid SSL certificates used to cryptographically prove that a sensitive website is authentic rather than a forgery. Representatives from DigiNotar didn't respond to repeated requests for comment.