Jump to content

Search the Community

Showing results for tags 'researchers'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 11 results

  1. Dear crew, Does anybody know where to find a vendor in 0days on a professional level? Also are there here researchers available for work? contact me please.
  2. Researchers have revealed that Android's 'factory reset' feature doesn't remove all data from devices, leaving up to 500 million users open to attack. The University of Cambridge has revealed that, even with full-disk encryption in play, performing a factory reset on Android smartphones leaves sensitive information up for grabs on the majority of devices. The university examined 21 phones, running Android versions 2.3 to 4.3, and found could up to 500 million Android devices might be at risk of leaving personal data available to attackers after being 'reset.' For example, the researchers found that they were easily able to access the previous owners Gmail account on 80 percent of the devices it tested. "We were able to retrieve the Google master cookie from the great majority of phones, which means that we could have logged on to the previous owner’s gmail account," the researchers said. All of the 21 phones left some sensitive data behind, including information generated by Facebook and WhatsApp, images, videos and text messages. They researchers noted Google's own-brand Nexus firms fared better than those from the likes of HTC and Samsung, but said that all vendors need to do more to protect user data. "The reasons for failure are complex; new phones are generally better than old ones, and Google’s own brand phones are better than the OEM offerings. However the vendors need to do a fair bit of work, and users need to take a fair amount of care." This research follows an investigation carried out back in 2014 which revealed that CEX and Cash Converters have been selling second-hand mobile phones containing sensitive information from their previous owners, despite promising these customers that the phones would be fully wiped before being sold on. In a seperate report, the Cambridge researchers note that such companies could carry out large-scale attacks given the sensitive data they are able to access, made easier by third-party remote wiping service that also fail to clear information from devices. "Antivirus software that relies on a faulty factory reset can only go so far, and there’s only so much you can do with a user process," the researchers said. "These failings mean that staff at firms which handle lots of second-hand phones (whether lost, stolen, sold or given to charity) could launch some truly industrial-scale attacks." These findings could spell bad news for businesses, with Good Technology revealing earlier this month that Android accounted for 26 percent of enterprise smartphone activiations in the first quarter of 2015. Source
  3. The recently discovered Logjam encryption flaw proves that governments need to aid, not hinder, businesses' efforts to encrypt data, according to experts in the white hat community. Logjam is an encryption flaw that was uncovered on Wednesday by researchers at Inria Nancy-Grand Est, Inria Paris-Rocquencourt, Microsoft Research and the Johns Hopkins, Michigan and Pennsylvania universities. Its discovery sent ripples through the security community as in theory it leaves tens of thousands of web and mail servers open to man-in-the-middle attacks. CipherCloud chief trust officer Bob West said that Logjam should act as a cautionary tale to legislators considering weakening companies' ability to encrypt data. "Logjam is a cautionary tale for our lawmakers and leaders who are under pressure by government groups to weaken encryption," he said. "Diluting the strength of encryption for one group creates a vulnerability that can be exploited by any group. Human rights, privacy and the resilience of our economy will be the casualties if back doors are created in encryption solutions." Venafi vice president of security strategy Kevin Bocek agreed, arguing that Logjam proves that weakening encryption will aid cyber criminals. "With more sites using SSL/TLS keys and certificates, the target is getting bigger for the bad guys," he said. "The [bad guys'] interest in intercepting encrypted traffic, spoofing trusted sites, or hiding in encryption is only growing, and many out there predict that a crypto-apocalypse is on the horizon." Logjam's discovery follows widespread concerns about the UK government's intentions concerning encryption. The government indicated plans to force firms to make encrypted data accessible to law enforcement in its election manifesto. At a technical level, Logjam is a flaw in the Diffie-Hellman key exchange cryptographic algorithm used while creating encrypted HTTPS, SSH, IPsec, SMTPS and TLS connections. "We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed," read the researchers' threat advisory. "The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection." The researchers added that the vulnerability is similar to the Freak and Poodle flaws and "affects any server that supports DHE_EXPORT ciphers and all modern web browsers". The advisory said that Logjam renders 8.4 percent of the top one million web domains open to exploitation, but warned that the flaw's reach is significantly higher. Freak is a cross-platform flaw in SSL/TLS protocols that could be exploited to intercept and decrypt HTTPS connections between vulnerable clients and servers. It was uncovered in March. Poodle is a flaw in SSL version 3.0 which could leave users' web data open to attack. It was uncovered by researchers at Google in October 2014. The researchers said that the flaw could be used to intercept data passing between VPN servers, and is consistent with the NSA-led attacks described in leaked PRISM documents. "We carried out this computation against the most common 512-bit prime used for TLS and demonstrated that the Logjam attack can be used to downgrade connections to 80 percent of TLS servers supporting DHE_EXPORT," read the paper. "We further estimate that an academic team can break a 768-bit prime, and that a nation-state can break a 1,024-bit prime. Breaking the most common 1,024-bit prime used by web servers would allow passive eavesdropping on connections to 18 percent of the top one million HTTPS domains. "A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break," the researchers said. News that the NSA's specialist Office of Target Pursuit maintains a team of engineers dedicated to cracking the encrypted traffic of VPNs broke in December 2014. However, despite the seriousness of the Logjam flaw, experts have pointed out Logjam is more significant as a cautionary tale than game changing vulnerability. Rapid7 engineering manager Tod Beardsley explained that the high degree of sophistication required to mount a Logjam attack makes it unlikely that it will be widely targeted. "The only two groups really in a position to take advantage of this vulnerability are criminals on coffee shop WiFi networks, and state actors who already control a huge chunk of the local internet," he said. LogRhythm vice president Ross Brewer agreed, pointing out that patches for the flaw are already being rolled out. "The fact that Logjam can only be exploited when hackers and targets are on the same network, as well as patches being imminent, means that hype around it is likely to be a bit of a storm in a teacup," he said. "Organisations should, however, use flaws like this as an excuse to give themselves a security health check." The white hat community is one of many calling for an end to governments rethink their surveillance strategies. Over 140 big name companies sent a letter to US president Barack Obama on Tuesday urging him to cease the government's war on encryption. Source
  4. When heat from one computer is emitted and detected by an adjacent computer, a channel can be opened that researchers are claiming can facilitate the spread of keys, passwords and even malware. According to researchers from the Cyber Security Research Center at Ben Gurion University in Israel, the bridge, something they’ve dubbed BitWhisper, can allow for communication between the two air-gapped machines. Researchers Mordechai Guri and Matan Munitz discovered the method and were overseen by Yuval Elovici, a professor at the school’s Department of Information Systems Engineering. The three plan to publish a paper on their research, “BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations,” soon. To connect two otherwise separate computers – a common sight in specialized computer labs, military networks, etc. – the channel relies on something the researchers call “thermal pings,” the repeated fusion of two networks via proximity and heat. This helps grant a bridge between the public network and the internal network. “At this stage, the attacker can communicate with the formerly isolated network, issuing commands and receiving responses,” the report reads. Once the airgap has been bridged, attackers can do a handful of things, including using the channel to spread keys, unleash a worm, send a command to an industrial control system, or spread malware to other parts of the network. “BitWhisper provides a feasible covert channel, suitable for delivering command and control (C&C) messages, and leaking short chunks of sensitive data such as passwords,” the paper warns. In a video posted to YouTube, the researchers demonstrate how they were able to send a command from one machine to another in order to reposition and then launch a small, toy missle: For their study the researchers positioned personal computers next to one another – side-by-side, back-to-back, even stacked on top of each other – to determine how quickly data traveled between the two. The researchers then ran the machines through a rigorous series of calculations and “busy loops” in order to get them to give off more heat. From there they were able to gauge which of the computers’ temperature sensors were affected by a difference in heat and in turn could be manipulated. Guri and company were left with a complicated attack environment that’s dependent upon multiple, highly-calibrated parameters being set in place in order to carry out an attack. It’s not the speediest method to transfer information – the thermal signal’s rate of change between computers can be slow – very slow – oftentimes taking several minutes to transfer just one signal; at the most, BitWhisper can process eight signals per hour. While slow, the team’s video helps illustrate that the mode of transfer is possible but it just may make more sense to transfer small bits of information. The attack requires no special hardware or additional components, it just requires that both machines are infected by malware. On top of that the channel is bi-directional, meaning the sender could be the receiver in some instances. The attack should work as long as one computer is producing heat and another is monitoring that heat. End-users who wanted to theoretically prevent an attack like this from happening could keep computers far apart from each other. While that may seem like the most sensible move, researchers stress it may be difficult. “Keeping minimal distances between computers is not practical,” the researchers said, “and obviously, managing physical distances between different networks has its complexity in terms of space and administration overheads that increases with every air-gap network used.” Guri and a trio of researchers found a technique last year to use FM waves for data exfiltration. Guri and his team presented the malicious program, AirHopper, at MALCON, a conference in Mumbai last year, and showed how it could be used to decode a radio signal sent from a computer’s video card. That attack helped clarify what is and isn’t possible when it comes to staging threats against air-gapped machines. The threat landscape is a field of great interest to researchers at the university. Going forward Guri states that he and his team are hoping to see if they can get two computers to send and receive information at the same time and to see if it’s possible to get two computers in the same room, giving off heat, to boost the channel’s effective transmission range. Source
  5. Security researchers have banged another nail into the coffin of the ageing RC4 encryption algorithm. The latest password recovery attacks against RC4 in TLS by Christina Garman of Johns Hopkins University, Prof. Kenny Paterson and research student Thyla van der Merwe (both of Royal Holloway, University of London) show that attacks against the scheme are getting better and easier so RC4 "needs to die", as the researchers themselves put it. The continued use of RC4 in TLS is "increasingly indefensible", the researchers conclude in an abstract of their work. The research - which also involved the development of "proof of concept" implementations of the attacks against the BasicAuth and IMAP protocols – is explained in full in a paper here (PDF, 34 pages). Independent researchers agree that RC4 needs to be pensioned off even though some question whether the attack developed by is a practical concern. "RC4 must die. Despite, not because of, attacks like the one described here which is extremely impractical," said Martijn Grooten, editor of Virus Bulletin and occasional security researcher. Caveats about whether or not attacks could be economically pulled off aside, there's little or no disagreement about the direction of travel, which is that the cipher ought to be consigned straight towards the cyber equivalent of Boot Hill cemetery. The only reason it's still around is that websites are reluctant to drop support even for obsolete technology. RC4, developed in 1987, is a popular stream cipher that's often used in HTTPS connections to protect sensitive network traffic from eavesdroppers, among other uses. Potential attacks have been documented for years but they are now decreasing in complexity to the point where using the cipher is risky even before considering the implication of the revelations from NSA whistleblower Edward Snowden. Leaks from Snowden suggested that US and UK spies have developed "groundbreaking cryptanalysis capabilities", which ultimately allow the intelligence agencies to break RC4 encryption. Distrust of the cipher is spreading. Microsoft urged Windows developers to ditch the RC4 encryption algorithm and pick something stronger back in November 2013. Cisco also told its customers to "avoid" the cipher around the same time. The IETF moved towards killing off the venerable-but-vulnerable RC4 cipher with a proposal that net-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS) that surfaced in December 2014. Source
  6. Attackers are using Flash exploits and foisting ransomware through real time advertising bidding networks, FireEye researchers say. The attacks link to malicious or compromised advertising sites which participate in real time bidding systems in which ad inventory is sold to and by publishers. More than 1700 malicious advertising requests have been detected that led to malicious .swf Flash files being downloaded over hundreds of unnamed sites. "We believe this activity is part of an active malvertising operation," FireEye Labs researchers say in an advisory. "These ads can come from ad servers that are part of a legitimate ad network or rogue ad servers controlled by attackers." The attacks target a vulnerability (CVE-2014-0569) patched October last year affecting Adobe Flash and Air which was integrated quickly into exploit kits including the popular Angler. Damage to victims varied; FireEye bods say attackers foisted both the dangerous Cryptowall ransomware and what appear to be benign Windows files. Two .swf files are loaded and load the exploit then throw up an unrelated advertisement which varied across attacks. Researchers probing deeper discovered the studied advertising sites used a tool dubbed 'F**k AdBlock' designed to detect 'nasty' ad blockers across popular web browsers. URLs involved in the advertising network revealed the bid pricing, impressions, and information on operating systems and web browsers. Malvertising is a popular method for infecting web users. Last month some 1800 subdomains linked to GoDaddy accounts were found spreading the Angler exploit kit using a then Flash zero day exploit in a surreptitious malvertising campaign. Source
  7. On May 30, 2014, law enforcement officials from the FBI and Europol seized a series of servers that were being used to help operate the GameOver Zeus botnet, an especially pernicious and troublesome piece of malware. The authorities also began an international manhunt for a Russian man they said was connected to operating the botnet, but the most significant piece of the operation was a side effect: the disruption of the infrastructure used to distribute the CryptoLocker ransomware. The takedown was the result of months of investigation by law enforcement and security researchers, many of whom were collaborating as part of a working group that had come together to dig into CryptoLocker’s inner workings. The cadre of researchers included reverse engineers, mathematicians and botnet experts, and the group quickly discovered that the gang behind CryptoLocker, which emerged in 2013, knew what it was doing. Not only was the crew piggybacking on the GameOver Zeus infections to reach a broader audience, but it also was using a sophisticated domain-generation algorithm to generate fresh command-and-control domains quickly. That kept the CryptoLocker crew ahead of researchers and law enforcement for a time. “The interesting thing is all the opsec involved in this. The architecture thought out with this was really clear. The people working on this really sat down and architected and then engineered something,” said Lance James of Deloitte & Touche, who spoke about the takedown effort at Black Hat last year. “It took a lot more people on our side to hit it harder.” CryptoLocker has become the poster child for a new wave of threats that are designed to relieve victims of their money through the threat of losing all of their files. The malware, like its descendants Cryptowall, Critroni, Crowti and many others, encrypt the contents of victims’ PCs and demands a payment, usually in Bitcoin, in order to get the decryption key. Millions of victims have been hit by these threats in the last couple of years, but putting a number on infections and a dollar value on how much money the crews are making is difficult. However, with ransom payments ranging from less than $100 to as much as $300 or more, the criminals behind these ransomware families are building multimillion dollar businesses on the fear and desperation of their victims. Despite the sudden appearance of CryptoLocker and the other more recent kinds of ransomware, the concept itself is not new. As far back as the late 1980s, early versions of crypto ransomware were showing up and security researchers began looking at the problem by the mid-1990s. By the mid-2000s, more and more crypto ransomware variants were popping up, but it wasn’t until CryptoLocker reared its head in 2013 that the scope and potential damage of the threat came into sharp focus. Victims, researchers and law enforcement soon realized that the game had changed. “Just imagine the scale of how many people are being held for ransom with these threats. It’s mind-boggling,” said Anup Ghosh, CEO of security vendor Invincea, which has done research on ransomware threats. “It’s someone else’s problem until your own personal information gets encrypted and you can’t access your work data and photos. The personal pain is so much more dramatic than any other intrusion.” For all the attention that CryptoLocker and Cryptowall and the other variants have gotten from the media and security researchers, enterprises haven’t yet totally caught on to the severity of the threat. Much of the infection activity by crypto ransomware has targeted consumers thus far, as they’re more likely to pay the ransom to get their data back. But Ghosh said that’s likely to change soon. “It’s not even on their radar. It’s similar to banking Trojans in terms of what IT guys think of it,” Ghosh said. “They treat it as an individual problem and as a reason to slap people on the wrist. ‘Oh, you must have done something bad’.” Ransomware gangs use a variety of methods to infect new victims, including riding shotgun on other malware infections and through drive-by downloads. But perhaps the most common infection method is through spam messages carrying infected attachments. These often look like FedEx shipping notifications or fake invoices. When a user opens the attachment, the malware infects the machine and encrypts the files. But the crypto ransomware gangs don’t operate on their own. They have support systems, developers and other systems in place to help them create their malware and cash out the profits. “CryptoLocker and GameOver Zeus were often installed alongside each other, and now you see these groups improving from there and specializing,” said John Miller, manager, ThreatScape cyber crime, at iSIGHT Partners. “There’s so much momentum behind ransomware operations and the black markets that support it, we expect it to be a problem for the foreseeable future. There are people selling ransomware, customization services for countries and distribution services for getting it onto machines or phones.” How much money is involved? Millions and millions of dollars. In just the first six months of operation, the Cryptowall malware generated more than a million dollars in revenue for its creators, according to research from Dell SecureWorks. That’s one group using one variant of crypto ransomware. And there are dozens, if not hundreds, of other groups running similar operations. Where CryptoLocker innovated with the use of strong encryption and demand for Bitcoin as ransom, other groups have taken the concept and run with it. The Critroni, or CTB-Locker, ransomware not only accepts Bitcoin, but it also uses elliptic curve cryptography and employs the Tor network for command-and-control. The group behind Cryptowall also goes to some lengths to ensure that the ransomware is on the right kind of machine before it runs. “They went through a lot of work to hide the executable in encryption, to check if it’s running in a virtual machine, and the ability to exploit multiple environments,” said Cisco Talos security research engineer Earl Carter. “So much was put into Cryptowall 2.0. Someone went to a lot of work on the front end to avoid detection.” The piles of money and growing complaints from victims has begun to draw the attention of law enforcement, as evidenced by the GameOver Zeus-CryptoLocker takedown and actions against the Reveton ransomware operation. Researchers expect the level of law enforcement interest to grow, especially as ransomware infects more enterprises and the profits for attackers continue to grow. “Now that it’s become apparent how much damage ransomware is causing, law enforcement is paying attention,” Miller said. “It’s gotten their attention in a big way. It’s in their scope. But it hasn’t been targeted very much by takedown activity. A lot of the criminals operating this feel that because what they’re doing is stealing virtual currency from individuals it’s less likely to see law enforcement attention. “The biggest reason this environment will change is sustained law enforcement action.” Source
  8. Google is opting to make its annual Pwnium competition a year-round global opportunity with an endless bounty of reward money. In previous years, Pwnium was held once a year during a security conference, and security researchers would need to have a bug chain in March, pre-register for the event and be present at the competition's location, Google wrote on its blog. Now, researchers can submit bugs throughout the year through the Chrome Vulnerability Reward Program. “By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren't duplicating their efforts on the same bugs,” Google wrote. The top available reward is $50,000, but the company's lawyers also noted in the post that, “this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.” Source
  9. When Microsoft introduced use-after-free mitigations into Internet Explorer last summer, certain classes of exploits were closed off, and researchers and black hats were left to chase new ways to corrupt memory inside the browser. A team of experts from HP’s Zero Day Initiative were among those who noticed that once-reliable exploits were no longer behaving as expected, and traced it back to a number of mitigations silently introduced in July into IE. By October, researchers Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun had developed attacks against two mitigations, Isolated Heap and MemoryProtection, and today announced they’d been awarded $125,000 from the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense. A chunk of that total, $25,000, was awarded separately for a submission suggesting a defense against the technique they submitted. The researchers said they will donate the full bounty to Texas A&M University, Concordia University, and Khan Academy, three institutions that sponsor strong STEM (science, technology, engineering and mathematics) programs. “We were very excited when we heard the results from Microsoft,” Gorenc, ZDI lead researcher, said. “We put a lot of time and effort into that research. We’re glad to hear Microsoft got good data out of it.” Gorenc said Microsoft has not patched the issues identified in the HP ZDI research, and as a result, Gorenc said ZDI will not disclose details yet. He did tell Threatpost that part of the attack includes using MemoryProtect as an oracle to bypass Address Space Layout Randomization (ASLR). “We use one mitigation to defeat another,” he said. “Stuff like this has been done in the past, but what’s interesting about this one is that these mitigations were designed to make use-after-free harder on the attacker, but what we’ve done is made it defeat another mitigation that IE relies on; it weakens it in that perspective. It was interesting to see one used against another.” Use-after-free vulnerabilities have overtaken buffer overflows as the hot new memory-corruption vulnerability. They happen when memory allocated to a pointer has been freed, allowing attackers to use that pointer against another area in memory where malicious code has been inserted and will be executed. Microsoft, for its part, has invested money and time into building mitigations against memory-related attacks, not only with the inclusion of mitigations in Internet Explorer, but also through its Enhanced Mitigation Experience Toolkit (EMET). For the most part, bypasses of and attacks against mitigations have largely been confined to researchers and academics, but some high-profile targeted attacks that have been outed do take into consideration the presence of these mitigations. Operation Snowman, for example, an APT operation against military and government targets, scanned for the presence of EMET and would not execute if the tool was detected. Internet Explorer has been plagued by memory corruption bugs forever it seems, with Microsoft releasing almost monthly cumulative updates for the browser which is constantly being used in targeted attacks and has been easy pickings for hackers. “The attack surface is valuable and has to exist,” Gorenc said of IE and use-after-free bugs. “It’s an attack surface where with slight manipulations, you can gain code execution on the browser.” ZDI, Gorenc said, has spent the majority of its money on the use-after-free attack surface; ZDI is a vulnerability program that rewards researchers who disclose vulnerabilities through its process. The bugs are shared with HP customers first and then with the affected vendors. ZDI said it has spent $12 million dollars over the past nine years buying vulnerabilities. Gorenc’s colleagues Zuckerbraun and Hariri were external contributors before joining ZDI full time; both spent a lot of time on IE and use-after-free submissions, HP said. For these attacks, Zuckerbraun reverse engineered MemProtect, studying how it stymied use-after-free vulnerabilities. Hariri focused on bypassing Isolated Heap. Together with Gorenc’s work on sandbox bypasses, the researchers soon had enough research to share with Microsoft. The reward, meanwhile, will be donated to the three education institutions, each of which have personal meaning to the respective researchers and their focus on STEM. “HP Security Research donates to organizations that have a strong STEM emphasis. We decided we would select organizations and charities to receive the money we won that support that emphasis,” Gorenc said. “We look at it as a way to give back. Hopefully our research has made our environment better, hardened IE, and helps fund a strong engineering organization.” Source
  10. Google is offering grants worth up to $3,000 to investigate suspected security flaws as a part of a new "experimental" initiative. Google security engineer Eduardo Vela Nava announced the move in a blog post, promising to offer further incentives for researchers to investigate suspected problems that they would otherwise ignore. "Today we're rolling out a new, experimental programme: Vulnerability Research Grants. These are upfront awards that we will provide to researchers before they ever submit a bug," he explained. "We'll publish different types of vulnerabilities, products and services for which we want to support research beyond our normal vulnerability rewards. "We'll award grants immediately before research begins, with no strings attached. Researchers then pursue the research they applied for, as usual. There will be various tiers of grants, with a maximum of $3,133.70." Google also announced plans to expand its existing bug bounty programme to include flaws in mobile applications. "Also starting today, all mobile applications officially developed by Google on Google Play and iTunes will now be within the scope of the Vulnerability Reward Programme," read the post. Google has been a constant supporter of bug bounty schemes, and announced reforms to its programmes in 2014. Google tripled Chrome bug bounty payments to $15,000 in October prior to launching the Project Zero initiative. Project Zero was launched in July 2014 with the apparent intention of speeding up companies' patch release schedules. The team of researchers does this by initially disclosing flaws privately to the firms responsible and giving them 90 days to release a fix before making the research public. The project was criticised earlier this year for the public disclosure of bugs in Microsoft's Windows and Apple's Mac OS X operating systems. Nava credited the schemes as a success despite the controversy. He revealed that Google paid researchers more than $1.5m for discovering over 500 bugs last year. Source
  11. Attackers living on any network are all about one thing: persistence. They want to get on quietly and stay on quietly. But what about moving stolen data off a network? How quiet can that be? Two researchers believe they’ve figured out a way to combine Siri, Apple iOS’ native voice-activated service, and tenets of steganography to sneak data from jailbroken iPhones and iPads to a remote server. Luca Caviglione of the National Research Council of Italy, and Wojciech Mazurczyk of Warsaw University of Technology published an academic paper called “Understanding Information Hiding in iOS” in which they describe three steps how to pull it off. Their method, called iStegSiri, takes advantage of the data Siri sends to Apple servers for translation and manipulates that traffic, which is then observed by an attacker who must intercept it before it reaches Apple’s servers. Before that happens, an attacker would have to convert the secret to an audio sequence based on the “proper alternation of voice and silence,” the researchers wrote. Next, that altered sound pattern is fed to Siri via the iOS device’s internal microphone. Siri sends voice-to-text translation input to an Apple server where it is translated and sent back to the device. The attacker must be able to passively inspect the traffic, the researchers said, and apply a decoding scheme to learn the secret, which can be anything from a credit card number to an Apple ID and password combination. “The covert listener must capture the traffic and decode the secret. The former can be achieved in several ways, including transparent proxies or probes that dump traffic for offline processing,” the researchers wrote. “The decoding algorithm implements a voting-like method using two decision windows to determine whether a run of throughput values belongs to voice or silence (1 or 0).” IStegSiri does not require the installation of a malicious app, or an alteration of any kind. The researchers said that the method is relatively slow; secrets are sent at 0.5 bytes per second, meaning that it would take two minutes to transmit a 16-digit credit card number. “[iStegSiri] requires access to Siri’s inner workings; this means that only jailbroken iOS devices can currently be used. However, iStegSiri showcases the principle of using real-time voice traffic to embed data,” the researchers wrote. “Therefore, it can be further exploited on existing similar applications such as Google Voice or Shazam, or implemented in future applications by taking advantage of coding errors.” The paper states that the ideal countermeasure lies with Apple server-side. “For example, Apple should analyze patterns within the recognized text to determine if the sequence of words deviates significantly from the used language’s typical behaviors,” the researchers wrote. “Accordingly, the connection could be dropped to limit the covert communication’s data rate. This approach wouldn’t rely on the device, so additional functionalities or battery consumptions wouldn’t be required.” Source
×
×
  • Create New...