Apple App Store Suffers Sustained Attack, Spreads Malware to Customers

There are numerous reports that Apple's App Store has been used to spread malware to customers, forcing Apple to purge numerous apps from the store (archived). The attack involved a social engineering vector in which developers were convinced to use versions of Apple's Xcode IDE that had been implanted to spread malware in apps produced with the implanted development software. This incident highlights serious risks posed by relying on gatekeepers to police malware in the way consumers have come to expect.

Trump Campaign Payment Processor Fleeces Donors

WMTW in Portland, Maine alleges a third-party payment processor used by Donald Trump's presidential campaign is repeating donation charges and in at least one case was reported to have charged a man who entered payment information but decided not to purchase anything from the campaign's online store (archived). In all, 13 charges were attempted, of which 6 ended up successfully debiting a balance from the man's bank account. The station is referring to the charges as unauthorized while the payment processor blames a 'glitch' in their system.

US Increases Fee to Relinquish Citizenship and Residency

The United States State Department has increased the processing fee for relinquishing United States Citizenship or Permanent Residence through means other than explicit renunciation to 2350 United States dollars from 450 United States dollars (archived). The change brings the fee in line with that for having the State Department acknowledge an explicit renunciation of citizenship even though a number of the acts leading to the relinquishment of citizenship create a loss of United States nationality even without a Certificate acknowledging the loss of nationality from the State Department. A few acts that until recently allowed one to certify their loss of United States nationality at a discount include:

Coinwallet Turns Stress Test Into Dust Giveaway

Spam generator Coinwallet has taken a different avenue to carry out its latest network "stress test" by presenting its latest round as a "giveaway" in which they are posting private keys owning numerous dust outputs on the Bitcointalk forum. According to their announcement, they intend to distribute roughly 200 Bitcoin in this manner. Attempts to claim these outputs may explain the recent increase in the number of weird non-standard transactions hitting certain Bitcoin nodes. Previously suggested countermeasures for surviving a transaction flood, including demands for a higher base transaction fee per kilobyte of transaction data, should still work to help keep nodes running happily throughout this event.

Enhanced Spyware Comes to Older Versions of Windows

The telemetry spyware which led to Windows 10 users being banned from a number of torrent trackers has now arrived for Windows 7 and 8 in Microsoft's latest batch of "updates" (archived). Attempting to stop the reporting of data to Microsoft on infected machines requires a firewall between the machine and the wider internet, though euthanasia is likely the only effective remedy in the long run for machines subjected to this infection. Any operator of serious internet ventures ought to be giving serious consideration to following in the footsteps of the torrent trackers and dealing with Windows users through shunning and the quarantine of their machines. It would also likely be prudent to consider any cryptographic key material living on a machine running Windows to be in the possession of Microsoft or soon to be in the possession of Microsoft.

Mozilla Vulnerability Hoard Compromised For a Year

This weekend news emerged that the Mozilla Foundation's Bugzilla tracker's hoard of vulnerabilities in the Firefox web browser had been breached for more than a year and potentially as long as two years. By Mozilla's own admission critical security vulnerabilities left unfixed for months had been available to the breaching party who had complete access to a goldmine of ways to abuse Mozilla users that Mozilla itself had been sitting on. Mozilla's handling of this episode has been nothing short of abusive to its users.

Many Network Appliances Leak Master TLS Private Keys Through "Forward Secrecy"

Florian Weimer has published a paper (pdf, txt) showing that a wide variety of purpose-built network hardware leaks transport layer security keys when forward secrecy is enabled. The leaks occur due to faulty RSA signatures produced when the RSA software uses an optimization derived from the "Chinese Remainder Theorem" without any further hardening or error checking. The problem with the Chinese Remainder Theorem optimization has been known since 1996, when Arjen Lenstra brought these concerns about faults during RSA signature generation into the literature (pdf, png). Two decades later GnuTLS, PolarSSL and Libgcrypt lack checks for this potential calamity by default, though other software implementations have ways to disable checks. With the affected appliances, once the signature flaw occurs, the "forward secrecy" key agreement protocol serves as a channel for acquiring the private key.

XT Node Blacklists Fail to Prevent DDoS Attack

Mike Hearn and Gavin Andresen recently chose to use the Bitcoin-XT project to attempt to provoke a hard fork in the blockchain to increase the block size limit. Users who support Gavin's code to hard fork the network to increase the block size began switching to, and launching, Bitcoin-XT nodes. After Mike Hearn's declaration of war, the number of XT nodes on the network began to increase. However, Mike Hearn began seeing a pattern of nodes getting hit by heavy DDoS attacks.

Peoria Pays $125,000 in Satire Settlement

According to the Journal Star, the city of Peoria, Illinois has agreed to pay an eighth of a million United States Dollars (archived) to Jon Daniel in order to settle a civil suit arising from the city's persecution of Daniel for daring to run a Twitter account parodying Mayor Jim Ardis. Daniel's home was raided on April 15th, 2014 as a part of a police operation to identify and suppress the operator of a satire Twitter feed for mocking Mayor Ardis. Daniel and his representatives provided by the ACLU alleged Daniel's 1st and 4th amendment rights were violated, that he was falsely imprisoned, and that his personal privacy was violated as a part of the manhunt and police raid directed at his parodic writing activities.