Mobile Apps Threaten Your Privacy

big brother John Leyden at The Register reports that security experts uncovered privacy concerns in mobile applications available from both the Barack Obama and Mitt Romney presidential campaigns. Researchers at GFI Software examined the Android versions of both products and are alarmed at the invasive nature of the offerings.

Obama for America and Mitt’s VP request permissions, access to services and data and demonstrate capabilities beyond product expectations.  Each of the apps cross-posts on users' behalf and report back to base.  More alarmingly, both apps slurp the details of users' contacts and log location data. The Romney app even requests permission to record audio for unspecified purposes.

Useless Business Jargon

jargonThe next time you feel the need to reach out, touch base, shift a paradigm, leverage a best practice or join a tiger team, by all means do it. Just don’t say you’re doing it.

People use jargon as a substitute for thinking hard and clearly about their goals and the direction they wish to give others.  Jargon masks meaning.  Jargon can mean different things to different people.  You might be saying one thing -- while your audience is hearing another.

Flame, the Cyber Weapon

wormA highly sophisticated computer virus is infecting computers in Middle Eastern and North African countries.  It appears to have been at least five years ago.  Is this state-sponsored cyber espionage?

Kaspersky Lab, a Russian cyber-security software maker, said it discovered the virus, dubbed Flame, after a U.N. telecommunications agency asked it to analyze data on malicious software across the Middle East in search of the data-wiping virus reported by Iran.

Yahoo Leaks Private Key

omgYahoo released its Axis extension for Chrome and accidentally leaked its private security key that could allow anyone to create malicious plugins masquerading as official Yahoo software.  The result is that a miscreant could forge malicious software to run amok on unsuspecting victim computers and it would appear to be coming from Yahoo.

An Australian researcher exposed the certificate mistake, and said users should not install the extension "until the issue is clarified." He examined the extension’s source code and found the private certificate, which Yahoo uses to sign the application to prove it is genuine and unaltered.

Ogres Disrupt the Workplace

ogre

Do you know an ogre? Are you an ogre?

Ogres can exist at any level in an organization.

Ogres come from many backgrounds and can be any color, gender, belief system, or orientation. But ogres are easy to spot. What gives them away? Perhaps, it is the Ogres' lack of etiquette in the office place. Or is it the ogres' dysfunctional (or broken) ethical compass. Whether you are an Ogre or the victim of an Ogre, there are five Ogre specific disruptors of performance you should look out for that will negatively affect you and your stakeholders...

Malware Hijacks Webcams and Microphones

webcamA new variant of SpyEye malware allows cybercriminals to monitor potential bank fraud victims by hijacking their Web cams and microphones, according to security researchers from Kaspersky Lab May 21. SpyEye is a computer trojan that specifically targets online banking users.

Like its older cousin, Zeus, SpyEye is no longer being developed by its original author but is still widely used by cybercriminals. SpyEye’s plug-in-based architecture allows third-party malware developers to extend its original functionality, a Kaspersky Lab malware researcher said.

NASA Investigates SSL Compromise

nasaA NASA spokesperson told SecurityWeek they were investigating claims made by a group of Iranian hackers May 16 that they have compromised the SSL certificate used on the NASA Solicitation and Proposal Integrated Review and Evaluation System (NSPIRES) Web site.

The Iranian student group comprised of programmers and hackers — known as the Cyber Warriors Team claimed to have compromised the SSL cert was compromised by exploiting an existing vulnerability within the portal’s log-in system.

HULK DDoS Tool Smash Web Servers

hulkResearchers from Kapersky Lab recently reported on a new distributed denial-of-service (DDoS) tool. The HTTP Unbearable Load King (HULK) tool is different from others of its kind in that it does not simply hit a server with a massive load of TCP SYN requests or other predictable packets.

Instead, HULK generates numerous unique requests designed to prevent server defenses from recognizing a pattern and filtering the attack traffic. The HULK DDoS tool is the work of Barry Shteiman, a security pro who developed it out of frustration with the obvious patterns produced by other such tools.

Spammers Hijack Joomla and WordPress Sites

hacker2Security experts found many compromised WordPress and Joomla Web sites used by spammers to advertise sketchy diet pills and counterfeit luxury goods. The owners of these sites are most likely unaware of what is going on.

Web masters often fail to check their sites’ subdirectories for signs of malicious files and Web pages, thus allowing cybercriminals to use the domain’s reputation to host their scams. Attackers often brute-force administrator passwords to gain access to a site’s back end.

Information

Pragmatic Journey is Richard (rich) Wermske's life of recovery; a spiritual journey inspired by Buddhism, a career in technology and management with linux, digital security, bpm, and paralegal stuff; augmented with gaming, literature, philosophy, art and music; and compassionate kinship with all things living -- especially cats; and people with whom I share no common language.