Tuesday, February 19, 2013

Find: Facebook, Twitter, Apple hack sprung from iPhone developer forum

Watering hole attack on the big guys uses a zero-day Java exploit.


Facebook, Twitter, Apple hack sprung from iPhone developer forum

iPhone Dev SDK, the web forum that was at the center of the hack of Facebook and other companies in January.

The website used to infect engineers at Facebook with espionage malware has been identified as an iPhone developer forum by people close to the investigation into the hacking incident.

That page, at the iPhone developer website iphonedevsdk.com, was used to expose visitors to a previously undocumented vulnerability in Oracle's Java browser plugin. The "zero-day" exploit allowed the attackers to install a collection of malware on the Java-enabled computers of those who visited the site. Ars readers shouldn't visit the site because it may still be compromised.

The compromise of iphonedevsdk.com is an example of a "watering hole" attack. These attacks target a site popular with the population the attackers want to reach, using security vulnerabilities to install code on the Web server hosting it; that code then injects attacks into the HTML sent to its visitors. In this case, the site, which hosts a Web forum for iPhone developers, netted the hackers access to the computers of software engineers and developers working on mobile application projects for a number of companies, including Facebook. The exploit was the source of the attack on Twitter that led to the theft of Twitter usernames and passwords, according to a source familiar with the attack, and was used to infect computers belonging to Apple engineers. The source requested anonymity because he was not authorized to provide the details to the press.
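The mechanism described above leaves a footprint in the HTML the server actually sends: plugin tags (Java applet, object, embed) and script or iframe sources pointing at hosts the site operator does not control. The following scanner is an added example, not code from the Ars Technica article or from the compromised forum; the sample page, the host names and the file names in it are constructed for illustration.

```python
"""Scan served HTML for the kind of injected content a watering-hole
compromise leaves behind: Java applet/object/embed tags and script or
iframe sources that point at hosts the site operator does not control.

Added example, not code from the article or the compromised forum. The
sample HTML and all host names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that load plugin content such as Java applets. The forum compromise
# used a Java browser-plugin zero-day, so any of these on a page that never
# shipped them is worth investigating.
PLUGIN_TAGS = {"applet", "object", "embed"}
# Tags whose src attribute pulls remote code or content into the page.
REMOTE_SRC_TAGS = {"script", "iframe"}


class InjectionScanner(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in PLUGIN_TAGS:
            src = attrs.get("code") or attrs.get("data") or attrs.get("src") or ""
            self.findings.append((tag, src, "plugin content"))
            return
        if tag in REMOTE_SRC_TAGS and attrs.get("src"):
            host = urlparse(attrs["src"]).hostname
            # Relative URLs (no hostname) are served by the site itself.
            if host and host.lower() not in self.trusted_hosts:
                self.findings.append((tag, attrs["src"], "untrusted host"))


def find_injected_resources(html, trusted_hosts):
    """Return (tag, url, reason) for each suspicious resource in html."""
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a forum page whose body has had an off-site script
# and a 1x1 Java applet appended. Host names are made up for this example.
SAMPLE_PAGE = """
<html><head>
<script src="/static/forum.js"></script>
<script src="https://cdn.example-forum.test/jquery.js"></script>
</head><body>
<h1>Developer forum</h1>
<iframe src="https://ads.example-forum.test/banner" width="300" height="250"></iframe>
<script src="http://static.attacker-cdn.test/ga.js"></script>
<applet code="Loader.class" archive="http://static.attacker-cdn.test/l.jar" width="1" height="1"></applet>
</body></html>
"""

# Hosts the (hypothetical) site operator knows they legitimately load from.
TRUSTED = {"cdn.example-forum.test", "ads.example-forum.test"}

if __name__ == "__main__":
    for tag, url, reason in find_injected_resources(SAMPLE_PAGE, TRUSTED):
        print(f"{reason:15} <{tag}> {url}")
```

Run against a copy of the page fetched the way a visitor's browser would fetch it (not from the server's own files, since injected content may be added at request time), and compare the result with the resources the site is known to ship. Any plugin tag or off-domain script that is not on that list is the lead to pull.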

Sunday, February 17, 2013

Find: Securing your website: A tough job, but someone's got to do it

Good survey of web security and attacks. 


Securing your website: A tough job, but someone's got to do it

In 2006, members of a notorious crime gang cased the online storefronts belonging to 7-Eleven, Hannaford Brothers, and other retailers. Their objective: to find an opening that would allow their payment card fraud ring to gather enough data to pull off a major haul. In the waning days of that year they hit the mother lode, thanks to Russian hackers identified by federal investigators as Hacker 1 and Hacker 2.

Located in the Netherlands and California, the hackers identified a garden-variety flaw on the website of Heartland Payment Systems, a payment card processor that handled some 100 million transactions per month for about 250,000 merchants. By exploiting the so-called SQL injection vulnerability, they were able to gain a toehold in the processor's network, paving the way for a breach that cost Heartland more than $12.6 million.

The hack was masterminded by the now-convicted Albert Gonzalez, and it's among the most graphic examples of the damage that can result from vulnerabilities that riddle just about any computer that serves up a webpage. Web application security experts have long cautioned that such bugs can cost businesses dearly, yet those warnings largely fall on deaf ears. But in the wake of the Heartland breach there was no denying the damage they can cause. In addition to the millions of dollars the SQL injection flaw cost Heartland, the company also paid in lost reputation among customers and investors.
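The "garden-variety" bug class named above, shown as a vulnerable lookup beside its parameterized fix. This is an added example using an in-memory SQLite table; the schema, rows and payload are constructed and have nothing to do with Heartland's actual application.

```python
"""SQL injection: a query assembled from request input by string formatting,
beside the parameterized form that closes the hole.

Added example with a constructed in-memory SQLite table; not code from the
article or from any real payment processor.
"""
import sqlite3


def make_db():
    """Constructed sample data: a merchants table with per-merchant API keys."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO merchants (name, api_key) VALUES (?, ?)",
        [("corner-store", "k-1111"), ("big-box", "k-2222")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Query text is built from untrusted input. A single quote in `name`
    ends the string literal and lets the rest of the input be parsed as SQL."""
    sql = f"SELECT name, api_key FROM merchants WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The statement and the value travel separately; the driver binds the
    value as data, so no content of `name` can change the query's structure."""
    sql = "SELECT name, api_key FROM merchants WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload. In the vulnerable path the WHERE clause becomes
#   name = 'x' OR '1'='1'
# which is true for every row and dumps the whole table.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("legitimate, vulnerable:    ", lookup_vulnerable(conn, "big-box"))
    print("payload, vulnerable:       ", lookup_vulnerable(conn, PAYLOAD))
    print("payload, parameterized:    ", lookup_parameterized(conn, PAYLOAD))
```

Both functions return the same single row for an honest merchant name; the difference only shows on hostile input, which is why the bug survives functional testing and gets found by whoever probes the parameter first.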

Saturday, February 2, 2013

Find: indystate, browsing - Safari dominates mobile browsing at 60%

Internet Explorer still growing as Windows 7 starts its decline

In the first month of 2013, Internet Explorer's desktop market share continued to climb slowly, with Firefox consolidating its number two spot. There are signs that Windows 7 may have peaked as Windows 8 slowly picks up users.

January was a good month for Microsoft's browser, up 0.37 points to 55.14 percent. Firefox also grew, up 0.12 points to 19.94 percent. Chrome fell, down 0.56 points to 17.48 percent. Safari was unchanged at 5.24 percent, and Opera was up a hair, gaining 0.04 points to reach 1.75 percent.

The improvement in Internet Explorer's position masks a story that's decidedly mixed for Microsoft. Windows 7 fell for the first time in January, dropping 0.63 points from a high of 45.11 percent to 44.48 percent. Windows 8's slow growth is continuing, up 0.54 points from 1.72 percent to 2.26 percent. There is also a small number of tablet users, with 0.08 percent on Windows 8 Touch and a minuscule 0.02 percent on Windows RT Touch.