This Week In Application Security News: November 18-24

Nov 24, 2013 By Sarah Vonnegut

Start your week on top of all the most recent application security news: Bug Bounty programs proved their real worth with a major find in Gmail, Cupid Media was shot with a hacked bow, Twitter stepped up its privacy plan, and more. We’ll get you up to speed on all of AppSec’s latest!


Tweeting Gets A Bit Safer

Tweeters worldwide have gained a bit more encryption protection with the microblogging service. Twitter this week announced a significant increase in its data security by adding an extra layer of encryption to its clients on desktop, mobile and through third-party sites.

The method of extra security, called Perfect Forward Secrecy, revolves around negotiating a fresh shared key between client and server for each new session, rather than deriving every session’s key from the server’s long-term private key. The result is that a hacker will not be able to decrypt recorded traffic, even if they stole or somehow gained Twitter’s private keys. Forward Secrecy extends not only to publicly published tweets, but also to protected tweets and direct messages, as well as various other user data.
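To make the property concrete, here is an added illustration (not code from Twitter or from the original post) contrasting the two handshake styles the paragraph describes: a server that reuses one long-term Diffie-Hellman key for every session, and a server that generates a fresh ephemeral key per session and uses its long-term key only to authenticate that share. The group parameters, the HMAC standing in for a certificate signature, and the SHA-256 key derivation are all simplifications chosen for this example; real TLS uses standardised groups or elliptic curves and a proper signature.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group, constructed for this illustration only:
# a 127-bit Mersenne prime and a small generator. Far too small for real use.
P = 2**127 - 1
G = 3


def dh_public(private: int) -> int:
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> int:
    return pow(peer_public, private, P)


def derive_key(shared: int, transcript: bytes) -> bytes:
    """Toy KDF: session key = SHA-256(shared secret || handshake transcript)."""
    return hashlib.sha256(shared.to_bytes(16, "big") + transcript).digest()


def fresh_exponent() -> int:
    return secrets.randbelow(P - 2) + 1


@dataclass
class Recording:
    """What a passive eavesdropper can store: the public handshake messages only."""
    client_pub: int
    server_pub: int
    auth_tag: bytes = b""


# ---- Mode 1: static server DH key, no forward secrecy -------------------------

def static_handshake(server_static_priv: int) -> tuple[bytes, Recording]:
    server_pub = dh_public(server_static_priv)      # identical in every session
    client_priv = fresh_exponent()
    client_pub = dh_public(client_priv)
    transcript = client_pub.to_bytes(16, "big") + server_pub.to_bytes(16, "big")
    key = derive_key(dh_shared(server_pub, client_priv), transcript)
    return key, Recording(client_pub, server_pub)


def break_static(rec: Recording, leaked_server_priv: int) -> bytes:
    """Attacker who later obtains the server's long-term DH key recomputes any past session key."""
    transcript = rec.client_pub.to_bytes(16, "big") + rec.server_pub.to_bytes(16, "big")
    return derive_key(dh_shared(rec.client_pub, leaked_server_priv), transcript)


# ---- Mode 2: ephemeral DH authenticated by a long-term key, forward secrecy ---

def ephemeral_handshake(server_auth_key: bytes) -> tuple[bytes, Recording]:
    server_priv = fresh_exponent()                  # new exponent per session
    client_priv = fresh_exponent()
    server_pub = dh_public(server_priv)
    client_pub = dh_public(client_priv)
    # The long-term key only authenticates the ephemeral share (HMAC stands in
    # for the certificate signature a real server would produce).
    tag = hmac.new(server_auth_key, server_pub.to_bytes(16, "big"), "sha256").digest()
    transcript = client_pub.to_bytes(16, "big") + server_pub.to_bytes(16, "big") + tag
    key_client = derive_key(dh_shared(server_pub, client_priv), transcript)
    key_server = derive_key(dh_shared(client_pub, server_priv), transcript)
    assert key_client == key_server
    del server_priv, client_priv                    # exponents are discarded, never sent
    return key_client, Recording(client_pub, server_pub, tag)


def verify_share(server_auth_key: bytes, rec: Recording) -> bool:
    expected = hmac.new(server_auth_key, rec.server_pub.to_bytes(16, "big"), "sha256").digest()
    return hmac.compare_digest(expected, rec.auth_tag)


def break_ephemeral(rec: Recording, leaked_auth_key: bytes) -> bytes | None:
    """Same attacker, same recording, but the leaked key is an authentication key,
    not a DH exponent: the recording holds only g^a and g^b, so deriving the
    session key would require solving the discrete logarithm. The leak only
    lets the attacker authenticate shares in *future* handshakes."""
    if not verify_share(leaked_auth_key, rec):
        return None
    return None   # no exponent available; the past session key is unrecoverable


if __name__ == "__main__":
    static_priv = fresh_exponent()
    key, rec = static_handshake(static_priv)
    print("static mode, key recovered after leak:", break_static(rec, static_priv) == key)
    auth_key = secrets.token_bytes(32)
    key, rec = ephemeral_handshake(auth_key)
    print("ephemeral mode, key recovered after leak:", break_ephemeral(rec, auth_key) == key)
```

The caveat worth keeping in mind is visible in `verify_share`: forward secrecy protects traffic that was recorded before a long-term key was stolen, but a thief holding that key can still impersonate the server from that point on, so key rotation and revocation remain necessary.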

The introduction of increased layers of security comes amid Snowden revelations that the NSA has been gathering huge troves of data from Twitter users, among other platforms. In Twitter’s own tweet-sized words: “Forward Secrecy is just the latest way in which Twitter is trying to defend and protect the user’s voice.” Twitter is following in the footsteps of Google, Facebook and Yahoo, who have all employed Forward Secrecy.

Read more on Twitter’s blog


Google Password Issue Discovered and Reported By Hacker

Oren Hafif, a ‘friendly’ hacker and security researcher, discovered a gaping hole in Google’s account recovery process that could allow hackers to trick users into handing over their passwords using a phishing attack. The attack would email victims a spoof of a reminder to reset their Gmail password, send them to the legitimate password-reset page, and then use a cross-site scripting (XSS) attack to capture the victim’s log-in and authentication cookie from Google. That would allow the attacker to take control of all of the victim’s Google accounts while bypassing the CAPTCHA and secret questions that a hacker would otherwise have a difficult time answering.

This week, just ten days after being presented with the information, Google announced they had fixed the issue – and promptly rewarded Hafif a $5,100 ‘High Impact’ bounty on behalf of its Bug Bounty program.

Read Hafif’s blog on his findings:


NSA Has Been Cultivating ‘Digital Sleeper Agents’ Since 1998

A new revelation was brought to light this weekend when Edward Snowden released a new leak, this one detailing the NSA’s deployment of malware against 50,000 networks across the globe, designed to steal sensitive information. The program collecting the data is called Computer Network Exploitation, or CNE, and the malware enables the agency to control the “sleeper cells” remotely and allows them to be turned on and off at will.

The NSA, which employs over 1,000 hackers in a special department called TAO (Tailored Access Operations), has been working in cooperation with the British GCHQ agency, which has been ‘recruiting’ its own ‘sleeper cells’ within England using LinkedIn phishing scams, no less.

Read more from TechCrunch:


Cupid Media Hack Exposes Lots ‘o Love (Searchers)

A breach that occurred last January was just found to have included up to 42 million people’s names, birth dates, emails and passwords, all users of Cupid Media’s 30+ niche dating sites, including, and (but NOT, which has no relation to Cupid Media). Security researcher and blogger Brian Krebs discovered this breach on the same server that hosted stolen data from Adobe, the MacRumors Forum and other sites, with the difference being all the data from Cupid Media was completely unencrypted and in plain-text. Since the breach in January, the company says they’ve taken measures towards better protection and encryption, including salting and hashing passwords and requiring stronger passwords.

Read Brian Krebs’ Blog Post On Cupid Media:

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
