This Week In Application Security News: December 2 – 8

Dec 08, 2013 By Sarah Vonnegut

In this week’s news update, we’re all just tiny specks on the NSA’s enormous surveillance map, Obama can’t have an iPhone like his cooler daughters, the Brightest Flashlight app has a dark history of data stealing, and more.

NSA Tracking Hundreds Of Millions Of Mobile Phone Locations Across The Globe

According to a new report released by Edward Snowden, the NSA gathers almost 5 billion cell phone location records from around the globe on a daily basis. The new allegations of a mass surveillance tool of the world go above and beyond anything we previously thought the NSA was capable of.

The NSA claims not to record Americans’ locations ‘on purpose,’ but simply obtains information on domestic cell phone use ‘incidentally’ in the course of broader global surveillance. As reported in the Washington Post, the NSA gathers an immense amount of location information worldwide by tapping into the cables that connect mobile networks, both within the US and outside it. The agency says that it is strength in numbers it is after when collecting such a huge amount of data: the analytics tools the NSA uses work best by analyzing patterns in large data troves, and the bigger the trove, the better. So big, in fact, that if the report that the NSA holds 27 terabytes of information is correct, the agency holds location data amounting to twice the contents of the Library of Congress.

Read more about the latest NSA revelation:

President Obama Not Allowed To Own iPhone For Security Reasons

“I’m not allowed for security reasons to have an iPhone”, Obama admitted this week to a young group at an event. The president has used his modified Blackberry since before his inauguration in 2008.

BlackBerry has long been considered the go-to device for American government workers, despite the company’s long-running financial struggles, because of BlackBerry’s strong, military-grade encryption practices. There are plenty of reasons to be wary of the iPhone’s security features, including the ways in which someone who is not the rightful owner can use Siri to bypass the lock screen, and the rumors that Apple stores “voiceprints” for an undisclosed length of time. In addition, any small security concern would be heavily amplified when considering how it would apply to President Obama.

In a sign of the changing times, however, Apple’s iOS 6 was granted a certain level of security clearance earlier this year that allows it to be used by some higher-level government employees, though still ones well below Obama’s position. Obama added that both his daughters spend a lot of time on their iPhones and that he uses an iPad 2 to read news headlines and surf online. For now, it seems it will be a while before the latest tech gadgets are also the most secure, and future presidents will be stuck with BlackBerry – so long as the company holds out!

Read the whole story here:


FTC Shuts Down Location-Tracking “Brightest Flashlight” App

A ‘torch’ flashlight app that has been downloaded at least 50 million times on Android devices has been taken down from the Google Play store for selling its users’ location data and device ID information since February 2011.

The FTC brought a complaint against the Brightest Flashlight developer, Goldenshore Technologies, LLC, for deceiving customers by not disclosing that the information collected would be sent to third parties such as ad networks. On top of that, an ‘opt-out’ option that supposedly allowed users to choose not to take part in the location and device ID sharing was bogus, as the information was sent before the user could even choose to refuse.

The development company settled the charges with the FTC and must delete all of the personal information it has collected. The company and the app are allowed to continue operating so long as they do not misrepresent the extent to which data is collected, used and shared, or the ability of users to choose which information can be collected from them.

Read the FTC Complaint here:


JP Morgan Chase Disclosed Data Breach Of Half a Million Customer Details

The personal details of over 465,000 JPMorgan Chase & Co corporate and government clients who hold prepaid cash cards from the bank may have been compromised in a cyberattack that occurred in July. The bank discovered only in September that the servers supporting its prepaid card website had been hacked, with the potential that nearly half a million cardholders’ information had been stolen. Just this week the company reported the incident to government clients, including Connecticut and Louisiana.

The stolen information may have included social security numbers, names, bank account numbers, card numbers, birth dates, passwords, security answers, addresses and phone numbers, though the bank denies that any personal information was taken. The FBI and Secret Service have launched an investigation into the hacking, but there are no solid details as yet as to how the attack occurred, other than that the hackers apparently gained access to temporary files that were not encrypted.

JPMorgan says that only UCard customers were affected, and it is now contacting those customers. The bank claims that, since there is no indication that the hackers are using the information they stole, there is no need to replace the cards; instead it is offering affected users a year of complimentary credit monitoring. The prepaid UCards are used to pay salaries as well as to issue tax refunds and unemployment benefits.

Read about the breach on Reuters:

Details Emerge On Paunch, Alleged Author of As Much As 40% Of The World’s Malware

Details that emerged this week from Russian police and computer security experts include information about the lavish lifestyle led by the Russian cybercrime kingpin Paunch. He is the alleged creator of the BlackHole and Cool exploit kits, which are said to be responsible for up to 40 percent of the world’s malware.

At the time of his arrest in early October, the 27-year-old was said to be earning as much as $50,000 a month selling $500 subscriptions to his malware service. He and his cyber-gang are estimated to have earned $2.3 million over the course of 3 years. BlackHole was the malware of choice for many scams involving online banking and other financial cybercrime. On top of the malware, Paunch also wrote and sold a “crypting” service that kept the malicious software from being detected by antivirus, thereby doubling the profits from his scheme.

Here’s Krebs on Paunch:

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
