Friday, April 6, 2012

Thinking about jailbreaking your phone?


Facebook: Android, iOS security hole only for jailbroken devices

News broke today of a new security vulnerability discovered in Facebook for Android and Facebook for iOS that means your Facebook identity can be stolen if you use an Android phone, Android tablet, iPhone, and/or iPad. U.K. app developer Gareth Wright, who discovered the issue, said it comes down to Facebook's native apps for the two platforms not encrypting your login credentials, meaning they can be easily swiped over a USB connection, or more likely, via malicious apps. Facebook has responded that this issue only applies to compromised or jailbroken devices.

"Facebook's iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device," a Facebook spokesperson said in a statement. "We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, 'unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses.' To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues."

Something didn't add up for me when I first read this. Wright previously stated that "Facebook are aware and working on closing the hole" so why does Menlo Park's statement make it look as if this really isn't an issue? Facebook clarified this inconsistency by telling me it is looking into ways to mitigate this problem, but it won't be easy.

You might be scratching your head about the fact that these authentication tokens are stored in plain text. Facebook explains that encrypting them won't do much good because the key to decrypt them would also have to live on the device. Facebook could force you to enter your password every time you open the Facebook app, but everyone knows that's a pain (although Facebook.com will sometimes prompt you to enter your password again).

As for the USB connection scenario, Facebook says there's no way to fix this problem. Note that in this case it doesn't matter if your device is jailbroken or not, because whoever is doing the deed has physical access to your phone or tablet.

I wasn't worried about this part, because it's nothing new, and it certainly doesn't just apply to Facebook. After all, nobody can write software that will protect your data from a scenario where you give someone physical access to your computer or phone.

I pressed on to get this part confirmed. "We are constantly looking into making our applications more secure, however you should ALWAYS think twice before plugging any device into an unsecure PC same as you wouldn't plug an unknown USB key into your device," a Facebook spokesperson said in a statement.

Can the FBI say TOR?




Pitt police chief asks person responsible for bomb threats to contact him


Story posted 2012.04.05 at 03:52 PM EDT

After four more bomb threats were reported on the University of Pittsburgh's campus on Thursday, the Pitt campus police chief said he'd like the person responsible to contact him.

"Maybe he'll talk to me. I don't know what the issue is. Maybe I'd be able to find out exactly. I can refer him to somebody," said Chief Tim Delaney. "This is terrorism. The contractors can't work so they can't get paid. The students are paying for an education they can't get."

Delaney said the FBI is working to trace the source of the emailed bomb threats. Two threats were emailed to reporters at two local newspapers, including the Tribune Review.

"One of the newspapers that received this threat ran the headers and it came back that the messages are pinging back from Austria," Delaney said.

Pitt computer science major Jake Wilder said it's possible for the highly skilled to set up a fake IP address and make emails look like they originated in another country.

"This is essentially like domestic terrorism," Wilder said. "They're wasting resources and they're causing first responders to be overstressed."

There have been 23 threats made on the campus over the past few weeks.




Now come on, you mean to tell me the FBI never heard of TOR? And email bomb threats? Really? These kids are mailing the press so it goes in the paper, then others see it and join in on the bandwagon.

For more about TOR check this out:

https://www.torproject.org/

This is the site to read all about it, download it, and start using it. They have made it so easy to use that a 5th grader could be doing it.