In-brief: IBM researchers say they discovered a flaw in an SDK from the cloud storage firm Dropbox that could result in Android users accidentally sending their data to a Dropbox account controlled by a malicious actor.
API
Malicious or Obnoxious? Chinese Mobile Vendor CoolPad Uses Secret Backdoors
CoolPad, an up-and-coming Chinese mobile phone maker, is shipping high-end, Android smart phones with so-called “back door” access built into the phone’s software. That, according to research by the firm Palo Alto Networks. Palo Alto researchers Claud Xiao and Ryan Olson released a report identifying the suspicious remote access software, which they dubbed “CoolReaper” on Wednesday. According to the report, the so-called “backdoor” program was shipped with stock operating systems (or ROMs) used by Coolpad’s “high end” phones in China and Taiwan. The software, which appears to have been created and managed by Coolpad, runs on top of the Android operating system and allows the company to remotely manage the phone independent of the wishes of its owner: pushing applications to the device without the user’s consent or notification, wiping data and applications, sending over-the-air (or OTA) updates to the phone, transmitting device data and sending arbitrary phone calls and SMS […]
Are You Creating A Culture of Security?
Here at The Security Ledger, we’ve written often about the barriers to improving the security practices of software development organizations. It is simple enough to say things like “we have to teach people to write code that is secure. But to actually accomplish that across the myriad of companies that do software development is akin to boiling the ocean. Still, it is a far more manageable problem at the level of a single organization. In fact: it is quite do-able. How? That’s the subject of a Google Hangout Security Ledger is doing this afternoon in conjunction with Veracode. The topic: creating a culture of security within your organization. In the hangout, I will be speaking with Veracode’s Chris Eng and Greg Nicastro about how Veracode, itself, built its secure development culture from the ground up. This is going to be a great discussion. Greg is the Executive Vice President of […]
Essentials for Visibility-Driven Security
Visibility is surprisingly tricky. The security industry offers many disparate tools to provide customers “visibility” into what is happening on their networks. Among them are tools that track what applications are on the network, tools for enumerating and tracking software vulnerabilities, tools for determining when sensitive data has left a network, tools that indicate when attacks are underway and tools that identify and analyze network data flows – to name just a few. Of course, layered on top of all this “visibility” are further systems that correlate and analyze what the mission-specific tools are seeing. Promises of a “single pane of glass” aside, the result is often a mishmash of data and events that require skilled security practitioners to analyze and interpret. The mishmash, in turn, leads to errors in analysis and prioritization. Albert Einstein famously said “Any fool can know. The point is to understand.” So it is in the information security industry, where a common refrain is “you can’t protect […]
AllSeen Alliance Announces Smart Lighting Framework
Smart lightbulbs aren’t anything new. In fact, products like the Philips Hue bulb have been in the market for years. The devices, which typically couple a standard incandescent or CF bulb with a wireless transmitter, allow lights to be managed via mobile device and also respond to environmental changes monitored by other sensors. But – as with much of the Internet of Things – each family of smart bulbs is something of an island: interacting- and communicating mostly with other smart home products from the same manufacturer. That’s good for the lightbulb maker, but bad for smart home advocates, see out-of-the box connectivity across product silos as a precursor to broad adoption of smart home technologies. It’s also been the case that the products that have been released have often fallen short in areas like security. In August, 2013, security researcher Nitesh Dhanjani disclosed a proof of concept hack […]
