AEL (Association Electronique Libre) - planet and surrounding

Apple security blunder exposes Lion login passwords in clear text

by Emil Protalinski

An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.

See full article here

Terrorists ‘build secure VoIP over GPRS network’

by Simon Sharwood

Terror group Lashkar-e-Taiba has developed its own VoIP network that connects its members over GPRS networks, according to the Times of India.
[...] The VoIP network is frustrating India’s intelligence community, the report says, because it means they can no longer trace the group’s members as it is far harder to spy on than email or commercial VoIP services.

See full article here

Elgamal, Marlinspike join dream team tackling SSL screw-ups

by John Leyden

A non-profit organisation has brought together a team of experts to tackle SSL governance and implementation issues and promote best practice.
The Trustworthy Internet Movement (TIM) is convening a task force [...] SSL Labs, a research project to measure and track the effective security of SSL on the internet. Earlier this week, the organisation launched SSL Pulse, a service that aims to track the progress of how well SSL is implemented across top websites. The SSL Pulse dashboard, launched on Wednesday, currently indicates that only 10 per cent of the world’s top websites follow SSL deployment best practices.

See full article here

Skype leaking user IP addresses, TCP ports

by Ryan Naraine

Microsoft-owned Skype is leaking sensitive user data, including internal and external IP addresses and TCP ports.
The issue has been publicly disclosed and I’ve confirmed that a web-based tool is available to help attackers pinpoint the last known IP address of a Skype user.

See full article here

Kaspersky: Apple ’10 years behind Microsoft in terms of security’

by Emil Protalinski

“Apple is now entering the same world as Microsoft has been in for more than 10 years: updates, security patches and so on,” Kaspersky said. “We now expect to see more and more because cyber criminals learn from success and this was the first successful one. They will understand very soon that they have the same problems Microsoft had ten or 12 years ago. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software. That’s what Microsoft did in the past after so many incidents like Blaster and the more complicated worms that infected millions of computers in a short time. They had to do a lot of work to check the code to find mistakes and vulnerabilities. Now it’s time for Apple [to do that].”

See full article here

Biometric Passports Make it Harder for Undercover CIA Officers

via Bruce Schneier

Last year, I wrote about how social media sites are making it harder than ever for undercover police officers. This story talks about how biometric passports are making it harder than ever for undercover CIA agents.
[...] “If you go to one of those countries under an alias, you can’t go again under another name. So it’s a one-time thing — one and done. The biometric data on your passport, and maybe your iris, too, has been linked forever to whatever name was on your passport the first time.”

See full article here

RuggedCom – Backdoor Accounts in my SCADA network? You don’t say…

RuggedCom Rugged Operating System (ROS), used in RuggedCom network infrastructure devices, contains a hard-coded user account named “factory” that cannot be disabled. The password for this account is based on the device’s MAC address and can be reverse engineered easily (CWE-261: Weak Cryptography for Passwords).
[...] An attacker with knowledge of an ROS device’s MAC address may be able to gain complete administrative control of the device. The MAC address is displayed in the pre-authentication banner.
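The weakness class described above (a fixed account whose password is a deterministic function of a public identifier that the device itself prints before login) is easy to audit for. The following is an example added by the editor, not RuggedCom's code or the actual ROS derivation: `hypothetical_factory_password` is a placeholder stand-in for any f(MAC), the banner text is a constructed sample, and the function names are the editor's own. It shows how little an attacker needs once the MAC is in the pre-auth banner, why mixing a vendor-wide secret into the derivation does not rescue it, and what the keyspace looks like even without the banner:

```python
"""Audit pre-authentication banners for MAC disclosure and illustrate
why a MAC-derived device password is weak (editor's example, not
RuggedCom's algorithm)."""
import hashlib
import re
import secrets

# Colon- or dash-separated MAC, e.g. 02:11:22:33:44:55 or 02-11-22-33-44-55.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

# Constructed sample banner; NOT a capture from a real device.
SAMPLE_BANNER = (
    "Rugged Operating System (constructed sample banner)\n"
    "MAC Address: 02-11-22-33-44-55\n"
    "Enter User Name: "
)


def extract_macs(banner: str) -> list[str]:
    """Return every MAC address disclosed in banner text, normalised to
    lowercase colon form, in order of appearance. Use this on anything a
    device sends before authentication (telnet/SSH banners, login pages)."""
    return [m.replace("-", ":").lower() for m in MAC_RE.findall(banner)]


def mac_keyspace(oui_known: bool) -> int:
    """Candidate MACs to enumerate when the password is a pure function of
    the MAC and the banner is NOT available: the vendor OUI (upper 24 bits)
    is public (IEEE registry, device label), so only the low 24 bits vary.
    With the banner in hand the search space collapses to a single value."""
    return 1 << 24 if oui_known else 1 << 48


def hypothetical_factory_password(mac: str, family_secret: bytes = b"") -> str:
    """HYPOTHETICAL stand-in for any deterministic f(MAC); not ROS's scheme.
    A vendor-wide family_secret does not help: it is identical on every
    unit, so extracting it from one firmware image breaks all of them."""
    digest = hashlib.sha256(family_secret + mac.encode("ascii")).hexdigest()
    return digest[:10]


def attacker_view(banner: str, family_secret: bytes = b"") -> dict[str, str]:
    """Everything needed is available pre-authentication: each disclosed MAC
    maps straight to the candidate password for the fixed account."""
    return {mac: hypothetical_factory_password(mac, family_secret)
            for mac in extract_macs(banner)}


def provision_device_password(nbytes: int = 16) -> str:
    """The fix for this class of bug: a per-device secret generated at
    manufacturing or provisioning, stored on the unit, and unrelated to any
    identifier the device advertises. 16 random bytes -> 32 hex chars."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    print("MACs in banner:", extract_macs(SAMPLE_BANNER))
    print("candidates with OUI known, no banner:", mac_keyspace(True))
    print("attacker view:", attacker_view(SAMPLE_BANNER))
    print("per-device random password:", provision_device_password())
```

Run against real banners, any MAC (or serial number) that `extract_macs` pulls out of pre-auth output is a finding on its own; whether a password is derived from it is the follow-up question for the vendor.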

See full article here and here

Spy tech exports from Europe face tighter scrutiny

by Brid-Aine Parnell

The EU could soon introduce rules to monitor the deployment of internet censorship technology in autocratic regimes including China and Saudi Arabia.
The European Parliament is proposing a resolution to strengthen the accountability of countries that export gear used to block websites and eavesdrop on mobile communications.

See full article here

Boeing plans super-secure Android smartphone for top echelons

by Iain Thomson

Boeing is planning to launch an own-brand super-secure Android smartphone for military, government, and high-level commercial users by the end of the year. Brian Palma, vice president of Boeing’s secure infrastructure group, said that similar secure phones at that level of the market were selling for $15,000 to $20,000 apiece. The company was aiming for a considerably cheaper price point, but this handset won’t be a mass-market device.

See full article here

Australia OKs iOS for classified comms

by Simon Sharwood

Australia’s Defence Signals Directorate, an agency charged with collecting signals intelligence and educating the rest of the government about security, has green-lit Apple’s iOS for use in “classified Australian government communications”.
The decision doesn’t mean spooks can nip out to a phone shop and start chattering away on the iDevice of their dreams. Instead they’ll need to adhere to a ‘Hardening Guide’ [PDF] that insists on iOS 5.1 or later and also offers lots of rules to make sure Apple’s devices are used safely.

See full article here