Dangers of Online Shopping



Good Versus Evil: How to Further Protect Your Privacy on Mobile Devices and Wireless Networks”

Your bank account has just been drained and the bank says that you willingly did it and there is no chance for a reversal. Well, for all purposes, you did. Your username, password and security questions were all answered correctly just prior to the transaction, but the problem is, it wasn’t you, it was the work of a hacker who gained your information through a public forum in which you had both joined the same wireless network. Can it happen? Yes it can, and it does. One party figures out how to gain information for the benefit of the consumer and the other party figures out the information for the detriment of the consumer. It’s the ongoing battle between certified ethical hackers and malicious hackers. Read more…


XSS Vulnerabilities Can Affect Embedded Browsers in Mobile Apps

A security researcher has noted that the use of embedded browsers in mobile applications can make those applications vulnerable to cross site scripting attacks. Developers of mobile software have found it can be effective to embed a smartphone operating system’s web browser and then create their user interface using HTML, CSS and JavaScript. The user interface is then more portable to other devices and is easier to customise using CSS. But this convenience comes at a cost. Researcher Kyle Osborn, who is presenting his findings at TakedownCon, found that some developers don’t clean the data being sent to their HTML-based user interface.  Read more…


Mobile Security at TakeDownCon: Hackers Handing Out a Healthy Dose of Paranoia”

Smartphones are mini-computers packed with financial and personal info, but even though folks can use their mobile devices for everything from paying bills to GPS, it’s a bit confusing when wondering why folks don’t consider mobile security. To ignore the need for mobile security is a bit like choosing to run a computer without any regard to security precautions. Not wise at all. Even without any malicious intent by app developers, many are not concerned about security; their apps may ask for overreaching access permissions.

Mobile and wireless security news is pouring out of TakeDownCon in Las Vegas. During the keynote presentation, Moxie Marlinspike said “mobile malware detection should be done by the app stores” and “Google has done the absolute bare minimum to secure the Android platform.” Marlinspike tweeted, “Half way through my talk at TakeDownCon this morning, I realized it included some minor Android 0day we hadn’t reported.”  Read more…


New System Secures Cellphones for Web Transactions

An experimental method for two-factor authentication to websites employs mobile phones in a new way to ensure that users’ online accounts don’t get hijacked.

Called password less authentication (PLA), the scheme gathers authentication data over the Internet as well as carrier cellular networks and ties them together to positively identify the person trying to log in to an account, according to the author of PAL, Srikar Sagi, a security researcher.

PLA gets around some shortcomings of other scenarios in which cellphones are used in two-factor authentication. Some of these other methods have secure websites send SMS messages containing one-time passwords to cellphones for users to copy into the authentication page for the site they are logging into.  Read more…


Researcher demos threat of “transparent” smartphone botnets

In a presentation at TakeDownCon in Las Vegas today, security researcher Georgia Weidman demonstrated how malware on smartphones could be used to create smartphone “botnets” that could be used in the same way as PC botnets, providing hackers with a way to insert code between the operating system’s security layers and the cell network. In an interview with Ars Technica, Weidman said that the approaches used by Carrier IQ developers to create phone monitoring software could be adopted by hackers as well to create botnets that could silently steal users’ data, or send data without users’ knowledge. “From what I’ve seen in Carrier IQ, they just didn’t think about what they were going to do,” Weidman said. “But malware writers are going to take advantage of those techniques.


Google Earth, other mobile apps leave door open for scripting attacks

In the rush to create mobile apps that work across the leading smartphones and tablets, many developers have leaned heavily on web development tools and use embedded browsers as part of their packaged applications. But security researchers have shown that relying on browser technology in mobile apps—and even some desktop apps—can result in hidden vulnerabilities in those applications that can give an attacker access to local data and device features through cross-site scripting.

At today’s TakeDownCon security conference in Las Vegas, researcher Kyle Osborn will present some examples of cross-site scripting attacks that he and colleagues have discovered on mobile devices. “XSS is generally considered to be a browser attack,” Osborn said in an interview with Ars Technica. But many applications, he said, such as those built with cross-platform mobile-development tools like PhoneGap, use HTML rendering to handle display of data. If applications aren’t properly coded, it’s possible for JavaScript or other web-based attacks to be injected into them through externally-provided data. “Often, there are times when you can just make a JavaScript request and pull files from the local filesystem,” he said. Read more…


Just What We Need: Malware to Slave Your Android to a Botnet

The Georgia Show: Buffer Overflow Basics from Georgia Weidman on Vimeo.


TakeDownCon Las Vegas in the News: NBC News Live


TakeDownCon Las Vegas Hosts Leading Industry Experts on Mobile Threats

As mobile and wireless devices and technology slowly become ubiquitous to our daily lives, their security is an area we cannot afford to ignore. TakeDownCon Las Vegas will be the platform where critical issues surrounding mobile and wireless security, are discussed and debated.

December 1, 2011 – Top ethical hackers from across the US will unveil the latest threats to mobile devices at next week’s TakeDownCon security conference in Las Vegas. TakeDownCon is the highly technical IT Security conference series designed by EC-Council that first launched this May in Dallas.

“The focus of TakeDownCon Las Vegas is on mobile and wireless security and we have assembled an all-star cast of leading cybersecurity minds who will be presenting cutting-edge vulnerabilities from mobile cross-site scripting to smartphone botnets, mobile application exploits and Android viruses,” said Leonard Chin, Conference Director for TakeDownCon. “Mobile devices pose one of the most significant and growing threats to corporate IT security and our speakers will be addressing a number of critical security management issues that are highly relevant for today’s businesses.” Read more…