For this edition of the Weekly Cybernote, first of all, we will touch on Project Zero, the elite crack team set up by Google to fight zero-day attacks. We will then discuss an attack identified in China that apparently targeted databases of state employees living in the US. Lastly, we will look at how the Gmail application on iOS could very well prove to be the ideal opportunity for hackers.
Google creates “Project Zero”, an elite team to fight 0-day attacks
Through this team, whose existence is expected to become official shortly, Google intends to test the security of not only its own products, but the products of other software vendors as well. Once an exploit is discovered, it would be communicated to Google, who will have between 60 and 90 days to fix it before it becomes officially public on the Project Zero blog. These deadlines may shrink to only 7 days if hackers have already exploited the flaw. The aim is to encourage vendors to track the quality of the tools they provide to their clients to the best of their ability. Ben Hawkes, a New Zealand security researcher and member of this team, discovered a dozen bugs in Adobe Flash and the Microsoft Office software suite. Tavis Ormandy is one of the most prolific vulnerability hunters in the world. He took the antivirus industry by storm by revealing grave problems in certain Sophos products and discovered a zero-day vulnerability in Windows in June 2013, but the list doesn’t stop there. Nor is the team expected to stay at its current size, since Google is hiring to add members to it.
An attack originating in China has targeted databases of American state employees
Chinese hackers have managed to penetrate federal administration files containing the personal details of all state employees, including those in the secret service and defense departments, the New York Times reported on Thursday. The Office of Personnel Management, the American ministry that manages federal state employees, and the Department of Internal Security attempted to remedy any possible intrusions as soon as they became aware of them. The hackers struck in March and snooped through the records of tens of thousands of persons who had applied for jobs in order to obtain security accreditations, the daily stated, quoting anonymous persons in charge.
Gmail on iOS: the new El Dorado for hackers?
Users of Apple mobile terminals who have installed Gmail on their iOS devices may have their data intercepted by hackers for a simple reason: Google has not yet set up any security technology to prevent hackers from reading and modifying encrypted communications exchanged with the web giant, wrote Avi Basan, CTO of Lacoon Mobile Security, a company based in Israel and the US. Legitimate websites use digital certificates to encrypt data traffic using the SSL/TLS (Secure Sockets Layer / Transport Layer Security) protocols. However, in certain cases, hackers can falsify these certificates in order to observe and decrypt such traffic. Fortunately, this threat can be kept at bay using certificate “pinning”, which hard-codes details of the legitimate digital certificate in an application.
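The pinning check described above can be sketched as follows; this is an added example, not code from Google, Lacoon or the original article, and it uses Python rather than an iOS language purely for illustration. The certificate byte strings are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: frozenset) -> bool:
    """True only if the presented certificate is one of the hard-coded pins."""
    return fingerprint(der_cert) in pinned


def connect_pinned(host: str, pinned: frozenset, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf certificate is pinned."""
    ctx = ssl.create_default_context()  # normal CA and hostname validation stays on
    raw = socket.create_connection((host, port), timeout=10)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    # The pin is an extra check on top of chain validation: a certificate that
    # chains to a CA the device trusts is still refused if it is not pinned.
    if not pin_matches(sock.getpeercert(binary_form=True), pinned):
        sock.close()
        raise ssl.SSLError(f"certificate for {host} does not match any pin")
    return sock


# Constructed stand-ins for DER certificates (not real certificates).
LEGITIMATE_CERT = b"constructed-der-bytes: legitimate server certificate"
BACKUP_CERT = b"constructed-der-bytes: backup certificate for rotation"
SUBSTITUTED_CERT = b"constructed-der-bytes: certificate from another trusted CA"

# Pins hard-coded in the application: the current certificate plus a backup,
# so the server can rotate certificates without locking out the app.
PINNED = frozenset({fingerprint(LEGITIMATE_CERT), fingerprint(BACKUP_CERT)})

if __name__ == "__main__":
    for name, cert in [("legitimate", LEGITIMATE_CERT),
                       ("backup", BACKUP_CERT),
                       ("substituted", SUBSTITUTED_CERT)]:
        print(name, "accepted" if pin_matches(cert, PINNED) else "rejected")
```

In a deployed application the pins would be fingerprints of the service's real certificates (or public keys), and every pin has to be updated through an app release before the matching certificate expires.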