Password-pilfering app exposes weakness in iOS and Android vetting process

Highlighting crucial weaknesses in Apple's and Google's processes for admitting new titles into their competing app stores, both companies have ejected a third-party Instagram app after discovering it probably pilfered user passwords and pictures.

InstaAgent, as the app was called, marketed itself as a program that tracked people who visited a user's Instagram account. It had between 100,000 and 500,000 downloads from Google's Play Store and was in the top charts of the iOS App Store. But behind the scenes, an app developer said earlier this week, the app sent users' Instagram login credentials to a server controlled by the InstaAgent developer. Google was the first to pull the app. Apple later followed.

According to a blog post published Thursday by the iOS developer:

Pay or we’ll knock your site offline—DDoS-for-ransom attacks surge

A number of sites have been hit by distributed denial-of-service attacks over the past week. Strong enough to knock some of them offline for days at a time, these DDoS attacks have been launched by extortionists demanding thousands of dollars in ransom money.

One of the latest sites to be targeted is FastMail. In a blog post published Wednesday, the Australian e-mail provider said it was hit by a wave of data assaults on Sunday that were soon followed by e-mails demanding a payment of 20 Bitcoins, worth about $6,600 at current exchange rates. Other services reporting similar shakedowns include Hushmail, Runbox, and VFEMail. As Ars reported last week, ProtonMail paid a $6,000 ransom only to be taken out by a new round of attacks. Zoho also reported a week-long struggle to beat back DDoS attackers but made no mention of receiving a ransom demand.

"The attackers have demanded a ransom, which we will not pay, and have promised an increase in the intensity of the attacks," Hushmail wrote in their advisory, which was published last Friday. "As such we expect that there will be continued attacks, which may result in further interruptions in service. We are continuing to improve our protection against these attacks, and have filed a criminal complaint with the relevant authorities."

Why the attack on Tor matters

This post was originally published on the blog A Few Thoughts on Cryptographic Engineering. Matthew Green is a cryptographer and professor at Johns Hopkins University who has designed and analyzed cryptographic systems used in wireless networks, payment systems and digital content protection platforms.

On Wednesday, Motherboard posted a court document filed in a prosecution against a Silk Road 2.0 user indicating that the user had been de-anonymized on the Tor network thanks to research conducted by a "university-based research institute."

As Motherboard pointed out, the timing of this research lines up with an active attack on the Tor network that was discovered and publicized in July 2014. Moreover, the details of that attack were eerily similar to the abstract of a (withdrawn) BlackHat presentation submitted by two researchers at the CERT division of Carnegie Mellon University (CMU).
