Posts with tag security
Somebody plug that hole before we drown
Apple’s mobile platform is under fire once again today, after security researcher Andreas Kurtz revealed that iOS 7 leaves users’ email attachments unencrypted, potentially allowing anyone who can get at the device’s file system to grab any attachment sent or received by an iPhone, iPad, or iPod touch running iOS 7.0.4 or newer. The finding was reported today by ZDNet.
Kurtz’s screenshot shows that to read an attachment, all anyone needs to do is navigate to the hidden “Mail” folder on the device, where the attachments sit in the clear, ready for anyone to open, even though iOS data protection is supposed to cover Mail data at rest. Apple has confirmed that the issue exists but has yet to say when it will be patched. Apple regularly issues security updates to its platforms, and one can expect that an issue this significant will be fixed well before the introduction of iOS 8, which is expected at this year’s WWDC developer conference. Until then, the practical caveat is that the exposure requires access to the device’s file system, so keeping the device out of other people’s hands is the only mitigation users have.
A day to remember
After the terrorist attack on the 2013 Boston Marathon, many had wondered, even if only in the back of their minds, what tone this year’s Marathon would take. Those who wondered need not have given it a passing negative thought: on Marathon Day 2014, Boston has come together for a magical, wonderful day of celebration. As the city bursts with pride, Boston is running again.
Of course, it should come as no surprise that security this year has been significantly tightened. In an interview today, CBS asked former Boston police commissioner Edward Davis how security was improved following last year’s tragedy. According to Davis, police presence has been greatly increased, with officers both in uniform and undercover watching the crowd for any suspicious activity. Bomb-sniffing dogs are also in heavy use this year, and spectators have been advised to leave their bags at home; bags are technically allowed, but are subject to search at any time.
Though Davis retired from his post as Police Commissioner in 2013, he also responded to a question about the future of security at the Boston Marathon and similar events. Davis believes this level of security is the new normal, barring a significant “change in security needs” in the future. Some have questioned whether security at this year’s Marathon has gone too far, but the safety of runners and spectators should be the first priority at events like this.
At the time of writing, over 16,000 people have crossed the finish line. This year’s winners are Rita Jeptoo in the women’s race, Meb Keflezighi in the men’s race (the first American winner in 31 years), and Ernst Van Dyk in the wheelchair race.
Haverzine is proud to be operated just outside of Boston and offers congratulations and support to everyone running in this year’s Marathon. You’re all Boston Strong!
Image Credit: Associated Press
Security at its finest
The German security team Security Research Labs was able to spoof the Galaxy S5’s fingerprint sensor with a fake fingerprint, and the way Samsung has implemented the feature raises the stakes: the sensor does not just unlock the phone, it also authorizes third-party services. The video, embedded after the break, shows the team unlocking the device with the fake print and then logging into PayPal, which supports the new sensor and is faked out just as easily as the rest of the phone.
Interestingly, Ars Technica reports that this spoofing method does not work against Apple’s Touch ID but does work on the S5. Given that the team acquired the fingerprint simply by photographing a print left on a screen, the attack is easy to replicate, especially when you consider how many smudges a phone screen collects. The lesson for practitioners is the usual one: a fingerprint is something you leave everywhere, not a secret, and any payment authorization gated on it alone is only as strong as the sensor’s ability to tell a real finger from a copy.
The video showing off this spoofing attack is embedded after the break.
Source: Ars Technica
Pause your game
Sony has had some minor issues with security in the not too distant past (hey, is it me, or does that just seem like a candidate for the understatement of the century?), and things look to be heating up once again, as Sony is warning customers of irregular activity on their PlayStation Network accounts. While Sony’s email says there is nothing abnormal about this and makes no mention of it being indicative of a larger issue, it appears that many, many people have received this and similar emails informing them of a mandatory password reset today alone; social networks are abuzz with talk of potentially hijacked accounts.
Sony says that it regularly keeps an eye out for suspicious activity and will “reset passwords of affected accounts to protect consumers and their account information,” so this could be either a glitch in Sony’s system or something far more nefarious. This certainly wouldn’t be the first time the PlayStation Network has been compromised: the 2011 breach took the network offline for weeks and exposed account data for tens of millions of users, and the hacker group LulzSec followed up with further attacks on Sony properties that same year.
All in all, keep an eye out for suspicious activity and for an email from Sony today – who knows, maybe you got hit with this, too. The full email can be found after the break.
Having mined the leaked database themselves
After Adobe was hacked and 38 million accounts were leaked, Facebook is prompting its users to change their password if they used the same login details on Adobe’s website. Other services, such as Soap.com and Diapers.com, have done something similar.
But you may ask: how do these websites know? It appears that Facebook has gotten hold of the 38 million leaked entries and is mining through them, checking which details match its own users. Adobe did not hash the passwords but encrypted them with a single key, so anyone who recovers that key can decrypt every password in the dump. Even so, I’m not entirely sure what to think of companies rolling through the leaks in the name of better security. That said, the notification does serve as a reminder to use a unique password for every website you register on.
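To make the “how do they know?” question concrete, here is an added Python example of how a site can check a leaked credential dump against its own user table without ever holding plaintext itself. It is not code from the original post and not Facebook’s or Adobe’s actual process. It assumes the leaked passwords have already been recovered in plaintext (which, for the Adobe dump, means someone has already undone the single-key encryption) and that the site stores per-user salted PBKDF2 hashes; the users, salts and dump entries below are constructed for the demo.

```python
"""
Added example (not from the original post, and not Facebook's or Adobe's code):
cross-check a leaked (email, password) dump against a site's own user table to
find accounts that reused the same credentials, so they can be forced to reset.
All users and dump entries here are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Set, Tuple

# A sensibly built site stores per-user salted hashes, never plaintext and never
# single-key encryption like Adobe's. Iteration count is kept small so the demo
# runs quickly; production should use a much higher count (or scrypt/argon2).
ITERATIONS = 10_000

UserRecord = Dict[str, bytes]  # {"salt": bytes, "hash": bytes}


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_record(email: str, password: str) -> UserRecord:
    """Create a stored record for a new user: fresh random salt plus the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def find_reused_credentials(
    user_store: Dict[str, UserRecord],
    leaked: Iterable[Tuple[str, str]],
) -> Set[str]:
    """Return the set of e-mails whose leaked password matches their stored hash.

    user_store is keyed by lowercased e-mail. Only dump entries whose e-mail is
    also one of our users are ever hashed, each under that user's own salt, and
    the comparison is constant-time so the check itself does not leak anything.
    """
    at_risk: Set[str] = set()
    for email, leaked_pw in leaked:
        key = email.strip().lower()
        record = user_store.get(key)
        if record is None:
            continue  # not our user; nothing to compare against
        candidate = hash_password(leaked_pw, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            at_risk.add(key)
    return at_risk


def build_demo_store() -> Dict[str, UserRecord]:
    """Constructed user table for the demo (plaintext exists only at sign-up)."""
    signups = {
        "alice@example.com": "correct horse battery staple",
        "bob@example.com": "Summer2013!",
        "carol@example.com": "letmein",
    }
    return {email: make_user_record(email, pw) for email, pw in signups.items()}


# Constructed "dump" in the shape of (email, recovered plaintext password).
LEAKED_CREDENTIALS: List[Tuple[str, str]] = [
    ("Alice@Example.com", "correct horse battery staple"),  # reused: match
    ("bob@example.com", "Winter2013!"),                     # same e-mail, different password
    ("carol@example.com", "letmein"),                       # reused: match
    ("dave@example.com", "password1"),                      # not one of our users
]


def demo() -> Set[str]:
    """Run the cross-check over the constructed store and dump."""
    return find_reused_credentials(build_demo_store(), LEAKED_CREDENTIALS)


if __name__ == "__main__":
    for email in sorted(demo()):
        print(f"force password reset: {email}")
```

Two design points worth noticing. Because every user has a private salt, each leaked pair has to be hashed again under that user’s salt; that is what makes the sweep expensive for the site, and it is also what stops anyone from matching a leak against your table in bulk the way a single shared key or unsalted hash would allow. And the e-mail is normalized before lookup, since dumps rarely agree with your database on letter case or stray whitespace.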
On Macs only
Earlier this year, Google came under fire for storing all of your saved logins where anyone at the keyboard could read them in plain text, and then said it would do nothing about it because, if someone already has access to your machine, it doesn’t matter what security measures are in place.
Enough people complained that Google has reversed course and is actually going to do something about it. In the latest Chromium build, you can set a flag that requires the user to authenticate with their local OS user account before the saved-passwords page will reveal anything. After that, you have one minute to view your passwords before you are locked out and have to re-authenticate. The catch is that this new feature is only available in the Mac OS X builds of Chromium, and there is no word on whether it will make it to other platforms.
Browse with caution
If you’re one of the many iOS users who prefer Google’s excellent Chrome browser on your iOS device, proceed with caution. According to various reports around the web, and confirmed on my own iPad, the latest version of Chrome for iOS, released just this week, has apparently broken the browser’s private browsing (Incognito Mode) functionality.
Any site you visit in Incognito Mode is still saved to your browsing history, exactly as though Incognito Mode were disabled. Though the browser looks as though it is functioning properly, displaying the proper Incognito Mode browser skin, all of your data still goes straight into your history for you and your loved ones to look through, criticize, blackmail, or humiliate you with.
Until Google ships a fix for this flaw, we’d recommend sticking with Apple’s own Safari browser if private browsing matters to you, and clearing Chrome’s history for any sessions you thought were private, since what has already been recorded will not go away on its own. We won’t judge.
Meet the Hand of Thief
You Linux users finally have something to worry about: while server-oriented Linux malware has existed for some time, you now have to worry about your desktop, too. Yes, there is finally malware for desktop Linux, and it’s called Hand of Thief. Its authors claim it was tested across 15 distributions (including Ubuntu, Fedora, and Debian) and 8 desktop environments.
At its simplest, the trojan is a form grabber: it lifts your banking credentials out of HTTP and HTTPS sessions in Chrome, Firefox, Chromium, and Iceweasel from inside the browser, before they are encrypted on the wire, so TLS offers no protection. It also monitors your network activity and blocks certain websites from being reached, and it installs a backdoor on your machine. Finally, it includes anti-virtualization and anti-research checks, so it will not run inside a virtual machine, and it interferes with anti-virus software.
RSA reports that the trojan and its command-and-control panel are being sold for about $2,000, around the same price Windows banking trojans fetch on the underground market.
They can even be read in plaintext
Security people, take note: you can get all saved passwords out of Google Chrome from the browser itself, and the Show button beside each entry reveals the password in plain text. All you have to do is go to
So what if you have some mischievous friends over? They can copy your Facebook password, log in as you on their own computer, and wreak some havoc. Okay, that’s annoying, but what if your computer gets stolen? People often save things like their bank logins in their browser’s autofill; all the bad guys have to do is open that Chrome address and, oh look, they have your bank account password in plain text.
What’s even worse is that Justin Schuh, head of Chrome security, has said this is something that will never be fixed, his reasoning being that if an attacker already has access to your logged-in account, the browser cannot protect anything anyway. On one hand, this is true: the saved passwords are guarded by your OS login and nothing more, so the real controls are a lock screen, separate OS accounts for anyone else who uses the machine, and full-disk encryption against theft. On the other hand, it should not be this easy to steal someone’s password.