Posts with tag security

Somebody plug that hole before we drown

Newly published iOS 7 security flaw leaves your email attachments unencrypted




Apple’s mobile platform is under fire once again today, this time after a new revelation has revealed that iOS 7 leaves users’ email attachments unencrypted, potentially allowing enterprising hackers to grab any files sent and received by an iPhone, iPad, or iPod touch running iOS 7.0.4 or newer. The new flaw was revealed today by security researcher Andreas Kurtz and published by ZDNet.

security-flaw-email-attachmentsThe screenshot above shows that to access an attachment, all anyone needs to do is navigate to the “Mail” folder hidden inside an iPhone, where the attachments sit ready for anyone to open. Apple has responded to the discovery of the security issue by confirming that the issue does exist, however the company has yet to confirm when it will be patched. Apple regularly issues security updates to their platforms and one can expect that this pretty significant issue will be fixed well ebfore the introduction of iOS 8, which is expected at this year’s WWDC developer conference.

Via: MacRumors
Source: ZDNet


A day to remember

Boston celebrates on Marathon Day 2014




Boston-Marathon-2014

After the terrorist tragedy of the Boston Marathon in 2013, many had wondered – even if in the back of their heads – what the tone of this year’s Marathon would take. But those who had wondered shouldn’t have even given a passing negative thought – on Marathon Day 2014, Boston has come together for a magical, wonderful day of celebration. As the city is exploding with pride, Boston is running again.

Of course, it should come to no surprise that security this year has been significantly beefed up. In an interview today with former Boston police commissioner Edward Davis, network television station CBS asked about how security was improved this year following last year’s tragedy. According to Davis, police presence has been significantly beefed up, with officers both in uniform and under cover keeping an eye on the crowd for any suspicious activity. Bomb sniffing dogs are also in heavy use this year, and spectators have been advised to leave their bags at home, however bags are technically allowed but subject to search at any time.

Though Davis retired from his post as Police Commissioner in 2013, Davis also responded to a question regarding the future of security at the Boston Marathon and future, similar events. Davis believes that this sort of security measure is the new normal barring any sort of significant “change in security needs” in the future. Some had questioned whether security at this year’s Marathon has gone too far, it must be said that the runners’ and spectators’ safety should be the first priority at these sort of events.

At the time of writing, over 16,000 people have crossed the finish line. This year’s winners include Rita Jeptoo, winner of the woman’s race, Meb Keflezighi, winner of the men’s and the first American winner in 31 years, and Ernst Van Dyk, winner of the wheelchair race.

Haverzine is proud to be operated just outside of Boston and offers congratulations and support to everyone who is running at this year’s Marathon. You’re all Boston Strong!

Image Credit: Associated Press


Security at its finest

Samsung’s new fingerprint scanner easily spoofed




glam_galaxy-s5_groupThat fancy fingerprint scanner in your new Samsung Galaxy S5? Turns out, it’s easily spoofed from nothing more than a photograph of your fingerprint.

A German security team, Security Research Labs, was easily able to spoof the system due to the way it’s implemented in other devices which makes it a higher risk. The video, embedded after the break, not only shows the team gaining access to the device by using a fake fingerprint but it also shows them gaining access to PayPal which also supports the new sensor and is just as easily faked out as the rest of the phone.

Interestingly, Ars Technica reports that this spoofing method doesn’t work against Apple’s Touch ID system but does work on the S5. Given that the team acquired the fingerprint simply by taking a photo of a fingerprint left on a screen, it’s very easy to replicate this attack and gain access to everything, especially when you consider just how many smudges are often left on a phone screen.

The video showing off this spoofing attack is embedded after the break.
Source: Ars Technica


Flaw's been around since July

Whoops: Tinder security flaw gave everyone easy access to your location




tinder-logo

Well, whoops. Let’s hope you aren’t paranoid if you are, or have been in the last year, a Tinder user. According to a new report by security firm IncludeSec, Tinder has left a security flaw open for the greater part of a year that gave hackers super easy access to your smartphone’s location services remotely. While the attack, which is reportedly now patched, required that attackers had already intercepted your Tinder identifier number, such information would have been child’s play to obtain for anyone on the same network with a simple packet sniffer.

The flaw has been around since July, and was only recently patched last month on January 1st – however Tinder reportedly refused to communicate with IncludeSec, who reported the issue to the social networking service that’s disturbingly similar to “hot or not” services that have been around the net for forever.

The lesson here? Never trust an application that requires access to your phone’s location services unless you’re absolutely sure that the development team is able to find and fix these sort of flaws in short notice. Such a security flaw could have easily put you, and any other Tinder user, in danger if the data was put in the wrong hands.

Via: The Verge
Source: IncludeSec


Pause your game

Sony forces PSN password resets after warning users of irregular activity




playstation4-press-console-controller-camSony has been having some minor issues with security in the not too distant past (hey, is it me, or does that just seem like a candidate for the understatement of the century?), and it looks like things are heating up once again as Sony is warning customers of irregular activity on their PlayStation Network accounts. While in the email Sony says there’s nothing abnormal about this and makes no mention of this being representative to a larger issue, it appears that many, many people have received this and similar issues informing customers of a mandatory password today alone; social networking is abuzz with talk of potentially hijacked accounts.

Sony claims that they regularly keep an eye out for suspicious activity and “reset passwords of affected accounts to protect consumers and their account information,” so this could potentially be either a glitch in Sony’s system or something far more nefarious. This certainly wouldn’t be the first time Sony’s had issues with the PlayStation Network being hijacked – the hacker group formally known as LulzSec caused quite a stir in 2011 when they stole information from and took down access to PlayStation Network for a considerable length of time.

All in all, keep an eye out for suspicious activity and for an email from Sony today – who knows, maybe you got hit with this, too. The full email can be found after the break.


Having mined the leaked database themselves

Facebook prompts you to change your password after Adobe hack




fbadobeAfter Adobe got hacked and 38 million accounts were leaked, Facebook is prompting its users to change their password if they used the same login details on Adobe’s website. Other services like Soap.com and Diapers.com have also done something similar.

But you may ask, how do these websites know? It appears that Facebook has gotten ahold of these 38 million entries and is mining through all of them, checking to see which details match with their own set of IDs. Despite the fact that Adobe used a single encryption key, thus allowing anyone who calculates it access to every password, I’m not entirely sure what to think of companies rolling through the leaks in the name of better security. That said, this notification does serve as a reminder to use a unique password for every website you register on.

Source: Krebson Security
Via: Engadget


On Macs only

Chrome locks down its password page




chrome-pwEarlier this year, Google came under fire for storing all of your logon details in a place where anyone could have at them and then said they would do nothing about it because if you had physical access to someone’s machine, it doesn’t matter what security measures are in place.

Enough people have complained about that where Google has turned back and is actually going to do something about it. In the latest Chromium build, you can set a flag that requires the user to authenticate with their local user account before allowing access into the password page. Then, you have one minute to get your passwords before you’re kicked out and have to re-authenticate. The only thing is, this new feature is only available in Mac OS X builds of Chromium and there is no word if it would make it to other platforms.

Source / Image Credit: François Beaufort (Google+)
Via: Engadget


Browse with caution

PSA: New Google Chrome update for iOS broke Incognito Mode




chrome-logo-1301044215If you’re one of the many iOS users who prefer using Google’s excellent Chrome browser on your iOS device, proceed with caution. According to various reports around the web and confirmed with my own iPad, Google’s latest version of Google Chrome, which was released just this week, has seemingly accidentally broken the browser’s private browsing Incognito Mode functionality.

Any site you visit while operating under Incognito Mode will still be saved to your browsing history, exactly as though Incognito Mode was disabled. Though the browser looks as though it’s functioning properly, displaying the proper Incognito Mode browser skin, all of your data will still go straight into your history for you and your love ones to look through, criticize, black mail, or humiliate you with.

Until Google offers a fix for this security flaw, we’d recommend sticking with Apple’s own Safari browser if private browsing is a big enough necessity to you. We won’t judge.

Via: 9to5Mac


Don't trust the untrustworthy

Introducing “iMessage for Android”, a security disaster waiting to happen




Screen Shot 2013-09-24 at 11.07.21 AM

If it sounds too good to be true, it more than likely is – especially when it comes to something as promising sounding as “iMessage for Android”, a new app that has just hit the Google Play Store that promises to allow Android users to interact with their iOS-wielding friends over iMessage, just as though they were running an officially sanctioned Apple product.

Unfortunately, the application appears to be absolutely riddled with potential security concerns – it is, essentially, a security disaster just waiting to happen. The app looks pretty enough – it’s got a fairly faithful iOS (6) style UI, it appears to be at the very least functional, and it even supports emojis! What’s to hate?

Well, a lot, unfortunately. Early reports indicate that the app appears to work as a sort of rootkit for your Android phone, with permission to install other APKs onto your phone without your knowledge, silently in the background. What’s more, it appears as though there are some concerns that the application could be sending your Apple ID login details to these anonymous developers, giving them access to your credit card information, name, address, and more.


Meet the Hand of Thief

Desktop Linux finally gets a piece of malware




handofthiefYou Linux users finally have something to worry about: While server-oriented bits of malware for Linux has existed for some time, you now have to worry about your desktop getting some malware. Yes, there’s finally malware for desktop Linux and it’s called Hand of Thief. The authors claim it was tested across 15 different distros (including Ubuntu, Fedora and Debian) and 8 different desktop environments.

The trojan at its simplest form is a swiping program that steals your banking info from HTTP and HTTPS sessions and can work with Chrome, Firefox, Chromium, and IceWeasel. It will also monitor your network activity and block certain websites from being reached, as well as install a backdoor on your computer. Finally, the trojan will also prevent you from running any virtual machines or antivirus software.

The RSA states that this trojan and its command center are being sold for about $2,000 which is around the same price that Windows trojans sell for on the underground black market.

Source: RSA
Via: Engadget, ZDNet


They can even be read in plaintext

Chrome stores all your passwords in a place anyone can get to them




chromepass
Security people, take note: You can get all saved passwords in Google Chrome from the browser itself – and do you see that Show button up there? If you click that, you can see your password in plain text. All you have to do is go to chrome://settings/passwords.

So what if you have some mischievous friends over? They can copy your Facebook password, log in as you on their computer and wreak some havoc. Okay, that’s annoying, but what if your computer gets stolen? People often save things like their bank info in their auto-login systems; all the bad guys have to do is go to that Chrome address and – oh look, we have your bank account password in plain text!

What’s even worse is that Justin Schuch, head of Chrome Security, said that this is something that will never be fixed; his reasoning being that if you already have access to someone’s computer, you’re out of luck. On one hand, this is true but on the other hand, it should not be this easy to steal someone’s password.

Source: Elliott Kember, Hacker News
Via: Engadget