SSL encryption was the name of the security game this week, with major vulnerabilities (now fixed) facing both iOS and WhatsApp users, and Neiman Marcus released a new analysis of its recent breach, which suggests that someone was NOT paying attention. Catch up on all of last week’s stories before RSA USA takes over your life!
A very serious encryption issue in iOS has been patched in versions 7.0.6 and 6.1.6, and all iOS users are advised to update their devices as soon as possible to prevent a man-in-the-middle attack that could capture and modify data sent to and from one’s phone. Apple has been decidedly hush-hush about where the flaw was found, but Hacker News users quickly pinpointed it as a stray line of code in Apple’s open source SSL/TLS code.
The man-in-the-middle attack could happen when both the attacker and the victim were on the same network (wired or wireless). A flaw in the server authentication check would allow the attacker to bypass SSL/TLS verification and impersonate a protected site while private messages, financial information, etc. are exchanged between the real site and the victim.
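As an added illustration (not Apple’s code and not from the original post), here is the shape of that stray line: a duplicated, unconditional `goto fail;` in the server key-exchange signature check, shown beside the corrected form. The step names are hypothetical stand-ins for the real handshake helpers.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the handshake steps (hypothetical names).
 * Each returns 0 on success, non-zero on failure. */
static int hash_update(bool hash_ok)     { return hash_ok ? 0 : -1; }
static int verify_signature(bool sig_ok) { return sig_ok ? 0 : -1; }

/* Vulnerable shape: the second "goto fail;" is not guarded by the if above it,
 * so control always jumps to fail with err still 0 from the previous step and
 * verify_signature() is never called. A forged signature is accepted. */
int verify_key_exchange_vulnerable(bool hash_ok, bool sig_ok)
{
    int err;
    if ((err = hash_update(hash_ok)) != 0)
        goto fail;
        goto fail;   /* the stray line: unconditional, skips the check below */
    if ((err = verify_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;      /* 0 means the handshake is accepted */
}

/* Fixed shape: exactly one goto per check, so the signature is verified. */
int verify_key_exchange_fixed(bool hash_ok, bool sig_ok)
{
    int err;
    if ((err = hash_update(hash_ok)) != 0)
        goto fail;
    if ((err = verify_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    /* Forged signature: the hash step passes, the signature step should fail. */
    printf("vulnerable accepts forged signature: %s\n",
           verify_key_exchange_vulnerable(true, false) == 0 ? "yes" : "no");
    printf("fixed accepts forged signature:      %s\n",
           verify_key_exchange_fixed(true, false) == 0 ? "yes" : "no");
    return 0;
}
```

Compilers only flag the dead `if` with warnings such as unreachable-code or misleading-indentation checks, which is why the bug survived review; enabling those warnings as errors is the cheap defensive lesson here.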
The same issue also affects OS X, but a patch for Mac is still to come. For now, CrowdStrike advised, update your iDevices and systems and avoid unprotected networks until you do so. If you’re using a Mac, use only trusted networks and turn off the “Ask to join networks” setting until an update for OS X has been released.
As Cryptography professor and blogger Matthew Green tweeted:
Ok, I know what the Apple bug is. And it is bad. Really bad.
— Matthew Green (@matthew_d_green) February 21, 2014
Get all the info on the Apple Update here.
The purchase heard ‘round the world comes with some serious security baggage. WhatsApp, the cross-platform mobile messaging app, bought by Facebook last week for $19 billion, has apparently been found to have some serious SSL vulnerabilities.
Praetorian, the security firm that wrote about WhatsApp’s security flaws, noted that “within minutes” of starting their security audit, the group had already “picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers.” One of the issues involves an outdated implementation of SSL encryption, a weakness well known to allow man-in-the-middle attacks, in which an attacker can monitor communications between two users and possibly manipulate them. Another issue involves WhatsApp’s failure to implement certificate pinning, a technique created to block attacks that use fake certificates.
Praetorian security researcher Paul Jauregui called the findings “the kind of stuff the NSA would love.” WhatsApp has already fixed the majority of the issues, which were not difficult fixes in the first place.
Read Praetorian’s blog post on the WhatsApp flaws here.
Hackers going through Neiman Marcus Group’s POS systems set off alerts nearly 60,000 times over a period of three and a half months, according to a new internal company analysis of the breach that began in late 2013. The abnormal behavior of the hackers’ malicious software was flagged by the retailer’s systems but may have been interpreted as false positives and ignored.
Alerts went off whenever the hackers’ card-stealing software was automatically deleted each day. Using the connection between Neiman Marcus’s POS system and its transaction processing computer, the attackers were able to reload their software quickly after it was removed on a daily basis.
The hackers spent a total of 8 months inside the systems, four of them just scouting out the network and getting ready for the ‘main event’. Interestingly enough, the report also noted that the originally reported number of customer credit cards exposed in the breach was three times the actual number, going from an estimate of 1.1 million to less than 350,000. Neiman Marcus was also found to be in compliance with PCI standards, the report said.
Lots of unanswered questions remain about how exactly the hackers got in, since the available data was apparently insufficient for the report, so this won’t be the last we hear about Neiman Marcus.
Read all about the new report on the Neiman Marcus breach here.
The dating app that’s popular from Antarctica to Sochi was giving way too much away about its users, and way too early in the ‘relationship’. A major security flaw in the app’s API allowed users to track other Tinder users’ locations. Max Veytsman, a researcher at Toronto’s Include Security, found the vulnerability, claiming that he was able to find the exact location of any Tinder user with an accuracy of up to 100 feet.
Using simple trigonometry, he found that if you know the city a user lives in, you can create three fake accounts to sniff out the user’s position by telling the API you’re at three fake locations close to him or her. Veytsman even created his own app, TinderFinder, to figure out user locations even more easily, though the app was never released, for obvious privacy and security reasons.
Read Veytsman’s write-up of his find here.
Yet another zero-day flaw was discovered in Adobe Flash, prompting Adobe to issue its second emergency patch in a month. The security company FireEye uncovered the CVE-2014-0502 vulnerability, which could allow attackers to control infected systems remotely through arbitrary code execution. The flaw has been nicknamed “Operation Greedywonk.”
All versions of Adobe Flash 22.214.171.124 and earlier for Windows and Mac, and versions 126.96.36.1996 and earlier for Linux, need to be updated to fix this vulnerability.
Read the Security Bulletin here.
Whether or not you’ll be at RSA USA this week, you can follow everything that’s going on at the conference on our constantly updated site, LiveSec.net! Following last year’s overwhelming success, we’re excited to once again keep you updated with breaking news, product launches, top speakers & sessions, press coverage, best parties, awesome giveaways and more.
Join our online raffle for your chance to win a basket of RSA 2014 vendor giveaways shipped to your door. Bookmark it now and check back often – all this week!
And if you’re at the conference, be sure to stop by the Checkmarx Booth #3541 for our master mentalist to read your mind and some sweet giveaways.