Rovio, the gaming company behind the mobile hit Angry Birds, has apparently continued its relationship with the ad platform believed to have been hacked into repeatedly by the British intelligence agency. Worse still, the company continues to collect and share personal information with various third-party advertising services.
Security researchers at FireEye found that the Android app continues to collect a massive amount of personal data about players who sign up to the app, including birthday, email, gender, name and country, before pairing it with the customer ID and storing it on the user’s phone. The researchers also discovered that the app sends most of that data in plain text. Even if a player opts out of signing up, the game still collects and sends plenty of information about the device.
Read more about the still-rogue app here.
We’re already painfully aware of the damage drones can do – but did you know they’re now being used to hack us? Security researchers have developed a new device that can access both someone’s Wi-Fi network as well as signals based on radio frequency and Bluetooth. And pairing the device with a drone makes for nothing short of a security nightmare.
Once it has accessed the victim’s Wi-Fi network, the device can remotely capture anything the user does on the phone, including login credentials, credit card info, private messages, personal info and more. Using GPS on the drone, Snoopy can then track the victim and maintain contact while he or she is out and about. The researchers have already used their device to track over 40,000 unique devices in a 14-hour window.
Read more about Snoopy here.
A nasty vulnerability that would make it possible for an attacker to remotely take control of another computer has been discovered in limited, targeted attacks. Microsoft released an advisory announcing that the exploit, cataloged as CVE-2014-1761, was possible in the last 4 versions of Word for Windows, in Microsoft Office for Mac 2011 and multiple versions of the Microsoft SharePoint server.
The advisory warned that “the vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word or previews or opens a specially crafted RTF e-mail message in Microsoft Outlook while using Microsoft Word as the e-mail viewer.”
Another ‘Internet of Things’ vulnerability hit the news this week, and this time it’s serious: our smart TVs are now at risk!
Philips Smart televisions that have enabled the Miracast Wi-Fi access point feature are vulnerable to browser cookie theft and more, security researchers from ReVuln wrote this week. A new firmware update allows hackers to access Miracast Wi-Fi networks in their range and steal an array of information and authentications, from cookies for valid Gmail accounts to pictures, videos, and other data stored on connected USBs. Philips has not yet released a fix for the issue.
Watch ReVuln’s Proof of Concept here.
A new site dedicated to showing which online services offer users the option of two-factor authentication has been created. Josh Davis, a software engineer and computer science student at Iowa State, built the site after a recent case of Twitter-handle hijacking accomplished through a mix of social engineering and domain theft. He did a Google search for sites that used two-factor authentication and was annoyed at how little he found.
The site lists services by industry and color-codes which two-factor authentication methods, if any, each one employs. An added bonus is being able to Tweet at a company through the site, asking it to add better authentication.