Top 5 in Security: Weekly Update

Mar 30, 2014 By Sarah Vonnegut

From snooping drones and leaky apps to more hijack-able connected devices, these are your week’s top 5 security stories. 

6 Months Later, Angry Birds Still Spilling Personal Info

Rovio, the gaming company behind the mobile hit Angry Birds, has apparently continued its relationship with the ad platform believed to have been hacked into repeatedly by the British intelligence agency. Worse still, the company continues to collect and share personal information with various third-party advertising services. 

Security researchers at FireEye found that the Android app continues to collect a massive amount of personal data about players who sign up for the app, including birthday, email, gender, name and country, before pairing it with the customer ID and storing it on the user’s phone. The researchers also discovered that the app sends most of that data in plaintext. Even if a player opts out of signing up, the game still collects and sends plenty of information about the device.

Read more about the still-rogue app here.

‘Snoopy’: The Smartphone-Hacking Drone

We’re already painfully aware of the damage drones can do – but did you know they’re now being used to hack us? Security researchers have developed a new device that can access someone’s Wi-Fi network as well as radio-frequency and Bluetooth signals. And pairing the device with a drone makes for nothing short of a security nightmare.

Once it has accessed the victim’s Wi-Fi network, the device can remotely capture anything the user does on the phone – including login credentials, credit card info, private messages, personal info and more. Using the drone’s GPS, Snoopy can then track the victim and maintain contact while he or she is out and about. The researchers have already used their device to track over 40,000 unique devices in a 14-hour window.

Snoopy in Action:

Read more about Snoopy here.

Microsoft Word Zero-Day Vulnerability Discovered in the Wild

A nasty vulnerability that would make it possible for an attacker to remotely take control of another computer has been discovered in limited, targeted attacks. Microsoft released an advisory announcing that the exploit, cataloged as CVE-2014-1761, was possible in the last 4 versions of Word for Windows, in Microsoft Office for Mac 2011 and multiple versions of the Microsoft SharePoint server.

The advisory warned that “the vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word or previews or opens a specially crafted RTF e-mail message in Microsoft Outlook while using Microsoft Word as the e-mail viewer.”

Microsoft has released a temporary fix for users, which you can find here. Read Microsoft’s Security Advisory here.

Philips Smart TV Vulnerable to Hijack

Another ‘Internet of Things’ vulnerability hit the news this week, and this time it’s serious: our smart TVs are now at risk!

Philips Smart televisions that have enabled the Miracast Wi-Fi access point feature are vulnerable to browser cookie theft and more, security researchers from ReVuln wrote this week. A new firmware update allows hackers to access Miracast Wi-Fi networks in their range and steal an array of information and authentication data, from cookies for valid Gmail accounts to pictures, videos, and other data stored on connected USB drives. Philips has not yet released a fix for the issue.

Watch ReVuln’s Proof of Concept here.

Know Which Sites & Services Use Two-Factor Authentication

A new site dedicated to showing which online services offer users the option of two-factor authentication has been created. Josh Davis, a software engineer and computer science student at Iowa State, built the site after a recent case of Twitter-handle hijacking accomplished through a mix of social engineering and domain theft. He did a Google search for sites that used two-factor authentication and was annoyed at how little he found.

The site lists services by industry and color-codes which two-factor methods – if any – each service offers. An added bonus is being able to Tweet at a company through the site, asking it to add better authentication.

Check out Davis’ site here and read his blog post about it here.

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
