Meetup Vulnerabilities: Escalation of Privilege and Redirection of Funds

Top 5 in Security: Your Weekly Update

The security industry took a massive hit this week with the Heartbleed bug, and while it took most of the focus, there’s some notable news that you may have missed. Here are your top 5 security stories of the week:

Heartbleed Bug Wreaks Havoc On The Internet

The Heartbleed bug has taken the internet by storm since it was first discovered by researchers earlier this week, and for good reason. A two-year old vulnerability in the Web’s most popular OpenSSL encryption software, Heartbleed affects some two-thirds of the internet with an estimated 17% of SSL web servers using trusted certificates affected.

Heartbleed has widespread implications and repercussions for the internet. Besides the possible theft of quite a bit of data by malicious hackers, there is now speculation that the NSA could have discovered the vulnerability long before the rest of us, allowing them to peek in on up to two-thirds of the Web.

If you’re running OpenSSL 1.0.1 through 1.0, you’re highly advised to update to the patched version, 1.0.1g as soon as possible. If you’re an administrator running VMs in the cloud, you’re advised to run source code analysis on your code to ensure it’s safe from Heartbleed.

Read more about the Heartbleed bug and how to avoid it here, and check to see which of your sites require a password change here

Totally Fake, PAID, Antivirus App Downloaded 10,000+ Times On Google Play

It’s a rarity when people are willing to pay for any app – especially anything over the .99¢ price tag, so the fact that 10,000 people paid $3.99 for an app that literally does nothing is especially intriguing. When Android Police published their take-down on the fake app, Virus Shield was listed at #1 in the Google Play Store with a 4.7 star rating, just having been available for little more than a week.

Virus Shield simply looked legitimate, claiming to “protect you and your personal information from harmful viruses, malware and spyware,” but in fact did nothing. Or rather, the only thing it did was change a red X icon within the app to a red checkmark icon, supposedly showing the user was being protected. When investigators tracked the creator down, it turns out he’s a well-known scammer already banned from gaming forums for trying to defraud people.   The app had earned its creator upwards of $40,000, but has since been taken down from Google Play.

There is an upside to this sad story, though: At least 10,000 people cared enough about their personal mobile security to pay a good amount for a supposedly premium antivirus app. Its clear people are willing to pay for premium security products, a sign that people are finally starting to take their personal security and privacy more seriously.

Read more about Virus Shield here. 

Computer Science Student Flies For Free – Courtesy of Apple Passbook Hack

Anthony Hamilton, an 18 year old Greek student studying at the University of Crete has apparently found a way to create fake boarding passes designed for Apple’s Passbook. He’ll be presenting his discovery at the upcoming Hack in the Box conference in late May.

In his presentation abstract, Hamilton describes how you can “generate a boarding pass, get through all the security airport checks and eventually ending up on your first class seat to the destination of your choice” using just a computer and your iPhone – and a little social engineering.

Hamilton claims his exploit allows users to bypass the security protocols used to check tickets and created his own tickets using Java and CSS in a web browser. He was able to then send the ticket to his iPhone using the same interface a developer would use to send a coupon or ticket to Passbook. Disclaimer: He’s never confirmed or denied whether he’s actually used the exploit himself, so it’s still to be seen whether this would work or not.

Read more about the Passbook Hack here.

Critical Patches for Adobe & Microsoft; XP Officially Dead

Microsoft and Adobe both released patches for critical security issues on the latest Patch Tuesday. For Microsoft, the updates include a patch for the exploitable Zero-Day vulnerability found in Microsoft Word last month, a cumulative update for Internet Explorer as well as the final patch for systems running Windows XP.

Any users, especially organizations, still running systems on XP have been advised to make the switch to Windows 8, and Microsoft offers a free data transfer tool for a hassle-free upgrade.  From Microsoft’s blog:

“Cybercriminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues.  Over time, attackers will evolve their malicious software and phishing attacks to take advantage of any  newly discovered vulnerabilities in Windows XP, which will no longer be fixed.”

Adobe also released a scheduled patch update for the Flash Player and Adobe AIR. The Flash patch was released to address four remote code execution flaws in the player for Windows, OS X and Linux systems, and the AIR patch was released for Android, Windows and Mac. All users are advised to update to the latest version.

Read more about Patch Tuesday here.

Germany Hit By Epic Data Breach, 18 Million Affected

For the second time in 2014 already, Germany has been hit by a data breach, this one possibly their worst ever. Officials in the city of Verden announced a breach where up to 18 million email addresses and passwords were most likely stolen, though only three million users are thought to be in Germany. The BSI, the country’s Federal Office for Information Security, is now involved, advising anyone thought to be a victim to run anti-malware on their systems.

The theft was discovered during an investigation into a spam botnet using stolen email addresses. Germany has a law requiring explicit permission for contact by email, so affected users won’t be notified directly and instead must visit a “safety test” site set up by the country that checks to see whether an account has been compromised.  

Germany was first rocked by a breach in late January, when 16 million internet users were at risk of having various accounts compromise by hackers using malware.

Read more about the massive breach here

Jump to Category