Apple Security Updates and Spoofing and Heartbleed …oh my. These are your weeks top security stories:
In a blast from the past security story, Aol email users have been suffering from spoofed accounts. Spoofed emails are pesky messages, in this case containing malicious links, that had their FROM field changed to make it look like it’s coming from the victim, but are just coming from the spammer/spoofer’s account, sent from their server. If there are bounce-backs from emails you didn’t send out, you’ve most likely been spoofed. Once your account has been spoofed, there’s not a whole lot you can do.
In response, Aol has changed its policy “to help mail providers reject email messages sent using forged Aol mail addresses,” their blog explains. With the change, both Aol Mail and other providers will reject spoofed emails before they ever get delivered. This will hopefully fix the issue, but there are some who believe this may not just be a spoofing issue: Blogger Brian Alvey wrote that he believes it may be the cause of an exploit in Aol’s webmail system, but Aol has yet to make a real comment on the incident.
Twitter has been filled with all the expected jokes about the antiquated email provider (just take a peek at the hashtag #AOLHacked). Until the issue is fully fixed, you’re advised to (as always) be leery of suspicious emails and links.
Read about Aol’s new DMARC policy here.
Critical Security Fixes from Apple for OS X & iOS
Apple released numerous fixes for iOS and OS X Lion (10.7+), Mountain Lion (10.8+) & Mavericks (10.9+) on Tuesday, an update that addresses several security issues among more general bug fixes.
For iOS, iPhone and iPad users can update to 7.1.1. The update includes a keyboard responsiveness fix, repairs an issue with Bluetooth and VoiceOver, as well as several smaller security fixes. For iPhone 5S users, the update also includes an improvement to the Touch ID sensor. The OS X update fixes several issues, including an issue that could cause the search and address field to load a webpage before you hit “enter,” improves credit card auto-fill compatibility on sites, strengthens Safari sandboxing, and fixes Safari security issues recently found in various competitions.
Apple also released a patch for AirPort Base Station, the only one of their products that was affected by the Heartbleed bug. The vulnerability would allow an attacker in a privileged network position to get information from process memory. If you haven’t updated, now would be an opportune time.
Read the full bulletin at Apple here.
Last week we wrote about the anti-virus app that had taken Android users for a whirl after it was discovered the app did absolutely nothing in the way of phone protection.
Now, Google is making good on their slip-up by offering all the users that had purchased the app not only a refund for the app but also an additional $5 Google Play store credit. In an email sent to Android users that had shelled out $3.99 for Virus Shield, the company apologized for their mistake and assured customers that they’re “always working to make Google Play better for our users.”
Read more here.
The National Institute of Standards & Technology has officially made the decision to abandon the Duel Elliptic Curve Deterministic Random Bit Generator (DUAL_EC_DRBG). It’s a decision following revelations in December that the NSA had reportedly paid RSA, the creator of the algorithm, $10 million to implement an algorithm in their products that they knew to be flawed and that contained a back door that allowed the NSA to eavesdrop.
However, the algorithm was first found to be flawed in 2007, when Bruce Schneier said it “contains a weakness that can only be described as a back door.” After the public pressure ramped up following Snowen’s leak, the organization has finally removed Dual_EC_DRBG from its list of approved algorithms.
Read the NISTs statement here.
We recently wrote about an issue in WhatsApp’s location sharing feature that would allow for MitM attacks and interception for listening. This week, the same team that discovered that issue, the UNH Cyber Forensics Group, found a similar flaw in Viber, another popular messenger. The team found a critical flaw in the way the app receives images, video and ‘doodles’ and in the way it sends and receives location data. The researchers said they told Viber about the issue but failed to get a response.
Continue reading here.
Android users have collectively downloaded at least 150 million apps that may be susceptible to the Heartbleed bug, researchers at FireEye have found. They also reported that out of 17 apps claiming to scan for the bug, six are flawed in their scanning methods. Though most versions of the Android platform don’t use OpenSSL, many apps do.
The researchers found that most of the vulnerable apps are games, which don’t contain as much valuable information for hackers exploiting Heartbleed as other apps. Regardless, with many game users signing in with Facebook or Twitter, those accounts could also be at risk. Luckily, developers have taken Heartbleed to, well, heart, and many have already pushed out updates to repair the issue.
Continue reading here.
There’s a first for everything. On April 15th, a 19-year-old Computer Science student from Canada was arrested for charges that involve a malicious breach of data from the Canada Revenue Agency site, a feat he accomplished by exploiting the OpenSSL vulnerability. His arrest followed the discovery that the social security numbers of 900 Canadians was stolen, causing the Agency to shut down the site for nearly a week. Read more at Ars Technica.
Tons of tools have popped up, claiming to detect the bug, but how many actually can? Consultancy firm Hut3 is saying that a wide majority of the most popular tools are at least partially flawed in finding Heartbleed, an issue that could cause major issues down the line. Read more at The Guardian.
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.