Gmail users on iOS at risk of data interception

July 11, 2014 – 7:22 AM

Apple users accessing Gmail on mobile devices could be at risk of having their data intercepted, a mobile security company said Thursday.

The reason is that Google has not yet implemented a security technology that would prevent attackers from viewing and modifying encrypted communications exchanged with the Web giant, wrote Avi Bashan, chief information security officer for Lacoon Mobile Security, based in Israel and the U.S.

Websites use digital certificates to encrypt data traffic using the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols. But in some instances, those certificates can be spoofed by attackers, allowing them to observe and decrypt the traffic.

That threat can be eliminated through certificate “pinning,” which involves hard coding the details for the legitimate digital certificate into an application.

Unlike for Android, Google doesn’t do this for iOS, which means an attacker could execute a man-in-the-middle attack and read encrypted communications, Bashan wrote. Google acknowledged the problem after being notified by Lacoon on Feb. 24, but the problem has not been fixed, he wrote.
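
The pinning check described above, as an added Python example (not Google's or Lacoon's code): the application ships the SHA-256 fingerprints of the certificates it expects and drops any connection whose certificate matches none of them, even when a certificate authority vouches for it. The certificate bytes are constructed stand-ins, and every function name here is hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
LEGIT_CERT_DER = b"constructed-der-bytes-of-legitimate-leaf"
SPOOFED_CERT_DER = b"constructed-der-bytes-of-attacker-leaf"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


# Pins hard-coded into the application: the current certificate plus a
# backup, so a planned rotation does not lock every client out.
PINNED = frozenset({
    fingerprint(LEGIT_CERT_DER),
    fingerprint(b"constructed-der-bytes-of-backup-leaf"),
})


class PinMismatch(Exception):
    """The certificate passed CA validation but is not one we pinned."""


def matches_pin(cert_der: bytes, pins=PINNED) -> bool:
    seen = fingerprint(cert_der)
    # Compare against every pin in constant time, then combine the results.
    results = [hmac.compare_digest(seen, pin) for pin in pins]
    return any(results)


def open_pinned(host: str, port: int = 443, pins=PINNED) -> ssl.SSLSocket:
    """Connect with normal CA and hostname validation, then enforce the pin
    before any application data is sent."""
    ctx = ssl.create_default_context()  # pinning adds to CA checks, not replaces
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not matches_pin(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise PinMismatch(f"certificate for {host} does not match any pin")
    return tls
```
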

Source:
http://www.pcadvisor.co.uk/news/security/3530133/gmail-users-on-ios-at-risk-of-data-interception/?olo=rss

“Weaponized” exploit can steal sensitive user data on eBay, Tumblr, et al.

July 8, 2014 – 4:22 PM

A serious attack involving a widely used Web communication format is exposing millions of end users’ authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday.

The exploit—which stems from the ease of embedding malicious commands into Adobe Flash files before they’re executed—has been largely mitigated by a Flash security update Adobe released Tuesday morning to coincide with a technical analysis of the threat, including proof-of-concept exploit code. It will take days or weeks for a meaningful percentage of end users to install the fix, so the researcher who wrote the advisory is warning engineers at large websites to make server-side changes that will minimize the damage attackers can inflict on visitors. eBay, Tumblr, Instagram, and Olark are known to be vulnerable to attacks that can intercept authentication cookies or other data they send end users. Until recently, both Twitter and a wide range of Google services were also susceptible to the exploit. The common identifier assigned to the exploit is CVE-2014-4671.

The attack relies on behavior that has existed for years that allows the binary contents of a common shockwave file—a throwback term for Flash files that’s better known simply as SWF—to be converted into an equivalent file based solely on alphanumeric characters. The conversion typically happens to compress a SWF file so it works with websites that use a technique known as JSONP—or JSON with padding—to set browser cookies and perform other tasks.

A new proof-of-concept tool dubbed Rosetta Flash uses a creative combination of encoding algorithms to construct character-only representations of SWF files that contain malicious commands. Among other things, malicious SWF files spawned by the tool can use the visitor’s Flash application to send Web requests that can access authentication cookies and other files set by other websites that use JSONP. This exfiltration works as a result of Flash being able to bypass the Same Origin Policy, which is in place to stop these kinds of cross domain requests. As a result, a malicious website hosting a booby-trapped SWF file could use authentication cookies that were previously set by eBay and other vulnerable sites to make authenticated data requests on behalf of the person visiting the attack site.
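
The server-side changes mentioned above are not listed on this page; the added Python example below (not code from the advisory or from any affected site) shows the ones commonly deployed for this issue on a JSONP endpoint: never let the caller-supplied callback be the first bytes of the response, cap and validate it, and send headers that stop the response being treated as anything but script. The callback value is a constructed stand-in, and the function names and length limit are assumptions.

```python
import json
import re

# File signatures for uncompressed, zlib- and LZMA-compressed SWF files.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# Dotted JavaScript identifier, ASCII only.
CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*", re.ASCII)
MAX_CALLBACK_LEN = 64  # assumed limit; real callback names are short


def starts_like_swf(body: bytes) -> bool:
    """True if a response body begins with a SWF file signature."""
    return body[:3] in SWF_MAGIC


def naive_jsonp(callback: str, data) -> bytes:
    """'Before': the reflected callback is the first thing in the body."""
    return f"{callback}({json.dumps(data)})".encode()


def hardened_jsonp(callback: str, data):
    """'After': returns (headers, body) for a JSONP response."""
    # An alphanumeric-only payload passes the character check, so the
    # length cap and the comment prefix below do the real work.
    if len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.fullmatch(callback):
        raise ValueError("rejected JSONP callback")
    # A leading empty comment is valid JavaScript but means the body can
    # never begin with bytes chosen by the requester.
    body = f"/**/{callback}({json.dumps(data)});".encode()
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="f.txt"',
    }
    return headers, body
```
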

Source:
http://arstechnica.com/security/2014/07/weaponized-exploit-can-steal-user-cookies-on-ebay-tumblr-other-sites/

Windows XP users left high and dry as Oracle ends Java support

July 4, 2014 – 10:10 AM

Windows XP hold-outs, pay attention. If you run the Java runtime on XP, it looks as if the current version is about as good as it gets. The next versions, 7u65 and 8u11, due to ship in the middle of July, will not support or run on XP.

Oracle hasn’t announced this so much as sneaked out the information on its Java support site.

“As of April 8, 2014 Microsoft stopped supporting Windows XP and therefore it is no longer an officially supported platform,” says the text.

Sure enough, checking the operating system list for JDK 7 and JRE 7 certified system configurations, Windows XP is now missing from a list that contains Windows Vista, Windows 7 and Windows 8.

According to Danish security firm Heimdal, which first noticed the issue after being tipped off by partners, XP users will be able to download and install the new version of Java but it won’t load correctly. Oddly, when the firm tried to confirm this with Oracle it got no reply.

Techworld asked Oracle for a comment and was met with a similarly chilly silence. It seems that the firm has made its position as clear as it wants to and that’s the end of the matter.

“Windows XP still accounts for approximately 20 percent of the PCs in use, according to global market data. Of those XP users some 82 percent also use Oracle Java according to our intelligence. This means that millions of PC users, who still run Microsoft XP, are being left in the dark with a piece of software that is known to be very vulnerable,” said Heimdal’s CEO, Morten Kjaersgaard.

Source:
http://news.techworld.com/security/3528860/end-of-road-windows-xp-not-supported-by-new-java-update/

Breaches exposed 1 in 7 US debit cards in 2013

July 3, 2014 – 4:56 AM

Data breaches at retailers and financial services companies exposed 14 percent of all U.S. debit cards in 2013, according to a nationwide survey by a major ATM network operator.

The figure is three times that of 2012 and comes as consumers are using debit cards to make more purchases than ever before.

The survey, conducted by Discover Financial Services’ Pulse ATM network, found that the majority of affected cards were exposed in a single event: the Target data breach that compromised some 70 million customer records in late 2013.

Around 10 percent of all U.S. debit cards were affected in the Target incident, and the majority of financial institutions affected were pushed to reissue cards.

The Target breach will likely encourage a faster switch to so-called “EMV” cards, which contain a microchip rather than a magnetic strip, and require a PIN for authorization rather than a signature.

While EMV is already standard in Europe, U.S. banks and credit unions dragged their feet on the technology, but the Target breach has pushed the industry to a tipping point, said Pulse. Two-thirds of financial institutions plan to begin issuing EMV cards in 2015.

Source:
http://www.pcadvisor.co.uk/news/security/3528524/breaches-exposed-1-in-7-us-debit-cards-in-2013/

Serious Android crypto key theft vulnerability affects 86% of devices

June 28, 2014 – 3:38 PM

Researchers have warned of a vulnerability present on an estimated 86 percent of Android phones that may allow attackers to obtain highly sensitive credentials, including cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices.

The vulnerability resides in the Android KeyStore, a highly sensitive region of the Google-made operating system dedicated to storing cryptographic keys and similar credentials, according to an advisory published this week by IBM security researchers. By exploiting the bug, attackers can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets. The advisory said Google has patched the stack-based buffer overflow only in version 4.4, aka KitKat, of Android. The remaining versions, which according to Google figures run 86.4 percent of devices, have no such fix.

There are several technical hurdles an attacker must overcome to successfully exploit the vulnerability. Android is fortified with modern software protections, including data execution prevention and address space layout randomization, both of which are intended to make it much harder for hackers to execute code when they identify security bugs. Attackers would also have to have an app installed on a vulnerable handset. Still, the vulnerability is serious because it resides in KeyStore, arguably one of the most sensitive resources in the Android OS.

Source:
http://arstechnica.com/security/2014/06/serious-android-crypto-key-theft-vulnerability-affects-86-of-devices/