Spyware, Viruses, & Security forum

NEWS - April 15, 2014

by Carol~ Forum moderator / April 15, 2014 1:43 AM PDT
So Far, So Good for TrueCrypt: Initial Audit Phase Turns Up No Backdoors

An initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase.

A report on the first phase of the audit was released today by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

TrueCrypt is praised as not only free and open source encryption software, but also that it's easy to install, configure and use. Given that it has been downloaded upwards of 30 million times, it stood to reason that it could be a prime target for manipulation by intelligence agencies that have been accused of subverting other widely used software packages, commercial and open source.

Continued : http://threatpost.com/so-far-so-good-for-truecrypt-initial-audit-phase-turns-up-no-backdoors/105433

Related:
TrueCrypt audit finds "no evidence of backdoors" or malicious code
TrueCrypt source code audit finds no critical flaws or intentional backdoors
First phase of TrueCrypt audit finds no backdoors
Heartbleed makes 50m Android phones vulnerable, data shows
by Carol~ Forum moderator / April 15, 2014 1:48 AM PDT
In reply to: NEWS - April 15, 2014

"Devices running Android 4.1.1 could be exploited by 'reverse Heartbleed' to yield user data - including 4m in US alone"

At least 4m Android smartphones in the US, and tens of millions worldwide, could be exploited by a version of the "Heartbleed" security flaw, data provided to the Guardian shows.

Worldwide, the figure could be 50m devices, based on Google's own announcement that any device running a specific variant of its "Jelly Bean" software - Android 4.1.1, released in July 2012 - is vulnerable.

The figure, calculated using data provided exclusively by the analytics firm Chitika, is the first time an accurate estimate has been put on the number of vulnerable devices. Other estimates have suggested it is hundreds of millions, based on the number of devices running versions of Android 4.1. But most of those run 4.1.2, which is not at risk.

Continued : http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows

Related:
Vicious Heartbleed bug bites millions of Android phones, other devices
Up to 50 million Android devices could be vulnerable to Heartbleed attack. Here's how to check yours

Fingerprint lock in Samsung Galaxy 5 easily defeated by whitehat hackers
by Carol~ Forum moderator / April 15, 2014 3:30 AM PDT
In reply to: NEWS - April 15, 2014

"Multiple weaknesses put devices and PayPal accounts within reach of attackers."

The heavily marketed fingerprint sensor in Samsung's new Galaxy 5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset.

The hack, by researchers at Germany's Security Research Labs, is the latest to show the drawbacks of using fingerprints, iris scans, and other physical characteristics to authenticate an owner's identity to a computing device. While advocates promote biometrics as a safer and easier alternative to passwords, that information is leaked every time a person shops, rides a bus, or eats at a restaurant, giving attackers plenty of opportunity to steal and reuse it. This new exploit comes seven months after a separate team of whitehat hackers bypassed Apple's Touch ID fingerprint scanner less than 48 hours after it first became available.

Continued : http://arstechnica.com/security/2014/04/fingerprint-lock-in-samsung-galaxy-5-easily-defeated-by-whitehat-hackers/

Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach
by Carol~ Forum moderator / April 15, 2014 3:30 AM PDT
In reply to: NEWS - April 15, 2014

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe's ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

Continued : https://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-long-credit-card-breach/

Related: Hardware manufacturer LaCie suffered year-long data breach
Apple ID Phish Goes Horribly Wrong
by Carol~ Forum moderator / April 15, 2014 3:30 AM PDT
In reply to: NEWS - April 15, 2014

"Malwarebytes Unpacked" Blog:

Here's a really weird Apple phish, which seems to want to limit the amount of people who actually fall for it - much less read it at all. For years, scammers have walked a razor's edge of trying to look legitimate while claiming to be some sort of distant relation to the wallet inspector. Most thieves will take a chance and include a "be wary of phish mails, we take your security seriously" type message in their missives because it's what we expect to see (especially in banking emails and related websites) - however, this one may be going a little too far with regard to efforts to stop you from opening their spam mail: [Screenshot]

"Spam detection software, running on the system "",
has identified this incoming email as possible spam. The
original message has been attached to this so you can view it
(if it isn't spam) or label similar future email. If you have
any questions, see
@@CONTACT_ADDRESS@@ for details.
"

That's a weird way to open a spam message, right? They continue with the content of the supposed email, which is unformatted and a mess to read - I doubt many people will bother to even look at it.

Then things get even weirder, with the following "content analysis" of the email:

Continued : http://blog.malwarebytes.org/fraud-scam/2014/04/apple-id-phish-goes-horribly-wrong/

Arbitrary Code Execution Bug in Android Reader
by Carol~ Forum moderator / April 15, 2014 5:05 AM PDT
In reply to: NEWS - April 15, 2014

The Android variety of Adobe Reader reportedly contains a vulnerability that could give an attacker the ability to execute arbitrary code on devices running Google's mobile operating system.

The problem arises from the fact that Adobe Reader for Android exposes a number of insecure JavaScript interfaces, according to security researcher Yorick Koster, who submitted the details of the bug to the Full Disclosure mailing list.

In order to exploit the security vulnerability, an attacker would have to compel his victim to open a maliciously crafted PDF file. Successful exploitation could then give the attacker the ability to execute arbitrary Java access code and, in turn, compromise reader documents and other files stored on the device's SD card.

Adobe verified the existence of the vulnerability in version 11.1.3 of Reader for Android and has provided a fix for it with version 11.2.0.

Continued : http://threatpost.com/arbitrary-code-execution-bug-in-android-reader/105421

See Vulnerabilities / Fixes : Adobe Reader for Android PDF JavaScript Interface Java Code Execution Vulnerability

Heartbleed: VMware starts delivering patches
by Carol~ Forum moderator / April 15, 2014 5:05 AM PDT
In reply to: NEWS - April 15, 2014

VMware has announced that it has started shipping patches for its products that have been impacted by the OpenSSL Heartbleed bug.

"VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation," they noted, and added that they plan to release updated products and patches for all affected products by April 19th.

If you're not sure whether a VMware product or service you use is vulnerable or not, check out the lists provided in the VMware Knowledge Base.

Continued : http://www.net-security.org/secworld.php?id=16692

Related: VMware promises Heartbleed patches for affected products by the weekend
