Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

Alert

NEWS - April 15, 2014

by Carol~ Apr 15, 2014 1:43AM PDT
So Far, So Good for TrueCrypt: Initial Audit Phase Turns Up No Backdoors

A initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase.

A report on the first phase of the audit was released today by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

TrueCrypt is praised as not only free and open source encryption software, but also that it's easy to install, configure and use. Given that it has been downloaded upwards of 30 million times, it stood to reason that it could be a prime target for manipulation by intelligence agencies that have been accused of subverting other widely used software packages, commercial and open source.

Continued : http://threatpost.com/so-far-so-good-for-truecrypt-initial-audit-phase-turns-up-no-backdoors/105433

Related:
TrueCrypt audit finds "no evidence of backdoors" or malicious code
TrueCrypt source code audit finds no critical flaws or intentional backdoors
First phase of TrueCrypt audit finds no backdoors

Discussion is locked

6 Posts
- Collapse + Expand Details
- Collapse -
Heartbleed makes 50m Android phones vulnerable, data shows
by Carol~ Apr 15, 2014 1:48AM PDT

"Devices running Android 4.1.1 could be exploited by 'reverse Heartbleed' to yield user data - including 4m in US alone "

At least 4m Android smartphones in the US, and tens of millions worldwide, could be exploited by a version of the "Heartbleed" security flaw, data provided to the Guardian shows.

Worldwide, the figure could be 50m devices, based on Google's own announcement that any device running a specific variant of its "Jelly Bean" software - Android 4.1.1, released in July 2012 - is vulnerable.

The figure, calculated using data provided exclusively by the analytics firm Chitika, is the first time an accurate estimate has been put on the number of vulnerable devices. Other estimates have suggested it is hundreds of millions, based on the number of devices running versions of Android 4.1. But most of those run 4.1.2, which is not at risk.

Continued : http://www.theguardian.com/technology/2014/apr/15/heartbleed-android-phones-vulnerable-data-shows

Related:
Vicious Heartbleed bug bites millions of Android phones, other devices
Up to 50 million Android devices could be vulnerable to Heartbleed attack. Here's how to check yours

- Collapse -
Fingerprint lock in Samsung Galaxy 5 easily defeated by ..
by Carol~ Apr 15, 2014 3:30AM PDT
.. whitehat hackers

"Multiple weaknesses put devices and PayPal accounts within reach of attackers."

The heavily marketed fingerprint sensor in Samsung's new Galaxy 5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset.

The hack, by researchers at Germany's Security Research Labs, is the latest to show the drawbacks of using fingerprints, iris scans, and other physical characteristics to authenticate an owner's identity to a computing device. While advocates promote biometrics as a safer and easier alternative to passwords, that information is leaked every time a person shops, rides a bus, or eats at a restaurant, giving attackers plenty of opportunity to steal and reuse it. This new exploit comes seven months after a separate team of whitehat hackers bypassed Apple's Touch ID fingerprint scanner less than 48 hours after it first became available.

Continued : http://arstechnica.com/security/2014/04/fingerprint-lock-in-samsung-galaxy-5-easily-defeated-by-whitehat-hackers/
- Collapse -
Hardware Giant LaCie Acknowledges Year-Long Credit Card
by Carol~ Apr 15, 2014 3:30AM PDT
.. Breach

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe's ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

Continued : https://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-long-credit-card-breach/

Related: Hardware manufacturer LaCie suffered year-long data breach
- Collapse -
Apple ID Phish Goes Horribly Wrong
by Carol~ Apr 15, 2014 3:30AM PDT

"Malwarebytes Unpacked" Blog:

Here's a really weird Apple phish, which seems to want to limit the amount of people who actually fall for it - much less read it at all. For years, scammers have walked a razor's edge of trying to look legitimate while claiming to be some sort of distant relation to the wallet inspector. Most thieves will take a chance and include a "be wary of phish mails, we take your security seriously" type message in their missives because it's what we expect to see (especially in banking emails and related websites) - however, this one may be going a little too far with regards efforts to stop you from opening their spam mail: [Screenshot]

"Spam detection software, running on the system "",
has identified this incoming email as possible spam. The
original message has been attached to this so you can view it
(if it isn't spam) or label similar future email. If you have
any questions, see
@@CONTACT_ADDRESS@@ for details."

That's a weird way to open a spam message, right? They continue with the content of the supposed email, which is unformatted and a mess to read - I doubt many people will bother to even look at it.

Then things get even weirder, with the following "content analysis" of the email:

Continued : http://blog.malwarebytes.org/fraud-scam/2014/04/apple-id-phish-goes-horribly-wrong/

- Collapse -
Arbitrary Code Execution Bug in Android Reader
by Carol~ Apr 15, 2014 5:05AM PDT

The Android variety of Adobe Reader reportedly contains a vulnerability that could give an attacker the ability to execute arbitrary code on devices running Google's mobile operating system.

The problem arises from the fact that Adobe Reader for Android exposes a number of insecure JavaScript interfaces, according to security researcher Yorick Koster, who submitted the details of the bug to the Full Disclosure mailing list.

In order to exploit the security vulnerability, an attacker would have to compel his victim to open a maliciously crafted PDF file. Successful exploitation could then give the attacker the ability to execute arbitrary Java access code and, in turn, compromise reader documents and other files stored on the device's SD card.

Adobe verified the existence of the vulnerability in version 11.1.3 of Reader for Android and has provided a fix for it with version 11.2.0.

Continued : http://threatpost.com/arbitrary-code-execution-bug-in-android-reader/105421

See Vulnerabilities / Fixes : Adobe Reader for Android PDF JavaScript Interface Java Code Execution Vulnerability

- Collapse -
Heartbleed: VMware starts delivering patches
by Carol~ Apr 15, 2014 5:05AM PDT

VMware has announced that it has started shipping patches for its products that have been impacted by the OpenSSL Heartbleed bug.

"VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation," they noted, and added that they plan to release updated products and patches for all affected products by April 19th.

If you're not sure whether a VMware product or service you use is vulnerable or not, check out the lists provided in the VMware Knowledge Base.

Continued : http://www.net-security.org/secworld.php?id=16692

Related: VMware promises Heartbleed patches for affected products by the weekend

Back to Spyware, Viruses, & Security forum

CNET Forums

Operating Systems
Software
Electronics & Gadgets
Hardware
Tablets & Mobile Devices
General Help
Brand Forums
Roadshow Autos
Off Topic

Other Forums

Forum Info