NEWS - April 22, 2014

Apr 22, 2014 1:27AM PDT
Active malware campaign steals Apple passwords from jailbroken iPhones

Security researchers have uncovered an active malware campaign in the wild that steals the Apple ID credentials from jailbroken iPhones and iPads.

News of the malware dubbed "unflod," based on the name of a library that's installed on infected devices, first surfaced late last week on a pair of reddit threads here and here. In the posts, readers reported their jailbroken iOS devices recently started experiencing repeated crashes, often after installing jailbroken-specific customizations known as tweaks that were not a part of the official Cydia market, which acts as an alternative to Apple's App Store.

Since then, security researcher Stefan Esser has performed what's called a static analysis on the binary code that the reddit users isolated on compromised devices. In a blog post reporting the results, he said unflod hooks into the SSLWrite function of an infected device's security framework. It then scans it for strings accompanying the Apple ID and password that's transmitted to Apple servers. When the credentials are found, they're transmitted to attacker-controlled servers.

Continued : http://arstechnica.com/security/2014/04/active-malware-campaign-steals-apple-passwords-from-jailbroken-iphones/

Related:
Mysterious malware steals Apple credentials from jailbroken iOS devices
New iOS malware with a funky name: "Unflod Baby Panda"

Fake Facebook app attack can lead to your Android being ..
Apr 22, 2014 2:17AM PDT
.. spied upon, and your bank account being hacked

The ESET "We Live Security" Blog:

Are you a Facebook user?

If so, be on your guard if you see a screen like the following popping up on your screen: [Screenshot]

Hopefully the poor grammar is enough to trigger your alarm bells, and prevent you from entering your mobile phone number.

But if it's not, there is a risk that malicious hackers could soon be listening in to the calls made on your Android smartphone, intercepting your SMS text messages, and even listening in to any private conversations you are having in the vicinity of your phone.

And, if the hackers can read your SMS messages, they can potentially break into your online bank accounts too.

Continued : http://www.welivesecurity.com/2014/04/22/facebook-android-bank/

Related : Android trojan app targets Facebook users

Secunia: Fixing OpenSSL's Heartbleed flaw will take MONTHS
Apr 22, 2014 2:17AM PDT

Expunging the Heartbleed bug from vulnerable computers and gadgets is likely to take months, according to a leading vuln research firm. The cautionary assessment by Secunia comes as more and more products are judged to be vulnerable to the infamous OpenSSL security flaw.

Heartbleed most obviously affected secure web servers but also hit routers and other networking equipment, as well as a wide array of other enterprise technology.

And the bundling of the faulty OpenSSL library means applications vulnerable to Heartbleed include everything from VPN software, messaging and VoIP apps, among others. A large number of smartphones (specifically those running Android 4.1) are also on the danger list.

Kasper Lindgaard, Secunia head of research, told El Reg that other items vulnerable to Heartbleed include switches and servers.

Continued : http://www.theregister.co.uk/2014/04/22/heartbleed_repairs_may_take_months/

An Allegation of Harm
Apr 22, 2014 2:17AM PDT

In December 2013, an executive from big-three credit reporting bureau Experian told Congress that the company was not aware of any consumers who had been harmed by an incident in which a business unit of Experian sold consumer records directly to an online identity theft service for nearly 10 months. This blog post examines the harm allegedly caused to consumers by just one of the 1,300 customers of that ID theft service — an Ohio man the government claims used the data to file fraudulent tax returns on dozens of Americans last year.

In February, I was contacted via Facebook by 28-year-old Lance Ealy from Dayton, Ohio. Mr. Ealy said he needed to speak with me about the article I wrote in October 2013 — Experian Sold Consumer Data to ID Theft Service. Ealy told me he'd been arrested by the U.S. Secret Service on Nov. 25, 2013 for allegedly using his email account to purchase Social Security numbers and other personal information from an online identity theft service run by a guy named Hieu Minh Ngo.

Continued : http://krebsonsecurity.com/2014/04/an-allegation-of-harm/

Supposedly patched router backdoor was simply hidden
Apr 22, 2014 3:03AM PDT

When security systems' engineer and researcher Eloi Vanderbeken discovered the existence of a backdoor in his own Linksys router last Christmas, he spurred other hackers to check what other routers have the same backdoor. The result of this investigation was that 24 DSL router models from Cisco, Linksys, Netgear, and Diamond were confirmed to be vulnerable.

The backdoor has been tied with Sercomm - the firm that builds these routers for the aforementioned companies - and the specific firmware they install on the devices. A month after the discovery, those companies have pushed out a new version of the firmware that apparently closed the backdoor. Only it didn't - it merely hid it.

Continued : http://www.net-security.org/secworld.php?id=16721

Related: Easter egg: DSL router patch merely hides backdoor instead of closing it

OpenSSL code beyond repair, claims creator of "LibreSSL"
Apr 22, 2014 3:18AM PDT
.. fork

OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.

OpenSSL has suffered from a lack of funding and code contributions despite being used in websites and products by many of the world's biggest and richest corporations.

The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess.

Continued : http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

Related: OpenBSD team forks OpenSSL to create safer SSL/TLS library

Google refunds Android users who bought fake Virus Shield
Apr 22, 2014 4:10AM PDT

Earlier this month an Android anti-virus app, named Virus Shield, managed to fool thousands of customers into buying it, despite not having any anti-virus capabilities.

The $3.99 app initially appeared to be a hot purchase as it quickly rose to the top of the Google Play Store sales charts before Android Police discovered all was not as it seemed.

The app was subsequently removed from the store on 6 April but not before tens of thousands of people had purchased it.

Now Google is offering full refunds to anyone who bought Virus Shield. That's long after the usual 15-minute refund window.

Continued : http://nakedsecurity.sophos.com/2014/04/22/google-refunds-android-users-who-bought-fake-virus-shield-app/

Some sites have plugged Heartbleed, but 1000's haven't, says
Apr 22, 2014 4:33AM PDT
.. security firm

According to Computerworld, Sucuri Security, a Calif.-based Internet security outfit, says that of the top 1 million sites on the Web as ranked by Alexa (a service which measures what websites are most popular based on Web data that it gathers), as much as two percent of those sites are still susceptible to the Heartbleed OpenSSL bug. However, Sucuri exec Daniel Cid said in an email that the top 1,000 Alexa sites were all safe from the bug, or have been patched and are not at risk anymore. The findings are accurate as of last week.

Sucuri also found that 0.53 percent of the 10,000 most popular sites were vulnerable, with that number rising to 1.5 percent among the 100,000 most popular sites. The percentages break down like this: 53 of the top 10,000 sites were at risk, 1,595 of the top 100,000 sites were vulnerable, and 20,320 of the 1,000,000 most popular sites were still susceptible to Heartbleed.

"We were glad to see that the top 1,000 sites in the world were all properly patched, and that just 0.53% of the top 10k still had issues. However, as we went to less popular (and smaller) sites, the number of unpatched servers grew to 2%. That is not surprising, but we expected better," Cid said in a blog post.

Continued : http://www.digitaltrends.com/computing/sites-plugged-heartbleed-thousands-havent-says-security-firm/