NEWS - April 22, 2015

Apr 22, 2015 9:43AM PDT
iOS bug sends iPhones into endless crash cycle when exposed to rogue Wi-Fi

There's a bug in Apple's iOS 8 that allows nearby attackers to send apps—and in some cases the iPhone or iPad they run on—into an endless reboot cycle that temporarily renders the devices useless, according to researchers who demonstrated the attack Tuesday.

The exploit uses a standard Wi-Fi network that generates a specially designed secure sockets layer (SSL) certificate to exploit the bug, according to the researchers, who work for Israel-based Skycure. The encrypted communication causes whatever apps happen to be connected to the booby-trapped Wi-Fi network to crash. The vulnerability was introduced in version 8 of the Apple mobile operating system.

After sustained connections to the malicious signal, the OS itself will crash, in some cases in a way that causes the devices it runs on to spiral into a repeatable reboot cycle. Making the attack particularly vexing, even if users know the endless crashes are generated by the Wi-Fi network they're connected to, they can't disconnect because the repeated restarts make it impossible to access the device's user settings, as demonstrated in the following video:

Continued : http://arstechnica.com/security/2015/04/ios-bug-sends-iphones-into-endless-crash-cycle-when-exposed-to-rogue-wi-fi/

Related :
How to crash any iPhone or iPad within WiFi range
How evil Wi-Fi can kill iPhones, iPods in range - 'No iOS Zone' SSL bug revealed

1,500 Apple-Approved iOS Apps at Risk From Data-Exposing Vulnerability
Apr 22, 2015 10:12AM PDT

Graham Cluley @ The Mac Security Blog:

In recent weeks the company has seen its products bedevilled with security flaws, said it's too hard to patch users running vulnerable, older versions of its software, and when it has released a security patch for at least some of its at-risk users—seen it fail abysmally to protect against the problem it was supposed to defend.

Meanwhile, against this backdrop, Cupertino has been banning legitimate anti-virus apps from the iOS app store—apparently on a whim.

Can things get worse? Well, apparently they can.

Now news reaches us that some 1,500 approved apps in the so-called "walled garden," famously vetted vigorously by Apple, have been found to contain a serious vulnerability that could be exploited by hackers to spy on communications, steal passwords and bank account information.

Continued : http://www.intego.com/mac-security-blog/ios-apps-data-vulnerability/

Related :
1,500 iOS apps open to simple man-in-the-middle attacks
1,500 iOS apps sport flaw that allows interception of sensitive user data
1,500 iOS apps have HTTPS-crippling bug. Is one of them on your device?

Popular WordPress plugins vulnerable to XSS
Apr 22, 2015 10:12AM PDT

At least 17 WordPress plugins - and likely even more of them - have been found vulnerable to cross-site scripting (XSS) flaws that could allow attackers to inject malicious code in the browsers of the sites' visitors.

A particular vulnerability, first flagged by Johannes Schmitt of Scrutinizer CI, has been first privately disclosed by Sucuri researchers and Yoast developer Joost de Valk to the developers of the affected plugins, including Jetpack, WordPress SEO, WPTouch, My Calendar, and others. Yoast's own SEO plugin and Google Analytics plugin were also vulnerable.

The vulnerability stems from the misuse of the add_query_arg() and remove_query_arg() functions, often used by developers to modify and add query strings to URLs within WordPress.

Continued : http://www.net-security.org/secworld.php?id=18275

Related:
Popular WordPress plugins found vulnerable to XSS attacks
Swarm of WordPress plugins susceptible to potentially dangerous exploits

Tech Support Spam Plague LinkedIn & Other High-Traffic Sites
Apr 22, 2015 10:12AM PDT

"Malwarebytes Unpacked" blog:

To our readers, consider this a heads-up.

It has come to our attention that technical support spammers have been shamelessly marketing their "services" on LinkedIn by taking advantage of the social network's generally free features.

We believe that whoever was behind these campaigns created fake, bare-bones accounts, such as the one below, which they then use to create group accounts. [Screenshot]

These group accounts then serve as an advertising platform to get potential clients to dial those numbers or entertain callers coming from them. Below are screenshots we've captured on some of the groups we found via a simple search: [...]

These posts purportedly cater to companies in the anti-virus (Norton, Kaspersky, AVG), email (Outlook, Hotmail), and telecommunication (Comcast) industries and others.

Continued : https://blog.malwarebytes.org/fraud-scam/2015/04/tech-support-spam-plague-linkedin-and-other-high-traffic-sites/

Feds Warn Airlines to Look Out for Passengers Hacking Jets
Apr 22, 2015 10:39AM PDT

In response to reports last week that passenger Wi-Fi networks make some planes vulnerable to hacking, the FBI and TSA have issued an alert to airlines advising them to be on the lookout for evidence of tampering or network intrusions.

The FBI and TSA note that they currently have no information to support claims that an attacker could commandeer a plane's navigation system through the passenger Wi-Fi or IFE (In Flight Entertainment) networks, but they are taking the claims seriously. They are currently evaluating the evidence to determine if there is a credible threat posed by intrusions into the networks of passenger planes.

The alert, posted to the FBI's InfraGard site as a private industry notification (or PIN), advises airline staff to be on the lookout for signs that any passengers might be trying to connect to the network ports located beneath their seats.

Continued : http://www.wired.com/2015/04/fbi-tsa-warn-airlines-tampering-onboard-wifi/

Related:
Researcher who joked about hacking a jet plane barred from United flight
Hacker Detained by FBI after Tweeting about Airplane Software Vulnerabilities

Keeping Your Car Safe From Electronic Thieves
Apr 22, 2015 10:39AM PDT

Last week, I started keeping my car keys in the freezer, and I may be at the forefront of a new digital safety trend.

Let me explain: In recent months, there has been a slew of mysterious car break-ins in my Los Feliz neighborhood in Los Angeles. What's odd is that there have been no signs of forced entry. There are no pools of broken glass on the pavement and no scratches on the doors from jimmied locks.

But these break-ins seem to happen only to cars that use remote keyless systems, which replace traditional keys with wireless fobs. It happened to our neighbor Heidi, who lives up the hill and has a Mazda 3. It happened to Simon, who lives across the street from me and has a Toyota Prius.

"..... Thieves have been breaking into and stealing cars with the help of electronic gadgets for several years now. Jalopnik, the car blog, has written about a "secret device" used to unlock cars. And dozens of other websites have told stories about burglars hacking into cars. As these reports illustrate, and videos online show, in some instances thieves are able to drive away with the cars without needing a key."

Continued : https://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html

Related : New York Times columnist falls prey to signal repeater car burglary

Hat Tip to Bob!

thanks for the info
Apr 22, 2015 12:36PM PDT

Probably a metal card box like for recipe cards and such would work just fine to drop the keys and fob into when at home, and a metal eyeglass case when away from home, especially for a woman in her purse.