NEWS - April 23, 2014

Apr 23, 2014 3:27AM PDT
iPhones and Macs get fix for extremely critical "triple handshake" crypto bug

Apple has patched versions of its iOS and OS X operating systems to fix yet another extremely critical cryptography vulnerability that leaves some users open to surreptitious eavesdropping. Readers are urged to install the updates immediately.

The flaw resides in the secure transport mechanism of iOS version 7.1 and earlier for iPhones and iPads and the Mountain Lion 10.8.5 and Mavericks 10.9.2 versions of Mac OS X, according to advisories here and here. The bug makes it possible to bypass HTTPS encryption protections that are designed to prevent eavesdropping and data tampering by attackers with the capability to monitor traffic sent by and received from vulnerable devices. Such "man-in-the-middle" attackers could exploit the bug by abusing the "triple handshake" carried out when secure connections are established by applications that use client certificates to authenticate end users.

Continued : http://arstechnica.com/security/2014/04/iphones-and-macs-get-fix-for-extremely-critical-triple-handshake-crypto-bug/

Related:
Apple Fixes Serious SSL Issue in OSX and iOS
Apple security updates for Mac, iOS, and AirPort
Apple Patches Heartbleed Bug with AirPort Base Station Firmware Update 7.7.3
Apple pushes out critical security fixes for OS X, iOS and Apple TV

For additional details see first entries in VULNERABILITIES / FIXES thread.

An SMS Trojan with global ambitions
Apr 23, 2014 3:33AM PDT

Kaspersky Lab Weblog:

Recently, we've seen SMS Trojans starting to appear in more and more countries. One prominent example is Trojan-SMS-AndroidOS.Stealer.a; this Trojan came top in Kaspersky Lab's recent mobile malware TOP 20. It can currently send short messages to premium-rate numbers in 14 countries around the world.

But this is not all. Another Trojan, Trojan-SMS.AndroidOS.FakeInst.ef, targets users in 66 countries, including the US. This is the first case we have found involving an active SMS Trojan in the United States.

FakeInst was detected by Kaspersky Lab back in February 2013; since then, 14 various versions of it have emerged. The earlier versions were only capable of sending messages to premium-rate numbers in Russia. But by mid-2013 other countries appeared on the "support list":

Continued : http://www.securelist.com/en/blog/8209/An_SMS_Trojan_with_global_ambitions

AOL Email Hacked by Spoofers to Send Spam
Apr 23, 2014 3:33AM PDT

In Internet years, AOL and its webmail counterpart AOL Mail are beyond ancient at this point. A relic of electronic mail history, the majority of users have long since jumped ship for Gmail or Yahoo.

Yet those who still have accounts with AOL were no doubt unhappy when they discovered last weekend that a slew of old AOL Mail accounts had been hacked to send spam to their friends.

While it's unclear exactly how many users' accounts have been compromised at this point, multiple users have complained on Twitter that their accounts - some of which naturally have not been used for years - were compromised and used to send spam to other users.

Continued : http://threatpost.com/aol-email-hacked-by-spoofers-to-send-spam/105629

Related: Has your AOL account been spewing out diet spam? You're not alone ...

An Eavesdropping Lamp That Livetweets Private Conversations
Apr 23, 2014 4:06AM PDT

As former NSA director Michael Hayden learned on an Amtrak train last year, anyone with a smartphone instantly can become a livetweeting snoop. Now a whole crowd of amateur eavesdroppers could be as close as the nearest light fixture.

Two artists have revealed Conversnitch, a device they built for less than $100 that resembles a lightbulb or lamp and surreptitiously listens in on nearby conversations and posts snippets of transcribed audio to Twitter. Kyle McDonald and Brian House say they hope to raise questions about the nature of public and private spaces in an era when anything can be broadcast by ubiquitous, Internet-connected listening devices.

"What does it mean to deploy one of these in a library, a public square, someone's bedroom? What kind of power relationship does it set up?" asks House, a 34-year-old adjunct professor at the Rhode Island School of Design. "And what does this stream of tweets mean if it's not set up by an artist but by the U.S. government?"

Continued : http://www.wired.com/2014/04/coversnitch-eavesdropping-lightbulb/

Phishers Divert Home Loan Earnest Money
Apr 23, 2014 4:06AM PDT

It looks like it's time to update my Value of a Hacked Email Account graphic: Real estate and title agencies are being warned about a new fraud scheme in which email bandits target consumers who are in the process of purchasing a home.

In this scheme, the attackers intercept emails from title agencies providing wire transfer information for borrowers to transmit earnest money for an upcoming transaction. The scammers then substitute the title company's bank account information with their own, and the unsuspecting would-be homeowner wires their down payment directly to the fraudsters.

This scam was laid out in an alert sent by First American Title to its title agents:

Continued : http://krebsonsecurity.com/2014/04/phishers-divert-home-loan-earnest-money/

Coding error protects some Android apps from Heartbleed
Apr 23, 2014 5:34AM PDT

"A few office-productivity apps are protected from Heartbleed thanks to a mistake"

Some Android apps thought to be vulnerable to the Heartbleed bug were spared because of a common coding error in the way they implemented their own native OpenSSL library.

FireEye scanned 54,000 Android applications in Google's Play store on April 10 to see which ones are vulnerable to Heartbleed. The flaw, publicly disclosed on April 7, is contained in OpenSSL, a code library used to encrypt data traffic.

The security company found several games and office-based mobile applications that are vulnerable to the bug, mostly because the applications use their own native OpenSSL library rather than the one in the Android OS. Google said Android was mostly immune to Heartbleed.

Continued : http://news.techworld.com/security/3513059/coding-error-protects-some-android-apps-from-heartbleed/

From FireEye: If an Android Has a Heart, Does It Bleed?

Amazon Cloud IaaS Service servers riddled w/ vulnerabilities
Apr 23, 2014 5:34AM PDT

An investigation spurred by one of the customers of their security product has led researchers of security company Bkav to an unexpected discovery: the servers provided by Amazon's Cloud IaaS Service are riddled with vulnerabilities.

The customer in question complained about his server having been infected with spying and information-stealing malware despite the use of Bkav's antimalware solution.

While investigating how that might have happened, they discovered that Windows Server 2003 on Amazon's cloud server was last updated in October 2009. What's more, the Auto Update was turned off.

Continued : http://www.net-security.org/secworld.php?id=16731

Related: Amazon and HP Cloud Services Vulnerable Due to Unpatched Windows Server Installations

Phishers Pump out Heartbleed Attacks
Apr 23, 2014 5:34AM PDT

Symantec Security Response Blog:

Symantec has recently detected phishing emails related to the Heartbleed Bug. The phisher attempts to gather information by posing as a US military insurance service with a message about the Heartbleed bug.

The Heartbleed bug is a recently discovered security vulnerability affecting OpenSSL versions 1.0.1 to 1.0.1f. This vulnerability was fixed in OpenSSL 1.0.1g. Symantec's security advisory gives more details on the bug and offers remediation steps.

Spammers and phishers are known to use trending news and popular topics to disguise their payloads. In the case of phishing emails, phishers often cite security concerns to legitimize and disguise their social engineering methods. The payloads of these emails attempt to compel the messages' recipients into divulging sensitive information.

In this case, the phishers send the following email. [Screenshot]

Continued : http://www.symantec.com/connect/blogs/phishers-pump-out-heartbleed-attacks
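The Symantec post above gives the affected range as OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g. As an added example (not from the post or from Symantec), the script below parses `openssl version` style banners from a constructed host inventory and triages which hosts fall inside that range; the inventory, host names and banner strings are all made up for illustration.

```python
import re

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix.
# Versions are compared as (major, minor, fix, letter) tuples: "" sorts
# before "a", so (1, 0, 1, "") is the plain 1.0.1 release.
VULNERABLE_MIN = (1, 0, 1, "")
FIXED_AT = (1, 0, 1, "g")

# Matches the start of an "OpenSSL 1.0.1f 6 Jan 2014" banner.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from a banner, or None if it
    is not an OpenSSL version string (e.g. a GnuTLS or NSS banner)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_affected(banner):
    """True if the banner is in [1.0.1, 1.0.1g), False if outside it,
    None if the banner could not be parsed. Caveat: distributions that
    backport fixes keep the old version string, so a 1.0.1e that reports
    as affected here may already be patched; confirm via the package
    changelog or an actual heartbeat test before acting."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    return VULNERABLE_MIN <= version < FIXED_AT


# Constructed sample inventory: hostname -> banner collected from the host.
CONSTRUCTED_INVENTORY = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-1": "OpenSSL 1.0.0l 6 Jan 2014",
    "lb-1": "OpenSSL 0.9.8y 5 Feb 2013",
    "unknown-1": "GnuTLS 3.2.12",
}


def triage(inventory):
    """Split an inventory into (affected hosts, hosts needing manual review)."""
    affected, unknown = [], []
    for host, banner in inventory.items():
        result = is_heartbleed_affected(banner)
        if result is None:
            unknown.append(host)
        elif result:
            affected.append(host)
    return sorted(affected), sorted(unknown)


if __name__ == "__main__":
    print(triage(CONSTRUCTED_INVENTORY))
```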