It’s finally Friday and the start of a long weekend! Here are this week’s hot security topics, as reported by our esteemed peers in the industry:
Applications uploading data from your iPhone’s address book without permission: “iOS apps and the address book: who has your data and how they’re getting it,” a great article by Dieter Bohn, details the source of the problem and how you can detect it yourself. It also includes a list of some of the other offenders that may surprise you, as well as an ongoing conversation of over 150 comments.
Our very own Mark Kriegsman, Principal Software Engineer, developed CA Veracode’s own utility to detect and identify what other applications on your mobile device may be accessing and distributing personal contact data that you don’t know about. We call it AdiOS and anyone can download it using the link in Mark’s blog post.
Apple has responded to this issue by announcing that all applications that require access to a user’s address book will require explicit user permission. Details can be found in “Apple App Access to Contact Data will Require Explicit User Permission,” by John Paczkowski.
Google Wallet suspends use of prepaid cards after vulnerabilities are discovered: “Researcher Cracks Google Wallet PIN,” by Kelly Jackson Higgins at Dark Reading. A senior engineer at Zvelo demonstrated how he could uncover the PIN used to authenticate mobile-phone payments without a “single invalid attempt.” Also look for commentary from CA Veracode Sr. Researcher Tyler Shields.
Nortel Networks, a now extinct telecommunications equipment manufacturer, was infiltrated and exposed for years: “Nortel hacked for years but failed to protect itself, report says,” Lance Whitney details Nortel’s history of cyberattacks, which lasted nearly 10 years. Chinese hackers were able to steal the passwords of seven executives in 2000, which they then used to gain access to the company’s network and take control of personal computers. When Nortel filed for bankruptcy in 2009, it failed to disclose this information to potential buyers.
Could hacking into an Android phone be as easy as connect-the-dots? “‘Reverse smudge engineering’ foils Android unlock security,” Stephen Shankland concludes that simple finger traces can potentially reveal the unlock pattern on Android devices. Googler Tim Bray provides input and recommends switching to PIN verification on the numeric keypad as a much more secure option.
Cybersecurity awareness among utility companies is low: “15 Percent of Vendors, Utilities Not Testing for Grid Security,” from Katherine Tweed at Greentech Media (@greentechmedia). Although the majority of utilities indicated in a KEMA survey that they had selected their smart grid technology based on performance and interoperability, it also revealed that more than half had not yet tested the security of their systems and that 15 percent did not plan to. The article further urges, “The industry must be proactive and rigorous in its pursuit of cybersecurity.”
Open source webmail project Horde’s FTP server was hacked and its applications were backdoored: “Horde FTP Server Hacked, Files Maliciously Altered,” by Eduard Kovacs. On three different occasions, hackers were able to infiltrate Horde’s servers and alter various files, allowing unauthenticated remote PHP execution.
That’s it for this week’s Friday Roundup. For those of you who have Monday off, enjoy the long weekend!