Exploit
Google Had a Big Ol’ Hole In Its Two-Step Verification System
Source: http://gizmodo.com/5986830/google-had-a-big-ol-hole-in-its-two+step-verification-system
The coast is clear now, but for a while there, Google’s two-step verification system wasn’t keeping you as safe as you thought. In fact, it was providing an avenue for folks to get in. App-specific passwords were propping your door open.
The exploit was found—and reported—by Duo Security, which is publishing its data now that Google has fixed things up. If you’ve enabled two-step (which you should), you know that using applications like Twitter or Facebook or Instagram often involves an app-specific password. Apps that don’t just pass you to a Google login page and have you enter a phone-code will tell you to go get an app-specific password manually from your account page, and put that in.
The logic behind having app-specific passwords is that you can disable access from certain apps—like all the apps on a stolen phone—without disturbing the rest. And that’s great. The problem was, those manual app-specific passwords you put in weren’t actually app-specific. Anyone could reuse any of those passwords to link a Google device (Android phone, Chromebook) to a Google account. From there, hackers could log in to services with the device, strolling right on in to account settings without ever knowing the real password.
As explained by Duo Security’s cleverly edited Google ad:
That’s not a good situation, but fortunately it’s been fixed. Ever since Feb 21st, anyone trying to get to account settings needs the real password. Convenience be damned. And even though this was a bit of a breach, it’s worth noting that two-step wasn’t making anything worse; in the absence of two-step, a thief with your app-specific password would just have had your real password instead. And they wouldn’t have to know about the connect-a-device exploit to use it. Way worse.
You’re safe for now, but it serves as a good reminder to keep up with those security best practices. Clean out your app-specific passwords now and then, change your password occasionally, and beware auto-login features that make your life easier because chances are they’re making it more insecure. Nothing’s foolproof, but just try to stay safe out there. [Duo Security]
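The flaw above boils down to a scoping failure: a credential issued for one app could be turned into a device link and from there into full account access. The toy model below (an added illustration, not Google's or Duo Security's code; the `Account`, `issue_app_password`, `revoke_app_password` and `authorize` names and the action names are made up) shows the property the fix restores: an app-specific password works only for the service it was issued for, while account settings and device linking accept only the real password plus a second factor.

```python
"""Toy model of properly scoped app-specific passwords (ASPs).

Constructed example: an ASP is bound to exactly one service, can be revoked
on its own (e.g. all ASPs from a stolen phone), and can never reach privileged
actions such as changing account settings or linking a new device.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Actions that must require the primary credential plus a second factor.
PRIVILEGED_ACTIONS = {"account_settings", "link_device"}


def _digest(secret: str) -> bytes:
    # Plain SHA-256 keeps the example short; a real system uses a slow KDF.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class Account:
    password_hash: bytes
    # ASP value -> the single service it is allowed to access.
    app_passwords: dict = field(default_factory=dict)


def issue_app_password(acct: Account, service: str) -> str:
    """Mint a random ASP that is valid for one named service only."""
    asp = secrets.token_hex(8)
    acct.app_passwords[asp] = service
    return asp


def revoke_app_password(acct: Account, asp: str) -> bool:
    """Disable one ASP without disturbing the others; True if it existed."""
    return acct.app_passwords.pop(asp, None) is not None


def authorize(acct: Account, credential: str, action: str,
              second_factor_ok: bool = False) -> bool:
    """Return True only if `credential` may perform `action`."""
    full_login = (hmac.compare_digest(_digest(credential), acct.password_hash)
                  and second_factor_ok)
    if action in PRIVILEGED_ACTIONS:
        # An ASP never qualifies here: this is what closes the
        # "link a device, then walk into account settings" path.
        return full_login
    # Non-privileged service access: real login, or an ASP scoped to it.
    return full_login or acct.app_passwords.get(credential) == action
```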
BlackBerry says TIFF vulnerability exposes enterprise servers to malware
Source: http://www.engadget.com/2013/02/18/blackberry-tiff-vulnerability/
BlackBerry has always prided itself on its top-notch security features, so it’s a little worrying to see the company release a “high severity” advisory today warning of a potential exploit. According to the Waterloo-based operation:
Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone.
Essentially, hackers could rig a TIFF file with malware and then trick a BlackBerry user into loading it via a webpage, email or an embedded message, thus allowing the bad guys into their company’s Enterprise Server. BlackBerry hasn’t received any reports of attacks just yet, but urges IT administrators to update their BES software all the same. The update is available at the source, as are several temporary workarounds for those who can’t update their installations just yet.
Via: Naked Security
Source: BlackBerry Knowledge Base
Digital Consigliere