Exploit

Google Had a Big Ol’ Hole In Its Two-Step Verification System

Source: http://gizmodo.com/5986830/google-had-a-big-ol-hole-in-its-two+step-verification-system

Google Had a Big Ol' Hole In Its Two-Step Verification System The coast is clear now, but for a while there, Google’s two-step verification system wasn’t keeping you as safe as you thought. In fact, it was providing an avenue for folks to get in. App-specific passwords were propping your door open.

The exploit was found—and reported—by Duo Security, which is publishing its data now that Google has fixed things up. If you’ve enabled two-step (which you should), you know that using applications like Twitter or Facebook or Instagram often involves an app-specific password. Apps that don’t just pass you to a Google login page and have you enter a phone-code will tell you to go get an app-specific password manually from your account page, and put that in.

The logic behind having app-specific passwords is that you can disable access from certain apps—like all the apps on a stolen phone—without disturbing the rest. And that’s great. The problem was, those manual app-specific passwords you put in weren’t actually app-specific. Anyone could re-use any of those passwords to link a Google device (Android phone, Chromebook) to a Google account. From there, hackers could login to services with the device, strolling right on in to account settings without ever knowing the real password.

As explained by Duo Security’s cleverly edited Google ad:

Google Had a Big Ol' Hole In Its Two-Step Verification System

That’s not a good situation, but fortunately it’s been fixed. Ever since Feb 21st, anyone trying to get to account settings needs the real password. Convenience be damned. And even though this was a bit of a breach, it’s worth noting that two-step wasn’t making anything worse; in the absence of two-step, a thief with your app-specific password would just have had your real password instead. And they wouldn’t have to know about the connect-a-device exploit to use it. Way worse.

You’re safe for now, but it serves as a good reminder to keep up with those security best-practices. Clean out your app-specific passwords now and then, change your password occasionally, and beware auto-login features that make your life easier because chances are they’re making it more insecure. Nothing’s full-proof, but just try to stay safe out there. [Duo Security]

Tags: , , , , , , , , , , , , , , ,

Monday, February 25th, 2013 news No Comments

BlackBerry says TIFF vulnerability exposes enterprise servers to malware

Source: http://www.engadget.com/2013/02/18/blackberry-tiff-vulnerability/

BlackBerry says TIFF vulnerability exposes enterprise servers to malware

BlackBerry has always prided itself on its top-notch security features, so it’s a little worrying to see the company release a “high severity” advisory today warning of a potential exploit. According to the Waterloo-based operation:

Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone.

Essentially, hackers could rig a TIFF file with malware and then trick a BlackBerry user into loading it via webpage, email or an embedded message, thus allowing the bad guys into their company’s Enterprise Server. BlackBerry hasn’t received any reports of attacks just yet, but urges IT administrators to update their BES software all the same. The update is available at the source, as are several temporary workarounds for those that can’t update their installations just yet.

Filed under: , ,

Comments

Via: Naked Security

Source: BlackBerry Knowledge Base

Tags: , , , , , , , , , , , , , , , , ,

Monday, February 18th, 2013 news No Comments

Exploit uses firewalls to hijack smartphones, turns friends into foes

Source: http://www.engadget.com/2012/05/22/exploit-uses-firewalls-to-hijack-smartphones/

Image

Normally, firewalls at cellular carriers are your best friends, screening out malware before it ever touches your phone. University of Michigan computer science researchers have found that those first lines of defense could be your enemy through a new exploit. As long as a small piece of malware sits on a device, that handset can infer TCP data packet sequence numbers coming from the firewall and hijack a phone’s internet traffic with phishing sites, fake messages or other rogue code. The trick works on at least 48 carriers that use firewalls from Check Point, Cisco, Juniper and other networking heavy hitters — AT&T being one of those providers. Carriers can turn the sequences off, although there are consequences to that as well. The only surefire solution is to either run antivirus apps if you’re on a mobile OS like Android or else to run a platform that doesn’t allow running unsigned apps at all, like iOS or Windows Phone. Whether or not the exploit is a serious threat is still far from certain, but we’ll get a better sense of the risk on May 22nd, when Z. Morley Mao and Zhiyun Qian step up to the podium at an IEEE security symposium and deliver their findings.

Exploit uses firewalls to hijack smartphones, turns friends into foes originally appeared on Engadget on T! ue, 22 M ay 2012 03:18:00 EDT. Please see our terms for use of feeds.

Permalink Ars Technica  |  sourceUniversity of Michigan (PDF)  | Email this | Comments

Tags: , , , , , , , , , , , , , , , , , ,

Tuesday, May 22nd, 2012 news No Comments

Dr. Augustine Fou is Digital Consigliere to marketing executives, advising them on digital strategy and Unified Marketing(tm). Dr Fou has over 17 years of in-the-trenches, hands-on experience, which enables him to provide objective, in-depth assessments of their current marketing programs and recommendations for improving business impact and ROI using digital insights.

Augustine Fou portrait
http://twitter.com/acfou
Send Tips: tips@go-digital.net
Digital Strategy Consulting
Dr. Augustine Fou LinkedIn Bio
Digital Marketing Slideshares
The Grand Unified Theory of Marketing