Weekly Infosec Snipper June 22, 2015
1) Mac OS X and iOS face cross-app resource access (XARA) attacks
Four unpatched vulnerabilities in Mac OS X and iOS permit malicious apps to bypass security settings and steal credentials. Researchers at the University of Indiana notified Apple about these vulnerabilities in late October 2014, and the company assured them that patches for the flaws would roll out within six months. The researchers named these vulnerabilities cross-app resource access (XARA) attacks because a malicious app gains unauthorized access to resources belonging to other apps on the device. The vulnerabilities allow password theft, access to secure containers, interception of data exchanged over IPC (inter-process communication), and URL scheme hijacking.
2) Password recovery scam tricks users into handing over their email accounts
With the help of social engineering and a tricky text message, attackers can make email users victims of password recovery fraud. Attackers are targeting Gmail, Hotmail, and Yahoo email users; they only need the user's email address and mobile number. The motive behind this fake message is not to steal the user's money but to gather information by approaching each user individually. For example, in the Gmail service, attackers use the user's email address and mobile number and try to log in. At the password prompt, they click the Need Help link and choose the “Get a verification code on my phone” option. Once the user receives the verification code, the attacker sends a follow-up text message: “Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.” The user ultimately sends the code to the attacker and thereby surrenders control of the account.
3) 600M Samsung devices at risk from a remote code execution vulnerability
A remote code execution vulnerability (CVE-2015-2865) affects 600 million Samsung mobile devices. The Samsung keyboard, a pre-installed app built on an SDK, allows attackers to gain access to GPS, the microphone, images, text messages, and device sensors. Attackers can also install malicious apps without the user's permission and change the functionality of existing apps. Samsung released a patch in 2015, but it is not certain how many devices have been updated so far.
4) Attackers have hacked LastPass
LastPass users are advised to change their master password after attackers breached the LastPass service. However, no encrypted data was stolen. The company also told users that they would soon receive an email asking them to change their master password; to do so, users must verify from a trusted IP address or device. Although the encrypted data was not taken, the hackers did capture non-encrypted data such as email addresses, password reminders, and authentication hashes.
5) WhatsApp appears to fail at protecting users' privacy
The Electronic Frontier Foundation published a report named “Who Has Your Back? 2015: Protecting Your Data From Government Requests”. According to the report, WhatsApp appears to be the least secure of the services surveyed. Among the major findings, nine companies received five stars, while AT&T, Verizon, and WhatsApp were found lacking in following industry-accepted best practices. Companies such as Adobe, Apple, CREDO, Dropbox, Sonic, WICKR, Wikimedia, WordPress.com, and Yahoo remained in the top position with respect to user privacy and industry standards.
6) Google finally launches an Android bug bounty program
Google has launched the Android Security Rewards program for vulnerabilities found in Nexus phones and tablets. Google will pay for each bug, with additional rewards for patches. The program covers the Nexus line of products, the Samsung Galaxy line, and gadgets. Nexus phones thus become the subject of an ongoing vulnerability reward program. Google also runs bug bounty programs for Chrome and other Google products, and rewarded $1.5 million to security researchers last year.