Monthly Archives: September 2014

iPhone 6 TouchID scanner susceptible to hacking.

Apple's TouchID fingerprint scanner in the iPhone 6 is pretty much the same as the one in the iPhone 5s, and it is still prone to hacking like last year's TouchID. It plays a vital part in the company's upcoming mobile payment service. According to a researcher at cyber security company Lookout Inc., TouchID can be hacked and used for fraudulent activities. To prove his point, security researcher Marc Rogers created an exploit in which he used multiple forged fingerprints to deceive the scanner, using the same technique he used when exploiting the iPhone 5s. TouchID does not have a time-out feature, which allows attackers to perform brute-force attacks.

Bash command flaw affects Linux and Mac machines.

Bash is a Unix shell used to control the command prompt. A recently discovered Bash flaw puts computers running on Linux and Mac platforms at risk. Security researchers consider the Bash command flaw a bigger threat than the Heartbleed bug, which made the headlines in April. According to experts from cyber security companies, a hacker can take full control of a vulnerable system by exploiting the Bash flaw. US-CERT advises Linux and Mac users to obtain OS security patches from their respective vendors. The Heartbleed flaw is used for spying purposes, whereas the Bash flaw allows remote code execution on the vulnerable system, which makes it more devastating than Heartbleed.

Apple iOS 8 fixes 53 vulns

Apple has released the latest version of iOS 8, fixing 53 vulnerabilities. Among these vulnerabilities, the most severe security threats allow code execution with root privileges. Similarly, other flaws can be exploited to execute arbitrary code with kernel or system privileges. Most vulnerabilities affect the WebKit browser engine and can be exploited when a victim is enticed to visit a specially crafted web page. iOS 8 minimizes the threat of stolen Wi-Fi credentials by disabling the Lightweight Extensible Authentication Protocol (LEAP), which was not disabled by default in earlier versions.

Android flaw puts privacy at risk

According to security researcher Rafay Baloch, Android versions prior to 4.4 are prone to a security bypass issue that allows intruders to gain control of a user's sessions on other sites. The issue is actually related to an XSS flaw caused by improper handling of javascript: strings preceded by a null byte character in the browser, which hampers the enforcement of the same-origin policy. After the exploit was released as a Metasploit module by the Rapid7 team, Google acknowledged it and started working on a security patch for the versions before KitKat.

September’s PATCH TUESDAY fixes 42 flaws

On September 9th, Patch Tuesday fixes 42 security flaws covering Windows, Internet Explorer, .NET Framework, and Lync Server. This month's Patch Tuesday contains a total of FOUR different bulletins, one of which is rated CRITICAL. Internet Explorer (IE) has clinched the limelight, with 37 vulnerabilities addressed under the MS14-052 bulletin, whereas MS14-053 and MS14-055 fix Denial of Service (DoS) issues in the .NET Framework and Lync Server respectively. The MS14-054 security update addresses a vulnerability in Microsoft Windows Task Scheduler that allows attackers to gain elevated privileges via a crafted application.

Google Glass susceptible to hacker profiling

According to Kaspersky Lab, the wearable technology Google Glass is prone to hacker profiling through network vendors attacks. Kaspersky researchers Roberto Martinez and Juan Andres Guerrero have done an in-depth analysis of Google Glass and Samsung Galaxy Gear 2 in search of privacy issues that users could face. Bluetooth or Wi-Fi can be used to browse the web through Google Glass. Wi-Fi doesn't need a separate mobile device to access the Internet. According to the researchers, the data transmission is not fully encrypted, giving intruders an opportunity to intercept sensitive information via Man-in-The-Middle (MiTM) attacks.

Twitter unleashes bug bounty program

Online social networking service Twitter has launched a bug bounty program in an effort to eliminate security flaws by giving researchers the opportunity to formally disclose vulnerabilities and get a reward in return. Twitter has outsourced this program to HackerOne. Although there is no maximum limit for the reward, a minimum reward of $140 is offered for one vulnerability. The security flaws covered include XSS, CSRF, remote code execution and unauthorized access to tweets and direct messages. The only way for a researcher to be eligible for a monetary reward is to report the bug and not disclose it publicly until the patch is available.

NO MORE!! Man-In-The-Middle attacks in Firefox

The latest Firefox implements support for a public-key pinning feature. This newly added feature validates the authorization of a server based on an internal list of trusted certificates. Secure communication can be accomplished by encrypting the data, based on a digital certificate issued by any Certificate Authority (CA), and then verifying the service identity. Earlier, cybercriminals had obtained forged certificates, getting a valid SSL certificate for a domain by deceiving a Certificate Authority (CA). Another way of getting a certificate is to hack into a CA's systems and issue it on their behalf. The latest Firefox wipes out these risks through public-key pinning, where the digital certificate of the website is compared with the certificate present in the browser, and the two must match for communication to take place.