Fans of the fledgling cryptocurrency known as Bitcoin got quite a shock in recent days as some clever thieves worked out yet another method to swipe virtual cash from unsuspecting users. The source of the theft was traced to a bug in Android, and now Google has acknowledged the flaw exists.
Another day, another Android flaw.
A feature that allows Android users to authenticate themselves on Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts, a security researcher showed Saturday at the Defcon security conference in Las Vegas.
And with that information, the attacker has access to “Google Apps, Gmail, Drive, Calendar, Voice and other Google services.”
Security researcher Ibrahim Balic said he meant no harm and reported the security hole to Apple. Nick Arnott also has a good story about this on iMore.
We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now.
If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password.
That doesn’t sound good.
Nick Arnott give us a walkthrough of how the exploit worked. It’s important to note that Apple has already fixed the security hole, but it’s interesting to see what happened.
The security hole has been fixed. Nice quick turnaround.
F-Secure:
Android malware has been strengthening its position in the mobile threat scene. Every quarter, malware authors bring forth new threat families and variants to lure more victims and to update on the existing ones. In the fourth quarter alone, 96 new families and variants of Android threats were discovered, which almost doubles the number recorded in the previous quarter.
Android accounts for 79 percent of the security threats for mobile platforms. iOS barely registers in the results, despite the fact there are hundreds of millions of users. F-Secure published a PDF with all of the results.
Good luck Android users.
The difference between the first exploit and this one is how it can make the iPhone screen go black, allowing an attacker to plug the device into a computer via USB and access the user’s data without having their PIN or passcode credentials.
I don’t know how they find this stuff, but Apple has to get this fixed.
The world’s largest software company said the security intrusion was “similar” to recent ones reported by Apple Inc (NSQ:AAPL) and Facebook Inc (FB.O).
Apple on Tuesday admitted to being the victim of a hacker attack by the same people that went after Facebook last week. Apple said it is taking steps to help it’s customers, including releasing an updated Java malware removal tool. […]
To improve their chances of beating a spam filter by sending you spam from your contact’s account, the spammer first has to break into that account. This means many spammers are turning into account thieves.
Good to see Google fighting these people.
Android applications downloaded by as many as 185 million users can expose end users’ online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections, computer scientists have found.
Of course, iOS doesn’t have this problem, so all of you Android owners that want to switch from the malware invested, security sucking Android can make the move any time.
Google’s Matt Cutts on the myths and realities of enabling two-factor authentication.
Mat Honan:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.
The good news is the hacker didn’t brute-force the password. The bad news… yeah.
We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.
Let’s just assume that every password is going to be leaked.
Lex Friedman:
Two stories about potential user data leakage at the networking company trickled out late Tuesday and early Wednesday. One suggested that the LinkedIn iOS app may leak personal data from your calendar to the LinkedIn website; the second report indicates that a Russian hacker may have posted 6.5 million LinkedIn passwords on the Web.
I guess a little bit of security is too much to ask for.
Building on state-of-the-art encryption standards, DropKey quickly and easily encrypts any file specifically for your recipients — without the need for a password or the hassle of juggling a bunch of keys!
They are giving away the app until May 20.
Public-Key Cryptography, created in the 1970s, is a matched-pair encryption/decryption standard. Using this method, the sender and recipient share public encryption keys, thereby establishing a relationship of trust. After that occurs, files can be encrypted by one and decrypted by the other without using passwords. While Public-Key Cryptography can use a variety of levels of security, DropKey uses the 256-bit method, a well-established industry standard.
I talked to DropKey’s CEO Ian Schray, and what impresses me about the app is that it only takes one extra click to encrypt a file and send it in an email, then it does if you didn’t encrypt the file. I’ve tried file encryption software in the past and it was a real pain, but this looks really good.
In response to Flashback malware that’s been in the news lately, Apple on Tuesday revealed that it is developing a tool to detect and remove it. […]
Developer Juan Leon put together this app.
The Sun:
Sony music suffered its second major security breach in a year, with thieves targeting songs and unreleased material by the superstar singer.It’s alleged they downloaded more than 50,000 music files, worth £160million, in the biggest ever cyber attack on a music company.
Has Sony ever heard of security?
PCWorld: The user names and passwords clipped from Foxconn on Wednesday can be used to place fraudulent orders from the company’s clients, the hackers said in a statement accompanying a torrent file containing the stolen data. Foxconn has taken its … Continued
The Register: Computer scientists have discovered a weakness in smartphones running Google’s Android operating system that allows attackers to secretly record phone conversations, monitor geographic location data, and access other sensitive resources without permission. Well now, there’s a feature the … Continued
A new study from anti-virus software maker McAfee shows that almost all of the malware available for mobile devices is on the Android platform, not iOS.
Reuters:
A software flaw in Apple Inc’s iPhones and iPads may allow hackers to build apps that secretly install programs to steal data, send text messages or destroy information, according to an expert on Apple device security.
Here is a video from the researcher Charlie Miller:
Sony has been the target of another hacker attack. This time about 93,000 PlayStation Network (PSN) and Sony Online Entertainment (SOE) accounts were compromised, but no one’s credit card information is in danger. That’s according to a report posted to … Continued
CNN: A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones. Military security specialists are unsure if the virus was introduced intentionally or … Continued
Threatpost: Massachusetts Attorney General Martha Coakley said on Tuesday that her office would be inquiring into long-standing complaints about fraudulent purchases that leverage Apple’s popular online music store. In a lunchtime address to business and technology leaders in Massachusetts, Coakley … Continued
NPD Research: Among smartphone users, 82 percent have no security products installed on their phones; however, the percentage of users addressing this concern varies by platform, according to NPD’s “Emerging Technology Trends: Mobile Security” report. Although iPhone and Android smartphone … Continued
Apple on Friday released Security Update 2011-005 for Snow Leopard and Lion (as well as Server versions). The update is available for download through the Software Update system preference and from the Apple Web site. The update is described as … Continued