'security' Articles

Google Simplifies 2-Step Verification Process With iOS Search App Prompt

Google is making the two-factor authentication process to log into a user account a simpler affair by integrating it into the company's iOS search app. Two-factor authentication adds an extra layer of security to users' Google Apps accounts by requiring them to enter a verification code in addition to their username and password when signing into their account. The two-step verification process prevents unauthorized access if someone obtains a user password. Previously, users had to opt to receive a text message or phone call to get an authentication code, or alternatively use the Google Authenticator mobile app, which generates time-limited numerical codes that users needed to enter into their account log-in page. The change, which is being rolled out from today, means that when a user tries to sign into a Google account with two-step verification enabled, a notification from the Google search app now asks if they are trying to sign in. A simple tap on the option "Yes, allow sign-in" quickly authenticates the account. To enable two-factor authentication, users need to sign into Google's My Account section and select Google prompt under Sign-in & Security -> Signing in to Google -> 2-Step Verification. Google notes that the option requires a data connection to work, and that it may take up to three days for the feature to appear across all account pages. The Google app is a free download for iPhone and iPad available on the App Store.

Adobe Issues 'Emergency' Flash Player Security Update for OS X to Address Ransomware Attacks

Adobe has issued Flash Player security updates for OS X, Windows, Linux, and Chrome OS to address "critical vulnerabilities that could potentially allow an attacker to take control of the affected system" by way of ransomware. Ransomware is a type of malware that encrypts a user's hard drive and demands payment in order to decrypt it. These types of threats often display images or use voice-over techniques containing instructions on how to pay the ransom. In this particular "CERBER" attack (via Reuters), affecting Flash-based advertisements, attackers have reportedly demanded between around $500 and $1,000 to retrieve the encrypted files. Adobe says it is aware of Windows 10 being "actively exploited" by this attack, but it is unclear if any Macs have actually been victimized. Just last month, popular BitTorrent client Transmission was temporarily infected with the first ransomware found on the Mac platform. Currently, all servers hosting these malvertisements are now inaccessible. Some reports mentioned that CERBER is being peddled in the Russian underground market as ransomware-as-service (RaaS). This not only proves the suggestion presented by the configuration file’s code above, but also confirms that we will be seeing more of CERBER in the near future. Adobe recommends that Flash Player users on Mac update to version 21.0.0.213 through the update mechanism within the software when prompted, or by visiting the Adobe Flash Player Download Center. Adobe Flash Player installations within Chrome, Microsoft Edge, and Internet Explorer for Windows 8.1 or later should

Researchers Uncover Multiple OS X and Safari Exploits at Pwn2Own 2016

The sixteenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, and researchers participating in the Pwn2Own computer hacking contest have already discovered multiple vulnerabilities in OS X and the Safari web browser on the desktop. On day one of the event, independent security researcher JungHoon Lee earned $60,000 after exploiting both OS X and Safari. Lee uncovered four vulnerabilities in total, including one exploit in Safari and three other vulnerabilities within the OS X operating system, according to security firm Trend Micro. JungHoon Lee (lokihardt): Demonstrated a successful code execution attack against Apple Safari to gain root privileges. The attack consisted of four new vulnerabilities: a use-after-free vulnerability in Safari and three additional vulnerabilities, including a heap overflow to escalate to root. This demonstration earned 10 Master of Pwn points and US$60,000. Meanwhile, the report claims that the Tencent Security Team Shield group successfully executed code that enabled them to gain root privileges to Safari using "two use-after-free vulnerabilities," including one in Safari and the other in a "privileged process." The researchers were awarded $40,000 in prize money. The five participating teams earned a total of $282,500 in prizes on day one, including a leading $132,500 earned by the 360Vulcan Team, according to the report. Other web browsers and plugins that were successfully targeted include Adobe Flash, Google Chrome, and Microsoft Edge on Windows. Apple representatives have attended

Adobe Releases Flash Player Update for 'Critical' Security Vulnerability on Mac

Adobe has released security updates for Flash Player that address critical vulnerabilities that "could potentially allow an attacker to take control of the affected system." Adobe is aware of "limited, targeted attacks" on OS X, Windows, and Linux. Adobe lists the affected Flash Player and AIR versions in a security bulletin on its website. Mac or PC users running an affected version should immediately uninstall the web plugin or update their installation to the newest version outlined on Adobe's website. Apple blocks many older or vulnerable versions of web plugins from functioning, including Adobe Flash and Java, to help limit exposure to potential "zero day" exploits. The web plugins remain blocked in Safari until you install the latest updates. Chrome, Firefox, and most other modern web browsers also have web plugin safeguards in place due to the high number of past security

Apple Acquired Firmware Security Company LegbaCore Last November

Apple acquired firmware security company LegbaCore in November 2015, according to security researcher Trammell Hudson, who revealed the acquisition in his presentation at the 32C3 conference in December. LegbaCore's goal, according to founder Xeno Kovah, is "to help build systems that are as secure as we know how to make." In November, Kovah and fellow LegbaCore founder Corey Kallenberg revealed that they had joined Apple as full-time employees. Just a couple days before that, LegbaCore's website announced that it would "not be accepting any new customer engagements", noting that the website would remain up "to serve as a reference for LegbaCore's past work." LegbaCore had collaborated with Hudson on Thunderstrike 2, the first firmware worm to affect Mac computers. The malware is impossible to remove, resistant to both firmware and software updates. LegbaCore and Hudson had alerted Apple to Thunderstrike 2's vulnerabilities and Apple began work on fixes, issuing one in June 2015. On Twitter, Kovah said that Apple began discussions with LegbaCore after the consultancy's presentation in summer 2015. It soon became clear to Kovah and Kallenberg that Apple had "some *very* interesting and highly impactful work" that the two could participate in. They were eventually convinced to wind down LegbaCore's existing contracts and begin work at Apple. "What did Apple hire us to do? We can’t say. :) Well, we can probably say something like “low level security” (I don’t know our job titles)" — Xeno Kovah (@XenoKovah), November 10, 2015. While LegbaCore is a security consultancy

Apple's Strict Bluetooth LE Security Requirements Slowing Rollout of HomeKit Accessories

While it has been more than a year since Apple launched HomeKit, a software framework for communicating with and controlling light bulbs, thermostats, door locks and other connected accessories in the home, only five HomeKit-approved products have been released to date: the Ecobee3, Elgato Eve, iHome iSP5 SmartPlug, Insteon Hub and Lutron Caseta Wireless Lighting Starter Kit. The slow rollout of HomeKit-enabled hardware accessories is not because of a lack of interest in the platform, but rather Apple's strict security requirements for Bluetooth LE (low energy) devices, according to Forbes. In particular, the strong level of encryption required to use the HomeKit protocol through Bluetooth LE has resulted in lag times that essentially render some accessories useless. For example, a smartlock that makes its user wait 40 seconds before it opens is clearly inferior to a traditional lock. One of HomeKit’s selling points is that it provides a more reliable user experience, so these kinds of lag times will need to be sorted out before Apple can become a major platform for the smart home. Chipmakers such as Broadcom and Marvell have reportedly been working to improve their Bluetooth LE chips to more effectively handle Apple's level of encryption, an important step if the company wants to become a major player in the smart home. In the meantime, developers have either been focusing on Wi-Fi-based HomeKit hardware or working on temporary solutions to the problem. For the time being, Elgato has found a

iOS and OS X Security Flaws Enable Malicious Apps to Steal Passwords and Other Data

A team of six researchers from Indiana University, Georgia Tech and Peking University have published an in-depth report exposing a series of security vulnerabilities that enable sandboxed malicious apps, approved on the App Store, to gain unauthorized access to sensitive data stored in other apps, including iCloud passwords and authentication tokens, Google Chrome saved web passwords and more. The thirteen-page research paper "Unauthorized Cross-App Resource Access on Mac OS X and iOS" details that inter-app interaction services, ranging from the Keychain and WebSocket on OS X to the URL Scheme on OS X and iOS, can be exploited to steal confidential information and passwords, including those stored in popular password vaults such as 1Password by AgileBits. "We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps." The different cross-app and communication mechanism vulnerabilities discovered on iOS and OS X, identified as XARA weaknesses, include Keychain password stealing, IPC interception, scheme hijacking and container cracking. The affected apps and services include iCloud, Gmail, Google Drive, Facebook, Twitter, Chrome, 1Password, Evernote, Pushbullet, Dropbox, Instagram, WhatsApp, Pinterest, Dashlane, AnyDo, Pocket and several others. Lead researcher Luyi Xing told The

Apple Issues Security Updates Fixing 'FREAK' Security Flaw

Just under a week after researchers uncovered a security flaw referred to as "FREAK" (Factoring Attack on RSA-EXPORT Keys) that left many devices vulnerable to hacking attempts, Apple has issued fixes for all of its platforms. The fix is available in Apple TV 7.1 for Apple TV 3rd generation and later, iOS 8.2 for iPhone 4s and later, iPod touch 5th generation and later and iPad 2 and later. It's also available for Macs with OS X Mountain Lion 10.8.5, Mavericks 10.9.5 and Yosemite 10.10.2. The vulnerability had stemmed from a former U.S. government policy that prevented companies from exporting strong encryption, instead requiring them to create weak "export-grade" products to ship to its customers outside of the United States. Though the policy was lifted more than a decade ago, the weaker encryption continued to be used by software companies. Apple's fix addresses the issue by removing support for those weak "export grade" products, also known as RSA keys. The updates for iOS 8.2, Apple TV 7.1 and Mac OS X Mountain Lion, Mavericks and Yosemite are available

OS X 10.10.2 Includes Fix for 'Thunderstrike' Hardware Exploit Affecting Macs

Apple is readying a fix in OS X 10.10.2 for the so-called "Thunderstrike" hardware exploit targeting Macs equipped with Thunderbolt ports, iMore has learned. According to the report, Apple patched the vulnerability by making code changes in the upcoming software update that prevent a Mac's bootrom from being replaced or rolled back to a previous state in which it could be attacked. To secure against Thunderstrike, Apple had to change the code to not only prevent the Mac's boot ROM from being replaced, but also to prevent it from being rolled back to a state where the attack would be possible again. According to people with access to the latest beta of OS X 10.10.2 who are familiar with Thunderstrike and how it works, that's exactly the deep, layered process that's been completed. Thunderstrike is a serious vulnerability discovered earlier this year by security researcher Trammell Hudson, enabling an attacker to replace a Mac's bootrom with malicious code without a user knowing. Since the malicious code is stored in a low level inaccessible to the user, the problem would remain even if the bootrom was replaced. The proof-of-concept attack is limited in scope, however, as an attacker would require physical access to the Mac or savvy social engineering skills in order to trick a user into attacking his or her Mac themselves. Apple has already addressed the issue in its latest hardware, including the iMac with Retina 5K Display and new Mac mini. OS X 10.10.2 has been in pre-release testing for over two months and should be made available to the public in the coming