The Tech News Blog

February 25, 2014

Apple Patches Critical OS X ‘Gotofail’ Security Hole

Apple on Tuesday issued an update for OS X that fixes a serious SSL security hole the company already fixed in its iOS devices late last week.

The so-called "gotofail" flaw, which stemmed from a duplicated line accidentally added to Apple's SSL/TLS source code, could let an attacker on the same network as a victim intercept, and even modify, traffic that was supposed to be protected by SSL/TLS. Apple on Friday pushed out an update for the iPhone, iPad, and iPod touch, but experts warned that Mac desktops and laptops were still at risk.

Tuesday's security update, OS X 10.9.2, fixes the bug in OS X Mavericks; Apple's advisory lists only 10.9 and 10.9.1 as affected, and older releases such as Mountain Lion are not believed to carry the flaw. To get the update, head to your Mac's Apple menu and select Software Update, and install it as soon as possible. Until the patch is on, Safari, Mail, and every other app that relies on Apple's Secure Transport library should be assumed to offer no real SSL/TLS protection on an untrusted network; browsers that ship their own TLS stack, such as Firefox and Chrome, were not affected by this particular bug.

February 24, 2014

Apple Security Bug Could Let Hackers Intercept Encrypted Data

Apple on Friday quietly pushed out an update for its mobile devices to fix a major security flaw that could allow attackers to intercept encrypted email and other data. Experts warn that Mac desktops and laptops are still at risk.

The flaw, which relates to how iOS 7 validates the SSL certificates intended to protect websites, could let an attacker on the same network as a victim eavesdrop on all user activity. Apple did not reveal too much information about the problem, though experts who have studied the bug said hackers could launch so-called man in the middle attacks to intercept messages as they pass from a user's device to sites like Gmail, Facebook, or even online banking.

"An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS," Apple said in its advisory.

As PCMag's Security Watch blog noted, SSL certificate validation is "critical" for establishing secure sessions with websites.

"By validating the certificate, the bank website knows that the request is coming from the user, and is not a spoofed request by an attacker," PCMag's Fahmida Rashid wrote. "The user's browser also relies on the certificate to verify the response came from the bank's servers and not from an attacker sitting in the middle and intercepting sensitive communications."

February 23, 2014

Apple Fixes “Fundamental” SSL Bug in iOS 7

Apple quietly released iOS 7.0.6 late Friday afternoon, fixing a problem in how iOS 7 validates SSL/TLS connections. Attackers can exploit this issue to launch a man-in-the-middle attack and eavesdrop on all user activity, experts warned.

"An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS," Apple said in its advisory.

Users should update immediately.

Watch Out for Eavesdroppers
As usual, Apple didn't provide a lot of information about the issue, but security experts familiar with the vulnerability warned that attackers on the same network as the victim would be able to read secure communications. In this case, the attacker could intercept, and even modify, the messages as they pass from the user's iOS 7 device to secured sites, such as Gmail or Facebook, or even for online banking sessions. The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, CTO of CrowdStrike.

The update ships as iOS 7.0.6 for iPhone 4 and later, the fifth-generation iPod touch, and iPad 2 and later, and as iOS 6.1.6 for devices still running iOS 6. The same flaw exists in the latest version of OS X but has not yet been patched, Adam Langley, a senior engineer at Google, wrote on his ImperialViolet blog. Langley confirmed the flaw was also present in iOS 7.0.4 and OS X 10.9.1.
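The February 25 entry above attributes the bug to an extra line in Apple's source, and Langley's post quoted the offending code. The C example below is added here to show that shape; it is not code from this page and not Apple's code. The real function is SSLVerifySignedServerKeyExchange in Apple's open-source Secure Transport; the hash calls, error names, trace structure and wrapper functions below are stand-ins chosen for this illustration. What matters is the control flow: the duplicated `goto fail;` jumps to the cleanup label while `err` still holds the 0 from the preceding successful hash step, so the final hash and the signature comparison never run and the function reports success for a forged ServerKeyExchange signature. A man-in-the-middle could therefore present a genuine certificate chain and still substitute its own key exchange, which is why the fix is simply to delete the line.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return codes. 0 means success, as in Secure Transport's OSStatus
 * convention; the nonzero names here are assumed, not Apple's. */
enum { errOK = 0, errHashFailed = -1, errBadSignature = -9808 };

/* Records how far a verification attempt actually got. */
typedef struct {
    int  updates_run;        /* hash update steps that executed */
    bool signature_checked;  /* did the final hash + signature compare run? */
} VerifyTrace;

/* Stand-ins for SSLHashSHA1.update / SSLHashSHA1.final: they only record that they ran. */
static int hash_update(VerifyTrace *t) { t->updates_run++; return errOK; }
static int hash_final(VerifyTrace *t)  { t->signature_checked = true; return errOK; }

/* Buggy shape. The second "goto fail;" is unconditional: hash_final and the
 * signature comparison are skipped, and err is still errOK from the last
 * successful update, so the function reports success for any signature. */
int verify_server_key_exchange_buggy(bool signature_matches, VerifyTrace *trace)
{
    int err;
    memset(trace, 0, sizeof *trace);

    if ((err = hash_update(trace)) != 0)   /* the random values */
        goto fail;
    if ((err = hash_update(trace)) != 0)   /* the signed parameters */
        goto fail;
        goto fail;                         /* the duplicated line */
    if ((err = hash_final(trace)) != 0)
        goto fail;

    err = signature_matches ? errOK : errBadSignature;

fail:
    return err;
}

/* Fixed shape: the same code minus the duplicated line. */
int verify_server_key_exchange_fixed(bool signature_matches, VerifyTrace *trace)
{
    int err;
    memset(trace, 0, sizeof *trace);

    if ((err = hash_update(trace)) != 0)
        goto fail;
    if ((err = hash_update(trace)) != 0)
        goto fail;
    if ((err = hash_final(trace)) != 0)
        goto fail;

    err = signature_matches ? errOK : errBadSignature;

fail:
    return err;
}

/* Wrappers so the outcome for a forged signature can be checked by name. */
int buggy_accepts_forged_signature(void)
{
    VerifyTrace t;
    return verify_server_key_exchange_buggy(false, &t) == errOK;
}
int buggy_ever_checks_signature(void)
{
    VerifyTrace t;
    verify_server_key_exchange_buggy(false, &t);
    return t.signature_checked;
}
int fixed_accepts_forged_signature(void)
{
    VerifyTrace t;
    return verify_server_key_exchange_fixed(false, &t) == errOK;
}
int fixed_accepts_genuine_signature(void)
{
    VerifyTrace t;
    return verify_server_key_exchange_fixed(true, &t) == errOK;
}

int main(void)
{
    printf("buggy accepts forged signature:  %d\n", buggy_accepts_forged_signature());
    printf("buggy reaches signature check:   %d\n", buggy_ever_checks_signature());
    printf("fixed accepts forged signature:  %d\n", fixed_accepts_forged_signature());
    printf("fixed accepts genuine signature: %d\n", fixed_accepts_genuine_signature());
    return 0;
}
```

Compiling the buggy function with `clang -Wall -Wunreachable-code` flags the statements after the second `goto fail;` as dead code; gcc accepts the same flag but has not emitted that warning for years, so do not rely on it there. The incident also argues for braces on every `if` body, dead-code warnings promoted to errors in the build, and a negative test that feeds the verifier a bad signature and insists on rejection, since a positive-only test suite passes both versions above.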

February 16, 2014

Kickstarter Hacked, Credit Card Data Safe

The crowdfunding site Kickstarter was recently the target of a hack by an unknown individual or group. Yes, some of the data the service stores about you – if you're a user – was accessed. However, there's a bit of a silver lining: credit card data and passwords appear relatively safe, with a caveat.

Kickstarter officially notified the world about the hack yesterday via a blog post from company CEO Yancey Strickler, although the attack itself happened this past Wednesday. According to Strickler, Kickstarter was tipped off about the unauthorized access by "law enforcement officials" that evening. Once notified, Kickstarter "immediately closed the security breach and began strengthening security measures throughout the Kickstarter system," according to the related Kickstarter blog post.

Following an investigation – which is why users were notified Saturday instead of, say, Thursday – Kickstarter was able to determine that its users' credit card data remained safe from pilfering. However, that doesn't mean that the attacker(s) left empty-handed:

"While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one," reads Strickler's blog post.

February 10, 2014

Snapchat Flaw Lets Attackers DDoS Your Phone


Popular picture-messaging app Snapchat can be used to launch a denial-of-service attack against a user's iPhone, a security researcher said.

Pocket DDOS
Attackers can flood a Snapchat user's account with thousands of messages in a matter of seconds, causing the app to freeze and the entire device to crash, Jaime Sanchez, a security consultant for Spanish telecommunications company Telefonica, wrote in a blog post. Users may need to perform a hard reset on their iPhones to recover.

Sanchez demonstrated the weakness by sending 1,000 messages within five seconds to the Los Angeles Times reporter Salvador Rodriguez's Snapchat account, causing his device to shut down and restart, the Times reported. The attack won't crash Android devices, although they will become slow and the app will be impossible to use, Sanchez said.

Snapchat's privacy-conscious app lets users send photo and video messages that disappear shortly after the recipient has viewed them. When a user sends a message, the app generates a new token to authenticate the request. Unfortunately, it appears that old tokens are not invalidated and can be reused to send additional messages, Sanchez found.
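The report above says a fresh token is generated per message and that old tokens remain usable. The C model below is an added example, not Snapchat's code or Sanchez's, and the whole server-side design is an assumption made for illustration: it contrasts a check that accepts any token ever issued with one that treats each token as single-use and caps deliveries per second, the two controls whose absence lets one sender push thousands of messages in seconds. Tokens are small integers here rather than opaque random strings, the pool size and the cap of ten deliveries per second are made up, and the flood helpers stand in for an attacker replaying one captured token or burning through fresh ones.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS    4096   /* assumed: tokens an account may hold in flight */
#define SENDS_PER_SEC 10     /* assumed: deliveries allowed per account per second */

typedef enum { SEND_OK = 0, SEND_BAD_TOKEN, SEND_TOKEN_REUSED, SEND_RATE_LIMITED } SendResult;

typedef struct {
    unsigned next_token;            /* highest token id handed out so far */
    bool     consumed[MAX_TOKENS];  /* hardened path: tokens already spent */
    long     window_start;          /* hardened path: current one-second window */
    int      sent_in_window;        /* hardened path: deliveries in that window */
} Account;

void account_init(Account *a) { memset(a, 0, sizeof *a); }

/* Hand out a fresh token id (1-based); 0 means the pool is exhausted. */
unsigned issue_token(Account *a)
{
    if (a->next_token >= MAX_TOKENS) return 0;
    return ++a->next_token;
}

/* Weak check: any token that was ever issued is accepted, every time.
 * This is the behaviour the report describes: old tokens keep working. */
SendResult send_message_weak(Account *a, unsigned token, long now)
{
    (void)now;
    if (token == 0 || token > a->next_token) return SEND_BAD_TOKEN;
    return SEND_OK;
}

/* Hardened check: a token is single-use, and deliveries are capped per second. */
SendResult send_message_hardened(Account *a, unsigned token, long now)
{
    if (token == 0 || token > a->next_token) return SEND_BAD_TOKEN;
    if (a->consumed[token - 1]) return SEND_TOKEN_REUSED;

    if (now != a->window_start) {       /* new second: reset the counter */
        a->window_start = now;
        a->sent_in_window = 0;
    }
    if (a->sent_in_window >= SENDS_PER_SEC) return SEND_RATE_LIMITED;

    a->consumed[token - 1] = true;      /* spend the token only on success */
    a->sent_in_window++;
    return SEND_OK;
}

typedef SendResult (*SendFn)(Account *, unsigned, long);

/* Replay one token `attempts` times within the same second; returns deliveries. */
int flood_by_replaying_token(SendFn sender, int attempts)
{
    Account a; account_init(&a);
    unsigned tok = issue_token(&a);
    int delivered = 0;
    for (int i = 0; i < attempts; i++)
        if (sender(&a, tok, 0) == SEND_OK) delivered++;
    return delivered;
}

/* Use a fresh token for every message within the same second; returns deliveries. */
int flood_with_fresh_tokens(SendFn sender, int attempts)
{
    Account a; account_init(&a);
    int delivered = 0;
    for (int i = 0; i < attempts; i++)
        if (sender(&a, issue_token(&a), 0) == SEND_OK) delivered++;
    return delivered;
}

int main(void)
{
    printf("weak, replayed token:      %d of 1000 delivered\n", flood_by_replaying_token(send_message_weak, 1000));
    printf("hardened, replayed token:  %d of 1000 delivered\n", flood_by_replaying_token(send_message_hardened, 1000));
    printf("weak, fresh tokens:        %d of 1000 delivered\n", flood_with_fresh_tokens(send_message_weak, 1000));
    printf("hardened, fresh tokens:    %d of 1000 delivered\n", flood_with_fresh_tokens(send_message_hardened, 1000));
    return 0;
}
```

Two caveats for anyone reusing the hardened shape: a fixed per-second window lets a sender deliver up to twice the cap across a window boundary, so a sliding window or token bucket is the better production choice, and the consumed-token set only helps if it is shared across every server that can accept a send, otherwise a replay against a different node still succeeds.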

February 8, 2014

HVAC Vendor Confirms Link to Target Data Breach

Almost two months after Target reported a massive data breach that put the personal data of up to 70 million shoppers at risk, more details have emerged about how the hackers gained access to the retailer's systems.

As first reported by security blogger Brian Krebs, hackers broke into Target's network using credentials stolen from a third-party vendor—Sharpsburg, Penn.-based Fazio Mechanical Services.

On Friday, owner and president Ross E. Fazio confirmed that his company, a refrigeration and HVAC contractor, was "a victim of a sophisticated cyber attack operation."

"Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis," Fazio wrote in a statement. "No other customers have been affected by the breach."

Fazio denied conducting any remote monitoring or control of Target's heating, cooling, and refrigeration systems, and said that its "IT system and security measures are in full compliance with industry practices."

January 21, 2014

16M Online Accounts Compromised, German Authorities Warn

Another day, another massive data breach.

Germany's Federal Office for Information Security, or BSI, said Tuesday that the online accounts of some 16 million Internet users have been compromised by hackers. The theft of email addresses and passwords was discovered as part of an analysis by research institutions and law enforcement agencies into botnets, or networks of compromised computers that cybercriminals use to carry out attacks, the organization said.

BSI warned that affected individuals may be at risk of identity theft as a result of the data heist. The organization has set up a webpage where people can check if their information has been compromised.

Those affected by the breach should check their computer for malware, and change all their passwords for social-networking sites, online stores, email accounts, and other online services.

The incident is just the latest in a string of high-profile breaches both in the U.S. and abroad.

January 20, 2014

You’re Still Using Terrible Passwords

You can't teach an old dog new tricks. Or passwords, it seems.

Despite all the warnings about the need for secure passwords, some Web users still use very obvious codes, according to SplashData's annual list of the most commonly used passwords on the Web.

The good news is that "password" is no longer the most popular password, slipping to No. 2. But it has been replaced by the equally dumb "123456."

SplashData's 2013 list was influenced by last year's huge Adobe hack, which saw the release of encrypted passwords for approximately 38 million active users.

"Seeing passwords like 'adobe123' and 'photoshop' on this list offers a good reminder not to base your password on the name of the website or application you are accessing," Morgan Slain, CEO of SplashData, said in a statement.

Other passwords in the top 10 were the oh-so clever "12345678," as well as "qwerty", "abc123," and "iloveyou," as well as various, easily guessed number combinations ("111111").

January 10, 2014

Target Hack Affected Up to 70M Shoppers

Target on Friday revealed some more details about the recent mega hack of encrypted customer payment card data.

In addition to nabbing 40 million credit and debit card numbers, as was previously disclosed, the hackers managed to steal the personal information of up to 70 million individuals, Target said. That includes customers' names, mailing addresses, phone numbers, and email addresses.

Target said much of the stolen data is "partial in nature," but promised it will attempt to contact everyone whose email address has been compromised. The company said it will provide tips to guard against scams, and warned that it will not ask guests to provide any personal information as part of its communication, so be on the lookout for phishing emails.

"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Gregg Steinhafel, chairman, president, and CEO of Target, said in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."

January 7, 2014

Intel Ditching McAfee Brand for Security Products

Intel is rebranding its McAfee security products as Intel Security going forward, the company revealed late on Monday during CEO Brian Krzanich's keynote presentation at the Consumer Electronics Show.

The transition away from the McAfee brand, rendered somewhat toxic in recent years due to the bizarre antics of company founder John McAfee, will play out over the next 12 months, according to Intel.

The chip giant acquired McAfee in 2010 for $7.68 billion and began integrating the computer security firm's technology into Intel hardware products while continuing to sell McAfee software solutions for PCs.

"For McAfee, the initial announcement is that as new products are introduced, the McAfee brand name will be phased out and branded Intel Security," an Intel spokesperson told PCMag on Tuesday. "The shield—which represents the core values of security and protection—will remain. The rebranding will begin immediately, but the transition will take up to a year before it is complete. McAfee will continue to operate as a wholly owned subsidiary."