
Apple Fixes OS X and iOS Flaws Ahead of New Releases

Apple tackles a long list of vulnerabilities in its desktop and mobile operating systems in advance of new version releases set to debut later this year. Although there is much excitement among Apple users for the upcoming iOS 9 and OS X 10.11 releases, they aren't yet available, and Apple is still updating iOS 8 and OS X 10.10. Apple released the OS X 10.10.4 and iOS 8.4 updates on June 30, providing users with security patches fixing multiple vulnerabilities across both desktop and mobile operating systems. The new OS X and iOS updates are the first major Apple security patch updates since April 8, when the OS X 10.10.3 and iOS 8.3 updates debuted. Among the security patches in OS X 10.10.4 are three vulnerabilities (CVE-2015-3671, CVE-2015-3672 and CVE-2015-3673) in Apple's Admin framework. The flaws could have enabled a non-administrative user of a system to obtain full administrative rights. Apple is also fixing four vulnerabilities (CVE-2015-3679, CVE-2015-3680, CVE-2015-3681 and CVE-2015-3682) in Apple Type Services (ATS), the OS X subsystem that handles fonts. Additionally, there are six vulnerabilities (CVE-2015-1157, CVE-2015-3685, CVE-2015-3686, CVE-2015-3687, CVE-2015-3688 and CVE-2015-3689) in the CoreText library, which affects both OS X and iOS. Taken together, the ATS and CoreText flaws meant that simply getting a victim to open a malicious font or text file could have let an attacker execute arbitrary code. There is also a fix in OS X for CVE-2015-3678, a vulnerability in the driver for Apple's high-speed Thunderbolt interface, which a local attacker could have exploited to execute arbitrary code on a vulnerable system. "A memory corruption issue existed in the handling of certain Thunderbolt commands from local processes," Apple warned in its advisory. "This issue was addressed through improved memory handling."
The Intel graphics driver used in OS X is being patched for eight vulnerabilities (CVE-2015-3695, CVE-2015-3696, CVE-2015-3697, CVE-2015-3698, CVE-2015-3699, CVE-2015-3700, CVE-2015-3701 and CVE-2015-3702). "Multiple buffer overflow issues exist in the Intel graphics driver, the most serious of which may lead to arbitrary code execution with system privileges," Apple warned in its advisory. Apple is also patching both OS X 10.10.4 and iOS 8.4 for the Logjam Secure Sockets Layer/Transport Layer Security (SSL/TLS) vulnerability, first disclosed May 20. The Apple patch for Logjam, tracked as CVE-2015-4000, is in the coreTLS library. "coreTLS accepted short ephemeral Diffie-Hellman (DH) keys, as used in export-strength ephemeral DH cipher suites," Apple warned in its advisory. "This issue, also known as Logjam, allowed an attacker with a privileged network position to downgrade security to 512-bit DH if the server supported an export-strength ephemeral DH cipher suite." For iOS 8.4, there is a fix in the core telephony component for CVE-2015-3726, a vulnerability that could have enabled a malicious SIM card to execute arbitrary code. iOS 8.4 also patches a WiFi flaw, CVE-2015-3728, under which a device could silently join an untrusted access point that broadcasts the name (ESSID) of a network the device already knows but with weaker security than the real one. "iOS devices may auto-associate with untrusted access points advertising a known ESSID but with a downgraded security type," Apple warned in its advisory on the issue. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

FIDO Alliance Extends Two-Factor Security Standards to Bluetooth, NFC

The FIDO Alliance adds Bluetooth and near-field communications to security specifications first defined in December 2014. In December 2014, the FIDO (Fast Identity Online) Alliance issued the 1.0 version of its U2F (Universal Second Factor) security specifications to enable two-factor authentication. The U2F 1.0 specification is now being expanded to support the wireless Bluetooth and near-field communications (NFC) protocols. U2F provides a second-factor authentication mechanism that supplements a username and password to give more secure access to a site or online service. With the initial rollout of U2F, USB devices were the primary transport. USB keys, including those from security vendor Yubico, can be used for U2F to enable secure authentication. As to why Bluetooth and NFC are being added to U2F now, Sam Srinivas, FIDO Alliance vice president and co-chair of the FIDO U2F Technology Working Group, said FIDO is being pragmatic and incremental in its approach to standardization. "We wanted to get the core USB transport, which is very appropriate for desktop use cases, shaken out and into the market," Srinivas told eWEEK. "We also wanted to make sure the higher crypto layer of the protocol was working well in the field before expanding to other transports—this higher crypto layer is the same regardless of the physical transport." Srinivas added that the need to make sure everything was working properly is why FIDO consciously decided to defer working on other transports, though conceptually it is just the same crypto running over a different underlying physical connection. "As soon as we successfully launched FIDO U2F with just the USB transport, we brought the focus back on to the work we were doing on the wireless transports which are most relevant to mobile [Bluetooth and NFC], and what we are announcing now is the completed work," he said.
With the U2F specification additions for Bluetooth and NFC, new forms of FIDO-compliant devices can now be built and deployed. For example, FIDO U2F can now be used to enable a key fob or even a credit card-sized device to be used as a second-factor authentication mechanism. From a device certification perspective, Srinivas said that FIDO will certify Bluetooth and NFC the same as it has certified USB devices. The certification involves a standard test driver that exercises a device through all of the expected operations for that particular transport (NFC, Bluetooth etc.). He added that after a device passes the test, it is then subject to an operational test where it must perform actual log-ins against a reference test server (i.e., full stack test, not just the transport). Finally, there is an interoperability test where a device must perform log-ins against multiple vendor server implementations. "We expect to announce the certification program details at a later date, after people have had a chance to make prototype implementations," Srinivas said. "Again, here we are following the same model we established with USB in terms of how we sequence the various events." While USB is a universal standard with little variation, Bluetooth implementations can vary across different mobile vendors. However, as to the variations of Bluetooth stacks, many of the FIDO member companies have deep Bluetooth experience, and considerations about stack variations were brought into the design by various member companies that fleshed out the transport protocol design, he said. Looking beyond Bluetooth and NFC, Srinivas said FIDO is considering SIM cards and secure memory cards acting as FIDO U2F devices, or more precisely as repositories of FIDO U2F keys. "The user would be able to move a SIM or a secure memory card from one phone to another, and their FIDO U2F keys would move to the new phone," he said. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. 
Follow him on Twitter @TechJournalist.

IT Pros Worried About Security Breach Reporting

Almost 30 percent of those polled are not confident that their IT security staff can detect a cyber-attack attempting to breach their network. The vast majority (87 percent) of IT professionals believe large financial hacks are happening more often than reported, and right under the nose of security auditors, according to a survey of nearly 150 IT professionals conducted by Lieberman Software. Meanwhile, 71 percent of respondents think that an advanced persistent threat (APT) attack will attempt to breach their organization in the next six months. "There is a clear lack of visibility of the CEO and board of directors to the weaknesses and the inability of IT to manage risk and mitigate consequences to known outcomes," Philip Lieberman, president of Lieberman Software, told eWEEK. "From a leadership point of view, many … companies and government agencies [are being run] with a ticking time bomb and no ability to stop it or reduce the consequences of a breach. Not all of the blame lies with IT, but senior leadership of companies [is] not building in resiliency into their business operations when it comes to IT." The study also found that IT professionals (89 percent) believe the recently announced U.S. federal government cyber-security sanctions provide a deterrent to cyber-criminals. "IT can build and operate workstations, servers and the cloud in a manner that service can be restored quickly. The common attack as well as the land and expand methods of intruders depend on moving within the network via stolen credentials," Lieberman said. "To minimize this consequence, companies must change the way they use privileged identities from the IT perspective—no use of domain admin accounts—and the removal of users having local administrator rights on their own machines." He said these changes and the hygienic operation of identity management are keys to minimization of consequences. 
"Further automation of attackers and the increased use of zero days and unpatched vulnerabilities are increasing. The lack of investment within internal IT security as well as continued use of lowest cost outsourced IT will raise the frequency of these attacks and their consequences," Lieberman said. "There is an evolution of a new class of managed security services vendors that should find great success in cleaning up and running previously uncontrolled and infected environments, but unfortunately, most will be after the damage has been done to the organizations." He said his company believes that only through the automation of privileged identities of all types and the enforcement of only just enough privilege (JEA) and just in time privilege (JIT) will the firestorm of attacks be quelled for most companies. "These techniques and technologies are readily available from many vendors and can be implemented at no cost, but they do require fundamental changes in the processes used by companies and government agencies," he explained. Almost 30 percent of those polled are not confident that their IT security staff can detect a cyber-attack attempting to breach their network, and nearly half (49 percent) of respondents believe that external cyber-attacks pose the bigger risk to their network, versus 35 percent who think that insiders are the larger risk.  

Advanced Phishing Scam Targets CEOs, CFOs for Phony Cash Transfers

NEWS ANALYSIS: Social engineering is a major factor in the success of a sophisticated new fraud that's already resulted in the theft of millions from U.S. corporations. The email that Michael Becce shared with...

Tor exit nodes ‘sniffing’ data – research

Compromised Tor exit nodes are spying on users, according to research by Swedish security specialist Chloe

Donald Trump’s hotel group investigating credit card data breach

Breach at hotels group owned by US presidential candidate Donald Trump may have first occurred six months ago

CloudHelix, Renamed Kentik, Raises $12M for Security, Network Visibility

A former Akamai executive leads the effort that could help detect DDoS attacks and improve overall network visibility. Kentik, which was formerly named CloudHelix, officially emerged from stealth mode on July ...

Europe’s hosting companies revealed in new study

[London - 3 July 2015] A new report, European Cloud & Hosting Providers - the Top 250, produced by IT Europa, shows a steadily growing sector, with much of the growth coming through independent companies rather than giant publicly-listed firms. The total revenues for companies in the report rose by just 1.5% in 2014 over the previous year, but reached €92bn in Europe. The top application and solution areas being hosted were Software as a Service (SaaS) (54% of companies), security (50%), web hosting (45.6%), networks (42.4%), Data Centre Space Rental/Co-location (32%), email hosting (30.8%), Server Rental/Virtual/Dedicated Servers (27.2%), Infrastructure as a Service (IaaS) (26.8%) and Platform as a Service (PaaS) (25.6%). The high figures for security are to be expected given the rapid developments in this area. Platform as a Service (PaaS) was surprisingly strong at 25.6%; Telephony/VoIP/Voice at 25.2% is expected to evolve further as unified communications continues to grow, comments IT Europa's news team. The big firms stayed at the top, with IBM Global Services EMEA, Capgemini SA, Microsoft EMEA, HP Enterprise Services EMEA and BT Global Services staying ahead of global leader AWS, in Europe at least. Of the 250 companies profiled, there were 177 independent companies, 52 subsidiaries, 17 public companies (traded on stock exchanges) and 4 parent companies; the best performers were the independents, with a revenue increase of 8% between 2013 and 2014. Companies from 24 European countries were included in the report, with the largest geographic markets covered in terms of companies profiled being: UK (143 companies), Germany (23), Netherlands (18) and France (12). The largest geographic markets in terms of revenue are the UK ($33.79bn) and France ($30.06bn). The European Cloud & Hosting Providers - the Top 250 database report spans 24 countries and represents the most detailed view available of this key market sector.
It has been compiled from detailed interviews by IT Europa's own research team. The company profiles include sales figures for each company in local currency and US dollars, contact details for key executives, software product types, company activities, end-users by numbers of staff, key vendor relationships, ownership details and company overview. The report is available from IT Europa (www.iteuropa.com) costing from £1,500. Data can also be extracted and supplied by country, region or on a bespoke basis.
About IT Europa
IT Europa is the leading provider of strategic business intelligence, news and analysis on the European IT marketplace and the primary channels that serve it. It publishes European channel publications, such as the IT Europa, ISVEuropa and MSPEuropa newsletters, markets a range of database reports and organises European conferences and events for the IT and Telecoms sectors. For further details visit: www.iteuropa.com
For further information contact: Alan Norman - Tel: +44 (0) 1895 454 604, Email: alan.norman@iteuropa.com
Source: RealWire

Microsoft’s WiFi Sense Poses Manageable Security Risks

NEWS ANALYSIS: The Windows 10 WiFi password sharing feature poses a potential risk, but it's manageable if you have implemented real wireless security. The expressions of alarm are all over the place. Suddenly people have discovered something called "WiFi Sense" that Microsoft is including in Windows 10 when it's released at the end of July. Once the new version of Windows is released, this feature of Windows will have an impact on your wireless network security. So you will need to plan on how to handle it before it launches. Microsoft's WiFi Sense is a means of sharing connection information between users. The original idea was to make connections between wireless hotspots quick and easy so that you don't have to fumble around with your wireless device every time you find yourself near a new source of WiFi. To make this happen, Microsoft learns the log-in characteristics of WiFi access points, and it saves them. In addition, WiFi Sense can share those characteristics with your other Windows devices and, if you wish, your friends and contacts. The information it shares includes the WiFi password, which effectively opens up private WiFi to public use. Before you hit the panic button, a little context and some background might be helpful. WiFi Sense isn't new. This feature was part of Windows Phone 8.1, but you likely never heard of it because almost nobody used that version of Windows Phone. The carriers that sold Windows phones mostly didn't upgrade them, so the proportion of phones with that feature was vanishingly small. WiFi Sense also isn't unique in its capability to share wireless log-in information. Analyst Craig Mathias of Farpoint Group pointed out to me that Passpoint from the WiFi Alliance performs a similar task of sharing log-in information and automating the process of using access points. Passpoint is also not new. 
What is new is that WiFi Sense will now be a standard part of the mainstream version of Windows, which unlike the previous edition is expected to be widely adopted. This means that there will be millions of users who have the ability to share their WiFi log-in information with all of their social media and address book contacts, likely without actually being aware that they're doing so. It's the lack of awareness that provides part of the risk. The reason for the risk is that WiFi Sense also automatically accepts any terms and conditions presented by the WiFi access point. Normally this isn't a problem, since what you're agreeing to is that you won't do anything illegal. But suppose a WiFi site includes terms that say the site has the right to download your personal data? Sometimes it's a good idea to actually read all that legal boilerplate.  

Wick Hill Deal Paves The Way For Further Growth And International Expansion

Woking, Surrey: Monday, July 6th 2015: 2.00 p.m. - In a deal announced today, Rigby Private Equity, the private equity arm of Rigby Group Investments, has made a significant investment in specialist, high value-added distributor Wick Hill Group. The de...

Mozilla Fixes Flaws With Firefox 39, Previews Firefox 40

The Logjam SSL/TLS vulnerability is among the 13 security advisories in the latest stable release of the open-source Firefox Web browser. There are two new versions of Mozilla's Web browsers for users to try out today, with a stable Firefox 39 release and a beta of Firefox 40 that provides a preview of features still in active development. With Firefox 39, Mozilla has integrated its Project Silk effort, whose goal is to make the browser scrolling and animation experience smoother for Website rendering. So far, Project Silk has only been integrated into the Apple Mac OS X edition of Firefox 39. "We have achieved stability on OS X, and Project Silk is planned soon on Windows, Linux, and Android," Chad Weiner, director of product management at Mozilla, told eWEEK. "We wanted to make the experience better for our OS X users ASAP rather than wait for it to be ready for all platforms." While Mac OS X users are the first to benefit from Project Silk, OS X is the last operating system to benefit from Firefox's safe browsing malware detection capability, which is only now being added in Firefox 39 for OS X. The safe browsing malware detection feature warns users when they download files that are detected as malware, according to Weiner. "Firefox asks Google's Safe Browsing service if the software is safe by sending it some of the metadata associated with the download, such as a file's hash and binary size," he said. "It has been available on Firefox for PC and Linux for some time, and with this release we wanted to extend this protection to Mac files." As part of the Firefox 39 release, Mozilla is providing 13 security advisories, four of which are rated as critical. The critical security advisories include MSFA-2015-66, which provides a patch for seven different identified vulnerabilities (CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739 and CVE-2015-2740).
"These [vulnerabilities] included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows," Mozilla warns in its security advisory. "These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them." Firefox 39 also provides users with a fix for the Logjam SSL/TLS vulnerability that was first disclosed on May 20. "The essence of the Logjam vulnerability was that Firefox was willing to accept short, export-grade Diffie-Hellman keys," Richard Barnes, Firefox security lead at Mozilla, told eWEEK. "Firefox 39 will not accept Diffie-Hellman keys shorter than 1,023 bits, the minimum level secure enough for use in the modern Web." Mozilla's data indicates that this change will affect around 0.04 percent of Transport Layer Security (TLS) transactions, according to Barnes. Some servers may need to be reconfigured or upgraded in order to use sufficiently strong Diffie-Hellman keys. Looking forward, Firefox 40, which is now in beta, will provide a few new capabilities. At the top of the Firefox 40 features list is support for Windows 10, including tablet mode. Microsoft's Windows 10 operating system is set for release on July 29. Also starting with Firefox 40, Mozilla will begin to provide users with a warning for browser add-ons that have not been digitally signed. "Mozilla verifies and 'signs' add-ons that follow a set of guidelines to ensure that users' information will not be stolen or manipulated," Mozilla states in a support post. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Did Hacking Team sell software to plant child porn on suspects’ PCs?

Initial analysis of stolen Hacking Team code finds reference to 'child porn evidence fabrication tools'

Surveillance Tech Firm Hacking Team Falls Victim to Hackers

Hacking Team, a company that helps governments and others with surveillance, is the victim of a major breach that leaks 400GB of documents. Italian cyber-security vendor Hacking Team, a company whose platform is aimed at helping government agencies hack and perform surveillance on others, ironically has been hacked itself. Hacking Team's primary product is the Remote Control System (RCS), a software agent that resides on a target's machine. "Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable," the Hacking Team Website claims. Hacking Team's Twitter feed was compromised on Sunday, July 5, and was the location the attacker first used to disclose the breach. The Hacking Team was able to regain control of its Twitter account on July 6. More damaging, however, is the public disclosure of 400GB of data on Hacking Team's technology and operations. Hacking Team has denied the authenticity of the leaked files. Christian Pozzi, senior system and security engineer at Hacking Team, responded on Twitter about the breach early on July 7, before his own account was also hacked. Hacking Team is in the process of alerting its customers about the data breach, Pozzi said, adding that those who attacked Hacking Team are spreading falsehoods and malware. "It's up to you what you would like to do, but be warned that the torrent file the attackers claim is clean has a virus," Pozzi tweeted. While Pozzi is warning that the leaked files are not entirely legitimate, at least one technology organization is taking the risk seriously. Independent software developer Mike Conley tweeted out a request for anyone who was looking through the Hacking Team files to report any security bugs and vulnerabilities they may have been exploiting in Firefox. Mozilla Security Lead Dan Veditz responded that the first person to file any Hacking Team bugs for Firefox would get a Mozilla bug bounty. 
Mozilla has paid out more than $1.6 million in bounties to researchers that have reported security vulnerabilities. Security experts eWEEK spoke with were not surprised by the Hacking Team breach. "I would have thought that a company such as this would have gone to extreme measures to protect itself knowing that their data contained very secret information," Andy Hayter, security evangelist from G DATA, told eWEEK. "It goes to show that anyone can be a target, be it an individual or company anywhere in the world." Shawn Masters, vice president of solutions engineering at Novetta, said that vendors and experts in the cyber-world are all constantly under attack. Masters noted a few lessons that can be learned from the Hacking Team breach. "First, when you put yourself out there as a vendor, expert or actor in the cyber-world, you need to harden your defenses for the higher volume and quality of attacks," Masters told eWEEK. "All employees need to understand the risks and make sure they are constantly looking for anything out of the ordinary." Secondly, when an organization has data that might be damaging, to anyone, it is imperative to keep it under extra protection, Masters said. Every enterprise can point at data that should never be publicly revealed, and much of that data has no reason to be easily accessible from the Internet, or a user's machine. "Organizations should look at data critically and judge when data needs to be handled differently," Masters said. "An ounce of extra prevention can go a long way, but you can never fully apply it after the breach." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

U.S. Government, Firms Conduct International Cyber-Exercises

The 3-week effort, called Cyber Guard, comes as U.S. government systems and private firms suffer major attacks. This year, banks and energy officials took part. The U.S. Department of Defense wrapped up a 20-d...

Interoute named as a leader in Gartner Magic Quadrant for Cloud-Enabled Managed Hosting, Europe

Second year in a row Interoute has been positioned in the Leaders Quadrant. London, 7th July, 2015 - Interoute, owner operator of Europe's largest cloud services platform, has today announced that it has been positioned as a "Leader" in Gartner's Cloud-E...

Databarracks launches Windows Server 2003 into space (well, the stratosphere)

Cloud service provider gives Win2k3 a fitting send-off as it reaches end of life. Disaster recovery provider Databarracks has today released their unique tribute to Windows Server 2003, which reaches end of life on July 14th. The Databarracks team, a...

Together, Aspera and SecurIntegration create a strong portfolio for SAP license management

USU Group acquires SecurIntegration for expert SAP license optimization. Aachen/Cologne, Germany: 7th July 2015. USU Software AG has acquired SecurIntegration GmbH, an SAP license optimization specialist based in Cologne, Germany. The technology and expe...

Fighting money laundering in the back office

Back Office Workforce Optimisation solutions are key to solving regulatory issues within the financial services sector. Organisations are on high alert for signs of money laundering. Alerts raised in the field or by detection systems need to be investiga...

Dyre banking Trojan malware activity surges – targets Barclays, RBS, HSBC, Lloyds and Santander customers

Malware similar to Zeus and allows hackers to steal banking credentials, warn Bitdefender

Another Heartbleed? OpenSSL to get fix for ‘high severity security defect’

Patch due on Thursday - brace yourselves