Technology

Threat: Rogue access points and Evil Twins pose risks on open networks.
Solution: Users: disable automatic connection to wifi networks. Businesses: use network segmentation and devices that provide intrusion and malware detection.
URL: https://www.helpnetsecurity.com/2016/03/14/rogue-access-point-rsa-conference/

In this article the authors set up an open access point at RSA Conference configured to use some common SSID’s. Interestingly enough they 2,456 devices connect to the access points. These access points could have easily been configured as evil twins to snoop the network traffic of attendees that came to the conference. Luckily for the attendees this was just a test and their devices were just served the internet without bad intentions.

As a user there are several ways to protect against this type of attack. The first step would be to disable automatic connection to wifi networks. This would stop your device from connecting to an evil twin without your knowledge. As a business owner there are also several options to protect customers you want to provide access to wifi. Network segmentation and devices that offer other network protections are a good start. In addition, providing security such as WPA2 is another good option.

Threat: Multiple Passcode Bypass Vulnerabilities Discovered in iOS 9
Solution: Disable the Siri module and Events Calendar without passcode, along with the public Control Panel with the timer and world clock. Users should also activate the weather app to prevent the redirect.
URL: http://www.securityweek.com/multiple-passcode-bypass-vulnerabilities-discovered-ios-9

This is a pretty big vulnerability that requires very little technical knowledge to exploit. The last vulnerability of this type I remember only allowed access to pictures and contacts.

I also wonder if the FBI could could explot this to unlock the iPhone they want from Syed Farook and the few hundred ones they have from other suspects for lesser crimes.

In addition as I look at the steps needed to completely disable this exploit, I hope Apple pushes out a security update soon. I can’t imagine many users actually taking the steps to disable everything necessary to protect against this.

Threat: DROWN attack places more than 11 million websites at risk.

Solution: OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2g and OpenSSL 1.0.1 should upgrade to OpenSSL 1.0.1s. If you are using another version of OpenSSL, you should move to the newer versions.
You should also ensure SSLv2 is disabled, as well as make sure that the private key isn’t shared across any other servers.

URL: http://thehackernews.com/2016/03/drown-attack-openssl-vulnerability.html

The DROWN attack targets servers that might not use SSL2 but still support it. Often this is done to support other servers that use it such as SMTP, IMAP, and POP mail servers. A DROWN attack could allow an attacker to decrypt HTTPS connections by sending specially crafted packets to a server or if the certificate is shared on another server, potentially performing a successful Man-in-the-Middle (MitM) attack.

You can find out if your website is vulnerable to this critical security hole using the DROWN attack test site.

Like many of these attacks, the fix is already out there. Server admins need to perform updates immediately to protect against attacks. In addition confirming all servers that use the same certificates are updated is important as this attack can compromise one server and be used on a “secure” server that uses the same certificate.

Threat: Pirated App Store client for iOS found on Apple’s App Store
Solution: Do not install software from unapproved third party app stores as the applications are riskware and some of the applications installed may contain malware.

URL: https://www.helpnetsecurity.com/2016/02/22/pirated-app-store-client-ios-found-apples-app-store/

An app called “Happy Daily English” available in the Appale App Store has been revealed to be a fully functional third party app store client. This new discovery shows some techniques that can be used to fool app reviewers and the programing language also allowed the application to be updated without approval from Apple.

The app developer also analyzed Apple’s proprietary protocols to implement some functionalities of Apple’s Xcode IDE to automatically generate free personal development certificates. So far the application hasn’t stolen any account information but has used it for analytical purposes. I recommend avoiding cracked software app stores as they are both illegal and often introduce vulnerabilities.