Your Phone Ain't Safe As You Think!Another week chock-full of hacks and vulns, and if you thought your password manager and cell phone were safe, you’ll want to pay close attention to
the LastPass breach.
After the
Sunday Times posted an unsubstantiated article quoting anonymous government sources alleging that Russia and China cracked the cache of files liberated by whistleblower Edward Snowden, security technologist Bruce Schneier came to Snowden’s defense and took it a
step further, positing that they had likely already accessed the files long before Snowden did.
-snip-
Be Careful Which Networks You Connect to on Your Samsung Galaxy S6Over 600 million Samsung Galaxy S phones are susceptible to a major security risk in the phone’s default IME keyboard. The vulnerability would allow an attacker to eavesdrop on calls, read incoming and outgoing text messages, install malicious apps, and access the camera and phone. It was discovered by NowSecure mobile security researcher Ryan Welton last December and presented at the Blackhat Mobile Security Summit in London earlier this week. It’s hard to pin the blame on just one company. Samsung’s default keyboard uses SwiftKey technology to power typing features such as word predictions, and SwiftKey made the mistake of failing to use TLS encryption in the zip archive file sent during the language pack updates. This leaves users vulnerable to man-in-the-middle attacks. Samsung added fuel to the fire by giving these updates system-user-level permissions, allowing them to bypass Android’s normal protections. And although Samsung made a patch available to mobile carriers on March 27 of this year, the carriers are taking their sweet old time to push out the updates. While waiting for a patch, you can reduce their risk by avoiding public Wi-Fi or using a VPN.
OS X and iOS Flaws Let Hackers Steal Keychain, 1Password ContentsThink you’re off the hook because you’re on an iPhone rather than a Samsung Galaxy? Not so fast. A group of researchers found flaws in the sandboxes protecting both iOS and OS X that could allow hackers to steal passwords from your keychain and the password manager 1Password. The researchers submitted malicious proof-of-concept apps to the Apple store. The apps were accepted in the store, and researchers were able to bypass sandboxing protections. 1Password has tips for users on its blog to help mitigate some of the risk while waiting for a fix. “In light of the vulnerabilities, users of all OSes should limit the apps they install to those that are truly needed and explicitly trusted,” wrote Ars Technica Security Editor Dan Goodin.
{...}
Read more at
http://www.wired.com/2015/06/security-news-week-phone-aint-safe-think/
