Wednesday, April 23, 2014
Like Apple’s TouchID, Galaxy S5 Vulnerable to Fingerprint Hack

Researchers published a video this week demonstrating how Samsung’s latest entry in the smartphone arena, the Galaxy S5, is vulnerable to a hack that involves lifting and copying fingerprints to trick the phone’s biometric sensor.

Much like the Apple iPhone 5S, the smartphone, which first hit the market last week, boasts a fingerprint scanner as an added layer of security.

Now the same research outfit that hacked the iPhone 5S’s Touch ID feature last year, Germany’s Security Research Labs (SRLabs), has managed to bypass a similar feature on the Galaxy S5. Like the iPhone hack, the Galaxy hack relies on the attacker using a mold of a fingerprint, or in this case a lab-manufactured wood glue replica of a print, to carry out the attack.

In a video posted Tuesday, the researchers claim their method allows for “seemingly unlimited authentication attempts without ever requiring a password.”

While this may sound like a pretty far-fetched exploit vector – a user would have to have the Finger Scanner set up on this exact brand of phone, and an attacker would have to go through the trouble of creating the fingerprint replica – as the folks from SRLabs note, it could have implications for those who use the new fingerprint scan feature on PayPal’s Android app.

That app allows users to transfer funds using their fingerprint as a biometric authenticator, meaning that if an attacker had access to your phone, and one of these fingerprint molds, they’d be able to make purchases and unsolicited money transfers from the account.

In the video the researchers demonstrate how an attacker could wire himself money via PayPal from a person’s debit account. Using the fingerprint replica it takes three swipes for PayPal to recognize the bogus fingerprint, but according to the researcher, attackers could be allowed “multiple attempts to make a successful swipe with this spoof.”

In a statement released this week, PayPal downplayed the issue, saying it was taking SRLabs’ findings seriously but was confident that its app is still “easier and more secure” than using passwords or credit cards. PayPal added that it could simply deactivate the cryptographic keys associated with fingerprints on accounts tied to lost or stolen devices and allow users to register a new one.

The company added that in the unlikely occurrence that one of its users gets duped by an attacker with one of these phony fingerprint scans, it will reimburse any losses they incur.

To use the S5’s fingerprint scanner, the phone requires users to swipe a finger eight times over the home button. The user can then use that fingerprint to lock their screen, verify their Samsung account or authenticate their PayPal account.
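As an added illustration (not code from the original article, Samsung or PayPal), the following Python models the two server-side controls the article touches on: cutting off the “seemingly unlimited” swipe attempts with a password fallback, and revoking the device-bound key for a lost or stolen phone. The class names, the attempt limit and the swipe sequence are constructed assumptions.

```python
"""Toy model of biometric-unlock policy: the fingerprint only unlocks a key
bound to one device, so the server can throttle attempts and revoke keys.
All names, limits and swipe sequences here are constructed assumptions."""
from dataclasses import dataclass, field

MAX_FAILED_SWIPES = 2  # assumed policy: after this many misses, demand a password


@dataclass
class Device:
    device_id: str
    key_active: bool = True        # key registered with the server at enrolment
    failed_swipes: int = 0
    password_required: bool = False


@dataclass
class Account:
    devices: dict = field(default_factory=dict)

    def enroll(self, device_id: str) -> Device:
        """Bind a fresh key to this device; the print only unlocks it locally."""
        dev = Device(device_id)
        self.devices[device_id] = dev
        return dev

    def revoke(self, device_id: str) -> None:
        """Lost/stolen phone: the key is dead even if a mold fools the sensor."""
        self.devices[device_id].key_active = False

    def swipe(self, device_id: str, sensor_matched: bool) -> str:
        dev = self.devices[device_id]
        if not dev.key_active:
            return "denied: device key revoked"
        if dev.password_required:
            return "denied: password required"
        if sensor_matched:
            dev.failed_swipes = 0
            return "granted"
        dev.failed_swipes += 1
        if dev.failed_swipes >= MAX_FAILED_SWIPES:
            dev.password_required = True  # closes the unlimited-attempts window
            return "denied: password required"
        return "denied: no match"


def run_spoof(swipes, revoke_first=False) -> list:
    """Replay a constructed swipe sequence; True means the sensor accepted it."""
    acct = Account()
    acct.enroll("galaxy-s5")
    if revoke_first:
        acct.revoke("galaxy-s5")
    return [acct.swipe("galaxy-s5", ok) for ok in swipes]


# Constructed sequence: a mold the sensor accepts only on the third swipe.
MOLD_SWIPES = [False, False, True]
```

With the assumed limit, the third swipe that would have succeeded is refused because a password is already required; after revocation every swipe is refused regardless of the sensor.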

A number of critics have been vocal against using fingerprints as a biometric authentication measure for years now. Some of those voices, including researchers from the Chaos Computer Club (CCC) and SRLabs, have pointed out that whenever a fingerprint gets stolen, there’s no way to change it and that it’s easy to lift users’ fingerprints off of items, including their personal devices.

Still, fingerprint spoofs, known in some circles as ‘fake fingers’, are not easy to produce. CCC hacker Starbug, who was famously the first to break Apple’s TouchID last fall, used a high-resolution image of a fingerprint with latex to produce his.

“This demonstrates—again—that fingerprint biometrics is unsuitable as [an] access control method and should be avoided,” the CCC said in September.
