A new security vulnerability found in Facebook by bug hunter Laxman Muthiyah exposes private photos, potentially putting millions of users at risk. The bug was found in Facebook Photo Sync, a feature that automatically uploads every photo taken on your mobile device to your Facebook account but marks them as private so only the user can see them. The vulnerability allows hackers to access these private photos by building a malicious application and then tricking victims into installing the app.
Premera Blue Cross has been the target of a sophisticated cyberattack in which unauthorized access was gained to the Premera Blue Cross IT systems. A Premera spokesman confirmed that about 11 million individuals may be affected, and the compromised data may include Social Security Numbers and bank account information.
If you use Blue Cross insurance, we recommend contacting the phone number on the back of your insurance card to see if you were affected. If you were affected, you can take advantage of two years of free credit monitoring and identity protection services here.
On Sunday, Yahoo launched a new service called “on-demand” passwords, which lets someone log into a Yahoo account using a unique, one-time code that is delivered via text message. It’s basically two-factor authentication without the first step.
Sounds interesting, but it raises the question: how secure are on-demand passwords?
The whole point of multi-factor authentication is that if one authentication factor is compromised, access is still protected by an additional authentication factor. If a password is compromised, then a one-time token (delivered via text or generated by a time-based token) protects access. Conversely, if the smartphone that receives or generates the second authentication factor is lost or stolen, a third party has access to the second factor but still does not have the password (assuming it is not stored in clear text somewhere on the phone).
Password-less authentication is nothing more than traditional “2-factor” authentication minus the password, so if your phone is lost or stolen (or the SIM card is stolen), a hacker would be able to receive the Yahoo one-time password and access your Yahoo account.
Yahoo’s one-time password is nothing new, and it is less secure than using a complex password in addition to a second authentication mechanism, such as a time-based token or an SMS-delivered one-time password. If my smartphone were ever lost or stolen, I would rather have the peace of mind that my accounts are protected by a unique and complex password AND a second authentication factor. My recommendation would be to keep your Yahoo password in place, use a password manager, ensure that your passwords meet complexity and length requirements, and always activate 2-factor authentication where available.
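To make the stolen-phone argument above concrete, here is an added example (not code from the original post or from Yahoo) that models both login policies. A standard RFC 6238 TOTP code stands in for the one-time code the phone holds (the on-demand scheme actually delivers it by SMS; the possession-factor logic is the same), and the account record, salt and password are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed account record: the password is stored only as a salted hash,
# and the TOTP seed is the secret the user's phone holds.
SALT = b"constructed-salt"


def hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


ACCOUNT = {
    "pw_hash": hash_password("correct horse battery staple"),
    "totp_seed": b"12345678901234567890",  # RFC 6238 test seed, constructed account
}


def login_on_demand(code: str, now: int) -> bool:
    # On-demand style: the one-time code is the only factor checked.
    return hmac.compare_digest(code, totp(ACCOUNT["totp_seed"], now))


def login_two_factor(password: str, code: str, now: int) -> bool:
    # Traditional 2FA: the password AND the one-time code must both verify.
    pw_ok = hmac.compare_digest(hash_password(password), ACCOUNT["pw_hash"])
    return pw_ok and login_on_demand(code, now)


def stolen_phone_scenario(now: int) -> dict:
    # The phone holder can produce the current code but does not know the password.
    code_from_phone = totp(ACCOUNT["totp_seed"], now)
    return {
        "on_demand": login_on_demand(code_from_phone, now),
        "two_factor": login_two_factor("wrong password", code_from_phone, now),
    }
```

Run `stolen_phone_scenario(<unix time>)`: the code-only policy accepts the phone holder while the password-plus-code policy rejects them, which is the gap the post describes.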
IBM has discovered a security flaw that can leave file storage accounts of mobile users open to hackers. The IBM researchers identified sloppy coding in Dropbox’s SDK Version 1.5.4 for Android that caused the vulnerability.
76% of the applications that link to Dropbox accounts using the Dropbox SDK are vulnerable, including other password managers. Keeper does not rely on any 3rd party storage providers and is not vulnerable to this flaw.
During a cybersecurity panel discussion on Tuesday with members of Homeland Security, the theme was not “if you get hacked” but “when you get hacked.” Companies need to start thinking this way: no one is immune to cyber attacks, and it’s critical to have cybersecurity prevention tools in place and a plan for when an attack happens. While most cybercrime issues are preventable, cybercrime affects everyone.
Read more here: http://www.bizjournals.com/boston/blog/techflash/2015/03/homeland-security-official-your-company-might-get.html
Google’s expert team of hackers at Project Zero has discovered a serious flaw, known as rowhammer, in modern DRAM devices; it is exploitable on x86 laptops. Google is pressing computer vendors to cough up more information about hardware flaws and is encouraging them to release details of affected devices so that researchers can further evaluate the rowhammer problem.
Read more here: http://www.zdnet.com/article/rowhammer-dram-flaw-could-be-widespread-says-google/
Apple’s latest iOS release includes a fix for the FREAK exploit, which allows hackers to attack encrypted connections, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. Most iPhones and iPads were affected by the bug.
Read more here: http://www.zdnet.com/article/apple-fixes-freak-security-flaw-with-ios-8-2-update/
Here are the top 5 stories from MWC 2015 Day 3:
- Pebble followed up their smartwatch announcement with a Time Steel model with a metal body. The watch will have 10 days of battery life and will sell for $299.
- Leia is bringing 3D holograms to mobile devices
- Flir One showcased a smartphone dongle with thermal imaging
- Sony displayed SmartEyeglass apps for its SmartEyeglass wearable
- Acer debuted a fitness tracker, the Liquid Leap+
Yesterday, cryptographers disclosed a security flaw dating back to the 1990s that affects OS X, iOS, and Android users on over 64,000 websites. The FREAK exploit allows hackers to force a lower grade of encryption, so that affected sites (holding your personal information) can be cracked within a few hours.
Keeper is not vulnerable to the RSA FREAK vulnerability.
Here are our top 5 developments from Day 2 at MWC 2015:
- Fujitsu showed off a prototype smartphone that uses an infrared camera to scan your irises in place of a password
- Qualcomm announced ultrasonic 3D fingerprint authentication
- Intel revealed three new mobile chips, the Atom x3, x5, and x7
- BlackBerry showed their new Leap smartphone, a $275 device that claims to have a battery that lasts 25 hours with heavy use
- Silent Circle announced their second-edition Blackphone secure smartphone.
Check back tomorrow for Day 3 updates!