Another Android Flaw Gives Apps Elevated Privileges

Close on the heels of Stagefright, another vulnerability has been found to affect Android devices. A flaw in the OpenSSL X509Certificate class allows apps to elevate their privileges, letting them snoop on vulnerable devices, install malware, and cause other problems. More than half of Android handsets are believed to be vulnerable.

Google has provided a patch, but as with the patch for Stagefright, most people won’t receive it automatically. Ask your mobile carrier if a patch is available and if not, when you can expect it.

Read the story in the news.

Microsoft Ends Support for Windows Server 2003

Microsoft ended support of Windows Server 2003 on July 14, 2015. If you have machines still running Windows Server 2003, it is very important that you upgrade to Windows Server 2012 R2 and apply the latest patches from Microsoft to minimize security risks and comply with recent Massachusetts data regulations.

IS&T recommends that Windows users subscribe to the MIT Windows Automatic Update Service (MIT WAUS) to get the latest service packs and security patches. Visit the MIT WAUS article in the KB for detailed instructions on how to subscribe.

If you have questions or need assistance, send email to the IS&T Help Desk at helpdesk@mit.edu or call 617.253.1101. You can also submit a request online.

Learn more from Microsoft about migrating from Windows Server 2003.

LastPass Network Breach

On June 15, 2015, LastPass sent out a notice to its customers regarding suspicious activity on its network. The details of the activity are posted here.

LastPass Enterprise is a password management system that will be rolled out to the MIT community this summer. LastPass Enterprise provides access to data and passwords via Windows, Mac OS X and mobile native clients, as well as via any web browser. It is a convenient solution to the password-management problem faced by teams, and it unlocks features such as shared password folders and secure notes.

You can find information about LastPass Enterprise via the MIT LastPass FAQ. Note that LastPass Enterprise for MIT includes two-factor authentication using Duo, which provides an added layer of security for your account.

See the KB for answers to questions you may have about the LastPass security breach.

MIT Technology Review: Cyber Espionage Nightmare

An article featured on MIT Technology Review covers the disturbing state of corporate cyber espionage. According to the article, agents from China are wanted for allegedly hacking into networks at American companies, stealing emails about business strategy, documents and other information, all to benefit Chinese companies.

Although it seems unlikely that any arrests will be made in the case the US has brought against these perpetrators, the case does offer American companies some valuable lessons. They are now less likely to keep valuable information online, even if that information is “secured.” The clearest response is also the most drastic: unplug.

Read the full story at MIT Technology Review.

Android Phone Factory Reset Feature is Flawed

An estimated 500 million Android phones don’t completely wipe data when their factory reset option is run, a weakness that may allow the recovery of login credentials, text messages, e-mails, and contacts.

In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had been factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means of wiping confidential data off devices before they’re sold, recycled, or otherwise retired. The study found that data could be recovered even when users had turned on full-disk encryption.

The findings, published in a research paper titled Security Analysis of Android Factory Resets (.pdf), are sure to be a wake-up call for individual users and large enterprises alike. Based on the devices studied, the researchers estimated that 500 million devices may not fully wipe disk partitions where sensitive data is stored and 630 million phones may not wipe internal SD cards where pictures and video are often kept.

Read the story in the news.

Phishing Attack List: Windows Live ID Scam

Kaspersky Lab experts are warning of a new scam that uses Windows Live ID as bait to catch personal information stored in user profiles on services like Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger and OneDrive.

What appears to be a typical phishing email contains a link that goes to the actual Windows Live website, with no apparent attempt to get the victims’ logins and passwords. So what’s the trick?

  • After following the link and authorizing the account, users receive a prompt: an application requests permission to automatically log into the account, view the profile information and contact list, and access a list of the users’ email addresses.
  • Users who click “Yes” don’t give away their login and password credentials, but they do provide their personal information, the email addresses of their contacts and the nicknames and real names of their friends.

Scammers are able to use this technique because of security weaknesses in OAuth, the open protocol for authorization: the victim legitimately grants the attacker’s application access, so no password ever has to be stolen. The collected information can be used for fraudulent purposes, such as sending spam to the contacts in the victim’s address book or launching spear phishing attacks.

Read the full story.

FBI: Data Breaches Up 400%; Workforce Needs To Be “Doubled or Tripled”

As a follow-up to last week’s post about the lack of cybersecurity personnel, this article discusses the increase in attacks and breaches and how it relates to the need for a more robust cybersecurity workforce.

James Trainor, acting assistant director of the FBI’s Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. “Now, it is close to every two to three days.”

Trainor also said the cybersecurity industry needs to “double or triple” its workforce in order to keep up with hacking threats.

Read the story at thehill.com.