Recent Security Flaws and Updates

Drupal

Updates for the Drupal content management system are available. The Drupal security team’s advisory describes one critical and three “less critical” vulnerabilities that the updates address. The critical flaw lies in Drupal’s implementation of OpenID; it allows attackers to log in to websites as administrators. The issues affect Drupal versions 6 and 7.

Samsung Galaxy Smartphones

Samsung plans to release a fix for a critical security flaw that affects more than 600 million of its mobile phones. The issue affects Galaxy smartphones that come with the SwiftKey keyboard preinstalled. The flaw could be exploited to access data on the devices. Galaxy devices running Knox security software will receive a new security policy that neutralizes the vulnerability. Phones that are not running Knox will have to wait until a firmware update is ready. See Krebs on Security for this story and the Apple KeyChain story below.

Apple KeyChain

A security flaw (a zero-day bug) in Apple’s OS X and iOS could be exploited to steal information from the Apple keychain and from applications. The problem lies in the operating systems’ application sandboxes and can be exploited by specially created apps. Read the full story in the news.

Android Phone Factory Reset Feature is Flawed

An estimated 500 million Android phones don’t completely wipe data when their factory reset option is run, a weakness that may allow the recovery of login credentials, text messages, e-mails, and contacts.

In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data from a wide range of devices that had been factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means of wiping confidential data off devices before they are sold, recycled, or otherwise retired. The study found that data could be recovered even when users had turned on full-disk encryption.

The findings, published in a research paper titled Security Analysis of Android Factory Resets (.pdf), are sure to be a wake-up call for individual users and large enterprises alike. Based on the devices studied, the researchers estimated that 500 million devices may not fully wipe disk partitions where sensitive data is stored and 630 million phones may not wipe internal SD cards where pictures and video are often kept.

Read the story in the news.

Mac iOS Security Guide

The new Mac iOS Security Guide was released in April of 2015. As the introduction of the guide states: “Apple designed the iOS platform with security at its core. When we set out to create the best possible mobile platform, we drew from decades of experience to build an entirely new architecture.”

Many of the security features are built in by default.

“iOS and iOS devices provide advanced security features, and yet they’re also easy to use. Many of these features are enabled by default, so IT departments don’t need to perform extensive configurations. And key security features like device encryption are not configurable, so users can’t disable them by mistake. Other features, such as Touch ID, enhance the user experience by making it simpler and more intuitive to secure the device.”

Topics covered in the guide are: system security, encryption and data protection, app security, network security, Apple Pay, internet services, device controls and privacy controls.

Download or view the guide (.pdf)

Android Flaw Allows Attackers to Modify or Replace Apps

A security flaw in the Android operating system could be exploited to remotely take over vulnerable devices.

According to researchers from Palo Alto Networks, roughly half of all Android phones are vulnerable to a newly discovered hack that in some cases allows attackers to surreptitiously modify or replace seemingly benign apps with malicious ones that steal passwords and other sensitive data.

The vulnerability has been patched in Android 4.3_r0.9 and later, but some Android 4.3 devices remain vulnerable.

The attack works only against apps installed from third-party app stores, not from the Google Play store.

Read the story in the news.

Security Using Mobile Apps

Many of you may have received a new mobile device for the holidays.

This month’s issue of OUCH! (.pdf) covers how to securely use mobile apps. Mobile devices are one of the primary technologies we use in our professional and personal lives: we use them to be more productive, to communicate, to share information with others, or just to have fun. However, using the apps on mobile devices can be risky. This issue describes some steps you can take to securely use and maintain your mobile apps.

If you have any questions or concerns about using and setting up your mobile device, you can also go to the Mobile Device Support page in the Knowledge Base.

Securely Disposing of Mobile Devices

The June issue of OUCH!, led by Guest Editor Chris Crowley, discusses how to securely dispose of your mobile device. Most people do not realize just how much sensitive and personal information they have on their mobile device. If you are not careful about how you dispose of your older mobile devices, almost anyone can access that information.

Download the June issue of OUCH! (.pdf) and please feel free to share it with colleagues.

Additional information about secure disposal and data sanitization of old equipment can be found in the Knowledge Base.

Removing Personal Data from Old Devices

This holiday season you may have received a new PC, laptop, tablet, phone, or other device. Before recycling, donating, or disposing of an old device, help protect your privacy by removing your personal information first.

Removing the data by simply “erasing” or “clearing” the information may not permanently remove the information from the device. While the data may not be visible to the average user, anyone with the right tools and know-how could retrieve data stored in memory.

To make sure you don’t leave behind anything that might be used against you, take the right steps. Learn how to remove sensitive data from a mobile device or computer and learn about some (free) tools that can help.
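The point made here, and in the Android factory reset item above, is that “erasing” usually only discards the bookkeeping that says where a file lives; the bytes themselves stay on the storage until something overwrites them. The following Python model is an added illustration, not code from the Cambridge study, OUCH!, or any vendor. It builds a constructed toy volume (a flat byte array plus a file table), stores a constructed sample record, performs a “quick erase” that only drops the file table, and shows that a raw scan still finds the record. It then overwrites the unreferenced blocks and re-scans to verify that nothing recognisable remains. The `ToyVolume` class, the `carve` scanner, and the sample credential string are all assumptions made up for this example.

```python
"""Data remanence after a "quick erase", and a verified overwrite (added example).

Everything here is constructed for illustration: the toy volume, its file table,
the sample record, and the artefact scanner.
"""
import re
from dataclasses import dataclass, field

VOLUME_SIZE = 4096  # bytes; size of the constructed toy storage image


@dataclass
class ToyVolume:
    """A flat byte array standing in for device storage, plus a file table.

    The file table models the metadata a filesystem keeps about where each
    file's bytes live. Losing the table does not change the bytes.
    """
    raw: bytearray = field(default_factory=lambda: bytearray(VOLUME_SIZE))
    table: dict = field(default_factory=dict)  # name -> (offset, length)
    next_free: int = 0

    def write_file(self, name: str, data: bytes) -> None:
        """Append a file's bytes and record its location in the table."""
        if self.next_free + len(data) > len(self.raw):
            raise ValueError("volume full")
        self.raw[self.next_free:self.next_free + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += len(data)

    def quick_erase(self) -> None:
        """Model a reset that only discards metadata: the data blocks are untouched."""
        self.table.clear()
        self.next_free = 0

    def overwrite_free_space(self) -> None:
        """Overwrite every byte not referenced by the file table.

        After quick_erase() the table is empty, so this sanitises the whole volume.
        """
        referenced = bytearray(len(self.raw))
        for offset, length in self.table.values():
            referenced[offset:offset + length] = b"\x01" * length
        for i, in_use in enumerate(referenced):
            if not in_use:
                self.raw[i] = 0


# Patterns a raw-storage scan might look for; these ignore the file table entirely.
CREDENTIAL_RE = re.compile(rb"password=[^\s;]+")
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")


def carve(raw: bytes) -> list:
    """Return recognisable artefacts found anywhere in the raw bytes."""
    return CREDENTIAL_RE.findall(raw) + EMAIL_RE.findall(raw)


def verify_sanitized(vol: ToyVolume) -> bool:
    """True when a raw scan of the volume finds no recognisable artefacts."""
    return not carve(bytes(vol.raw))


def demo() -> dict:
    """Store a record, quick-erase, scan; then overwrite, scan again."""
    vol = ToyVolume()
    # Constructed sample record; not real credentials.
    vol.write_file("accounts.db", b"user=alice@example.com;password=hunter2;")
    vol.write_file("notes.txt", b"meeting at 10")

    vol.quick_erase()
    after_quick_erase = carve(bytes(vol.raw))   # still recoverable

    vol.overwrite_free_space()
    after_overwrite = carve(bytes(vol.raw))     # gone

    return {
        "after_quick_erase": after_quick_erase,
        "after_overwrite": after_overwrite,
        "sanitized": verify_sanitized(vol),
    }


if __name__ == "__main__":
    result = demo()
    print("artefacts after quick erase:", result["after_quick_erase"])
    print("artefacts after overwrite:  ", result["after_overwrite"])
    print("verified sanitized:", result["sanitized"])
```

The second scan is the part worth copying into a real disposal procedure: a wipe is only complete when an independent check of the raw storage, not the file listing, comes back empty. This toy does not model full-disk encryption, wear-levelled flash that remaps blocks out of reach of an overwrite, or removable SD cards, all of which are reasons the study above found data surviving a factory reset.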