Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On March 25, 2015

March 24, Softpedia – (International) Jailbroken iPhones unlocked with software brute-force tool in 14 hours, tops. An iOS jailbreaker published a library called TransLock under the GNU General Public License that brute-forces the passcode of a jailbroken iOS device in 14 hours or less. It injects itself into SpringBoard, the process that manages the device’s home screen, and forces return values in the “SBFDeviceLockController” class to “No”, which removes the failed-attempt limit and lets it try a new PIN roughly every five seconds; the only other requirement is a USB connection to the device. The 14-hour ceiling is simply the arithmetic for a four-digit PIN: 10,000 candidates at one attempt every five seconds is about 13.9 hours, and a longer or alphanumeric passcode raises the search time accordingly. Because the library depends on code injection, it is a risk to jailbroken devices only. Source

March 24, Softpedia – (International) Unauthorized certificates issued for several Google domains. Security engineers at Google reported that an intermediate certificate authority operated by Egypt-based MCS Holdings had issued certificates for several Google domains without authorization. Because the intermediate chains to a root trusted by most operating systems (OS) and Web browsers, the rogue certificates pass ordinary chain validation, leaving users open to impersonation and to decryption of supposedly secure traffic in man-in-the-middle (MitM) attacks. Users of Google Chrome and of Mozilla Firefox 33 and later are unaffected because those browsers pin the public keys expected for Google domains and reject a chain that contains none of them, regardless of whether the chain validates. Source
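The distinction between those two checks is the whole lesson of the incident, so here is an added example (not code from the article, from Google or from MCS Holdings) that builds the situation in memory: one trusted root delegates two intermediates, one of them issues a leaf for a hostname it was never authorised for, and the client then runs plain path validation followed by an HPKP-style SPKI pin check. Every CA name, key and the hostname `www.pinned.example` are constructed for the example; the `must` helper needs Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Added example, not code from the article, Google or MCS Holdings; every CA,
// key and hostname is constructed in memory purely for illustration.
const pinnedHost = "www.pinned.example"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template returns a CA template for cn, or a server template with cn as its SAN.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
	}
	return t
}

// sign issues tmpl for key under parent; a nil parent yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// SPKIPin is the HPKP-style pin value: base64(SHA-256(DER SubjectPublicKeyInfo)).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinMatches: after path validation, a pinning client also requires that some
// certificate in the served chain carries one of the host's pinned public keys.
func PinMatches(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[SPKIPin(c)] {
			return true
		}
	}
	return false
}

// Check runs ordinary path validation for pinnedHost, then the pin check.
func Check(leaf, inter, root *x509.Certificate, pins map[string]bool) (chainValid, pinMatches bool) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: pinnedHost, Roots: roots, Intermediates: inters})
	return err == nil, PinMatches([]*x509.Certificate{leaf, inter, root}, pins)
}

// Scenario: one trusted root delegates two intermediates, the host's legitimate issuer and an
// unrelated one that mis-issues a leaf for the same host; the host pins only its issuer's key.
func Scenario() (legitChain, legitPin, badChain, badPin bool) {
	rootKey, goodCAKey, rogueCAKey := newKey(), newKey(), newKey()
	root := sign(template("Trusted Root (constructed)", 1, true), nil, rootKey, nil)
	goodCA := sign(template("Legitimate Issuer (constructed)", 2, true), root, goodCAKey, rootKey)
	rogueCA := sign(template("Unrelated Intermediate (constructed)", 3, true), root, rogueCAKey, rootKey)
	goodLeaf := sign(template(pinnedHost, 4, false), goodCA, newKey(), goodCAKey)
	badLeaf := sign(template(pinnedHost, 5, false), rogueCA, newKey(), rogueCAKey)
	pins := map[string]bool{SPKIPin(goodCA): true}
	legitChain, legitPin = Check(goodLeaf, goodCA, root, pins)
	badChain, badPin = Check(badLeaf, rogueCA, root, pins)
	return
}

func main() {
	lc, lp, bc, bp := Scenario()
	fmt.Printf("legitimate chain: valid=%v pin=%v\nmis-issued chain: valid=%v pin=%v\n", lc, lp, bc, bp)
}
```

Running it prints `valid=true pin=true` for the legitimate chain and `valid=true pin=false` for the mis-issued one: the rogue chain is cryptographically perfect, and only the pin set (which a site operator publishes for its own key and its issuer's, never for the root) tells the client that the wrong CA signed it.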

March 24, Securityweek – (International) Air-gapped computers can communicate through heat: Researchers. Researchers at Israel’s Ben Gurion University demonstrated a bidirectional covert channel, dubbed BitWhisper, between two physically adjacent but unconnected computers: malware on each machine modulates the heat given off by components such as the central processing unit (CPU) and graphics processing unit (GPU), and the other machine reads the signal with its own built-in thermal sensors. The channel lets an attacker who has already compromised both systems pass commands to and exfiltrate data from an air-gapped computer, although only at a few bits per hour and over tens of centimetres, so it suits leaking credentials or short commands rather than bulk data. Source

March 23, Softpedia – (International) Flash Player vulnerable to bug patched in 2011. Security researchers from Minded Security and LinkedIn’s security team found that a same-origin policy (SOP) bypass fixed in Adobe’s Flex SDK in 2011 is still exploitable against the latest Flash Player: the fix went into the SDK compiler, so any SWF compiled with an older Flex SDK and still deployed on a Web site remains vulnerable no matter how current the visitor’s plug-in is. An attacker who lures a victim to a malicious Web page can use such a SWF to read data from the site that hosts it (same-origin request forgery) or to perform actions as the victim via cross-site request forgery (CSRF). The remedy is on the site owner’s side: recompile affected SWFs with a patched SDK, or patch or remove the deployed files. Source

March 23, Softpedia – (International) Twitch security breached, mandatory password reset in effect for all. The Twitch streaming service forced a password reset for all users, unlinked all accounts from Twitter and YouTube, and emailed affected users after detecting unauthorized access that may have exposed user information, including dates of birth, the time and Internet protocol (IP) address of the last login, and limited information associated with credit cards. Source

March 23, Securityweek – (International) DDoS attackers distracting security team with shorter attacks: Corero Networks. Corero Network Security’s quarterly trends and analysis report found that 96 percent of the distributed denial-of-service (DDoS) attacks against its customers in the fourth quarter of 2014 lasted less than 30 minutes and 79 percent peaked below 5 gigabits per second (Gbps). Corero reads this as a shift toward attacks that are hard to spot with volumetric thresholds and are meant to partially saturate a network and occupy the security team, leaving enough bandwidth for a follow-on intrusion to reach sensitive information. Source

March 24, KrebsOnSecurity – (International) Kreditech investigates insider breach. Germany-based Kreditech is working with authorities to investigate an isolated internal security incident from November 2014 in which an apparent insider took information submitted by credit applicants. The data came from a form on the company’s official Web site that held submissions in a caching system purged every few days, and Kreditech stated that no customer data was affected. Source

March 23, Securityweek – (International) Phishers leverage .gov domain loophole to bypass email validation. Trend Micro researchers found that the operators of a March 4 – 11 phishing campaign, which sent over 430,000 emails to American Express customers, improved their delivery rate by exploiting a loophole in how DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) checks are applied to messages from .gov top-level domains (TLDs). Source
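Whatever the precise .gov loophole was, SPF and DKIM can only stop a spoofed sender when the spoofed domain publishes a policy the receiver can check against. The following added example (not code from the article or from Trend Micro; every domain, record and IP address is constructed) implements the core of a receiver-side SPF check per RFC 7208 for the ip4, include and all mechanisms, and shows that a domain with no record, or a softfail-only one, gives the filter no hard verdict to act on.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Added example, not code from the article or Trend Micro. A minimal SPF
// (RFC 7208) evaluator over a constructed, in-memory DNS table, supporting
// the ip4, include and all mechanisms with all four qualifiers.

// dnsTXT stands in for DNS: domain -> published SPF record. All constructed.
var dnsTXT = map[string]string{
	"bank.example":      "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
	"mailer.example":    "v=spf1 ip4:198.51.100.10 -all",
	"lax.example":       "v=spf1 ~all", // softfail for everyone, never a hard fail
	"unguarded.example": "",            // publishes no SPF record at all
}

// Evaluate returns one of pass, fail, softfail, neutral, none or permerror
// for mail claiming domain as its envelope sender and arriving from ip.
func Evaluate(domain string, ip net.IP, depth int) string {
	if depth > 10 {
		return "permerror" // RFC 7208 caps DNS-querying terms; treat deep includes as an error
	}
	rec, ok := dnsTXT[domain]
	if !ok || rec == "" {
		return "none" // no policy published: the receiver gets no verdict to act on
	}
	terms := strings.Fields(rec)
	if terms[0] != "v=spf1" {
		return "none"
	}
	for _, term := range terms[1:] {
		qual := '+'
		if strings.ContainsRune("+-~?", rune(term[0])) {
			qual, term = rune(term[0]), term[1:]
		}
		var matched bool
		switch {
		case term == "all":
			matched = true
		case strings.HasPrefix(term, "ip4:"):
			matched = ipMatches(term[len("ip4:"):], ip)
		case strings.HasPrefix(term, "include:"):
			matched = Evaluate(term[len("include:"):], ip, depth+1) == "pass"
		default:
			return "permerror" // mechanisms outside this example's scope
		}
		if matched {
			return qualResult(qual)
		}
	}
	return "neutral" // ran off the end of the record without a match
}

// ipMatches treats a bare address as a /32 and otherwise parses the CIDR.
func ipMatches(spec string, ip net.IP) bool {
	if !strings.Contains(spec, "/") {
		spec += "/32"
	}
	_, network, err := net.ParseCIDR(spec)
	return err == nil && network.Contains(ip)
}

func qualResult(q rune) string {
	switch q {
	case '-':
		return "fail"
	case '~':
		return "softfail"
	case '?':
		return "neutral"
	}
	return "pass"
}

// Disposition is one receiver policy over the SPF result. Only "fail" justifies
// rejecting on SPF alone; "none" is the gap a spoofer of a policy-less domain
// benefits from, because the filter has nothing to act on.
func Disposition(result string) string {
	switch result {
	case "pass":
		return "accept"
	case "fail":
		return "reject"
	case "softfail":
		return "quarantine"
	}
	return "no SPF verdict; needs DKIM/DMARC or content analysis"
}

func main() {
	cases := []struct{ domain, ip string }{
		{"bank.example", "203.0.113.7"},     // genuine sender in the ip4 range
		{"bank.example", "198.51.100.10"},   // genuine sender via include
		{"bank.example", "192.0.2.1"},       // spoof of a domain ending in -all
		{"lax.example", "192.0.2.1"},        // spoof of a domain ending in ~all
		{"unguarded.example", "192.0.2.1"},  // spoof of a domain with no record
	}
	for _, c := range cases {
		r := Evaluate(c.domain, net.ParseIP(c.ip), 0)
		fmt.Printf("%-18s from %-14s -> %-8s %s\n", c.domain, c.ip, r, Disposition(r))
	}
}
```

The spoof of `bank.example` from an unlisted address is the only case that yields `fail`; the same forgery against `lax.example` or `unguarded.example` reaches the inbox unless DKIM, DMARC or content filtering catches it, which is why a spoofable sender domain is worth more to a phisher than a convincing display name.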

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.