Google Glass Hijack, Steganography Backdoor, and Femtocell Hack
After a week missing-in-action due to vacation, I’m back with another news-packed InfoSec summary video for the week. If you’d like to quickly hear the highlights about the latest updates, breaches, and malware, give our weekly video a go.
In this week’s episode I cover some interesting new Mac malware, a Google Glass hijacking vulnerability, how to hide web backdoors in images, and a rogue femtocell. For all that and more, click play below; and don’t forget to check the Reference section for extras.
Have a great weekend, and stay safe online!
(Episode Runtime: 15:18)
Direct YouTube Link: https://www.youtube.com/watch?v=pjWEkd2htzQ
Episode References:
- Chinese researchers find second APK key vulnerability – Android Police
- Rekey app fixes master key flaw on rooted Androids – Google Play
- Clear text passwords found in iOS Tumblr app; upgrade – Read Write Web
- New Mac malware leverages right-to-left override trick – F-Secure
- Evil Mac JavaScript launches ransomware attack – Malware Bytes Blog
- Google Glass QR code hijack – The Washington Post
- The dangers of Google Glass – PC Magazine
- Lookout Google Glass QR flaw video – YouTube
- Security researchers create rogue Femtocell – Reuters
- Hiding web backdoors in JPG images – Sucuri
Extras:
- Another 0day Java flaw disclosed – Full Disclosure list
- Malware targets Pinterest – Janne.is
- HD Moore exposes IPMI vulnerabilities – Information Week
- DEFCON asks Feds to stay home – DEFCON
- Wall Street to launch cyber attack test – The Boston Globe
- Oracle fixes 89 vulnerabilities with July CPU – WGSC
- HP admits backdoors are in data store products – Info World
- Cheap Android RAT on underground market – Ars Technica
- NASDAQ community forum hacked – Graham Cluley Blog
— Corey Nachreiner, CISSP (@SecAdept)
Alexander Kushnarev (Rainbow Security) says
A lot of interesting stories in this review.
1. First is the Tumblr client issue. Curious explanation, that “Tumblr’s iOS app fails to log users in through a secure (SSL) server”… OK, it is. Well, let’s think as a developer. “So, if logging on through a secure (SSL) server is impossible (for some reason), what shall we do? We include, as a “last resort”, logon functionality that sends credentials in clear text over HTTP to the point of authentication!” Are we thinking like a developer who cares about the security of product use?
2. Mac malware that leverages the RLO trick. The salt is not in RLO itself (though it’s a simple and curious trick), but in two moments:
– not the first case when Apple’s Developer ID Application was fully compromised;
– Janicab is a complete, fully working malware for the Mac platform. So, more counter-evidence for people who think that Mac is “immune to malware by design”. As you can see from the screenshots in the article, the author creates a botnet with Janicab.
3. Steganography Malware. Another example of great human ingenuity, but destructively oriented. Didn’t know that so many things can be done with a legitimate JPG-format file…