SSL.com’s Friday Security Roundup – April 24, 2015

From Houston, Texas – home to the Rockets, big rockets, a great collection of rocks and which knows how to rock – welcome to our Friday Security Roundup, where SSL.com reviews some of the security issues that we’ve been following this week.


Insert Wildly Unfair iPhone User Joke Here

Reported at RSA2015, by mobile security firm Skycure: “No iOS Zone”, an exploit which can crash any iOS device in range of a maliciously-configured Wi-Fi hotspot. A denial-of-service attack that actually reaches into the operating system itself (and involves how SSL certificates are handled by iOS) means that your cool tech won’t work – even in offline mode. Both Skycure and Apple are a bit vague on details while a solution is hammered out, but since the attack could potentially force an automatic connection, then crash all iOS devices it finds, for the present they recommend only one workaround: “physically running away”.

Status: In play – Skycure states that it hasn’t been seen in the wild, but predicts that targeted attacks like this are going to be more likely going forward.


Insert Your OTHER Wildly Unfair iPhone User Joke HERE

Determined, by analytics service SourceDNA: A major security flaw affecting well over one thousand iOS apps. The issue lies with an older version of the widely-used AFNetworking library – SSL certificate validation checks are bypassed, so basically any HTTPS connection can be approved. This would be a Bad Thing, exposing your iOS device to man-in-the-middle attacks.

Status: Also in play – AFNetworking corrected the problem weeks ago, but a range of apps released during the six-week window will remain vulnerable until they are themselves updated to use the fixed library. We would like to applaud SourceDNA’s clear and transparent outlining of their methodology and process in researching this issue – kudos, guys.

Love In the Air, In the Clear

Unsecured, by match.com: Their freakin’ login page. According to readers of, and research by, the good folks at Ars Technica, it would appear that usernames and passwords to the popular dating site have been accepted on their login page with no encryption whatsoever, from at least some point in March of this year.

Status: Possibly now addressed, but still awfully darned disturbing. For a site with some 20 million members, skipping the very most basic security step in the catalog is poor form indeed.


Causation Is Not Correlation. However…

Suggested, by Japan’s Board of Audit: Upgrading 48,000 TEPCO computers which are currently running Windows XP. TEPCO, as you might recall, is the Tokyo Electric Power Company and operates the Fukushima Daiichi nuclear plant, which had a spot of bother back in 2011. XP was only finally retired by Microsoft in April 2014, and there is no connection whatsoever between XP use and nuclear catastrophe. However, the Board of Audit (very roughly analogous to the US GAO) notes that TEPCO’s plan to keep using XP until 2019 (as a cost saving measure) could very well be a Very Bad Idea.

Status: SSL.com knows how hard it was to say goodbye to XP, variously known as “the WinOS that actually worked” or “not Vista” – but using any retired and unsupported OS to run something as vital as a nuclear power plant (let alone an automatic teller machine) is bad practice.


As always, we appreciate you reading these words, and let us know what you think