CNET found that Apple had not increased its security with the latest iteration of the iPhone 6’s fingerprint scanner. They were able to use fake finger prints to get into the iPhone just like they did with the iPhone 5. The technique ot create these fingerprints is very simple and anyone could do it in an afternoon with a single print of the target.
On September 24 the restaurant chain Jimmy John’s released a statement confirming a credit card breach that affected stores all over the states. Jimmy John’s estimates that about 324 stores where affected. Information exposed is believed to be card numbers, cardholder names, verification codes, and the cards expiration date.
It is believed that card an intruder stole log in information from point of sail vendors and used their credentials to remotely install malware onto the point of sale systems. When costumers used their cards on purchases in the store the malware would capture data from the cards magnetic strip. This malware has been removed from most of the afflicted systems.
This past week a new bug has been discovered. It has been nicknamed the “Shellshock”. The bug is a glitch within bash in the Unix command shell. Basically, the command line will run a function but after the function is over it can continue to run code.
This is an issue that has gone unnoticed for almost 25 years. There are few issues. if a hacker get to your home computer, can simply run a function and some some malicious code and infect your system. However, if you are using a firewall it is not as big of a concern. Servers though are a little bit different. They are easier to infect since they aren’t protected by firewall and little complex to fix.
Good news is there are many patches already released since the discoverer, so fixing the bug will require a system update.
A few weeks ago, there were evidence that Home Depot had a security breach when credit cards were put up for sale on a black market website. This was already covered by this blog in this post. Since then, Home Depot has not only confirmed a breach, but that it had existed from April to September 2014. The release also tells that the malware was found in American and Canadian stores installed in the self-checkout machines, and have been removed from use. There were no signs of data breaches in normal checkout machines, Mexican stores, American or Canadian online websites. Despite card information being compromised, there were no signs that PIN numbers were recorded. Home Depot has also finished installing enhanced encryption in U.S stores on September 15 and Canadian stores are expected to be finished in early 2015. The breach was closed but after 56 million cards were affected. The malware used in this breach was reported to not have been seen in other attacks, however there are signs that this breach was done by the same group of hackers responsible for Target last year. According to Krebsonsecurity.com, the thieves were stealing card information up to five days after first signs of the breach on September 2nd. As of September 22, 2014, Home Depot holds the record for the largest retail card breach. Second place goes to TJX with 45.6 million cards and third place goes to Target with 40 million.
Since 2011, Google’s smartphone operating system, Android, has given users the option to encrypt the data on their devices. Encrypting your Android device prevents anyone without your set password from reading the information stored on your device if they manage to break in or intercept any data. Very few people know about the existence of this feature, and fewer still even enable it. However, Google recently announced that their next, upcoming version of Android, currently known as Android L, will have this feature enabled by default. This announcement came shortly after Apple’s announcement that they would be expanding security for its iCould storage system, which was recently breached and resulted in several nude photos of various celebrities being leaked. The moves made by both companies help to ensure the protection of the privacy of their users. Slated to be released in October, Android L will require users to create a password during the activation process in order to automatically set up device encryption before any data can be accessed. This means that users will no longer have to worry about any of their information, pictures, videos, communication, and any other data becoming exposed to those with malicious intent, and they also will not have to think about remembering to turn on this feature.