We begin our synopsis of this week by looking forward to next week when Microsoft will – at long last – discontinue its support of the once ubiquitous, forever vulnerable, and still widely deployed Windows XP operating system. More on that next week.
As for the things that actually happened this week: we’ve got more news from Bitcoin; security concerns regarding the Tesla S; insights into the global phishing game; fixes for Apple’s Safari browser; bugs in a Phillips Smart TV and more.
According to a Reuters report, a federal judge in the American state of Texas has ordered Mt. Gox chief executive Mark Karpeles to travel to the U.S. and answer questions about the Bitcoin exchange’s bankruptcy filing. Mt. Gox – once the world’s largest exchanger of the Bitcoin digital crypto-currency – shut down in February after losing a reported $400 million and subsequently filed for bankruptcy. Karpeles reportedly filed for Chapter 15 bankruptcy protection at the same Texas court to which he has been summoned in order to avoid a class action lawsuit filed in Chicago. The Texas judge believes that if Karpeles would like to seek protection from his court, then he ought to come and stand before it.
According to my colleague Chris Brook from Threatpost, certain versions of Philips’ popular internet-enabled SmartTVs contain a vulnerability that could give an attacker the ability to access potentially sensitive information within the TV’s system and configuration files as well as any files that may be on a USB stick connected to the TV itself. If that user happens to be browsing the Internet on the very same TV, an attacker could pilfer cookies and use them to access certain websites or online accounts. The problem has to do with a WiFi feature called Miracast, which is enabled by default with a preset and fixed password. This password allows anyone within range of the device’s WiFi adapter to connect to the TV and access its many features.
One of my other colleagues at Threatpost, Dennis Fisher, reported that the popular, high-end, all-electric Tesla S automobile deploys a weak, single-factor authentication system for a mobile app that lets users unlock their vehicle and more. Researcher Nitesh Dhanjani found that when new owners sign up for an account on the Tesla site, they must create a six-character password. That password is then used to login to the iPhone app. The app gives owners the ability to manipulate the door locks, the suspension and braking system and sunroof. The real problem here is that there is no limit on login attempts; meaning that an attacker can perform brute-force attacks against a relatively short password. Six characters are easily breakable in a system with no login attempt limits.
In passing, I’d like to remind any Apple users that the Cupertino, California computer giant issued more than 25 security vulnerability fixes to its Safari browser. Some of these bugs are quite serious, so you should update that browser if you haven’t done so already.
Our researcher friends at Securelist released the first part of their look into the dark world of financial cyber-threats in 2013. Part one is an extensive analysis of the global phishing environment. In brief, they found that 31 percent of all phishing attacks in 2013 targeted financial institutions. Some 22 percent of all attacks involved fake bank websites, which doubles down on their findings from the previous year, 2012, in which only 11 percent of such attacks deployed fake banking websites. Jest less than 60 percent of banking phishing attacks exploited the brands of only 25 international banks, with the remaining 40 percent exploiting the brands of more than 1,000 banks.
In closing, I point you toward the BBC, which is reporting that a five year old boy from San Diego, California uncovered a flaw in the popular Xbox Live online gaming platform that allowed him to log into his father’s account without the correct password. The boy, Kristoffer Von Hassel, attempted to log into his father’s XBOX Live web account. When he entered the wrong password, he was prompted to enter it again. He hit spacebar, and, like magic, he was in.
“I got nervous. I thought [my dad] was going to find out,” Kristoffer told a local television station, KGTV. “I thought someone was going to steal the Xbox.”
The BBC says that Kristoffer’s father, who works in security, reported the details of the bug to Microsoft. In turn, Microsoft fixed the bug and thanked the boy for his help.