Google has announced changes that make reCAPTCHA easier for humans to read and harder for bots. Advanced risk analysis is applied before, during and after the interaction to estimate how likely it is that the user is human.
Users judged likely to be human are served easy-to-read text and number-image CAPTCHAs, while users judged likely to be bots are served harder ones. Learn more on the Google Online Security Blog here.
Apple has released iOS 7.0.2. The update fixes a bug that could be exploited to bypass the passcode and access the iPhone’s stored photos and the email and Web services used to share them. The update also brings back the Greek keyboard option for entering a passcode. Learn more on the 9to5 Mac blog here.
Apple has also announced that it has expanded the availability of AppleCare+ for iPhone 5 users. Previously, users could only get their iPhone repaired in the country of purchase. Now, users can get their iPhone repaired in any country that sells the same model. Learn more on TechCrunch here.
Tumblr has fixed a security issue in their iOS app that allowed passwords to be sniffed while in transit. Users of the app should update and change their password in case it has been compromised.
Learn more on the Tumblr blog here and download the updated app from the iTunes app store here.
Microsoft is launching new bounty programs on 26 June 2013 that will offer a cash reward of up to US$100,000 for truly novel exploitation techniques that bypass the exploit mitigations built into the upcoming Windows 8.1 Preview.
Up to a further US$50,000 will be paid if ideas for how to defend against the attack are included in the submission. There is also a bounty of up to US$11,000 for finding critical vulnerabilities in Internet Explorer 11 Preview until 26 July 2013.
Interested in learning more? See the Microsoft Security blog here.
Researchers have cracked the passwords that iPhone’s mobile hotspot feature generates automatically. To do this, they capture a WPA2 four-way handshake, which can often be done in less than a minute, and then run an offline guessing attack against the captured handshake on a computer with four AMD Radeon HD 7970 graphics cards.
When the researchers reverse-engineered iOS 6, they discovered that the password is a four- to six-letter word randomly chosen from the built-in English dictionary, followed by a random 4-digit PIN. Using this knowledge alone, they were able to cycle through every possible word and PIN and crack the password in about 49 minutes.
The researchers then traced the password generation function and found that across more than 250,000 invocations only 1,842 distinct words were ever selected. They also found that some of those words were about 10 times more likely to be selected than others. With this knowledge, they crafted an optimised candidate list ordered by word frequency.
Using the same four AMD Radeon HD 7970 graphics cards at about 390,000 guesses per second, the researchers were then able to crack the password in about 24 seconds. The iOS 7 beta is not as easy to crack, since it generates a random 12-character alphanumeric string without using a dictionary.
Using the mobile hotspot feature in iOS 6 or earlier? Always replace the automatically generated password with a longer one that does not follow the word-plus-digits pattern. Users of other phones should also set stronger passwords: Windows Phone 8 only generates an eight-digit numeric password, and some Android phones may also generate easy-to-crack passwords. Interested in learning more? Read the research paper here.
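To make the arithmetic behind those numbers concrete, here is an added example (not the researchers' code or anything from the paper) that computes the keyspace of the iOS 6 scheme, compares it with the iOS 7 scheme, shows why trying words in frequency order cuts the expected number of guesses, and checks whether a hotspot password still has the default word-plus-PIN shape. The skewed word distribution it builds is a constructed stand-in for the bias the researchers measured, not their data.

```python
# Added example: keyspace and expected-guess arithmetic for the iOS 6
# hotspot password scheme. Not the researchers' code; the word
# probabilities below are a constructed distribution, not measured values.
import math
import re
import string

GUESSES_PER_SECOND = 390_000   # rate quoted for four Radeon HD 7970s
IOS6_WORDS = 1_842             # distinct words the generator actually emits
PIN_SPACE = 10 ** 4            # random 4-digit PIN appended to the word
IOS7_ALPHABET = len(string.ascii_letters + string.digits)   # 62 symbols
IOS7_LENGTH = 12


def ios6_keyspace():
    """Number of distinct passwords the iOS 6 generator can produce."""
    return IOS6_WORDS * PIN_SPACE


def ios7_keyspace():
    """Number of distinct 12-character alphanumeric passwords."""
    return IOS7_ALPHABET ** IOS7_LENGTH


def bits(keyspace):
    """Entropy in bits, assuming every candidate is equally likely."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace / rate


def skewed_word_probs(n_words, n_hot, hot_factor):
    """Constructed distribution: the last n_hot words are hot_factor times
    as likely as the rest, mimicking the bias the researchers observed."""
    weights = [1] * (n_words - n_hot) + [hot_factor] * n_hot
    total = sum(weights)
    return {f"word{i:04d}": w / total for i, w in enumerate(weights)}


def frequency_ordered(word_probs):
    """Candidate words ordered most-likely-first (stable for ties)."""
    return sorted(word_probs, key=word_probs.get, reverse=True)


def expected_guesses(word_probs, order):
    """Expected number of words tried before the right one, if the true
    word is drawn from word_probs and candidates are tried in `order`."""
    rank = {w: i + 1 for i, w in enumerate(order)}
    return sum(p * rank[w] for w, p in word_probs.items())


def candidates(word_probs):
    """Full password list in the optimised order: likeliest word first,
    each word paired with every 4-digit PIN."""
    for word in frequency_ordered(word_probs):
        for pin in range(PIN_SPACE):
            yield f"{word}{pin:04d}"


_IOS6_SHAPE = re.compile(r"^[a-z]{4,6}[0-9]{4}$")


def looks_like_ios6_default(password):
    """True if a hotspot password still has the word+PIN shape of an
    iOS 6 default and should be replaced."""
    return _IOS6_SHAPE.match(password) is not None


if __name__ == "__main__":
    k6, k7 = ios6_keyspace(), ios7_keyspace()
    print(f"iOS 6: {k6:,} candidates, {bits(k6):.1f} bits, "
          f"exhausted in {seconds_to_exhaust(k6):.0f} s")
    print(f"iOS 7: {bits(k7):.1f} bits, "
          f"{seconds_to_exhaust(k7) / 3.15e7:.2e} years")
    probs = skewed_word_probs(IOS6_WORDS, n_hot=100, hot_factor=10)
    naive = expected_guesses(probs, list(probs))
    tuned = expected_guesses(probs, frequency_ordered(probs))
    print(f"expected words tried: naive order {naive:.0f}, "
          f"frequency order {tuned:.0f}")
```

The 1,842-word keyspace works out to roughly 24 bits, which at 390,000 guesses per second is exhausted in under a minute; the iOS 7 scheme is about 71 bits, which is out of reach for any offline guessing. The frequency ordering matters because the expected number of guesses is the probability-weighted rank of the true candidate, so putting the likeliest words first is optimal whenever the generator is biased.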
Security researchers have uncovered a weakness in some iPhones that could be used to automatically connect to rogue Wi-Fi networks to collect passwords and other sensitive data.
The weakness is in the profile.mobileconfig file installed by AT&T, Vodafone and more than a dozen other carriers, which instructs the device to automatically join a Wi-Fi network named attwifi whenever one is in range.
Attackers can take advantage of this by giving their rogue network the same name, which makes nearby iPhones join it automatically, even ones that have never connected to any Wi-Fi network before. Since the network is open, the device has no way to tell the attacker’s access point from a genuine one.
Once a device has joined, the attacker controls its network path and can run tools that strip or intercept SSL Web encryption, then perform a man-in-the-middle attack to intercept passwords and forge links and other content on the websites the user visits.
The researchers tested their hypothesis in a restaurant in Tel Aviv, Israel and 60 people connected to their Wi-Fi network in the first minute and 448 connected during a two-and-a-half-hour period.
The best way to prevent iPhones from connecting to networks without the user’s knowledge is to disable Wi-Fi on the device when it isn’t needed. There are also apps available that can control which SSIDs the iPhone will and won’t connect to.
Interested in learning more? See the Skycure Security blog post here.
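The pattern behind this issue is easy to spot in a profile once it is decoded. The following is an added example, not Skycure’s code or a real carrier profile: it parses a constructed profile.mobileconfig with Python’s standard plistlib and flags Wi-Fi payloads that will be auto-joined without encryption, which is exactly the combination a rogue access point can impersonate. The payload keys used (PayloadType com.apple.wifi.managed, SSID_STR, AutoJoin, EncryptionType) are Apple’s documented configuration-profile keys; the SSIDs, identifiers and passphrase in the sample are made up.

```python
# Added example: audit a configuration profile for Wi-Fi payloads that are
# auto-joined with no encryption. Not Skycure's code; SAMPLE_PROFILE is a
# constructed sample, not a real carrier profile.
import plistlib

SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.carrier.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.carrier.wifi.open</string>
      <key>SSID_STR</key><string>attwifi</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>None</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.carrier.wifi.secure</string>
      <key>SSID_STR</key><string>CorpNet</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA</string>
      <key>Password</key><string>not-a-real-passphrase</string>
    </dict>
  </array>
</dict>
</plist>
"""

WIFI_PAYLOAD = "com.apple.wifi.managed"


def wifi_payloads(profile_bytes):
    """Return the Wi-Fi payload dicts from a decoded configuration profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == WIFI_PAYLOAD]


def risky_auto_joins(profile_bytes):
    """SSIDs the device will join on sight with nothing an impostor would
    have to know: AutoJoin set (Apple's default when the key is absent)
    and no encryption. 'Any' and a missing EncryptionType are flagged too,
    since they permit an open network. Returns (ssid, reason) pairs."""
    findings = []
    for p in wifi_payloads(profile_bytes):
        ssid = p.get("SSID_STR", "<unknown>")
        auto_join = p.get("AutoJoin", True)
        enc = p.get("EncryptionType", "<unset>")
        if auto_join and enc in ("None", "Any", "<unset>"):
            findings.append((ssid, f"auto-join with EncryptionType={enc}"))
    return findings


if __name__ == "__main__":
    for ssid, reason in risky_auto_joins(SAMPLE_PROFILE):
        print(f"{ssid}: {reason}")
```

One caveat when running this against a real carrier profile: signed .mobileconfig files are CMS-wrapped, so plistlib cannot read them directly; extract the plist first (for example with `openssl smime -verify -noverify -inform DER -in profile.mobileconfig`) and feed the output to the functions above.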
Security researchers have created a modified charger, built on a BeagleBoard, that can install malware on an iOS device within a minute of it being plugged in. It uses the USB connection to bypass the defence mechanisms in the latest iOS release and requires no user interaction.
Once installed, the malware hides itself the same way Apple’s built-in software does so that it cannot easily be found and removed. For more information, see the security researchers’ post here.
Google is planning to upgrade the digital certificates that secure Gmail, Calendar and Web search from 1024-bit to 2048-bit RSA keys on 1 August 2013. Most client software shouldn’t have any problem with this change.
However, some client software embedded in devices such as phones, printers, set-top boxes, gaming consoles and cameras may need to be updated, particularly software that pins or hard-codes Google’s current certificate or certificate chain, or that cannot handle 2048-bit keys. Programmers who connect to Google’s services over HTTPS should check their code to ensure the change goes smoothly.
Learn more on the Google Security blog here.
Apple has released an update to QuickTime that fixes a dozen security issues. See the article here for more information about the vulnerabilities. Apple strongly recommends that all QuickTime users install the update.
Using Apple QuickTime? Run Apple Software Update to download the update or download the latest version of QuickTime here.
Twitter has updated its Mac application to add Notification Center support in OS X Mountain Lion. Users are notified whenever someone mentions them or whenever they receive a direct message. The update also includes many bug fixes.
Using an Apple Mac? Download the update from the Mac App Store here.
Twitter has also added two-factor authentication to its website, which can be enabled to improve the security of a Twitter account. When enabled, Twitter will send a code via SMS to the user’s phone that must be entered to log in.