Monthly Archives: November 2014

7 great MOOCs for techies — all free, starting soon!

To keep up in the world of high tech, IT pros must be constantly refining their existing skills and picking up new ones along the way. These seven free online courses can help.

Always be learning

Big data, open source software, security — these are some of the IT skills most in demand today and for the near future. Fortunately, free classes, in the form of Massive Open Online Courses (MOOCs), are available to help you keep pace with these and many other IT-oriented subjects. Offered by top universities as well as online education platforms (often in partnership), IT MOOCs can help you keep your skills sharp and resume updated.

We searched through the many offerings out there to find these seven courses, which start in the next few months and offer a deep dive on topics relevant to IT professionals. If you don’t find what you want here, browse the lists of other courses offered by these institutions, or check our last MOOC roundup for ideas. Then log on and start learning.

Big Data Applications and Analytics


Starting date: Dec. 1, 2014
(Note: This self-paced course has been live for a year; starting in December it will be refreshed with new lecture material.)

What it covers: Students will explore cloud-based analytics used for processing big data. Taught by Indiana University professor Geoffrey Fox, director of the university’s Digital Science Center, the course covers cloud infrastructure and data analytics algorithms, and discusses solving problems with X-informatics in areas such as physics, e-commerce, health, remote sensing, and Web search and text mining.

Details: Encompasses 24 hours of course material in 12 sections (three of which are optional), plus homework. The class uses Google Plus community forums and Google Hangouts On Air for instructor and student interaction. The course uses either Python or Java, with side MOOCs available for those who need help with their Python or Java skills. Students can earn Open Badges to show that they’ve completed the course.

Hardware Security


Starting date: Jan. 5, 2015

What it covers: Part of the cybersecurity specialization at the University of Maryland, this course proceeds from the idea that security starts with hardware design, with students examining case studies in which hardware is a system’s weakest security link. The course, taught by University of Maryland associate professor Gang Qu, then examines specific types of side-channel and physical attacks and new hardware security primitives that can help counter those weaknesses. The goal is to enable students to understand current vulnerabilities and to familiarize them with the tools and skills necessary to build trusted hardware.

Details: The course runs six weeks, with an estimated three to five hours of work per week. The class is hosted on the Coursera online-learning platform, which features peer assessments so students can learn from their colleagues’ evaluations and feedback. For a fee of $49, a verified certificate is available upon completion of the course.

Engineering Software as a Service


Starting date: Jan. 6, 2015

What it covers: Offered by the University of California, Berkeley, this is the second part of a semester-long course. In part one, students developed a simple SaaS application; in this half, students will create more sophisticated apps incorporating relationships between models and JavaScript. They will also use Agile development techniques to refactor and improve legacy code.

Details: This is an eight-week course with an estimated 12 hours of work per week. According to one of the instructors, professor Armando Fox, prospective students “should have a solid knowledge of Rails, BDD and TDD, as it assumes and builds on those skills.” Prospective students can review the material from part one to make sure they have the knowledge required. The class is hosted on the edX open-source online-learning platform, which offers discussion forums where students can communicate with professors and fellow students. A verified certificate of achievement is available for a fee.

Heterogeneous Parallel Programming


Starting date: Jan. 12, 2015

What it covers: Taught by University of Illinois at Urbana-Champaign professor Wen-mei W. Hwu, this course starts with an introduction to parallel programming and heterogeneous computing — i.e., systems using more than one kind of processor. Based on the premise that truly effective use of such systems will always depend on familiarity with low-level programming, students start with using CUDA C to learn such skills as tiling, parallel convolution and parallel scan. As the course goes on, other languages are introduced, including OpenCL, OpenACC and C++AMP.

Details: Prospective students should have some C/C++ programming experience. This Coursera class runs for nine weeks and requires an estimated six to eight hours of work per week.

Information Visualization


Starting date: Jan. 28, 2015

What it covers: Information Visualization is taught by Katy Borner, director of Indiana University’s Cyberinfrastructure for Network Science Center, with assistance from Scott B. Weingart, a Ph.D. student in information science and history of science, and Michael Ginda, a graduate and research assistant at the center. The course covers algorithms for extracting patterns and trends from data as well as major temporal, geospatial and other visualization techniques. Students collaborate on projects for real-world clients — by way of example, project topics in the previous iteration of the course included the Human Genome Project and Wikipedia.

Every student who registers for this 15-week course gains free access to IU’s scholarly database of 26 million paper, patent and grant records, and to Sci² Tool, a modular toolset that supports the temporal, geospatial, and topical network analysis and visualization of scholarly datasets. An in-course forum encourages interaction with other students, and a unique hashtag allows students to share their visualizations via Flickr.

Details: Materials from the 2014 class are available as an example on the course website through November 2014. The 2015 course will incorporate updated materials and videos and feature new gaming elements designed to encourage student participation.

Software Security


Starting date: Feb. 23, 2015

What it covers: Like Hardware Security, this course is part of the cybersecurity specialization at the University of Maryland. Taught by computer science professor Michael Hicks, this course covers the essentials of building secure software, starting with an examination of vulnerabilities in software and on the Web and how attackers exploit them. Students then learn how to prevent or at least reduce the harm caused by such attacks through improvements in software design. The course ends with an examination of software verification and testing tools.

Details: This Coursera class lasts for six weeks and requires an estimated three to five hours of work per week. For a fee of $49, successful students can earn a verified certificate of completion.

Introduction to Linux


Starting date: Anytime (self-paced)

What it covers: This course, offered by the Linux Foundation, is overseen by Jerry Cooperstein, the foundation’s training program director. It covers both graphical user interfaces and the use of the command line, and accommodates all the major Linux distributions. Students end up with a solid working knowledge of the tools and techniques used by Linux system administrators. Teaching assistants monitor the course, and there is a discussion forum for students to post questions about the material and engage with their colleagues.

Details: The course requires an estimated 40 – 60 hours of work in total. Students who complete the work satisfactorily and follow the edX Honor Code are entitled to a certificate of completion.

Via: itworld

HSBC Acknowledges Massive Payment Card Breach

2.7 million Turkish cardholders’ names, HSBC account numbers, card numbers and expiration dates were exposed.

HSBC recently announced that it had “identified and stopped” a cyber attack targeting its credit card and debit card systems in Turkey.

“On identifying the incident, we took immediate action to safeguard our customers,” the company said in a statement. “We launched an investigation that is ongoing in cooperation with the Banking Regulation and Supervision Agency of Turkey (BRSA) and other relevant authorities. All card operations of HSBC Turkey are functioning normally.”

The compromised data included 2.7 million cardholders’ names, HSBC account numbers, card numbers and expiration dates.

“There is no evidence that any of our customers’ other financial information or personal information was compromised,” HSBC said. “There is no financial risk to our customers and there has been no evidence of any fraud or other suspicious activity arising from this incident.”

According to a FAQ [PDF] on HSBC’s website, the attack was discovered “through our own internal controls.”

The company says it wouldn’t be possible to use the stolen data to make transactions through Internet banking or telephone banking, or to print fraudulent cards and withdraw money from ATMs.

“Only the linked account number was compromised,” the FAQ states. “The content of the account was not compromised. It is not possible to commit fraud with the linked account number.”

Trey Ford, global security strategist at Rapid7, told eSecurity Planet by email that it’s notable both that HSBC caught the breach soon after it took place, and that it discovered the breach itself. “This is impressive given that the vast majority of breaches are detected by third parties, and often not for months,” he said.

“HSBC is underscoring that cards will not be re-issued at this time, and that the compromised data will not impact Internet Banking, ATM transactions, and telephone banking services; customers can continue using their cards with confidence,” Ford added. “This is because ‘card present’ transactions require additional information that would be encoded on the magnetic strip, and for ‘card not present’ transactions, the card security code (CVC or CVV2) would be required to transact business.”

The HSBC breach follows a similar breach this past summer at JPMorgan Chase, exposing information on 76 million households and 7 million small businesses. While the exposed data in that breach was similarly limited — just names, addresses, phone numbers and email addresses — several security experts noted that the stolen information could be leveraged to perform targeted attacks.

According to SafeNet‘s Breach Level Index for the third quarter of 2014, more than 183 million customer accounts and data records containing personal or financial information were either stolen or lost in 320 data breaches between July and September 2014.

“Consumers’ heads must be spinning as criminals are easily getting access to their credit card, banking and personal information at every turn,” SafeNet chief strategy officer Tsion Gonen said in a statement. “Companies should assume a breach and plan accordingly. They need to implement technologies and programs that minimize the impact of a breach on top of the traditional prevention. As it is, these technologies are just not being used to the fullest extent by either consumers or companies.”

“While it’s not surprising that sophisticated cybercriminals are continuing to attempt these breaches, what is surprising is that again only 1 percent of breached records had been encrypted,” Gonen added. “Now is the time for customers to demand that their personal information be encrypted by companies.”

Via: esecurityplanet

Hackers seized database from City of Detroit, demanded $800k in bitcoin

Hackers seized a digital database from the city of Detroit earlier this year and then demanded they receive a ransom in bitcoin, Mayor Mike Duggan said this week, but the city balked and ultimately the hijackers were unsuccessful with their request.

Duggan, who was elected last year to lead the Motor City after a headline-making bankruptcy filing, explained at a conference that hackers had asked for hundreds of thousands of dollars in cryptocurrency after compromising a city database back in April. The pilfered database wasn’t used or needed by the city, however, The Detroit News reported, so the ransom was never paid.

Speaking at the North American International Cyber Summit, Duggan said the incident from earlier this year made him realize that sensitive information needs to be stored more securely.

“It was a good warning sign for us,” he told his audience at the conference, Detroit News journalist Holly Fournier reported.

According to the Associated Press, Duggan said the hackers asked for 2,000 bitcoins after seizing the database, worth roughly $803,000.

Unfortunately for the city, such attacks aren’t isolated, either. The Michigan state government suffers around 500,000 computer attacks every day, the AP reported, and Duggan believes that improvements are needed across the board.

“It was pretty disturbing what I found,” the mayor said with respect to the type of technology the city currently relies on. “I found the Microsoft Office system we had was about 10 years old and couldn’t sync the calendar to my phone.”

“We’re in the early stages of ramping up,” he said. “The stakes in play in the state and in the country are enormous.”

Another factor involved in making that determination, Duggan added, occurred when an unnamed person involved in last year’s historic bankruptcy was victimized in a cyberattack that involved money being removed from that individual’s personal banking account.

“The timing was such that he certainly thought it was a political agenda,” the mayor said.

As for the “ransomware” that could have cost the city of Detroit an entire database — or arguably worse, more money than Motown could afford — other targets have lately been hit by similar campaigns in which victims are asked to pay in bitcoin to regain control of seized data. Earlier this month, the Dickson County Sheriff’s Office in Tennessee acknowledged that it paid around $500 in bitcoin to a hacker who broke into a server used by the law enforcement agency and demanded a ransom.

At Monday’s cyber conference, Michigan Gov. Rick Snyder warned that such attacks may only increase in severity over time as more assets rely on being connected to the web.

“Twenty years from now, your car is going to be driving itself,” Fournier quoted him as saying. “The vehicle will be talking to other vehicles, making decisions on when to stop and when to brake.”

“The risks we have today are only going to dramatically increase,” he said.

Via: rt

Chrome 39 contains 42 security fixes, fallback to SSL 3.0 removed

Google Chrome 39, which was promoted to the stable channel for Windows, Mac and Linux on Tuesday, contains 42 security fixes.

A researcher identified as ‘biloulehibou’ earned $7,500 for discovering a double-free vulnerability in Flash, Chen Zhang of the NSFOCUS Security Team earned $5,000 for uncovering a use-after-free bug in Blink, and a researcher known as ‘cloudfuzzer’ earned $3,000 for identifying a buffer overflow flaw in PDFium, according to a Tuesday post.

Fallback to SSL 3.0 has been removed in Chrome 39, according to a Tuesday tweet by Adam Langley, senior staff software engineer at Google, who wrote in late October that SSL 3.0 will be disabled completely in Chrome 40.

In October, Google researchers uncovered a vulnerability in SSL 3.0 – known as POODLE – that could enable an attacker to intercept plaintext data from secure connections.

Via: scmagazine

New Certification Authority To Offer Free Certs For HTTPS

The Electronic Frontier Foundation’s new certificate authority aims to make getting a domain validation TLS cert so easy, you can’t resist.

The process of obtaining SSL/TLS certificates is cumbersome enough to convince many domain owners that it isn’t worth the trouble, but a new certificate authority (CA) seeks to change that and make it free of cost — making the process so quick and easy that every site will be convinced to shift from “http” to “https.”

The new CA, a nonprofit called Let’s Encrypt, was announced by the Electronic Frontier Foundation (EFF), with plans to begin issuing free domain validation certificates as soon as June 2015. The CA is a collaborative effort of researchers and developers at the EFF, Mozilla, and the University of Michigan, with support from Cisco, Akamai, and IdenTrust.

Back in 2012, Josh Aas and Eric Rescorla, co-workers at Mozilla, were discussing ideas for widely increasing the use of SSL/TLS online. “Everything was really hard,” says Aas, “unless you owned the CA.”

They brought their idea for a new CA to their employers at Mozilla, who agreed to support them as their first major sponsor. In 2013, they created the Internet Security Research Group (ISRG), which will operate the new CA. Aas is currently its executive director. They then learned that the EFF was working on similar plans and decided to team up.

The usual process for obtaining an SSL or TLS cert takes between one and three hours, according to the EFF. Let’s Encrypt reduces this time to 20-30 seconds. You don’t even need to visit the Let’s Encrypt website to get it.

Such speed requires a high degree of automation, so the researchers created ACME, a new protocol for obtaining and managing certificates. However, that automation limits what sort of verification they can do. So Let’s Encrypt will only be able to issue domain validation certs — you’ll have to go elsewhere for extended validation.

At the moment, Let’s Encrypt does not have a root certificate developed or accepted by browsers. This process could take years. In the meantime, another CA, IdenTrust, has agreed to vouch for Let’s Encrypt by cross-signing its root, thereby allowing people to obtain Let’s Encrypt certs.

Aas says Let’s Encrypt intends to start issuing certs in June 2015. “We also want more transparency about what certs are issued.” Certificates can be issued with greater confidence when a CA can see what certs have been issued by other authorities. The EFF’s Decentralized SSL Observatory, the University of Michigan’s scans.io, and Google’s Certificate Transparency logs are examples of these public cert databases, and the ISRG intends to follow suit. “We’re committed to publishing every cert we issue.”

Via: darkreading

Microsoft releases emergency patch to stymie Windows Server attacks

This critical update was one of two delayed from last week.

Microsoft today released one of its rare “out-of-band” security updates to patch a vulnerability in all versions of its Windows Server software.

Attackers have already exploited the underlying vulnerability, Microsoft acknowledged.

The update, designated MS14-068, was one of two bulletins that Microsoft withheld a week ago when it issued 14 other patch collections for Windows, Internet Explorer (IE) and Office.

On Nov. 6, Microsoft announced it planned to release 16 updates, but between then and Nov. 11’s Patch Tuesday, dropped two. One for Exchange Server — Microsoft’s enterprise-grade email server — was delayed, the company said, because of a problem with the installer package for Exchange Server 2013.

“We have discovered that in some instances, OWA [Outlook Web Access] files will be corrupted by installation of a Security Update,” the Exchange team blogged on Nov. 11. The team added that there was a workaround, but believed it “acceptable” because the problem might crop up only after the security update, and the damage to OWA, had been done.

The Exchange update was pushed back to December.

Microsoft had not explained why it had postponed what became today’s MS14-068, however, saying at the time only that the release date would be determined later.

MS14-068 quashed a critical vulnerability in all versions of Windows Server, from the to-be-retired-in-2015 Windows Server 2003 to the latest Windows Server 2012 R2. The client editions of Windows — ranging from Vista to Windows 8.1 — will also be updated by MS14-068. Although the vulnerability cannot be exploited in those versions, Microsoft is modifying Vista, Windows 7, Windows 8 and Windows 8.1 in case a future exploit technique is discovered.

The Server bug is in Microsoft’s implementation of Kerberos KDC (Kerberos Key Distribution Center), a network service that supplies temporary session keys to users and computers within a firm’s Active Directory domain. A successful exploit lets attackers impersonate anyone on the domain, including administrators, giving them full access to company secrets and data, and the right to install malicious programs.

Microsoft confirmed that attackers have already leveraged the bug. “When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability,” the company reported in MS14-068. “Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2.”

The admission got the attention of Chris Goettl, a product manager with patch management developer Shavlik. “This is pretty severe and definitely explains why Microsoft only delayed the release and did not pull it from the November Patch Tuesday release altogether,” said Goettl in a Tuesday email. “Our recommendation: include this in your patch cycle ASAP.”

Microsoft credited Qualcomm’s information security and risk management team for reporting the vulnerability, and called out Qualcomm cyber security engineer Tom Maddock in particular for his help.

After patching, IT administrators must restart their Windows Servers, and users must reboot their client PCs.

Via: networkworld

Encrypt everything, urges Internet Architecture Board

The Internet Architecture Board (IAB) has issued a sweeping directive “for protocol designers, developers, and operators to make encryption the norm for Internet traffic,” even while acknowledging that such an approach will create major obstacles for some network operations.

The statement also leaves unaddressed what will be inevitable howls of protest from the law enforcement and national security sectors, whose surveillance activities have long motivated those pushing for ubiquitous encryption.

From the IAB statement:

In 1996, the IAB and IESG recognized that the growth of the Internet depended on users having confidence that the network would protect their private information.  RFC 1984 documented this need.  Since that time, we have seen evidence that the capabilities and activities of attackers are greater and more pervasive than previously known.  The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic.  Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance as described in RFC 7258.

Issued back in May, RFC 7258 stated: “Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.”

The IAB believes it’s possible everywhere, or at least close to everywhere.

Newly designed protocols should prefer encryption to cleartext operation. There may be exceptions to this default, but it is important to recognize that protocols do not operate in isolation.  Information leaked by one protocol can be made part of a more substantial body of information by cross-correlation of traffic observation.  There are protocols which may as a result require encryption on the Internet even when it would not be a requirement for that protocol operating in isolation.

The IAB acknowledges that this will be easier said than done for some.

We acknowledge that this will take time and trouble, though we believe recent successes in content delivery networks, messaging, and Internet application deployments demonstrate the feasibility of this migration.  We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload.  For many of these activities there are no solutions yet, but the IAB will work with those affected to foster development of new approaches for these activities which allow us to move to an Internet where traffic is confidential by default.

The Internet Society Board of Trustees issued its own statement supportive of the IAB’s call.

The IAB’s statement aligns with the Internet Engineering Task Force’s (IETF) statement that pervasive monitoring, whatever the source, must be considered an attack on the Internet as well as current work across IETF working groups to strengthen protocols.

User trust is critical to the Internet’s continued growth and evolution. Realizing the IAB’s aspiration would drastically reduce the ability to eavesdrop or modify information sent over the Internet.

Via: networkworld

US State Department’s E-Mail Hacked

The U.S. Department of State is reporting “activity of concern” in parts of its e-mail system, according to several news reports, citing a senior official. It’s too early to tell if it’s a hacking attempt from a foreign nation — at least government officials aren’t willing to disclose the suspected source.

According to the Associated Press, the State Department has made an unprecedented move — shutting down its entire unclassified e-mail system while its technicians work to repair possible damage from the attack. The AP reported that the activity was discovered around the same time a hack of the White House computer network was noticed in late October. Since that time a number of agencies, including the U.S. Postal Service and the National Weather Service, have also reported attacks.

“The department recently detected activity of concern in portions of its unclassified e-mail system,” the State Department official said in a published statement. “There was no compromise of any of the department’s classified systems.”

No Stopping Them?

Eric Cowperthwaite, Vice President of Advanced Security & Strategy at computer and network security firm Core Security, told us there are a couple of important things we can learn from this news. The first is that the U.S. government is now a significant target for bad guys, and that is going to continue and probably get worse, he said.

“The fact that the bad guys are able to, presumably, breach and compromise the unclassified systems is also important to understand. That leads to the second important thing in this ongoing story about an attack against the government,” Cowperthwaite said. “Their unclassified systems are still protected by security measures, just not to the same degree as the classified ones.”

Cowperthwaite noted that most U.S. businesses protect their networks and computer systems with technology that is on par with what the U.S. government requires of unclassified systems. Since that’s the case, it’s clear that businesses, including retail, healthcare, financial services, public utilities, and municipal governments are not going to be able to stop a capable adversary, he said.

“With 90 percent of all computer networks and defenses in private hands, the risk is clearly very high. Businesses must do more to understand the threats and how they are vulnerable,” he said. “They are going to have to greatly increase their maturity and capability in the face of this ongoing threat.”

No Official Responsibility

We turned to Ken Westin, security analyst from advanced persistent threat protection firm Tripwire, to see what he had to say about the mysterious suspected hack. He told us it looked like independent or state-sponsored hacking groups in a reconnaissance phase probing government agency networks to identify vulnerabilities and the data they can access.

“Although no damage has been inflicted on these systems or data reportedly stolen, these outages could be a precursor to a more organized attack,” Westin said.

“This is the fourth agency that has announced a compromise in the past few weeks, and others may have seen similar activity, but that information has not been made public. There has not been any announced link or official attribution to the attacks at this point,” he added.

Via: enterprise-security-today

Walmart Now Price-Matches Online Retailers In Its Stores, Including Amazon And Walmart.com

Just ahead of another busy shopping season, Walmart confirmed that it has updated its price-matching policy company-wide to allow its retail stores to match the prices from nearly any online retailer, including top competitor Amazon. The new policy is meant to extend the informal price-matching store managers have already implemented at local stores, in addition to the Ad Matching policy that has Walmart matching the prices from local brick-and-mortar retailers’ advertised sales.

The company’s new policy with regard to online price matching, found here, lists dozens of top retailers’ websites, including Amazon, Babies R Us/Toys R Us, Walgreens, Petco, Best Buy, Dollar General, Family Dollar, Target, Staples, JCPenney, Home Depot, Lowe’s, Petsmart, and many more. It even includes Walmart.com, in the case that the company’s own e-commerce arm has an item on sale for less than those on Walmart’s store shelves.

The move is aimed at cutting down on the practice of “showrooming,” where consumers check out physical products at local stores, then shop for a better deal on the web. It’s a practice that has caused trouble for many traditional retailers, quite a few of which have had to close up shop or go bankrupt over the years as consumers shifted to shopping online.

Walmart tells us that the new policy only put into writing the price-matching that was already taking place in local stores, and that store managers can continue to price-match other online retailers not explicitly listed in the policy at their own discretion.

The price-matching does not involve a price-drop guarantee, however. That is, you can’t bring in proof of an online sale after the fact and get a refund for the difference. Instead, the retailer explains, the price-matching is done in real time for “like” items (same size, color, quantity, etc.). In other words, it applies to the product you’ve just googled or scanned with ShopSavvy or Amazon’s app, for example, while standing in the aisle.

The change comes at a time when the retailer has been feeling the pressures of Amazon and others’ advances in the e-commerce space. Walmart recently announced another quarter without growth, and cut its profit forecasts in part due to its efforts in increasing its e-commerce capabilities, including the addition of new fulfillment centers designed to expand support for next-day deliveries.

Via: techcrunch

Apple downplays iOS Masque bug threat

Apple is attempting to downplay the threat posed by a vulnerability in iOS that enables so-called Masque Attacks, by saying it is not aware of any users being affected.

According to security firm FireEye, the flaw enables legitimately downloaded apps to be replaced by malicious software, downloaded after the initial app install by clicking on a malicious link.

Researchers said the malicious links can be contained in text messages or emails that appear to come from a legitimate source and invite the recipient to click on a link to update an app.

But instead of carrying out an update, the link downloads a malicious app that replaces a legitimate app, such as those used for banking or email.

That means the attacker can steal users’ banking credentials by replacing an authentic banking app with malware that looks just like the app it has replaced.

Researchers said the Masque Attack threat was greater than that of the WireLurker malware, which is mainly targeting iOS users in China.

But Apple claims the default security settings of iOS and OS X are enough to defend against attacks attempting to exploit the vulnerability identified by FireEye.

“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software.

“We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps.

“Enterprise users installing custom apps should install apps from their company’s secure website,” Apple said in a statement.

Apple’s assurances follow a warning by the US Computer Emergency Readiness Team (US-Cert), which said attackers could substitute malware for a legitimate iOS app under a limited set of circumstances.

“In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link,” US-Cert said.

The warning said Masque Attacks take advantage of a security weakness that allows an untrusted app – with the same “bundle identifier” as that of a legitimate app – to replace the legitimate app on an affected device, while keeping all of the user’s data associated with the app it has replaced to avoid suspicion.

“This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier,” the US-Cert said, noting Apple’s own iOS platform apps are not vulnerable.

The US-Cert said iPhone and iPad users can protect themselves from Masque Attacks by downloading apps only from the official Apple App Store and official company app stores.

The US-Cert also advises against clicking install on a third-party pop-up when viewing a web page.

“When opening an app, if iOS shows an ‘Untrusted App Developer’ alert, click on ‘Don’t Trust’ and uninstall the app immediately,” the advisory said.
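The policy weakness US-CERT describes, modelled as an added example that is not code from the article, US-CERT, FireEye or Apple: a weak install rule that checks only the bundle identifier, beside a hardened rule that also requires a matching signing identity, plus an inventory audit a defender could run over a device’s installed apps. All bundle identifiers, team names and the inventory are constructed, and `signing_team` is an assumed stand-in for the identity in the signing certificate.

```python
# Added example: a model of the install-time decision behind the Masque Attack
# described above.  Nothing here is iOS code; it shows the difference between
# keying the "replace installed app" decision on the bundle identifier alone
# and additionally requiring the same signing identity.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AppPackage:
    bundle_id: str      # e.g. "com.examplebank.mobile" (constructed value)
    signing_team: str   # assumed stand-in for the certificate that signed the package
    source: str         # constructed label: "app_store", "enterprise" or "web_link"


def weak_replace_allowed(installed: AppPackage, incoming: AppPackage) -> bool:
    """Weak behaviour per the advisory: a matching bundle identifier is all it
    takes for the incoming package to replace the app already installed."""
    return installed.bundle_id == incoming.bundle_id


def hardened_replace_allowed(installed: AppPackage, incoming: AppPackage) -> bool:
    """Hardened policy: the bundle identifier must match AND the package must be
    signed by the same identity as the installed app."""
    return (installed.bundle_id == incoming.bundle_id
            and installed.signing_team == incoming.signing_team)


def apply_update(installed: AppPackage, incoming: AppPackage,
                 policy: Callable[[AppPackage, AppPackage], bool]) -> AppPackage:
    """Return whichever package is left on the device after the update attempt."""
    return incoming if policy(installed, incoming) else installed


def audit_inventory(inventory: List[AppPackage],
                    expected_teams: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Defender-side check over an installed-app inventory: report every app
    whose bundle identifier is one we track but whose signing identity is not
    the one expected.  Returns (bundle_id, observed_team, expected_team)."""
    findings = []
    for app in inventory:
        expected = expected_teams.get(app.bundle_id)
        if expected is not None and app.signing_team != expected:
            findings.append((app.bundle_id, app.signing_team, expected))
    return findings


# Constructed sample data: a legitimate banking app and a look-alike delivered
# through a phishing link that reuses the same bundle identifier.
LEGIT_BANK = AppPackage("com.examplebank.mobile", "ExampleBank Team", "app_store")
FAKE_BANK = AppPackage("com.examplebank.mobile", "Unknown Enterprise Team", "web_link")

# Constructed allow-list of which signing identity each tracked bundle id should have.
EXPECTED_TEAMS = {
    "com.examplebank.mobile": "ExampleBank Team",
    "com.examplemail.client": "ExampleMail Team",
}

# Constructed inventory as an MDM-style export might present it.
SAMPLE_INVENTORY = [
    AppPackage("com.examplebank.mobile", "Unknown Enterprise Team", "web_link"),
    AppPackage("com.examplemail.client", "ExampleMail Team", "app_store"),
    AppPackage("com.examplecorp.internal", "ExampleCorp Team", "enterprise"),
]

if __name__ == "__main__":
    kept_weak = apply_update(LEGIT_BANK, FAKE_BANK, weak_replace_allowed)
    kept_hard = apply_update(LEGIT_BANK, FAKE_BANK, hardened_replace_allowed)
    print("weak policy keeps package signed by:", kept_weak.signing_team)
    print("hardened policy keeps package signed by:", kept_hard.signing_team)
    for finding in audit_inventory(SAMPLE_INVENTORY, EXPECTED_TEAMS):
        print("bundle identifier collision:", finding)
```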

Via: computerweekly