A look at the highest-profile vulnerabilities of the past month. Lots of high-profile bugs to review this month. Let's start with Apple and those targeting the iPhone.

1.) iPhone: Hackers are having a lot of fun at Apple's expense lately. Take the SMS flaw in the iPhone, for example. A hacker who calls himself "pod2g" reported that iOS shows the optional reply-to address carried in a text message's header as if it were the sender, and hides the real originating number. An attacker who sets that field can therefore send a message that appears to come from a bank, credit card company or other trusted source. Because the flaw does not involve code execution, an attacker does not need to get malware past Apple, which approves all mobile apps before they are sold on the App Store, the only legitimate site for downloading software for Apple mobile devices. Apple took a lot of heat for this one, mainly because its solution was to have customers use its instant messaging service, iMessage, which only works on iOS, the operating system for Apple mobile devices, and does nothing for an ordinary text arriving from any other phone.

2.) Java: Attackers were all over Java with their exploit tools before Oracle had a chance to patch critical flaws in Java 7, the latest version of the software platform. "Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 in the wild, Oracle strongly recommends that customers apply the updates provided by this security alert as soon as possible," the company said when the fix was issued in early September.

3.) Dropbox: The Dropbox file-sharing service suffered a setback in its efforts to move into the enterprise after being hit by a spam attack that stemmed from the breach of an employee's account. Dropbox confirmed that an employee password, stolen from another website and reused on Dropbox, led to the theft of a "project document" that contained user e-mail addresses. With addresses in hand, the hacker then proceeded to spam European users of the cloud-storage service with ads for gambling Web sites. Dropbox has since implemented two-factor authentication to bolster security; applied to employee accounts, the same control would have blunted the reused password.

4.) The Brain (truly): OK, this one is still largely based on theory, but it's an interesting glimpse of what we could be in for in the future. Using off-the-shelf gaming technology that tracks brain activity, a team of scientists has shown that it's possible to steal passwords and other personal information. Researchers from the University of Oxford, the University of Geneva and the University of California at Berkeley demonstrated the possibility of brain hacking using software built to work with Emotiv Systems' $299 EPOC neuro-headset: by flashing images such as bank logos, PIN digits and maps at a subject while reading the headset's EEG output for the brain's recognition response, they could guess which item the subject knew noticeably better than chance. Developers today build software that responds to signals emitted over Bluetooth from EPOC and other so-called brain-computer interfaces (BCI), such as MindWave from NeuroSky. Of course, if software developers can build apps for such devices, so can criminals.

–Based on reports by CSO correspondent Antone Gonsalves