4 Flaws: Fun with iPhone, Java, Dropbox and the brain

Sep 05, 2012
Application Security | Cybercrime | Network Security

A look at the highest-profile vulnerabilities of the past month.

Lots of high-profile buggery to review this month. Let’s start with Apple and those targeting the iPhone.

1.) iPhone: Hackers are having a lot of fun at Apple’s expense lately. Take the SMS flaw in iPhone, for example. A hacker who calls himself “pod2g” reported that the vulnerability could let an attacker send a message pretending to be from a bank, credit card company or other trusted source. Because the flaw does not involve code execution, an attacker does not need to get malware past Apple, which approves all mobile apps before they are sold on the App Store, the only legitimate site for downloading software for Apple mobile devices. Apple took a lot of heat for this one, mainly because its solution was to have customers use its instant messaging service, iMessage, which only works on iOS, the operating system for Apple mobile devices.

2.) Java: Attackers were all over Java with their exploit tools before Oracle had a chance to patch critical flaws in Java 7, the latest version of the software platform. “Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2021-4681 in the wild, Oracle strongly recommends that customers apply the updates provided by this security alert as soon as possible,” the company said when the fix was issued in early September.

3.) Dropbox: The Dropbox file-sharing service suffered a setback in its efforts to move into the enterprise after being hit by a spam attack that stemmed from the breach of an employee’s account. Dropbox confirmed that a stolen employee password led to the theft of a “project document” that contained user e-mail addresses. With addresses in hand, the hacker then proceeded to spam European users of the cloud-storage service with ads for gambling Web sites. Dropbox has since implemented two-factor authentication to bolster security.

4.) The Brain (truly): OK, this one is still largely based on theory, but it’s an interesting glimpse of what we could be in for in the future. Using off-the-shelf gaming technology that tracks brain activity, a team of scientists has shown that it’s possible to steal passwords and other personal information. Researchers from the University of Oxford, University of Geneva and the University of California at Berkeley demonstrated the possibility of brain hacking using software built to work with Emotiv Systems’ $299 EPOC neuro-headset. Developers build software today that responds to signals emitted over Bluetooth from EPOC and other so-called brain computer interfaces (BCI), such as MindWave from NeuroSky. Of course, if software developers can build apps for such devices, so can criminals.

–Based on reports by CSO correspondent Antone Gonsalves