Major Vulnerability for iOS with Mailbox.app

Mailbox.app is an email application for iOS devices that was recently acquired by Dropbox less than a month after it launched.

According to this blog post by Miki Spag, Mailbox.app will execute any JavaScript included in the body of an email. Spag writes that this vulnerability “allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploiting framework, potentially much worse things.”

In the video below, Spag demonstrates how simple it is to execute JavaScript code from within the app.

Currently Mailbox is available only for iOS and works only with Gmail, but it is built to help users reach “Zero Inbox.”

Until the Mailbox developers are able to patch this substantial vulnerability, Roboscan recommends that iOS users fall back to the native Mail app or to Gmail’s iOS app.
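As an added illustration (not Mailbox’s code and not from Spag’s post), the allow-list sanitizer below shows the kind of filtering a mail client should apply to an HTML body before handing it to a WebView: script-bearing elements are dropped together with their contents, on* event-handler attributes and javascript: links are stripped, and remote images are removed because they double as read-tracking beacons. The hostile message body is constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
# Elements whose content is code or loads remote objects: dropped with their contents.
DROP = {"script", "style", "iframe", "object", "embed", "applet", "link", "meta"}
# Allow-list of presentational tags; others are removed but their text is kept
# (img is deliberately absent: remote images double as read-tracking beacons).
ALLOWED = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "div",
           "span", "blockquote", "table", "tr", "td", "th", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "td": {"colspan"}, "th": {"colspan"}}

def safe_url(value):
    # Drop whitespace/control chars first so "java\tscript:" cannot dodge the scheme check.
    v = "".join(c for c in (value or "").lower() if c.isprintable() and not c.isspace())
    return v.startswith(("http://", "https://", "mailto:"))
class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = []
            for name, value in attrs:
                # on* handlers and javascript: links are the script vectors in an e-mail body
                if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                    continue
                if name == "href" and not safe_url(value):
                    continue
                kept.append(f' {name}="{escape(value or "")}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_email_html(body):
    p = EmailSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)

# Constructed hostile message body (not a real e-mail) mixing the vectors above.
SAMPLE = ('<p onmouseover="track()">Hi <b>there</b></p><script>alert(document.cookie)</script>'
          '<a href="javascript:alert(1)">click</a><a href="https://example.com/unsubscribe">unsubscribe</a>'
          '<img src="https://tracker.example/pixel.gif" onerror="x()">')
```

Running `sanitize_email_html(SAMPLE)` leaves only the paragraph, the two links (the javascript: one with its href removed) and no script, handler or tracking pixel; a real client should additionally disable JavaScript in the WebView itself rather than rely on sanitising alone.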

iPhone5S TouchID – Hacked

The generous slew of pledged rewards goes to Starbug of the Chaos Computer Club (CCC) from Germany.

Starbug of CCC Hacks iPhone5S Touch ID

A few days before Apple released the iPhone 5S, security researchers Nick Depetrillo, Robert David Graham, et al. challenged other security researchers and hackers to hack Apple’s new security measure, Touch ID, a fingerprint sensor (here’s a link to that blog post if you want to read the details). The announcement was made on Twitter, with guidelines, and the rewards were pledged by various techies all over the world on a website.

The contest started when Apple released the iPhone 5S on September 20th. The hackers say the sensor for the Touch ID is identical to any other sensor. Bypassing the system can be done very easily with everyday tools. All you need is a camera, a laser printer, and some wood glue.

1. Enroll a fingerprint

2. Photograph the enrolled user’s fingerprint with 2400 dpi resolution

3. Clean up the image, invert, print the fingerprint on a transparent sheet with a thick toner setting, with 1200 dpi resolution

4. Smear wood glue over the print on the transparent sheet. Wait until the wood glue cures.

5. Lift the wood-glue print carefully, and breathe onto it to add moisture (just enough to replicate the moisture of a human finger)

6. Place print on the sensor and unlock the enrolled user’s iPhone 5S

Roboscan offers our congratulations to Starbug for successfully hacking Apple’s security method without cutting off any limbs or taking advantage of the user. How do you think this information will influence the future of security measure development?

Related Reading: http://gizmodo.com/hackers-iphone-5s-fingerprint-security-is-not-secure-1367817697

iPhone 5S Feature becomes New Target for Hackers

A couple of days ago, Apple released information about the upcoming release of the iPhone 5S. Of the updates implemented in the newest version, the embedded fingerprint sensor feature called “Touch ID” has grabbed the attention of people all over the world, including hackers.

Security researchers Nick Depetrillo, Robert David Graham, Dan Kaminsky and others were talking about the safety of the fingerprint sensor on Twitter when Mr. Depetrillo decided to post a challenge.

Nick Depetrillo announces hack challenge on Twitter

Soon after, istouchidhackedyet.com was created. More security researchers and hackers pitched in, offering more incentives. The grand prize for the first person to “enroll print, place it, lift it, reproduce it, use the reproduction to unlock the phone without being locked. Video”, the basic conditions dictated by Depetrillo’s tweet, is now over $13,000, a couple of bottles of wine and hard liquor, and even books.

With the iPhone 5S due to launch this Friday, the competition hasn’t begun yet. But once hackers get their hands on the iPhone 5S, who knows what the coming weekend will bring?

Related reading: Hackers Set Sights on iPhone 5S Fingerprint Scanner


Microsoft Releases IE Fix for Browser Attack Prevention

Yesterday, Microsoft released a preventative fix for Internet Explorer after hackers discovered a zero-day exploit. Without releasing further information on the newly discovered vulnerability, Microsoft has urged its users to install the aptly dubbed “Fix It” as soon as possible, or to stop using Internet Explorer entirely until it is able to release a browser update.

Hackers are likely working on reverse-engineering the Fix It, so it is only a temporary mitigation for the exploit.

This exploit appeared at a time when Internet Explorer has been showing an increase in market share.

Net Applications' August 2013 browser data for personal computers shows a Chrome decline.

(Credit: Net Applications)

Internet Explorer currently accounts for 56.61 percent of desktop browsers.

Microsoft plans to release Internet Explorer 11 in October. The release preview for Windows 7 will be available later this week.

Shadow IT, Good or Bad?

Is Shadow IT Good or Bad?

Some of you might or might not have heard of the term “Shadow IT.” It refers to technology that is not formally supported or built by the company: systems and devices that are not part of the company’s core IT solution or its managed mobile devices.

Bring-your-own-device (BYOD) policies are becoming more common in the working environment, especially in start-up businesses. However, there are pros and cons.

On the bright side…

Shadow IT can be an important source of innovation for an organization. Some of that technology may later become an officially approved solution for the company. Meanwhile, if employees are allowed to bring their personal mobile devices to work, it may actually improve the efficiency of internal information and data exchange. Employees can back up files, keep a copy on their personal devices or upload them to the cloud, and then access the documents later, anytime and anywhere, which greatly increases the efficiency of the organization.

On the flip-side…

Risk management becomes more difficult. BYOD does increase convenience for employees and is beneficial to the company in some ways; however, it brings with it the risk of confidential documents leaking out.

Some applications or devices outside of company approval may not have strong security support. Meanwhile, they make it hard for the company to keep track of its data.

Some organizations make their files available read-only, so that employees can only make copies of a document but not change it. However, employees may be frustrated by the restrictions on their devices or by limited access to data; as a result, work efficiency decreases.

In the end, is Shadow IT or BYOD good or bad? There is no absolute right answer to this question. BYOD has a positive influence on the growth of a company; nevertheless, a thorough risk-management plan is a must.

If you own a company or an organization, will you give the green light to a BYOD policy?