Yes, this week’s Threat Of The Week is all about passwords, and more specifically two password-related stories to raise your paranoia levels, if that is possible.
Firstly, it has been revealed this week that in October 2014, security researchers from three separate universities, one of them especially worrying (we will leave it for you to decide which), namely Indiana, Peking and Georgia Institute of Technology, uncovered a very serious set of issues with Apple’s OS X which enable full access to credentials stored in your Keychain.
The modus operandi of the attacks involved developing attack applications, which were uploaded to the App Store, bypassing Apple’s usually rigorous checks. Upon download, these applications used some zero-day techniques to break out of the application sandbox and steal credentials from other applications.
Although Apple asked for six months’ silence before disclosure, the flaws do not appear to have been rectified. In fact, Google has removed Keychain integration, so you can be sure this is a credible threat.
The best advice is, as usual, do not download applications from unknown developers EVEN from Apple and watch out for forthcoming patches.
In other password news, the password management company LastPass announced it had been hacked earlier this week, although if you have strong passwords, it is unlikely they will be compromised. Weak passwords, however, will be vulnerable, so if you use this service, change your passwords just to be safe.
As with last week’s Threat Of The Week, user education is paramount in the frontline of protection against exploitation and we urge you to run regular awareness and education campaigns for your people.
If you would like to discuss user awareness training, or indeed anything security related, we would be more than happy to talk to you. Please contact us on: [email protected]