Another big week for Sophos has just gone by, and our heads are still spinning. We presented ground-breaking research at not one but two big tech conferences this week — Mobile World Congress and RSA Conference 2014. We also gave RSA attendees a taste of our exciting World of Warbiking tour, launched this week in San Francisco.
On the security news front, Apple’s buggy code left OS X Mavericks users exposed over the weekend and into this week, until a patch finally came out on Tuesday. So one of our experts made his own unofficial patch to show us what caused the security loophole, and how it should be fixed.
World of Warbiking: San Francisco edition
Our security expert and cycling enthusiast James Lyne took to the (very hilly) streets of San Francisco at the start of our World of Warbiking tour, launched this week at RSA. James used special equipment to detect wireless hotspots everywhere he went in this hyper-connected city, in an effort to see how much information people give away about themselves unwittingly. The results were somewhat shocking.
When we set up an open Wi-Fi network in San Francisco, 1,512 users happily connected to it without any idea whether we were honest people or out to do harm. As James explains in his blog post about the warbiking project, once you connect to a network its owner is in a position to meddle with your traffic: to inject code into what your computer receives, or to redirect you to a malicious website.
And just because wireless security has been an issue for many years doesn’t mean it’s been resolved.
“As security professionals, we should not ignore painfully old hacks and problems such as these,” James tells TomsGuide.com. “It’s still a real issue in the real world.”
Apple’s “goto fail” fail
Apple released a security patch for iOS last Friday, which is not unusual. But security researchers noticed over the weekend that the same security bug affecting iOS was left unpatched in OS X 10.9, putting Mavericks users at risk of attack. It took a few days for Apple to get a patch out, during which time our security expert Paul Ducklin created his own unofficial patch.
Duck reported at Naked Security that the buggy code could allow users of Mac OS X 10.9 (Mavericks) to be tricked by cybercriminals into accepting SSL/TLS certificates that ought to be rejected. The bug occurred when an Apple programmer accidentally repeated the line “goto fail”. The second copy was not guarded by any condition, so it always jumped to the end of the function while the error variable still held the “success” value from the step before it; the signature check that should have followed was never reached, so the check was silently bypassed.
“The bug was caused by a line of C code that says ‘goto fail,’ which was a self-descriptive irony too amusing to ignore,” Duck wrote, as reported by InformationWeek.
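To make the shape of the mistake concrete, here is an added illustration (written for this post, not Apple’s code, and not Duck’s patch). The hash and signature routines are toy stand-ins with made-up names; what matters is the control flow: in the buggy function the duplicated, unconditional `goto fail` fires right after a step that succeeded, so `err` is still 0 when the function returns, and a signature the attacker simply made up is reported as valid. The fixed version keeps one `goto` per check and uses braces, so a stray line can no longer escape its `if`. Modern GCC flags exactly this pattern with `-Wmisleading-indentation`; the pragma keeps the original indentation visible without the warning.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the "goto fail" pattern. NOT Apple's code:
 * hash_update/hash_final/verify_against are hypothetical toy stand-ins for
 * the real hashing and signature-verification calls.
 */

typedef struct {
    unsigned int state;   /* toy running "hash", not a real digest */
} hash_ctx;

/* Toy stand-in for a hash update: folds the input length into the state. */
static int hash_update(hash_ctx *ctx, const char *data)
{
    ctx->state = ctx->state * 31u + (unsigned int)strlen(data);
    return 0;   /* 0 = success, as in the normal case of the real call */
}

/* Toy stand-in for a hash finalisation: emits the running value. */
static int hash_final(const hash_ctx *ctx, unsigned int *out)
{
    *out = ctx->state;
    return 0;
}

/* Toy stand-in for the signature check: a "signature" is simply the value
 * an honest party's hash would produce. Returns 0 if valid, -1 if not. */
static int verify_against(unsigned int hash_out, unsigned int signature)
{
    return hash_out == signature ? 0 : -1;
}

/* What an honest server would send for these inputs (used by the caller
 * to build a genuine signature for comparison). */
unsigned int expected_signature(const char *server_random, const char *signed_params)
{
    hash_ctx ctx = {0};
    unsigned int out = 0;
    hash_update(&ctx, server_random);
    hash_update(&ctx, signed_params);
    hash_final(&ctx, &out);
    return out;
}

/* The buggy shape. The second "goto fail" is indented like the first but
 * belongs to no if: it always runs, and err is still 0 from the update()
 * that just succeeded, so the caller sees "signature valid". */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wmisleading-indentation"
int verify_buggy(const char *server_random, const char *signed_params, unsigned int signature)
{
    int err;
    hash_ctx ctx = {0};
    unsigned int hash_out = 0;

    if ((err = hash_update(&ctx, server_random)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, signed_params)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: unconditional, err == 0 here */
    if ((err = hash_final(&ctx, &hash_out)) != 0)   /* never reached */
        goto fail;
    err = verify_against(hash_out, signature);      /* never reached */
fail:
    return err;
}
#pragma GCC diagnostic pop

/* The fixed shape: one goto per check, every branch braced. */
int verify_fixed(const char *server_random, const char *signed_params, unsigned int signature)
{
    int err;
    hash_ctx ctx = {0};
    unsigned int hash_out = 0;

    if ((err = hash_update(&ctx, server_random)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&ctx, signed_params)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&ctx, &hash_out)) != 0) {
        goto fail;
    }
    err = verify_against(hash_out, signature);
fail:
    return err;
}

int main(void)
{
    unsigned int forged = 0xdeadbeefu;   /* attacker never had the signing key */
    printf("buggy accepts forged signature: %s\n",
           verify_buggy("server-random", "dh-params", forged) == 0 ? "yes" : "no");
    printf("fixed accepts forged signature: %s\n",
           verify_fixed("server-random", "dh-params", forged) == 0 ? "yes" : "no");
    return 0;
}
```

The toy hash is deliberately trivial; swap in a real digest and signature check and the control-flow lesson is unchanged: an early-exit `goto` that is not tied to an error condition turns "I could not verify this" into "verified".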
As our security expert Maxim Weinstein pointed out in a blog post at Dark Reading, this incident is bad news for the 20% of Mac users running OS X Snow Leopard, which Apple is no longer protecting with security updates.
“As additional vulnerabilities are discovered and more developer signing certificates are stolen, Snow Leopard will become more and more susceptible to malicious activity,” Max writes.
Android malware surged 600% in 2013
At Mobile World Congress in Barcelona this week, we released our first Mobile Security Threat Report, written by SophosLabs threat researcher Vanja Svajcer, showing that Android malware has grown by 600% in the past year. In the 10 years since the first mobile malware appeared in 2004, mobile malware, now overwhelmingly aimed at Android devices, has become far more sophisticated.
It shouldn’t come as much of a surprise that cybercriminals are now targeting Android. With smartphone subscriptions reaching more than 7 billion this year, mobile platforms are where the action is.
“Massive expansion in the smart device market has spurred the development of mobile phone malware, especially when it comes to Android-based gadgets,” according to Channelnomics.
Naked Security wins at Security Blogger Awards
We almost forgot to mention that we won some big awards this week too. Our security news and expert opinion blog Naked Security won a huge prize at the Security Blogger Awards, taking home the award for the blog that “best represents the security industry.” So thanks to everyone who voted for us; and to the whole team of writers at Naked Security, well done.
Not a bad week!
Stay in the know
Never miss a beat with the latest news, opinion and advice from our experts. Sign up for our Sophos Blog newsletter by filling in your email address at the top of the page (you can receive notifications after each post, or on a daily or weekly basis).