BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Most Versions of Android have SMiShing Vulnerability

Posted November 5, 2012    Bobby DeSimone and Scott Ellis

Researchers at NC State University have discovered a vulnerability that allows a zero-permission App to fake SMS messages and thus lead to potential SMS Phishing (or SMiShing).   By creating fake SMS messages from legitimate looking sources, a mal-ware app could fool a user into clicking on a link to a rogue site with the intension of phishing for personal information.  While this process is not new and even Apps that create fake SMS messages have been around for while, this vulnerability allows an App to do so without asking for any SMS permission.

Google has confirmed this vulnerability as of 11/1/2012 and promised a fix/update in future Android versions. Affected versions of Android include Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x), and Jelly Bean (4.1).  Researchers even confirmed it all the way back to Android 1.6.

As more unfolds on this issue, we’ll keep you updated. In the meantime, please watch the “SMiShing Vulnerability Demo in Android” video below.

Tags:
, , , , , , , ,

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,