Right now we’re gearing up for the big show at Infosecurity Europe, starting 29 April, and we’re also planning a big product announcement that you’ll want to hear about — so stay tuned.
Sophos security experts have been talking a whole lot about data security in the wake of the Heartbleed security hole, and we had a very special guest writing for our blog this week to talk about encryption.
And, there’s been plenty of interesting security news this past week, including a mysterious malware known as Unflod Baby Panda that’s been infecting jailbroken iOS devices. Plus, Apple pushed out a bunch of security fixes for OS X, iOS and Apple TV.
Jailbreaking your iPhone? Watch out for Unflod
Apple’s operating system for iPhones, iPads and iPods, called iOS, is typically praised for being more secure than Android, and with good reason — SophosLabs has seen more than 650,000 malware samples for Android, the majority of them from just the past year.
Malware for iOS is still extremely rare, but it does exist. Recently, a group of Redditors discovered that jailbroken iOS devices were being attacked by malware that steals Apple IDs.
Paul Ducklin, senior security analyst at Sophos, reported that the malware, mysteriously called Unflod Baby Panda, gets to peek at confidential data before it is encrypted for transmission.
This is a good reminder that you should think twice (or three times) before jailbreaking your Apple device — if a crook gets their hands on your Apple ID, for example, they can use your account to buy apps from iTunes.
Is Apple serious about security?
We’ve often been critical of Apple for its bad security habits. There’s its lack of a regular update schedule, a tendency to push out security fixes many months after the flaws were reported, and — what’s worse — Apple isn’t telling us which versions of OS X for the Mac are still being supported.
Maybe they’ve been listening to us down in Cupertino, because Apple released two batches of security fixes this month, including a big one this week for iOS, OS X, and Apple TV.
Unfortunately, as Paul Ducklin reported at Naked Security, some of the security bugs fixed in this week’s batch of updates have been around for a long time.
“Sadly, some of the security holes fixed in this round of updates have been present since last year, and probably should have been patched long ago, during previous updates,” Duck writes.
PCI DSS version 3.0 explained
For many organizations who process and store credit card information, data security is increasingly burdensome and worrying. Never fear — if you’re required to comply with the Payment Card Industry Data Security Standards (PCI DSS), we can help you understand the standards and how to meet the requirements.
Sophos senior security expert John Shier has taken a close look at version 3.0 of PCI DSS and tells us what’s changed since the previous version.
John knows the standards so well he can even debate himself over how effective they are.
Check out his dual columns on PCI DSS at Naked Security: PCI DSS — Why it works, and PCI DSS — Why it fails.
Heartbleed and encryption — the first line of defense
Everyone has been rightly concerned about password security since the discovery of the Heartbleed bug in OpenSSL.
Because OpenSSL is used by websites to encrypt data traffic on the web, Heartbleed means that crooks and spies would have been able to access sensitive data like passwords that we thought were safe.
Well, there’s only one way to beat security holes like Heartbleed for sure — encrypting your data before it goes out over the web.
This week, we had a very special guest writer on our blog — Charles Kolodgy, research VP for security products at IDC — who explained how businesses can manage encryption centrally.
As Kolodgy writes, encryption is “your first line of defense” against accidental loss or theft of data. Check out his article here.
Sophos Security Chet Chat #144: iOS malware, fingerprint security, WhatsApp privacy, hacking the taxman
In this week’s Chet Chat podcast, Sophos experts Chester Wisniewski and Paul Ducklin discuss the Unflod malware for iOS, plus stories about hacking the fingerprint sensor on the Samsung Galaxy S5, another data security blunder by WhatsApp, and an arrest for hacking the Canadian tax agency using Heartbleed.
60 Second Security: LibreSSL, Linux Foundation, Play Store refunds, and Viber shabbiness
Paul Ducklin reviews the news of the week in just about a minute.
Stories covered in this week’s video:
- Anatomy of a data leakage bug – the OpenSSL “heartbleed” buffer overflow
- LibreSSL aims to prevent the next Heartbleed
- More post-Heartbleed love/cash for OpenSSL
- Google refunds Android users who bought fake Virus Shield app
- Here we go again: Viber mobile messenger app leaves user data unencrypted
Keep up with Sophos news
You can get all the latest Sophos related news right here. Sign up for our Sophos Blog newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.
Sophos UTM and Mobile Control – Better together for Mobile NAC | Sophos Blog
[…] a wealth of information about the compliance status of your mobile devices. They could have been jailbroken, have potentially malicious apps installed, or just need to sync with the server. Sophos UTM can […]