{"id":4381,"date":"2014-04-04T12:50:47","date_gmt":"2014-04-04T16:50:47","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=4381"},"modified":"2020-02-27T03:41:19","modified_gmt":"2020-02-26T16:41:19","slug":"a-week-in-the-news-april-1","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/a-week-in-the-news-april-1\/4381\/","title":{"rendered":"A Week in the News &#8211; April 1"},"content":{"rendered":"<p>We begin our synopsis of this week by looking forward to next week when Microsoft will \u2013 at long last \u2013 discontinue its support of the once ubiquitous, forever vulnerable, and still widely deployed Windows XP operating system. More on that next week.<\/p>\n<p>As for the things that actually happened this week: we\u2019ve got more news from Bitcoin; security concerns regarding the Tesla S; insights into the global phishing game; fixes for Apple\u2019s Safari browser; bugs in a Philips Smart TV and more.<\/p>\n<p><a href=\"http:\/\/www.reuters.com\/article\/2014\/04\/01\/us-bitcoin-mtgox-karpeles-idUSBREA3021920140401\" target=\"_blank\" rel=\"noopener nofollow\">According to a Reuters report,<\/a> a federal judge in the American state of Texas has ordered Mt. Gox chief executive Mark Karpeles to travel to the U.S. and answer questions about the Bitcoin exchange\u2019s bankruptcy filing. Mt. Gox \u2013 once the world\u2019s largest exchanger of the Bitcoin digital crypto-currency \u2013 shut down in February after losing a reported $400 million and subsequently filed for bankruptcy. Karpeles reportedly filed for Chapter 15 bankruptcy protection at the same Texas court to which he has been summoned in order to avoid a class action lawsuit filed in Chicago. 
The Texas judge believes that if Karpeles would like to seek protection from his court, then he ought to come and stand before it.<\/p>\n<p><a href=\"https:\/\/threatpost.com\/wifi-bug-plagues-philips-internet-enabled-tvs-2\/105134\" target=\"_blank\" rel=\"noopener nofollow\">According to my colleague Chris Brook from Threatpost<\/a>, certain versions of Philips\u2019 popular internet-enabled SmartTVs contain a vulnerability that could give an attacker the ability to access potentially sensitive information within the TV\u2019s system and configuration files as well as any files that may be on a USB stick connected to the TV itself. If the user happens to be browsing the Internet on the very same TV, an attacker could pilfer cookies and use them to access certain websites or online accounts. The problem has to do with a WiFi feature called Miracast, which is enabled by default with a preset and fixed password. This password allows anyone within range of the device\u2019s WiFi adapter to connect to the TV and access its many features.<\/p>\n<p>One of my other colleagues at Threatpost, Dennis Fisher, reported that <a href=\"https:\/\/threatpost.com\/researcher-identifies-potential-security-issues-with-tesla-s\/105146\" target=\"_blank\" rel=\"noopener nofollow\">the popular, high-end, all-electric Tesla S automobile deploys a weak, single-factor authentication system<\/a> for a mobile app that lets users unlock their vehicle and more. Researcher Nitesh Dhanjani found that when new owners sign up for an account on the Tesla site, they must create a six-character password. That password is then used to log in to the iPhone app. The app gives owners the ability to manipulate the door locks, the suspension and braking system and sunroof. The real problem here is that there is no limit on login attempts, meaning that an attacker can perform brute-force attacks against a relatively short password. 
Six characters are easily breakable in a system with no login attempt limits.<\/p>\n<p>In passing, I\u2019d like to remind any Apple users that the Cupertino, California computer giant issued more than <a href=\"https:\/\/threatpost.com\/apple-fixes-more-than-25-flaws-in-safari\/105197\" target=\"_blank\" rel=\"noopener nofollow\">25 security vulnerability fixes to its Safari browser<\/a>. Some of these bugs are quite serious, so you should update that browser if you haven\u2019t done so already.<\/p>\n<p>Our researcher friends at Securelist released the first part of their look into the dark world of financial cyber-threats in 2013. Part one is <a href=\"http:\/\/www.securelist.com\/en\/analysis\/204792330\/Financial_cyber_threats_in_2013_Part_1_phishing\" target=\"_blank\" rel=\"noopener nofollow\">an extensive analysis of the global phishing environment<\/a>. In brief, they found that 31 percent of all phishing attacks in 2013 targeted financial institutions. Some 22 percent of all attacks involved fake bank websites, which is double their finding for the previous year, 2012, in which only 11 percent of such attacks deployed fake banking websites. Just under 60 percent of banking phishing attacks exploited the brands of only 25 international banks, with the remaining 40 percent exploiting the brands of more than 1000 banks.<\/p>\n<p>In closing, <a href=\"http:\/\/www.bbc.com\/news\/technology-26879185\" target=\"_blank\" rel=\"noopener nofollow\">I point you toward the BBC<\/a>, which is reporting that a five-year-old boy from San Diego, California uncovered a flaw in the popular XBOX Live online gaming platform that allowed him to log into his father\u2019s account without the correct password. The boy, Kristoffer Von Hassel, attempted to log into his father\u2019s XBOX Live web account. When he entered the wrong password, he was prompted to enter it again. He hit spacebar, and, like magic, he was in.<\/p>\n<p>\u201cI got nervous. 
I thought [my dad] was going to find out,\u201d Kristoffer told a local television station, KGTV. \u201cI thought someone was going to steal the Xbox.\u201d<\/p>\n<p>The BBC says that Kristoffer\u2019s father, who works in security, reported the details of the bug to Microsoft. In turn, Microsoft fixed the bug and thanked the boy for his help.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We begin our synopsis of this week by looking forward to next week when Microsoft will \u2013 at long last \u2013 discontinue its support of the once ubiquitous, forever vulnerable,<\/p>\n","protected":false},"author":42,"featured_media":4383,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[580,374,581,38,574,76,97,579],"class_list":{"0":"post-4381","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-automobile-security","9":"tag-bitcoin","10":"tag-hacking-cars","11":"tag-microsoft","12":"tag-news-2","13":"tag-phishing","14":"tag-security-2","15":"tag-tesla"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/a-week-in-the-news-april-1\/4381\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/a-week-in-the-news-april-1\/3277\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/a-week-in-the-news-april-1\/3145\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/a-week-in-the-news-april-1\/3566\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/a-week-in-the-news-april-1\/4381\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/a-week-in-the-news-april-1\/3218\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/a-week-in-the-news-april-1\/4381\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/automobile-security\/","name":"automobile 
security"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/4381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=4381"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/4381\/revisions"}],"predecessor-version":[{"id":26275,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/4381\/revisions\/26275"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/4383"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=4381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=4381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=4381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}