Actionable Insights: Google Extension, Android Caution And Apple Fix

This week’s roundup of updates and patches to keep your enterprise protected

As Cyber Security Hub reports on the “Incident Of The Week” each Friday, it’s also hard to ignore all the cautionary tales, best practices, tips and tricks from experts and enthusiasts around our social media outlets.

In order to help executives become more proactive in their cyber security tasks, the following is coverage of three recent updates and patches that cyber security professionals cannot afford to ignore. Since cyber security awareness is key to helping prevent cyber attacks, here are the most noteworthy patches and updates, as noted by industry experts, that will help keep your enterprise protected.

Google Chrome Password Checkup Extension

Do you know if your password has been compromised? The new Chrome extension will let you know. Once installed, it checks whether your password is safe to use every time you log in to a website. If it is not, you'll get a message from Google saying that your password has been involved in a data breach.

However, reports that your passwords are never seen by Google (the company only stores a hashed partial code for unsafe passwords in your Chrome browser) and “never reports any identifying information about your accounts, passwords, or device. And while there are tools out there of this type, the Google credentials behind it make it easier to recommend.”

For instance, Troy Hunt — who discovered the recent and massive Collection #1 data breach that exposed millions of emails and passwords — has created his own free breach notification site HaveIBeenPwned.

At the time of the breach, Hunt told Cyber Security Hub, "The thing about enterprise versus consumer is that at the end of the day, it’s still all about people and people take their security practices home and to work with them. Very often, the password they use on public websites that are breached is very similar if not the same to the one they use in the enterprise."

Hunt also explained what organizations can do to protect themselves from an attack like this one: "Robust password requirements are important and that doesn’t mean asking people to use a mix of character types. Blocking known bad passwords that have been exposed in a data breach, for example, is increasingly important."
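The two ideas above, a lookup that exposes only part of a password hash and a policy that blocks breached passwords instead of demanding mixed character types, can be sketched as follows. This is an added example, not code from Google's extension or HaveIBeenPwned, and it is a simplified illustration, not the extension's actual protocol; the 5-character SHA-1 prefix, the 12-character minimum and the sample breach list are assumptions made for the illustration.

```python
import hashlib

PREFIX_LEN = 5   # assumption: hex characters of the digest shared with the lookup
MIN_LENGTH = 12  # assumption: minimum length for the illustrative policy

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(breached_passwords):
    """Bucket breached-password hashes by prefix: {prefix: {suffix, ...}}."""
    index = {}
    for pw in breached_passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index

def lookup_bucket(index, prefix):
    """Stands in for the breach-data holder: it receives only the hash
    prefix and returns every suffix stored in that bucket."""
    return index.get(prefix, set())

def is_breached(password, index):
    """The full hash is compared locally, against the returned bucket."""
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in lookup_bucket(index, digest[:PREFIX_LEN])

def check_new_password(password, index):
    """Length plus breach blocklist; no character-class rules."""
    if len(password) < MIN_LENGTH:
        return (False, "too short")
    if is_breached(password, index):
        return (False, "found in breach data")
    return (True, "ok")

# Constructed sample list standing in for a real breach corpus.
SAMPLE_BREACHED = ["password", "123456", "qwerty123", "Summer2019!", "P@ssw0rd12345"]
INDEX = build_index(SAMPLE_BREACHED)

if __name__ == "__main__":
    for candidate in ["P@ssw0rd12345", "qwerty123", "correct horse battery staple"]:
        print(candidate, "->", check_new_password(candidate, INDEX))
```

"P@ssw0rd12345" mixes upper case, lower case, digits and a symbol, yet it is rejected because it appears in the sample breach list, while a long passphrase with no special characters is accepted.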

You can install Password Checkup for free on the Chrome Web Store.

Android Update For PNG Image Vulnerability

There have been reports warning users about opening .PNG (Portable Network Graphics) image files on their smartphones. In fact, according to Graham Cluley, an independent security analyst, Android phones can get hacked just by looking at a PNG image.

In its Android Security Update for February, Google has detailed three critical security vulnerabilities in the way the operating system handles these images. Most notably, “According to the advisory, a maliciously-crafted PNG image file could execute code on vulnerable Android devices, potentially hacking phones and granting access by a remote attacker,” reported Cluley. “The newly-discovered flaws affect millions of devices running versions of the Android operating system from Android 7.0 Nougat to the latest Android 9.0 Pie, and an attack could be activated by tricking a user into viewing a booby-trapped PNG image sent via email or a messaging app.”


While Google has stressed that there are no reports of active exploitation of these vulnerabilities, more detailed descriptions are expected in the days ahead. “But my advice is don’t delay — patch your Android phone as soon as a security update is available,” Cluley said.

Group FaceTime Fix For iOS

On Jan. 19, a 14-year-old from Arizona discovered a glitch in FaceTime, Apple’s video chatting software, which allowed him to eavesdrop on his friend’s phone before his friend had even answered the call. Dubbed FacePalm by security researchers, the bug let users call anyone with FaceTime and immediately hear the audio coming from the phone — before the person on the other end had accepted or rejected the incoming call.


At the time, an Apple spokesperson said the company “is aware of this issue and we have identified a fix that will be released in a software update later this week.”

While it has taken a little longer than expected, the fix is now available to download for users:

  • For iOS users, go to the Settings app, “General” and then, “Software Update.”
  • For Mac users, go to “Settings” and then “Software Update” to download to computers.

In a statement on Thursday, Apple thanked customers for their "patience."

"Today’s software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience," the company said. "In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security," including fixing a previously unknown issue with Live Photos shared on FaceTime.