Zero Day Weekly: Samsung Knox controversy, Twitter Digits, bricked FTDI chips

A collection of notable security news items for the week ending October 24, 2014. Covers enterprise, controversies, reports and more. UPDATED.

zero day weekly

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 24, 2014. Covers enterprise, controversies, reports and more.

This week, Google released invites to its latest attempt to reshape the inbox; Twitter ruffled feathers with its new password replacement Digits; a Windows update is bricking cloned FTDI chips; Samsung Knox got NSA approval then took a hit for shoddy crypto; iCloud had another bad week, and much more.

If you're going to start Knox you have to provide your password to get access to the data and the Knox home screen. But there is a small button under the textfield called "Password forgotten?" By tapping it, you have to provide your PIN. If the PIN is correct, the Knox app will show you a little password hint (the first and the last character of your password!! + the original length of your password!)

Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule. In the end it just uses the Android ID together with a hardcoded string and mixes them for the encryption key. (...)

The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely.

For such a product the password should never be stored on the device. Instead of Samsung Knox, use the built-in Android encryption function and encrypt the whole device.

Update October 26, 2:06 am PST: Samsung responded to the security reasearcher's post about KNOX saying, "We analyzed these claims in detail and found the conclusions to be incorrect for KNOX enterprise solutions." Samsung said in regard to the accusation that KNOX stores an alternative PIN in plaintext for password recovery, "we would like to reassure our customers that KNOX enterprise containers do not store any alternative PIN for password recovery purposes, relying instead on IT admins to change and reset passwords through their MDM agent."

  • Facebook revealed Require-Recipient-Valid-Since (RRVS) where if a user's account were connected to a recycled Yahoo email address, that account could be taken over (and potentially compromised) by the new Yahoo account owner — all through a simple password change request. Facebook engineers explained in a blog post on Thursday how they have been working with the Yahoo Messenger team to patch up the problem.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All