First, LastPass revealed on Monday that it detected suspicious activity on its network. Although there’s no evidence that any encrypted user data or accounts were accessed, LastPass email addresses and password reminders were compromised.
Then on Wednesday, six security researchers released a paper revealing flaws in OS X and iOS, which open the systems up to some particularly nasty malware. The malware could be used to bypass sandbox security protections, and grab passwords from other apps, including Apple’s built-in OS X Keychain.
As if that wasn’t enough, it was revealed Wednesday that 600 million Samsung phones are potentially vulnerable, thanks to poor security practices in the built-in phone keyboard.
Is anything safe? Is anyone? In 2015, the likely answer is no.
Mac and iOS security woes
The OS X and iOS zero-day exploit is especially troubling, given how it works.
The good news is that in order for XARA to be exploited, certain vectors need to be in place, primarily through malware or hijacked software. The bad news — the really bad news — is that the researchers managed to get apps containing these vectors approved and listed in the Mac App Store.
The researchers behind XARA notified Apple of its findings in October, giving the company a six-month deadline to fix the bugs. And although it appears Apple has made some effort to close the holes that allow XARA to exist, the problems are still present in the latest versions of OS X and iOS.
Ultimately, as an industry, we need to move beyond the password and on to other types of authentication. Biometrics is one solution — though that opens its own can of worms when it comes to privacy and accountability.