Topic security

Apple CEO Tim Cook: 'Privacy Is A Fundamental Human Right'

Anonymous Coward
in security on (#PTA6)
On government requests for customer text messages:

"The government comes to us from time to time, and if they ask in a way that is correct, and has been through the courts as is required, then to the degree that we have information, we give that information.

However, we design our products in such a way that privacy is designed into the product. And security is designed in. And so if you think about it ... some of our most personal data is on the phone: our financial data, our health information, our conversations with our friends and family and co-workers. And so instead of us taking that data into Apple, we've kept data on the phone and it's encrypted by you. You control it."

On Apple's recent emphasis on customer privacy:

:We do think that people want us to help them keep their lives private. We see that privacy is a fundamental human right that people have. We are going to do everything that we can to help maintain that trust. ...

Our view on this comes from a values point of view, not from a commercial interest point of view. Our values are that we do think that people have a right to privacy. And that our customers are not our products. We don't collect a lot of your data and understand every detail about your life. That's just not the business that we are in."

Major Android remote-access vulnerability is now being exploited

Anonymous Coward
in security on (#JGQT)
story imageBased on anonymized data collected from users of an app designed to check for a newly revealed vulnerability in many Android devices, Check Point has discovered that at least one application currently in the Google Play store is exploiting the vulnerability to gain root access to the Android OS — and bypassing Google’s security scans of Play applications to do so.

While the app was discovered installed on an infinitesimal percentage of devices checked by Check Point, it shows that the vulnerability caused by insecure OEM and cell carrier software meant to provide remote access to devices for customer service engineers has already been exploited by “legitimate” phone applications—and the method used to bypass Google’s security checks could be used for more malicious purposes on millions of devices. And there’s no easy way for Google or phone manufacturers alone to patch the problem.

At the Black Hat security conference in Las Vegas earlier this month, Check Point’s Ohad Bobrov and Avi Bashan presented research into an Android vulnerability introduced by software installed by phone manufacturers and cellular carriers that could affect millions of devices. Labeled by Bobrov and Bashan as “Certifi-Gate," the vulnerability is caused by insecure versions of remote administration tools installed by the manufacturers and carriers to provide remote customer service—including versions of TeamViewer, CommuniTake Remote Care, and MobileSupport by Rsupport. These carry certificates that give them complete access to the Android operating system and device hardware. The applications are commonly pre-installed on Samsung, LG, and HTC handsets.

'Voodoo' Hackers: Stealing Secrets From Snowden's Favorite OS Is Easier Than You'd Think

Anonymous Coward
in security on (#J92P)
Tor has its advocates, and it's certainly our best chance at ensuring a modicum of privacy online. But it's got vulnerabilities of its own.

One attack vector is through secure BIOS systems that can be rooted and then have access to everything a computer does, regardless of operating system.
Kallenberg and Kovah have created a tool that automates the identification and exploitation of BIOS bugs, a number of which they will detail at CanSecWest. Using their own bespoke malware, they have repeatedly been able to gain access to System Management Mode (SMM), a part of the computer used by firmware that’s entirely separate from other processes, but can read everything going through a machine’s memory.

“Once the payload is delivered, we have an agent running in SMM,” said Kallenberg during a demo session with FORBES. “The thing about SMM is that it runs independent of the operating system, the operating system has no visibility into system management mode, it’s a protected region that can’t be read or written by the OS – Tails can’t read or write to it – but it has access to all of memory.”
Check out the rest at 'Voodoo' Hackers: Stealing Secrets From Snowden's Favorite OS Is Easier Than You'd Think.

Some PDFs from Blackhat 2015

Anonymous Coward
in security on (#H1EZ)
The Black Hat Conference of 2015 just concluded in Las Vegas, and they've got a lot to show for it. If you're not familiar with Black Hat, they are:
the most technical and relevant global information security event series in the world. For more than 16 years, Black Hat has provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and Trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.

From its inception in 1997, Black Hat has grown from a single annual conference in Las Vegas to the most respected information security event series internationally. Today, the Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia, providing a premier venue for elite security researchers and trainers to find their audience.
Here are links for PDFs provided as part of the 2015 event (don't read them in Firefox's built-in PDF reader; it's got a vulnerability):

How to build an asychronous and fileless back door,

Reverse Engineering a Smart Card,

Automated Human Vulnerability Scanning with AVA,

Big Game Hunting: Nation-state malware research,

Toward Automated Scalable Analysis of Graphical Images Embedded in Malware,

Hidden risks of biometric identifiers and how to avoid them,

Internet Facing PLCs: a new back orifice,

Internet-scale file analysis,

The ELK: Obtaining context from security events,

Conti Pen testing a city,

Modern Active Directory attacks: detection and protection,

Remote physical damage 101 Bread and Butter attacks,

Sharing more than just your files,

The memory sinkhole: unleashing an X86 design flaw allowing univeral privilege escalation,

The NSA Playset: a year of toys and tools,

Understanding and managing entropy usage,

Using static binary analysis to find vulnerabilities and backdoors in firmware, and

Web timing attacks made practical.

Editor's note: For what it's worth, the Black Hat Review Board oversees the entire organization and is supposed to be a selection of the industry's best and brightest. I don't recognize any names, which probably says more about your editor than about the Board. What is |.'s opinion of Black Hat and its annual conferences?

Fingerprint biometrics instead of ticket/ID

Anonymous Coward
in security on (#GTBW)
story imageWishing the airline industry could get its act together to innovate around security hassles? Don't give up hope yet!

Security firm CLEAR has worked with Alaska Airlines to implement biometric identification of passengers willing to pay an annual fee of $245. Swiping fingers across a plate will replace a boarding pass and photo ID. The airline states that in their opinion 'Using biometrics as identification has a huge potential to simplify the travel experience and eliminate hassles'.

No word on what happens when someone decides to impersonate someone and hacks off their hand to use as identification.

Chatting in secret while we're all being watched

Anonymous Coward
in security on (#G31R)
Micah Lee from The Intercept wants to remind you that all your communications are being spied on, and offers tips on how you can chat securely and anonymously, particularly with journalists, as NSA whistle blower Edward Snowden did. His tips amount to: using Tor, Jabber, and OTR (Off-the-Record messaging), while creating disposable accounts that can't be linked back to you. He includes some specifics for various operating systems, and a number of important tips and caveats, such as:

* Use Tor when you create your chat account, not just when you use it.
* Never login to that account when you’re not using Tor.
* Don’t choose a user name that might betray your real identity — don’t use a pseudonym that you’ve used in the past. Make up a random user name that doesn’t have anything to do with you
* Don’t re-use passwords.
* Be aware of which contacts you communicate with from which secret identity accounts.
* Don’t give any other identifying information to the chat service.
* Don't use your Tor IP address to login to a chat account that’s publicly associated with you.

95 percent of Android phones vulnerable to Stagefright remote MMS exploit

Anonymous Coward
in security on (#FZ53)
story imageResearchers at security firm Zimperium identified a bug (really, a series of bugs) that puts some 950 million Android phones at risk of hacking, called it "the mother of all Android vulnerabilities." If you are an Android user, the chances that your phone is vulnerable are about 95 percent. No one has exploited the vulnerability and actually hacked someone's phone -- at least, not yet. The security firm shared the information with Google back in April, along with a suggested patch. Hackers could take advantage of it by sending you a multimedia message (MMS) containing malware. Once received, it would give them complete control over the handset and allow them to steal anything on it, such as credit card numbers or personal information.

The key to protecting your phone is to turn off automatic retrieval of multimedia messages. Open your default text messaging app, go to its settings and find the option for auto-retrieving MMS/multimedia messages. Uncheck that box, don't choose to retrieve or open multimedia messages from numbers you don't know, and you should be fairly safe.

U.S. Air Force's new F-35 jet is beaten in dogfight by F-16 designed in the 1970s

in security on (#DNR0)
story imageThe most expensive weapon in history, the U.S. Air Force's $350 billion F-35 stealth jet was outperformed by an F-16 (designed in the early 1970s) in a mock dogfight. The F-35 test pilot said new plane was too cumbersome to dodge enemy fire, and deemed it totally inappropriate for fighting aircraft within visual range. U.S. military leaders have extolled the virtues of the F-35 jets. Marine Lt Gen. Robert Schmidle said the planes were like flying computers and that they could detect an enemy five to 10 times faster than the enemy could detect it.

While the F-35 is a "multi-role" aircraft and not a purpose-built air superiority fighter (unlike the closely guarded F-22), the fifth-generation aircraft is designed to excel in electronic warfare, air-to-surface combat and air-to-air combat. The US is anxious to sell them to their NATO allies to replace aging F-16, F/A-18, F-4, and Harrier fleets. The F-16 has served in the Air Forces of 26 nations, including the U.S., Israel, Egypt, the Netherlands, Denmark and Norway. Most are expected to purchase the new F-35 jet. Britain plans to purchase 138 F-35 jets from the US, but at present costs that would add up to a total of $19 billion. US Vice President Joe Biden promised a delivery of the jets to Israel ‘next year’, amid reports that Tel Aviv has approved a new deal to add 14 more jets to its 2010 order for 19 aircraft. Australia has committed to purchasing 72 F-35s. Japan has ordered 42 F-35As. South Korea has also ordered 40 F-35As, with plans for 20 more, budget permitting.

Millions of Samsung Galaxy devices remotely exploitable

in security on (#BW4T)
Hackers can easily break into Samsung Galaxy phones and spy on the entire life of their users. A vulnerability in software on the phones lets hackers look through the phones’ camera, listen to the microphone, read incoming and outgoing texts and install apps, according to researchers. The hack works by exploiting a problem with the Samsung IME keyboard, a re-packaged version of SwiftKey that the company puts in Samsung Galaxy keyboards. That software periodically asks a server whether it needs updating — but hackers can easily get in the way of that request, pretend to be the server, and send malicious code to the phone.

Researchers have confirmed that the exploit works on versions of the Samsung Galaxy S6, the S6 Edge and Galaxy S4 Mini. But it may also be active on other Samsung Galaxy phones, since the keyboard software is installed on more devices. It doesn’t matter if users are using the keyboard or not. Samsung was notified about the vulnerability in December last year. Samsung is reported to have provided a patch to mobile network operators, who must push Android updates out themselves. There is little that owners of the phone can do beyond avoiding insecure WiFi networks. The most worrying part about this is that users can't stop their device from checking for updates. It may be time to grant superuser access to the device owner by default.

Security updates for Adobe Flash Player flaws that could lead to info theft, malware attacks

in security on (#ATX9)
story imageAdobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address 13 vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:

Linux users should update to version
Windows and Macintosh users should update to version
Extended Support Release for Windows and Macintosh is*

Users of Internet Explorer on Windows 8.x and Google Chrome on Windows, Linux and Mac will receive the Flash Player update for their respective browser automatically. Adobe also released updates for the AIR runtime on Windows, Mac and Android, as well AIR SDK and Compiler, because these programs bundle Flash Player.

History has shown that attackers are quick to target new Flash flaws after a fix becomes available for them. Earlier this year, attackers started exploiting a Flash Player vulnerability just one week after Adobe released a patch for it.