Archivi Blog
Windows 8 e Internet Explorer 10, già una falla zero day
Le difese di Windows 8 e Internet Explorer 10 sono già cadute . L’ha fatto Vupen, una società francese che si dedica a trovare falle nei software più popolari e a rivendere le informazioni a terze parti. In questo come in altri casi, i tecnici Vupen hanno usato diverse falle note solo a loro per mettere a segno un colpo contro il nuovo sistema operativo Windows.
“La nostra prima 0day per Win8+IE10 con HiASLR/AntiROP/DEP e aggiramento della modalità protetta con Sandbox (Flash non serve) è pronta per i nostri clienti. Benvenuto #Windows 8″, si legge infatti sull’account Twitter dell’azienda.
Le falle scovate e sfruttate da Vupen purtroppo per ora restano aperte, perché l’azienda non dirà nulla a Microsoft. Bisognerà quindi attendere – non si sa quanto – prima di vedere una correzione ufficiale. Fino ad allora purtroppo bisognerà considerare il pericolo “dietro l’angolo”, ma l’effettiva portata del rischio è tutta da valutare.
Non è per nulla scontato infatti che eventuali criminali riescano a ripetere l’impresa di Vupen. In casi come questi vale piuttosto la pena di domandarsi a chi vadano le informazioni. Vupen s’impegna a diffondere le informazioni in modo responsabile, ma una volta che le ha vendute a un cliente “sicuro” purtroppo non c’è molto che si possa fare per essere certi che i protocolli di sicurezza siano rispettati.
In ogni caso Microsoft continua a lavorare con impegno per rendere i propri prodotti più sicuri, a partire proprio dal sistema operativo e dal browser, e i risultati sono evidenti. A certificarli c’è Kaspersky, che nei dati statistici nel terzo trimestre 2012 segnala che tra le prime dieci vulnerabilità in classifica non ce n’è nessuna che interessa applicazioni Microsoft.
Le prime dieci posizioni sono infatti occupate da Java (Oracle), Reader e Acrobat (Adobe), Flash (Adobe), QuickTime (Apple), iTunes (Apple), Winamp e Shockwave (Adobe). È bene chiarire che i dati dell’azienda russa indicano la diffusione delle vulnerabilità su base percentuale, cioé quanti dei computer presi in esame presentavano tali falle, generalmente perché non aggiornati.
PlayStation 3 Hackers Leak ‘Master Key’ Custom Firmware Online
The reports are circulating that critical security information for Sony’s PlayStation 3 gaming console has been leaked online, making it much easier for games to play pirated games on the console if desired.
The leaking of the crucial security information for the PS3 is being compared to the leak of the consoles ‘master key’ says the BBC website, after Sony’s PS3 console has been hacked using custom firmware.
Its not the first time the PS3 has been hacked in such a way, but in the past Sony has always been able to release and update to correct the issues. But the latest hack released is a custom firmware enabling hacked consoles to log into PSN, alongside LV0 decryption keys which enable it to bypass future security updates, Sony might release.
The hacker News website explains: “The hacker group ‘The Three Tuskateers’ claims that they already had the keys for a while but decided not to publish them. The information also came into the hands of another Chinese hacking group called BlueDiskCFW which was about to release the Iv0 keys for a fee.”
For more information on the hack jump over to the Hacker News website.
Source: BBC
Sandia Labs’ MegaDroid project simulates 300,000 Android phones to fight wireless catastrophes (video)
We’ve seen some large-scale simulations, including some that couldn’t get larger. Simulated cellular networks are still a rare breed, however, which makes Sandia National Laboratories’ MegaDroid project all the more important. The project’s cluster of off-the-shelf PCs emulates a town of 300,000 Android phones down to their cellular and GPS behavior, all with the aim of tracing the wider effects of natural disasters, hacking attempts and even simple software bugs. Researchers imagine the eventually public tool set being useful not just for app developers, but for the military and mesh network developers — the kind who’d need to know how their on-the-field networks are running even when local authorities try to shut them down. MegaDroid is still very much an in-progress effort, although Sandia Labs isn’t limiting its scope to Android and can see its work as relevant to iOS or any other platform where a ripple in the network can lead to a tidal wave of problems.
Google teases hackers with $2 million in prizes, announces Pwnium 2 exploit competition
The folks in Mountain View are starting to make a habit of getting hacked — intentionally, that is. Earlier this year, Google hosted an event at the CanSecWest security conference called Pwnium, a competition that challenged aspiring hackers to poke holes in its Chrome browser. El Goog apparently learned so much from the event that it’s doing it again — hosting Pwnium 2 at the Hack in the Box 10th anniversary conference in Malaysia and offering up to $2 million in rewards. Bugging out the browser by exploiting its own code wins the largest award, a cool $60,000. Enlisting the help of a WebKit or Windows kernel bug makes you eligible for a $50,000 reward, and non-Chrome exploits that rely on a bug in Flash or a driver are worth $40,000. Not confident you can break Chrome? Don’t let that stop you — Google plans to reward incomplete exploits as well, noting that it has plenty to learn from unreliable or incomplete attacks. Check out the Chromium Blog at the source link below for the full details.
LinkedIn confirms that member passwords have been compromised
Reports started swirling this morning that more than six million users had their account passwords stolen, and now the company has confirmed the security breach with a post on its blog — though the company hasn’t yet confirmed how many accounts were compromised.
Affected users will receive an email from LinkedIn with instructions on how to reset their password. This doesn’t appear to be the standard password reset procedure, either — any affected user will automatically be locked out of their account, and the password reset email being sent by LinkedIn won’t contain any links to the site. LinkedIn will also be sending affected members a second email from their customer service department detailing the circumstances behind the breach. We can’t help but feel that all of the service’s members deserve to know exactly what happened — they’ve entrusted their personal data to LinkedIn, regardless of whether their passwords were stolen or not.
Sorce: Linkedin
Logitech Alert 750n adds wide-angle night vision for improved indoor snooping, we go hands-on
Unable to sleep soundly because of the lingering fear that someone’s rummaging around your living room? Logitech’s newest surveillance gizmo, the 750n Indoor Master System, should ease your worries, since it adds 130-degree night vision and illuminates whatever’s lurking in the darkness at a distance of up to 50 feet. Like Logitech’s older products, such as the Alert Master, the 750n records video at 960 x 720p, and it uses the same HomePlug adapter for installation. If you’re already feeding your paranoia with a Logitech Alert Master, you can upgrade to the night-vision capabilities with the 700n Indoor Add-On Camera. The products cost $300 and $230, respectively, and will be available before the end of the month, but you can join us after the break for our impressions.
Apple publishes support page for Flashback malware, is working on a fix
After the Flashback / Flashfake Mac trojan was exposed by Russian site Dr. Web, Apple has finally responded by publishing a support page about the issue and promising a fix. If you haven’t heard by now, the malware exploits a flaw in the Java Virtual Machine, which Oracle pushed a fix for back in February, but Apple didn’t patch until a botnet consisting of as many as 650,000 Macs was identified on March 4th. Antivirus maker Kaspersky has confirmed the earlier findings, and released a free tool affected users can run to remove the trojan from their computers. Other than the update already delivered for computers running OS 10.6 and 10.7 Apple recommends users on 10.5 and earlier disable Java in their browser preferences. What isn’t mentioned however, is when its fix is incoming or any timetable on its efforts with international ISPs to cut off the IP addresses used by the network. This is not the first timeMacs have fallen prey to malware and as their market share grows will likely not be the last, so don’t think just opting for OS X is automatically keeping you a step ahead security-wise. Check the links below for more information about what the malware does, and how to get rid of it.
Google’s ‘Bouncer’ service scans the Android Market for malware, will judge you at the door
Google has had its fair share of malware-related problems in the Android Market, but that’s hopefully about to change, now that the company has announced a new security-enhancing service. Codenamed “Bouncer,” Mountain View’s new program sounds pretty simple, in principle: it just automatically scans the Market for malware, without altering the Android user experience, or requiring devs to run through an app approval process. According to Hiroshi Lockheimer, Android’s VP of Engineering, Bouncer does this by scanning recently uploaded apps for spyware, trojans or any other lethal components, while looking out for any suspicious behavior that may raise a red flag. The service also runs a simulation of each app using Google’s cloud-based infrastructure, and regularly checks up on developer accounts to keep repeat offenders out of the Android Market. Existing apps, it’s worth noting, will be subject to the same treatment as their more freshly uploaded counterparts. Lockheimer went on to point out that malware is on the decline in the Market, citing a 40 percent drop between the first and second halves of 2011, and explained some of Android’s fundamental security features, including its sandboxing and permission-based systems. Head for the source link below to read the post in full.
Samsung introduces WiFi SmartCam and video baby monitor (Video)
For those keen on observing from afar, Samsung’s just unveiled two WiFi surveillance cameras. Both can easily be paired with routers that support WPS and offer remote tracking from Sammy’s SmartCam website. That video feed is 640 x 480 at 30fps and encoded in H.264. Alternatively on the WiFi SmartCam, footage can automatically be uploaded to YouTube based on predefined activity. And both’ll survey in complete darkness thanks to built-in infrared — up to a few meters at least. Catch either in March when they go on sale for a cool $149. PR, per usual is after the break.
Twitter acquires dynamic duo at Whisper Systems, works to beef up privacy / security
Adobe releases final Flash Player version for Android, BlackBerry PlayBook, promises future updates
Smart Cover can unlock password-protected iPads running iOS 5 (video)
Psst. Hey, do you carry a spare Smart Cover around with you? Well, if you’re an unscrupulous sort, you can actually use it to bypass the lock screen of any iPad running iOS 5. This multi-step security hole will let you browse whatever’s running behind the passcode screen, whether that’s email, apps or the homescreen. To take advantage of the flaw, hold down the power button on the locked device until the power off slider appears, then whip the Smart Cover on, open and tap cancel. Fortunately for iPad owners, the rest of the tablet remains locked-down, but the main problem here is any sensitive information left on-screen. If you unlock the tablet to the main screen, you won’t be able to open new apps, although anyone feeling particularly nefarious can apparently delete apps from that meticulously arranged home screen. See how it’s done in the video after the break.
Some HTC Android Smartphones May Have Massive Security Hole
It would appear that some of HTC’s Android smartphones may have a major security hole, according to a recent report by Trevor Eckhart and the guys over at Android Police.
According to the report, the security hole may be in certain HTC devices which have been updated to the latest version of HTC’s Sense user interface, and could grant apps with Internet permission access to your private data like text messages and location information.
Some of the devices which are reported to be effected include the HTC EVO 4G, EVO 3D, Thunderbolt, Evo Shift 4G, MyTouch 4G Slide and possibly some models of the HTC Sensation.
It would appear HTC hasn’t released any official statement with regards to the alleged vulnerabilities as yet, you can find out more information over at Android Police.
Hardening WordPress Security: 25 Essential Plugins + Tips
If you are running a WordPress-powered website, its security should be your primary concern. In
most cases, WordPress blogs are compromised because their core files and/or plugin are outdated;
outdated files are traceable and it’s an open invitation to hackers.
How to keep you blog away from the bad guys for good? For starters, make sure you are always updated with the latest version of WordPress. But there’s more. In today’s post, I’ll like to share with you some useful plugins as well as some tips to harden your WordPress security.
Seagate's GoFlex Turbo portable hard drive touts USB 3.0, built-in SafetyNet
Another week, another external HDD from the folks at Seagate. This go ’round, it’s the GoFlex Turbo taking the stage, positioned somewhere between the GoFlex Slim and Satellite in terms of depth. It’s the outfit’s first drive to ship with two free years of SafetyNet, which nets you a single data recovery attempt should something go haywire during the honeymoon period. Tucked within, you’ll find a 500GB / 750GB drive (7200RPM), a USB 3.0 port and support for eSATA / FireWire 800 connectors via an optional interface adapter. Per usual, it’ll hum along just fine on both Windows and OS X, and can be snapped up today at Best Buy for $119.99 / $139.99, respectively. Full release is after the break, and if you’re curious, we managed to see consistent USB 2.0 rates of 30MBps to 40MBps (read / write) during our brief time with it.
New Android trojan can record phone calls, expose your embarrassing fantasy baseball talk
Hackers Unlock Car Doors Via SMS
Security researchers at iSec partners, Don Bailey and Mathew Solnik have discovered a way to unlock car doors and even start some car engines remotely using SMS.
The two researchers have managed to intercept the wireless messages that travel between software based systems like OnStar and cars, they were able to crack the protocol behind the systems and then duplicate it with a laptop in around two hours.
They have managed to use the hack on two different systems and unlock the vehicles, and they have given the system the name of ‘War Texting’, and will present it at the Black Hat Conference later this week, although they have said that they wont release any details on the system and how it works so that it can’t be used maliciously.
Source Network Wold, Gizmodo
Image Credit VOD Cars/ Flickr
Google Voice adds spam filter, lets solicitors get caught in the web
Remember when your legitimate emails were flanked by dozens of grammatically nightmarish blurbs, peddling pills, x-rated services, and Nigerian scams? If you use Gmail, most of that garbage no longer arrives in your inbox, instead making its way to a spam folder, where it’s held for a month before ending its journey at the Google graveyard. Now, Mountain View is applying that same concept to your Google Voicecalls, flagging unsolicited calls, texts, and voicemails, then booting them to a spam folder. The company’s servers use collected data from other users marking similar messages as spam, as well as propriety identification tools, to help ensure that those generic creditor or vacation sweepstakes calls never make it to your phone. And like GMail messages, misdirected calls can be marked as “Not Spam” from within the Spam folder, letting them slip through the fence the next time around. GV users can simply check the box next to “Global Spam filtering” on the Calls tab to activate the feature, or hit up the source link for the full scoop.
Visidon Applock sees your pretty face, grants you Android access (video)
In the event you got lulled into a groovy seat dance by that most excellent muzak above, let us repeat – this app does not protect your lockscreen. That said, Visidon’s Applock will prevent the privacy-adverse from messing with your personally curated app collection. Have a nosy significant lover? No sweat — snap a pick with your front-facing cam, enable the face-lock in your settings, and those sexts are as good as blocked. It’s far from foolproof, however, as some comments indicate an extended bit of facial-wriggling tricks the app into unlock mode. Oh well, you’re so vain, you’ll probably think this Android market link is for you — don’t you?
Sega's online Pass hacked, 1.3 million user passwords stolen
Let’s bid a bitter welcome to Sega, the latest entrant to the newly founded club of hacked online communities. Sega Pass, the company’s web portal, suffered a breach of its defenses on Thursday, which has now been identified to have affected a whopping 1.29 million users. Usernames, real names, birth dates, passwords, email addresses, pretty much everything has been snatched up by the malicious data thieves, with the important exception of credit / debit card numbers. We’d still advise anyone affected to keep a watchful eye on his or her banking transactions — immediately after changing that compromised password, of course. In the meantime, Sega’s keeping the Pass service offline while it rectifies the vulnerability; it’ll be able to call on an unexpected ally in its search for the perpetrators in the form of LulzSec, a hacker group that boasted proudlyabout infiltrating Sony’s network, but which has much more benevolent intentions with respect to Sega. What a topsy-turvy world we live in!
