Hacking Gmail with 92 Percent Success

The researchers monitor changes in shared memory and are able to correlate changes to what they call an “activity transition event,” which includes such things as a user logging into Gmail or H&R Block or a user taking a picture of a check so it can be deposited online, without going to a physical CHASE Bank. Augmented with a few other side channels, the authors show that it is possible to fairly accurately track in real time which activity a victim app is in.

There are two keys to the attack. One, the attack needs to take place at the exact moment the user is logging into the app or taking the picture. Two, the attack needs to be done in an inconspicuous way. The researchers did this by carefully calculating the attack timing.

via UCR Today: Hacking Gmail with 92 Percent Success.

The researchers created three short videos that show how the attacks work. They can be viewed here: http://bit.ly/1ByiCd3.

The biggest iPhone security risk could be connecting one to a computer

Apple issues developer certificates to those who want to do internal distributions of their own applications. Those certificates can be used to self-sign an application and provision it.

Wang’s team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn’t see a warning.

That would allow for a self-signed malicious application to be installed. Legitimate applications could also be removed and substituted for look-alike malicious ones.

via The biggest iPhone security risk could be connecting one to a computer – Computerworld.

Microsoft backs open source for the Internet of Things

The AllSeen Alliance is an effort to standardize device communications. The code that it champions, called AllJoyn, was initially developed by Qualcomm but was subsequently made open source. Big vendors have been recruited to support it, and the AllSeen Alliance now includes LG, Panasonic, Sharp and Haier, among others.

via Microsoft backs open source for the Internet of Things – Computerworld.

How Welcoming Will the Smart Home of the Future Be?

This approach of binding our smart devices to our personal accounts may be an easy engineering decision today, but it will make less sense as more devices show up in households with multiple family members. Families shouldn’t be forced to decide if the dishwasher is bound to Mom’s Gmail account or Dad’s. Instead, the household should have its own identity, with different family members having different levels of access depending on their needs.

via How Welcoming Will the Smart Home of the Future Be? | MIT Technology Review.

Not sure why a dishwasher or any household appliance would need user authentication or even user management. Does it matter if the person doing dishes is authorized as long as the dishes get washed?

New crimeware tool Dendroid makes it easier to create Android malware, researchers warn

Dendroid’s features include deleting call logs and files; calling phone numbers; opening Web pages; recording calls and audio from the microphone; intercepting text messages; taking and uploading photos and videos; opening applications and launching HTTP flood (denial-of-service) attacks for a period of time specified by the attacker.

Dendroid is not the first Android RAT, but it is one of the most sophisticated ones seen to date.

via New crimeware tool Dendroid makes it easier to create Android malware, researchers warn | ITworld.

VPN Related Vulnerability Discovered on an Android device

In this video we demonstrate the vulnerability via the following steps:

  1. We present a regular Android device (in this case it is the popular Samsung S4 device). Behind it we display a screen with packet capturing tool, showing the traffic that flows through that computer.
  2. Now the user runs the malicious app and clicks on the Exploit button which takes advantage of the vulnerability in the phone’s system.

via VPN Related Vulnerability Discovered on an Android device – Disclosure Report | Cyber Security Labs @ Ben Gurion University.

The exploit vector requires a user to do something.

MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages

MisoSMS infects Android systems by deploying a class of malicious Android apps. The mobile malware masquerades as an Android settings app used for administrative tasks. When executed, it secretly steals the user’s personal SMS messages and emails them to a command-and-control (CnC) infrastructure hosted in China. FireEye Mobile Threat Prevention platform detects this class of malware as “Android.Spyware.MisoSMS.”

via MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages | FireEye Blog.

Once the app is installed, it presents itself as “Google Vx.” It asks for administrative permissions on the device, which enables the malware to hide itself from the user, as shown in Figure 2.

Right there is a clue that something is not right.

Time To Dump Antivirus As Endpoint Protection?

1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware.

via Time To Dump Antivirus As Endpoint Protection? — Dark Reading.

There are some other useful tips in this article as well. I like the above quoted idea because AV software can be a pretty heavy load on an endpoint, requiring constant maintenance and upgrades. These upgrade cycles in and of themselves pose a security hazard. The more complex a system becomes, the more that can go wrong.

Prices of Windows RT tablets drop, point to failure of OS

The starting price for Dell’s XPS 10 is now US$449 for a 32GB model, scalping $50 off the original launch price. The 64GB model is $499, which is a drop from the original $599 price. By comparison, the price of the Latitude 10 tablet with Intel processors and Microsoft’s Windows 8 OS remained stable at $499.

via Prices of Windows RT tablets drop, point to failure of OS – Windows 8, Microsoft, Windows, hardware systems, tablets, software, operating systems – Operating Systems – Techworld.

Microcenter always has a full-fledged decent laptop for under $300. Here’s the special this week for $279. I don’t know why anyone would pay double for a tablet, which is hard to do any real work on. I recently bought a 7″ Samsung S3 tablet for $180 (on sale) that does everything one would ever need to do on a tablet.

ASUS R503U-MH21 15.6″ Laptop Computer – Black

  • AMD E2-1800 1.7GHz
  • Microsoft Windows 8 (64-bit)
  • 2GB DDR3-1333 RAM
  • 320GB 5,400RPM Hard Drive
  • 8x SuperMulti DVDRW Drive
  • Memory Card Reader
  • 10/100/1000 Network
  • 802.11b/g/n Wireless
  • 15.6″ LED-backlit TFT Display

Note: The above link to this special will most likely be dead after the sale.