Rowhammer Attack Can Now Root Android Devices

For the past two years, since researchers discovered the attack, the term Rowhammer has been used to describe a procedure through which attackers launch read & write operations at a row of memory bits inside a RAM memory card. The repeated read and write operations cause an electromagnetic field to appear, which changes local memory Read more about Rowhammer Attack Can Now Root Android Devices[…]

Adding a phone number to your Google account can make it LESS secure (because telco insecurity).

On Oct 1, after a 2h absence from his phone, Bob attempted to check his email and discovered he’d been logged out of his gmail account. Upon trying to log back in, Google notified him that his email password had been changed less than an hour ago. He then tried to make a call and Read more about Adding a phone number to your Google account can make it LESS secure (because telco insecurity).[…]

Dirty COW (CVE-2016-5195) Linux privilege escalation

What is the CVE-2016-5195? CVE-2016-5195 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE. Why is it called the Dirty COW bug? “A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of Read more about Dirty COW (CVE-2016-5195) Linux privilege escalation[…]

Modern Business Solutions Stumbles Over A Modern Business Problem – 58M Records Dumped From An Unsecured Database

Now yet another massive database leak has been uncovered related to an insecure MongoDB installation, exposing at least 58 million subscriber records. Twitter user @0x2Taylor posted exfiltrated data on the file sharing site MEGA twice over the weekend, each time resulting in the data being taken down very quickly. The data was then Read more about Modern Business Solutions Stumbles Over A Modern Business Problem – 58M Records Dumped From An Unsecured Database[…]

‘StrongPity’ malware infects users through illegitimate WinRAR and TrueCrypt installers

A new strain of malware has been discovered by Kaspersky Labs, named ‘StrongPity,’ which targets users looking for two legitimate computer programs, WinRAR and TrueCrypt. WinRAR is a file archiver utility for Windows, which compresses and extracts files, while the latter is a discontinued encryption tool. The malware contains components that not only have the Read more about ‘StrongPity’ malware infects users through illegitimate WinRAR and TrueCrypt installers[…]

Apple Watches banned from Cabinet after ministers warned devices could be vulnerable to hacking 

Ministers have been barred from wearing Apple Watches during Cabinet meetings amid concerns that they could be hacked by Russian spies, The Telegraph has learned. Under David Cameron, several cabinet ministers wore the smart watches, including Michael Gove, the former Justice Secretary. However, under Theresa May ministers have been barred from wearing them amid concerns Read more about Apple Watches banned from Cabinet after ministers warned devices could be vulnerable to hacking […]

Is Tesla telling us the truth over autopilot spat?

In the latest exchange between Mobileye and Tesla, however, the chip company has accused Tesla of lying. “The allegations recently attributed to a spokesperson for Tesla … are incorrect and can be refuted by the facts,” Mobileye said in a statement. […] Tesla was “pushing the envelope in terms of safety,” the company’s chairman and Read more about Is Tesla telling us the truth over autopilot spat?[…]

Securify your PC using Qubes and Whonix

Qubes is a security-oriented, open-source operating system for personal computers. Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes. This approach allows you to keep the different things you do on your computer securely separated from each other Read more about Securify your PC using Qubes and Whonix[…]

CSA releases IoT security guide

An in-depth security guidance report aimed at Internet of Things developers has been released by the Cloud Security Alliance. Titled Future-proofing the Connected World: 13 steps to developing secure IoT products, the report offers practical and technical guidance to devs trying to secure networks of IoT devices. “An IoT system is only as secure as Read more about CSA releases IoT security guide[…]

The Three Infrastructure Mistakes Your Company Must Not Make

Avi Freedman has worked in networking for 30+ years and seen over 100 startups scale their infrastructure. Here are the most vital pieces of advice he has to share. They land themselves in Cloud Jail. They get sucked in by “hipster tools.” They don’t design for monitorability. Source: The Three Infrastructure Mistakes Your Company Must Read more about The Three Infrastructure Mistakes Your Company Must Not Make[…]

Never explain, never apologize: Microsoft silent on Outlook.com email server grief

A tweak to Microsoft’s Outlook.com cloud service has blocked a good number of people from accessing their messages. Specifically, the baffling and unannounced change affects Outlook.com users with connected accounts: these are email accounts hosted on third-party servers (such as a company’s private server or an ISP’s mail server) that are accessed via the Outlook.com Read more about Never explain, never apologize: Microsoft silent on Outlook.com email server grief[…]

Malware Evades Detection by counting amount of documents in recent files

A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found inside of a Word document looks for existing documents on targeted PCs. If no Microsoft Word documents Read more about Malware Evades Detection by counting amount of documents in recent files[…]

Mastercard rolls out pay-by-selfie across Europe

MasterCard’s “selfie pay” will be coming to Europe next year after trials in the US, Canada and the Netherlands. The financial services firm is rolling out technologies that will allow European consumers to authenticate their identity without a password, but with a selfie, in order to provide customers with a more convenient method to sign Read more about Mastercard rolls out pay-by-selfie across Europe[…]

DNS requests destroy Tor’s Anonymity

We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites. Our results show that DNS requests from Tor Read more about DNS requests destroy Tor’s Anonymity[…]

Sending passwords using your body

One of the key applications for this system is for authenticating to medical devices worn on patients’ bodies. Devices such as wearable glucose monitors typically use wireless protocols such as Bluetooth to communicate, and those signals can be intercepted by attackers without much effort. The on-body transmission system can send credentials or encryption keys through Read more about Sending passwords using your body[…]

Police complaints drop 93 percent after deploying body cameras

A study from Cambridge University documents an immense drop in complaints against police officers when their departments began using body cameras. But even more surprising is that the data suggests everyone is on their best behavior whether the cameras are present or not. The data was collected in seven police departments in the UK and Read more about Police complaints drop 93 percent after deploying body cameras[…]

WiFox Puts Thousands of Airport Wi-Fi Networks and Their Passwords On Your Phone

Android/iOS: “Free Airport Wi-Fi” is almost always slow, a security nightmare, or expensive—but it’s likely not all that’s available in the airport. Luckily, WiFox is packed with tons of network names and passwords for airports around the globe, so you can surf happily—and safely. Source: WiFox Puts Thousands of Airport Wi-Fi Networks and Their Passwords Read more about WiFox Puts Thousands of Airport Wi-Fi Networks and Their Passwords On Your Phone[…]

This Credit Card Has a Screen So Its Security Code Can Change Every Hour

The new system, developed by Oberthur Technologies, is called Motion Code, and it changes the security code on the back of the credit card every hour. That way even if a thief does steal the info, it will be useless in less than an hour, preventing nearly all fraudulent transactions. Other than a small screen on Read more about This Credit Card Has a Screen So Its Security Code Can Change Every Hour[…]

Researchers crack Oz Govt medical data in ‘easy’ attack with PCs

Australian researchers have laid waste to the Federal Government’s plan to criminalise the decryption of anonymised state data sets, just a day after it was announced, by ‘easily’ cracking government-held medical data. Source: Researchers crack Oz Govt medical data in ‘easy’ attack with PCs Again it is surprising how governments try to criminalise that which Read more about Researchers crack Oz Govt medical data in ‘easy’ attack with PCs[…]

D-Link DWR-932 router is chock-full of security holes

The documented D-Link DWR-932 vulnerabilities affect the latest available firmware. Kim first responsibly disclosed them to the D-Link Security Incident Response Team in June, but after the company said early this month that they don’t have a schedule for a firmware release, he decided to go public with the details about some of the flaws. Read more about D-Link DWR-932 router is chock-full of security holes[…]

Crypto guru Matt Green asks courts for DMCA force field so he can safely write a textbook

Assistant Professor Matthew Green has asked US courts for protection so that he can write a textbook explaining cryptography without getting sued under the Digital Millennium Copyright Act. Green, who teaches at Johns Hopkins University in Maryland, is penning a tome called Practical Cryptographic Engineering that examines the cryptographic mechanisms behind the devices we use Read more about Crypto guru Matt Green asks courts for DMCA force field so he can safely write a textbook[…]

Azure is on fire, your DNS is terrified

Microsoft Azure is wobbling all around the world at the moment, especially Azure DNS. According to a status update on Microsoft’s site, the issues began around lunchtime, although there is no mention of when they are likely to be fixed. Customers using Azure DNS in multiple regions are experiencing difficulties connecting to their goodies at Read more about Azure is on fire, your DNS is terrified[…]

Someone Is Learning How to Take Down the Internet – Lawfare

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who Read more about Someone Is Learning How to Take Down the Internet – Lawfare[…]

Using known private keys on internet connected devices has gone up 40% since 2015

To accomplish the mammoth task of informing about 50 different vendors and various ISPs we teamed up with CERT/CC (VU#566724). We would really like to report that our efforts were successful, but as it turns out the number of devices on the web using known private keys for HTTPS server certificates has gone up by Read more about Using known private keys on internet connected devices has gone up 40% since 2015[…]