secwatcher - Slashdot User

Submission + - Do PoC Exploits Do More Good or Harm? (threatpost.com)

Submitted by secwatcher on Wednesday January 22, 2020 @02:33PM

secwatcher writes: When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.

In fact, almost 60 percent of 230 security pundits thought it was a “good idea” to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn’t a good idea.

Submission + - Millions of Dell PCs Vulnerable to Flaw in Third-Party Component (threatpost.com)

Submitted by secwatcher on Friday June 21, 2019 @08:25AM

secwatcher writes: Millions of PCs made by Dell and other OEMs are vulnerable to a flaw stemming from a component in pre-installed SupportAssist software. The flaw could enable a remote attacker to completely takeover affected devices.

Submission + - Behind the Naming of ZombieLoad and Other Intel Spectre-Like Flaws (threatpost.com)

Submitted by secwatcher on Tuesday May 21, 2019 @08:46AM

secwatcher writes: There was a lot more to the name game behind choosing titles for ZombieLoad, Spectre and Meltdown than picking cool and edgy attack titles. If you have ever wondered why they were named what they were, Threatpost tracked down one of the researchers behind the naming convention (and discovery) and found out.

Much like the funky titles of advanced persistent threat groups, these speculative execution attacks, which impact Intel CPUs, are often named to reflect the impact behind the vulnerabilities, their attributes and how the attack processes work.

“We always try to come up with names that somehow resemble the nature of the attack,” Daniel Gruss, a security researcher from the Graz University of Technology and one of the founders of the ZombieLoad flaw, told Threatpost in a recent podcast interview.

Submission + - TicTocTrack Smartwatch Flaws Can Be Abused to Track Kids (threatpost.com)

Submitted by secwatcher on Monday April 15, 2019 @06:17PM

secwatcher writes: A popular smartwatch that allows parents to track their children’s whereabouts, TicTocTrack, has been discovered to be riddled with security issues that could allow hackers to track and call children, according to Pen Test Partners and security researcher Troy Hunt.

Submission + - Attackers Can Track Kids' Locations via Connected Watches (threatpost.com)

Submitted by secwatcher on Wednesday January 30, 2019 @05:11PM

secwatcher writes: A gamut of kids’ GPS-tracking watches are exposing sensitive data involving 35,000 children — including their location, in real time.

Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research.

“A year on, we decided to have a look at the Gator watch again to see how their security had improved,” said Vangelis Stykas, in a Tuesday posting. “Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents’ details etc. Not just Gator watches either – the same back end covered multiple brands and tens of thousands of watches.”

Submission + - Hack Allows Escape of Play-with-Docker Containers (threatpost.com)

Submitted by secwatcher on Monday January 14, 2019 @03:03PM

secwatcher writes: Researchers hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system. The proof-of-concept hack does not impact production Docker instances, according to CyberArk researchers that developed the proof-of-concept attack.

“The team was able to escape the container and run code remotely right on the host, which has obvious security implications,” wrote researchers in a technical write-up posted Monday.

Submission + - iOS Fitness Apps Robbing Money From Apple Victims (threatpost.com)

Submitted by secwatcher on Monday December 03, 2018 @11:53AM

secwatcher writes: Two apps that were posing as fitness-tracking tools were actually using Apple’s Touch ID feature to loot money from unassuming iOS victims.

The two impacted apps were the “Fitness Balance App” and “Calories Tracker App.” Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS store.

However, according to Reddit users and researchers with ESET, the apps steal money – almost $120 from each victim – thanks to a sneaky popup trick involving the Apple TouchID feature.

Submission + - Lock-Screen Bypass Bug Quietly Patched in Handsets (threatpost.com)

Submitted by secwatcher on Friday November 16, 2018 @04:59PM

secwatcher writes: A design flaw affecting all in-display fingerprint sensors – that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack – has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication.

In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers, according to Tencent’s Xuanwu Lab which is credited for first identifying the flaw earlier this year.

Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors.That includes current models of Huawei Technologies’ Porsche Design Mate RS and Mate 20 Pro model phones. Researchers said that many more cellphone manufacturers are impacted by the issue.

Submission + - iPhone XS Passcode Bypass Hack Exposes Contacts, Photos (threatpost.com)

Submitted by secwatcher on Friday September 28, 2018 @01:43PM

secwatcher writes: A passcode bypass vulnerability in Apple’s new iOS version 12 could allow an attacker to access photos and contacts (including phone numbers and emails) on a locked iPhone.

The hack allows someone with physical access to a vulnerable iPhone to sidestep the passcode authorization screen on iPhones running Apple’s latest iOS 12 beta and iOS 12 operating systems.

Threatpost was tipped off to the bypass by Jose Rodriguez, who describes himself as an Apple enthusiast and “office clerk” based in Spain who has also found previous iPhone hacks.

Submission + - Bitdefender Disables Anti-Exploit Monitoring in Chrome After Google Policy Chang (bleepingcomputer.com)

Submitted by secwatcher on Friday August 24, 2018 @11:26AM

secwatcher writes: One of the programs that a lot of users have seen listed in these alerts and is suggested to be removed is the Bitdefender antivirus program as shown above. Having a well known company like Google telling users to remove a security solution is a problem as these programs are important for many users to have installed on their computers in order to protect them from malware, unwanted programs, and malicious websites.

Comment Re:hilarity ensues (Score 1) 56

by secwatcher on Wednesday August 15, 2018 @11:29AM (#57130882) Attached to: Microsoft and Amazon Begin Public Rollout of First Alexa-Cortana Integrations

Would love to see Cortana and Alexa talk smack to each other.

Submission + - Built-In Lazy Loading Lands in Google Chrome Canary (bleepingcomputer.com)

Submitted by secwatcher on Tuesday August 14, 2018 @08:24AM

secwatcher writes: Google has started rolling out support for built-in lazy loading inside Chrome. Currently, support for image and iframe lazy loading is only available in Chrome Canary, the Chrome version that Google uses to test new features.

Submission + - Google Bug Hunter Urges Apple to Change its iOS Security Culture (threatpost.com)

Submitted by secwatcher on Thursday August 09, 2018 @08:52AM

secwatcher writes: Prolific Google bug hunter Ian Beer ripped into Apple on Wednesday, urging the iPhone maker to change its culture when it comes to iOS security. He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability.
In a provocative call to Apple’s CEO Tim Cook, Beer directly challenged him to donate $2.5 million to Amnesty International – roughly the equivalence of bug bounty earnings for Beer’s 30-plus discovered iOS vulnerabilities.

Comment SMS Weaknesses (Score 1) 44

by secwatcher on Wednesday August 01, 2018 @02:41PM (#57050626) Attached to: A Hacker Broke Into a Few of Reddit's Systems and Managed To Access Some User Data, Company Says

They were using SMS 2FA? Really?? That said it sounds like the number impacted was small, so at least Reddit learned from this (relatively) smaller incident instead of something bigger happening.

Submission + - Bugs in Samsung IoT Hub Leave Smart Home Open To Attack (threatpost.com)

Submitted by secwatcher on Thursday July 26, 2018 @03:37PM

secwatcher writes: Cisco Talos researchers found flaws located in Samsung’s centralized controller, a component that connects to an array of IoT devices around the house – from light bulbs, thermostats, and cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices.

“Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities,” researchers said in a report.

Slashdot Top Deals