Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror

Submission + - Do PoC Exploits Do More Good or Harm? (threatpost.com)

secwatcher writes: When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.

In fact, almost 60 percent of 230 security pundits thought it was a “good idea” to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn’t a good idea.

Submission + - Behind the Naming of ZombieLoad and Other Intel Spectre-Like Flaws (threatpost.com)

secwatcher writes: There was a lot more to the name game behind choosing titles for ZombieLoad, Spectre and Meltdown than picking cool and edgy attack titles. If you have ever wondered why they were named what they were, Threatpost tracked down one of the researchers behind the naming convention (and discovery) and found out.

Much like the funky titles of advanced persistent threat groups, these speculative execution attacks, which impact Intel CPUs, are often named to reflect the impact behind the vulnerabilities, their attributes and how the attack processes work.

“We always try to come up with names that somehow resemble the nature of the attack,” Daniel Gruss, a security researcher from the Graz University of Technology and one of the founders of the ZombieLoad flaw, told Threatpost in a recent podcast interview.

Submission + - TicTocTrack Smartwatch Flaws Can Be Abused to Track Kids (threatpost.com)

secwatcher writes: A popular smartwatch that allows parents to track their children’s whereabouts, TicTocTrack, has been discovered to be riddled with security issues that could allow hackers to track and call children, according to Pen Test Partners and security researcher Troy Hunt.

Submission + - Attackers Can Track Kids' Locations via Connected Watches (threatpost.com)

secwatcher writes: A gamut of kids’ GPS-tracking watches are exposing sensitive data involving 35,000 children — including their location, in real time.

Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research.

“A year on, we decided to have a look at the Gator watch again to see how their security had improved,” said Vangelis Stykas, in a Tuesday posting. “Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents’ details etc. Not just Gator watches either – the same back end covered multiple brands and tens of thousands of watches.”

Submission + - Hack Allows Escape of Play-with-Docker Containers (threatpost.com)

secwatcher writes: Researchers hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system. The proof-of-concept hack does not impact production Docker instances, according to CyberArk researchers that developed the proof-of-concept attack.

“The team was able to escape the container and run code remotely right on the host, which has obvious security implications,” wrote researchers in a technical write-up posted Monday.

Submission + - iOS Fitness Apps Robbing Money From Apple Victims (threatpost.com)

secwatcher writes: Two apps that were posing as fitness-tracking tools were actually using Apple’s Touch ID feature to loot money from unassuming iOS victims.

The two impacted apps were the “Fitness Balance App” and “Calories Tracker App.” Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS store.

However, according to Reddit users and researchers with ESET, the apps steal money – almost $120 from each victim – thanks to a sneaky popup trick involving the Apple TouchID feature.

Submission + - Lock-Screen Bypass Bug Quietly Patched in Handsets (threatpost.com)

secwatcher writes: A design flaw affecting all in-display fingerprint sensors – that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack – has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication.

In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers, according to Tencent’s Xuanwu Lab which is credited for first identifying the flaw earlier this year.

Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors.That includes current models of Huawei Technologies’ Porsche Design Mate RS and Mate 20 Pro model phones. Researchers said that many more cellphone manufacturers are impacted by the issue.

Submission + - iPhone XS Passcode Bypass Hack Exposes Contacts, Photos (threatpost.com)

secwatcher writes: A passcode bypass vulnerability in Apple’s new iOS version 12 could allow an attacker to access photos and contacts (including phone numbers and emails) on a locked iPhone.

The hack allows someone with physical access to a vulnerable iPhone to sidestep the passcode authorization screen on iPhones running Apple’s latest iOS 12 beta and iOS 12 operating systems.

Threatpost was tipped off to the bypass by Jose Rodriguez, who describes himself as an Apple enthusiast and “office clerk” based in Spain who has also found previous iPhone hacks.

Submission + - Bitdefender Disables Anti-Exploit Monitoring in Chrome After Google Policy Chang (bleepingcomputer.com)

secwatcher writes: One of the programs that a lot of users have seen listed in these alerts and is suggested to be removed is the Bitdefender antivirus program as shown above. Having a well known company like Google telling users to remove a security solution is a problem as these programs are important for many users to have installed on their computers in order to protect them from malware, unwanted programs, and malicious websites.

Submission + - Google Bug Hunter Urges Apple to Change its iOS Security Culture (threatpost.com)

secwatcher writes: Prolific Google bug hunter Ian Beer ripped into Apple on Wednesday, urging the iPhone maker to change its culture when it comes to iOS security. He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability.
In a provocative call to Apple’s CEO Tim Cook, Beer directly challenged him to donate $2.5 million to Amnesty International – roughly the equivalence of bug bounty earnings for Beer’s 30-plus discovered iOS vulnerabilities.

Submission + - Bugs in Samsung IoT Hub Leave Smart Home Open To Attack (threatpost.com)

secwatcher writes: Cisco Talos researchers found flaws located in Samsung’s centralized controller, a component that connects to an array of IoT devices around the house – from light bulbs, thermostats, and cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices.

“Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities,” researchers said in a report.

Slashdot Top Deals

A computer lets you make more mistakes faster than any other invention, with the possible exceptions of handguns and Tequilla. -- Mitch Ratcliffe

Working...