Monday, August 10, 2015

Motorola is the next to patch Android's big video security flaw

Source: http://www.engadget.com/2015/08/08/motorola-patches-stagefright-flaw//

Moto G third-generation

Chalk up one more big Android phone maker racing to patch its devices against that nasty Stagefright video security flaw. Motorola has explained that it will not only fix the vulnerability in phones from 2013 onward (such as the original Moto X and the Droid line), but make sure that its latest hardware is secure almost from the word go. Both the Moto X Style and Moto X Play will be secure on launch, while the recently-shipped third-generation Moto G is getting its update "soon."

The company doesn't say whether or not it's hopping on the monthly security patch bandwagon. However, it does add that it's working with Google and carriers to "simplify the process" of getting that code into your hands going forward. Between this and expected fixes for phones from Google, HTC, LG, Blackphone creator SGP and Sony, you probably won't have to worry if you're carrying a recent or reasonably well-known device. The real question is whether or not other brands and older (or lower-end) hardware will get the same kind of attention -- you don't want to remain at risk simply because you bought the 'wrong' model.

Source: Motorola

Tags: android, droidmaxx, droidmini, droidturbo, droidultra, lenovo, mms, mobilepostcross, motog, motox, motoxplay, motoxstyle, patch, security, stagefright, update

Old Intel chips are vulnerable to a fresh security exploit

Source: http://www.engadget.com/2015/08/08/intel-memory-sinkhole-flaw//

An old Intel Core i5 processor

If you have an old, Intel-based computer hanging around, you might want to get rid of it post-haste. Security researcher Chris Domas has discovered a vulnerability in the x86 architecture of Intel processors made between 1997 and 2010 (pre-Sandy Bridge) that lets an attacker install software in a chip's protected System Management Mode space, which governs firmware-level security. Yes, that's as bad as it sounds: an intruder could not only take more control than you typically see in attacks (including wiping firmware), but infect your PC even if you wipe your hard drive and reinstall your operating system. Domas has only tested against Intel-made CPUs so far, but AMD processors could be vulnerable as well.

A would-be hacker needs low-level OS access to get in, so you at least won't face a direct assault -- you need to fall prey to another attack before this becomes an option. However, this vulnerability might be difficult or impossible to fix in a timely fashion. While it's theoretically possible to patch a computer's BIOS (or on relatively recent systems, UEFI) to prevent these attacks, the chances of that happening are slim. What's the likelihood that your motherboard maker will support a product that's at least 5 years old, or that most people are both willing and able to apply firmware upgrades? Not very high, we'd reckon. Although the inexorable march of time will eventually take care of this flaw, the only surefire solution is to upgrade your computer.

Via: PCWorld

Source: Black Hat, GitHub

Tags: core, cpu, intel, memorysinkhole, nehalem, pentium, processor, security

Saturday, August 08, 2015

Researchers find major security flaw with ZigBee smart home devices

Source: http://www.engadget.com/2015/08/07/zigbee-security-flaw//

Hue bridge

Manufacturers of smart home devices using the ZigBee standard are aiming for convenience at the expense of security, according to researchers from the Austrian security firm Cognosec. By making it easier to have smart home devices talk to each other, many companies also open up a major vulnerability with ZigBee that could allow hackers to control your smart devices. And that could be a problem if you rely on things like smart locks or a connected alarm system for home security. Specifically, Cognosec found that ZigBee's reliance on an insecure key link with smart devices opens the door for hackers to spoof those devices and potentially gain control of your connected home.

"Tests with light bulbs, motion sensors, temperature sensors and even door locks have also shown that the vendors of the tested devices implemented the minimum of the features required to be certified," Cognosec's Tobias Zillner writes. Even worse, he points out that there's no way for consumers to make their smart devices more secure. In the end, he blames the push for ZigBee to be easy to use as the big reason why companies have been lax with security.

For anyone who's had worries about the vulnerability of the connected home, Cognosec's findings basically present the worst case scenario for ZigBee. Since it affects a wide variety of devices, it's unclear how quickly manufacturers will be able to come up with a fix. We've reached out to the ZigBee Alliance, whose members include major companies like Samsung, Sony and ARM, and will report back with their response.

[Photo credit: Tom Raftery/Flickr]

Via: TechCrunch

Source: Cognosec

Tags: hacks, security, smarthome, Zigbee

Tuesday, August 04, 2015

Hackers could take complete control of your computer if you use 'the Netflix for pirated movies'

Source: http://www.businessinsider.com/hacker-proves-popcorn-time-is-not-safe-from-attack-2015-8

Popcorn Time Streaming App

Popcorn Time, the Netflix-like website for pirated movie content, may be vulnerable to a hack attack, TorrentFreak reports. This is according to a Greek security researcher named Antonios Chariton who published a blog post this past weekend.

Using a series of techniques, Chariton wrote that he demonstrated how "someone can get complete control of a computer assuming they have a Man In The Middle position in the network."

A 'man-in-the-middle' attack is when a hacker intercepts a data request between two machines. The attacker is then able to swap the intended data for something malicious. So, if an attacker is able to execute one of these intercepting attacks, he or she can wreak havoc on the computer running Popcorn Time.

The attack is based on the clever way Popcorn Time avoids being banned by internet service providers (ISPs). The application is able to connect directly to the CloudFlare network. This, put in the simplest of terms, means that if an ISP wants to block the Popcorn Time program it would have to ban the entire CloudFlare website and not just the pirated content program. This is a smart way to avoid widespread ISP blocks.

The problem, however, is that the connection to CloudFlare is made over the HTTP protocol, and it's been shown that HTTP is just not secure.

Chariton didn't mince his words: "HTTP is insecure. There's nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don't run inside a web browser."

Because of HTTP's vulnerability, Chariton wrote that he was able to inject malicious code into a victim computer using Popcorn Time.

Popcorn Time penned a blog post responding to these claims. It assured users that they “don’t need to worry.” For one, man-in-the-middle attacks are “very unlikely,” and require a hacker to gain access to a victim’s personal network.

The site does admit that there are some security issues to be dealt with. It says it will release a fix to these shortly, but adds that what Chariton brought to light isn't as dire as it may seem.

Toshiba's new flash chips hold twice the data

Source: http://www.engadget.com/2015/08/04/toshiba-flash-chips-double-capacity//

Judging by recent announcements, we're about to enter a golden age of fast, nearly unlimited storage for all the high-res selfies you can shoot. Following an announcement by Intel and Micron last week, Toshiba and partner SanDisk revealed their own 256Gb flash chips. Toshiba already has the smallest flash cells in the world at 15 nanometers, which it stacks in 48 layers to maximize density. The new chips add in 3-bit tech (first used by Samsung) to squeeze even more bytes in, helping it double the storage of chips it announced just a few months ago. The result will be faster and more reliable memory for smartphones, SSDs and other devices.

Intel and Micron announced 256Gb chips using different, 32-layer tech earlier this year, so they may beat Toshiba/SanDisk to the manufacturing punch. Consumers will be the main beneficiaries of the rivalry, in any case. Micron said the tech will eventually yield up to 10TB laptop drives at much lower prices per gigabyte than current models. It'll also result in cheaper and faster memory chips for smartphones and other mobile devices. Toshiba's in the process of building its new fab plant in Japan, and said the 256Gb chips will be available sometime in 2016.

Source: Toshiba

Tags: 256Gb, BiCS, Flash, memory, NAND, SanDisk, SSD, Toshiba
