Critical update for Flash released

Posted by:
Date: Thursday, February 6th, 2014, 09:56
Category: Hack, Mac, Malware, News, security, Software, Windows

adobe-flash-playerEarlier it was Java, now it has been discovered that Adobe’s Flash software also has a vulnerability that gives complete control over compromised systems to hackers. This vulnerability, fixed in the just released version 12.0.0.44, affects Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.335 and earlier versions for Linux, although Linux was listed as having a lower priority rating. Adobe has detailed the problem in a security bulletin. All users are recommended to update Flash on their computers, as well as Google’s Chrome browser which has it’s own Flash component. The version of Chrome that includes this fix is 32.0.1700.107 and should update this automatically, but you may have to restart the browser for the correct version to register in the “About Google Chrome” window. If you want to check which version you are running before going through the update process, you can go to this page on Adobe’s site. You can download OS specific installers from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply two Flash updates, one for IE and one for any alternative browsers (Firefox, Opera, e.g.). Both updaters can be found on the download page. On a Mac, if you already have Flash installed, you can also go to the Flash Player settings in System Preferences and click on the Check for Updates button in the Advanced tab. Our friends at Kaspersky Labs make another appearance in the Acknowledgements of the security bulletin where Adobe thanks them for discovering the vulnerability;

“Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:

Alexander Polyakov and Anton Ivanov of Kaspersky Labs (CVE-2014-0497)”

So if you’ve got the time now, and you probably should make the time, get those updaters downloaded and installed. Almost makes you want to remove both Java and Flash doesn’t it?

New malicious Java app aims to infect Mac and Linux systems

Posted by:
Date: Tuesday, February 4th, 2014, 09:34
Category: Announcement, Apple, Desktop Mac, Hack, Mac, Malware, OS X, security, Software

target-javaIt’s a long held belief that unless you are using the Windows platform, you are more or less immune to the average virus, trojan, or hack that you might encounter out in the wilds of the internet. There is some truth to the notion that Windows is more vulnerable to attacks, but there really is no such thing as safe, only safer. Check out this article on How-To Geek for a historical perspective on Windows’ malware woes. While Linux and OS X have more inherent defenses against infection, there are still some avenues that hackers can take advantage of to breach them, one of them being Java.

(more…)

Chrome bug captures your every word behind your back

Posted by:
Date: Thursday, January 23rd, 2014, 08:37
Category: Announcement, Google, Hack, Opinion, privacy, security, Software, Websites

googlelisten2As if people were not paranoid enough about the amount of data Google captures about them, a recently discovered bug in Google’s Chrome web browser can now capture everything you say in front of your computer without you even knowing about it. And here is the kicker…it’s probably not even Google who is after your voice, it’s random hackers taking advantage of the exploit. According to developer Tal Ater, who discovered the exploit, the bug allows a malicious web site to open another browser window (just like a pop-up ad) behind the main window which continues to record your voice -even after you’ve closed the original site window- and sends the recorded data first through Google for processing, and then on to wherever the hacker wants.

(more…)

Security firms weigh in on Adobe breach, cite 38 million+ user IDs stolen

Posted by:
Date: Wednesday, October 30th, 2013, 10:56
Category: Hack, News, security

adobelogo

You’re probably going to want to change your Adobe login and password.

Per Macworld and Krebs on Security, the security breach reported earlier this month at Adobe is turning out to be much more widespread than the company first let on. At least 38 million users have been affected by the early October incident.

When Adobe announced the breach on October 3, it said that attackers stole user names and encrypted passwords for an undisclosed numbers of users, along with encrypted credit or debit card numbers and expiration dates for 2.9 million customers. Krebs on Security has reported on the full extent of the attack, confirming the 38 million figure with Adobe.

The total damage could go beyond 38 million users. According to the article, the 3.8GB file includes more than 150 million usernames and hashed passwords, all taken from Adobe. The same file also apparently turned up on a server with the other stolen Adobe data.

Adobe says that 38 million active users users were affected, whereas the other usernames and passwords could include inactive IDs, test accounts and IDs with invalid passwords. However, Adobe is still investigating, and given the tendency of users to repeat the same usernames and passwords across multiple Web services, inactive account holders could still face a security risk. Adobe is trying to notify inactive users of the breach, and has already reset passwords for active users who were affected.

To make matters worse, Krebs on Security and Hold Security both claim that the hackers stole source code for flagship products such as Photoshop, Acrobat, and Reader. Adobe acknowledged that at least some Photoshop source code was stolen; the company is trying to get the data taken down.

In a blog post, Hold Security suggested that the source code theft could have far-reaching security implications. “While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data,” the firm wrote. “Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.”

Active Adobe users affected by the breach should have received a notification from the company by now, prompting them to change passwords. As always, users can employ several strategies to keep their data safe, such as setting different passwords on each site or setting up a password manager.

Stay tuned for additional details as they become available.

German group breaks through iPhone 5s Touch ID fingerprint authentication, releases video of hack

Posted by:
Date: Monday, September 23rd, 2013, 11:48
Category: Hack, iPhone, News, security

eliphone5s

It only took three days to hack the iPhone 5s’ Touch ID authentication system.

Per The Mac Observer, the gChaos Computer Club has claimed to have hacked Apple’s newest security feature. The group started by scanning the fingerprint associated with an iPhone at high resolution, and then printing it out for transfer to another material such as latex. Once the material holding the print, complete with ridges and grooves, has finished setting up, the group placed it over someone else’s finger and used it to successfully unlock the iPhone.

The Chaos Computer Club said, “In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.”

They added that it’s a simple process to lift fingerprints and then convert those into fakes that can be used to bypass security systems. “You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” they said.

While the process CCC showed was fairly straight forward, it isn’t exactly a simple process for the average person. It involves successfully collecting a quality fingerprint, scanning it at 2400 DPI or higher, and cleaning up the scanned image and then printing it to an acetate sheet on a laser printer before applying the material that will ultimately hold the fake print.

The group released the following video demonstrating the hack:



Assuming someone steals your iPhone with the intent of hacking around Touch ID it’s actually much easier to simply make you unlock your iPhone instead of duplicating your finger or thumb’s unique patterns. Find My iPhone can also be used to remotely wipe the device and keep anyone from hacking into your personal information.

The bigger problem in this case is that someone else has physical control over your iPhone. When that happens it’s much easier to find ways to hack in — especially since at that point the potential hackers have time on their hands.

Even still, the CCC’s Touch ID demonstration does show that Apple’s Touch ID technology may not be quite as secure as the company implied.

Working around fingerprint security systems is something that people have been doing for years, and Apple doesn’t force iPhone 5s owners to use Touch ID. It’s a convenient alternative to using a four-digit passcode, and is still more difficult to work around.

Stay tuned for additional details as they become available.

Security researchers to demo 30-pin dock connector hack/malware injection at Black Hat next month

Posted by:
Date: Friday, June 7th, 2013, 07:57
Category: Hack, iPad, iPhone, iPod, News, security, Software

dockconnector

You’re not going to like this.

Per Senor O’Grady over on the Apple Core, a group of researchers from Georgia Tech have discovered a way to hack into an iPhone or iPad in less than a minute using a “malicious charger.” The group plans to present its findings at the Black Hat conference in Las Vegas on July 27, 2013.

Billy Lau, Yeongjin Jang and Chengyu Song are presenting a session is called “Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers” at the popular security conference next month. The name “Mactans” comes from Latrodectus Mactans, the highly venomous (and deadly) black widow spider.

According to the synopsis on the Black Hat website, the Mactans session will describe how USB capabilities can be leveraged to bypass Apple’s defense mechanisms built into the iPhone.

Jason’s got the full details, so head on over, take a gander and get ready to never completely trust your iOS device’s 30-pin dock connector again…

Hack: How to use your old ADB keyboard with your current USB-equipped Mac

Posted by:
Date: Monday, April 15th, 2013, 07:46
Category: Hack, Hardware, News

Ok, this could prove to be awesome.

And it’s one of the many reasons I believe the mighty Topher Kessler doth rock on a regular and efficient basis.

Over on CNET, Kessler’s penned a cool hack to use your old Apple Desktop Bus (ADB) keyboard with your current USB-equipped Mac.


adbkeyboard

The hack centers around tech hobbyist Scott Vanderlind’s find that by adding a small USB controller to the keyboard, he could tap into the device’s ADB connection and send it over USB to any modern device, where it works quite well.

For hobbyists, adapters like the Griffin 2001-ADB iMate are not the only options for converting your ADB keyboard to USB. Granted, there’s a small amount of soldering, a Teensy USB controller, and a quick flash of the keyboard’s firmware to enable the ADB-to-USB conversion of the keyboard’s output.

Still, the process seems to work pretty well with the only hiccup being the need to continually hold the Num Lock key for the number pad to work.

Head on over, take a gander and if you’ve found a cool hack of your own that you’d like to share, please let us know in the comments.

Advertising-based trojan goes into wild on Mac OS X, Windows platforms

Posted by:
Date: Thursday, March 21st, 2013, 07:55
Category: Hack, News, security, Software

The available list of Mac malware (and jerks creating it) just grew a bit.

Per MacNN, a new Mac trojan is inserting ads into Safari, Chrome, and Firefox, says a Russian security firm, Doctor Web. Nicknamed “Trojan.Yontoo.1,” the malware is so far being distributed through movie trailer pages, which prompt people to download a browser plugin, a media player, a video enhancer, or a download accelerator. When launched, the malware asks to be installed under a name such as “Free Twit Tube.”

In reality, the installer inserts a plugin into the aforementioned browsers, which transmits data about the websites a person visits to a remote server, and inserts ads into places in sites where they wouldn’t otherwise exist. Visiting the official Apple page for the iPad mini, for instance, may trigger an ad for unrealistically low iPad discounts. Doctor Web notes that the attackers could potentially swap out the plugin for different or updated code.

The malware is targeting Windows systems as well, but Doctor Web comments that hackers are increasingly targeting Mac owners, and that such ad schemes generate money regardless of the platform they’re on. The hackers likely receive money for each ad impression, and more if a person actually clicks on an ad. There doesn’t appear to be any defense against the trojan in OS X at the moment, short of rejecting the installation; Apple may, however, be able to create a safeguard by updating the OS’ blacklist.

Stay tuned for additional details as they become available.

Second lockscreen bypass exploit discovered in iOS 6.1, data vulnerable via USB connection

Posted by:
Date: Tuesday, February 26th, 2013, 07:07
Category: Hack, iOS, News, security, Software

Apple either needs to assign its iOS security people some business hammocks or take their current ones away…

A second iOS 6.1 bug has been discovered that gives access to contacts, photos and more. The vulnerability uses a similar method as the one disclosed previously, though it apparently gives access to more user data when the phone is plugged into a computer.

Per MacRumors and Kaspersky’s Threatpost, the exploit involves manipulating the phone’s screenshot function, its emergency call function and its power button. Users can make an emergency call (911 for example) on the phone and then cancel it while toggling the power on and off to get temporary access to the phone. A video posted by the group shows a user flipping through the phone’s voicemail list and contacts list while holding down the power button. From there an attacker could get the phone’s screen to turn black before it can be connected to a computer via a USB cord. The device’s photos, contacts and more “will be available directly from the device hard drive without the pin to access,” according to the advisory.

Apple was expected to fix the lock screen bug in iOS 6.1.2, but that small release fixed a different bug. Instead, it appears a fix for at least one of the lock screen vulnerabilities will be coming in iOS 6.1.3, currently in the hands of developers.

Stay tuned for additional details as they become available.

Apple’s iOS 6.1.3 beta could fix security holes, disable Evasi0n jailbreak

Posted by:
Date: Tuesday, February 26th, 2013, 07:02
Category: Hack, iOS, News, security, Software

evasi0n-icon

It was awesome while it lasted.

Per Forbes,

Late last week Apple released an update for iOS to developers in beta that prevents the use of the popular jailbreak software evasi0n, according to one of evasi0n’s creators who tested the patch over the weekend, David Wang.

Wang has stated that he’s analyzed the 6.1.3 beta 2 update and found that it patches at least one of the five bugs the jailbreak exploits, namely a flaw in the operating system’s time zone settings. The beta update likely signals the end of using evasi0n to hack new or updated devices after the update is released to users, says Wang, who says he’s still testing the patch to see which other vulnerabilities exploited by the jailbreak might no longer exist in the new operating system.

That impending patch doesn’t mean evasi0n’s time is up, says Wang. Judging by Apple’s usual schedule of releasing beta updates to users, he predicts that it may take as long as another month before the patch is widely released.

When evasi0n hit the Web earlier this month, it quickly became the most popular jailbreak of all time as users jumped at their first chance to jailbreak the iPhone 5 and other most-recent versions of Apple’s hardware. The hacking tool was used on close to seven million devices in just its first four days online.

Apple already has a more pressing security reason to push out its latest update. The patch also fixes a bug discovered earlier this month that allows anyone who gains physical access to a phone to bypass its lockscreen in seconds and access contacts and photos.

When Apple’s update arrives, the team of jailbreakers known as the evad3rs may still have more tricks in store. Wang has stated that the group has discovered enough bugs in Apple’s mobile operating system to nearly build a new iOS jailbreak even if all the bugs they currently use are fixed.

Stay tuned for additional details as they become available.