Tag Archives: vulnerabilities

[ISN] Severe weaknesses in Android handsets could leak user fingerprints

http://arstechnica.com/security/2015/08/severe-weaknesses-in-android-handsets-could-leak-user-fingerprints/
By Dan Goodin
Ars Technica
Aug 10, 2015

HTC and Samsung have patched serious vulnerabilities in some of their Android phones that made it possible for malicious hackers to steal user fingerprints. The researchers who discovered the flaws said that many more phones from all manufacturers may be susceptible to other types of fingerprint-theft attacks.

The most serious of the flaws was found on HTC’s One Max handset. According to researchers at security firm FireEye, the device saved user fingerprints as an unencrypted file. Almost as bad, the BMP image was readable by any other running application or process. As a result, any unprivileged process or app could obtain a user’s fingerprints by reading the file. Attackers could capitalize on the weakness by exploiting one of the many serious vulnerabilities that regularly crop up in Android or by tricking a target into installing a malicious app. HTC fixed the issue after FireEye privately reported it, according to this summary, which didn’t provide a date or other details of the update. […]





[ISN] Researcher says he can hack GM’s OnStar app, open vehicle, start engine

http://venturebeat.com/2015/07/30/researcher-says-can-hack-gms-onstar-app-open-vehicle-start-engine/
By Bernie Woodall in Detroit and Jim Finkle in Boston
Reuters
July 30, 2015

BOSTON/DETROIT (Reuters) – A researcher is advising drivers not to use a mobile app for the General Motors OnStar vehicle communications system, saying hackers can exploit a security flaw in the product to unlock cars and start engines remotely.

“White-hat” hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to “locate, unlock and remote-start” vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service. Kamkar said he plans to provide technical details on the hack next week in Las Vegas at the Def Con conference, where tens of thousands of hacking aficionados will gather to learn about new cybersecurity vulnerabilities.

Kamkar released the video a week after Fiat Chrysler Automobiles recalled some 1.4 million vehicles after hacking experts demonstrated a more serious vulnerability in the Jeep Cherokee. That bug allowed them to gain remote control of a Jeep traveling at 70 miles per hour on a public highway. […]



[ISN] Hackers Can Disable a Sniper Rifle — Or Change Its Target

http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/
By Andy Greenberg
Security
Wired.com
07.29.15

PUT A COMPUTER on a sniper rifle, and it can turn the most amateur shooter into a world-class marksman. But add a wireless connection to that computer-aided weapon, and you may find that your smart gun suddenly seems to have a mind of its own—and a very different idea of the target.

At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter.

“You can make it lie constantly to the user so they’ll always miss their shot,” says Sandvik, a former developer for the anonymity software Tor. Or the attacker can just as easily lock out the user or erase the gun’s entire file system. “If the scope is bricked, you have a six to seven thousand dollar computer you can’t use on top of a rifle that you still have to aim yourself.” […]



[ISN] Smartwatches a new frontier for cyber attack, HP study shows

http://www.computerweekly.com/news/4500250398/Smartwatches-a-new-frontier-for-cyber-attack-HP-study-shows
By Warwick Ashford, Security Editor
ComputerWeekly.com
23 Jul 2015

Smartwatches with network and communication functionality represent a new and open frontier for cyber attack, according to a study by HP Fortify. The study revealed that 100% of the tested smartwatches contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.

The study report entitled Internet of things security study: Smartwatches makes recommendations for secure smartwatch development and use in home and work environments. As the internet of things (IoT) market advances and smartwatches become more mainstream, they will increasingly store more sensitive information, such as health data, the report said. […]



[ISN] Adobe to patch second Hacking Team Flash zero-day bug

http://www.computerworld.com/article/2947273/malware-vulnerabilities/adobe-to-patch-second-hacking-team-flash-zero-day-bug.html
By Gregg Keizer
Computerworld
July 11, 2015

Adobe next week will patch a second zero-day vulnerability found in the leaked documents from the Hacking Team, a controversial Italian company that sells surveillance software and exploits to governments, Adobe said late Friday.

The flaw will be patched this coming week; Adobe did not set a release date for the fix. “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe noted in an advisory.

The vulnerability was the second uncovered in the gigabytes of documents leaked after attackers compromised the Hacking Team’s network and pilfered emails, financial information and contracts from the firm’s systems. […]



[ISN] Feds Say That Banned Researcher Commandeered a Plane

http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/
By Kim Zetter
Wired.com
05.15.15

A SECURITY RESEARCHER kicked off a United Airlines flight last month after tweeting about security vulnerabilities in its system had previously taken control of an airplane and caused it to briefly fly sideways, according to an application for a search warrant filed by an FBI agent.

Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.

“He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote in his warrant application (.pdf). “He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”

Hurley filed the search warrant application last month after Roberts was removed from a United Airlines flight from Chicago to Syracuse, New York, because he published a facetious tweet suggesting he might hack into the plane’s network. Upon landing in Syracuse, two FBI agents and two local police officers escorted him from the plane and interrogated him for several hours. They also seized two laptop computers and several hard drives and USB sticks. Although the agents did not have a warrant when they seized the devices, they told Roberts a warrant was pending. […]

