[ISN] Severe weaknesses in Android handsets could leak user fingerprints

http://arstechnica.com/security/2015/08/severe-weaknesses-in-android-handsets-could-leak-user-fingerprints/

By Dan Goodin, Ars Technica, Aug 10, 2015

HTC and Samsung have patched serious vulnerabilities in some of their Android phones that made it possible for malicious hackers to steal user fingerprints. The researchers who discovered the flaws said that many more phones from all manufacturers may be susceptible to other types of fingerprint-theft attacks.

The most serious of the flaws was found on HTC’s One Max handset. According to researchers at security firm FireEye, the device saved user fingerprints as an unencrypted file. Almost as bad, the BMP image was readable by any other running application or process. As a result, any unprivileged process or app could obtain a user’s fingerprints by reading the file. Attackers could capitalize on the weakness by exploiting one of the many serious vulnerabilities that regularly crop up in Android or by tricking a target into installing a malicious app. HTC fixed the issue after FireEye privately reported it, according to this summary, which didn’t provide a date or other details of the update.

[…]

[ISN] Random numbers aren’t, says infosec boffin

http://www.theregister.co.uk/2015/08/11/your_numbers_arent_random_says_infosec_boffin/

By Richard Chirgwin, The Register, 11 Aug 2015

The randomness (or rather, lack thereof) of pseudo-random number generators (PRNGs) is a persistent pain for those who work at the low layers of cryptography.

Security researcher Bruce Potter, whose activity in the field stretches back more than a decade, when he demonstrated war-driving using Bluetooth, says problems both in design and implementation undermine the effectiveness of common crypto libraries. Now Potter’s work (his BlackHat presentation is here [PDF]) has led to the claim that nobody really understands what’s going on.

Part of the problem, he writes, is that people tend to conflate “entropy” with “randomness”, when in fact the two mean different things: entropy is a measurement of the uncertainty of an outcome, while randomness is a long-term assessment of entropy.

[…]
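As an added illustration of the entropy-versus-randomness distinction Potter draws (example code written for this digest, not from the article or his slides): the per-byte Shannon entropy that many tools report as "entropy" is maximal for a plain counter stream, even though every byte of that stream is predictable from the previous one. The seeded `random.Random` stream and the counter stream are constructed sample inputs.

```python
import math
import random
from collections import Counter


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (max 8.0).

    This is the number most 'entropy scanners' report: it only measures how
    evenly the byte values are distributed, not whether they are predictable.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def counter_predictor_hit_rate(data: bytes) -> float:
    """Fraction of bytes that a trivial 'previous byte + 1' predictor gets right.

    A value near 1.0 means the stream is fully predictable no matter how
    flat its histogram is; a value near 1/256 is what unpredictable bytes give.
    """
    if len(data) < 2:
        return 0.0
    hits = sum(1 for i in range(1, len(data)) if data[i] == (data[i - 1] + 1) % 256)
    return hits / (len(data) - 1)


def build_samples(length: int = 4096) -> dict:
    """Constructed inputs: a seeded PRNG stream and a wrapping byte counter."""
    prng = random.Random(20150811)  # fixed seed so results are reproducible
    return {
        "prng": bytes(prng.getrandbits(8) for _ in range(length)),
        "counter": bytes(i % 256 for i in range(length)),
    }


def compare_streams(length: int = 4096) -> dict:
    """Entropy estimate and predictability for each constructed stream."""
    return {
        name: {
            "entropy_bits": shannon_entropy_bits_per_byte(data),
            "predictable": counter_predictor_hit_rate(data),
        }
        for name, data in build_samples(length).items()
    }


if __name__ == "__main__":
    for name, stats in compare_streams().items():
        print(f"{name:8s} entropy={stats['entropy_bits']:.3f} bits/byte "
              f"predictable={stats['predictable']:.3f}")
```

The counter stream scores a perfect 8.0 bits per byte while being 100% predictable, which is exactly the conflation the article warns about: a flat histogram is evidence of uncertainty only if the generator's output is also unpredictable over time.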


[ISN] Imploding Barrels and Other Highlights From Hackfest DefCon

http://www.wired.com/2015/08/highlights-from-defcon-2015/

By Kim Zetter, Security, Wired.com, 08.10.15

VISITING LAS VEGAS can feel a bit like being a metal sphere in a pinball machine — you’re tossed from bright lights to blaring shows and back again until you eventually (hopefully) emerge out a hole at your home airport. When you visit Vegas with a swarm of hackers and security researchers, the dizziness gets amped up tenfold and can be laced with a dose of dark mischief.

This year marked the 23rd DefCon, the hacker conference that began as an informal gathering for hackers to meet in person and party in the desert. Since its beginning, it has grown from fewer than 100 attendees to reportedly more than 20,000, all of them jammed into two hotels this year—Paris and Ballys—to learn the latest hacks and swap techniques.

WIRED covered a number of talks from the conference over the last two weeks—including hacks of Chrysler Jeeps and Teslas, electronic skateboards, sniper rifles and Brinks safes. But as this year’s event draws to a close, here’s a compendium of some of the con’s other highlights:

[…]
