Source: National Cyber Security – Produced By Gregory Evans. Cisco, the makers of Webex, had warned users of the online conferencing service that a vulnerability allowed unauthorised remote users to listen in on private online meetings – without having to enter a password. The vulnerability, which was rated as high severity by Cisco in a […]
The big lesson from the Bezos hack: Anyone can be a target (Daily Inter Lake – Politics & Government)
PROVIDENCE, R.I. (AP) You may not think you’re in the same league as Jeff Bezos when it comes to being a hacking target. Probably not, but you and just about anyone else, potentially including senior U.S. government figures, could still be vulnerable to an attack similar to the one the Amazon founder and Washington Post owner apparently experienced.
Two U.N. experts this week called for the U.S. to investigate a likely hack of Bezos’ phone that could have involved Saudi Arabian Crown Prince Mohammed bin Salman. A commissioned forensic report found with medium to high confidence that Bezos’ iPhone X was compromised by a video MP4 file he received from the prince in May 2018.
Bezos later went public about the hack after the National Enquirer tabloid threatened to publish Bezos’ private photos if he didn’t call off a private investigation into the hacking of his phone. It’s not clear if those two events are related. The Saudis have denied any involvement in the purported hack.
The events could potentially affect U.S.-Saudi relations. On Friday, Sen. Ron Wyden, an Oregon Democrat, said he is asking the National Security Agency to look into the security of White House officials who may have messaged the crown prince, particularly on personal devices. Jared Kushner, a White House aide and President Donald Trump’s son-in-law, is known to have done so using WhatsApp.
Wyden called reports of the Bezos hack “extraordinarily ominous” and said they may have “startling repercussions for national security.”
But they could resonate at the personal level as well. As the cost of hacking falls while opportunities to dig into peoples’ online lives multiply, more and more people are likely to end up as targets, even if they’re not the richest individuals in the world.
Ultimately, that boils down to a simple lesson: Be careful who you talk to and what you’re using to chat with them.
“People need to get out of the mindset that nobody would hack them,” said Katie Moussouris, founder and CEO of Luta Security. “You don’t have to be a specific target or a big fish to find yourself at the mercy of an opportunistic attacker.”
WhatsApp, owned by Facebook, is generally considered a secure way of trading private online messages due to the fact that it scrambles messages and calls with encryption so that only senders and recipients can understand them. What many people may not have realized is that it, like almost any messaging service, can act as a conduit for malware.
That encryption, however, is no help if a trusted contact finds a way to use that connection to break into the phone’s operating system. In fact, an infected attachment can’t be detected by security software while it’s encrypted, and apps like WhatsApp don’t scan for malware even once files are decrypted.
WhatsApp users can disable the automatic downloading of photos, videos and other media, which happens by default unless the user takes action.
Other messaging apps are likely also vulnerable. “It just so happens that this one was a vulnerability in WhatsApp,” said JT Keating, of Texas-based security firm Zimperium. “It could have been in any one of any number of apps.”
Prince Mohammed exchanged numbers with Bezos during a U.S. trip in spring 2018. On the same visit, the prince also met with other tech executives, including the CEOs of Google, Apple and Palantir, as well as sports and entertainment celebrities and academic leaders. Virgin Group founder Richard Branson gave the Saudi delegation a tour of the Mojave Air and Space Port in the desert north of Los Angeles.
Google and Apple didn’t respond to emailed requests for comment this week on whether their executives shared personal contacts after that trip. Palantir Technologies confirmed that its CEO Alex Karp met with the prince but said they never shared personal messages. Virgin Group said it was looking into it.
UC Berkeley cybersecurity researcher Bill Marczak cautioned that there’s still no conclusive evidence that the Saudi video was malicious, adding that it might be premature to jump to broader conclusions about it. Many other security experts have also questioned the forensics report upon which U.N. officials are basing their conclusions.
But Marczak said it is generally good advice to “always be on the lookout for suspicious links or messages that sound too good to be true.”
Even caution about avoiding suspicious links might not be good enough to ward off spyware, especially for high-profile targets like dissidents, journalists and wealthy executives. Hackers-for-hire last year took advantage of a WhatsApp bug to remotely hijack dozens of phones and take control of their cameras and microphones without the user having to click anything to let them in.
In such cases, said Marczak, “there doesn’t need to be any interaction on the part of the person being targeted.”
For researchers at testing outfit AV-Test, the SMA M2 kids’ smartwatch is just the tip of an iceberg of terrible security.
On sale for around three years, superficially it’s not hard to understand why the model M2 might appeal to anxious parents or carers.
Costing only $32, it pairs with a smartphone so that adults can track the real-time location of kids via GPS, GSM or Wi-Fi using a simple mapping app and online account. Add a SIM and it can be used to make voice calls and there’s even an SOS button children can press in the event of an emergency.
The colour screen, cartoon icons, and baby-blue or pink colour scheme are almost guaranteed to appeal to younger children.
AV-Test’s investigations reveal that the M2 also happens to be an unmitigated security disaster.
Naked Security has covered numerous security screw-ups over the years but it’s hard to imagine a more face-palming charge sheet than that levelled at the makers of the M2 by AV-Test.
To illustrate the point, the testers use the example of a girl called Anna who lives in Dortmund, Germany.
She vacations with her grandparents in a coastal town called Norderney, where she regularly visits the local harbour around 2 o’clock to spot seals for an hour.
The company knows all of this because Anna is wearing an M2 smartwatch which has been leaking this information along with that of another 5,000 children via a public system whose security would be non-existent for any competent hacker.
AV-Test was able to find the names and addresses of these children, their age, images of what they looked like, as well as voice messages transmitted from the watch.
In a development that would be ironic if it weren’t so serious, they were able to discover children’s current locations. Warns AV-Test’s Maik Morgenstern:
We picked out Anna as much as we could have picked Ahmet from London or Pawel from Lublin in Poland.
The epic fail starts with the fact that communication with the online system is unencrypted and its authentication is weak.
Although an authentication token is generated and sent with requests to the Web API to prevent unauthorized access, this token is not checked on the server side and is therefore inoperative.
Perhaps worse, the smartphone app’s poorly secured web API makes it possible to borrow any user’s account ID and log into that account.
An attacker could not only track and contact a child but lock legitimate adults out of the account.
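The two flaws AV-Test describes (a token the server never checks, and an account ID that any caller can supply) are shown side by side below in an added Python example; this is not code from AV-Test or SMA, and the token format, server secret and sample location records are constructed for illustration.

```python
import hmac
import hashlib

# Assumption: a server-side signing key that never ships inside the phone app.
SERVER_SECRET = b"constructed-demo-secret"

# Constructed backend records: which location belongs to which account id.
LOCATIONS = {"acct-1001": "Norderney harbour", "acct-2002": "Lublin"}


def issue_token(account_id: str) -> str:
    """Server mints a token bound to exactly one account (HMAC over the id)."""
    tag = hmac.new(SERVER_SECRET, account_id.encode(), hashlib.sha256).hexdigest()
    return f"{account_id}.{tag}"


def verify_token(token: str):
    """Return the account id the token is bound to, or None if it is missing or forged."""
    try:
        account_id, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, account_id.encode(), hashlib.sha256).hexdigest()
    return account_id if hmac.compare_digest(tag, expected) else None


def handle_location_insecure(request: dict) -> dict:
    """The pattern AV-Test reported: a token travels with the request but is never
    checked, and the account id in the request is trusted as-is, so any id works."""
    acct = request["account_id"]
    return {"status": 200, "location": LOCATIONS.get(acct)}


def handle_location_fixed(request: dict) -> dict:
    """Hardened handler: reject bad tokens, then serve only the account the token names."""
    subject = verify_token(request.get("token", ""))
    if subject is None:
        return {"status": 401, "error": "invalid or missing token"}
    if subject != request.get("account_id"):
        # A valid token for account B must not unlock account A's records.
        return {"status": 403, "error": "token not authorized for this account"}
    if subject not in LOCATIONS:
        return {"status": 404, "error": "no record"}
    return {"status": 200, "location": LOCATIONS[subject]}
```

Logging the 401/403 outcomes from the fixed handler is also a cheap detection signal for account-enumeration attempts against such an API.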
Remember, this is a device that is supposed to be a security tracker for carers that turns out to do the same job for anyone.
This is surely worse than no security trackers because at least using nothing wouldn’t lull its users into a false sense of security.
What to do
If you own one of these watches, our advice would be to stop using it immediately.
It’s not clear how many children might be wearing one – AV-Test detected users in Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the UK, The Netherlands, and China – but it’s likely to be a lot more than the 5,000 the researchers identified.
The maker, SMA, has been told of the flaws while the product’s German distributor has removed it from sale.
The troubling part of this story is that AV-Test has been looking at this type of children’s smartwatch for some years, and this is only the latest and worst example in a sector that seems to have treated security as little more than a tick box – if it looks secure then it probably is.
Indeed, Naked Security has covered security problems with this class of device many times before. In 2017, Germany even reportedly banned the devices over spying worries. Then there’s this week’s case of the baby monitor hacked by a stranger.
Until IoT products like this can demonstrate better security, it’s wise to shop with great caution.
The post Kids’ smartwatch security tracker can be hacked by anyone – Naked Security appeared first on National Cyber Security.
Technique known as NAND mirroring, which focuses on bypassing limit on password retry attempts, can be used to break into any model up to the 6
The FBI paid more than $1.3m to unlock the San Bernardino shooter’s iPhone 5C,
The post $100 store-bought kit can help anyone hack into iPhone passcodes appeared first on National Cyber Security.