Tech News

It is a truism that all software has bugs and security holes. It is another that license agreements invariably make software vendors immune to liability for damage or losses caused by such flaws. But, to my surprise, Black Hats founder and keynote speaker are arguing that software product liability, presumably mandated by governments, is inevitable. If they are right, a seismic change is on the horizon. I do not see a way forward without software liability, said Jeff Moss aka Dark Tangent. As software eats the world, industries which are already subject to liability are becoming software companies: Moss called Airbus, Boeing, and Tesla manufacturers of moving data centers. The recent Jeep hack highlights the extent to which vehicle manufacturers have become software companies, and vulnerable to software flaws. But traditional software companies are immune to liability. It is not, Moss argues, a level playing field. Market forces will drive us to software liability, he claims. Keynote speaker (and lawyer) Jennifer Granick similarly believes the Internet of Things will lead to industries accustomed to liability becoming software companies, which will lead to software liability.

The vulnerability was introduced in 1997, but has remained hidden until now. A design flaw in the x86 processor architecture dating back almost two decades could allow attackers to install a rootkit in the low-level firmware of computers, a security researcher said Thursday. Such malware could be undetectable by security products. The vulnerability stems from a feature first added to the x86 architecture in 1997. It was disclosed Thursday at the Black Hat security conference by Christopher Domas, a security researcher with the Battelle Memorial Institute. By leveraging the flaw, attackers could install a rootkit in the processors System Management Mode (SMM), a protected region of code that underpins all the firmware security features in modern computers. Once installed, the rootkit could be used for destructive attacks like wiping the UEFI (Unified Extensible Firmware Interface) the modern BIOS or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldnt help, because they too rely on the SMM to be secure.

Yahoos top websites fell victim to a malvertising attack within the companys ad network, although Yahoo will not reveal the number of people who may have been affected. Hackers exploited Adobe Flash software to conduct the attack. Malware was spread through Yahoos ads for a week, according to a senior security researcher at Malwarebytes, the security firm that first learned of the attack. More than 100 million people visit Yahoos new sites per month. Yahoo said it has curbed the attack that began on July 28. As soon as we learned of this issue, our team took action to block this advertiser from our network, a Yahoo spokesperson said in a statement. Jerome Segura, a senior security researcher at Malwarebytes, said hackers used a bug in Adobe Flash, which streams audio and video. This [is] one of the largest malvertising attacks we have seen recently, Segura said. Yahoo claimed the scale of the attack was initially blown out of proportion. We take all potential security threats seriously, the companys spokesperson said, according to The Hill. With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue. Yahoos contemporary, Google, fell victim to a large malvertising attack earlier this year. Hackers were found to be using Googles advertising service, DoubleClick, to launch attacks on visitors from other websites. Google responded by announcing it would encrypt all DoubleClick ads. Yahoo also said in April that it would encrypt its ad network connections. The company said it has already installed end-to-end encryption for its Yahoo Mail. Online advertisers have received encouragement from top US senators to solidify their networks in order to protect online consumers from malvertising attacks. We must understand the security and privacy hazards consumers face in online advertising and make sure standards and rules exist to ensure consumers do not have to be more tech savvy than cyber criminals to stay safe online, said Sen. John McCain, who, with then-Sen. Carl Levin, released a report in 2014 that urged online advertisers to take action. Malvertising efforts reached more than 2 million users in June, a record according to security firm Invincea. The Adobe Flash-enabled attack, meanwhile, has led to a renewed call for the service to be disabled on personal computers short of the outright retirement of Flash.

SAN FRANCISCO — Pen and paper instead of a laptop. Cash instead of credit cards. Face-to-face chats instead of cell phones. That is the drill for the most cautious at two big computer security conferences this week in Las Vegas. Together they are a gathering of the worlds best hackers, which is why security professionals need to be there — but also on their toes, said Richard Blech, CEO of Secure Channels, a digital information security company based in Irvine, Calif. Black Hat, which begins Tuesday, will fill the Mandalay Bay hotel with upwards of 9,000 security executives, hackers, academics, government and law enforcement staffers. it is immediately followed by Def Con, a more hacker-oriented conference held at the Paris and Ballys hotels. Last year, Def Con attracted nearly 16,000 people. Both feature demonstrations, lectures and presentations about the most cutting-edge computer security issues — attended by thousands of people with the tools and the knowledge to break into just about any system imaginable. It is one-stop shopping, a place were every major security executive is gathered. You do not have to travel around the globe or hunt them down on the Internet — they are all here, said Brad Taylor, CEO of security company Proficio in Carlsbad, California. That means the rules are a little different, said Stan Black, chief security officer for Citrix in Fort Lauderdale, Fla.. For example, he is bringing his schedule printed out on a piece of paper so he does not have to turn on his cell phone to check it. The most wary will also turn off WiFi, power down Bluetooth and book hotel rooms halfway across town.

Security-enhancer HTTPS Everywhere switched off with this one weird trick Detectify researcher Mathias Karlsson says attackers can remove Google Chrome extensions, including the popular HTTPS Everywhere extension, if users do nothing else but visit a web page. Karlsson (@avlidienbrunn) says the vulnerability patched and pushed into the latest stable edition of Chrome allows users to be targeted without requiring intervention. After some hours of analysis I managed to disable it (HTTPS Everywhere) by just viewing a HTML page, Karlsson says. In fact, I managed to disable any extension and most without any user interaction. Karlsson published a proof-of-concept attack that will disable HTTPS Everywhere by corrupting it. The flaw does not reside in the extension and affects users who have not applied automatic Chrome updates. Extensions are corrupted when websites attempt to access the Chrome extension URI handler. A malicious link can be constructed to issue ping attribute requests triggering corruption when users click. Google had previously blocked most chrome extension URI request but appeared to have missed the ping attribute.

Gaining remote code execution privileges merely by having access to the mobile number? Enter Stagefright. The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries a scary code in its heart. Named Stagefright, it is a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java. Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake (@jduck), dived into the deepest corners of Android code and discovered what we believe to be the worst Android vulnerabilities discovered to date. These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drakes research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7 found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction. Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleeep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.