
Tech News


Rogue hotspots can steal your Windows Phone's saved WiFi passwords.

Microsoft is warning users that their Windows Phone 8 and Windows Phone 7.8 devices could be easily tricked into revealing login credentials for corporate WiFi access points secured with WPA2 protection. The vulnerability appears to build on a known security weakness in a Microsoft authentication protocol as well as the way Windows Phones connect to WPA2 networks.

How it works

Let's say Bob works for Acme Inc. and uses a Nokia Lumia 920 as his work phone. Every day Bob's phone automatically connects to the company's WiFi network, called ACME1, using WPA2 security. Whenever Bob's phone sees a WiFi network called ACME1, the handset assumes that this is his work network and attempts to make a connection. Now, let's say that two blocks down the street there's a cafe where a lot of ACME employees grab a latte on their lunch breaks. All a hacker would have to do is set up a wireless router called ACME1 secured with WPA2 and wait for a Windows Phone to connect to the rogue access point.

Hey you know Android apps can access ALL of your Google account

One-click login hands over keys to Gmail, Google Drive et al, says researcher

The single-click Google account login for Android apps is a little too convenient for hackers, according to Tripwire's Craig Young, who has demonstrated a flaw in the authentication method. The mechanism is called 'weblogin', and basically it allows users to use their Google account credentials as authentication for third-party apps, without sharing the username and password itself: a token is generated to represent the user's login details. Young claimed the unique token used by Google's weblogin system can be harvested by a rogue app and then used to access all of the advertising giant's services as that user. To demonstrate the flaw at this month's Def Con 21 hacking conference in Las Vegas, Young created an Android app that asks for access to the user's Google account to display stocks from Google Finance.

Tor fingers Firefox flaw for FAIL but FBI is also in the frame.

Malware means 'attacker now has a list of vulnerable Tor users'

Tor has confirmed the existence of malware that has taken down some of its hidden nodes and says flaws in Firefox are the source of the problem. The network anonymising service yesterday noted the disappearance of some nodes on its network. The outfit hasn't offered any more insight into what's down, or exactly what brought anything that is down down. But it has issued a critical security announcement saying Tor Browser Bundle versions based on Firefox 17 ESR are vulnerable to "arbitrary code execution" that means an attacker could in principle take over the victim's computer. The news gets worse, as Tor also says: "However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services."

Car key immobiliser hack revelations blocked by UK court

A High Court judge has blocked three security researchers from publishing details of how to crack a car immobilisation system. German car maker Volkswagen and French defence group Thales obtained the interim ruling after arguing that the information could be used by criminals. The technology is used by several car manufacturers. The academics had planned to present the information at a conference in August. The three researchers are Flavio Garcia, a computer science lecturer at the University of Birmingham, and Baris Ege and Roel Verdult, security researchers at Radboud University Nijmegen in the Netherlands.

"The University of Birmingham is disappointed with the judgement which did not uphold the defence of academic freedom and public interest, but respects the decision," said a spokeswoman. "It has decided to defer publication of the academic paper in any form while additional technical and legal advice is obtained given the continuing litigation. The university is therefore unable to comment further at this stage."

Radboud University Nijmegen said it found the ban "incomprehensible". "The publication in no way describes how to easily steal a car, as additional and different information is needed for this to be possible," said a spokeswoman. "The researchers informed the chipmaker nine months before the intended publication - November 2012 - so that measures could be taken. The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients."

Neither VW nor Thales was able to provide comment. The ruling was issued on 25 June, but the case only gained public attention following an article in the Guardian.

Ubuntu forums hacked, 1.82M logins, email addresses stolen

Ubuntu Forums suffered a massive data breach, the company behind the Linux open-source based operating system said on Saturday. In an announcement posted on its main forum page, Canonical confirmed there had been a security breach and that the team is working to restore normal operations. The notice said "every user's local username, password and email address" from their database was stolen. The company confirmed that though the passwords are not stored in plain text, users who share passwords across sites are encouraged to change them. "Ubuntu One, Launchpad and other Ubuntu/Canonical services are not affected by the breach," the open-source company stated. An estimated 1.82 million users are subscribed to the forums, with more than 1.96 million threads, according to the last crawl by the Internet Archive in mid-June.

Protecting your fancy new Connected Home from hackers

DEF CON and Black Hat aren't rappers with guest spots on Jay-Z's new album, they're a pair of security conferences that you've likely never heard of or paid any attention to. You might want to change that this year. A major part of these conferences are presentations by security professionals (that's pronounced "hackers") who spend their days breaking into all things digital, and this year's agendas are stacked with demonstrations of exploits against connected home technology. The explosion of otherwise mundane internet-enabled devices - thermostats, light bulbs, ovens, TVs, the list goes on - has everyone from script kiddies to intelligence agencies just as excited about the new attack avenues these gadgets and appliances open. Any device that can talk to another device or the internet can potentially be hacked to do something unintended by its creator or owner, and this will soon be demonstrated publicly at Black Hat Fouladi and DEF CON.

Why worry?

Granted, a hacker going after your internet-enabled toaster may not be lucrative in the same way that stealing your identity or banking credentials might be, but money's not always the motive in hacking circles. Many of the most damaging attacks on computers have been perpetrated for shock value, underground credibility, or professional reputation. Burning down a home by hacking connected appliances would be worth a lot more cred than pwning Grandma's computer. This is admittedly a worst-case scenario, but there are innumerable ways that a compromised connected home could be used to wreck your day. A hacked baby monitor could be used by would-be burglars to figure out when you're not home, the script kiddie next door could shut off your heat mid-winter and burst your pipes by hacking your internet-connected thermostat, or shut off your smart-grid enabled fridge and spoil all the food.

A few years back, proof-of-concept attacks against compromised networked laser printers were able to make them singe paper. Back when I had X10 automation-enabled switches throughout the house, friends used to drive by and mess with my house lights, just for fun. Exploits against an X10 successor, Z-Wave, will be demoed soon at BlackHat and DEF CON.

The point: This isn't just tinfoil-hat stuff; there are plenty of plausible attacks against a connected home. Unlike the annoyance factor when a computer gets hacked, there can be real-world physical consequences when unsecured connected appliances are exploited.