Tech News

SAN FRANCISCO — Pen and paper instead of a laptop. Cash instead of credit cards. Face-to-face chats instead of cell phones. That is the drill for the most cautious at two big computer security conferences this week in Las Vegas. Together they are a gathering of the worlds best hackers, which is why security professionals need to be there — but also on their toes, said Richard Blech, CEO of Secure Channels, a digital information security company based in Irvine, Calif. Black Hat, which begins Tuesday, will fill the Mandalay Bay hotel with upwards of 9,000 security executives, hackers, academics, government and law enforcement staffers. it is immediately followed by Def Con, a more hacker-oriented conference held at the Paris and Ballys hotels. Last year, Def Con attracted nearly 16,000 people. Both feature demonstrations, lectures and presentations about the most cutting-edge computer security issues — attended by thousands of people with the tools and the knowledge to break into just about any system imaginable. It is one-stop shopping, a place were every major security executive is gathered. You do not have to travel around the globe or hunt them down on the Internet — they are all here, said Brad Taylor, CEO of security company Proficio in Carlsbad, California. That means the rules are a little different, said Stan Black, chief security officer for Citrix in Fort Lauderdale, Fla.. For example, he is bringing his schedule printed out on a piece of paper so he does not have to turn on his cell phone to check it. The most wary will also turn off WiFi, power down Bluetooth and book hotel rooms halfway across town.

Security-enhancer HTTPS Everywhere switched off with this one weird trick Detectify researcher Mathias Karlsson says attackers can remove Google Chrome extensions, including the popular HTTPS Everywhere extension, if users do nothing else but visit a web page. Karlsson (@avlidienbrunn) says the vulnerability patched and pushed into the latest stable edition of Chrome allows users to be targeted without requiring intervention. After some hours of analysis I managed to disable it (HTTPS Everywhere) by just viewing a HTML page, Karlsson says. In fact, I managed to disable any extension and most without any user interaction. Karlsson published a proof-of-concept attack that will disable HTTPS Everywhere by corrupting it. The flaw does not reside in the extension and affects users who have not applied automatic Chrome updates. Extensions are corrupted when websites attempt to access the Chrome extension URI handler. A malicious link can be constructed to issue ping attribute requests triggering corruption when users click. Google had previously blocked most chrome extension URI request but appeared to have missed the ping attribute.

Gaining remote code execution privileges merely by having access to the mobile number? Enter Stagefright. The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries a scary code in its heart. Named Stagefright, it is a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java. Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake (@jduck), dived into the deepest corners of Android code and discovered what we believe to be the worst Android vulnerabilities discovered to date. These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drakes research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7 found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction. Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleeep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

Messaging your mates on WhatsApp could soon be a thing of the past. The popular app is facing a total UK ban as new laws being rushed through would stop people sending any form of encrypted messages. WhatsApp, iMessage and Snapchat currently scramble communications between users and if they dont conform they will face a ban. Speaking earlier this year David Cameron warned: In our country, do we want to allow a means of communication between people which we cannot read? My answer to that question is no we must not. If I am Prime Minister, I will make sure it is a comprehensive piece of legislation that makes sure we do not allow terrorist safe spaces to communicate with each other. And the controversial law, nicknamed the snoopers charter, could be in place by the Autumn. Home Secretary Theresa May, has warned that the Government will push the legislation through – with the recent terrorist atrocities in Tunisia and France forcing the government to act quickly. The laws would mean online services such as WhatsApp, Google, Facebook and Apple would be forced to hand over messages, sent by users, to government security agencies such as MI5. It is currently unclear what the full extent of the powers will be, however many are already condemning the bill. Executive director of The Open Rights Group Jim Killock told the BBC... The government is signalling that it wants to press ahead with increased powers of data collection and retention for the police and GCHQ, spying on everyone, whether suspected of a crime or not. This is the return of the snoopers charter, even as the ability to collect and retain data gets less and less workable. And Liberty, which campaigns for civil liberties and human rights in the UK added...We take no issue with the use of intrusive surveillance powers per se - targeted surveillance can play an important part in preventing and detecting serious crime. But the current regime just does not provide sufficient safeguards to ensure that such surveillance is conducted lawfully, and in a necessary and proportionate way.

Fresh research has cast further doubt on the ability of virtual private networks (VPNs) to protect users privacy from intelligence agencies and criminal hackers. VPNs are secure lines of communication that set up a private network between devices across public networks. They protect users privacy by setting up an encrypted tunnel between the device being used and the VPN providers servers when accessing online services, in theory making it more difficult for hackers to siphon or steal data mid-transit. You can download a VPN as a browser extension if you want to make it harder for others to see what youre looking at on the web. The research was published by Queen Mary University in London, in a paper titled A Glance Through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN Clients. The scientists examined the Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite services security.

A couple of days ago it was discovered that Samsung laptops were disabling Windows Update. For those unfamiliar with Windows Update, it is a tool included on every copy of Windows that basically helps search for the latest updates to help keep your computer patched and updated to the latest Windows software. Instead Samsung decided to disable it and use their own SW Update tool in its place. Naturally many users weren’t too pleased with this and the good news is that Samsung has agreed to stop doing it. In a statement provided to VentureBeat, Samsung has promised that they will be issuing a patch to its software in which it will stop disabling Windows Update. According to Samsung, “We will be issuing a patch through the Samsung Software Update notification process to revert back to the recommended automatic Windows Update settings within a few days.” For those wondering why this is a big deal, it is because while there is no issue with Samsung’s own software, the fact that it ignores the user’s commands is disturbing. Basically if you were to re-enable Windows Update, upon reboot the SW Update tool will disable it again. The only way to ensure your Windows Update settings are not being messed with is by uninstalling SW Update. In any case if you’re a Samsung laptop owner, this is an update you’ll want to keep an eye out for.