Monthly Archives: November 2017

Qualcomm has levied another lawsuit against Apple, this time alleging that the iPhone maker took advantage of its “unprecedented access” to Qualcomm’s code to aid Intel, Bloomberg reports. The news lends credence to a report in Reuters that Apple has designed iPhones bereft of Qualcomm technologies that it could ship as early as next year.

The suit alleges that Apple didn’t hold up its end of the bargain in separating engineers working with Qualcomm and Intel chips, and that those working with Intel may have been given access to key information about its competitor’s technologies. The suit notes that in a request from Apple for proprietary Qualcomm information, an Intel engineer was on the distribution list.

The lawsuit filed in a San Diego court suggest that there is no end in sight for the legal skirmish between the two companies that began earlier this year when Apple sued Qualcomm for $1 billion and halted royalty payments to the company over complaints that Qualcomm was charging for technologies that they had nothing to do with.

In the months since, there’s been significant pushback from Qualcomm as the company has tried to seek injunctions in both the U.S. and China against the sales of iPhones that use the company’s wireless tech. Qualcomm has also sued Apple over patent infringement.

The lack of royalty payments from Apple and its suppliers has been doing significant damage to Qualcomm’s bottom line, as well. Yesterday, Qualcomm reported its earnings, which beat analyst expectations even as the company’s profits dropped 90 percent year-over-year.

via: techcrunch

FireEye released a managed password cracking tool, dubbed GoCrack, that is able to execute tasks across multiple GPU servers.

GoCrack is an open source tool developed by FireEye’s Innovation and Custom Engineering (ICE) team that implements an easy-to-use, web-based real-time UI to create, view, and manage password cracking tasks.

Users can deploy a GoCrack server along with a worker on every GPU/CPU capable machine, the tasks will be automatically distributed across the GPU/CPU of the machines composing the network.

“FireEye’s Innovation and Custom Engineering (ICE) team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI to create, view, and manage tasks.” reads the post published by FireEye. “Simply deploy a GoCrack server along with a worker on every GPU/CPU capable machine and the system will automatically distribute tasks across those GPU/CPU machines.”

GoCrack supports the hashcat v3.6+ engine and requires no external database server, the experts also implemented the support for both LDAP and database backed authentication.

FireEye plans to add support for both MySQL and Postgres database engines soon.

The server component can run on any Linux server with Docker installed, users with NVIDIA GPUs can use NVIDIA Docker to run the worker in a container with full access to the GPUs.

Password cracking is a very important activity for security professionals that aim to test password effectiveness and management.

“Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations.” continues FireEye.

GoCrack logs any sensitive actions for auditing purposes, the tool allows to hide task data unauthorized users.

“Modifications to a task, viewing of cracked passwords, downloading a task file, and other sensitive actions are logged and available for auditing by administrators,” continues the post. “Engine files (files used by the cracking engine) such as Dictionaries, Mangling Rules, etc. can be uploaded as ‘Shared’, which allows other users to use them in task yet do not grant them the ability to download or edit.”

You can download GoCrack code from the GitHub repository along with the tool itself.

Experts have no doubt about the fact that this could be soon a privileged instrument for threat actors looking to crack passwords.

via:  securityaffairs

YouTube Kids, the kid-friendly, more filtered version of YouTube first introduced in 2015, is getting a notable upgrade. The updated app is adding several new features designed to reflect the app’s now aging user base, including profiles that are customized based on the kid’s date of birth, as well as additional security controls for parents and kids.

While YouTube Kids came under fire in the past for not fully locking down the YouTube experience, overall, it’s a safer way to allow kids to browse YouTube compared with giving them access to the main app.

The Kids app is designed with a simpler interface, fun music and curated selections of kid-appropriate content from publishers like DreamWorks TV, Jim Henson TV, Mother Goose Club, Talking Tom and Friends, National Geographic Kids, Reading Rainbow and Thomas the Tank Engine, among others.

In response to earlier complaints, parents were later allowed to toggle off the app’s search capabilities and set their own private passcode, instead of using the default setting, which spells out numbers as words for parents to enter.

In the new release, parents can now sign in with their Google account in order to create customizable profiles for their child or children.

Based on the kid’s age, YouTube Kids will change the way it looks. This will be useful not only for parents with multiple kids, but also because YouTube Kids itself, by default, looked like an app that was designed more so for preschoolers than the school-age crowd.

With the new profiles, younger children will see an app that uses less text while older kids will have more content on their homescreens, says YouTube.

Plus, kids with brothers or sisters can choose to set their own passcode to keep the others out of their own account. (Parents, of course, can override this if need be.)

The app also introduces a new setup process for parents that includes more detailed information to help them make the right choices related to the parental control options, as well as be more informed about the app in general.

For example, a longer intro explains to parents that YouTube does not manually review the videos in YouTube Kids — meaning there’s still a chance that something inappropriate could get through its automated filters. And it details how to block and report the videos that slip through.

“Remember our systems work hard to filter out more mature content from the app. But no system is perfect,” writes Balaji Srinivasan, the YouTube Kids engineering director, in today’sblog post announcing the upgraded app.

In other words, YouTube Kids is definitely saying that it’s not going to devote additional staff to make YouTube Kids 100 percent safe. It’s just aiming for “good enough.”

A final setup screen offers a longer explanation as to why parents may want to turn search on or off, allowing parents to better understand the risk associated with that decision.

YouTube says it’s now working on a way to allow parents to add more content to the app, but doesn’t go into detail. It’s also looking into building out the experience for tweens, with a focus on the categories that most appeal to that somewhat older demographic.

Though YouTube Kids may not be perfect, it has proven to be popular. The app is now live in 37 countries, has more than 11 million weekly active viewers and has seen more than 70 billion views in the app. (The new kid profiles, however, are only available in select markets for now. The full list is here.)

via: techcrunch

Amazon wants to be the hub for your connected home, and today the company announced two new products that will help it fill out that ambition, specifically in the area of home security. It announced a new “intelligent” camera called the Cloud Cam, and a new smart-lock service called Key.

You control both using Alexa, the voice-based assistant that powers its line of Echo speakers and screens and connected device controllers.

Pre-order pricing for the Cloud Cam starting at $119.99 and going up to $249.99 for Prime members if paired with Key as part of a larger In-Home Kit (which also includes a smart lock from Yale or Kwikset). As it did with the Echo Dot, Amazon is also selling multipacks of the Cloud Cam that bring down the unit cost. Amazon describes the Cloud Cam as a “premium product at a non-premium price.” But there are also subscription prices, which we’re detailing below.

Key, meanwhile, will launch on November 8 starting in 37 cities in the U.S. covering “millions of items,” Amazon said.

The moves underscore Amazon’s ambitions to be more than just an e-commerce hub for the home — although with Key aimed specifically at enabling deliveries, they clearly will help the company further its e-commerce business as well.

When Amazon launched the Echo Look earlier this year, people raised questions about how much Amazon was invading your privacy with a “smart” camera that could potentially record everything it sees. In light of that, it’s very interesting to see the company taking ownership of that theme with a new security cam product, which comes with even more enhanced camera features like night vision and motion detection.

It is also a sign of how the company is shaping up to be a formidable player in the area of productizing innovations in artificial intelligence.

“Cloud Cam has all the features you need to monitor your home, including a 1080p Full HD camera, night vision, two-way audio, and free storage for clips–and with the secure AWS cloud powering Cloud Cam’s advanced computer algorithms and intelligent alerts, the service is always getting smarter,” said Charlie Tritschler, Vice President, Amazon Devices, in a statement.

The Key, meanwhile, is something of a throwback to the old, human way of doing things — but with a smart lock twist. The idea with it is that the Cloud Cam is able to detect when someone has come to deliver a package and work the unlocking of the smart lock in tandem with that.

As Amazon describes it, when a delivery driver requests access to the customer’s home:

“Amazon verifies that the correct driver is at the right address, at the intended time, through an encrypted authentication process. Once this process is successfully completed, Amazon Cloud Cam starts recording and the door is then unlocked. No access codes or keys are ever provided to delivery drivers.”

“Amazon Key gives customers peace of mind knowing their orders have been safely delivered to their homes and are waiting for them when they walk through their doors,” said Peter Larsen, Vice President of Delivery Technology, Amazon, in a statement. “Now, Prime members can select in-home delivery and conveniently see their packages being delivered right from their mobile phones.”

It’s small consolation, but Amazon says that when all of the above goes wrong, “in-home delivery is backed by Amazon’s Happiness Guarantee.” I’ll be very curious to see how many people take up this offer.

The new products come swiftly on several other developments in the world of connected home security — a sign of how that market is heating up. Last week, Yale owner Assa Abloy acquired August, the smart lock startup — and we’ve heard rumors (but haven’t been able to confirm them yet) that it’s been eyeing up other connected home startups as well. Meanwhile, Alphabet-owned Nest is moving into home security on the back of acquiring Dropcam and most recently launching a secure alarm system. August had been running a trial with Walmart to allow its delivery people access to people’s homes when they are not in to securely drop off items.

While the “Cam” is clearly a physical object, there is also a “Cloud” component to the name, and that is where Amazon is hoping to make some recurring revenues. A free tier will give you access to 24 hours of clips stored in the AWS cloud (with support for three cameras). The paid tiers bring that number up to 10 with additional storage and unlimited downloads of clips, along with other features like Person Detection and Zones, which lets you indicate motions that you don’t want recorded (such as pets’ eating area or a ceiling fan). Prices for the subscriptions are as follows:

• Basic ($6.99/mo, $69/yr) offers access to the last 7 days of motion detection clips for up to 3 cameras
  
• Extended ($9.99/mo, $99/yr) offers access to the last 14 days of motion detection clips for up to 5 cameras
  
• Pro ($19.99/mo, $199/yr) offers access to the last 30 days of motion detection clips for up to 10 cameras

Also somewhat creepy but probably useful is that Cloud Cam has two-way audio to use your app to “tell your dog at home to stop barking or let your family know you’re leaving work.” The audio also works via the Echo Show and Spot.

via:  techcrunch

‘Basic IT security’ could have prevented the NHS from being such a significant victim of May’s WannaCry ransomware outbreak.

The National Health Service (NHS) was left vulnerable to the WannaCry ransomware attackbecause, despite local health trusts being warned to patch their systems, many had failed to do so.

A National Audit Office (NAO) investigation into May’s global cyber-attack — which took down IT systems at many NHS organizations — has found that the impact of WannaCry could have been prevented if basic security best practice had been applied.

According to the NAO’s report, NHS Digital — the health service’s data and IT body — issued critical alerts throughout March and April warning organizations to patch their systems in order to prevent an event like WannaCry from happening.

In April, Microsoft released an emergency patch to protect against EternalBlue, a leaked NSA hacking tool which uses a version of Windows’ Server Message Block (SMB) networking protocol to spread itself across an infected network using worm-like capabilities.

It was this exploit which powered WannaCry and led to its quick proliferation onto networks around the world, including the NHS. An NHS spokesperson told ZDNet that the critical alerts to patch systems were issued in response to Microsoft updating software to protect against the exploit.

Previous advice issued in 2014 by the Department of Health and the Cabinet Office warned hospitals and GP surgeries that it was essential for them to have “robust plans” to migrate away from old software, such as Windows XP, by April 2015. Despite this, the older Microsoft operating system remained common within the NHS.

In total, one-third of NHS trusts in England were disrupted by the WannaCry attack: 81 of the 236 trusts across England were affected by the attack and 595 GP practices were also hit. None paid the ransom demanded by those behind WannaCry.

Locked out of systems by the file-encrypting malware, many NHS bodies had to resort to pen and paper and thousands of operations and appointments were cancelled.

“No harm was caused to patients and there were no incidents of patient data being compromised or stolen. Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum,” said Keith McNeil, chief clinical information officer for health and care at NHS England.

In some instances, it took weeks for services to fully recover and the NAO report says that the NHS still doesn’t know the full extent of the disruption — which could have been much worse if cybersecurity researcher Marcus Hutchins hadn’t discovered a WannaCry kill switch, which prevented the ransomware from spreading to more systems.

While the Department of Health is said to have developed a plan for responding to a large scale cyber-attack, it hadn’t been tested at local level, leading to confusion about who should lead the response to WannaCry.

In addition, email systems being taken down as a result of the attack meant those infected by the ransomware had problems communicating with national NHS bodies — eventually leading to communications being made via mobile devices and WhatsApp.

Ultimately, the report concludes that all organizations infected by WannaCry shared the same vulnerability and “simple action” could have been taken to prevent it by ensuring the correct patches and updates were in place. The NAO says there are lessons the NHS must learn from the incident.

“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice,” said Amyas Morse, head of the National Audit Office.

“There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

The NHS says it will learn from the incident and is taking action to ensure a more effective response can be taken in the event of a similar attack in future. Response plans are said to have been sharpened and £21m in funding has been made available to increase the cyber-resilience of urgent and emergency care centers. “Essential action” has also been taken to secure local firewalls.

“We welcome the outcome of this investigation which highlights some of the challenges we faced during the WannaCry incident and in our role to alert NHS organizations to known cyber security threats and advise them of appropriate steps to take to minimize risks,” said Dan Taylor NHS Digital’s head of security.

“We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organizations.”

via:  zdnet

A highly critical vulnerability has been discovered in Oracle’s enterprise identity management system that can be easily exploited by remote, unauthenticated attackers to take full control over the affected systems.

The critical vulnerability tracked as CVE-2017-10151, has been assigned the highest CVSS score of 10 and is easy to exploit without any user interaction, Oracle said in its advisory published Monday without revealing many details about the issue.

The vulnerability affects Oracle Identity Manager (OIM) component of Oracle Fusion Middleware—an enterprise identity management system that automatically manages users’ access privileges within enterprises.

The security loophole is due to a “default account” that an unauthenticated attacker over the same network can access via HTTP to compromise Oracle Identity Manager.

Oracle has not released complete details of the vulnerability in an effort to prevent exploitation in the wild, but here the “default account” could be a secret account with hard-coded or no password.

“This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials,” Oracle’s advisory reads.

The easily exploitable vulnerability affects Oracle Identity Manager versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0.

Oracle has released patches for all versions of its affected products, so you are advised to install the patches before hackers get a chance to exploit the vulnerability to target your enterprise.

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay,” the company warned.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability.
However, Oracle said it was “likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.”

The security patch for this vulnerability comes just about two weeks after Oracle’s regular Critical Patch Update (CPU) for October 2017, which patches a total of 252 vulnerabilities in its products, including 40 in Fusion Middleware out of which 26 are remotely exploitable without authentication.

via:  thehackernews

Do you know? Thousands of websites use HTML5 Canvas—a method supported by all major browsers that allow websites to dynamically draw graphics on web pages—to track and potentially identify users across the websites by secretly fingerprinting their web browsers.

Over three years ago, the concern surrounding browser fingerprinting was highlighted by computer security experts from Princeton University and KU Leuven University in Belgium.

In 2014, the researchers demonstrated how browser’s native Canvas element can be used to draw unique images to assign each user’s device a number (a fingerprint) that uniquely identifies them.

These fingerprints are then used to detect when that specific user visits affiliated websites and create a profile of the user’s web browsing habits, which is then shared among advertising partners for targeted advertisements.

Since then many third-party plugins and add-ons (ex. Canvas Defender) emerged online to help users identify and block Canvas fingerprinting, but no web browser except Tor browser by default blocks Canvas fingerprinting.

Good news—the wait is over.

Mozilla is testing a new feature in the upcoming version of its Firefox web browser that will grant users the ability to block canvas fingerprinting.

The browser will now explicitly ask user permission if any website or service attempts to use HTML5 Canvas Image Data in Firefox, according to a discussion on the Firefox bug tracking forum.

The permission prompt that Firefox displays reads:

“Will you allow [site] to use your HTML5 canvas image data? This may be used to uniquely identify your computer.”

Once you get this message, it’s up to you whether you want to allow access to canvas fingerprinting or just block it. You can also check the “always remember my decision” box to remember your choice on future visits as well.

Starting with Firefox 58, this feature would be made available for every Firefox user from January 2018, but those who want to try it early can install the latest pre-release version of the browser, i.e. Firefox Nightly.

Besides providing users control over canvas fingerprinting, Firefox 58 will also remove the controversial WoSign and its subsidiary StartCom root certificates from Mozilla’s root store.

With the release of Firefox 52, Mozilla already stopped allowing websites to access the Battery Status API and the information about the website visitor’s device, and also implemented protection against system font fingerprinting.

via:  thehackernews