Categories
Links

GrayKey: The little box that unlocks iPhones

Thomas Reed, for MalwareBytes:

Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source. It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. Even disabled phones can be unlocked, according to Grayshift.

Nothing is safe. Encrypt and delete constantly.

How Defective Guns Became the Only Product That Can’t Be Recalled

An enraging story from Michael Smith and Polly Mosendz, for Bloomberg:

Taurus sold almost a million handguns that can potentially fire without anyone pulling the trigger. The government won’t fix the problem. The NRA is silent.

Gun manufacturers have long held an unassailable position in American business and politics. They need to be reminded that they aren’t above the law… and we can start by making them follow the same goddamn rules as everyone else.

KDE Bug Executes Arbitrary Code Based on Name of Thumb Drive

This is one of the dumbest and most dangerous bugs I’ve ever heard of. From the KDE security list:

When a vfat thumbdrive which contains “ or $() in its volume label is plugged and mounted through the device notifier, it’s interpreted as a shell command, leaving a possibility of arbitrary command execution. An example of offending volume label is “$(touch b)” which will create a file called b in the home folder.

It’s jaw-dropping.
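To make the bug class concrete, here is an added example (not code from KDE or the security list) showing the pattern that bites and the fix: never splice a device-controlled string like a volume label into a shell command line; pass it as one argv element with shell=False, or at minimum quote it with shlex.quote. The mount helper name is a stand-in (echo), so the block runs harmlessly.

```python
import shlex
import subprocess

# Stand-in for the real mount helper; echo just prints its argument back,
# which lets us see whether the label survived as a literal string.
MOUNT_HELPER = "echo"

# Characters a POSIX shell interprets; the KDE report cites the quote and $() forms.
# Constructed list for this example, not an exhaustive shell grammar.
SHELL_METACHARS = set('"`$()|;&<>\n')


def label_has_shell_metachars(label: str) -> bool:
    """Detection: True if a volume label contains anything a shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in label)


def vulnerable_command_line(label: str) -> str:
    """The bug pattern: the label is interpolated into a single shell string.
    Returned only, never executed here; handing it to shell=True is what
    turns a label like $(touch b) into a command."""
    return f"{MOUNT_HELPER} {label}"


def run_as_argv(label: str) -> str:
    """Fix 1: argv list with shell=False. The label is one literal argument,
    no shell ever sees it. Returns what the helper printed."""
    result = subprocess.run([MOUNT_HELPER, label], capture_output=True,
                            text=True, check=True)
    return result.stdout.rstrip("\n")


def run_quoted(label: str) -> str:
    """Fix 2: if a shell string is unavoidable, shlex.quote() wraps the label
    in single quotes so $() and quotes are inert. Returns what the helper printed."""
    cmd = f"{MOUNT_HELPER} {shlex.quote(label)}"
    result = subprocess.run(cmd, shell=True, capture_output=True,
                            text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    for lbl in ("MY_DRIVE", "$(touch b)"):
        print(f"{lbl!r}: suspicious={label_has_shell_metachars(lbl)} "
              f"argv={run_as_argv(lbl)!r} quoted={run_quoted(lbl)!r}")
```

Both fixed paths print the offending label back verbatim, which is exactly the property the device notifier lacked: no file named b is created.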

Signal Now Has A Standalone Desktop App

The app is now available for Windows, macOS, and Debian-based Linux distros. You should be using Signal if you ever talk about anything to anyone.

iOS 11 has a ‘cop button’ to temporarily disable Touch ID

Now that’s what I call usability.

Hacker Behind Massive Ransomware Outbreak Can’t Get Emails from Victims Who Paid

A very modern situation: Company does spin control without considering the ramifications, ends up screwing over the already victimized:

A German email provider has closed the account of a hacker behind the new ransomware outbreak, meaning victims can’t get decryption keys.

The exploit, unofficially named Petya, uses the same vector as WannaCry.

All Major Browsers Fall At Pwn2Own Day Two

What’s that they say about castles built on sand?

Two researchers on Thursday took down the four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, as Pwn2Own, the annual hacking contest that runs in tandem at CanSecWest, wound down in Vancouver.

The World’s Email Encryption Software Relies on One Guy, Who is Going Broke

Filed under Welcome To 2015:

“I’m too idealistic,” he told me in an interview at a hacker convention in Germany in December. “In early 2013 I was really about to give it all up and take a straight job.” But then the Snowden news broke, and “I realized this was not the time to cancel.”

Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others. However, this means that many important computer security tools are built and maintained by volunteers.

The people who make important stuff get jack shit for their effort, but that’s how the new Uber For Fart Sounds app gets millions.

Yahoo Files Suit Demanding Greater Accountability from the U.S. Government

I doubt it’ll do much good, but I’m really glad to see Yahoo! trying something.

Schneier on Security: Our Newfound Fear of Risk

Bruce Schneier:

We’re afraid of risk. It’s a normal part of life, but we’re increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren’t free. They cost money, of course, but they cost other things as well. They often don’t provide the security they advertise, and — paradoxically — they often increase risk somewhere else. This problem is particularly stark when the risk involves another person: crime, terrorism, and so on. While technology has made us much safer against natural risks like accidents and disease, it works less well against man-made risks.

I kind of just want to quote this entire piece, but I’ll let you head over to Bruce’s place for the rest.

Stop Watching Us

The revelations about the National Security Agency’s surveillance apparatus, if true, represent a stunning abuse of our basic rights. We demand the U.S. Congress reveal the full extent of the NSA’s spying programs.

Sign the letter to Congress, and follow them on Twitter.

How To Protect Against Laptop Webcam Hacking

Someone should make a removable 3D printable bracket that does this, maybe with some optional padding to kill a mic as well?

Java 0-day Countdown

A “Days since last Java 0-Day Exploit” single-serving site.

Patricio Palladino Demonstrates Non-Alphanumeric Javascript

This is some head-screwing, eyeball-hurting mojo. The tl;dr:

“I just made a tool to transform any javascript code into an equivalent sequence of ()[]{}!+ characters. You can try it here, or grab it from github or npm. Keep on reading if you want to know how it works.”

Does Airport Security Really Make Us Safer?

Vanity Fair says no:

As you stand in endless lines this holiday season, here’s a comforting thought: all those security measures accomplish nothing, at enormous cost. That’s the conclusion of Charles C. Mann, who put the T.S.A. to the test with the help of one of America’s top security experts.

Experts like Bruce Schneier have been calling what the TSA does “security theater” for 10 years now. The mainstream press just now seems to be catching on.

TextSecure

Sounds good:

TextSecure is a replacement for the standard text messaging application, allowing you to send and receive text messages as normal.

Why isn’t this built into Android? Or iOS, for that matter? Or everything?

National Internet ID: Calls for Caution

The Heritage Foundation has many good arguments against the proposed government-controlled Internet IDs. It’s a bad idea, and even perfectly-implemented bad ideas are bad ideas.

The Pitfalls of Facebook’s “Social Authentication”

Dan Wineman shoves a hot poker up the ass of Facebook’s “social authentication”:

Captchas don’t verify identity. “Social authentication” challenges based on public information — especially information that the service itself provides, for free, to anyone who asks — don’t do that either.

The problem with “social authentication” is that second word, there. Facebook’s calling it an authentication method is dangerous because a false sense of security is… false. “Social captchas” just doesn’t have the same marketing chutzpah, I guess.

Link via @mrgan

A Waste of Money and Time

Security professional Bruce Schneier on what really makes plane travel safer, and the difference between theater and reality:

Of course not. Airport security is the last line of defense, and it’s not a very good one. What works is investigation and intelligence: security that works regardless of the terrorist tactic or target. Yes, the target matters too; all this airport security is only effective if the terrorists target airports. If they decide to bomb crowded shopping malls instead, we’ve wasted our money.

BlackSheep, the Firesheep countermeasure tool

Like the thing it acts against, it is a Firefox plugin. Were Firesheep a serious malicious tool, the race between BlackSheep countermeasures and Firesheep countercountermeasures would be endless, and Firesheep would always “win”. You can’t develop countermeasures until an attack has been successful. This was and is the message of Firesheep to begin with: The only solution to this kind of attack is to use HTTPS.