GrayKey: The little box that unlocks iPhones

[Thomas Reed, for Malwarebytes][1]:

>Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source. It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. Even disabled phones can be unlocked, according to Grayshift.

Nothing is safe. Encrypt and delete constantly.

[1]: “GrayKey iPhone unlocker poses serious security concerns”


How Defective Guns Became the Only Product That Can’t Be Recalled

[An enraging story][link] from Michael Smith and Polly Mosendz, for Bloomberg:

> Taurus sold almost a million handguns that can potentially fire without anyone pulling the trigger. The government won’t fix the problem. The NRA is silent.

Gun manufacturers have long held an unassailable position in American business and politics. They need to be reminded that they aren’t above the law… and we can start by making them follow the same goddamn rules as everyone else.

[link]: “How Defective Guns Became the Only Product That Can’t Be Recalled”


KDE Bug Executes Arbitrary Code Based on Name of Thumb Drive

[This][link] is one of the dumbest and most dangerous bugs I’ve ever heard of. From the KDE security list:

[link]: “KDE Project Security Advisory”

>When a vfat thumbdrive which contains " or $() in its volume label is plugged
>and mounted through the device notifier, it’s interpreted as a shell command,
>leaving a possibility of arbitrary command execution. An example of offending
>volume label is "$(touch b)" which will create a file called b in the
>home folder.

It’s jaw-dropping.


Signal Now Has A Standalone Desktop App

[The app is now available][link] for Windows, macOS, and Debian-based Linux distros. You should be using Signal if you ever talk about anything to anyone.

[link]: “Signal Blog: Standalone Signal Desktop”


iOS 11 has a ‘cop button’ to temporarily disable Touch ID

[Now that’s what I call usability][link].

[link]: “iOS 11 has a ‘cop button’ to temporarily disable Touch ID – The Verge”


Hacker Behind Massive Ransomware Outbreak Can’t Get Emails from Victims Who Paid

A very modern situation: [Company does spin control without considering the ramifications, ends up screwing over the already victimized][link2]:

>A German email provider has closed the account of a hacker behind the new ransomware outbreak, meaning victims can’t get decryption keys.

The exploit, unofficially named Petya, [uses the same vector as WannaCry][link].

[link2]: “Hacker Behind Massive Ransomware Outbreak Can’t Get Emails from Victims Who Paid – Motherboard”

[link]: “A Ransomware Outbreak Is Infecting Computers Across the World Right Now”


All Major Browsers Fall At Pwn2Own Day Two

[What’s that they say about castles built on sand?][link]

>Two researchers on Thursday took down the four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, as Pwn2Own, the annual hacking contest that runs in tandem at CanSecWest, wound down in Vancouver.

[link]: “All Major Browsers Fall At Pwn2Own Day Two | Threatpost | The first stop for security news”


The World’s Email Encryption Software Relies on One Guy, Who is Going Broke

[Filed under Welcome To 2015][link]:

>“I’m too idealistic,” he told me in an interview at a hacker convention in Germany in December. “In early 2013 I was really about to give it all up and take a straight job.” But then the Snowden news broke, and “I realized this was not the time to cancel.”
>Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others. However, this means that many important computer security tools are built and maintained by volunteers.

The people who make important stuff get jack shit for their effort, but that’s how the new Uber For Fart Sounds app gets millions.

[link]: “The World’s Email Encryption Software Relies on One Guy, Who is Going Broke – ProPublica”


Yahoo Files Suit Demanding Greater Accountability from the U.S. Government

[I doubt it’ll do much good, but I’m really glad to see Yahoo! trying *something*.][link]

[link]: “Yahoo Files Suit Demanding Greater Accountability from the U.S. Government | Yahoo Global Public Policy”


Schneier on Security: Our Newfound Fear of Risk

[Bruce Schneier:][link]

>We’re afraid of risk. It’s a normal part of life, but we’re increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren’t free. They cost money, of course, but they cost other things as well. They often don’t provide the security they advertise, and — paradoxically — they often increase risk somewhere else. This problem is particularly stark when the risk involves another person: crime, terrorism, and so on. While technology has made us much safer against natural risks like accidents and disease, it works less well against man-made risks.

I kind of just want to quote this entire piece, but I’ll let you head over to [Bruce’s place][link] for the rest.

[link]: “Schneier on Security: Our Newfound Fear of Risk”


Stop Watching Us

>The revelations about the National Security Agency’s surveillance apparatus, if true, represent a stunning abuse of our basic rights. We demand the U.S. Congress reveal the full extent of the NSA’s spying programs.

[Sign the letter to congress][link], follow them on [Twitter][twitter].

[link]: “Stop Watching Us | Stop Watching Us”
[twitter]: “Stop Watching Us on Twitter”


How To Protect Against Laptop Webcam Hacking

[Someone should make a removable 3D printable bracket that does this, maybe with some optional padding to kill a mic as well?][link]

[link]: “How To Protect Against Laptop Webcam Hacking | Electronic Frontier Foundation”


Java 0-day Countdown

[A “Days since last Java 0-Day Exploit” single-serving site.][link]

[link]: “Java 0day countdown”


Patricio Palladino Demonstrates Non-Alphanumeric Javascript

[This is some head-screwing, eyeball-hurting mojo.][link] The tl;dr:

>“I just made a tool to transform any javascript code into an equivalent sequence of ()[]{}!+ characters. You can try it [here][demo], or grab it from [github][git] or [npm][npm]. Keep on reading if you want to know how it works.”

[link]: “Brainfuck beware: JavaScript is after you! | Patricio Palladino”
[demo]: “hieroglyphy Demo”
[git]: “hieroglyphy on Github”
[npm]: “hieroglyphy on NPM”
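The trick rests entirely on JavaScript's type coercion: `![]+[]` is the string `"false"`, `!![]+[]` is `"true"`, `[][[]]+[]` is `"undefined"`, `+[]` is `0` and every extra `+!+[]` adds one, so indexing those strings with those numbers yields letters. The block below is an added example, not Palladino's hieroglyphy code: it builds just those atoms, round-trips any word made of the letters they provide, and includes the check a content filter or log reviewer would want, a test for input consisting solely of that eight-character alphabet.

```javascript
// Added example (not the hieroglyphy project's code): the coercion atoms
// behind a ()[]{}!+ encoding, a minimal encoder over them, and a detector.

// Each atom evaluates, through coercion, to a string we can index into.
const ATOMS = {
  false: "![]+[]",        // false + ""  -> "false"
  true: "!![]+[]",        // true + ""   -> "true"
  undefined: "[][[]]+[]", // [][""] is undefined; undefined + "" -> "undefined"
};

// +[] is 0 (empty string coerced to number); +!+[] is 1 (true coerced);
// chaining +!+[] n times evaluates to n.
function numberExpr(n) {
  return n === 0 ? "+[]" : "+!+[]".repeat(n);
}

// Map each letter to the first atom/index pair that produces it:
// e.g. 'f' -> (![]+[])[+[]], which is "false"[0].
const LETTER_SOURCE = {};
for (const [word, expr] of Object.entries(ATOMS)) {
  for (let i = 0; i < word.length; i++) {
    if (!(word[i] in LETTER_SOURCE)) {
      LETTER_SOURCE[word[i]] = `(${expr})[${numberExpr(i)}]`;
    }
  }
}

// Encode a word as a + chain of single-character expressions. Only the
// letters of "false", "true" and "undefined" are reachable from these atoms;
// the full tool bootstraps the rest from constructors and String methods.
function encode(text) {
  const parts = [];
  for (const ch of text) {
    if (!(ch in LETTER_SOURCE)) throw new Error(`no atom yields '${ch}'`);
    parts.push(LETTER_SOURCE[ch]);
  }
  return parts.join("+");
}

// Evaluate an encoded expression back to its value (the string we started from).
function decode(expr) {
  return Function("return (" + expr + ")")();
}

// Detection side: the output shape is distinctive. Real code of any length
// never consists solely of these eight characters.
const ALPHABET = /^[()\[\]{}!+]+$/;
function looksEncoded(source, minLength = 32) {
  return source.length >= minLength && ALPHABET.test(source);
}

function availableLetters() {
  return Object.keys(LETTER_SOURCE).sort().join("");
}
```

`decode(encode("undefined"))` comes back as `"undefined"` and the encoded form is several hundred characters of nothing but `()[]{}!+`, which is exactly the signature `looksEncoded` keys on.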


Does Airport Security Really Make Us Safer?

[Vanity Fair says no:][link]

>As you stand in endless lines this holiday season, here’s a comforting thought: all those security measures accomplish nothing, at enormous cost. That’s the conclusion of Charles C. Mann, who put the T.S.A. to the test with the help of one of America’s top security experts.

Experts like Bruce Schneier have been calling what the TSA does “security theater” for 10 years now. The mainstream press just now seems to be catching on.

[link]: “Does Airport Security Really Make Us Safer? | Culture | Vanity Fair”



[Sounds good:][link]

>TextSecure is a replacement for the standard text messaging application, allowing you to send and receive text messages as normal.

Why isn’t this built into Android? Or iOS, for that matter? Or everything?

[link]: “WhisperSystems/TextSecure – GitHub”


National Internet ID: Calls for Caution

[The Heritage Foundation has many good arguments against the proposed government-controlled Internet IDs.][link] It’s a bad idea, and even perfectly-implemented bad ideas are bad ideas.

[link]: “National Internet ID: Calls for Caution | The Heritage Foundation”


The Pitfalls of Facebook’s “Social Authentication”

[Dan Wineman shoves a hot poker up the ass][link] of Facebook’s “social authentication”:

>Captchas don’t verify identity. “Social authentication” challenges based on public information — especially information that the service itself provides, for free, to anyone who asks — don’t do that either.

The problem with “social authentication” is that second word, there. Facebook’s calling it an authentication method is dangerous because a false sense of security is… false. “Social captchas” just doesn’t have the same marketing chutzpah, I guess.

Link via [@mrgan][mrgan]

[link]: “venomous porridge – Yesterday, Facebook announced some new measures…”
[mrgan]: “Neven Mrgan”


A Waste of Money and Time

[Security professional Bruce Schneier on what really makes plane travel safer, and the difference between theater and reality][link]:

>Of course not. Airport security is the last line of defense, and it’s not a very good one. What works is investigation and intelligence: security that works regardless of the terrorist tactic or target. Yes, the target matters too; all this airport security is only effective if the terrorists target airports. If they decide to bomb crowded shopping malls instead, we’ve wasted our money.

[link]: “A Waste of Money and Time – Room for Debate –”


BlackSheep, the Firesheep countermeasure tool

Like the thing it acts against, [it is a Firefox plugin][link]. Were Firesheep a serious malicious tool, the race between BlackSheep countermeasures and Firesheep counter-countermeasures would be endless, and Firesheep would always “win”. You can’t develop countermeasures until an attack has been successful. This was and is the message of Firesheep to begin with: the only solution to this kind of attack is to use HTTPS.

[link]: “Firesheep countermeasure tool BlackSheep”