TweakTown NewsRefine News by Category:
Today, TOR began advising its users to avoid using Microsoft Windows at all cost. The advisory comes after NSA spying was discovered that used malware injected by using the Firefox zero-day vulnerability to gather users' machine names and Mac addresses, which were then being sent back to US government servers.
In the ongoing saga of NSA spying, it appears that not even the darknet is safe. Today, reports came in that an exploit has been discovered in the Tor version of Firefox 17 that comes packaged with the Tor browser bundle. An exploit in the browser's code allowed malware to be injected into the system which then beamed the machine's hostname and MAC address back to a remote server in Reston, Virginia.
The vulnerability is only present in the Windows version of the Firefox Extended Support Release 17 browser that was bundled with the Tor Browser Bundle before June of this year. Because automatic updating is turned off in this version, anyone who downloaded the Tor Browser Bundle before June is susceptible to the spying. Tor recommends that users download the new version of the Browser Bundle to stay secure.
With all the recent revelations and allegations about the NSA and other foreign agencies been able to spy on you through backdoors in your computers and through the microphones on your smartphones, tablets, and other mobile devices, it should come as no surprise that your Smart TV may be spying on you as well.
It's not pleasant all the stories are popping up at the same time, as this week the world's largest security conference known as Black Hat took place in Las Vegas, Nevada. Yesterday, two researchers named Aaron Grattafiori and Josh Yavor demonstrated several vulnerabilities found in the 2012 models of Samsung's Smart TV line. The demonstration took place as Black Hat was wrapping up and it showed how hackers could turn on the built-in camera, take control of social media apps, and access files that were stored on the television.
"Because the TV only has a single user," Grattafiori explained in an interview with Mashable, "any type of compromise into an application or into Smart Hub, which is the operating system--the smarts of the TV--has the same permission as every user, which is, you can do everything and anything."
The two researchers discovered these issues back in December 2012 while working for security firm iSEC. They said that they alerted Samsung back in January and the company has since patched these holes via three software updates and on future generation devices, however, TVs that have not downloaded the update still remain vulnerable.
If you still thought you had privacy after all of the news you've been reading about the NSA PRISM system, or the GCHQ, then you'd be wrong. Very wrong. The Wall Street Journal is now reporting that the FBI has the power to remotely activate microphones in Android smartphones and laptops to record conversations.
This is all coming from a single anonymous former US official, who says that remotely forcing a cellular microphone to listen in on a conversation isn't something new. The FBI used something they called "roving bugs" to spy on alleged mobsters back in 2004, and further back in 2002 they used the roving bugs to keep tabs on supposed criminals using the microphone in a vehicle's emergency call system.
The anonymous US official said that there is a dedicated FBI group that regularly hacks into computers, where they use a mix of custom and off-the-shelf surveillance software which they purchase from private companies. One of the Journal's sources said that the "Remote Operations Unit" will sometimes install software by physically plugging in a USB device, but they can also do it through the Internet by "using a document or link that loads software when the person clicks or views it."
Yesterday, I covered a story about the big chip manufacturers allegedly installing hardware level backdoors into the processors used in all of our PCs. The allegations came from two security industry experts who both claim to have proof of concept demonstrations already. Earlier today, AMD's Michael Silverman contacted me with an official statement on the matter in which he called the allegations "unfounded."
Providing security to users of our processors is a key priority for AMD. We've been incorporating security features into our silicon for many years. There's no reason for the unfounded speculation that has been occurring.
With the Black Hat conference wrapping up today, we will be keeping our eyes open for any whitepapers or proof of concept demos that prove the backdoors exist. I have reached out to both of the security experts for statements as well, but have yet to receive a response. If and when that response comes in, I will be sure to post an update.
The Australian Finance Review has just published a new story that suggests that the NSA may have hardware level backdoors built into current generation AMD and Intel processors. Leading security expert Steve Blank says that he first caught on to the practice when he noticed that the NSA had access to Microsoft emails before they were encrypted. He says that he would be extremely surprised if the NSA did not have access to a processor microcode level backdoor on every PC in America.
His reasoning behind the theory is quite simple. The sheer power needed to brute force crack AES 256-bit encryption on a single file would be equivalent to "the power of 10 million suns" and that a hardware backdoor would require almost no effort to enter and would allow agents access inside your PC in a matter of minutes. Jonathan Brossard, another expert in the security field, demonstrated this as a proof of concept at last year's Black Hat conference. These backdoors are made possible because they are placed inside the microcode which is stored on the chip itself and gets updated every time Microsoft, Apple, or any other OS pushes out an update.
According to a new study, the world's GPS system is open to hackers who could hack virtually any and all GPS units and take control of commercial airliners, for example.
The tools required are simple: a laptop, a small antenna, and an electronic GPS "spoofer" which would cost $3,000. The report comes from GPS expert Todd Humphreys and his team at the University of Texas who took control of a sophisticated navigation system that was built into an $80 million, 210-foot super-yacht in the Mediterranean Sea.
Humphreys told Fox News: "We injected our spoofing signals into its GPS antennas and we're basically able to control its navigation system with our spoofing signals." The team hacked into the yacht's navigation system by sending it counterfeit radio signals and were able to navigate the ship off course, steering it in any direction they wanted.
Over the weekend, the Ubuntu forums went down after a massive security breach resulted in over 1.8 million user credentials being stolen. Canonical made a decision to put the forums in maintenance mode in an attempt to ward off any further attacks. The company says that the attackers managed to get away with every user's local username, password, and email address that was stored in the Ubuntu forum's database.
The company says in the passwords were stored as salted hashes instead of plaintext, but they still recommend that you change any and all passwords that were used on other services such as email, Facebook, or other forum accounts in which you might have use the same password. Canonical says that Ubuntu One, Launchpad, and other related services were not affected by the breach and users of those services need not worry.
Today, the popular version control code repository GitHub issued a statement to the media announcing that it has been fending off a massive attack on its system which managed to knock it servers off-line early Friday morning. The company said that around 10:40 UTC the site was struck with a massive DDoS attack from unknown sources.
Roughly an hour and a half later, the company had implemented processes that began to alleviate the load on their servers but things were not yet back to full functionality. "We've put mitigation in place that should deflect the attack, and services are recovering. We're continuing to monitor closely," GitHub said in a statement.
This is the second large DDoS attack against GitHub this year with the first happening back in March. Before that, the site experienced another massive attack in September 2012 and one before that during February 2012 that lasted for a whole week. It is unclear who keeps attacking the site or what motivates them to try and bring down the service.
After the last month or so with the unveiling of the NSA PRISM system from Edward Snowden, as well as GCHQ, you'd think people would be up in arms over their security. How deep does the rabbit hole go, you ask?
Well, it's now coming to the point where Hewlett-Packard have had to admit, for the second time in a month, that they've built secret backdoors into their enterprise storage products. Technion, a blogger, is the one who has blown the whistle on this one, who saw the security issue in one of HP's StoreOnce systems last month, but then found more backdoors in HP's storage and SAN products.
HP's statement, after Technion blew the whistle, admitted that "all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer."