Categories
security

DefCon Hackers Tell How They Cracked Brink’s Safe in 60 Seconds

A safe with an exposed USB port? That’s really asking for trouble. The safe in question is a “secure” digital safe. Unfortunately it appears to be running Windows XP, an OS that’s no longer supported. Even if it’s supported I doubt anyone will connect the safe to the Internet to receive Windows Update. 😉 The problem however, appears not with Windows XP, but with the USB port. That’s as good as giving someone keyboard/mouse access to the console.


Gone in 60 seconds. Security researchers will demonstrate at an Aug. 8 DefCon presentation how they can crack a modern Brink’s safe in just a minute.

Source: DefCon Hackers Tell How They Cracked Brink’s Safe in 60 Seconds

Categories
security

Major Flaw In Android Phones Would Let Hackers In With Just A Text : All Tech Considered : NPR

Android users please take note. This time you don’t even have to download anything or visit any malware website to get hit by malware. A truly scary prospect if someone exploits it nefariously. According to another report cited, 99% of mobile malware targets Android. The lack of a controlled OS patching process is probably why attackers target Android. In contrast, majority of iOS users upgrade to the latest version within weeks of release.

A security gap on the most popular smartphone operating system was discovered by security experts in a lab and is so far not widely exploited. It would let malicious code take over a phone instantly.

Source: Major Flaw In Android Phones Would Let Hackers In With Just A Text : All Tech Considered : NPR

Categories
privacy security

Hacking Team: a zero-day market case study

Singapore’s connection to the Hacking Team – it’s well known that HT has a Singapore presence. The local market appears to be quite receptive of them. In one of the leaks, it was revealed that they also tried to recruit local researchers to develop 0-day for them.

In April of 2014, Hacking Team attended the SyScan conference in Singapore with the intention of recruiting new exploit developers.

They succeeded in making contact with several researchers interested in working with them, including Eugene Ching.

Interestingly, Eugene’s responsibility with the Singaporean Army, presumably for his mandatory service, is to test and fix 0day exploits that they purchase.

Read more details here.

Categories
security

Hackers Remotely Kill a Jeep on the Highway

Another grim reminder of the problems brought about by digitization and so-called IoT – basically connecting everything to the Internet. In this case, hackers were able to remotely control a vehicle driving on real roads. Fortunately in this case it was a controlled exploit. Think of what cybercriminals can do if (or rather when) they take hold of critical infrastructures.

I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

Source: Hackers Remotely Kill a Jeep on the Highway—With Me in It | WIRED

Update (2015-07-21): Chrysler has earlier asked owners to update their software.

Update (2015-07-24): Chrysler is now forced to take a more proactive step to recall millions of vehicles to fix this.

Update (2015-08-14): Black Hat USA 2015: The full story of how that Jeep was hacked

Categories
security

Hacking Team hacked, attackers claim 400GB in dumped data | CSO Online

Infamous company Hacking Team was hacked.

Hacking Team hacked, attackers claim 400GB in dumped data | CSO Online.

Categories
programming security

Cracking JXcore… Again | markhaase.com

JXcore butchered. Twice. Ouch.

Besides being quite easy to reverse engineer, the central flaw here is that they still don’t obfuscate your source code! It’s sitting there in its original form, ready for easy extraction by anybody that you distribute your application to. I mentioned obfuscation in my previous article on JXcore and I’ll repeat that assertion here: obfuscation is the only reasonable protection to defend high level source code from reverse engineering. Nothing can prevent reverse engineering, but good obfuscation can raise the cost substantially.

Source: Cracking JXcore… Again | markhaase.com

Categories
security

Debugging and reverse engineering: Samsung deliberately disabling Windows Update

Ok this is not as bad as Superfish, but it’s bad enough. Samsung is disabling Windows Update so that it doesn’t have to deal with driver update issues.

When you enable Windows updates, it will install the Default Drivers for all the hardware no laptop which may or may not work. For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates.

via Debugging and reverse engineering: Samsung deliberately disabling Windows Update.

Categories
privacy security

“EPIC” fail—how OPM hackers tapped the mother lode of espionage data | Ars Technica

The leakage of OPM data has been well-reported but this article provides more details about how it happened. In the worse case, “personal details from nearly everyone who works for the government in some capacity may now be in the hands of a foreign government”.

“EPIC” fail—how OPM hackers tapped the mother lode of espionage data | Ars Technica.

Categories
security

Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X • The Register

iOS and OS X attacks are likely to get more frequent as the platform becomes a valuable attack target, just like Windows in the past.

via Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X • The Register.

Categories
security

What the Ridiculous Fuck, D-Link?! – /dev/ttyS0

How not to release a security patch. Or, don’t take the security community for a fool.

What the Ridiculous Fuck, D-Link?! – /dev/ttyS0.