Categories
security

How White Hat Hackers Stole Crypto Keys from an Offline Laptop in Another Room | Motherboard

The so-called side-channel attacks – in which attackers steal information from a machine they don’t have direct access to – are getting more popular these days. This is another innovative example of a side-channel attack. The target laptop was not connected to any network (either through LAN or Wifi) and yet the attackers managed to obtain the encryption keys from it.

“The attacks are completely non-intrusive: we did not modify the targets or open their chassis.”

Source: How White Hat Hackers Stole Crypto Keys from an Offline Laptop in Another Room | Motherboard

Categories
security

Barcode attack technique (Badbarcode)

Barcode scanners can be hacked via a specially crafted barcode sequence. They can be instructed to execute arbitrary commands including downloading external scripts via FTP.

via Barcode attack technique (Badbarcode)

Categories
Uncategorized

Firefox OS/Connected Devices Announcement – Firefox OS Participation – Mozilla Discourse

Goodbye Firefox OS. We’re back to the duopoly of Android/iOS.

We will end development on Firefox OS for smartphones after the version 2.6 release

Source: Firefox OS/Connected Devices Announcement – Firefox OS Participation – Mozilla Discourse

Categories
sysadmin

No POST after rm -rf / / Kernel & Hardware / Arch Linux Forums

This is pretty serious. Someone just bricked his laptop by executing a rm -rf / command as root in Linux. As in destroyed. None of your usual BIOS/UEFI prompts appear and no hotkeys can help to restore the firmware.

The root (pardon the pun) of the problem appears to be traced to the mounting of /sys/firmware/efi/efivars as rw by systemd. systemd maintainer (Poettering) refuses to fix the issue.

100_05201

Source: No POST after rm -rf / / Kernel & Hardware / Arch Linux Forums

Categories
programming

Oracle deprecates the Java browser plugin, prepares for its demise

It’s been a long time coming. Goodbye Java (plugin). That reminds me of those Java applets that I wrote in a different era. Now if I could only find and convert (rewrite) them to HTML5…

It will be removed some time after the release of Java 9.

Source: Oracle deprecates the Java browser plugin, prepares for its demise

Categories
privacy security

TrendMicro software allows arbitrary command execution

Also mentioned here, the reported anti-virus software is so full of holes that it should strike fear in any company using TrendMicro Antivirus right now. Not only does it allow privileged command execution, it also exposes passwords that you store using the Password Manager.

The way I see it, it’s a combination of incompetence and lack of proper supervisory oversight. It’s exactly the kind of thing that will result if you ask a developer to just meet the specs, where the specs doesn’t talk about hygiene factors such as security etc.

Source: Issue 693 – google-security-research – TrendMicro node.js HTTP server listening on localhost can execute commands – Google Security Research – Google Project Hosting

Categories
Uncategorized

Remix OS

This is an interesting project – running Android as the primary OS for your PC. And why not? It promises the ability to install and run apps from Google Play store, not unlike some of those cheap knockoff set-top boxes that we see. However the OS (called Remix OS) feels much more “desktop-like” – multiple windows, taskbar etc. Those who likes the Android ecosystem might appreciate something like this.

A PC experience unlike anything on Android. An Android experience unlike anything on a PC.

Categories
security sysadmin Uncategorized

Under-attack Linode resets passwords after logins leak onto web

First sustained DDoS attacks. Now password leaks. The bad news never ends for Linode, which is unfortunate, since they are a very cheap and viable alternative to AWS especially if you factor in ingress/egress traffic.

Linode’s woes continue: the server hosting biz has just run a system-wide password reset on customer accounts after two Linode.com user credentials were discovered “on an external machine.”

Source: Under-attack Linode resets passwords after logins leak onto web

2016-01-06 11.22 SGT: As of now, the site is still having intermittent access.
Capture

Categories
privacy security

FROST: Forensic Recovery Of Scrambled Telephones

Recovering contents directly from physical RAM of devices has been known for quite some time – it involves esoteric measures such as freezing the device using liquid nitrogen or by putting it in the freezer. It is interesting to see this technique being used to attack Android phones to recover disk encryption keys. Potentially this might defeat on-disk encryption for Android devices, though there are quite some caveats in the technique discussed on the website.

To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung.

FROST: Forensic Recovery Of Scrambled Telephones

Categories
privacy security

Unauthorized code in Juniper ScreenOS allows for administrative access

This is bad. Juniper is a major network equipment provider and a backdoor like this could lead to huge security compromise.

During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.

Source: Important Announcement about ScreenOS® – J-Net Community

Update (2015-12-20): It could be a state-sponsored attack.