All GSM phones, such as those that run on T-Mobile and AT&T in the United States, are vulnerable to a major security flaw that could allow hackers to send text messages or place phone calls remotely, one hacker said recently. Speaking to Reuters ahead of a hacking convention in Berlin, Karsten Nohl, the head of Germany’s Security Research Labs, said the attack could be initiated on a large scale, too. “We can do it to hundreds of thousands of phones in a short timeframe,” Nohl explained. “None of the networks protects users very well.” Nohl didn’t provide details on how hackers could take advantage of the flaw, although Reuters said it’s likely that those attending the conference will try to recreate it themselves. Nohl also explained that carriers can easily patch the security hole and that some simply need to update their software. “Mobile network is by far the weakest part of the mobile ecosystem, even when compared to a lot attacked Android or iOS devices,” Nohl said, noting that Germany’s T-Mobile and France’s SFR wireless carriers are the most secure against hackers.
Microsoft employee Ben Rudolph recently tweeted that any Android phone owner who has a device infected with malware can tweet his or her story with the hashtag #windowsphone upgrade for a chance to win a free Windows Phone. That sounds like an attractive promotion, especially given Microsoft’s fresh batch of powerful and solid Windows Phone 7.5 (Mango) devices. Google has reportedly pulled more than 100 malware applications from the Android Market but Microsoft isn’t exactly an anti-malware poster boy itself. In fact, earlier on Tuesday WinRumors posted a story about a security flaw that allows a user to send a text message that automatically reboots any Windows Phone device and then renders the messaging client completely useless. Microsoft hasn’t yet responded to the report and WinRumors, rightly, didn’t explain exactly how the flaw works. A video of the Windows Phone flaw follows after the break.
A report was recently published by Android Police that suggests HTC’s Sense user interface has several major security flaws that provide HTC with access to SMS data, phone numbers, system logs, location information and much more. Worse, the flaw could potentially allow any third-party application to access the same private information without having permission from the user to do so. The security issue has been identified on the HTC ThunderBolt, EVO 4G and EVO 3D. “HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible,” HTC said in a statement. “We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.” HTC addressed a browser privacy issue in June and also commented on another report in early September which suggested the Sensation and EVO 3D were spying on users. HTC responded to the browser issue with a fix and said the “spying” allegations were a result of an HTC “opt-in” feature that allows HTC to collect data so that it can improve its phones.
Security blog Defense in Depth has found a glaring security flaw in OS X Lion that enables hackers to change the password of any user on a machine running Lion. “[While] non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Patrick Dunstan from Defense in Depth explained in a recent blog post. The result is that anyone could use a simple Python script, created by Dunstan himself, to discover a user’s password. It gets worse. Reportedly, OS X Lion does not require its users to enter a password to change the login credentials of the current user. That means typing the command: “dscl localhost -passwd /Search/Users/Roger” will actually prompt you to set a new password for Roger. As CNET points out, a hacker could only take advantage of the known bug if he or she has local access to the computer and Directory Service access. CNET suggests disabling automatic log-in, enabling sleep and screensaver passwords and disabling guest accounts as some preventative measures to keep your Mac secure.
A security expert at Italian security firm AIR Sicurezza Informatica claims to have found a security flaw in Google’s new social network that allows hackers to potentially use Google+ servers to execute DDoS attacks. Simone Quatrini explained the flaw on the IHTeam Security Blog, and he wrote a script that can perform the attack, repeatedly prompting Google’s server to send requests to the target site. DDoS attacks, or distributed denial-of-service attacks, flood a web server with requests in an effort to prevent it from functioning. Such attacks require appropriate resources and bandwidth to execute, and Google servers would obviously have more than enough of these resources to launch a significant attack.
How’s this for an undocumented feature? Apple’s newer MacBook, MacBook Air and MacBook Pro notebooks have a security flaw that can allow hackers to remotely prevent the batteries from charging. Better yet, hackers can exploit the same flaw and remotely cause batteries to explode. Apple laptops’ new “smart” battery technology is intended to provide added control over power management, and it does just that. Unfortunately, it also gives hackers added control because the microcontroller chip that ships in recent Apple laptops can be accessed remotely using a default password shared by each and every notebook. Charlie Miller, the security expert who discovered the vulnerability, plans to showcase the flaw next month at the Black Hat security conference. There, Miller will show that he is able to access the battery controller remotely and cause it to refuse a charge, or even heat up until it catches fire and explodes. “These batteries just aren’t designed with the idea that people will mess with them,” Miller told Forbes last week. “What I’m showing is that it’s possible to use them to do something really bad.” Thankfully, the security expert also intends to showcase a fix for the flaw, which Apple will hopefully implement as soon as possible.
Apple released iOS 4.3.4 on Friday in an effort to fix a security vulnerability that was present on both the iPhone and the iPad. The fix was supposed to prevent hackers from using a PDF security hole to jailbreak both devices. That didn’t quite work. The next day iPhone Dev Team was able to route around the security fix and issued a jailbreak tool for iOS 4.3.4. iPhone Dev Team has released the latest redsn0w jailbreak tool, but unfortunately it forces iOS 4.3.4 users to keep their iPhone or iPad tethered to their computer during sync and reboot. In other words, if you haven’t already updated to iOS 4.3.4 and want your iPhone or iPad to remain jailbroken, you’re going to be best off sticking with iOS 4.3.3 until another workaround is found.
Just a quick follow-up to an article we posted last week. It looks like Apple’s iOS 4.2 gold master candidate, which was pushed out to developers last night, closes the security loophole that allowed the iPhone’s lock screen to be bypassed from the “Emergency Call” function. We’ve been trying, unsuccessfully, to replicate the issue with the latest iOS pre-release.
If you’re not a member of the developer community, and wondering when you can get your hands on iOS 4.2, know that iOS 4.1 GM was released to developers one week before it went live to the general public.
Blog 9to5Mac has picked up on an interesting bug in iOS 4.1, running on the iPhone, that will allow users to bypass the device’s lock screen and make phone calls. From a locked iPhone pressing the “Emergency Call” button, dialing a non-emergency number (such as “###”), then quickly pressing “Send” followed by the iPhone’s lock key will actually force the device into the “Phone” application. From there you can access favorites, contacts, the dial pad, recent calls, and voicemails. The “home” button remains inactive throughout the process, preventing users from jumping to the home screen, however… going to the “contacts” tab, selecting a contact, and clicking “Email” or “Share contact” will allow a bypasser to send emails and MMS messages.
The issue is reminiscent of a bug we told you about last week in Motorola’s BLUR interface that allows users to make calls using voice actions from a locked screen. We’ve passed the information on to Apple and, hopefully, a fix is included in the next software update. We have a short video demonstrating the bug after the break.
A few months ago, Mozilla threw down the gauntlet by asking developers to find major security flaws in Firefox in return for a $3000 reward. Enter Alex Miller from San Jose, who spotted a critical security flaw hidden away in the Firefox code. Alex spent 90 minutes every day for 10 days before he stumbled onto something and reported it to Firefox’s parent company. Security program manager at Firefox, Brandon Sterne, said: “Mozilla depends on contributors like these for our very, sort of, survival. Mozilla is a community mostly of volunteers. We really encourage people to get involved in the community. You don’t have to be a brilliant 12-year-old to do that”. Pretty impressive stuff. Hit the read link for the full article.
[Via CNET]
UPDATE: Bob Lord, Twitter’s security chief, has put up an official blog post explaining exactly what happened this morning. You can read that article here.
In mid-July, Mozilla announced that it was upping its “bug bounty” from $500 to $3,000 for every critical, reproducible security flaw reported. Today, MacWorld is reporting that, “Between 10 percent and 15 percent of the serious security bugs reported since Mozilla launched its bug bounty program have been provided free of charge.” Mozilla spokesperson Johnathan Nightingale said: “A lot of people would say, ‘Don’t worry about it. Donate it to the EFF or just send me a T-shirt.’” Now that is the open source type spirit that just warms the cockles of your heart, isn’t it?