Web

Remote Car Hacks Depend On The Internal Design, Say Researchers

When purchasing your next car, you face many options. You want a good price, but also good gas mileage and perhaps an entertainment system for the kids in back. But for Dr. Charlie Miller, Twitter, and Chris Valasek, director of vehicle security research at I/OActive, the main criteria is whether or not the car is a likely candidate to be hacked. In particular they said they were interested in cars that would be more susceptible to remote hacking. Work done previously by Professor Stefan Savage along with graduate students from the University of Santa Barbara and the University of Washington used the Onboard Diagnostic port to control a car. Last year Miller and Valasek used internal wiring to gain control of their test cars. This year the pair said they wanted to take a step back and look at how cars in general communicate internally as a predictor of hacking […]

Continue Reading

Micro Survey of Smart Home Devices Finds Much To Fault

Larry Dignan over at ZDNet is writing about a new survey by HP’s Fortify application security division that finds 70 percent of Internet of things devices have exploitable software vulnerabilities. Some caveats: HP makes its conclusions based on scans of “10 of the most popular Internet of things devices.” That’s a very small sample size that could (greatly) skew the results one way or the other. So take this with a grain of salt. You can download the full survey here. (PDF) [Read Security Ledger coverage of Internet of Things here.] According to Dignan, HP found 25 vulnerabilities per device. Audited devices included TVs, Webcams, thermostats, remote power outlets, sprinklers, door  locks, home alarms, scales and garage openers. One of each, from the sound of it. The findings, assessed based on the OWASP Internet of Things Top 10 list and vulnerability categories, account for the devices as well as cloud and […]

Continue Reading

Old Apache Code at Root of Android FakeID Mess

A four year-old vulnerability in an open source component that is a critical part of Google’s Android mobile operating system could leave mobile devices that use it susceptible to attack, according to researchers at the firm Bluebox Security. The vulnerability was disclosed on Tuesday. It affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox. According to Bluebox, the vulnerability was introduced to Android by way of the open source Apache Harmony module. It affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications, according to Jeff Forristal, Bluebox’s CTO. He will be presenting details about the FakeID vulnerability at the Black Hat Briefings security conference in Las Vegas next week.

Continue Reading

Report: AdWords Fraudbot Helps E-Commerce Firms Compete

One of the more interesting stories to come out this week is from Brian Krebs over at Krebsonsecurity.com. Writing on Friday, Krebs used his prodigious knowledge of the cyber underground to profile “GoodGoogle,”  one of a growing number of specialized online fraud services that helps e-commerce firms target competitors by gaming Google’s AdWords feature. As you probably know, AdWords are one of Google’s biggest sources of revenue. They allow companies with products or services to sell to “bid” on words or phrases (like “Internet of Things”). Users who search on those terms will see hyperlinked ads to the right of their search results that link to a site of the advertiser’s choosing. Advertisers pay a premium to own popular (and lucrative) keywords – more than $40 per click for keywords like “loan,” “insurance,” “mortgage” or “attorney” depending on the word and time of day. Typically, advertisers set a certain daily budget […]

Continue Reading

Google Unveils Project Zero Hacking Team

Google has unveiled an all-star team of hackers and security researchers it is calling “Project Zero.” According to a post on Google’s security blog, the company is hoping to use its security research muscle to investigate the security of “any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers.” Research like Google employee Neel Mehta’s, which helped expose the “Heartbleed” vulnerability in OpenSSL is a good example of the kinds of stuff Project Zero will do. Researchers will devote their time to finding and reporting software vulnerabilities and researching new exploits, mitigations and “program analysis.” The company said it plans to disclose any vulnerabilities it finds to the vendor first, then to the public in an external database. The public can monitor “time to patch” (given that the vulnerability is disclosed ahead of a patch). Project Zero brings Google’s elite hackers under […]

Continue Reading
1 13 14 15 16 17 36