A four year-old vulnerability in an open source component that is a critical part of Google’s Android mobile operating system could leave mobile devices that use it susceptible to attack, according to researchers at the firm Bluebox Security. The vulnerability was disclosed on Tuesday. It affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox. According to Bluebox, the vulnerability was introduced to Android by way of the open source Apache Harmony module. It affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications, according to Jeff Forristal, Bluebox’s CTO. He will be presenting details about the FakeID vulnerability at the Black Hat Briefings security conference in Las Vegas next week.
Search Results for "Heartbleed"
Google has unveiled an all-star team of hackers and security researchers it is calling “Project Zero.” According to a post on Google’s security blog, the company is hoping to use its security research muscle to investigate the security of “any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers.” Research like Google employee Neel Mehta’s, which helped expose the “Heartbleed” vulnerability in OpenSSL is a good example of the kinds of stuff Project Zero will do. Researchers will devote their time to finding and reporting software vulnerabilities and researching new exploits, mitigations and “program analysis.” The company said it plans to disclose any vulnerabilities it finds to the vendor first, then to the public in an external database. The public can monitor “time to patch” (given that the vulnerability is disclosed ahead of a patch). Project Zero brings Google’s elite hackers under […]
Just a month after a critical security hole in OpenSSL dubbed “Heartbleed” captured headlines around the globe, The OpenSSL Foundation has issued an other critical software update fixing six more security holes, two of them critical. The Foundation issued its update on Thursday, saying that current versions of OpenSSL contain vulnerabilities that could be used to carry out “man in the middle” (or MITM) attacks against OpenSSL clients and servers. SSL VPN (virtual private network) products are believed to be especially vulnerable. Users of OpenSSL versions 0.9.8, 1.0.0 and 1.0.1 are all advised to update immediately. According to information released by the OpenSSL Foundation, an attacker using a carefully crafted handshake can force the use of “weak keying material in OpenSSL SSL/TLS clients and servers.” That could lay the groundwork for man-in-the-middle attacks in which an attacker positions herself between a vulnerable client and server, decrypting and modifying traffic as it passes through the attacker’s […]
The plot of the 1982 film Blade Runner (loosely based on the 1968 novel Do Androids Dream of Electric Sheep by Philip K Dick) turns on the question of what makes us ‘human.’ Is it memories? Pain? Our ability to feel empathy? Or is it merely the foreknowledge of our own certain demise? In that movie, a group of rebellious, human-like androids – or “replicants” – return to a ruined Earth to seek out their maker. Their objective: find a way to disable an programmed ‘end of life’ in each of them. In essence: the replicants want to become immortal. It’s a cool idea. And the replicants – pre-loaded with fake memories and histories – pose an interesting philosophical question about what it is that makes us humans. Our artificial intelligence isn’t quite to the ‘replicant’ level yet (the fictional tale takes place in 2019, so we have time). But some […]
Many of you who have been following this blog know that the Security Ledger is particularly interested in covering the (fast) evolving border line between “traditional” IT security and the terra incognito of the Internet of Things. This week, we’re taking that discussion to the next level with our first-ever event: The Security of Things Forum (or SECoT for short). SECoT is going to be an amazing day of discussion and debate about what I consider one of the foremost challenges facing the technology community in the next decade: securing a rapidly expanding population of intelligent and Internet-connected devices. [Register for The Security of Things Forum here. Use the Promo Code SLVIP to get 20% off!] Attendees will hear an address by Dr. Dan Geer, the Chief Security Officer at In-Q-Tel, the U.S. Central Intelligence Agency’s investment arm. Dan is one of the smartest and most prescient thinkers in the security world, […]