The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender – The Citizen Lab

The place I work at did some stuff.

But the major takeaway for most people should probably be this:

IF YOU ARE ON AN iOS DEVICE, UPDATE YOUR PHONE OR iPAD RIGHT NOW

  1. Open Settings >> General >> Software Update
  2. Tap Download and Install. If a message asks to temporarily remove apps because iOS needs more space for the update, tap Continue or Cancel.

The vulnerabilities we identified in iOS are incredibly severe. Please update your device immediately.

BlackBerry DTEK50 Review: Secure, reasonably priced but light on battery life

BlackBerry DTEK50 Review: Secure, reasonably priced but light on battery life:

But the software on the DTEK50 is the same as the Priv’s – hardened Android 6.0.1 (Marshmallow), FIPS 140-2 compliant full disk encryption, hardware root of trust, and BlackBerry Integrity Detection that monitors for compromises, with BlackBerry extras like the Hub (a unified inbox for all communications), calendar, contacts, password keeper, device search, launcher, and the DTEK security app for which the phone was named. Once you’ve used the BlackBerry software, most other offerings seem severely wanting. DTEK deserves special mention. It evaluates the device’s security posture, recommends changes, and allows you to see exactly what rights each app is using, and how often. You can also revoke individual privileges for an app if, for example, you see no reason why a flashlight app should have access to your contacts.

On what possible grounds can the reviewer – or the editor, who presumably assigned the title to this article – assert that the new BlackBerry device is ‘secure’? We know that BlackBerry’s consumer-grade options do not encrypt messaging data. We know that other implementations of Android, such as CopperheadOS, actually contribute code to the Android Open Source Project that is meant to reduce vulnerabilities.

We also know that BlackBerry refuses to disclose how often they receive, and respond to, government requests for assistance. And we don’t know which countries BlackBerry provides assistance to, under what specific terms, or the types of data that the company discloses. But all of this speaks to BlackBerry being able to access consumers’ data…which is the definition of a service being insecure insofar as non-authorized actors can read or copy the data in question.

Before journalists or editors make assertions regarding security of mobile devices (or any other product for that matter) they should be obligated to contact experts in the field of mobile security. And preferably they’d actually contact people who actively test the security of mobile devices. Or, you know, at the very least they’d read the news and realize that the security afforded by BlackBerry to its retail customers is more like propaganda than based in reality.

Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks

Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks:

“The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted,” Lookout researcher Andrew Blaich told Ars. “If there’s somewhere they’re going to that they don’t want tracked, always ensure they’re encrypted.”

The vulnerability makes it possible for anyone with an Internet connection to determine whether any two parties are communicating over a long-lived transport control protocol connection, such as those that serve Web mail, news feeds, or direct messages. In the event the connections aren’t encrypted, attackers can then inject malicious code or content into the traffic. Even when the connection is encrypted, the attacker may still be able to determine a channel exists and terminate it. The vulnerability is classified as CVE-2016-5696.

One of the more likely ways exploits might target Android users is for them to insert JavaScript into otherwise legitimate Internet traffic that isn’t protected by the HTTPS cryptographic scheme. The JavaScript could display a message that falsely claims the user has been logged out of her account and instruct her to re-enter her user name and password. The login credentials would then be sent to the attacker. Similar injection attacks might also attempt to exploit unpatched vulnerabilities in the browser or e-mail or chat app the targeted Android user is using.

Another day, and another massive vulnerability disclosed about Android.

Almost every Volkswagen sold since 1995 can be unlocked with an Arduino

Almost every Volkswagen sold since 1995 can be unlocked with an Arduino:

… security researchers have discovered how to use software defined radio (SDR) to remotely unlock hundreds of millions of cars. The findings are to be presented at a security conference later this week, and detail two different vulnerabilities.

The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company’s vehicles.

Alone, the value won’t do anything, but when combined with the unique value encoded on an individual vehicle’s remote key fob—obtained with a little electronic eavesdropping, say—you have a functional clone that will lock or unlock that car.

Just implement the research by dropping some Raspberry Pis in a mid- to high-income condo parking garage and you’ve got an easy way to profit pretty handsomely from Volkswagen’s security FUBAR.

Waiting for Android’s inevitable security Armageddon

Waiting for Android’s inevitable security Armageddon:

Android has around 75-80 percent of the worldwide smartphone market—making it not just the world’s most popular mobile operating system but arguably the most popular operating system, period. As such, security has become a big issue. Android still uses a software update chain-of-command designed back when the Android ecosystem had zero devices to update, and it just doesn’t work. There are just too many cooks in the kitchen: Google releases Android to OEMs, OEMs can change things and release code to carriers, carriers can change things and release code to consumers. It’s been broken for years.

This editorial was written over a year ago. And it’s as true, today, as it was the day it was written. Imagine if car companies just kept releasing the same dangerous, flawed, and fixable devices despite rampant car crashes, accidents, and other mishaps.

That’s Google today, as it continues to push flawed versions of Android, and today’s OEMs (e.g. Samsung, HTC) and carriers (e.g. Rogers, AT&T, Vodafone). The insecurity of Android constitutes a basic safety and human rights issue at this point given how states exploit Android vulnerabilities to target dissidents, journalists, academics, writers, and the public more generally. And yet none of the core parties responsible for these major security failures are making genuine efforts to actually fix the problem because they don’t think they have to care.

Copperhead OS: The startup that wants to solve Android’s woeful security

Copperhead OS: The startup that wants to solve Android’s woeful security:

Linux device drivers have been the operating system’s Achilles heel since day one, and the Android platform is no exception. Android phones ship with kernels frozen to ensure driver compatibility—which usually means that a new Android device comes with a kernel that’s already a year or two old.

“It’s like if you have a printer and the last printer driver made was for Windows 95, you can never upgrade your computer to a newer version,” Soghoian explains. “Android is bigger than just Google, and when Google’s partners drag their feet it undermines the security of the entire ecosystem.”

As an Android device ages, the kernel may get backported security patches, depending on the OEM’s willingness to push updates, but the handset will miss out on the latest security advances, since upgrading the kernel would break hardware compatibility with the drivers.

There are a lot of great things about Android. Device and data security just aren’t amongst them.

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open:

Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called “golden key”—which allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets.

The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.

There’s a lot that can be said about this absolute debacle. I’ll restrain myself to two things:

  1. This is the exact kind of problem that crops up when you include backdoors in software: eventually the information required to exploit the backdoors emerges.
  2. Microsoft’s own leakage of the key is one of the most amazing ‘own goals’ in recent security history. It’s going to be one for the history books.

Also: remember when Apple said they didn’t, and would vigorously fight, any effort to backdoor their operating systems? Microsoft’s absolute failure to secure the cryptographic material is just one rationale behind Apple’s security posture.

Netflix Adopts Efficient HTTPS Encryption For Its Video Streams

Netflix Adopts Efficient HTTPS Encryption For Its Video Streams:

Netflix has been reluctant to adopt HTTPS for its video streams so far because delivering video is already a bandwidth-heavy task, and adding encryption on top of that risked adding too much overhead. To solve this problem, the company searched for the ideal cipher and its fastest implementation.

Encrypting everything matters because third parties can use our unique ‘tells’, be they video watching, online reading, music listening, website browsing, or other human behaviours to track us across the Internet. Some of these trackers are other companies, some of them are governments, and some are just questionable groups of hackers.

Netflix’s adoption of HTTPS for their entire service line is a good thing but, now, it’ll be important to actually test the implementations of HTTPS. Unfortunately, most implementations suffer some kind of deficiency and it’s more likely than not that Netflix’s initial deployment will be similarly flawed.

Chrome starts retiring Flash in favor of HTML5

Thank god that this absolute blight on computer security is finally starting to be fully deprecated. Which means it should only continue to be a problem until the mid- to late-2020s as people gradually upgrade their devices to those which will not run Flash content by default…

2016.8.10

We have never had absolute privacy in this country. Cars, safe deposit boxes, our apartments, our houses, even the contents of our minds—any one of us, in appropriate circumstances, can be compelled to say what we saw. We have never lived with large swaths of our life off limits, where judicial authority is ineffective. That is something we need to talk about. I don’t think the FBI should tell people what to do. I don’t think tech companies should tell people what to do. The American people need to decide.

James Comey, Director of the FBI

The problem is that Comey is simply wrong: the state has never held absolute power over citizens. The 5th Amendment in the United States guarantees a right to avoid testifying against oneself. Our devices are now so personalized with our communications, thoughts, banking, business, and life that they are functionally a self-testimonial about our lives.

Moreover, even when some evidence is unavailable – be it because authorities don’t know to look for it, or cannot find it – that doesn’t immediately mean that a case is terminated. Instead, a range of powers as well as alternate charges can be brought to bear. And the price of a democracy is that, sometimes, authorities cannot bring charges against people they suspect but cannot prove may have broken the law. This restraint on state power is a core feature of liberal democratic governance and is a restraint that needs to be maintained so that we can all enjoy our freedoms.