Items tagged with security

Security conscious computer users might wonder if we will ever fully put Spectre vulnerabilities behind us. Researchers were still discovering new vulnerabilities related to Spectre early this year. Intel is working to protect users from the vulnerability and only a few days ago it announced a patch for side-challenge exploits for some of it chips and awarded the researchers who found the bug $100,000 for their efforts. Google is also integrating security technology into its popular Chrome browser to protect against Spectre vulnerabilities. Those new security features come at a cost for Chrome... Read more...
Windows is more secure today than it was at the beginning of the week. That is how it typically goes after the second Tuesday of each month, otherwise known as Patch Tuesday, when Microsoft doles out a collection of security updates and fixes. This particular Patch Tuesday saw Microsoft dish out 54 bug fixes, including 17 deemed Critical. As far as Patch Tuesday collections go, this one is about average, both in the overall number of fixes and those that are Critical. Of those that fell into the latter category, 15 of them addressed issues with Edge and Internet Explorer, along with technologies... Read more...
Spectre and Meltdown have been the source of major headaches for the industry at large, and in particular Intel, which scurried to release firmware updates to mitigate the side-channel attacks. While now mostly in the rear view mirror, security researchers have discovered another side-channel vulnerability, which is detailed under CVE-2018-3693. It is one of a dozen new CVEs published by Intel. Researchers Vladimir Kiriansky and Carl Waldspurger discovered the flaw (PDF) and are being rewarded $100,000 for their efforts, as part of Intel's bug bounty program. "On January 3, 2018, a team of security... Read more...
China has no love for Taiwan, and the former's censorship has led to strange issues for some iPhone users. If users have their region set to China and someone sends them the Taiwan flag emoji, a bug in iOS could cause the app to crash. That bug has the potential to allow a remote user to launch a denial of service attack on the message receiver by continually sending them the Taiwan flag emoji. The bug was discovered by security researcher Patrick Wardle. Wardle says that the bug was first brought to his attention when a friend told him that iOS apps crashed when she typed the word "Taiwan" or... Read more...
Apple has launched iOS 11.4.1 and this is the update that adds USB Restricted Mode to the iPhone. The intention with USB Restricted Mode was to lock down the USB port of an iPhone to block intrusion techniques using third-party devices to crack the passcode of devices. USB Restricted Mode deactivates USB data processes via the Lighting port when the device is locked for more than an hour. Once that hour limit is reached, the USB port is only good for charging the iPhone. Security Researchers at ElcomSoft have discovered what appears to be an oversight on Apple's part that allows the USB port to... Read more...
Are you concerned about who might be reading your emails? You should be, especially if you allow third-party app developers to access your Gmail account, as many of them request. A recent report highlighted the extent of which third-party app developers can access private information, prompting Google to respond with what amounts to a soothing message saying, 'There, there, everything will be okay'. Google is not necessarily wrong, either, provided you are tech savvy enough to understand the risks associated with giving a third-party app certain permissions, and know how to take control of your... Read more...
A team of researchers has discovered a vulnerability in Android that was thought to be already patched by Google, but is theoretically able to bypass current mitigations and gain unauthorized access to handsets and tablets. Called RAMpage, it's utilizes variations of the Rowhammer attack method that Google's security engineers discovered and fixed two years ago. "Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector...[Now] we present rampage, a set of DMA-based Rowhammer attacks against the latest Android OS,... Read more...
A new attack that takes advantage of flaws that are inherent to LTE technology has surfaced called aLTEr. The exploit was discovered by an international team of security researchers and is able to redirect users to hostile websites. The exploit works in part by taking advantage of the fact that there is no integrity checking built into the lower layers of LTE. That lack of integrity checking allows nefarious hackers to use DNS packets directing traffic to website addresses to steer user requests to malicious DNS servers. Attackers could then take the user to whatever website the attacker wants.... Read more...
Intel and its partners have been busy mitigating Spectre and Meltdown, which are two types of speculative side-channel CPU attacks that, if exploited, could potentially expose a user's sensitive data. Most of the mitigations have already been put in place. Other similar vulnerabilities have started to emerge, however, including one that has been dubbed TLBleed. Unlike Spectre and Meltdown though, Intel is not planning on mitigating TLBleed. Details of the flaw will be presented at the Black Hat USA 2018 conference in early August at Mandalay Bay in Las Vegas. The organization refers to TLBleed... Read more...
Stronger wireless security is headed to homes and businesses. That's because the Wi-Fi Alliance this week formally introduced Wi-Fi Certified WPA3, the next generation of Wi-Fi security with new capabilities to bolster personal and enterprise wireless networks. The new standard builds upon and ultimately replaces WPA2, which has seen widespread adoption over the past 10 years, enabling more robust authentication. No small upgrade, WPA3 delivers increased cryptography strength for highly sensitive data markets. There are two modes, WPA3-Personal and WPA3-Etnerprise, both of which use the latest... Read more...
Data breaches have become way too common, and we are not just talking about personal accounts being compromised through phishing attacks, malware, and the like. Companies with an online presence (so pretty much every company in the world) are targets, and since many sites require that you register with an email account, there's a good chance your information has fallen into the wrong hands. As an added security precaution, Mozilla plans to test a new Firefox Monitor security feature using data from the 'Have I Been Pwned' (HIPB) website. Created by Troy Hunt, HIPB is a website where you can input... Read more...
Google is rolling out something akin to DRM for Android APKs as a way to verify that apps originated from the Play Store. Rogue apps that are malware-ridden are running rampant these days, so this is just an extra layer of security that Google is implementing to help safeguard Android users from attacks. The new DRM has a single goal, and that is to allow users to be certain that an app they are using is genuine and hasn't been tampered with. The number of apps that have been found with malware inside or to be outright fake is ever growing in the Android realm. Late last year it was found that... Read more...
The Car Connectivity Consortium (CCC) has announced that it has published the Digital Key Release 1.0 specification. That specification is a standardized solution that is designed to eliminate the keys and fobs we all carry for our cars today and replace them with a digital version that lives on your smartphone. The CCC counts among it some major tech firms and automakers, and the critical mass certainly appears to be there to make digital keys a reality in the future. Participating members of the CCC include charter members Audi, BMW, General Motors, HYUNDAI, LG Electronics, Panasonic, Samsung,... Read more...
Malware is a huge problem for computer users today as the threat posed by malicious software continues to increase. A new botnet was recently detected in a live environment for an unnamed client of Deep Instinct, a security firm. The security firm says that the botnet, dubbed Mylobot, uses three different layers of evasion techniques. The evasion techniques that the botnet uses contact command and control servers that download the final payload, Deep Instinct says that the combination and complexity of the evasion techniques that the botnet deploys have never been seen in the wild before.... Read more...
1 2 3 4 5 Next ... Last