Author: Nick Farrell

NSA proof phone rooted in five minutes

Posted on August 11, 2014 by - News

756px-Lu_Zhishen_Water_Margin_2The ultra secure “NSA-Proof “Blackphone was hacked in just inside five minutes during a Blackhat hacking conference.

@TeamAndIRC rooted the device without needing to unlock the bootloader and turned on ADB on the device. The vulnerability that allowed this to happen is now semi-fixed and needs the user to take action to be able to exploit the weakness.

Blackphone was made by Silent Circle and Geeksphone, and it is designed to provide a suite of secure services running on a fork of the Android Open Source Project (AOSP). Called PrivatOS, it is meant to provide a consumer level access to secure options that protect personal data from being leaked to third parties.

It was dubbed as “nsa proof” by her Majesty’s loyal press mostly as what passes for humour in such circles, because it came out after the Snowden affair.

Still its ironic that yet again even the most secure of Android phones are susceptible to the inherent to Android OS which was never built with security in mind.

Blackberry and Blackphone have been scrapping over which one is the most secure.  BlackBerry, sniffed that Blackphone was okay for the average Joe and plain Jane, but“unacceptable” for enterprise and pretty customers. The reason was that Blackberry could protect the whole of the communication because it controlled the network, while the Blackphone could only look after the client end.

@TeamAndIRC assures everyone that it will be working out how to prove that Blackberry is just as bad and will get onto it right now.

 

 

 

 

 

Shark hunter says Ellison needs a bigger boat

Posted on August 8, 2014 by - News

jawsTop security analyst David Litchfield has returned to hunting holes in Oracle software, after a comparatively less daunting task of finding Great White Sharks, and he apparently found  Larry Ellison’s team has not improved during his time off.

Litchfield retired a few years ago from his job of creating major headaches for Oracle and went scuba diving and looking for sharks. Apparently, the sharks gig was dull in comparison to his job hunting holes in Oracle software so he returned to dry land.

Litchfield has been looking at Ellison’s new data redaction service called the Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations.

However Litchfield told the Black Hat USA conference that it is packed with trivially exploitable vulnerabilities

If Oracle had followed any sort of software development life cycle instead of just paying lip service to it, every one of these flaws would have been caught. It is kindergarten stuff, he said.

Litchfield found several methods for bypassing the data redaction service and tricking the system into returning data that should be masked.

Litchfield said that it was so simple to hack the service he did not feel right calling them exploits.

He said Oracle was still not learning he lessons that people were leaning in 2003. He said that in the space of a few minutes he could find a bunch of things that I can send to Oracle as exploitable.

The data redaction bypasses that Litchfield found have been patched, but he said he recently sent Oracle a critical flaw that enables a user gain control of the database. That flaw is not patched yet but is coming.

Microsoft kills support for old IE

Posted on August 8, 2014 by - News

firing-squadSoftware giant Microsoft has decided to pull the support plug on old versions of Internet Explorer.

Of course that is not what Microsoft said on its blog. It tells you that it is “prioritising helping users stay up-to-date with the latest version of Internet Explorer.”

Vole said that outdated browsers represent a major challenge in keeping the Web “egosystem” safer and more secure, as modern Web browsers have better security protection.

Internet Explorer 11 includes features like Enhanced Protected Mode to help keep customers safer. It should come as no surprise that the most recent, fully-patched version of Internet Explorer is more secure than older versions, Vole wrote.

To force the hand of users, from January 12, 2016, the following operating systems and browser version combinations will be supported:

Windows Platform Internet Explorer Version
Windows Vista SP2 Internet Explorer 9
Windows Server 2008 SP2 Internet Explorer 9
Windows 7 SP1 Internet Explorer 11
Windows Server 2008 R2 SP1 Internet Explorer 11
Windows 8.1 Internet Explorer 11
Windows Server 2012 Internet Explorer 10
Windows Server 2012 R2 Internet Explorer 11

After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates.

Customers using Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support. For more details regarding support timelines on Windows and Windows Embedded, see the Microsoft Support Lifecycle site.

Vole said that it is introducing new features and resources to help customers upgrade and stay current on the latest browser.

 

Nvidia does rather well

Posted on August 8, 2014 by - News

nvidia-gangnam-style-330pxNvidia posted higher second-quarter earnings and gave a forecast for current-quarter revenues that exceeded what the cocaine nose jobs of Wall Street predicted.

This was surprising given that some analysts were worried that PC shipments were flat in the June quarter.

Nvidia’s graphics chips for PCs make up most of its business but what appears to have saved the company’s bottom line was that it has been selling to car makers and data centres.

In the second quarter, revenue from Tegra chips for automobiles and mobile devices jumped 200 percent to $159 million.

After struggling to compete against larger chipmakers like Qualcomm in smartphones and tablets, Nvidia has increased its focus on using its Tegra chips to power entertainment and navigation systems in cars made by companies including Volkswagen’s Audi, BMW and Tesla.

Nvidia in July launched its own tablet aimed at game enthusiasts, called Shield, with Tegra chips and other high-end components. This went against the industry trend toward commoditized, inexpensive devices.

Nvidia has been doing well in the cloud by flogging its chips to IBM, Dell and HP as part of their datacentre product range.

Predictions are that Nvidia’s GRID graphics technology for data centres will also do well after it has been tested by other potential enterprise customers.

Nvidia reported second-quarter revenue of $1.1 billion, up 13 percent from the year-ago quarter as it expanded its focus on cars and cloud-computing.

For the current quarter, Nvidia said it expects revenue of $1.2 billion, plus or minus 2 percent. Analysts on average expected second-quarter revenue of $1.1 billion and third-quarter revenue of $1.16 billion.

Nvidia’s net income in the second quarter, which ended on July 27, added up to $128 million or compared with $96 million in the year-ago quarter.

Homeland Security Contractor hacked

Posted on August 7, 2014 by - News

invisible-agent-movie-poster-1942-1020531953A company that performs background checks for the US Department of Homeland Security has been the victim of a “state-sponsored attack” on its systems.

US Investigations Services (USIS) had all the personal information about DHS employees so it merited a foreign spy agency’s attention.

DHS said it had suspended all work with the company and a “multi-agency cyber response team is working with the company to identify the scope of the intrusion.

DHS spokesman Peter Boogaard said Homeland Security forensic experts had concluded that some DHS personnel may have been affected. DHS has notified its entire workforce, mostly to be cautious to advise them to monitor their financial accounts for suspicious activity. Although if it was a state sponsored attack the hackers are not going to be raiding bank accounts.

Experts who have reviewed the facts gathered to-date believe it has all the markings of a state-sponsored attack.

USIS says it is the biggest commercial provider of background investigations to the federal government, has over 5,700 employees and provides its services all over the world.

Apple and Intel: sheesh!

Posted on August 7, 2014 by - News

rejection-2One of the dafter silly season stories to cross our desk has been the bizarre claim that Apple will eventually drop Intel and use its own ARM based chips.

The source of this is a former Apple executive Jean-Louis Gassee who wrote in his bog that the end is nigh for Intel on the Mac.

To be fair Gassee did not come up with this theory on his own.  He was quoting Matt Richman in a 2011 blog post titled “Apple and ARM, Sitting in a Tree” where he said that  after a complicated but ultimately successful switch from PowerPC chips to Intel processors in 2005, Apple will make a similar switch, this time to ARM-based descendants of the A4  chip designed by Apple and manufactured by Samsung.

Of course that was a long time ago and Apple and Samsung are no longer friends. The reasons both blogs give for a switch are low power usage and price.

“Dumping Intel for ARM would therefore allow Apple to offer ultra-affordable Macs while at the same time preserving their precious margins. In this scenario, Apple would be able to steal away even more market share from Microsoft while generating boatloads of cash in the process,” Gassee claims.

The other advantage is that Apple is a complete control freak and loves to control as much of the underlying technology in its products as possible.

If Apple moved to ARM, it would not have to suffer the expected humiliation of having to delay its new Macbooks because Intel has not made its Broadwell chip on time. While Intel CEO Brian Krazanich initially claimed that Intel’s next-gen processor would launch in time for the 2014 holiday season, it now looks as if Apple will have to wait until 2015 for that.

That is where the logic in the argument fails completely. The ARM chips are not as good performers as the Intel versions. That is not an insult; they are mobile phone chips which are not designed to do the same thing as a PC.

If Apple were interested in creating low power, “cheap as chips PCs” then it might have a chance at pulling it off, but that has not been Jobs’ Mob’s model ever.

What is bizarre about this rumour is how it has been seized on by the Tame Apple Press keen to show some superiority for Apple even as the shine goes off the company. Having told us for years that the world was moving to mobile, because Steve Jobs said it was, and that the PC was dead, they are now in the uncomfortable position of having to eat their words. They are also finding that their favourite PC maker is not the final solution in some technology fields.

PC chip design is one of them.

What is more likely is that Apple will stick to its Mobile ARM chips and look to Intel to provide its PC chips at least for the foreseeable future. About the only thing that might change Apple’s mind is that if AMD suddenly came up with some super cool chips.  They, at least, would be cheaper – not that Apple really cares that much about price.

Wackypedia in trouble over selfie

Posted on August 7, 2014 by - News

Picture thanks to Wiki Commons

Picture thanks to Wiki Commons

Online encyclopaedia Wikipedia is in hot water over a selfie picture which a monkey took of itself when it stole an English nature photographer’s camera.

Wackypedia claims that since the monkey took the picture it is public domain and the picture does not belong to photojournalist David Slater, who owned the camera. It had put the pictures in its Wikimedia Commons and Slater claims that is costing him money.

The black macaca nigra monkey swiped the camera from Slater during a 2011 shoot in Indonesia and snapped tons of pictures, incWluding the selfie and others at issue.

Wikimedia said that it had received a takedown request from Slater, claiming that he owned the copyright to the photographs, but it did not agree.

The image has at times been removed from the Wikimedia Commons by various site editors and keeps coming back.

Slater said the picture should not be in the public domain. While a monkey pressed the button, but I did all the setting up.

Wikimedia said that to claim copyright, the photographer would have had to make substantial contributions to the final image, and even then, they would only have copyright for those alterations, not the underlying image. This means that there was no one on whom to bestow copyright, so the image falls into the public domain.

Tektronix makes security own goal

Posted on August 7, 2014 by - News

Barbra_Streisand's_Greatest_HitsIt appears that the Tektronix company has a few problems when it comes to managing the press.

Last week a small site called hackaday ran a yarn which said that Tektronix application modules were designed with laughable security.

The theme of the post was a review of Tektronix modules that unlock the features in an oscilloscope chip. However, Tektronix designed a woefully weak system for unlocking these modules.

Tektronix was not happy about the details of its system being reviewed in the magazine, and even less so that it was described as being “laughable”.

But rather than ignore the review, take the editor out for a quiet chat, or ask nicely to have the thing taken down, Tektronix said the review violated its copyrights.

Its lawyers sent a DMCA Takedown Notice demanding that it remove the post because the story violated its copyright.

To put this in some perspective, if you review a product and you think it is insecure you are allowed to say why. The use of a DMCA though is a nasty tactic because it means that a less understanding ISP can shut your magazine down.

Tektronix said that the posting on the “Hack A Day” website concerning hacking of Tektronix’ copyrighted modules for use in oscilloscopes.

“Hacking those modules permits unauthorised access to and use of Tektronix’ copyrighted software by means of copying of Tektronix’ copyrighted code in those modules,” the company said.

The posting includes instructions for how to hack our modules and thereby violate Tektronix’ copyrights.

However Hack-a-Day said that is the point of its article. The product uses an EEPROM, a connector, and a plain text string of characters which is already published publicly on Tektronix’s  website.

“ If you were selling these keys for $2.99 perhaps this would be adequate, but Tek values these modules at $500 apiece,” the site said.

Now it would appear that Tektronix is suffering from a bad case of Barbara Streisand after all we would never have noticed Hack-a-Day’s story if it had not objected.

US spooks in Snowden panic

Posted on August 6, 2014 by - News

spyUS spooks have uncovered what they think is another Edward Snowden who has been secretly leaking classified info to the great unwashed.

The Secret Service is thinking of asking the US Department of Justice to open a criminal investigation into the suspected leak of a classified counter-terrorism document to a news website.

A document which was published in The Intercept provides a statistical breakdown of the types of people whose names and personal information appear on two government data networks listing people with supposed connections to militants.

The Intercept is co-founded by Grenn Greenwald, the reporter who worked with Edward Snowden but the document was dated August 2013, after Snowden left the US.

Since Snowden is not thought to have had access to US networks after May, officials to suspect the drop may have come from a second leaker.

The document talked about the Terrorist Identities Datamart Environment database (TIDE) and the Terrorist Screening Database.

It said 680,000 names were “watchlisted” in the Terrorist Screening Database, an unclassified data network which is used to draw up more selective government watchlists.

The file also showed that 280,000 of the 680,000 people are described by the government as having “no recognised terrorist group affiliation.”

More lists include a “no fly” list totalling 47,000 people who are supposed to be banned from air travel, and a further “selectee list” of 16,000 people who are supposed to get extra screening.

The screening database is taken from TIDE, a larger, ultra-classified database which contains 320,000 more names.

This is not the first time the Intercept has a big scoop that has put the fear of god into the spooks. It has also published a lengthy document setting out the criteria and procedures by which names are placed into terrorist watchlist databases.

Hotel takes Basil Fawlty approach

Posted on August 6, 2014 by - News

fawlty2_2790315bA US hotel has been adopting a Basil Fawlty approach to bad reviews on the internet.

The Union Street Guest House in New York has worked out that the best way to keep negative reviews off Yelp and other sites is to fine guests who complain.

The hotel charges couples who book weddings at the venue $500 for every bad review posted online by their guests. The online police reads:

“Please know that despite the fact that wedding couples love Hudson and our inn, your friends and families may not. “If you have booked the inn for a wedding or other type of event . . . and given us a deposit of any kind . . . there will be a $500 fine that will be deducted from your deposit for every negative review . . . placed on any internet site by anyone in your party.”

If you take down the bad review, you will get your money back.

Just in case anyone posts a bad review, the hotel owner has been aggressively posting “mean spirited nonsense,” and “she made all of this up.”

For example in one case a reviewer complained of rude treatment over a bucket of ice, the proprietors shot back: “I know you guys wanted to hang out and get drunk for 2 days and that is fine. I was really really sorry that you showed up in the summer when it was 105 degrees. . . I was so so so sorry that our ice maker and fridge were not working and not accessible.”

As Basil Fawlty once said: “Have you seen the people in room six? They’ve never even sat on chairs before.”

After the outcry the Hotel pulled its policy from the web, but it can be found on Go-Back. You can just remember this rant from Fawlty Towers which is more or less similar.

 

Child labour plant dogs Samsung

Posted on August 5, 2014 by - News

child_laborThe Chinese subsidiary of Shinyang Engineering has started supplying parts to Samsung a month after business ties were cut over child labour allegations.

Samsung halted business with Dongguan Shinyang Electronics after China Labor Watch found at least five child workers without contracts at the plant.

The kids were working on the assembly lines at Dongguan Shinyang and yet a month earlier an independent audit by Samsung found no child labour at the site.

Shinyang said that a third-party firm supplying workers had brought in child labourers around the end of June with forged identification.

There are no child workers at Dongguan Shinyang now and the children working at the plant have been let go.

Samsung suppliers have been under watch since 2012, when China Labor Watch found seven children younger than 16 were working for one of the South Korean firm’s China-based suppliers. Chinese law forbids hiring workers under 16.

Apple had a similar problem with some of its Chinese contacts and people objecting to Foxconn workers throwing themselves off buildings rather than making its shiny toys.

Handbags swing in HP/ Autonomy case

Posted on August 5, 2014 by - News

pearl-harborPundits are grabbing their popcorn as the opening rounds of handbag swinging between HP and the former owners of Autonomy begin in earnest.

HP wants to sue former Autonomy Chief Financial Officer Sushovan Hussain as he seeks to block HP’s settlement of three shareholder lawsuits over its purchase of the British software outfit.

Hussain wants to block the settlement, saying HP officials were wrongly absolved in the ill-fated acquisition of Autonomy for $11.1 billion in 2011.

HP wrote down Autonomy’s value by $8.8 billion a year later and accused Autonomy officials of accounting fraud.

Hussain said that is rubbish and it was HP’s mismanagement which stuffed up the company he used to run.

But what has triggered this round of handbag swinging was that HP reached a settlement with shareholders to end efforts to force current and former HP officials, including Chief Executive Officer Meg Whitman, to pay damages over its Autonomy purchase.

Instead they have agreed to help HP pursue claims against former Autonomy officials such as Hussain and former CEO Michael Lynch.

HP said that the notion that Hussain should be permitted to intervene and challenge the substance of a settlement designed to protect the interests of the company he defrauded is ludicrous.

It now says that shareholders agree with HP that Hussain, along with Autonomy’s founder and CEO, Michael Lynch, should be held accountable for this fraud.

Hussain said in his court filing that the “collusive and unfair” settlement, if approved by a federal judge, would let HP “forever bury from disclosure the real reason for its 2012 write-down of Autonomy.

“This breathless ranting from HP is the sort of personal smear we’ve come to expect. As the emotional outbursts go up, the access to facts seems to go down,” Autonomy swung back.

“Meg Whitman is buying off a bunch of lawyers so she doesn’t have to answer charges of incompetence and misdirection in front of a judge and jury.”

 

Ooooohhh get her.

Boffins power gadgets with radio waves

Posted on August 5, 2014 by - News

mad-scientistBoffins from the University of Washington have emerged from their smoke filled labs with a new communication system that uses radio frequency (RF) signals as a power source.

It means that you can also use existing Wi-Fi infrastructure to provide Internet connectivity to these devices.

Dubbed Wi-Fi backscatter, this technology is the first that can connect battery-free devices to Wi-Fi networks.

It solves a problem that inventors were having with the unternet of thongs.  The devices have to be small, and that means losing or shinking the battery. It also means that people will be spending more time charging their shiny toys than they do using them.

Shyam Gollakota, a UW assistant professor of computer science and engineering, said that using this system it is possible to enable Wi-Fi connectivity for devices while consuming orders of magnitude less power than what Wi-Fi typically requires.

The researchers will publish their results at the Association for Computing Machinery’s Special Interest Group on Data Communication‘s annual conference this month in Chicago. The team also plans to start a company based on the technology.

There had been some work done before which showed how low-powered devices such as temperature sensors or wearable technology could run without batteries or cords by harnessing energy from existing radio, TV and wireless signals in the air. This work takes that a step further by connecting each individual device to the Internet, which previously was not possible.

The problem was that low-power Wi-Fi consumes three to four orders of magnitude more power than can be harvested in these wireless signals.

What the researchers developed was an ultra-low power tag prototype with an antenna and circuitry that can communicate with Wi-Fi-enabled laptops or smartphones while consuming negligible power.

The tags looking for Wi-Fi signals moving between the router and a laptop or smartphone. They encode data by either reflecting or not reflecting the Wi-Fi router’s signals, and slightly changing the wireless signal. Wi-Fi-enabled devices detect these changes and receive data from the tag.

The UW’s Wi-Fi backscatter tag has communicated with a Wi-Fi device at rates of 1 kilobit per second with about 2 meters between the devices. They want to extend the range to about 20 meters and have patents filed on it all.

Sony kills ebook reader

Posted on August 5, 2014 by - News

additional-oxford-dodo-bookSony has confirmed that it will not make any more eBook readers, not even in Japan where it can still sell them.

There will never be such a gizmo with the catchy title PRS-T4 and the Sony Reader PRS-T3 will be sold until it runs out. Since that was launched last autumn and only in the EU, Sony could not have have many left.

Sony pioneered the idea of an E-ink ereader in 2004 when it launched the Sony Librie in 2004.

The company worked with E-ink and Toppan Printing Co of Japan for several years to develop the first generation of the 6″ screen which was used in the Librie, and later the Sony Reader, Kindle, Nook, and other ereaders.

Sony released the first 6″ screen, it also followed it up with several cutting edge devices. It was also the first to adopt Epub, and to combine an E-ink screen with a touchscreen and a frontlight.

But Sony was largely aced by the Nook-Kindle price war in June 2010 and lost out in the price drop that followed.

 

Homeland Security wants to save Expendables

Posted on August 4, 2014 by - News

Expendables-3_Expendables-2US Homeland Security, which is supposed to be defending the country from terrorists, is using taxpayer money to defend the business model of Big Content.

The US Department of Homeland Security’s Immigration and Customs Enforcement is investigating the piracy of the Lionsgate action flick The Expendables 3. Lionsgate made calls to several law-enforcement agencies to using their spying technology to locate the pirates, who are accused of leaking a full version of the pic on various file-sharing sites last week.

Apparently, it is not so unusual lately for the men in black, who you would think would be dealing with people with guns trying to bring down the government, to be defending big corporate interests. U.S. Customs was merged into USDHS, and it investigates illegally distributed copyrighted materials, including media content.

In the past, it has actually seized domain names of websites used to illegally distribute media content and/or counterfeit goods.

Lionsgate filed suit against the sites hosting the pic and the same day it dropped the final trailer (see it below) that opens wide August 15.

The digital copy was stolen from the Studio last week and news of the download surfacing wide by the time Comic-Con was in full swing last weekend. There were 250,000 downloads on that first day and an estimated two million afterwards.