An exploit for Firefox on Android has been found that can be triggered remotely to download and execute APK files. It forces Firefox versions 23/24/26 to download and run a malicious application. The exploit was posted by a Russian hacker and exploit writer, and the auction starts at $460. It can be triggered just by visiting a malicious site, so even ordinary browsing is not safe. All the attacker has to do is use some social engineering to convince people to visit a malicious website; he might not even have to, since he could instead infect a known website and make all its visitors victims. Update your software to the latest version and be careful about which websites you visit.
Arul Kumar, an Indian security researcher, found a vulnerability in Facebook that let him delete any image within a minute. The vulnerability was in Facebook’s support dashboard, and Facebook rewarded him with $12,500 for helping the security team patch it. Basically, the security hole was in the photo removal request: the attacker could change the profile id and the image id and so delete any image on Facebook. Imagine if someone who hates you found this and exploited it, or paid someone else to, and deleted all your images. There are people who have uploaded hundreds of photos and can’t even imagine such a thing happening to them.
Apple has invented a new technology that can switch off the camera and Wi-Fi on an iPhone remotely. It is meant for when people enter a “sensitive area”. It basically broadcasts a signal, and when an iPhone receives it, it shuts down certain features or the whole device. For some of us this is not an issue, since I never bought and will never buy an Apple device as long as they keep overcharging for everything. And of course they keep doing it, since there are many people paying. Back to our subject: these are not rumors; there is a patent filed by Apple titled “Apparatus and methods for enforcement of policies upon a wireless device”.
We all learned about the NSA’s Prism and that user data is available to the US government like any other public document. Tor is, in general terms, an anonymity tool for users’ internet activity. Since Snowden revealed the information about Prism, Tor has gained more than 600,000 new users and now has about 1.2 million. Tor is also used by hackers and web criminals to hide their activity. This is not Tor’s fault; almost any tool can be used for good and for bad. Some countries ban the Tor network in order to monitor their citizens more easily. Sometimes I can’t believe how countries move backwards in technology and progress.
Most of you know Lenovo, the biggest Chinese computer maker. It has recently been banned from supplying equipment to several intelligence and security agencies, mostly government agencies in the US, UK, Canada, Australia and New Zealand. This is because of concerns that its equipment contains serious hardware and firmware backdoor vulnerabilities. A hardware backdoor is very hard to detect, which makes the risk critical for agencies like the NSA. Huawei should feel very lucky, since it will most probably fill the gap with its equipment. Lenovo is the company that acquired IBM’s personal computer business when IBM decided to leave the PC business back in 2005.
When you create a Facebook account you must provide an email address, which becomes your primary email address. A security researcher found a vulnerability in Facebook, yes, another one, that reveals the primary address of any account. The flaw was in the invitation mechanism, and hackers and spammers could exploit it to get the primary email address of every account. The process can easily be automated, so this is no obstacle for someone with basic programming knowledge. I will not post the steps for getting this information; it has already been patched by Facebook, and they awarded $3,500 to the person who found the vulnerability. If you receive email at an address you have only ever used on Facebook, now you know why.
According to Edward Snowden, the NSA and Israel worked together to create Stuxnet, a computer worm that was used to attack Iran’s nuclear facilities. It spread via Microsoft Windows, and its target was industrial control systems made by Siemens. Later, a more sophisticated virus called Flame was linked to Stuxnet: Kaspersky researchers concluded that Flame’s creators were the same people who created Stuxnet, because of similarities in the code. So, if what the whistleblower says is true, the NSA created both pieces of malicious software. I guess they created more than the ones we have just learned about. But don’t worry, they create malicious software, worms and viruses to protect you; at least, that is what they will say if you ask them. They don’t want to, but they have to in order to protect the people.
Researchers at Bluebox Security have discovered a vulnerability in the Android core that has been present since version 1.6 (Donut). This means almost all Android devices are vulnerable; the numbers are huge, about a billion devices. Apparently Samsung knew about this, and its flagship, the Galaxy S4, is already patched and safe from this vulnerability. Bluebox will reveal details of the security hole at the Black Hat USA conference. To understand how serious this vulnerability is: an attacker can modify any application without breaking its cryptographic signature.
Security researcher fin1te found a way to gain access to any Facebook account by sending a single SMS. This is how secure you are: one SMS away from someone hacking into your account. Facebook, like many other websites, has added a new layer of protection: you add your phone number and can use it to verify access to your account or to recover a lost password. Every new feature comes with a few vulnerabilities. For this process you fill in a form and submit it to their servers for processing. The two main parameters of that form are the verification code and the user id. If you edit the form, replace your id with the victim’s id and enter the verification code Facebook sent you, your number gets linked to the victim’s account. From there you can figure out the rest: visit the forgot-password page and access the victim’s account.
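The SMS flaw above and the photo-deletion flaw earlier are the same class of bug: the server trusts an account id sent in the form instead of tying the action to the account that actually requested it. The following is an added example, not Facebook’s code, showing a toy phone-verification handler written the vulnerable way and the fixed way; all names (`issue_code`, `link_phone_vulnerable`, `link_phone_fixed`, the in-memory store) are hypothetical.

```python
import secrets

# Constructed in-memory store: verification code -> account id that requested it.
# A real service would keep this in a database with an expiry on each row.
_pending_codes: dict[str, str] = {}


def issue_code(account_id: str) -> str:
    """Send-time step: mint a 6-digit code and record which account asked for it."""
    code = f"{secrets.randbelow(10**6):06d}"
    _pending_codes[code] = account_id
    return code


def link_phone_vulnerable(form: dict, accounts: dict) -> bool:
    """The pattern described in the post: the server checks that the code exists,
    then trusts the user_id field of the form to decide which account to modify.
    Anyone holding a valid code for their own number can attach that number
    to somebody else's account just by editing user_id."""
    code = form["code"]
    if code not in _pending_codes:
        return False
    accounts[form["user_id"]]["phone"] = form["phone"]
    del _pending_codes[code]
    return True


def link_phone_fixed(form: dict, session_user: str, accounts: dict) -> bool:
    """Hardened form: the target account is taken from the authenticated session,
    and the code must have been issued to that same account. The form's user_id
    field is ignored entirely, so tampering with it changes nothing."""
    code = form["code"]
    owner = _pending_codes.get(code)
    if owner is None or owner != session_user:
        return False  # unknown code, or a code issued for a different account
    accounts[session_user]["phone"] = form["phone"]
    del _pending_codes[code]
    return True
```

The same rule applies to the photo removal request: the object being acted on must be looked up through the authenticated user, never through ids the client is free to edit.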
Microsoft is offering its highest bounty to hackers and security experts who find vulnerabilities and exploits in its new Windows 8.1, a major update to Microsoft’s latest operating system. Valid submissions of serious vulnerabilities that also come with ideas for defending Windows can earn the BlueHat bonus of $50,000, but those are very hard to find. It is clear that Microsoft is very serious about security; they also give up to $11,000 for the Internet Explorer 11 preview in the Windows 8.1 preview. Preview means it is a beta version that is not yet finalized for release. Microsoft is the first company to offer a bounty for hacking software in beta, and it is doing so to ensure that the stable release will be as secure as possible.