Hole
Latest
T-Mobile website bug let hackers steal data with a phone number
Up until last week, a T-Mobile website had a serious security hole that let hackers access user's email addresses, accounts and a phone's IMSI network code, according to a report from Motherboard. Attackers only needed your phone number to obtain the information, which could be used in social engineering attacks to commandeer your line, or worse.
'Cards Against Humanity' hole is a crowdfunding metaphor (updated)
The Cards Against Humanity crew is no stranger to backing projects that are alternately very helpful and utterly pointless, and its latest is squarely in the latter camp. It's crowdfunding the Holiday Hole, which is... a hole in the ground. That's it. So long as the money keeps flowing, machines will keep digging into a nondescript patch of terrain. A basic $5 donation will buy 3 seconds of dig time, but you can contribute whatever you like. CAH is even livestreaming the whole affair (with multiple camera angles!), in case you want to see where your donations are going.
Researchers find another terrifying iOS flaw
It can't have escaped your attention that security experts have declared open season on Apple products over the last few weeks. At San Francisco's RSA conference, an even more terrifying exploit has been revealed that has the power to send your iPhone or iPad into a perpetual restart loop. Mobile security firm Skycure has discovered that iOS 8 has an innate vulnerability to SSL certificates that, when combined with another WiFi exploit, gives malicious types the ability to create "no iOS zones" that can render your smartphones and tablets unusable. Before you read on, grab a roll of tinfoil and start making a new case for your iPhone.
Some Android phones fail to enforce permissions, exposed to unauthorized app access
Eight Android phones, including the Motorola Droid X and Samsung Epic 4G, were found to house major permission flaws according to a research team at North Carolina State University. Their study revealed untrusted applications could send SMS messages, record conversations and execute other potentially malicious actions without user consent. Eleven of the thirteen areas analyzed (includes geo-location and access to address books) showed privileges were exposed by pre-loaded applications. Interestingly, Nexus devices were less vulnerable, suggesting that the other phone manufacturers may have failed to properly implement Android's security permissions model. Google and Motorola confirm the present flaws while HTC and Samsung remain silent. Exerting caution when installing applications should keep users on their toes until fixes arrive. [Thanks, John]
Researchers increase charging capacity, speed of lithium ion batteries by a factor of ten
It's not every day that we get to write about advancements in battery technology -- much less one as potentially groundbreaking as what a group of engineers at Northwestern University claim to have pulled off. In fact, Professor Harold Kung and his team say they've successfully managed to increase both the charging capacity and speed of lithium ion batteries by a factor of ten. The key, according to Kung, is the movement of the lithium ions nestled between layers of graphene. The speed at which these ions move across a battery's graphene sheets is directly related to how fast a device can recharge. To speed up this process, Kung decided to poke millions of tiny, 10-20nm-sized holes into a mobile battery's graphene layers, thereby providing the ions with a "shortcut" to the next level. As a result, Kung's perforated batteries were able to charge ten times faster than traditional cells, going from zero to hero in 15 minutes. Not satisfied with that achievement alone, Kung and his squad then set about increasing their battery's charging capacity, as well. Here, they increased the density of lithium ions by inserting small clusters of silicon between each graphene slice. This approach allows more ions to gather at the electrode and, by taking advantage of graphene's malleable properties, avoids some of the silicon expansion problems that have plagued previous attempts at capacity enhancement. The result? A battery that can run on a single charge for more than a week. "Now we almost have the best of both worlds," Kung said. "We have much higher energy density because of the silicon, and the sandwiching reduces the capacity loss caused by the silicon expanding and contracting. Even if the silicon clusters break up, the silicon won't be lost." There is, however, a downside, as both charging capacity and speed sharply fell off after 150 charges. But as Kung points out, the increase in charge retention would more than make up for this shortcoming. "Even after 150 charges, which would be one year or more of operation, the battery is still five times more effective than lithium-ion batteries on the market today," he told the BBC. For more technical details, hit up the links below.
Apple to patch PDF vulnerability in iOS
Apple said it will issue a patch that will close a PDF hole in iOS. Though this security hole is well known by iOS owners, it made headlines recently when the German government issued a malware warning about this "critical weakness" in Apple's iOS operating system. As it has done in the past with other security issues, Apple will release an update in the coming weeks to close this hole. Those that jailbreak their iOS devices will want to avoid this update. The exploit that Apple will patch is the same one used by Comex in jailbreakme, an online jailbreak tool. Ironically, those that want to close this exploit now can do so using this jailbreak tool. Just jailbreak your iOS device and install a security patch from Cydia.
Skype for Android update adds US 3G calling, fixes personal data hole
Verizon Android users have had 3G Skype calling since this time last year, but the latest app release -- v1.0.0.983 for those of you keeping tabs -- brings 3G calling to the masses, without the need for a VZW-sanctioned app. The update also patches a rather significant security hole discovered last week, which could let third-party apps get hold of your personal information. We're glad to see that's no longer the case, and who's going to object to free calling as part of the deal as well? Make sure your phone's running Android 2.1 (2.2 for Galaxy S devices) and head on over to the Android Market to get updated.
Skype for Android vulnerable to hack that compromises personal info
If you didn't already have enough potential app privacy leaks to worry about, here's one more -- Android Police discovered that Skype's Android client leaves your personal data wide open to assault. The publication reports that the app has SQLite3 databases where all your info and chat logs are stored, and that Skype forgot to encrypt the files or enforce permissions, which seems to be a decision akin to leaving keys hanging out of the door. Basically, that means a rogue app could grab all your data and phone home -- an app much like Skypwned. That's a test program Android Police built to prove the vulnerability exists, and boy, oh boy does it work -- despite only asking for basic Android storage and phone permissions, it instantly displayed our full name, phone number, email addresses and a list of all our contacts without requiring so much as a username to figure it out. Android Police says Skype is investigating the issue now, but if you want to give the VoIP company an extra little push we're sure it couldn't hurt.
Google flips Android kill switch, destroys a batch of malicious apps (update)
When 21 rogue apps started siphoning off identifying information from Android phones and installing security holes, Google yanked the lot from Android Market, and called the authorities to boot. But what of the 50,000 copies already downloaded by unwitting users? That's what Google's dealing with this week, by utilizing Android's remote kill switch to delete them over the air. But that's not all, because this time the company isn't just removing offending packages, but also installing new code. The "Android Market Security Tool March 2011" will be remotely added to affected handsets to undo the exploit and keep it from sending your data out, as well as make you wonder just how much remote control Google has over our phones. Yes, we welcome our new Search Engine overlords and all that, so long as they've got our best interests at heart, but there's a certain irony in Google removing a backdoor exploit by using a backdoor of its own -- even one that (in this case) will email you to report what it's done. Update: TechCrunch says there were 58 malicious apps and 260,000 affected phones in total.
Charlie Miller to reveal 20 zero day security holes in Mac OS X
Say, Charles -- it's been awhile! But we're pleased as punch to see that you're back to your old ways, poking around within OS X's mainframe just looking for ways to remotely control the system, snag credit card data and download a few interoffice love letters that are carefully stashed 15 folders down within 'Documents.' The famed Apple security expert is planning yet another slam on OS X at CanSecWest, where he'll reveal no fewer than 20 zero day security holes within OS X. According to Miller, "OS X has a large attack surface consisting of open source components, closed source third-party components and closed source Apple components; bugs in any of these types of components can lead to remote compromise." He also goes on to reemphasize something he's been screaming for years: "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town." In other words, Apple users are "safer" (due to the lack of work that goes into hacking them), "but less secure." So, is this a weird way of applying for a security job in Cupertino, or what?
First electromagnetic 'black hole' built on earth, nobody raps about it
An electromagnetic black hole -- which sucks in the light surrounding it -- has been built at Southeast University in Nanjing, China for the first time. The device works like cosmological black holes in that it has gravity which is intense enough to bend the surrounding space-time, causing any matter in the neighborhood to spiral inward and create the hole itself. The earth-built 'black hole' for microwave frequencies is constructed of 60 annular strips of meta-materials (yes, that's the stuff of invisibility cloaks). Each strip is an intricately etched circuit board which seamlessly and smoothly connects to the strips next to it, creating both a shell and absorber section to the device. When an electromagnetic wave hits the device, it is trapped and guided through the shell region toward the core, where it is absorbed. The device, which was created by Tie Jun Cui and Qiang Cheng, converts that absorbed light into heat, meaning that future possible applications could include new ways of harvesting solar energy. Hit the read link for a fuller description of this truly bad dude.
Unofficial patch for Treo vulnerability loosed
If you've been a bit paranoid of late after hearing that a blatant security hole was found in the now-deceased Palm OS, help has unofficially arrived. Reportedly discovered by Symantec, the vulnerability entailed a hole that allowed the operating system's Find functionality to be accessed even when the device was set to Locked, allowing ill-willed hackers to sift through text message history, calendar entries, tasks, etc. The hole had been confirmed on the Treo 650, 680, and 700p, but now users of the handsets can rest a bit easier after applying this patch. As expected, the update simply disables the Find feature, which essentially closes off the last remaining security loophole and protects prying eyes from seeing that backlog of steamy Valentine's Day texts. So if you're looking to unofficially patch things up with your Palm, be sure to hit the read link and get that install completed, but we're not the ones to come crying to if something goes awry.[Via PalmInfoCenter]
