hack ▪ April 21

The buggy code highlighted by arsTechnica

The buggy code highlighted by arsTechnica

A bug in the way that 1,500 iOS apps establish secure connections to servers leaves them vulnerable to man-in-the-middle attacks, according to analytics company SourceDNA (via arsTechnica). The bug means anyone intercepting data from an iPhone or iPad could access logins and other sensitive information sent using the HTTPS protocol.

A man-in-the-middle attack allows a fake WiFi hotspot to intercept data from devices connecting to it. Usually, this wouldn’t work with secure connections, as the fake hotspot wouldn’t have the correct security certificate. However, the bug discovered by SourceDNA means that the vulnerable apps fail to check the certificate …  expand full story

hack ▪ March 18

hack ▪ March 4

freak

Cryptographers have discovered that a security flaw dating back to the ’90s is placing OS X, iOS and Android users at risk from hacking attacks when visiting some major websites, including American Express, Airtel, Bloomberg, Business Insider, Groupon, Marriott and many more.

The FREAK exploit allows an attacker to force a website to use lower-grade encryption for HTTPS connections, which can be cracked within a few hours when using a small botnet of just 75 computers. Once cracked, attackers would be able to hack the website as well as steal personal data from those visiting the site …  expand full story

hack ▪ February 22

hack ▪ January 2

Screen Shot 2015-01-02 at 14.13.12

 

Update: We are now receiving reports that the vulnerability has been patched. People trying to use the tool are apparently now being correctly locked out from repeated password attempts.

A new tool submitted to GitHub claims to be able to perform password dictionary attacks on any iCloud account, seemingly able to evade detection from Apple’s rate-limiting security that is supposed to prevent such dictionary attacks from happening. In September, Apple reported it had closed one such hole that allowed brute-force attacks to occur.

The sourcecode for the tool has been released onto GitHub. Upon inspection, the tool is really rather crude in its complexity. It simply tries every possible word in its 500-long word-list as the password for a given iCloud account email. This means whilst it will succeed “100%” at trying 500 times over, the tool is by no means guaranteed to succeed at cracking your password.

expand full story

hack ▪ December 30, 2014

firmware

A security researcher speaking at the Chaos Computer Congress in Hamburg demonstrated a hack that rewrites an Intel Mac’s firmware using a Thunderbolt device with attack code in an option ROM. Known as Thunderstrike, the proof of concept presented by Trammel Hudson infects the Apple Extensible Firmware Interface (EFI) in a way he claims cannot be detected, nor removed by reinstalling OS X.

Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the harddrive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.

Apple has already implemented an intended fix in the latest Mac mini and iMac with Retina display, which Hudson says will soon be available for other Macs, but appears at this stage to provide only partial protection…  expand full story

Submit a Tip

cancel

Submitting a tip constitutes permission to publish and syndicate. Please view our tips policy or see all contact options.

Powered by WordPress.com VIP