Are Passwords Immortal? – Security Now 690

Pwn2Own, the Future of Passwords.
— All the action at last week’s Pwn2Own Mobile hacking contest
— The final word on processor mis-design in the Meltdown/Spectre era
— A workable solution for unsupported Intel firmware upgrades for hostile environments
— A forthcoming Firefox breach alert feature
— The expected takeover of exposed Docker-offering servers
— The recently announced successor to the recently ratified HTTP/2
— errata
— The future of passwords: a thoughtful article written by Troy Hunt, the creator of the popular “Have I Been Pwned” web service

Hosts: Steve Gibson, Leo Laporte

Updates for Spectre and Meltdown

Jason Howell and Megan Morrone talk to Ed Bott from the Ed Bott Report on ZDNet about what every Windows Admin needs to know about Spectre and Meltdown and four steps to keeping a level head during this vulnerability and the next. Plus, what might have happened if the update had been able to come out on Microsoft’s Patch Tuesday as planned, instead of being rushed because of the embargo breach.

This Week in Tech 648: Distracted by the Robots

The best explanation for the Meltdown and Spectre computer flaws comes from a comic strip. Apple eats crow over slowing iPhones. Magic Leap might not be vaporware after all – will this lead to the death of smartphones? CES 2018 predictions. Prediction #1: no Ajit Pai. SWATting death: who is to blame? Border agents phone searches are way up just as new rules limiting searches are drafted. Please stop giving this man money: Juicero founder now hawking bacteria-filled “raw water.”

This Week in Tech 625: Walking to the Bodega

Apple pays $506 million and €1.7 billion for patent infringements. Trump says that Apple will build 3 big plants in the US; Apple declines to comment. Apple kills the iPod Nano and Shuffle. Coders aren’t happy about the new spaceship campus. Amazon, Alphabet, and Twitter stocks slide after earnings reports, but Facebook is flying high. Your Roomba is NOT spying on you. Sweden leaks private info of all its citizens. Hackers crack safes, pwn voting machines, and inject code into mice at DEF CON. Flash is finally dying – in 2020. Everything you ever wanted to know about the upcoming Bitcoin split but were afraid to ask.

–Alex “Will” Wilhelm sleeps in Leo’s parents’ bedroom.
–Mike Murphy was NOT bought by Steve Jobs’ widow this week.
–Steve Kovach can see the Empire State Building right now.

This Week in Tech 614: $46 at the Piggly Wiggly

The WannaCry ransomware attack is far from over. Amazon introduces the Echo Show – will the touchscreen voice assistant/videophone flop? Microsoft announces their own voice assistant, the Cortana Speaker. The US plans to ban laptops on flights from Europe. Comcast and Charter agree not to compete on wireless. Russian hackers pwned by the French presidential campaign.

–Christina Warren needs friends in Seattle.
–Father Robert Ballecer just got back from Malta.
–Roberto Baldwin got hung up on by AT&T customer service.
–Alex Wilhelm’s name will not set off your Amazon Voice Assistant.

Surprise: Adobe’s Flash is a favorite hacking target by far | PCWorld

Adobe Systems’ Flash plugin gets no love from anyone in the security field these days. A new study released Monday shows just how much it is favored by cybercriminals to sneak their malware onto computers. It looked at more than 100 exploit kits, which are frameworks planted in Web pages that automatically probe for software vulnerabilities when a user browses to a page. Those who develop exploit kits are often hired by others to help distribute specific kinds of malware.

Of the top 10 vulnerabilities found in the exploit kits, eight of them were targeted at Adobe’s Flash plugin, used on millions of computers to play multimedia content, according to Recorded Future, a cybersecurity intelligence firm based in Somerville, Massachusetts.

To arrive at its conclusions, Recorded Future looked at software vulnerabilities known to be used in popular exploit kits such as Angler, Neutrino and Nuclear Pack as well as in cybercrime forums between January and September.

Echoing the conclusion of many other security experts, Recorded Future said the findings call “into question Flash’s place in a secure operating environment.”

“While the role of Adobe Flash vulnerabilities as a regular in-road for criminals and malware should come as no surprise to information security professionals, the scale is significant,” the report said.

Adobe has been working for years to make Flash more secure through code reviews, but it has proven to be a mighty task for an application that’s nearly two decades old.

Monthly patches are almost always released by Adobe, and emergency patches come out for zero-day flaws that cybercriminals are actively using.

Apple founder Steve Jobs famously forbade the iPhone from running Flash. This year, other companies have taken steps to reduce the risk of zero-day Flash flaws.

Facebook’s CSO, Alex Stamos, wrote on Twitter in July that it’s “time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”

In September, Google stopped automatically playing some extraneous Flash content on Web pages. The move was aimed at improving performance in the Chrome browser, but it also has security benefits.

Perhaps the most humorous campaign against the application is the “Occupy Flash” movement. The group advocates moving everything to HTML5, the latest specification of the Web’s vernacular that has a host of multimedia capabilities.

Occupy Flash’s manifesto reads in part: “Its time has passed. It’s buggy. It crashes a lot. It’s a fossil, left over from the era of closed standards and unilateral corporate control of web technology.”

Researcher shows how it could take hackers just 10 seconds to wirelessly upload malware to a FitBit

In recent times, hackers have been discovering ways to exploit wireless systems in a number of devices, from vehicle infotainment centers to self-aiming sniper rifles. It now seems another gadget may be added to this list, as Fortinet researcher Axelle Apvrille has revealed that fitness-tracking wristband FitBit, which has sold more than 20 million devices worldwide, can theoretically be hacked in just ten seconds and used to spread malware to any computer it syncs with.

According to The Register, an attack on a FitBit via Bluetooth would only require an attacker to be a few feet from a target for around ten seconds after the devices connect. Any computer that later connects with the wearable can be infected with a backdoor, trojan, or some other form of malware used by the hacker.

An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near. [When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile […] the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).

Apvrille will be presenting a proof-of-concept demonstration video at the Hack.Lu conference taking place in Luxembourg today. “The video demonstrates that the infection persists over multiple messages,” she says. “Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code.”

FitBit has apparently been aware of the problem since March, when Apvrille contacted the company about it. FitBit says it believes the vulnerability, which is the first instance of a fitness wearable shown to be potentially hackable, is a low-severity issue and unrelated to malicious software. The researcher has pointed out that the attack is a proof of concept and not something that’s in the wild.

This isn’t the first instance of FitBit making headlines due to security failings. In 2011, blogger Andy Baio tweeted that Fitbit fitness band users’ sexual activity was showing up in Google search results by accident, revealing whether they had engaged in “vigorous” or “passive and light” efforts.

Jeep hacking raises fears over vehicle vulnerabilities

Hackers have been demonstrating for years that vehicles are just as susceptible to hacking as any other electronic gadget yet it wasn’t until the recent hack of a Jeep Cherokee’s infotainment system and Chrysler’s subsequent recall that people started to take notice.

According to Kelley Blue Book’s recent Vehicle Hacking Vulnerability Survey, 72 percent of respondents said they were aware of the Jeep hack in question while 41 percent said the incident will be of consideration when buying or leasing their next vehicle.

But just how big of a problem could vehicle hacking pose?

The survey found that a third of those questioned see vehicle hacking as a serious problem, while 78 percent believe it will be a frequent problem over the next three years. Much like PC hacking, most believe vehicle vulnerabilities will become a permanent fixture moving forward, with an overwhelming majority – 81 percent – citing vehicle manufacturers as most responsible for securing a vehicle from hacking.

Given the recent Chrysler recall, it’s little surprise that those surveyed felt the automaker’s vehicles were most susceptible to hacking (70 percent). General Motors was ranked as the second most susceptible in the eyes of survey-takers at 47 percent followed by Ford with 30 percent.

Karl Brauer, senior analyst for Kelley Blue Book, said cyber-security is still a relatively new area of specialization for automakers but it’s one they need to take seriously to ensure they are ahead of the curve.

via Jeep hacking raises fears over vehicle vulnerabilities – TechSpot.

A public marketplace for hackers—what could possibly go wrong?

Last November, Charles Tendell quietly launched a website called Hacker’s List. Its name was literal. In this online marketplace, white-hat security experts could sell their services in bite-size engagements to people with cyber-problems beyond their grasp.

“Hacker’s List is meant to connect consumers who have online issues to hackers or professionals out there who have the skills to service them,” Tendell told Ars. “Consumers get bullied online, they lose personal information, they have things stolen from them, they get locked out of things, and they have people post negative things or post personal information. They didn’t have a place to go to be able to get help and make sure they’re getting the right price or the best person for a particular job. That’s what Hacker’s List is for.”

The idea seemed clever enough. Soon after launch, The New York Times found the site and brought a stampede of traffic that initially caused it to go down under the strain. In the six months or so since, Hacker’s List has been running without technical hitches. (The site is also utilizing CloudFlare’s content delivery network nowadays.)

However, controversy has crept in to fill the void left by backend hiccups. It’s true that Hacker’s List’s purpose remains showing the general population that “not all hackers are evil,” as Tendell puts it. His intentions for the site also continue to be noble. But many of the project requests being posted to the site show the message isn’t getting through as the marketplace scales. If anything, it seems that those who now flock to Hacker’s List have largely been people looking for evil hackers to hire. And the site is constantly looking for ways to keep up.

Goldilocks filtering

Whether good or bad, all the attention Hacker’s List has drawn since launch hasn’t hurt Tendell. The founder and CEO of Denver-based Azorian Cyber Security is now also the co-host of a syndicated tech radio show and a frequent go-to cyber-expert for local and national news broadcasts. Tendell insists that Hacker’s List is a separate entity from his business, but he admits that “being on the front page of a lot of things has increased Azorian’s footprint and business.” In fact, the international press coverage may be Hacker’s List’s biggest upside—because it’s not clear how many actual business transactions happen through the site.

According to data on the site itself, only a handful of the enrolled hackers have made any money through Hacker’s List since its November 2014 launch. For most, their earnings listed have been just a few hundred dollars. While there are more than 3,000 “hacker” accounts registered—some representing security firms, others registered to individuals—there’s no way to know how many are active. Some early adopters of the site who spoke with Ars quickly abandoned it as a source of projects when they saw the sorts of requests that started to come in.

Logistically, Hacker’s List acts as a sort of reverse-eBay: customers post projects, then “hackers” bid on them. The customer selects someone for the job based on bids, and—if the project passes as legitimate with Tendell’s team—the site acts as an intermediary. It holds the customer’s payment until a project is done and they have approved the work. This escrow period also assures the person doing the work that the money is actually there. Afterwards, customers can rate the “hacker” based on their performance and write comments that appear on user profiles.

In theory, this checks and balances system is the same mechanism that keeps other user-generated economies, from AirBnB to Uber, honest. But a quick survey of the kinds of requests made on Hacker’s List recently looks a lot less like someone trying to buy a used cell phone and a lot more like someone trying to hire a hit-man:

Read More: A public marketplace for hackers—what could possibly go wrong? | Ars Technica.