We want to sit down with you and, in an open conversation, find out which challenges and questions you are facing, so that together we can arrive at the best solution. In other words: how can technology support you, rather than you having to support the technology.

Two security researchers have been crowned the top hackers in this year’s Pwn2Own hacking contest after developing and testing several high profile exploits, including an attack against an Amazon Echo.

Amat Cama and Richard Zhu, who make up Team Fluoroacetate, scored $60,000 in bug bounties for their integer overflow exploit against the latest Amazon Echo Show 5, an Alexa-powered smart display.

The researchers found that the device uses an older version of Chromium, Google’s open-source browser project, which had been forked some time during its development. The bug allowed them to take “full control” of the device if it was connected to a malicious Wi-Fi hotspot, said Brian Gorenc, director of Trend Micro’s Zero Day Initiative, which put on the Pwn2Own contest.

The researchers tested their exploits in a radio-frequency shielding enclosure to prevent any outside interference.

“This patch gap was a common factor in many of the IoT devices compromised during the contest,” Gorenc told TechCrunch.

Amat Cama (left) and Richard Zhu (right), who make up Team Fluoroacetate. (Image: ZDI)

An integer overflow bug happens when an arithmetic operation produces a value too large for the fixed-width integer that is meant to hold it, so the stored value wraps around instead of growing. When that wrapped value is later used as a buffer size or an index, memory can be allocated too small or accessed out of bounds, which is why such bugs have security implications for the device.
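To make the failure mode concrete, here is an added example in C (not code from the article or from the contest entry): an allocation-size computation that wraps around silently, next to the overflow check that rejects it, plus the same pattern for a 32-bit signed counter. All function names and the sample sizes are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A buffer for `count` records of `elem_size` bytes needs count * elem_size
 * bytes. In a fixed-width type that product can wrap around to a small
 * number, so the buffer ends up far too small for the data copied into it
 * later. */

/* Unchecked: silently wraps around when the product does not fit. */
size_t unchecked_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Checked: refuses the request when the product cannot fit in size_t.
 * Returns 0 and stores the size in *out, or -1 on overflow. */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;                      /* would wrap: reject */
    *out = count * elem_size;
    return 0;
}

/* Allocate a zeroed record buffer only when the size is sound; returns
 * NULL (never a too-small buffer) on overflow or allocation failure. */
void *alloc_records(size_t count, size_t elem_size) {
    size_t bytes;
    if (checked_alloc_size(count, elem_size, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

/* Same pattern for a 32-bit signed counter. The sum is computed in
 * uint32_t, where wrap-around is defined, so the sample itself is free of
 * undefined behaviour while still showing the wrapped result. */
int32_t add_wrapping_i32(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Overflow-checked signed addition: returns -1 instead of wrapping. */
int add_checked_i32(int32_t a, int32_t b, int32_t *out) {
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return -1;
    *out = a + b;
    return 0;
}

int main(void) {
    /* Constructed input: one more record than fits, times 4 bytes each. */
    size_t count = SIZE_MAX / 4 + 2, checked = 0;
    printf("unchecked size: %zu bytes\n", unchecked_alloc_size(count, 4));
    printf("checked result: %d\n", checked_alloc_size(count, 4, &checked));
    printf("INT32_MAX + 1 wraps to %d\n", add_wrapping_i32(INT32_MAX, 1));
    return 0;
}
```

The unchecked path asks `calloc`-style code for just 4 bytes while the caller believes it has room for billions of records; the checked path turns the same request into an error the caller can handle. Compiler flags such as `-ftrapv` or sanitizers catch the signed case at runtime, but the size_t check has to be written explicitly because unsigned wrap-around is well-defined and therefore never reported.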

When reached, Amazon said it was “investigating this research and will be taking appropriate steps to protect our devices based on our investigation,” but did not say what measures it would take to fix the vulnerabilities — or when.

The Echo wasn’t the only internet-connected device at the show. Earlier this year the contest said hackers would have an opportunity to hack into a Facebook Portal, the social media giant’s video calling-enabled smart display. The hackers, however, could not exploit the Portal.


TechCrunch

Security researchers at Google say they’ve found a number of malicious websites which, when visited, could quietly hack into a victim’s iPhone by exploiting a set of previously undisclosed software flaws.

Google’s Project Zero said in a deep-dive blog post published late on Thursday that the websites were visited thousands of times per week by unsuspecting victims, in what they described as an “indiscriminate” attack.

“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a security researcher at Project Zero.

He said the websites had been hacking iPhones over a “period of at least two years.”

The researchers found five distinct exploit chains involving 12 separate security flaws, including seven involving Safari, the in-built web browser on iPhones. The five separate attack chains allowed an attacker to gain “root” access to the device — the highest level of access and privilege on an iPhone. In doing so, an attacker could gain access to the device’s full range of features normally off-limits to the user. That means an attacker could quietly install malicious apps to spy on an iPhone owner without their knowledge or consent.

Google said that, based on its analysis, the vulnerabilities were used to steal a user’s photos and messages as well as track their location in near real time. The “implant” could also access the user’s on-device store of saved passwords.

The vulnerabilities affect iOS 10 through to the current iOS 12 software version.

Google privately disclosed the vulnerabilities in February, giving Apple only a week to fix the flaws and roll out updates to its users. That’s a fraction of the 90 days typically given to software developers, giving an indication of the severity of the vulnerabilities.

Apple issued a fix six days later with iOS 12.1.4 for iPhone 5s and iPad Air and later.

Beer said it’s possible other hacking campaigns are currently in action.

The iPhone and iPad maker in general has a good rap on security and privacy matters. Recently the company increased its maximum bug bounty payout to $1 million for security researchers who find flaws that can silently target an iPhone and gain root-level privileges without any user interaction. Under Apple’s new bounty rules — set to go into effect later this year — Google would’ve been eligible for several million dollars in bounties.

When reached, a spokesperson for Apple declined to comment.


TechCrunch

It’s perhaps not for nothing that The Great Hack – the new Netflix documentary about the connections between Cambridge Analytica, the US election and Brexit, out on July 23 – opens with a scene from Burning Man. There, Brittany Kaiser, a former employee of Cambridge Analytica, scrawls the name of the company onto a strut of ‘the temple’ that will eventually get burned in that fiery annual ritual. It’s an apt opening.

There are probably many of us who’d wish quite a lot of the last couple of years could be thrown into that temple fire, but this documentary is the first I’ve seen to expertly unpick what has become the real-world dumpster fire that is social media, dark advertising and global politics which have all become inextricably, and, often fatally, combined.

The documentary is also the first that you could plausibly recommend those of your relatives and friends who don’t work in tech, as it explains how social media – specifically Facebook – is now manipulating our lives and society, whether we like it or not.

As New York Professor David Carroll puts it at the beginning, Facebook gives “any buyer direct access to my emotional pulse” – and that included political campaigns during the Brexit referendum and the Trump election. Privacy campaigner Carroll is pivotal to the film’s story of how our data is being manipulated and essentially kept from us by Facebook.

The UK’s referendum decision to leave the European Union, in fact, became “the petri dish” for a Cambridge Analytica experiment, says Guardian journalist Carole Cadwalladr. She broke the story of how the political consultancy, led by Eton-educated CEO Alexander Nix, applied techniques normally used by ‘psyops’ operatives in Afghanistan to the democratic operations of the US and UK, and many other countries, over a chilling 20+ year history. Watching this film, you literally start to wonder if history has been warped towards a sickening dystopia.


The petri-dish of Brexit worked. Millions of adverts, explains the documentary, targeted individuals, exploiting fear and anger, to switch them from ‘persuadables’, as CA called them, into passionate advocates for, first Brexit in the UK, and then Trump later on.

Switching to the US, the filmmakers show how CA worked directly with Trump’s “Project Alamo” campaign, spending a million dollars a day on Facebook ads ahead of the 2016 election.

The film expertly explains the timeline of how CA had first worked off Ted Cruz’s campaign, and nearly propelled that lack-luster candidate into first place in the Republican nominations. It was then that the Trump campaign picked up on CA’s military-like operation.

After loading up the psychographic survey information CA had obtained from Aleksandr Kogan, the Cambridge University academic who orchestrated the harvesting of Facebook data, the world had become their oyster. Or, perhaps more accurately, their oyster farm.

Back in London, Cadwalladr notices triumphant Brexit campaigners fraternizing with Trump and starts digging. There is a thread connecting them to Breitbart owner Steve Bannon. There is a thread connecting them to Cambridge Analytica. She tugs on those threads and, like that iconic scene in ‘The Hurt Locker’ where all the threads pull-up unexploded mines, she starts to realize that Cambridge Analytica links them all. She needs a source though. That came in the form of former employee Chris Wylie, a brave young man who was able to unravel many of the CA threads.

But the film’s attention is often drawn back to Kaiser, who had worked first on US political campaigns and then on Brexit for CA. She had been drawn to the company by smooth-talking CEO Nix, who begged: “Let me get you drunk and steal all of your secrets.”

But was she a real whistleblower? Or was she trying to cover her tracks? How could someone who’d worked on the Obama campaign switch to Trump? Was she a victim of Cambridge Analytica, or one of its villains?

British political analyst Paul Hilder manages to get her to come to the UK to testify before a parliamentary inquiry. There is high drama as her part in the story unfolds.

Kaiser appears in various guises which vary from idealistically naive to stupid, from knowing to manipulative. It’s almost impossible to know which. But hearing about her revelation as to why she made the choices she did… well, it’s an eye-opener.


Both she and Wylie have complex stories in this tale, where not everything seems to be as it is, reflecting our new world, where truth is increasingly hard to determine.

Other characters come and go in this story. Zuckerberg makes an appearance in Congress and we learn of the casual relationship Facebook had to its complicity in these political earthquakes. Although if you’re reading TechCrunch, then you will probably know at least part of this story.

Created for Netflix by Jehane Noujaim and Karim Amer, these Egyptian-Americans made “The Square”, about the Egyptian revolution of 2011. To them, the way Cambridge Analytica applied its methods to online campaigning was just as much a revolution as Egyptians toppling a dictator from Cairo’s iconic Tahrir Square.

For them, the huge irony is that “psyops”, or psychological operations used on Muslim populations in Iraq and Afghanistan after the 9/11 terrorist attacks ended up being used to influence Western elections.

Cadwalladr stands head and shoulders above all as a bastion of dogged journalism, even as she is attacked from all quarters, and still is to this day.

What you won’t find out from this film is what happens next. For many, questions remain on the table: What will happen now Facebook is entering Cryptocurrency? Will that mean it could be used for dark election campaigning? Will people be paid for their votes next time, not just in Likes? Kaiser has a bitcoin logo on the back of her phone. Is that connected? The film doesn’t comment.

But it certainly unfolds like a slow-motion car crash, where democracy is the car and you’re inside it.


TechCrunch

How Antivirus Software Can Be Turned Into a Tool for Spying

New York Times

It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool. Security software r …

Read more …

Security researchers hack Tesla S

Security researchers have hacked the Tesla S. This car has an intelligent navigation system and autopilot software through which all kinds of interactive services are provided. Through the hack, among other things, the windows could be lowered remotely, the brakes applied and the engine switched off.

For the hack, the researchers first had to gain access to the electric car’s computer with a cable and a laptop. Through a hack of the entertainment system, a car travelling slower than eight kilometres per hour could be brought to an abrupt stop. At higher speeds the car came to a stop gradually.

The hack. …

Read more …

Password manager LastPass victim of hack

LastPass CEO Joe Siegrist acknowledges the hack in a blog post and assures users that the company’s lines of defence are sufficient to protect ‘the majority’ of users …

Read more …

According to the website Greatfire.org, China is targeting owners of an iPhone 6. A large group of state-paid hackers is said to be already tapping all traffic between the iPhone 6 and iCloud. China denies this.

Greatfire.org has discovered a so-called man-in-the-middle attack, in which a fake website is placed between the real iCloud server and the users’ smartphones. The users believe they are dealing with the real iCloud and therefore type in their password. In this way the operator of the fake website obtains all the access credentials.

It is not true

According to Greatfire.org, this is a method the Chinese government has used before. A spokesperson for the Chinese government, however, denies this in the strongest terms. Only last week Tim Cook was so pleased that the iPhone 6 was finally on sale in China, but now the mood is somewhat different.

Only Apple

According to Greatfire’s analysts, the attack now taking place is aimed exclusively at owners of an iPhone 6. A warning has since been issued, but …

Read more
