All in Security

Android TV bug gave users access to strangers' Google Photos | Engedget

“On a good day, Android TV, Google's Android OS for TVs, allows users to display photos from their Google Photos albums as screensavers. That's a nice perk -- when it doesn't potentially share your private photos with strangers. Over the weekend, a disturbed Android TV owner took to Twitter when he realized, through the Google Home app, he could access a massive list of random accounts, as well as photos they'd added to their Google Photos albums.” Engadget

NVIDIA GPUs weren't immune to Spectre security flaws either | Engadget

It's not just your processor and operating system that are affected by the Meltdown and Spectre memory vulnerabilities -- your graphics card is, too. To that end, NVIDIA has detailed how its GPUs are affected by the speculative execution attacks and has started releasing updated drivers that tackle the issue. All its GeForce, Quadro, NVS, Tesla and GRID chips appear to be safe from Meltdown (aka variant 3 of the attacks), but are definitely susceptible to at least one version of Spectre (variant 1) and "potentially affected" by the other (variant 2). The new software mitigates the first Spectre flaw, but NVIDIA is promising future mitigations as well as eventual updates to address the second.

Face ID anti-FUD: Why you shouldn't be worried about iPhone X unlock | iMore

An excellent article by Rene Ritchie of iMore, talking about unlocking the new iPhone X with Face ID and anti-FUD.

I must say I was nervous when TouchID first came out, and I'm getting that same fuzzy feeling again. I do hope they build in some 2nd factor authorization; it could be something as simple a checking to see if an Apple watch is on. But I've always planned for the worst while hoping for the best; it's just the way I'm wired. 

Hackers Can Silently Control Siri, Alexa & Other Voice Assistants Using Ultrasound | thehakersnews

A team of security researchers from China's Zhejiang University have discovered a clever way of activating your voice recognition systems without speaking a word by exploiting a security vulnerability that is apparently common across all major voice assistants.

Dubbed **DolphinAttack**, the attack technique works by feeding the AI assistants commands in ultrasonic frequencies, which are too high for humans to hear but are perfectly audible to the microphones on your smart devices.

Vulnerability Disclosed in Ubquiti Networks Admin Interface | Threatpost

This command injection flaw exposes the Ubiquiti admin interface to a number of risky attacks, SEC Consult said. For example, an attacker could connect to a vulnerable device by opening a port binding or reverse shell, and also change the password because the service runs as root. “The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website,” SEC Consult said in its advisory. “The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection.”

Hackers Threaten to Remotely Wipe 300 Million iPhones Unless Apple Pays Ransom | The Hacker News

It has been found that a mischievous group of hackers claiming to have access to over 300 million iCloud accounts is threatening Apple to remotely wipe data from those millions of Apple devices unless Apple pays it $75,000 in crypto-currency or $100,000 worth of iTunes gift cards. The hacking group, who identified themselves as 'Turkish Crime Family,' has demanded a ransom to be paid in Bitcoin or Ethereum, another popular crypto-currency.

Unpatchable 'DoubleAgent' Attack Can Hijack All Windows Versions — Even Your Antivirus! | The Hacker News

A team of security researchers from Cybellum, an Israeli zero-day prevention firm, has discovered a new Windows vulnerability that could allow hackers to take full control of your computer. Dubbed DoubleAgent, the new injecting code technique works on all versions of Microsoft Windows operating systems, starting from Windows XP to the latest release of Windows 10. What's worse? DoubleAgent exploits a 15-years-old undocumented legitimate feature of Windows called "Application Verifier," which cannot be patched.

Trump signs executive order stripping non-citizens of privacy rights

Andrew Tarantola said it well in TechCrunch's artilce "Enforcing privacy policies that specifically "exclude persons who are not United States citizens or lawful permanent residents," while aimed at enhancing domestic immigration laws, effectively invalidates America's part of the Data Shield agreement, opens the current administration up to sanctions by the EU and could lead our allies across the Atlantic to suspend the agreement outright."

Over 27,000 MongoDB Databases Held For Ransom Within A Week | thehackernews

Are you running a MongoDB or know someone that is?  It may be time to make sure it's patched and configured correctly. Last Monday a security researcher identified nearly 200 instances of MongoDB installations that have been erased and held for ransom, asking victims to pay hefty ransoms for the data to be restored. By Tuesday, this number reached approximately 2,000 databases and by Friday this count reached 10,500.

Apple iOS v10.1.1 - iCloud & Device Lock Activation Bypass via local Buffer Overflow Vulnerability - YouTube

There are claims by two anonymous researchers in which they found a way to bypass the activation lock feature in iOS. I have not personally tried this yet, but plan to and will report back at that time. However, it's important to know in the meantime. 

Their attack focuses on buffer overload. One of the few things allowed from the activation lock screen is connecting to a Wi-Fi network. It's said that by crashing the service that enforces the lock screen by entering very long strings of characters in the WPA2-Enterprise username and password fields and in time freezing. He then proceeded to use an Apple smart cover to put the device to sleep and reopen after a few seconds later the Wifi screen crashes to the home screen bypassing the activation lock.

IBM opens new Cambridge, MA security headquarters with massive cyber range | TechCrunch

IBM today opened its new security headquarters in Kendall Square in Cambridge, MA, with what the company is calling the first commercial cyber range.

A cyber range is a networked environment used for security testing. It's more common amongst military or military contractors. IBM's Setup has been named X-Force Command. It is a massive setup consisting of 36 operators stations providing realistic simulations of a cyber crisis.

I Geek out just a bit on this stuff.