All GSM phones, such as those that run on T-Mobile and AT&T in the United States, are vulnerable to a major security flaw that could allow hackers to send text messages or place phone calls remotely using a new security flaw, one hacker said recently. Speaking to Reuters ahead of a hacking convention in Berlin, Karsten Nohl, the head of Germany’s Security Research Labs, said the attack could be initiated on a large scale, too. ”We can do it to hundreds of thousands of phones in a short timeframe,” Nohl explained. “None of the networks protects users very well.” Nohl didn’t provide details on how hackers could take advantage of the flaw, although Reuters said it’s likely that those attending the conference will try to recreate it themselves. Nohl also explained that carriers can easily patch the security hole and that some simply need to update their software. “Mobile network is by far the weakest part of the mobile ecosystem, even when compared to a lot attacked Android or iOS devices,” Nohl said, noting that Germany’s T-Mobile and France’s SFR wireless carriers are the most secure against hackers.

Read

Microsoft employee Ben Rudolph recently tweeted that any Android phone owner who has a device infected with malware can tweet his or her story with the hashtag #windowsphone upgrade for a chance to win a free Windows Phone. That sounds like an attractive promotion, especially given Microsoft’s fresh batch of powerful and solid Windows Phone 7.5 (Mango) devices. Google has reportedly pulled more than 100 malware applications from the Android Market but Microsoft isn’t exactly an anti-malware poster boy itself. In fact, earlier on Tuesday WinRumors posted a story about a security flaw that allows a user to send a text message that automatically reboots any Windows Phone device and then renders the messaging client completely useless. Microsoft hasn’t yet responded to the report and WinRumors, rightly, didn’t explain exactly how the flaw works. A video of the Windows Phone flaw follows after the break.

Read [Ben Rudolph] Read [WinRumors]

A report was recently published by Android Police that suggests HTC’s Sense user interface has several major security flaws that provide HTC with access to SMS data, phone numbers, system logs, location information and much more. Worse, the flaw could potentially allow any third-party application to access the same private information without having permission from the user to do so. The security issue has been identified on the HTC ThunderBolt, EVO 4G and EVO 3D. “HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible,” HTC said in a statement. “We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.” HTC addressed a browser privacy issue in June and also commented on another report in early September which suggested the Sensation and EVO 3D were spying on users. HTC responded to the browser issue with a fix and said the “spying” allegations were a result of an HTC “opt-in” feature that allows HTC to collect data so that it can improve its phones. 

[Via Phone Scoop]

Read

Security blog Defense in Depth has found a glaring security flaw in OS X Lion that enables hackers to change the password of any user on a machine running Lion. “[While] non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Patrick Dunstan from Defense in Depth explained in a recent blog post. The result is that anyone could use a simple Python script, created by Dunstan himself, to discover a user’s password. It gets worse. Reportedly, OS X Lion does not require its users to enter a password to change the login credentials of the current user. That means typing the command: “dscl localhost -passwd /Search/Users/Roger” will actually prompt you to set a new password for Roger. As CNET points out, a hacker could only take advantage of the known bug if he or she has local access to the computer and Directory Service access. CNET suggests disabling automatic log-in, enabling sleep and screensaver passwords and disabling guest accounts as some preventative measures to keep your Mac secure.

[Via CNET]

Read

A security expert at Italian security firm AIR Sicurezza Informatica claims to have found a security flaw in Google’s new social network that allows hackers to potentially use Google+ servers to execute DDoS attacks. Simone Quatrini explained the flaw on the IHTeam Security Blog, and he wrote a script that can perform the attack, repeatedly prompting Google’s server to send requests to the target site. DDoS attacks, or distributed denial-of-service attacks, flood a web server with requests in an effort to prevent it from functioning. Such attacks require appropriate resources and bandwidth to execute, and Google servers would obviously have more than enough of these resources to launch a significant attack.

[Via The Hacker News]

Read

How’s this for an undocumented feature? Apple’s newer MacBook, MacBook Air and MacBook Pro notebooks have a security flaw that can allow hackers to remotely prevent the batteries from charging. Better yet, hackers can exploit the same flaw and remotely cause batteries to explode. Apple laptops’ new “smart” battery technology is intended to provide added control over power management, and it does just that. Unfortunately, it also gives hackers added control because the microcontroller chip that ships in recent Apple laptops can be accessed remotely using a default password shared by each and every notebook. Charlie Miller, the security expert who discovered the vulnerability, plans to showcase the flaw next month at the Black Hat security conference. There, Miller will show that he is able to access the battery controller remotely and cause it to refuse a charge, or even heat up until it catches fire and explodes. “These batteries just aren’t designed with the idea that people will mess with them,” Miller told Forbes last week. “What I’m showing is that it’s possible to use them to do something really bad.” Thankfully, the security expert also intends to showcase a fix for the flaw, which Apple will hopefully implement as soon as possible.

Read

Apple released iOS 4.3.4 on Friday in an effort to fix a security vulnerability that was present on both the iPhone and the iPad. The fix was supposed to prevent hackers from using a PDF security hole to jailbreak both devices. That didn’t quite work. The next day iPhone Dev Team was able to route around the security fix and issued a jailbreak tool for iOS 4.3.4. iPhone Dev Team has released the latest redsn0w jailbreak tool, but unfortunately it forces iOS 4.3.4 users to keep their iPhone or iPad tethered to their computer during sync and reboot. In other words, if you haven’t already updated to iOS 4.3.4 and want your iPhone or iPad to remain jailbroken, you’re going to be best off sticking with iOS 4.3.3 until another workaround is found.

[Via Mac Observer]

Read

Earlier today, we told you about a study conducted by Blaze Software comparing the native browser speeds in Apple’s iOS and Google’s Android. The results of over 45,000 tests were published, and the firm concluded that Android was roughly 52% faster than iOS in terms of browser performance. Not so fast, says Apple. In a statement to blog The Loop, an Apple spokesperson pointed out a perceived flaw in Blaze Software’s methodology. “Their testing is flawed because they didn’t actually test the Safari web browser on the iPhone,” wrote Apple’s spokesperson. “Instead they only tested their own proprietary app which uses an embedded web viewer that doesn’t take advantage of Safari’s web performance optimizations. Despite this fundamental testing flaw, they still only found an average of a second difference in loading web pages.” The UIWebView framework, which was used to run Blaze’s “proprietary app” in an “embedded web viewer,” does not leverage Apple’s Nitro JavaScript engine — the part of mobile Safari that Apple claims is nearly 2x faster than its predecessor. Tests that leverage the enhanced JavaScript engine would, according to Apple, have improved Safari’s performance. Blaze Software has yet to publicly comment on Apple’s rebuttal.

Read

Just a quick follow up to an article we posted last week. It looks like Apple’s iOS 4.2 gold master candidate, which was pushed out to developers last night, closes the security loop hole that allowed the iPhone’s lock screen to be bypassed from the “Emergency Call” function. We’ve been trying, unsuccessful, to replicate the issue with the latest iOS pre-release.

If you’re not a member of the developer community, and wondering when you can get your hands on iOS 4.2, know that iOS 4.1 GM was released to developers one week before it went live to the general public.

Blog 9to5Mac has picked up on an interesting bug in iOS 4.1, running on the iPhone, that will allow users to bypass the device’s lock screen and make phone calls. From a locked iPhone pressing the “Emergency Call” button, dialing a non-emergency number (such as “###”), then quickly pressing “Send” followed by the iPhone’s lock key will actually force the device into the “Phone” application. From there you can access favorites, contacts, the dial pad, recent calls, and voicemails. The “home” button remains inactive throughout the process, preventing users from jumping to the home screen, however… going to the “contacts” tab, selecting a contact, and clicking “Email” or “Share contact” will allow a bypasser to send emails and MMS messages.

The issue is reminiscent of a bug in Motorola’s BLUR interface that allows users to make calls using voice actions from a locked screen we told you about last week. We’ve passed the information on to Apple and, hopefully, a fix is included in the next software update. We have a short video demonstrating the bug after the break.

Read

A few months ago, Mozilla threw down the gauntlet by asking developers to find major security flaws in Firefox in return for a $3000 reward. Enter, Alex Miller from San Jose, who spotted a critical security flaw hidden away in the Firefox code. Alex spent 90 minutes every day for 10 days before he stumbled onto something and reported it to Firefox’s parent company. Security program manager at Firefox, Brandon Sterne, said: “Mozilla depends on contributors like these for our very, sort of, survival. Mozilla is a community mostly of volunteers. We really encourage people to get involved in the community. You don’t have to be a brilliant 12-year-old to do that”. Pretty impressive stuff. Hit the read link for the full article.

[Via CNET]  

Read

If you happen to be in your browser looking at twitter.com you may notice that the site is somewhat useless at the moment. Thanks to a JavaScript onMouseOver exploit, a nasty little bug is spreading through the micro-blogging site like wildfire. Simply mousing-over a carefully crafted tweet can redirect your browser to a website with malicious code or, in the case of Sarah Brown (wife of the former British Prime Minister), hardcore porn. The exploit is only affecting twitter.com when viewed in the browser and not third party clients like TweetDeck, Seesmic, or m.twitter.com. If you’re out there and tweeting, be careful.

UPDATE: Bob Lord, Twitter’s security chief, has put up an official blog post explaining exactly what happened this morning. You can read that article here. 

Read

In mid-July, Mozilla announced that it was upping its “bug bounty” from $500 to $3,000 for every critical, reproducible security flaw reported. Today, MacWorld is reporting that, “Between 10 percent and 15 percent of the serious security bugs reported since Mozilla launched its bug bounty program have been provided free of charge.” Mozilla spokesperson Johnathan Nightingale said: “A lot of people would say, ‘Don’t worry about it. Donate it to the EFF or just send me a T-shirt.” Now that is the open source type spirt that just warms the cockles of your heart, isn’t it?

Read

If you are a Mac user, and fancy Safari as your default internet browser, you are going to want to pay attention to this one. A bug found in Safari’s AutoFill feature can allow a malicious website to gather personal information from a users address book card — more specifically: first name, last name, work place, city, state, and email address. There is a published proof of concept exploit for the bug that can be found here. We suggest Safari users navigate to: Preferences > Auto-fill, and uncheck “Use info from my Address Book card” until Apple sorts this one out. Hit up the read link for more details.

Read

Potentially good news for HTC EVO 4G owners, as a circulating rumor suggests that HTC is addressing the screen problems that are reportedly plaguing its flagship WiMAX handset. According to the unofficial source, HTC is aware of the screen separation issue and is playing the waiting game to see if this problem develops further. Currently, the handset manufacturer considers this problem to be minor and has made some refinements to its assembly process to eliminate this cosmetic flaw in future production runs. HTC has also reportedly acknowledged that a select number of its EVO 4G handsets suffer from a screen sensitivity problem. The screen sensitivity issue is thought to affect a disproportionate number of handsets in arid climates and HTC is working on a software patch to fix this issue. How about it EVO owners? Are you seeing any of these reported issues?

Read