For a while now (many years actually) I have argued that the rush to turn everything into a techno-gadget has been irresponsible and dangerous. However, companies that are looking into the “Internet of things” simply do not care. They see dollar signs and revenue streams in adding services to their devices that were a one-time purchase before. Because of this they are blindly rushing products to market that are open to attack on a massive scale. Consumers who are ignorant to these flaws are buying them up at a rapid pace leaving themselves exposed to data theft and worse.
Although much of the press surrounding AMD at the moment is focused on their lackluster earnings for Q2, there is some potentially good news from them. AMD’s dive into the use of High Bandwidth Memory is going to continue with their next GPU line up. According to the information available the next generation of GPUs will be code named Artic Islands and should be manufactures on a 16nm FinFET process.
Last year during DEF CON 22 we saw a demonstration of a UEFI root kit that was extremely worrying. This root kit was installed using a multipart systems to infect the UEFI BIOS in such a way as to grant the same level of access to an attacker as the CPU has (Ring 0). It was an almost unprecedented style of attack. When we reported on this many seemed to feel that it was not an issue. Now researchers are finding evidence of this same type of attack in the data lifted from the Hacking Team.
After three spate 0-day vulnerabilities are found in your product you can pretty much expect the market to call for you go away. This is the situation that Adobe is in right now. After fighting to their little slice of dominance in the computing industry Adobe’s Flash is arguably one of the most commonly used APIs to rendering rich content. This has made them a rather large target for a number of years… well this and the fact that the Flash development team has made some rather poor choices when it comes to their application.
Although it will not come as a surprise, there seems to be yet another bug in Adobe’s flash player that allows for an attacker to potentially take control of a system by forcing a crash of the application. According to TrendMicro, CVE 2015-5123 is a critical bug in the latest version of Flash player for Linux, Windows, and OSX operating systems. Adobe has already released a customer advisory stating they are already aware of this flaw being exploited in the wild.
The Italian Security firm Hacking Team is now admitting that their spying software is potentially in the hands of bad guys. After a hack that saw roughly 400GB of company information liberated from their systems they have been monitoring what is being released online. They have now concluded that there is sufficient source code for their monitoring applications to allow someone to mount the same style surveillance that they were providing to their clients.
Irony is one of those things that is not appreciated by security guys. They do not find humor in it nor do they enjoy it when someone points an ironic situation involving them out. This has to be the case for the privacy company LifeLock. A pair of security researchers (Eric Taylor and Blake Welsh) have found an interesting feature in LifeLock’s web site. The flaw allows for a cross-site scripting attack to be used to do a fair amount of damage including injecting malware.
When you use a search engine like Yahoo or Google you expect to get relevant results for your efforts. In many cases this does really happen, but often times we enter what we are looking for and find very little that relates to the actual search. One of the reasons for this is (and has been for a long time) the ability of search providers to artificially alter the search results through internal ranking systems. Google and Yahoo both have done this in the past and in some cases with good reason.
Cisco has acknowledged (and released patches for) a fairly serious security bug in three of their virtual appliances that, oddly enough, are related to security. The three products in question are the Cisco Web Security Virtual Appliance, the Email Security Virtual Appliance and the Security Management Virtual Appliance. These three devices all share a default preinstalled SSH encryption key. This meddlesome little fact means that it is very simple to get into an SSH session because you can grab the key off of another copy of the product. We are pretty sure that the default keys are already floating around on the internet somewhere as well.
Over the course of its development there has been a lot to like about Windows 10. There seems to be a good blend of the traditional Windows desktop with some of the touch-centric features that Microsoft tried to force in Windows 8. You are also getting more than a few performance improvements including DX12. If you have not heard about all of the goodness in DX12 you are in for quite a pleasant surprise. However, despite all of the good there is in Windows 10 there seems to be a group at Microsoft that have still not learned lessons from the past.