Security

We’re just 2 days away from Windows 10’s official launch. Ahead of the release of its new operating system, Microsoft has been releasing a lot of security updates for Windows 10 Build 10240 lately. Unsurprisingly enough, there’s a new update today as well – the latest update is KB3074683 and there doesn’t seem to be anything new other than under the hoods improvements. It’s worth noting that the latest update replaces KB3074681 which caused File Explorer to crash for some users — meaning that the latest update fixes the crashing issues for File Explorer.

Without a doubt, storing highly sensitive data on an internet-disconnected, "air-gapped" computer network is one of the best security measures an organization can take -- but nothing is full-proof. Researchers at Ben-Gurion University in Isreal have figured out how to discreetly siphon data from a isolated computer with no wireless radios, no external connectivity and no connection whatsoever to any other computer. All it takes is a little malware and an old, non-smart mobile phone.

Researchers have uncovered a remote code execution Android vulnerability that could be exploited with only a malicious media file and a phone number. The bug in Android's Stagefright multimedia playback engine leaves 95 percent of Android devices worldwide critically exposed. It is being called "Heartbleed for mobile," but will be prove harder than Heartbleed to fully fix.

Google is taking steps to make Android phones safer by including a verified boot system that checks for irregularities in the platform code. And device owners will know that their phone or tablet is safe based on startup messages from the system check.

Android Police spotted an updated Nexus support page showing the three possible boot verification messages.

If Android doesn't find any platform changes at bootup, the device will just start as it normally does. However, if there's a potential issue detected, one of three dialog messages will appear as a warning.

Fiat Chrysler’s recall of more than 1.4m of its Jeeps so they can be fitted with a software patch to make them safe from having the controls taken over remotely, draws attention to an unnerving fact: any modern car is a network of anything up to 70 powerful computers that happen to be mounted on wheels and armoured in a tonne or more of steel. Every new car sold in the past few years is running about twice as much code as the whole of Facebook.

At the 2015 Intelligent Defense European Technical Research Conference in June, Tripwire security researcher Craig Young presented Smart Home Invasion and revealed zero-day flaws in the “brains” of Internet of Things platform hubs such as SmartThings hubs, Wink hubs and MiOS Vera. The Wink and Vera products “contained critical remotely exploitable flaws.” Young warned that “if not addressed, smart home flaws can give rise to a new type of ‘smart criminal' able to case victims without being seen. Once a target is chosen, it is possible to unlock doors and disable security monitoring.”

Today, Fiat Chrysler recalled 1.4 million vehicles possibly affected by a vulnerability in the UConnect infotainment system that could allow attackers to hijack the vehicle's steering and braking. Car hacking researchers Chris Valasek and Charlie Miller demonstrated proof of concept in striking fashion, when they wirelessly took control of a 2014 Jeep Cherokee driven by Wired reporter Andy Greenberg and brought it from 70 mph to a screeching halt.

You can bypass Apple's space-age security and gain administrator-level privileges on an OS X Yosemite Mac using code that fits in a tweet.

Yosemite, aka version 10.10, is the latest stable release of the Mac operating system, so a lot of people are affected by this vulnerability. The security bug can be exploited by a logged-in attacker or malware on the computer to gain total unauthorized control of the Mac. It is documented here by iOS and OS X guru Stefan Esser.

An interesting problem with OpenSSH  – let's call it a feature that turned out to be a vulnerability – has been publicised on the Full Disclosure mailing list.

To explain.

SSH stands for Secure Shell, one of the most widely-used and important remote access tools in the world. SSH runs on almost all Linux/Unix systems on the internet, so that sysadmins can look after them from afar. OpenSSH is by far the most widely-used implementation of SSH out there.

White-hat hackers Charlie Miller and Chris Valasek remotely took over a Jeep Cherokee, ran its controls, then cut the transmission as it sped at 70 mph along Interstate 64 in an experiment conducted with Wired.

They turned on the air conditioning, switched radio channels, turned on the windshield wipers, activated the windshield washer fluid pump, and transmitted a photo of themselves to the vehicle's digital display -- all from a laptop 10 miles away.