From Security Weekly WikiJump to navigationJump to search
#[http://packetstormsecurity.org/news/view/19495/Vodafone-Flaws-Could-Enable-Widespread-Hacking.html Vodaphone Femtocell Hacking] - [Larry] - THC folks have been plugging away at this device since 2009, and have completely pwned it. Can you say call snooping anyone? I sure can, because THC has been able to transform the device, that allows anyone (not just femtocell and Vodaphone subscribers) to connect. that means you can gather other's traffic with a modified device. Not to mention that THC shows you how to suppress errors and alarms back to Vodaphone for your hacking goodness. I think I've said it before, but the largest threat to vendors in getting their devices compromised? Releasing them to customers.
#[http://packetstormsecurity.org/news/view/19486/Mac-Security-Firm-Ships-First-iPhone-Malware-Scanner.html So close, yet so far…] - [Larry] …for the first iPhone Malware scanning app. YAY! AV for your embedded device. Well, not quite, due to the sandbox that iOS places around apps, there is no access to memory or the file system, so all you can do is scan e-mail attachments and web downloads. Better than nothing I suppose, but a long way to go to compare to more traditional tools.
#[http://blog.didierstevens.com/2011/07/13/teensy-pdf-dropper-part-1/ Didier's Teensy PDF Mayhem
} - [Larry] - Did you know that you can create a PDF with just ASCII? Did you know that you could also include a malicious executable in that ASCII PDF? Didier Stevens did, and ported it to be delivered by a Teensy HID device. Time for Dave to add this as another Teensy attack in SET.
#[http://krebsonsecurity.com/2011/07/microsoft-fixes-scary-bluetooth-flaw-21-others/ Bluetooth on? I thought so.] - [Larry] - Remember that WiFi hack years ago that exploited a bug in wireless drivers, who would receive packets without being associated to a network to get exploits. Yeah, you didn't even need to be connected to a network, just have your adapter on. Now the same thing for Bluetooth on Vista and Win7 products. No interaction from the user. No pairing needed. To agree with a quite form Marcus Carey, I think we'll see more of this given the availability of better bluetooth auditing hardware/tools such as Ubertooth.
#[http://feedproxy.google.com/~r/hackaday/LgoM/~3/lEHjFgaauio/ Technology enabling shoulder surfing] - [Larry] So, do you come full circle when you use technology to enable shoulder surfing of new technology? Ising a video (camera, stream, file), this app analyses not the asterisks of hidden passwords of touch screen devices, but the touchscreen keyboard color change for keypresses. If you know where the keys are, you can just analyze the color that changes for keypress confirmation. Of course you can turn that feedback off, but who does that?