Security

Your Stolen Identity Goes For $20 On the Internet Black Market 57

HughPickens.com writes: Keith Collins writes at Quartz that the going rate for a stolen identity is about twenty bucks on the internet black market. Collins analyzed hundreds of listings for a full set of someone's personal information—identification number, address, birthdate, etc., known as "fullz" that were put up for sale over the past year, using data collected by Grams, a search engine for the dark web. The listings ranged in price from less than $1 to about $450, converted from bitcoin. The median price for someone's identity was $21.35. The most expensive fullz came from a vendor called "OsamaBinFraudin," and listed a premium identity with a high credit score for $454.05. Listings on the lower end were typically less glamorous and included only the basics, like the victim's name, address, social security number, perhaps a mother's maiden name. Marketplaces on the dark web, not unlike eBay, have feedback systems for vendors ("cheap and good A+"), refund policies (usually stating that refunds are not allowed), and even well-labeled sections. "There is no shortage of hackers willing to do about anything, computer related, for money," writes Elizabeth Clarke, "and they are continually finding ways to monetize personal and business data."
Android

OnePlus Announces OnePlus 2 'Flagship Killer' Android Phone With OxygenOS 149

MojoKid writes: The OnePlus 2 was officially unveiled [Monday] evening and it has been announced that the smartphone will start at a competitively low $329, unlocked and contract free. The entry level price nets you a 5.5" 1080p display, a cooler-running 1.8GHz Qualcomm Snapdragon 810 v2.1 SoC paired with 3GB of RAM, 16GB of internal storage, a 13MP rear camera (with OIS, laser focusing and two-tone flash), 5MP selfie camera, and dual nano SIM slots. If you don't mind handing over an extra $60, you'll receive 4GB of RAM to back the processor and 64GB of internal storage. Besides beefing up the internal specs, OnePlus has also paid some attention to the exterior of the device, giving it a nice aluminum frame and a textured backplate. There are a number of optional materials that you can choose from including wood and Kevlar. Reader dkatana links to InformationWeek's coverage, which puts a bit more emphasis on what the phone doesn't come with: NFC. Apparently, people just don't use it as much as anticipated.
Security

Air-Gapped Computer Hacked (Again) 80

An anonymous reader writes: Researchers from Ben Gurion University managed to extract GSM signals from air-gapped computers using only a simple cellphone. According to Yuval Elovici, head of the University’s Cyber Security Research Center, the air gap exploit works because of the fundamental way that computers put out low levels of electromagnetic radiation. The attack requires both the targeted computer and the mobile phone to have malware installed on them. Once the malware has been installed on the targeted computer, the attack exploits the natural capabilities of each device to exfiltrate data using electromagnetic radiation.
Security

Hacker Set To Demonstrate 60 Second Brinks Safe Hack At DEFCON 147

darthcamaro writes: Ok so we know that Chrysler cars will be hacked at Black Hat, Android will be hacked at DEFCON with Stagefright, and now word has come out that a pair of security researchers plan on bringing a Brinks safe onstage at DEFCON to demonstrate how it can be digitally hacked. No this isn't some kind of lockpick, but rather a digital hack, abusing the safe's exposed USB port. And oh yeah, it doesn't hurt that the new safe is running Windows XP either.
Android

950 Million Android Phones Can Be Hijacked By Malicious Text Messages 120

techtech writes: According to security firm Zimperium, a flaw called "Stagefright" in Google's Android operating system can allow hackers to take over a phone with a message even if the user doesn't open it. The vulnerability affects about 950 million Android devices. In a blog post Zimperium researchers wrote: "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone."
Businesses

Trillion-Dollar World Trade Deal Aims To Make IT Products Cheaper 97

itwbennett writes: A new (tentative) global trade agreement, struck on Friday at a World Trade Organization meeting in Geneva, eliminates tariffs on more than 200 kinds of IT products, ranging from smartphones, routers, and ink cartridges to video game consoles and telecommunications satellites. A full list of products covered was published by the Office of the U.S. Trade Representative, which called the ITA expansion 'great news for the American workers and businesses that design, manufacture, and export state-of-the-art technology and information products, ranging from MRI machines to semiconductors to video game consoles.' The deal covers $1.3 trillion worth of global trade, about 7 percent of total trade today. The deal has approval from 49 countries, and is waiting on just a handful more before it becomes official,
Android

'Stagefright' Flaw: Compromise Android With Just a Text 202

An anonymous reader writes: Up to 950 million Android phones may be vulnerable to a new exploit involving the Stagefright component of Android, which lets attackers compromise a device through a simple multimedia text — even before the recipient sees it. Researchers from Zimperium zLabs reported the related bugs to Google in April. Google quickly accepted a patch and distributed it to manufacturers, but the researchers say they don't think the manufacturers have yet passed it on to most consumers.

"The weaknesses reside in Stagefright, a media playback tool in Android. They are all "remote code execution" bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright's permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright."
Security

Steam Bug Allowed Password Resets Without Confirmation 57

An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.
Security

A Plea For Websites To Stop Blocking Password Managers 365

An anonymous reader writes: Password managers aren't a security panacea, but experts widely agree that it's better to use one than to have weak (but easy-to-remember) passwords. Just this week, they were listed as a tool non-experts don't use as much as experts do. I use one, and a pet peeve of mine is when a website specifically (or through bad design) interferes with the copying and pasting of a password. Thus, I appreciated this rant about it in Wired: "It's unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason."
Operating Systems

HardenedBSD Completes Strong ASLR Implementation 65

New submitter HardenedBSD writes: A relatively new fork of FreeBSD, HardenedBSD, has completed its Address Space Layout Randomization (ASLR) feature. Without ASLR, applications are loaded into memory in a deterministic manner. An attacker who knows where a vulnerability lies in memory can reliably exploit that vulnerability to manipulate the application into doing the attacker's bidding. ASLR removes the determinism, making it so that even if an attacker knows that a vulnerability exists, he doesn't know where that vulnerability lies in memory. HardenedBSD's particular implementation of ASLR is the strongest form ever implemented in any of the BSDs.

The next step is to update documentation and submit updates to the patches they have already submitted upstream to FreeBSD. ASLR is the first step in a long list of exploit mitigation technologies HardenedBSD plans to implement.
AMD

AMD Starts Rolling Out New Linux Driver Model, But Many Issues Remain 61

An anonymous reader writes: With the upcoming Linux 4.2 kernel will be the premiere of the new "AMDGPU" kernel driver to succeed the "Radeon" DRM kernel driver, which is part of AMD's long talked about new Linux driver architecture for supporting the very latest GPUs and all future GPUs. Unfortunately for AMD customers, there's still much waiting. The new open-source AMDGPU Linux code works for Tonga/Carrizo GPUs but it doesn't yet support the latest R9 Fury "Fiji" GPUs, lacks re-clocking/DPM for Tonga GPUs leading to low performance, and there are stability issues under high-load OpenGL apps/games. There's also the matter that current Linux users need to jump through hoops for now in getting the code into a working state with the latest kernel and forked versions of Mesa, libdrm, new proprietary microcode files, and the new xf86-video-amdgpu user-space driver.
ch

Swiss Researchers Describe a Faster, More Secure Tor 59

An anonymous reader writes: Researchers from the Swiss Federal Institute of Technology and University College London published a paper this week describing a faster and more secure version of Tor called HORNET. On one hand, the new onion routing network can purportedly achieve speeds of up to 93 gigabits per second and "be scaled to support large numbers of users with minimal overhead". On the other hand, researchers cannot claim to be immune to "confirmation attacks" known to be implemented on Tor, but they point out that, given how HORNET works, perpetrators of such attacks would have to control significantly more ISPs across multiple geopolitical boundaries and probably sacrifice the secrecy of their operations in order to successfully deploy such attacks on HORNET.
AMD

AMD Forces a LibreOffice Speed Boost With GPU Acceleration 143

New submitter samtuke writes: AMD processors get rated and reviewed based on performance. It is in our self-interest to make things work really, really fast on AMD hardware. AMD engineers contribute to LibreOffice, for good reason. Think about what happens behind a spreadsheet calculation. There can be a huge amount of math. Writing software to take advantage of a Graphics Processing Unit (GPU) for general purpose computing is non-trivial. We know how to do it. AMD engineers wrote OpenCL kernels, and contributed them to the open source code base. Turning on the OpenCL option to enable GPU Compute resulted in a 500X+ speedup, about ¼ second vs. 2 minutes, 21 seconds. Those measurements specifically come from the ground-water use sample from this set of LibreOffice spreadsheets.
Security

Using HTML5 To Hide Malware 56

New submitter Jordan13 writes: SecurityWeek reports on the findings of a group of Italian researchers about web malware. They developed three new obfuscation techniques that can be used to obfuscate exploits like the one usually leveraged in drive-by download malware attacks. These techniques use some functionalities of the HTML5 standard, and can be leveraged through the various JavaScript-based HTML5 APIs. The research also contains recommendations about some of the steps that can be taken to counter these obfuscation techniques.
Bug

The OpenSSH Bug That Wasn't 55

badger.foo writes: Get your facts straight before reporting, is the main takeaway from Peter Hansteen's latest piece, The OpenSSH Bug That Wasn't. OpenSSH servers that are set up to use PAM for authentication and with a very specific (non-default on OpenBSD and most other places) setup are in fact vulnerable, and fixing the configuration is trivial.