Is Your Smartwatch Safe?

I’m going to have to be careful with my new LG Watch!

Smartwatches Could Become New Frontier for Cyber Attackers

Dark Reading – By: Jai Vijayan – “Watches with network and communication functionality are opening up a new frontier for cyber attackers thanks to a largely cavalier attitude towards security by manufacturers, a new study by HP warns.

HP assessed the available security features on 10 smartwatches along with their Android and iOS cloud and mobile application components and found every single device to have significant vulnerabilities such as insufficient authentication and lack of data encryption.

As part of the study, HP looked at smartwatch management capabilities, network communications, their mobile and cloud interfaces and other potentially vulnerable components.

All of the watches that HP evaluated collected personal data in the form of names, addresses, birth dates, weight, gender and heart rate. Yet not one of them had adequate controls in place for ensuring the privacy and security of the collected data either while on the device or in transit.

For instance, every smartwatch that HP tested was paired with a mobile interface that lacked two-factor authentication. None of the interfaces had the ability to lock out accounts after multiple failed login attempts. A significant 40 percent of the tested products used weak cyphers at the transport layer while a full 70 percent had firmware related insecurities.

‘We found that smartwatch communications are easily intercepted in 90 percent of cases, and 70 percent of watch firmware is transmitted without encryption,’ says Daniel Miessler, lead researcher for the study at HP. ‘These statistics reveal areas of security risk and are extremely worrisome, as smartwatches are likely to become a key access control point as adoption expands,’ Miessler said in emailed comments to Dark Reading.

Current use cases for smartwatches extend beyond the usual activity and health monitoring applications to areas like messaging, monitoring and schedule checking. Because the smartwatch depends on an intermediary mobile device to pass information from and to the watch, the security of the gateway device becomes an important factor as well, HP noted in its report.

‘The combination of account enumeration, weak passwords, and lack of account lockout means 30 percent of watches and their applications were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access to user accounts,’ HP said.

Though smartwatch adoption is largely consumer driven, the security concerns associated with their use extend to enterprises as well. Given the amount of network connectivity, the attack surface areas present, and the highly adaptive nature of the Internet of Things in general, it’s important for enterprises to consider IoT and wearables to be untrusted, unless fully tested, analyzed, and secured, Miessler said.

‘Wearables and other IoT related devices should always be segmented from the internal network,’ he said.

The increasingly sophisticated recording capabilities of smartwatches and other wearables pose another near-term problem for enterprises, Miessler said. Wearables, for instance, make it easier for users to surreptitiously record documents and events without being noticed. ‘For enterprises that may be discussing very sensitive information, or presenting that information in cubes or meeting rooms, the potential for data loss via this method increases significantly,’ Miessler said.

Mitigating the threat posed by smartwatches and other IoT devices starts with an awareness of the risks they pose, he said. It starts with knowing what type of sensors the watches have, and whether the devices can capture audio, video and data, he noted. Administrators also need to be aware of what data are entered into these ecosystems, and where that data is sent, Miessler added.

‘From there, it will be a matter of creating policies for managing IoT and wearables within the enterprise, whether that’s creating isolated segments on the LAN, determining what types of devices and capabilities are allowed in sensitive corporate areas,’ and similar measures, he said.”
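The account-harvesting finding in the HP study (account enumeration plus weak passwords plus no lockout) is easy to see in code. The following is an added example, not code from HP or from any of the tested products: two toy login checkers in C, one that leaks which usernames exist and never locks an account, and one that returns a single generic failure and locks after a fixed number of wrong guesses. The accounts, passwords, the lockout threshold and the attacker's wordlist are all constructed for the demo.

```c
/* Added example, not code from HP's study or the Dark Reading article.
 * Two toy login checkers show why "account enumeration + weak passwords
 * + no lockout" lets an attacker harvest accounts, and how one generic
 * failure result plus a lockout counter closes that path. All users,
 * passwords and the attacker's wordlist are constructed for the demo. */
#include <stdio.h>
#include <string.h>

#define MAX_FAILURES 3          /* assumption: lock after 3 wrong guesses */

enum result { LOGIN_OK, BAD_USER, BAD_PASSWORD, LOGIN_FAILED };

struct user {
    const char *name;
    const char *password;       /* plaintext only to keep the demo short */
    int failures;
    int locked;
};

/* Constructed accounts with the kind of weak passwords HP describes. */
static struct user users[] = {
    { "alice", "123456",  0, 0 },
    { "bob",   "letmein", 0, 0 },
};
#define NUSERS (sizeof users / sizeof users[0])

/* Clear lockout state (an admin unlock in real life). */
void reset_accounts(void) {
    for (size_t i = 0; i < NUSERS; i++) users[i].failures = users[i].locked = 0;
}

static struct user *find_user(const char *name) {
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(users[i].name, name) == 0) return &users[i];
    return NULL;
}

/* Weak variant: distinct errors reveal which usernames exist, and
 * nothing limits how many passwords may be tried against an account. */
enum result login_weak(const char *name, const char *pw) {
    struct user *u = find_user(name);
    if (u == NULL) return BAD_USER;
    return strcmp(u->password, pw) == 0 ? LOGIN_OK : BAD_PASSWORD;
}

/* Hardened variant: unknown user, wrong password and locked account all
 * return the same LOGIN_FAILED, and MAX_FAILURES wrong guesses lock the
 * account. (A real system would also hash passwords and compare in
 * constant time; omitted here to keep the lockout logic visible.) */
enum result login_hardened(const char *name, const char *pw) {
    struct user *u = find_user(name);
    if (u == NULL || u->locked) return LOGIN_FAILED;
    if (strcmp(u->password, pw) == 0) { u->failures = 0; return LOGIN_OK; }
    if (++u->failures >= MAX_FAILURES) u->locked = 1;
    return LOGIN_FAILED;
}

typedef enum result (*login_fn)(const char *, const char *);

/* Constructed attacker inputs: candidate names and a tiny wordlist. */
static const char *names[] = { "admin", "alice", "bob", "carol" };
static const char *wordlist[] = { "password", "qwerty", "welcome",
                                  "123456", "letmein", "abc123" };
int harvest_requests;           /* login attempts the attacker had to send */

/* Account-harvesting loop: probe each name once to enumerate it, then
 * run the wordlist against the names the server admits exist.
 * Starts from clean account state; returns accounts taken over. */
int harvest(login_fn login) {
    int cracked = 0;
    reset_accounts();
    harvest_requests = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        harvest_requests++;
        if (login(names[i], "") == BAD_USER) continue;  /* enumerated: skip */
        for (size_t j = 0; j < sizeof wordlist / sizeof wordlist[0]; j++) {
            harvest_requests++;
            if (login(names[i], wordlist[j]) == LOGIN_OK) { cracked++; break; }
        }
    }
    return cracked;
}

int main(void) {
    int n = harvest(login_weak);
    printf("weak server:     %d of %zu accounts taken over in %d requests\n",
           n, NUSERS, harvest_requests);
    n = harvest(login_hardened);
    printf("hardened server: %d of %zu accounts taken over in %d requests\n",
           n, NUSERS, harvest_requests);
    return 0;
}
```

Against the weak checker the attacker drops the two nonexistent names after one request each and takes over both real accounts; against the hardened checker every name costs the full wordlist (nothing distinguishes a bad user from a bad password) and both real accounts lock before the correct guess is reached. The lockout is deliberately per account rather than per source address, since the watch's cloud interface cannot assume the attacker uses a single IP.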

Chrysler Has To Issue a Bug Fix on 1.4 Million Cars!

How would YOU like it if your car turned on you? What if someone could take it over? Sounds like a Mission Impossible movie, but it is real!

After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix

Wired – By: Andy Greenberg – “Welcome to the age of hackable automobiles, when two security researchers can cause a 1.4 million product recall.

On Friday, Chrysler announced that it’s issuing a formal recall for 1.4 million vehicles that may be affected by a hackable software vulnerability in Chrysler’s Uconnect dashboard computers. The vulnerability was first demonstrated to WIRED by security researchers Charlie Miller and Chris Valasek earlier this month when they wirelessly hacked a Jeep I was driving, taking over dashboard functions, steering, transmission and brakes. The recall doesn’t actually require Chrysler owners to bring their cars, trucks and SUVs to a dealer. Instead, they’ll be sent a USB drive with a software update they can install through the port on their vehicle’s dashboard.

Chrysler says it’s also taken steps to block the digital attack Miller and Valasek demonstrated with ‘network-level security measures’—presumably security tools that detect and block the attack on Sprint’s network, the cellular carrier that connects Chrysler’s vehicles to the Internet.

Miller, one of the two researchers who developed the Uconnect-hacking technique, said he was happy to see the company respond. ‘I was surprised they hadn’t before and I’m glad they did,’ he told WIRED in a phone call. He particularly praised the move to work with Sprint to prevent attacks through its network.

‘Blocking the Sprint network is a huge thing,’ Miller adds. ‘The biggest problem before was that cars would never get fixed or fixed way down the road. Assuming that they did [the Sprint network fix] correctly…you don’t have to worry about that tail-end of cars that won’t get fixed.’

Valasek wrote on Twitter that he’d tested the attack again and found that Sprint’s network does now appear to be blocking the Jeep attack:

‘Looks like I can’t get to @0xcharlie’s Jeep from my house via my phone. Good job FCA/Sprint!’

Chrysler had already issued a patch in a software update for its vehicles last week, but announced it with a vague press release on its website only. A recall, by contrast, means all affected customers will be notified about the security vulnerability and urged to patch their software. ‘The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action,’ writes a Chrysler spokesperson in an email.

In its press statement about the recall, Chrysler offered the following list of vehicles that may be affected:

  • 2013-2015 MY Dodge Viper specialty vehicles
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes

That list of potentially vulnerable cars is slightly longer than the one Chrysler gave WIRED on Monday, which excluded the Chrysler 200 and 300, and the Dodge Charger and Challenger. The 1.4 million number it’s targeting with the recall is also far larger than the 471,000 vehicles Miller and Valasek had estimated to possess the vulnerable Uconnect computers.

In its statement, Chrysler also said that to its knowledge the hacking technique Miller and Valasek had developed had never been used outside of the WIRED demonstration. It also pointed out that hacking its vehicles wasn’t easy. That’s true: Miller and Valasek had worked on their Jeep hacking exploit for over a year. ‘The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code,’ reads Chrysler’s statement.

In one less credible part of the statement, however, Chrysler also claims that ‘no defect has been found,’ and that ‘[Fiat Chrysler Automobiles] is conducting this campaign out of an abundance of caution.’

Given that Miller and Valasek were able to hack the Jeep I was driving on a highway from a laptop 10 miles away, that ‘no defect’ claim doesn’t hold up. ‘No defect was found (other than the remote vulnerability that can result in full physical control),’ wrote Valasek on his twitter feed.

Careful Chrysler owners don’t need to depend on that network protection or wait for a USB drive to be mailed to them to patch their Uconnect computers. They can download the patch to a computer right now, put it on a USB drive, and install it on the dashboard. Start here to get that software fix.

One recall won’t change the fact that cars, SUVs and trucks are increasingly connected to the Internet and vulnerable to hacker attacks like the one Valasek and Miller have demonstrated. Congress has taken note of the rising threat of car hacking, too, with two senators introducing a bill earlier this week to set minimum cybersecurity standards for automobiles.

That bill would require cars to be designed with certain security principles, such as isolating physical components from Internet connections and including features that detect and block attacks. But for now, Miller says that a recall is a strong first step for Chrysler. ‘What I really want is for them to design secure cars and include detection mechanisms,’ Miller says. ‘They can’t do that in three days. This is the most we could hope for.'”

Pluto Photos Are Amazing!

Have you been keeping up with the Pluto Fly-by? How cool is that? The ninth PLANET in our solar system (take THAT Neil Degrasse Tyson!) It looks very strange, very cold, and cool… ta dum dump! New Horizons’ mission rocks!

NASA – “New close-up images of a region near Pluto’s equator reveal a giant surprise: a range of youthful mountains rising as high as 11,000 feet (3,500 meters) above the surface of the icy body.

The mountains likely formed no more than 100 million years ago — mere youngsters relative to the 4.56-billion-year age of the solar system — and may still be in the process of building, says Geology, Geophysics and Imaging (GGI) team leader Jeff Moore of NASA’s Ames Research Center in Moffett Field, California. That suggests the close-up region, which covers less than one percent of Pluto’s surface, may still be geologically active today.

Moore and his colleagues base the youthful age estimate on the lack of craters in this scene. Like the rest of Pluto, this region would presumably have been pummeled by space debris for billions of years and would have once been heavily cratered — unless recent activity had given the region a facelift, erasing those pockmarks.

‘This is one of the youngest surfaces we’ve ever seen in the solar system,’ says Moore.

Unlike the icy moons of giant planets, Pluto cannot be heated by gravitational interactions with a much larger planetary body. Some other process must be generating the mountainous landscape.

‘This may cause us to rethink what powers geological activity on many other icy worlds,’ says GGI deputy team leader John Spencer of the Southwest Research Institute in Boulder, Colo.

The mountains are probably composed of Pluto’s water-ice ‘bedrock.’

Although methane and nitrogen ice covers much of the surface of Pluto, these materials are not strong enough to build the mountains. Instead, a stiffer material, most likely water-ice, created the peaks. ‘At Pluto’s temperatures, water-ice behaves more like rock,’ said deputy GGI lead Bill McKinnon of Washington University, St. Louis.

The close-up image was taken about 1.5 hours before New Horizons’ closest approach to Pluto, when the craft was 47,800 miles (77,000 kilometers) from the surface of the planet. The image easily resolves structures smaller than a mile across.”

Adobe Makes Flash Somewhat Safer With Google’s Help!

Firefox is blocking Flash, tons of folks are switching to HTML5 (which, of course, they should) and Adobe’s Flash is being hated on by computer geeks everywhere!

Adobe Secures Flash, With Help From Google

eWeek – By: Sean Michael Kerner – “Adobe is under tremendous pressure to do more to secure its Flash Player technology, which has been aggressively exploited in 2015. However, Adobe isn’t alone in its efforts to secure Flash, as a very key ally is contributing significantly to Flash’s defense—none other than Google.

Flash’s weaknesses are numerous, but common ones are use-after-free (UAF) memory vulnerabilities. In the last month, Adobe has patched Flash for 38 different Common Vulnerabilities and Exposures (CVEs), three of which were identified as zero-day exploits that were found in the breached materials of Italian security vendor Hacking Team.

However, the largest single source of Flash exploit discovery so far in July was not a zero-day exploit, but rather it was from Google’s Project Zero security initiative. Adobe credited Google with the discovery of 20 CVEs in its APSB15-16 security bulletin. But as it turns out, Google didn’t just report vulnerabilities in Flash; the company went a step further and is helping Adobe remediate the flaws and prevent them in the first place.

As of the Flash v18.0.0.209 update, which was released on July 14, Flash now includes new attack mitigations, courtesy of Google’s Project Zero security initiative.

Google security engineers Mark Brand and Chris Evans detail the full mitigation in a technical post, but what it really boils down to is protection for a common class of UAF exploits that take advantage of weaknesses in memory. To that end, there are now multiple mitigations integrated in the latest Flash release to reduce the attack surface. One of those mitigations is a technique known as heap partitioning.

‘Heap partitioning is a technique that isolates different types of objects on the heap from one another,’ the Google engineers explain. ‘Chrome uses heap partitioning extensively, and it has become a common defensive technique in multiple browsers. We have now introduced this technology into Flash.’

Another new mitigation that Google is helping Adobe with is improved randomization of the Flash memory heap. The idea of memory randomization is not a new one. On Windows operating systems, address space layout randomization (ASLR) is a well-established technology. Google, however, is specifically improving Flash’s memory in a stronger, more randomized way than what the operating system enables on its own.

The Google security engineers admit that it’s a ‘cat and mouse’ game with attackers, with each new mitigation likely to produce a new counter-mitigation from hackers.

‘We’ll be looking out for attackers’ attempts to adapt, and devising further mitigations based on what we see,’ the Google engineers wrote. ‘Perhaps more importantly, we’re also devising a next level of defenses based on what we expect we might see.’

Google’s efforts in helping to secure Flash make a whole lot of sense given that the Chrome browser directly integrates Flash. As a result, a Flash vulnerability makes all Chrome users vulnerable, and that’s not a good situation for Google.

However, despite the tough month that Adobe has had with Flash security, things are changing. Adobe and its partners are not standing still waiting for the next exploit; rather, they are putting in place proactive techniques to limit future risks.

The challenges of UAF are not limited to Adobe Flash, and Google isn’t the only security vendor that has a few ideas on remediations either. In February, Microsoft awarded Hewlett-Packard researchers $125,000 in awards as part of the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program. HP’s research was focused on Microsoft’s Internet Explorer browser and UAF vulnerabilities. At the time of the award, Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK that the UAF protection techniques HP provided to Microsoft are specific to the IE browser, though in the future they might be able to help others. HP plans on publishing a full white paper on its UAF mitigation at the end of the year, according to Gorenc.

Although Adobe’s Flash has been strongly impacted in 2015, UAF is a common scourge of modern Web applications. Even as attackers exploit UAF weaknesses, there are improved defenses in the works to secure the Web—thanks to the work of Adobe, Google and HP.”
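The heap partitioning mitigation quoted above is about where a freed object's memory can be reused. The following is an added example, not Google's or Adobe's code: a toy slab allocator in C that can run either as one shared heap or with a separate partition per object type, used to show what a use-after-free attacker gets in each case. The victim object, the attacker buffer, the slot size and the arena sizes are assumptions for the demo; it only covers partitioning, not the heap randomization the article also mentions.

```c
/* Added example, not code from Google, Adobe or the eWeek article.
 * A toy slab allocator run once as a single shared heap and once with
 * per-type partitions, to show what heap partitioning buys against a
 * use-after-free. The victim type, attacker buffer and arena sizes are
 * assumptions for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 16
#define SLOTS     8

/* A slab of fixed-size slots plus a LIFO free list of freed slots; the
 * void* member keeps the struct (and so mem[0]) pointer-aligned. */
struct slab {
    uint8_t mem[SLOTS * SLOT_SIZE];
    void   *freelist[SLOTS];
    int     nfree, next_fresh;
};

static void *slab_alloc(struct slab *s) {
    if (s->nfree > 0) return s->freelist[--s->nfree];   /* most recently freed slot first */
    if (s->next_fresh < SLOTS) return s->mem + SLOT_SIZE * s->next_fresh++;
    return NULL;
}
static void slab_free(struct slab *s, void *p) { s->freelist[s->nfree++] = p; }

/* Two kinds of allocation: objects carrying a function pointer, and raw
 * attacker-controlled byte buffers. With partitioning off, both kinds
 * come from slab 0 (the pre-mitigation layout). */
enum kind { KIND_OBJECT, KIND_BUFFER };
static struct slab slabs[2];
static int partitioned;

static struct slab *slab_for(enum kind k) { return &slabs[partitioned ? k : 0]; }
static void *heap_alloc(enum kind k)      { return slab_alloc(slab_for(k)); }
static void  heap_free(enum kind k, void *p) { slab_free(slab_for(k), p); }

struct victim {               /* 16 bytes on 64-bit, fits one slot */
    void (*handler)(void);    /* what an attacker wants to overwrite */
    uint64_t id;
};
static void legit_handler(void) {}

struct uaf_result { int same_address; int handler_overwritten; };

/* Simulate the bug: free a victim, keep using it, and meanwhile let the
 * attacker allocate a same-sized buffer full of 0x41. */
struct uaf_result run_uaf(int use_partitions) {
    struct uaf_result r;
    memset(slabs, 0, sizeof slabs);          /* fresh heap for each run */
    partitioned = use_partitions;

    struct victim *v = heap_alloc(KIND_OBJECT);
    v->handler = legit_handler;
    v->id = 7;
    heap_free(KIND_OBJECT, v);               /* v is dangling from here on */

    uint8_t *buf = heap_alloc(KIND_BUFFER);  /* attacker's same-sized allocation */
    memset(buf, 0x41, SLOT_SIZE);            /* filled with bytes of their choice */

    r.same_address = ((void *)buf == (void *)v);
    r.handler_overwritten = (v->handler != legit_handler);  /* stale read, as in a real UAF */
    return r;
}

int uaf_same_address(int use_partitions)       { return run_uaf(use_partitions).same_address; }
int uaf_handler_overwritten(int use_partitions) { return run_uaf(use_partitions).handler_overwritten; }

int main(void) {
    for (int p = 0; p < 2; p++) {
        struct uaf_result r = run_uaf(p);
        printf("%-11s heap: attacker buffer reused victim slot=%d, handler overwritten=%d\n",
               p ? "partitioned" : "shared", r.same_address, r.handler_overwritten);
    }
    return 0;
}
```

On the shared heap the LIFO free list hands the attacker exactly the slot the victim just vacated, so the 0x41 bytes land on the stale function pointer; with the buffer partition separated from the object partition the dangling pointer still sees the original handler. Real allocators are not this simple (reuse order varies, and an attacker can still groom the object partition with other objects of the same type), which is why the article's authors call it a cat-and-mouse game and pair partitioning with randomization.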

YouTube Viewing Climbs to an Average of 40 Minutes per Session

Can you say, “It’s because of the movies?”

People Now Spend An Average Of 40 Minutes On YouTube Per Viewing Session

Tech Times – By: Christian de Looper – While at one time, people would have used their smartphones to watch a targeted YouTube video lasting maybe five minutes, the average YouTube viewing session on mobile devices is now reportedly 40 minutes.

This is double what it was last year — highlighting the increasing tendency to watch videos on mobile devices rather than on desktop computers.

Google didn’t reveal what kind of content people were looking at for that long, and while watching some music videos and movie trailers – scattered throughout the day – could certainly add up to a lot of viewing time, the 40-minute figure represents uninterrupted viewing.

Watching videos on YouTube has grown in popularity over the past few years, with apps like Vine and Periscope greatly contributing to video-watching on mobile devices. Of course, these apps are much younger than the likes of YouTube, but they have still become hugely popular in a very small period of time.

YouTube isn’t just stopping at mobile use. A number of key executives at Google have referenced the fact that YouTube is going after more traditional TV, saying that YouTube reaches more people between the ages of 18 and 49 than any cable television network.

‘The number of users coming to YouTube, who start at the YouTube homepage similar to the way they might turn on their TV, is up over three times year-over-year,’ said Omid Kordestani, Google chief business officer, in an interview with Business Insider. ‘Plus, once users are in YouTube, they are spending more time per session watching videos. On mobile, the average viewing session is now more than 40 minutes, up more than 50 percent year-over-year.’

These findings are extremely important for YouTube at this point in its growth. The site is no longer just a place for people to upload their videos; it’s now a place for people to discover new content — both curated and otherwise.

Of course, YouTube still has a ways to go before well and truly replacing traditional TV viewing. In the U.S., people watch traditional ‘linear’ TV for almost five hours per day, while they use their computer and smartphones to go online for about half that time. Not only that, but while YouTube is becoming more valuable for advertisers, TV is still the biggest avenue for advertisers. Last year, global TV spending reached a massive $230 billion, while online video advertising sat at $11 billion.

M2 Slingbox Changes Things Up!

I had one of the old original Slingbox units. It was pretty cool, I would LOVE to test one of these someday!

New ‘M2′ Slingbox Drops Mobile App Fees

MultiChannel – By: Jeff Baumgartner – “Taking another stab at the consumer mainstream, Sling Media has launched the Slingbox M2, a video place-shifter that won’t require users to buy the requisite mobile apps, but will expand its use of advertising.

The M2 (ZatzNotFunny caught wind of the product a few days ago) runs on the same hardware as the Slingbox M1, a $149 product launched a year ago, but M2 buyers will no longer be on the hook to pay extra for the SlingPlayer app for iOS and Android tablets and smartphones, which typically runs $15 per app per device. There are no recurring monthly fees, and M2 users also have the ability to stream content from their mobile device to Apple TV, Roku and Amazon Fire TV devices as well as to Chromecast adapters.

With the M2, a product outfitted with WiFi and 1080p capabilities that carries an MSRP of $199.99, Sling Media will instead try to make up for that by selling ads that run on standalone apps for mobile devices and PCs, as well as Sling’s browser-based clients.

Those users will see a pre-roll ad when they fire up those apps, and ads will also appear in the app viewing window (no ads will be placed on top of the video itself, however). Display ads will disappear completely when M2 customers use the apps in full-screen mode, Mark Vena, Sling Media’s worldwide vice president of marketing, said. ‘We think that’s a great tradeoff,’ Vena said, noting that M2 Slingbox users will have the option to avoid ads on the mobile apps by purchasing the apps separately.

The ad model isn’t a new one for Sling Media. Last fall, the company started to stitch ads into its free Web browser client and a new standalone PC app for the M1 model. The decision was controversial in that it didn’t go over well with some Slingbox customers, but Sling Media defended the decision because it helps the company offset the costs of ongoing engineering and technology testing requirements. Sling Media hasn’t revealed how many retail Slingboxes have been shipped (on the leased end of the spectrum, Dish Network embeds the technology in its new Hopper HD-DVRs, and Arris is Sling’s exclusive distributor of a place-shifting device optimized for cable operators and telcos). Vena estimates that the M1 currently makes up about 60% to 65% of the recent sales mix. Its high-end Slingbox 500 model runs $299.99. From this point on, the M2 is the company’s flagship Slingbox model.

Sling Media will look for the M2 to help it gain more ground in the consumer arena, even as the place-shifting platform faces off with multiscreen TV Everywhere offerings. Sling is trying to distance itself by promoting the fact that its products provide users with remote access to their full pay TV subscriptions, including DVR recordings, rather than to a subset of channels and features typically found in most TVE offerings. Last year, Sling Media introduced a consumer campaign that mocked the limitations of TVE.

Looking ahead, Sling Media plans to introduce a free app upgrade in October that will bring its Gallery view to smartphones that shares similarities with the company’s iPad app. The new app will also feature 20% quicker loading and connection times. Sling Media also provided some revised usage data:

  • Of its U.S. user base, 34% of Slingbox place-shifting is to Europe, followed by Asia (32.6%), and Mexico (9.6%).
  • The longest Slingbox session recorded so far spanned 12,380 miles (from Asunción, Paraguay, to Taipei, Taiwan).
  • About 75% of watched hours via the Slingbox occur out of the home, and 80% of Slingbox viewing is of live TV, versus 20% from a DVR.”

Microsoft OneDrive for Android Now Supports Chromecast

The new version of Microsoft OneDrive for Android now supports the Chromecast!

OneDrive for Android Now Supports Chromecast

OMG! Chrome – By: Joey-Elijah Sneddon – “OneDrive for Android supports Chromecast streaming as of its latest update.

Microsoft had previously teased plans to support Chromecast streaming for files stored in its free cloud storage service.

With OneDrive (v3.2) for Android this feature is delivered.

You can fling compatible images, music and video files stored in a OneDrive account to a nearby TV with just a couple of taps.

Using the feature is simple enough. When OneDrive detects a Chromecast device on the network it shows a Cast button in the toolbar. Clicking on this button prompts the user to select a target Cast device. Users can then proceed to tap on a file to open/preview it on their TV.

OneDrive joins Google Drive, Dropbox and Box as cloud storage supporting the technology.

Download OneDrive for Android

OneDrive for Android is a free application and is available from the Google Play Store. Note that it requires a (free) Microsoft account to be used.”

PC Sales Slump in Anticipation of Windows 10

It will temporarily hurt PC sales, but, it shows how much people are anticipating Windows 10!

Anticipation of Windows 10 Release Stalls PC Sales

Redmond Magazine – By: Jeffrey Schwartz – “It’s not unusual for PC sales to fall off in advance of a new operating system release and last quarter was no exception.

PC shipments plummeted 11.8 percent in the three-month period that ended June 30 over the same period last year, according to IDC’s quarterly PC Tracker report released Thursday night. The decline was 1 percent more than IDC had earlier projected but was overall in line with the fact that the comparative period last year was buoyed by Windows XP’s end of life and the fact that sales channels were reducing inventories to make way for this month’s release of Windows 10.

Similar to Gartner, IDC doesn’t anticipate an immediate bump after Microsoft’s July 29 release of Windows 10. Gartner earlier this week said it’s predicting a 5.7 percent decrease in PC spending this year. IDC points to another noteworthy, but certainly not surprising, point: the free Windows 10 upgrade for those with Windows 7 Home and Pro editions will certainly stall new PC purchases.

Another reason IT professionals will want to wait, at least initially, is for new PCs based on Intel’s new processor line, code named Skylake, as well as a new line of Broadwell CPUs. ‘All of the hardware vendors are readying new designs based on Skylake and to take advantage of the new Windows design with thinner, lighter and better battery life,’ said Patrick Moorhead, president and principal analyst with Moor Strategy.

Moorhead, who follows the PC industry closely, believes Windows 10 will be a popular operating system. Despite the obvious criticism of its predecessor, Moorhead believes the return of application developers will be key to its success. ‘I believe there will be many more apps in this ecosystem, if nothing else because of the ease for which you can get them into Windows 10,’ Moorhead said.

However, Moorhead believes some predictions that Windows 10 will get a strong lift in the first year are overstated. That includes our survey, published Wednesday, that found that 55 percent will upgrade in the first year, with 21 percent doing so in the first three months. A more reasonable expectation, Moorhead said, is 20 to 30 percent will roll out Windows 10 within a year. ‘I don’t believe any research out there is worth anything because upgrades will be dependent on the promotions Microsoft does,’ Moorhead said. ‘We haven’t seen them yet but they’re coming.'”

A Fix for Chromecast Connectivity

If you have been having issues as a Chromecast user (I haven’t) then you now have a fix!

Google finally has a fix for Chromecast’s biggest problem

Techradar – By: Nick Pino – “The Google Chromecast was almost perfect when it launched in 2014.

It offered a low-cost, lightweight option to mirror exactly what you see on your handheld or tablet to the big screen. But if you didn’t have a consistent Wi-Fi signal in your living room, you could pretty much kiss any chance of having a flawless stream goodbye.

Capitalizing on the one flaw plaguing its pint-sized streaming stick, Google has finally released an ethernet adapter that will replace the power cord that ships with the basic Chromecast.

The ethernet adapter costs $15 and offers a single 10/100 ethernet port on its backside. It’s currently only available in the US and, as of when this article was written, is completely sold out on the Google Store. (If you’re in the UK or Australia, don’t worry. We’ve reached out to Google for additional details on international pricing and availability.)

Google has sold more than 10 million Chromecast units since launch worldwide and continues to be one of the highest selling streaming devices on the planet.”
