Shared posts

21 Jan 19:09

Android Vulnerability Enables VPN Bypass

by Brian Donohue

A vulnerability in the Android mobile operating system could allow hackers to write applications that would bypass a secure virtual private network connection and redirect traffic in clear text to an attacker.

Researchers from Israel’s Ben Gurion University say the vulnerability can be exploited by a specially crafted malicious application that bypasses the device’s VPN configuration and redirects its traffic to a separate network address.

In a write-up on the university’s cyber security blog, Dudu Mimran, the department’s chief technology officer, writes that a malicious application capable of bypassing the VPN would not require root permissions. Furthermore, he says, there is no indication to the user that his or her data is being captured while the exploit runs.

In a video demonstration, the researcher tests the exploit on a Samsung Galaxy S4, though he says he has tested it on a number of devices from various vendors. In the background of the video, a packet-capturing tool runs on a desktop machine connected to the same network. As Mimran opens the malicious application, presses the exploit button, turns on the VPN and sends an email, the monitor in the background can be seen collecting the traffic in transit from the Android device.

The bypass reportedly redirects TLS and SSL traffic as well, though that traffic remains encrypted after it is captured, so only connections that are not themselves encrypted are exposed in clear text. Mimran says the bug is confirmed on the most widely deployed Android version, 4.3 Jelly Bean, and that the researchers are in the process of testing the exploit on the newer 4.4 KitKat release.

Mimran says he reported the vulnerability to Google’s Android security team on Jan. 17 and that he will publish the full bug details as soon as Google resolves the issue. A request to Google to confirm the existence of the flaw was not returned by the time of publication. This research is part of Ben Gurion University Cyber Security Labs’ ongoing effort to uncover mobile security vulnerabilities. Late last year, another researcher there uncovered a serious security flaw in Samsung Knox.

17 Jan 14:42

Homeless man VS your cat

by Matthew Inman

17 Jan 14:23

Starbucks App Stores User Information, Passwords in Clear Text

by Chris Brook
Corey G

Nice! I wonder if there was actually some support logic about including the CLSLog methods in production release.

A vulnerability in Starbucks’ mobile app could be putting coffee drinkers’ information–including their usernames, email addresses and passwords–at risk.

The problem stems from the way session.clslog, the Crashlytics log file, handles those credentials in the event of a crash. Within the file there are “multiple instances” where the credentials are stored in clear text, something that could allow an attacker who obtains the file to recover and later use the information to access a user’s account, either on the device in question or online at Starbucks’ account log-in page.

The vulnerability exists in the most recent build of the app, version 2.6.1 for iOS.

Starbucks’ app lets users connect their Starbucks card to their smartphone, reload funds via Paypal or credit card and allows them to treat the device like cash in stores worldwide. Ardent java fans can manage their card through the app and accrue Rewards with each purchase.

Daniel Wood, a Minneapolis-based security researcher and penetration tester, discovered the vulnerability last year and reported it to Starbucks in December, but has yet to hear from the company regarding a fix.

It wasn’t until Monday, however, that Wood went public and published his findings on seclists.org’s Full Disclosure list.

According to Wood, the file, which can be found at /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog, contains more than just the user’s login information.

In re-testing the vulnerability last night, Wood discovered that the user’s full name, address, device ID and geolocation data are all being stored in clear text as well. This information appeared after Wood reinstalled the app and monitored the session.clslog file during user signup.

Wood also found the app’s OAuth token and the OAuth signature attached to the device in question.

“It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the user’s account/device to the Starbucks service,” Wood said in his write-up.

It’s unclear if a fix is in the works for the app but Starbucks hasn’t released an update since May 2, 2013.

Wood, a member of Open Web Application Security Project (OWASP), recommends future versions of the app adhere to best practices.

In this case, Starbucks should filter and sanitize data upon output “to prevent these data elements from being stored in the Crashlytics log files in clear text, if at all,” Wood writes in his disclosure.
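The sanitize-on-output fix Wood recommends, as an added example that is not Starbucks’, Crashlytics’ or Wood’s code: a redaction step applied to a request payload before it is handed to a crash-reporter log, beside the unredacted logging the disclosure describes, plus the check a tester would run over a session.clslog-style dump to confirm no sensitive key survived in clear text. The key names, the log line format and the sample events are assumptions constructed for the example (the real app is iOS/Objective-C; Python is used here so the check can be run directly).

```python
import json
import re

# Keys that must never reach a crash log in clear text.  This list is an
# assumption for the example; a real app would derive it from its own
# request schemas (password, OAuth material, device identifiers, location).
SENSITIVE_KEYS = ("device_id", "oauth_signature", "oauth_token", "passwd", "password")

# Constructed sample events of the kind the disclosure says ended up in
# session.clslog: a login request, the OAuth credentials for the device,
# and an ordinary crash-context entry.  All values are made up.
SAMPLE_EVENTS = [
    ("login_request", {"username": "cup.of.joe@example.com", "password": "hunter2"}),
    ("oauth_ok", {"oauth_token": "tok-7f3c9a1e", "oauth_signature": "sig-2b8d4c0f",
                  "device_id": "A1B2C3D4-0000-4000-8000-000000000001"}),
    ("crash_context", {"screen": "AccountLogin", "build": "2.6.1"}),
]


def unsafe_log_line(event, payload):
    """The pattern the disclosure describes: the whole payload is logged as-is."""
    return "%s %s" % (event, json.dumps(payload, sort_keys=True))


def redact(obj):
    """Return a copy of a JSON-like structure with sensitive values masked.
    Recurses into nested dicts and lists; key matching is case-insensitive."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def safe_log_line(event, payload):
    """What a CLSLog-style call should receive: the event name plus the
    payload serialized only after redaction, so no raw body is ever logged."""
    return "%s %s" % (event, json.dumps(redact(payload), sort_keys=True))


def make_log(formatter):
    """Build a session.clslog-style dump from the sample events."""
    return "\n".join(formatter(event, payload) for event, payload in SAMPLE_EVENTS)


# Matches key=value or "key": "value" for any sensitive key; the value
# group stops at a quote, comma, whitespace or closing brace.
SECRET_PATTERN = re.compile(
    r'"?(?P<key>%s)"?\s*[=:]\s*"?(?P<value>[^",\s}]+)' % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE)


def find_cleartext_secrets(log_text):
    """Scan a crash-log dump for sensitive keys whose value is not masked.
    Returns (line_number, key) pairs so a tester can point at each leak."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        for match in SECRET_PATTERN.finditer(line):
            if match.group("value") != "[REDACTED]":
                findings.append((number, match.group("key").lower()))
    return findings


if __name__ == "__main__":
    print("leaks in unredacted log:", find_cleartext_secrets(make_log(unsafe_log_line)))
    print("leaks in redacted log:  ", find_cleartext_secrets(make_log(safe_log_line)))
```

Redacting before serialization matters: masking the string after json.dumps would have to guess at every encoding a value might appear in, while masking the structure guarantees the secret never exists in the log buffer at all. The scanner is deliberately loose (it also catches key=value forms and keys embedded in longer names such as old_password) because a crash-log review should err toward false positives.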

When reached Wednesday, Crashlytics, a Boston-based firm that specializes in crash reporting solutions, couldn’t comment on specific customers but did reiterate that the firm doesn’t recommend developers log sensitive information.

Crashlytics Cofounder Wayne Chang said via email that the issue appears to involve one of the service’s plaintext logging features and that Crashlytics doesn’t collect usernames or passwords automatically. The feature, CLSLog, is an “optional feature that developers can use to log additional information.”

Wood says he has so far done only static analysis of the application and has yet to examine its network traffic, but suspects there is a privacy issue there as well.

“During my static analysis I noticed some JSON requests which contain some sensitive data in the request,” Wood said, suggesting a vulnerability could be present.

Maggie Jantzen, a spokeswoman for Starbucks claimed the company was aware of Wood’s research and what it has deemed “theoretical vulnerabilities” but insisted Wednesday that there isn’t a direct impact to its customers at this time.

“To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way,” Jantzen said.

12 Jan 18:00

John Vs The Trees: Woodcutter Simulator 2013

by John Walker
Corey G

I played this game at a LAN, it was the stupidest thing I've ever played. But, it was a sort of interesting stupid.

I know a classic when I see it. There it is, near the top of Steam’s list of new games: Woodcutter Simulator 2013. Sure, it’s already out-of-date, and likely won’t feature 2014′s most exciting range of woodcutting innovations, but I was prepared to suck that up and get on. I, as a woodcutter, am burly, powerful, able to take on anything. Look at my rugged frame! My bushy woodsman beard! LOOK AT ME HOLDING A CHAINSAW!

12 Jan 17:57

[CES 2014] Hisense Blurs The Line Between Phone And Tablet With The Massive 6.8-Inch X1

by Michael Crider
Corey G

I would be so much more impressed with a well spec-ed 4.3-4.5" phone.

The likes of HTC and Samsung have been pushing phones to larger and larger dimensions for years, but humble Chinese manufacturer Hisense is about to shoot for the moon. Their high-end X1 prototype is being shown off at CES 2014, and it's big enough to comfortably fit in a form factor that was previously reserved for "small" tablets. Its 6.8-inch screen makes almost every other phone look small.

Liliputing has an initial hands-on with the device, which has some high-end hardware to match the big frame.

[CES 2014] Hisense Blurs The Line Between Phone And Tablet With The Massive 6.8-Inch X1 was written by the awesome team at Android Police.

12 Jan 17:54

Razer Announces Easy-To-Upgrade Project Christine

by Nathan Grayson
Corey G

Very nice case design, kind of just want that.

My PCs' names are DarkLord (with sporty pink background!) and Sir Face. What are yours?

Razer’s latest bit of PC mad science might look like an alien ribcage, but it aspires to big things. For those of us who worship at The Impossibly Tall Altar Of Horace, building a PC is a routine task, but those who’ve yet to realize the stars in the sky are merely his universe-nourishing teats aren’t as keen on it. There are cards and motherboards and cooling systems and cases and wires. Sure, the process might be easier than ever, but it’s still not the sort of thing you see grandmothers doing in place of jigsaw puzzles (well, except for really, really cool grandmas). With Project Christine, Razer wants to make PC upgrades simple for everyone. But also, you know, probably proprietary.

12 Jan 17:53

[Hands-On] The Air Dock Wireless Car Charger Might Get Everything Right

by Ryan Whitwam
Corey G

$63, hmm. I just built a similar magnetic car qi charger for about $30 in materials that integrates into my dash a bit better.

As even a brief survey of the world could tell you, we live in the future. As such, isn't it about time to stop plugging wires into all your devices? Qi-compatible charging is showing up in more phones and tablets to make it easier to get some juice by just setting your phone down. Still, there isn't a good wireless solution for the car, but the Air Dock might be the first.

[Hands-On] The Air Dock Wireless Car Charger Might Get Everything Right was written by the awesome team at Android Police.

12 Jan 17:48

International Space Station Awaits Orbital-1 Resupply Mission

The sun shines through a truss-based radiator panel and a primary solar array panel on the Earth-orbiting International Space Station (ISS) in this photograph taken by an Expedition 38 crew member on Jan. 2, 2014. The crew on the ISS is awaiting the first commercial resupply mission to the ISS by Orbital Sciences, Orbital-1. Orbital Sciences will proceed with a 1:07 p.m. EST launch attempt of the Orbital-1 cargo resupply mission to the ISS today, Thursday, Jan. 9. Meanwhile, as more than 30 heads of space agencies from around the world gather in Washington Jan. 9-10 for an unprecedented summit on the future of space exploration, the Obama Administration has approved an extension of the ISS until at least 2024. Join the conversation on Twitter by following #Orb1. Image Credit: NASA

12 Jan 17:45

SSH debugging sucks

by Everything Sysadmin

How much human productivity is lost every day due to the horrible debugging messages in SSH? I bet it is thousands of hours world-wide. It isn't just sysadmins: programmers, web developers, and many non-technical users are frustrated by this.

I'm pretty good at debugging ssh authentication problems. The sad fact is that most of my methodology involves ignoring the debug messages and just "knowing" what to check. That's a sad state of affairs.

The debug messages for "ssh -v" should look like this:

HELLO!
I AM TRYING TO LOG IN. I'VE TOLD THE SERVER I CAN USE (method,method,method).
I AM NOW TRYING TO LOG IN VIA (method).
I AM SENDING (public key).
THAT DID NOT WORK. I AM SAD.
I AM NOW TRYING TO LOG IN VIA (method).
I AM SENDING USERNAME foo AND a password of length x.
THAT DID WORK. I AM LOGGING IN. I AM HAPPY.

Similarly, on the server side, "sshd -d" should look more like:

HELLO!
SOMEONE HAS CONTACTED ME FROM IP ADDRESS 1.1.1.1.
THEY HAVE TOLD ME THEY CAN LOG IN USING THE FOLLOWING METHODS: (method1,method2,method3).
THEY ARE NOW TRYING (method)
THEY GAVE ME (first 100 bytes of base64 of public key)
THAT DID NOT WORK.
TIME TO TRY THE NEXT METHOD.
THEY ARE NOW TRYING (method)
THEY GAVE ME A PASSWORD OF LENGTH x
THAT DID WORK.
I WILL LET THEM LOG IN NOW.

Instead we have to look at messages like:

debug1: monitor_child_preauth: tal has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_newkeys_from_blob: 0x801410a80(150)
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x801410a80(150)

Sigh.

I actually started looking at the source code to OpenSSH today to see how difficult this would be. It doesn't look too difficult. Sadly I had to stop myself because I was procrastinating from the project I really needed to be working on.

I'd consider paying a "bounty" to someone that would submit a patch to OpenSSH that would make the debug logs dead simple to understand. Maybe a kickstarter would be a better idea.

The hard part would be deciding what the messages should be. I like the Kibo-esque (well, actually B1FF-esque) version above. I hope you do too.

If anyone is interested in working on this, I'd be glad to give input. If someone wants to do a kickstarter I promise to be the first to donate.
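One concrete step toward the client-side output the post asks for, as an added example that is not part of OpenSSH or of the original post: a filter that reads "ssh -v" output and rewrites the authentication-related debug1 lines as the plain narrative above, dropping the key-exchange and monitor chatter. It keys on the debug1 message formats the OpenSSH 6.x client prints; the server-side "sshd -d" output is not handled. The sample session below is constructed for the example, not a capture, and the script name in the usage note is assumed.

```python
import re
import sys

# Constructed sample of "ssh -v tal@example.org" output, trimmed to the
# authentication-related debug1 lines the OpenSSH 6.x client prints: one
# rejected RSA key, a missing DSA key file, a failed keyboard-interactive
# attempt and a successful password.  This is not a real capture.
SAMPLE_SSH_V = """\
debug1: Connecting to example.org [192.0.2.10] port 22.
debug1: Connection established.
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/tal/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Trying private key: /home/tal/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
"""


# Each handler gets the regex match and a small state dict and returns the
# narrative lines to emit.  state["attempt"] records an outstanding attempt
# so that the next "Authentications that can continue" (which the client
# prints after every server rejection) can be reported as a failure.
def _connect(m, st):
    return ["HELLO! I AM CONTACTING %s (%s) ON PORT %s." % m.groups()]


def _can_continue(m, st):
    out = []
    if st["attempt"]:
        out.append("THAT DID NOT WORK. I AM SAD.")
        st["attempt"] = None
    if not st["offered"]:
        out.append("THE SERVER SAYS I MAY USE (%s)." % m.group(1))
        st["offered"] = True
    return out


def _next_method(m, st):
    st["attempt"] = m.group(1)
    return ["I AM NOW TRYING TO LOG IN VIA %s." % m.group(1)]


def _offer_key(m, st):
    st["attempt"] = "publickey"
    return ["I AM SENDING THE PUBLIC KEY FROM %s." % m.group(1)]


def _try_key(m, st):
    # Printed for identities not yet loaded; ssh sends the key if the file exists.
    st["attempt"] = "publickey"
    return ["I AM LOOKING FOR A KEY FILE AT %s (IF IT EXISTS I WILL SEND IT)." % m.group(1)]


def _accepts(m, st):
    return ["THE SERVER LIKES THAT KEY. I AM SIGNING A CHALLENGE WITH IT."]


def _success(m, st):
    st["attempt"] = None
    return ["THAT DID WORK. I AM LOGGING IN VIA %s. I AM HAPPY." % m.group(1)]


def _denied(m, st):
    st["attempt"] = None
    return ["THAT DID NOT WORK AND I HAVE NOTHING LEFT TO TRY (%s). I AM SAD." % m.group(1)]


RULES = [
    (re.compile(r"^Connecting to (\S+) \[([^\]]+)\] port (\d+)\."), _connect),
    (re.compile(r"^Authentications that can continue: (\S+)"), _can_continue),
    (re.compile(r"^Next authentication method: (\S+)"), _next_method),
    (re.compile(r"^Offering (?:\S+ )?public key: (\S+)"), _offer_key),
    (re.compile(r"^Trying private key: (\S+)"), _try_key),
    (re.compile(r"^Server accepts key:"), _accepts),
    (re.compile(r"^Authentication succeeded \((\S+)\)\."), _success),
    (re.compile(r"^Permission denied \((\S+)\)\."), _denied),
]


def summarize(lines):
    """Turn ssh -v output into the plain-language narrative the post asks for.
    Lines no rule recognises (key exchange, ciphers, monitor chatter) are dropped."""
    state = {"attempt": None, "offered": False}
    narrative = []
    for raw in lines:
        message = re.sub(r"^debug\d+: ", "", raw.strip())
        for pattern, handler in RULES:
            match = pattern.match(message)
            if match:
                narrative.extend(handler(match, state))
                break
    return narrative


if __name__ == "__main__":
    source = SAMPLE_SSH_V.splitlines() if sys.stdin.isatty() else sys.stdin
    for line in summarize(source):
        print(line)
```

Run it as "ssh -v user@host 2>&1 | python sshnarrate.py" (ssh writes its debug output to stderr, hence the redirect); with nothing on stdin it narrates the constructed sample. The one piece of state that matters is recognising that "Authentications that can continue" after an outstanding attempt means the server rejected it, which is exactly the inference a human currently has to make by eye.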

04 Jan 13:38

Quiet Corona and Upper Transition Region of the Sun

This image, taken on Dec. 31, 2013 by the AIA instrument on NASA's Solar Dynamics Observatory at 171 Angstrom, shows the current conditions of the quiet corona and upper transition region of the Sun. Image Credit: NASA/SDO

24 Dec 16:18

Reddit's Earliest Days Were a NSFW Wonderland

by Jamie Condliffe

Reddit's come a long way since it first appeared online in 2006—but how has it changed over time? This visualization shows how the relative sizes of its subreddits have changed.

24 Dec 16:13

The first picture of the Earth and its moon in a single frame

by Robert T. Gonzalez

Earlier this month, NASA released this unprecedented clip of the Moon orbiting Earth. The footage reminded me of another image captured more than thirty years ago by Voyager 1 when it was still just 7.25-million miles from Earth: the first photo to feature Earth and its moon, in their entirety, in the same frame.

16 Dec 20:30

What I Learn From School Projects

16 Dec 17:54

Christopher Lee returns with a new heavy metal Christmas carol classic

by Rob Bricken

Oh, man. Christopher Lee is so old, you guys. Which is partially why it's so wonderful that's he's still churning out awesome holiday music like this new heavy metal cover (with accompanying metal lyrics!) of "Jingle Bells" titled, of course, "Jingle Hell." The other reason is that his singing voice is still amazing.

16 Dec 17:53

App Ops is Now Available via a Root-Only App on Android 4.4.2

by Eric Ravenscraft

Android (root): Google's App Ops on Android has had a rough history. It was never a consumer-facing feature and it keeps getting hidden. Now (and for the foreseeable future, most likely), you can access App Ops if you have root via a third-party app.

14 Dec 14:18

Why do Russians pour asphalt over snowed roads instead of plowing them?

by Jesus Diaz on Sploid, shared by Jesus Diaz to Gizmodo

When I saw the headline "Snow has fallen? Time to lay asphalt!" in English Russia today I thought it was some translation problem. But it was literal. It appears that Russians make new roads on top of snowed roads instead of cleaning them. Just look at the crazy pictures.

14 Dec 14:16

7 Reasons Never to Give 4Chan a 3D Printer

by Ashley Feinberg

Over at 3D printing marketplace Shapeways.com, inspired individuals are free to post their 3D-printable creations for all the world to buy. And sure, there's some more benign items like art and iPhone cases littered among the clutter, but dig a little deeper and you'll find what Shapeways masses really want: Goatse. Twerking. Fresco Jesus—the whole gang's right here.

09 Dec 14:10

Report: The NSA Has Undercover World of Warcraft Agents

by Jamie Condliffe
Corey G

Didn't see this coming..

For the NSA, your real life isn't enough. No, as well as reading your emails and monitoring your phone calls, its agents have been deployed inside MMORPGs like World of Warcraft and Second Life, as well as Xbox Live.

09 Dec 02:33

Employee Morale Is Suffering At the NSA

by samzenpus
Hugh Pickens DOT Com writes "Ellen Nakashima reports at the Washington Post that morale has taken a hit at the National Security Agency in the wake of controversy over the agency's surveillance activities and officials are dismayed that President Obama has not visited the agency to show his support. 'It is not clear whether or when Obama might travel the 23 miles up the Baltimore-Washington Parkway to visit Fort Meade, the NSA's headquarters in Maryland,' writes Nakashima, 'but agency employees are privately voicing frustration at what they perceive as White House ambivalence amid the pounding the agency has taken from critics.' Though Obama has asserted that the NSA's collection of virtually all Americans' phone records is lawful and has saved lives, the administration has not endorsed legislation that would codify it. And his recent statements suggest Obama thinks some of the NSA's activities should be constrained. 'The agency, from top to bottom, leadership to rank and file, feels that it has had no support from the White House even though it's been carrying out publicly approved intelligence missions,' says Joel Brenner, NSA inspector general from 2002 to 2006. 'They feel they've been hung out to dry, and they're right.' Former officials note how President George W. Bush paid a visit to the NSA in January 2006, in the wake of revelations by the New York Times that the agency engaged in a counterterrorism program of warrantless surveillance on U.S. soil beginning after the Sept. 11, 2001, terrorist attacks. 'Bush came out and spoke to the workforce, and the effect on morale was tremendous,' Brenner said. 'There's been nothing like that from this White House.' Morale is 'bad overall' says another former NSA official. 'It's become very public and very personal. Literally, neighbors are asking people, 'Why are you spying on Grandma?'"

Read more of this story at Slashdot.

07 Dec 05:26

Who's foolish enough to not bid on a Batman Tumbler golf cart?

by Casey Chan on Sploid, shared by Casey Chan to Gizmodo

I don't know about you guys but I don't have much self control when it comes to awesome things that deserve to be purchased. Even if they don't do anything I can't help myself. See awesome, buy awesome. I assume the entire world operates like that too. So now I'm thinking about how many people are going to put together money to grab this fantastic Batman Tumbler golf cart that's available on eBay. How could anyone resist?

07 Dec 05:19

Buy Amazon Gift Cards to Use Up that Prepaid Debit Card Balance

by Eric Ravenscraft

Gift cards are great for flexible spending, but some prepaid debit cards can be problematic to use. If you want to transfer the balance to something more usable, order an Amazon gift card with a custom amount.

07 Dec 05:10

Turn Beer Bottles into Attractive, Cheap Glasses

by Melanie Pinola
Corey G

Awesome end result but sounds rather dangerous..

Do you laugh in the face of danger and love beer? Happy day, then! Here's a cool DIY for you: Switch out your boring glassware and make drinking glasses out of beer bottles.

07 Dec 05:03

Supreme Court agrees to address key issue: Can software be patented?

by Joel Hruska
The Supreme Court of the United States has agreed to take a case on the legality and function of software patents. Patent trolls have become an increasing drag on US businesses -- it's hoped that the court will offer a clear decision on what can and cannot be patented.
07 Dec 04:55

10 Robot Deaths That Were More Moving Than Almost Any Human's

by Charlie Jane Anders and Jason Krell
Corey G

The Prime death from 1986 was brutal. What I'd give for one of the new transformer films to be as dark as that animated movie was.

When any beloved character dies, it's heart-rending — but sometimes, the death of a beloved robot (or android) can be the saddest of all. Maybe because we bond so intensely with artificial beings, their deaths can feel like losing a best friend. Here are 10 robot deaths that are more devastating than almost any human's.

07 Dec 04:51

Fox wants to build the new Fantastic Four with the help of the X-Men

by Meredith Woerner
Corey G

Playing LEGO marvel recently made me realize how immense it could be if Marvel Studios could get rights back from Fox and Sony for Xmen/FF/Spiderman. Guess that dream has to live in video games for now.

Simon Kinberg, who has produced X-Men: First Class, Elysium and is now on X-Men: Days of Future Past, is staying at Fox to set up the Fantastic Four franchise and set-up Fox's version of the Marvel movie-verse. This is good news.

07 Dec 04:44

Forget Mouse and Keyboard: Play Your Next PC Game with Tongue and Butt

by Eric Limer
Corey G

Oh shit. I immediately though of "IT" from south park.

With Steam Boxes looming large in the future, game-peddlers-cum-hardware-makers over at Valve have been experimenting with some new ways to control your PC. Yeah, there's the weird joystick-less Steam Controller, but Valve designer Ben Krasnow has some even weirder stuff: a tongue mouse and a butt controller.

07 Dec 04:41

Popular Android Flashlight App Straight-Up Lied About Selling Data

by Ashley Feinberg
Corey G

A flashlight app that asks for location and internet permission? Sounds great.

Were you one of the 100 million Android users that downloaded the Brightest Flashlight Free app? Did you conscientiously click "no" when asked if you'd like to allow the app to track your location data? Well, too bad, suckers. Because not only has the FTC revealed that the popular, light-giving app was secretly selling data to third parties, but its "option" to refuse the data collection in the first place was one big, fat lie.

07 Dec 04:38

The Fastest Way to Cool Down Beer

by Rob Cockerham - Cockeyed.com

Beer. I prefer to drink it cold.

01 Dec 19:05

Which Companies Are Encrypting Your Data Properly?

by Kurt Opsahl, Nate Cardozo & Parker Higgins - EFF

We've asked the companies in our Who Has Your Back Program what they are doing to bolster encryption in light of the NSA's unlawful surveillance of your communications. We're pleased to see that four companies—Dropbox, Google, SpiderOak and Sonic.net—are implementing five out of five of our best practices for encryption. In addition, we appreciate that Yahoo! just announced several measures it plans to take to increase encryption, including the very critical encryption of data center links, and that Twitter has confirmed that it has encryption of data center links in progress. See the infographic.

15 Nov 16:10

What Does It Take to Snag a Job as a Lego Designer?

by Kelsey Campbell-Dollaghan
Corey G

Looks like these guys really put it all together.

The Wall Street Journal goes behind the scenes today at a very stressful job interview for the coolest job in the world: Designer at Lego world headquarters in Billund, Denmark.
