Hack the USAF [Engadget]

Whilst finding vulnerabilities is a bad thing, having them found by white hat hackers is a good thing. Hackathons like this one prove that it can be constructive to get a group of them in to find and help fix vulnerabilities in your system before they are found in public and exploited to death before you have a chance to fix them.

The US Air Force’s second security hackathon has paid dividends… both for the military and the people finding holes in its defenses. HackerOne has revealed the results of the Hack the Air Force 2.0 challenge from the end of 2017, and it led to volunteers discovering 106 vulnerabilities across roughly 300 of the USAF’s public websites. Those discoveries proved costly, however. The Air Force paid out a total of $103,883, including $12,500 for one bug — the most money any federal bounty program has paid to date.

 

https://www.engadget.com/2018/02/19/hack-the-air-force-2/

 

Massive Intel Chip Security Flaw Threatens Computers

An Intel flaw that has been sitting hidden for a decade has finally surfaced.

Being on the chip rather than the OS, it doesn’t affect a single OS — with Linux, Windows and MacOS being mentioned in this article.

https://www.linuxinsider.com/story/85039.html

Apache bug leaks contents of server memory for all to see—Patch now | Ars Technica

Another vulnerability hits the news. Whilst similar to heartbleed in leaking memory contents, it does not seem to be too risky if you’re running it as a single user, and the memory leak isn’t huge quantities.

Saying that, this vulnerability also may also affect cloud systems. For example, on AWS, (which has httpd), doing a version check:

$ httpd -v
Server version: Apache/2.4.27 (Amazon)
Server built: Aug 2 2017 18:02:45

However, without knowing how Amazon have setup Apache behind the scenes, are we able to say definitely that we are/aren’t affected?

Source: Apache bug leaks contents of server memory for all to see—Patch now | Ars Technica

No, 900 million Android devices are not at risk from the ‘Quadrooter’ monster | Computerworld

You’ve probably seen articles inducing panic around the number of android devices vulnerable to this Quadrooter bug. But read through the below first.

 

 

Another day, another overblown Android security scare. Who’s ready for a reality check?

Source: No, 900 million Android devices are not at risk from the ‘Quadrooter’ monster | Computerworld

Guys, gals, aardvarks, fishes: I’m running out of ways to say this. Your Android device is not in any immediate danger of being taken over a super-scary malware monster.

It’s a silly thing to say, I realize, but we go through this same song and dance every few months: Some company comes out with a sensational headline about how millions upon millions of Android users are in danger (DANGER!) of being infected (HOLY HELL!) by a Big, Bad Virus™ (A WHAT?!) any second now. Countless media outlets (cough, cough) pick up the story and run with it, latching onto that same sensational language without actually understanding a lick about Android security or the context that surrounds it.

To wit: As you’ve no doubt seen by now, our latest Android malware scare du jour is something an antivirus software company called Check Point has smartly dubbed “Quadrooter” (a name worthy of Batman villain status if I’ve ever heard one). The company is shouting from the rooftops that 900 million (MILLION!) users are at risk of data loss, privacy loss, and presumably also loss of all bladder control — all because of this hell-raising “Quadrooter” demon and its presence on Qualcomm’s mobile processors.

“Without an advanced mobile threat detection and mitigation solution on the Android device, there is little chance a user would suspect any malicious behavior has taken place,” the company says in its panic-inducing press release.

Well, crikey: Only an advanced mobile threat detection and mitigation solution can stop this? Wait — like the one Check Point itself conveniently sells as a core part of its business? Hmm…that sure seems awfully coincidental.

TL;DR: A “mobile threat detection and mitigration solution” is already present on practically all of those 900 million Android devices. It’s a native part of the Android operating system called Verify Apps, and it’s been present in the software since 2012….. Android has had its own built-in multilayered security system for ages now. There’s the threat-scanning Verify Apps system we were just discussing. The operating system also automatically monitors for signs of SMS-based scams, and the Chrome Android browser keeps an eye out for any Web-based boogeymen.

%d bloggers like this: