NEWS - October 15, 2015

Attackers can use Siri, Google Now to secretly take over smartphones

A team of researchers from the French Network and Information Security Agency (ANSSI) has devised a way to covertly exploit the Siri and Google Now voice activated personal assistants in order to make the target's smartphone send messages and emails, visit potentially malicious sites, make pricey phone calls or even become an eavesdropping device.

For the attack to be successful, the devices must have headphones with a microphone plugged in, and the attacker must be within close range of it, but doesn't have to have immediate physical access to the device.

The attack works like this: the headphones’ cord functions as an antenna, and the wire converts electromagnetic waves sent by the attackers into electrical signals, which the OS interprets as voice commands coming via the microphone.

Continued :

Hackers Can Silently Control Siri From 16 Feet Away
Hijacking phones with radio waves, Siri and headphones. Should we worry?
Ingenious attack shows how Siri could be hijacked silently from 16 feet away, but don't lose any sleep
Discussion is locked
Reply to: NEWS - October 15, 2015
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - October 15, 2015
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Dridex botnet taken down, multi-million bank fraud suspect..
.. arrested

The US Department of Justice (DoJ) has just announced the disruption of an active botnet and the arrest of its alleged operator.

A botnet, as you probably know, is a "robot network" - a collection of computers in homes and offices around the world that are infected by malware that allows an operator, known as the botherder, to take control of those zombie computers from afar.

And a takedown is when law enforcement, often with the assistance of ISPs and security researchers, infiltrates the botnet in order to reduce the harm it can do.

Continued :

Related: Law Enforcement Shuts Down Dridex Operation
- Collapse -
YOU are the computer security problem!
Graham Cluley wrote in his above titled blog post yesterday .......

Today law enforcement agencies warned the public about the Dridex malware that has been targeting customer of online banks for the last year or so.

Interestingly, Dridex doesn't rely upon any vulnerabilities or sneaky shortcuts in its quest to infect your Windows PC. Instead, the malicious hackers spam out their attacks as email attachments using social engineering lures to trick potential victims into opening, say, a poisoned Word document and enabling macros to allow the malicious code to run.

In other words, you allowed your computer to become infected by Dridex by opening an unsolicited email attachment, and then perhaps gave its malicious macro to run.

How are you going to "patch the bug in your brain" that so many internet attacks rely upon?

The post and his VIDEO response can be found here:
- Collapse -
Researchers Find 85 Percent of Android Devices Insecure

Roughly 85 percent of Android devices been exposed to one of 13 critical vulnerabilities that plague the operating system – and because of a chronic failure by carriers to issue patches, many linger without getting fixed for far too long, researchers said.

Especially in the wake of Stagefright, the disparity between how carriers apply Android patches has been well documented – some devices remain vulnerable for months, others years. Now researchers are assigning numbers to each company to identify just who’s better protecting users, in hopes that it serves as an incentive for them to deliver more prompt fixes.

Continued :

- Collapse -
Windows 10 upgrade installing automatically on some ..
.. Windows 7, 8 systems

"Microsoft says that the optional update was enabled by mistake."

For the first year of its availability, Windows 10 is available for free to most Windows 7 and 8 users, and Microsoft has been trying to coax those users to make the switch by delivering the operating system through Windows Update. Until now, the OS has been delivered as an optional update; while Windows Update gives it prominent positioning, it shouldn't be installed automatically.

This system has already generated some complaints, as Windows Update will download the sizeable operating system installer even if you don't intend to upgrade any time soon, but, over the last couple of days, the situation seems to have become a little more aggressive. We've received a number of reports that people's systems are not merely downloading the installer but actually starting it up. [Screenshot]

Continued :
- Collapse -
Phishing sites exploit trust in valid SSL certificates

"Cyber criminals are taking advantage of cheap, low-cost options to grab valid SSL certificates for phishing sites"

Certificate authorities aren’t scrutinizing who gets their SSL certificates, and now a large number of phishing sites have legitimate certificates, said Netcraft, a United Kingdom-based Internet security and research company.

SSL certificates rely on trust. Website operators deploy SSL on their sites so that the data transferred between the Web browser and the server are sent over a secure connection. Certificate authorities issue SSL certificates to show the holder is a legitimate owner of the site. Web browsers typically display a padlock sign to indicate the site has a valid certificate.

Continued :

- Collapse -
Google Patches Chrome, Changes Mixed Content Warnings

Google has made some changes to the way it presents browser warnings in Chrome.

Starting with Chrome 46, don’t expect to see the yellow warning icon on HTTPS pages with minor errors. Google announced on Tuesday that it would start marking those pages with the neutral icon it uses on unencrypted HTTPS pages; the change, it said, will affect HTTPS pages with mixed content.

“Site operators face a dilemma: Switching an HTTP site to HTTPS can initially result in mixed content, which is undesirable in the long term but important for debugging the migration. During this process the site may not be fully secured, but it will usually not be less secure than before,” Lucas Garron and Chris Palmer of the Chrome security team wrote in a blog post yesterday.


- Collapse -
Android Security Update Includes Fix for Stagefright ..
.. Vulnerabilities Discovered by Trend Micro

From the "TrendLabs Security Intelligence Blog" :

The discovery of the first Stagefright vulnerability last July is turning out to be just the beginning of many security concerns for Android users.

The latest Nexus security bulletin released earlier this month includes updates for 15 remote code execution vulnerabilities related to libstagefright, all tagged as critical. We discovered four of the mentioned vulnerabilities (all affecting Lollipop 5.1 and below):

Continued :

CNET Forums