NEWS - September 10, 2016

Sep 10, 2016 3:16PM PDT
Two critical bugs and more malicious apps make for a bad week for Android

"Google releases fixes for newer devices and ejects apps following reports."

It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google's official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren't eligible to receive the fixes.

Continued: http://arstechnica.com/security/2016/09/two-critical-bugs-and-more-malicious-apps-make-for-a-bad-week-for-android/

Related:
Patched Android Libutils Vulnerability Harkens Back to Stagefright
https://threatpost.com/patched-android-libutils-vulnerability-harkens-back-to-stagefright/120481/
Warning! Just an Image Can Hack Your Android Phone — Patch Now
http://thehackernews.com/2016/09/hack-android-phone-security.html

Google Chrome to shame leaky non-HTTPS sites from January
Sep 10, 2016 3:19PM PDT

Starting New Year's Day, Google will begin labeling as "insecure" all websites that transmit passwords or ask for credit card details over plain text HTTP.

If you use the ad giant's Chrome browser, and a lot of people do, in its 56th build and onwards any website that does not use a security certificate will feature a red exclamation mark and the text "Not secure," also in red, at the start of the web address.

Those that do use certificates and so have an HTTPS connection will continue to get a nice little green padlock icon.

Continued: http://www.theregister.co.uk/2016/09/08/chrome_to_shame_non_https_sites/

Related:
Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017
https://threatpost.com/chrome-to-label-some-http-sites-not-secure-in-2017/120452/
Unencrypted website? Expect to start being shamed by Google Chrome from January
https://www.hotforsecurity.com/blog/unencrypted-website-expect-to-start-being-shamed-by-google-chrome-from-january-16597.html

Small problem
Sep 10, 2016 9:40PM PDT

If I'm dealing with a web page I'm looking at the page.
I'm not looking at the address bar.

Unless there is something to draw my eyes to the address bar I would not notice what color it is.

USB device makes it easy to steal credentials from locked PC
Sep 10, 2016 3:20PM PDT

"Attackers can use rogue USB-to-Ethernet adapters to steal credentials from locked Windows, and possibly OS X, computers"

Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it isn't good enough, a researcher demonstrated this week.

Rob Fuller, principal security engineer at R5 Industries, found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds. The hash can later be cracked or used directly in some network attacks.

Continued: http://www.computerworld.com/article/3117742/security/a-usb-device-makes-it-easy-to-steal-credentials-from-locked-pcs.html

Related:
Stealing login credentials from a locked PC or Mac just got easier
http://arstechnica.com/security/2016/09/stealing-login-credentials-from-a-locked-pc-or-mac-just-got-easier/

The Limits of SMS for 2-Factor Authentication
Sep 10, 2016 3:22PM PDT

A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

Mark Cobb, a computer technician in Reno, Nev., said had his daughter fallen for the ruse, her Gmail account would indeed have been completely compromised, and she really would have been locked out of her account because the crooks would have changed her password straight away.

Continued: http://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentication/

CallJam malware infects Androids and keeps ringing premium rate numbers
Sep 10, 2016 3:51PM PDT

"Malware masquerades as Android game with a four-star rating on Google Play!"

A new mobile malware known as "CallJam" loves to continuously hit up premium phone numbers from the Android devices it infects.

Just like other Android trojans (such as Android.Xiny.19.origin and the DroidJack remote access tool), CallJam likes to masquerade as downloadable games in the official Google Play Store.

Specifically, this particular malware takes the form of a game called "Gems Chest for Clash Royale."

Continued: https://www.grahamcluley.com/2016/09/calljam-malware-infects-androids-keeps-ringing-premium-rate-numbers/
This USB stick will fry your unsecured computer
Sep 10, 2016 4:46PM PDT

A Hong Kong-based technology manufacturer, USBKill.com, has taken data security to the "Mission Impossible" extreme by creating a USB stick that uses an electrical discharge to fry an unauthorized computer into which it's plugged.

"When the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges -- all in the matter of seconds," the company said in a news release.

Continued: http://www.computerworld.com/article/3118344/computer-hardware/this-usb-thumb-drive-will-fry-your-unsecured-computer.html

Related:
Now you can buy a USB stick that destroys anything in its path
http://www.zdnet.com/article/now-you-can-buy-a-usb-stick-that-destroys-laptops/
New USB Kill 2.0 Thumb Drive Can Kill Your Laptop or PC in a Second
http://news.softpedia.com/news/new-usb-kill-2-0-thumb-drive-can-kill-your-laptop-or-pc-in-a-second-508126.shtml