Security Leftovers
-
IBM researchers show how “warshipping” turns physical mail into [an attack] vector
The researchers pulled it off with a simple hand-built computer they cobbled together from off-the-shelf components. The device, which cost about $100 to assemble, consisted of a single circuit board packing a 3G modem for communicating with a remote-control server and executing attacks.
“While in transit, the device does periodic basic wireless scans, similar to what a laptop does when looking for Wi-Fi hotspots. It transmits its location coordinates via GPS back to the C&C [command and control server,” Henderson detailed.
“Once we see that a warship device has arrived at the target’s front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively or actively attempt to attack the target’s wireless access,” he elaborated. “The goal of these attacks is to obtain data that can be cracked by more powerful systems in the lab.”
-
Warshipping: Attackers can access corporate networks through the mailroom
The expression has been coined by IBM X-Force Red researchers to describe a new attack vector, which consists of covertly delivering to the target’s premises small devices that can be used to gain access to the home or office wireless network and assets connected to it.
-
What's behind the Google Cloud-VMware partnership? [Ed: VMware is a back doors company; Snowden showed EMC/RSA role.]
Kurian and his peer Sanjay Poonen, chief operating officer for customer operations at VMware, each used that post to identify a pool of customers that had been asking for better interoperability between the two vendors, with the Google Cloud VMware Solution by CloudSimple announced as a result.
This new product, which will be generally available later this year, allows customers to run workloads on VMware's flagship vSphere platform natively in Google Cloud Platform.
-
[Attackers] Can Break Into an iPhone Just by Sending a Text
At the Black Hat security conference in Las Vegas on Wednesday, Google Project Zero researcher Natalie Silvanovich is presenting multiple so-called “interaction-less” bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device. And while Apple has already patched five of them, a few have yet to be patched.
-
A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts
At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors. Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible.
Santamarta admits that he doesn't have enough visibility into the 787's internals to know if those security barriers are circumventable. But he says his research nonetheless represents a significant step toward showing the possibility of an actual plane-hacking technique. "We don't have a 787 to test, so we can't assess the impact," Santamarta says. "We’re not saying it’s doomsday, or that we can take a plane down. But we can say: This shouldn’t happen."
-
Attack on Connected Cars Could Could Kill Thousands, Advocacy Group Claims [iophk: bad design at the bottom of this]
Meanwhile, the auto industry is doing little, or not enough, to protect a mass attack on the most critical mode of transport, the car, within a critical industry.
-
Newcomer EndeavourOS Offers a Friendlier Arch Linux Experience
EndeavourOS has a lot of potential. It is an impressive addition to the shortlist of distros that want to make using Arch a more rewarding experience. For a Linux distro built around one of the more challenging Linux families, EndeavourOS is a stable, solid performer with few, if any, noticeable quirks. That shouts volumes, given the relative youth of the first stable release following beta development. EndeavourOS is not an easy choice for Linux users with no hands-on experience with the Arch Linux ecosystem. Despite its newness, though, it is a better Arch Linux choice than other Arch variants. It is a great choice for those willing to roll up their sleeves and learn Arch Linux's inner workings. Hopefully, EndeavourOS succeeds in making the Arch-based neighborhood a more inviting place for new users and seasoned Arch users as well.
Ubuntu 18.04.3 LTS Is Out with Linux Kernel 5.0 from Ubuntu 19.04, Download Now
Coming six months after the Ubuntu 18.04.2 LTS release, which shipped with the hardware enablement (HWE) kernel from the not deprecated Ubuntu 18.10 (Cosmic Cuttlefish) operating system, Ubuntu 18.04.3 LTS here as the third point release in the Ubuntu 18.04 LTS (Bionic Beaver) series with up-to-date components. Ubuntu 18.04.3 LTS includes all the latest software and security fixes that have been published on the official repositories of the Ubuntu 18.04 LTS release since February 14th, 2019, when Ubuntu 18.04.2 LTS hit the streets. It also ships with updated kernel and graphics stacks from Ubuntu 19.04 (Disco Dingo), such as Linux kernel 5.0.
