Security researchers have discovered a bug in the Android WiFi Direct feature that could allow hackers to launch denial-of-service (DoS) attacks on Android devices.
WiFi Direct allows Android devices to connect to one another directly without needing a third-party device like a wireless router. The feature runs as standard in most Android smartphones today.
The guys at Core Security found the vulnerability, dubbed CVE-2014-0997, and said that a number of Android smartphones are vulnerable and can be affected by a DoS attack when scanning for WiFi Direct-capable devices.
An attacker could implement the DoS attack by sending a specially crafted 802.11 probe response frame “causing the Dalvik subsystem to reboot because of an Unhandle Exception on WiFiMonitor class”, said Core Security.
“On some Android devices processing a probe response frame with a WiFi-Direct (P2P) information element that contains a device name attribute with specific bytes generates a malformed supplicant event string that ends up throwing the IllegalArgumentException. As this exception is not handled the Android system restarts.”
In layman’s terms, the attacker could essentially reboot an Android device remotely, knocking it off the wireless connection.
Devices currently affected by the bug include the Nexus 5 and Nexus 4 running Android version 4.4.4, the LG D806 and the Samsung SM-T310 running Android 4.2.2, and the Motorola RAZR HD running Android 4.1.2.
Core Security said that other devices could also be affected. Android 5.0 Lollipop is not vulnerable to the exploit, so the firm suggests that Android users should update to the latest version where possible.
It’s patch week again for Adobe Flash Player, and this time the update is designed to fix a critical security bug in the much-maligned browser multimedia plug-in.
Flash Player has been updated to version 18.104.22.1686 to solve the vulnerability previously identified in the APSA15-01 Security Bulletin. The bulletin now contains information about the new version.
Flash Player 22.214.171.1246 was released with auto-update enabled on 24 January, two days earlier than the expected distribution date.
The standalone version was released on 26 January, as Adobe anticipated in the original bulletin, and users or sysadmins can download the full exe/msi installer straight from the official site.
Flash Player 126.96.36.1996 is now available for Internet Explorer and the plug-in based browsers on Windows and Mac systems.
A new version (188.8.131.520) is available for Linux operating systems and Oracle Solaris on the same page that provides the Windows/Mac versions.
Adobe is also said to be working with the company’s “distribution partners” to make the update available for those browsers that embed the Flash plug-in, namely Internet Explorer 10 and 11 and Google Chrome.
Flash Player 184.108.40.2066 is meant to end the exploitation of a zero-day vulnerability classified as CVE-2015-0311, for which a working exploit was already circulating in the wild.
Successful attacks via drive-by downloads were confirmed against machines running Internet Explorer and Firefox on Windows 8.1 and below.
The bug “could cause a crash and potentially allow an attacker to take control of the affected system”, Adobe warned in the original security bulletin.
Installing the updated version of the Flash Player plug-in is recommended.
The new Flash Player release contains no new features apart from fixing the CVE-2015-0311 bug.
These devices, known as automated tank gauges (ATGs), are also used to trigger alarms in case of problems with the tanks, such as fuel spills.
“An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system,” said HD Moore, the chief research officer at security firm Rapid7, in a blog post. “Tank gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply.”
Earlier this month, Moore ran a scan to detect ATGs that are connected to the Internet through serial port servers that map ATG serial interfaces to the Internet-accessible TCP port 10001. This is a common set-up used by ATG owners to monitor the devices remotely.
“Approximately 5,800 ATGs were found to be exposed to the Internet without a password,” Moore said. “Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 fueling stations in the country.”
Rapid7 decided to run the scan after being alerted to the problem by Jack Chadowitz, the founder of Kachoolie, a division of BostonBase that provides secure tank gauge access services.
Chadowitz had already developed an online service where ATG owners, particularly those using “a Gilbarco/Veeder Root TCP/IP card or a TCP/IP to serial converter such as those commonly available from Digi or Lantronix,” can check if they are at risk.
Some systems provide the capability to protect serial interfaces with a password, but this functionality is not commonly enabled, according to Moore.
Evolved versions of the notorious kjw0rm and Sir DoOoM malware, developed with advanced functionality, have been uncovered in a hacker forum, according to researchers at Trend Micro.
A threat response engineer at Trend Micro, Michael Marcos, said that he uncovered the malware while examining the Arabic-language dev-point.com forum, a bogus “computer enthusiast site”.
“One of the notable topics in the forum talked about new malware ‘kjw0rm’ and a worm named ‘Sir DoOom’, which both came about after the release of the Njw0rm malware source code in the same forum,” he explained.
The Njw0rm’s source code was leaked in May 2013. The evolved kjw0rm is currently available in two versions, both of which have advanced infiltration and infection mechanisms.
The first Kjw0rm V2.0 appeared initially on the forum in January 2014, while the updated 0.5X version and new Sir DoOoM malware followed in December.
The V2.0 malware is the most basic of the three and reportedly hides itself in bogus files within infected systems.
“The propagation method of this malware targets all folders in the root directory of the removable drive,” read the advisory.
V0.5X follows a developed version of the same tactic, and Sir DoOoM adds an anti-virtual machine capability.
“[V0.5X] obfuscated some portions of the malware code. The malware author utilises an obfuscator tool that converts characters to hex values, adds filler functions, and performs computations that make analysis more difficult and time-consuming,” explained Marcos.
“[Sir DoOoM] also has an anti-virtual machine routine. It first searches for a list of the installed programs in the affected computer.
“If this variant found itself in a computer where a virtual machine program is installed, it will uninstall and terminate itself from the affected system. This prevents analysts testing to determine malware behaviour.”
Trend Micro senior engineer Bharat Mistry told V3 that the variants are dangerous as they add several advanced functions.
“Previous versions were there mainly for password stealing from browsers. As the malware has evolved, after the initial infections it now has the ability to download and execute Visual Basic code [VBS],” he said.
“VBS is a powerful coding language and can be used to interact directly with the operating system on the infected device.
“Also it now has the ability to recognise if it is being used in a security testing environment known as a sandbox by looking for the presence of a virtual machine.
“Finally the replication has also advanced with the use of hidden files on removable storage devices such as USB sticks.”
He added that the new powers could be used to mount a variety of attacks.
“The malware can be used to perform a number of different functions, including download, installation and execution of additional files or tools to potentially gain administrator or privilege credentials,” he said.
“Once this is gained hackers then have the ability to move laterally in the organisation and start looking for crown jewels or simply advertise that a point of presence has been created in an organisation that could then be ‘rented’ out to perform attacks, such as DDoS.”
Kjw0rm and Sir DoOoM’s appearance follows the discovery of several evolved attack tools. These include the defence-dodging Skeleton Key malware and the advanced Cryptowall 3.0 ransomware.
IBM has made the Power8 version of the latest Red Hat Enterprise Linux (RHEL) beta available through its Power Development Platform (PDP) as the firm continues to build support for its Power systems.
IBM and Red Hat announced in December that RHEL 7.1 was adding support for the Power8 processor in little endian instruction format, as the beta release was made available for testers to download.
This version is available for developers and testers to download from today through the IBM PDP and at IBM Innovation Centres and Client Centres worldwide, IBM announced on its Smarter Computing blog.
“IBM and Red Hat’s collaboration to produce open source innovation demonstrates our commitment to developing solutions that efficiently solve IT challenges while empowering our clients to make their data centres as simple as possible so they can focus on core business functions and future opportunities,” said Doug Balog, general manager for Power Systems at IBM’s Systems & Technology Group.
The little endian support is significant because IBM’s Power architecture processors are capable of supporting little endian and big endian instruction formats. These simply reflect the order in which bytes are stored in memory.
The Power platform has long had Linux distributions and applications that operate in big endian mode, but the much larger Linux ecosystem for x86 systems uses little endian mode, and supporting this in Red Hat makes it much easier to port applications from x86 to Power.
Suse Linux Enterprise Server 12 launched last year with little endian support for the Power8 processor, as did Canonical’s Ubuntu 14.04 LTS.
However, Red Hat and Suse are understood to be continuing to support their existing big endian releases on Power for their full product lifecycles.
IBM sold off its x86 server business to Lenovo last year, and has focused instead on the higher value Power Systems and z Systems mainframes.
In particular, the firm has touted the Power Systems as more suitable for mission critical workloads in scale-out environments like the cloud than x86 servers, and has been forging partnerships with firms such as Red Hat through its OpenPower Foundation.
ARM has created a course to teach IoT skills to students at University College London (UCL).
The course is designed to encourage graduates in science, technology, engineering and maths (Stem) to seek careers in IT.
The IoT Education Kit will teach students how to use the Mbed IoT operating system to create smartphone apps that control mini-robots or wearable devices.
Students are expected to be interested in building their own IoT business, or joining IoT-focused enterprises like ARM. The course will also try to limit the number of Stem graduates pursuing non-technology careers.
ARM reported statistics from a 2012 study by Oxford Policy and Research revealing how many engineering graduates (36 percent of males, 51 percent of females), technology graduates (44 percent, 53 percent) and computer scientists (64 percent, 66 percent) end up with non-Stem jobs.
The IoT Education Kit will be rolled out by UCL’s Department of Electronics from September 2015, with a week-long module for full-time and continuing professional development students.
The Kit comprises a complete set of teaching materials, Mbed-enabled hardware boards made by Nordic Semiconductor, and software licensed from ARM. A second teaching module for engineering graduates is being developed for 2016.
“Students with strong science and mathematical skills are in demand and we need to make sure they stay in engineering,” said ARM CTO Mike Muller.
“The growth of the IoT gives us a great opportunity to prove to students why our profession is more exciting and sustainable than others.”
UCL professor Izzat Darwazeh also highlighted the importance of Stem skills, saying that “many students are not following through to an engineering career and that is a real risk to our long-term success as a nation of innovators”.
The company said it had introduced an option to allow Facebook users to flag a story as “purposefully fake or deceitful news” to reduce the distribution of news stories reported as hoaxes.
Facebook said it will not remove fake news stories from its website. Instead, the company’s algorithm, which determines how widely user posts are distributed, will take into account hoax reports.
“A post with a link to an article that many people have reported as a hoax or chose to delete will get reduced distribution in the News Feed,” Facebook explained.
Facebook has become an increasingly important source of news, with 30 percent of adults in the U.S. consuming news on the world’s largest social network, according to a 2013 study by the Pew Research Center in collaboration with the John S. and James L. Knight Foundation.
Facebook cited stories about dinosaur sightings and research supposedly proving the existence of Santa Claus as examples of fake news stories.
Facebook said “satirical” content, such as news stories “intended to be humorous, or content that is clearly labeled as satire,” should not be affected.
The European Space Agency (ESA) has deployed a private, on-premise cloud platform designed to serve its community in Europe. The infrastructure is partly based on a custom version of Red Hat Enterprise Linux (RHEL).
The ESA Cloud needs to be constantly available to the space agency’s large user base, ensuring high levels of reliability and flexibility and the management capabilities of a modern IT environment, according to Red Hat.
Hosted applications include software development and testing, satellite data processing, document management and “more traditional” corporate IT services used during day-to-day operations.
The ESA Cloud infrastructure is based on systems from VCE, including a blade architecture with x86 CPUs, and cloud management software from Orange Business Services.
RHEL is one of the platforms supported within the ESA Cloud, and the space agency worked closely with Red Hat to customise the enterprise OS.
The customisation and implementation phase was particularly important, the ESA said, because its requirements are “dramatically” different to those of any other enterprise.
The scenarios Red Hat and the ESA IT team had to deal with were quite often “absolutely new”, the company stated.
The ESA Cloud is designed to provide complex virtual environments “within minutes” to end users, shortening the time needed to reach an organisation’s business and scientific targets.
Monitoring computing resources consumed in real time is another important feature of ESA’s private cloud, allowing the IT team to optimise the available capacity to support specific agency projects.
The first ESA Cloud data center is ready for production in Frascati, Italy, and the space agency has already completed a similar site in Darmstadt, Germany.
Future targets include increasing the number of available services, and disaster recovery capabilities to face “any possible large-scale calamity”.
“Most of our acquisitions will probably be on an ‘as a service’ basis, as opposed to an on-premise model,” CFO Martin Schroeter said during IBM’s quarterly earnings call, in response to a question.
“That’s the nature of the market and where we have a lot of opportunity, because we don’t play in some of those areas today,” he said.
IBM could use the growth. On Tuesday it said revenue for the last quarter declined across all major segments — hardware, software and services. Profits were down as well, though they beat the forecast of financial analysts polled by Thomson Reuters.
IBM sees cloud services as one of its best chances for growth, as sales of its more traditional products, including mainframes and Unix servers, continue to decline.
Two years ago it bought SoftLayer to help it compete with Amazon Web Services, and last year it bought Cloudant, which provides a database as a service, and Light House Security, another cloud provider. This year, it looks like more cloud deals will be in the works.
Meanwhile, CEO Ginni Rometty has been selling off businesses that produce little or no profit. In October, she announced a plan to sell IBM’s chip manufacturing business for US$1.3 billion to Global Foundries, and before that she sold its x86 server business to Lenovo.
So IBM’s revenue is shrinking in part by design, but it needs to expand its other, more profitable businesses to compensate for the losses. And that isn’t yet happening at a fast enough rate.
In 11 of the 12 countries surveyed as part of a report published by Microsoft, respondents said that technology’s effect on privacy was mostly negative. Most concerned were people in Japan and France, where 68 percent of the respondents thought technology has had a mostly negative impact on privacy.
A majority want better legal protections and say the rights of Internet users should be governed by local laws irrespective of where companies are based.
Internet users in India, Indonesia and Russia were the least concerned, according to the survey. In general, those in developing countries were less bothered.
Surveys like this one should always be looked at with a healthy dose of skepticism. But there is little doubt that people are wary of how their personal data is used by companies and governments, according to John Phelan, communications officer at European consumer organization BEUC.
That people shouldn’t take privacy for granted has been highlighted on several occasions in just the last week.
Shortly after the horrific Paris shootings, British Prime Minister David Cameron was criticized for saying that authorities should have the means to read all encrypted traffic.
Also, U.S. mobile operator Verizon Wireless found itself in hot water over the way one of its advertising partners used the Unique Identifier Headers Verizon embeds in its customers’ Internet traffic to recreate tracking cookies that had been deleted by users. Online advertising company Turn defended its practices, but still said on Friday it would stop using the method by next month.
Worries about privacy aren’t likely to subside anytime soon, with more devices becoming connected as part of the expected Internet of Things boom.
The “Views from Around the Globe: 2nd Annual Poll on How Personal Technology is Changing our Lives” survey queried 12,002 Internet users in the U.S., China, India, Brazil, Indonesia, South Africa, South Korea, Russia, Germany, Turkey, Japan and France.
Canonical has announced a new version of the Ubuntu operating system designed to bring a united front to the Internet of Things (IoT), after a preview alpha was trialed late last year.
The super-stripped down, lightweight Snappy Ubuntu Core is designed to allow developers to create IoT applications quickly and easily and release them securely across the network.
This means that many devices with firmware that would have been unpatched after vulnerabilities such as Heartbleed can now be updated quickly, easily and silently.
Apps are at the heart of the infrastructure, with app store functionality able to offer off-the-peg firmware, applications and runtime libraries to help facilitate common standards across the IoT.
“We found that the IoT required a way of installing apps similar to the way you do on your phone,” Maarten Ectors, Ubuntu VP for the IoT, told The INQUIRER.
“Developers can have app stores for things that don’t have app stores today. That could be your vacuum cleaner, it could be your robot, it could be a drone.”
The company hopes that the future of robots will be a large part of the success of Snappy, and is working closely with a range of start-ups and Kickstarter projects to bring home automation and intelligent robotics to life.
“As people add more items and add complexity to their home networks, they want stuff to just work and to keep working, no matter what vulnerabilities we discover in the huge mountain of open source software that is powering all of it,” added Mark Williams, founder and guvnor of Ubuntu.
“Many of these items that you’ll be buying will be Ubuntu anyway, but Snappy will allow them to be fully robust, fully automated and fully secure.”
Ubuntu Core requires a tiny footprint. It can work with as little as 600MHz of processing power and 128MB of RAM, with suitable ARM processor baseboards starting at $35 retail.
Ubuntu Core is also x86 compatible, and this flexibility means IoT products could be mass produced for a matter of pennies.
Last year Broadcom offered a similar device called the Wiced Sense, a $20 kit aimed at helping to design IoT prototypes.
The first Snappy Ubuntu Core products are expected to be announced in the second quarter. Expect to see a lot of them on Christmas lists for 2015.
CCS Insight has said that, while Microsoft’s share of the tablet market is expected to grow, Windows 10 will have “little impact” before the end of 2016.
CCS has cast its eye over tablet sales, and said that while the market saw minimal growth in 2014, sales are likely to increase by 28 percent in 2015.
The growth will largely be driven by Android, thanks to affordably priced tablets running Google’s software, while Apple is expected to continue to woo those in the market for a high-end device.
Apple will also grow its position in the business tablet market, CCS expects, thanks to its partnership with IBM.
However, CCS stressed that Microsoft should not be overlooked. Sales of Windows-based tablets won’t see huge growth this year, but will gain a bigger share of the market.
Marina Koytcheva, CCS director of forecasting, said: “We expect Android to continue dominating the low-end and mid-range market, with Apple taking the lion’s share of the high-end.
“But Windows is gaining a bigger slice of the pie, albeit from a very low level, and should not be overlooked.”
Koytcheva added that Microsoft’s decision to scrap its licence fee for Windows devices under 9in is a major factor.
“It has given Windows fresh impetus, as it has spurred manufacturers to produce a better range of devices at a variety of prices, as low as $99 for HP’s Stream 7, for example,” she said.
Windows 10 is expected to make its debut on 21 January, but isn’t likely to have much of an impact, according to CCS.
“Microsoft still runs the risk of failing to convert the wide availability of cheaper Windows tablets into strong growth in unit sales before 2017,” Koytcheva said.
“Windows 10 will take time to make its mark, and developers will need a few months to perfect applications for the new platform. We expect Windows 10 to have little impact on tablet sales before late 2016.”
Randy Westergren, a senior software developer with XDA Developers, looked at the Android version of My FiOS, which is used for account management, email and scheduling video recordings.
“Since Verizon has a good amount of my information, I thought it would be a good candidate for research,” Westergren wrote on his personal blog. “I was right, and the results were astonishing.”
The flaw, contained in the application’s API, could have allowed an attacker to read individual messages from a person’s Verizon inbox and even send emails from an account, he wrote.
Westergren looked at the traffic sent back and forth between My FiOS and Verizon’s servers. He found My FiOS would return the content of someone else’s email inbox by simply substituting a different user ID in a request.
He contacted Verizon, which later acknowledged the problem. Verizon issued a fix last Friday, Westergren wrote.
“Verizon’s security group seemed to immediately realize the impact of this vulnerability and took it very seriously,” Westergren wrote. “They were very responsive during this process and even arranged for a free year of FiOS Internet service as a token of their gratitude.”
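The class of flaw described above, an API that returns whichever mailbox the request names, shown next to a server-side ownership check. This is an added example, not Verizon's code or Westergren's; the in-memory mailbox store, session tokens and function names are all hypothetical.

```python
"""Added illustration: object-level authorization for a mailbox API.

Everything here (user IDs, tokens, mailbox contents) is constructed
sample data for the example, not taken from any real service.
"""
from dataclasses import dataclass, field

# Constructed mailbox store keyed by user ID.
INBOXES = {
    "user-1001": ["Your bill is ready", "DVR recording scheduled"],
    "user-1002": ["Password reset code", "Appointment confirmation"],
}

# Constructed session table: bearer token -> user ID it was issued to.
SESSIONS = {"tok-alice": "user-1001", "tok-bob": "user-1002"}


@dataclass
class Response:
    status: int
    body: list = field(default_factory=list)


def authenticate(token):
    """Return the user ID bound to this session token, or None."""
    return SESSIONS.get(token)


def get_inbox_vulnerable(token, requested_uid):
    """Checks that the caller is logged in, but trusts the user ID in the
    request, so any authenticated user can read any mailbox."""
    if authenticate(token) is None:
        return Response(401)
    return Response(200, INBOXES.get(requested_uid, []))


def get_inbox_hardened(token, requested_uid, audit_log):
    """Serves only the mailbox owned by the session's user. A request that
    names another account is refused and recorded for detection."""
    caller = authenticate(token)
    if caller is None:
        return Response(401)
    if requested_uid != caller:
        audit_log.append({
            "event": "cross_account_read_denied",
            "caller": caller,
            "requested": requested_uid,
        })
        return Response(403)
    # Look the mailbox up by the authenticated identity, not the parameter.
    return Response(200, INBOXES.get(caller, []))


def flag_enumeration(audit_log, threshold=3):
    """Detection helper: callers denied on `threshold` or more distinct
    foreign user IDs, which suggests ID substitution at scale."""
    seen = {}
    for entry in audit_log:
        seen.setdefault(entry["caller"], set()).add(entry["requested"])
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    log = []
    print(get_inbox_vulnerable("tok-alice", "user-1002"))   # other user's mail
    print(get_inbox_hardened("tok-alice", "user-1002", log))  # refused
    print(get_inbox_hardened("tok-alice", "user-1001", log))  # own mail
    print(log)
```

The hardened handler keeps the user ID parameter only to compare it with the session; the lookup itself uses the authenticated identity, so a tampered parameter cannot change which mailbox is read.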
Google is putting its considerable resources behind PriceWaterhouseCoopers’ bid to build a new cloud-based healthcare system for the military that would support its more than 9.7 million beneficiaries.
PwC announced yesterday that it will team up with Google on a bid that will go to the U.S. Department of Defense (DoD) for what’s been dubbed the Healthcare Management Systems Modernization Electronic Health Record contract.
The DoD is looking to replace and modernize its online health system, enabling doctors and other healthcare providers, working both inside and outside of government, to easily and securely access medical records for military personnel, retirees and their families.
“Google is known for its expertise in innovative, secure and open technologies, and the power of Internet scale,” said Scott McIntyre, PwC’s global and U.S. public sector leader, in a statement. “Their capabilities can complement our proposed open-architecture solution and bring added value, agility and flexibility to the new Military Health System.”
PwC and Google have recently joined in an effort to help enterprises move their apps and data onto the cloud.
Google did not immediately respond to a request for comment.
Citrix Systems has purchased storage virtualization vendor Sanbolic in a move that could make it easier for Citrix users to use applications and virtual desktops spread across data centers and clouds.
Sanbolic sells software that lets enterprises treat the capacity in most types of storage infrastructure as a single virtual system that understands the needs of each application. Those capabilities play into Citrix’s mission of efficiently delivering virtual desktops to users and making applications fast and always available.
Sanbolic’s team will join Citrix immediately, Citrix said. The companies didn’t disclose the terms of the acquisition. Sanbolic is a 13-year-old company based in Waltham, Massachusetts. More than 200 Citrix customers already use Sanbolic’s technology, according to Citrix.
Citrix bought the company in a bid to reduce infrastructure complexity, a barrier to deployments of VDI (virtual desktop infrastructure) and application delivery technology. The company plans to use Sanbolic with its XenDesktop and XenApp products to simplify infrastructure and cut the cost of rolling it out and managing it.
Storage, which may be spread across multiple dedicated arrays, integrated into servers themselves and allocated within public and private clouds, is moving toward the kind of virtualization that has already transformed enterprise computing and is starting to change networking. Even major vendors of storage arrays, including EMC, are beginning to emphasize overarching systems over specific hardware platforms. Making the right data available to each application when it’s needed should give enterprises more freedom to deploy their IT resources in the most effective way and keep up with changing needs.
Sanbolic’s software can manage capacity across hard-disk and flash media in NAS (network-attached storage), SAN (storage-area network), server-based and cloud deployments. With the newly acquired technology, Citrix will be able to develop new products to reduce the cost and complexity of VDI and of Windows application delivery, the company said.