Monday, October 24, 2016

Do you have an Android phone? You might be vulnerable to Drammer (deterministic Rowhammer).

It is a DRAM-related vulnerability, and there is a partial fix for the flaw (CVE-2016-6728).

From the article:

The name Drammer is short for deterministic Rowhammer

The vulnerability, dubbed Drammer, could give an attacker root access to millions of Android handsets including Nexus, Samsung, LG and Motorola.

The attack method employs an existing PC-based hack known as Rowhammer, a technique that targets rows of cells of memory in DRAM devices to induce cells to flip from one state to another.

“Drammer is the first Android root exploit that relies on no software vulnerability and is an instance of the Flip Feng Shui exploitation technique,” 

The Android Security team said it would issue a partial fix for the flaw (CVE-2016-6728) with its November security bulletin. However, researchers point out that while Google’s patch will make it much harder for an attacker to launch a Drammer attack, it does not eradicate it. “We hope to see a more sophisticated fix soon,” according to researchers.

For more details:
https://threatpost.com/rowhammer-vulnerability-comes-to-android/121480/
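As an added illustration of what a flipped DRAM cell looks like to a memory-integrity check (example code written for this post, not from the Threatpost article or the Drammer researchers), the C program below simulates a few rows of memory filled with a known pattern, toggles one bit to stand in for a cell that changed state, and scans the rows to report exactly which bit moved. This is the detection principle memory-test tools rely on; the row size, row count and the fault location are constructed assumptions, and no hammering takes place.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: simulate DRAM as a small array of rows and detect bits
 * that no longer hold the value written to them. Sizes are constructed
 * for illustration, not a real DRAM geometry. */
#define ROW_BYTES 64
#define NUM_ROWS  8

typedef struct {
    size_t   row;
    size_t   byte;
    unsigned bit;
    uint8_t  expected;
    uint8_t  actual;
} flip_t;

/* Pattern written to a row: even rows get 0x55 (01010101), odd rows 0xAA,
 * so neighbouring rows hold opposite values in every cell. */
static uint8_t row_pattern(size_t row) {
    return (row % 2 == 0) ? 0x55 : 0xAA;
}

/* Write the known pattern into every row. */
void fill_pattern(uint8_t *mem, size_t rows) {
    for (size_t r = 0; r < rows; r++)
        for (size_t b = 0; b < ROW_BYTES; b++)
            mem[r * ROW_BYTES + b] = row_pattern(r);
}

/* Toggle one bit to stand in for a cell that changed state
 * (a constructed fault, not a hammering routine). */
void inject_flip(uint8_t *mem, size_t row, size_t byte, unsigned bit) {
    mem[row * ROW_BYTES + byte] ^= (uint8_t)(1u << bit);
}

/* Compare memory with the pattern; record each flipped bit in out
 * (up to max_out entries) and return the total number of flipped bits. */
size_t find_flips(const uint8_t *mem, size_t rows, flip_t *out, size_t max_out) {
    size_t count = 0;
    for (size_t r = 0; r < rows; r++) {
        uint8_t expect = row_pattern(r);
        for (size_t b = 0; b < ROW_BYTES; b++) {
            uint8_t actual = mem[r * ROW_BYTES + b];
            uint8_t diff = actual ^ expect;   /* set bits are the ones that moved */
            if (diff == 0) continue;
            for (unsigned bit = 0; bit < 8; bit++) {
                if (diff & (1u << bit)) {
                    if (count < max_out) {
                        out[count].row = r;
                        out[count].byte = b;
                        out[count].bit = bit;
                        out[count].expected = expect;
                        out[count].actual = actual;
                    }
                    count++;
                }
            }
        }
    }
    return count;
}

int main(void) {
    static uint8_t mem[NUM_ROWS * ROW_BYTES];
    flip_t flips[16];

    fill_pattern(mem, NUM_ROWS);
    printf("clean scan: %zu flips\n", find_flips(mem, NUM_ROWS, flips, 16));

    inject_flip(mem, 3, 10, 5);   /* constructed fault in row 3, byte 10, bit 5 */
    size_t n = find_flips(mem, NUM_ROWS, flips, 16);
    for (size_t i = 0; i < n; i++)
        printf("row %zu byte %zu bit %u: 0x%02x -> 0x%02x\n",
               flips[i].row, flips[i].byte, flips[i].bit,
               flips[i].expected, flips[i].actual);
    return 0;
}
```

Scanning against a known pattern only works for memory you filled yourself; for live data, the same idea is what ECC memory or an integrity check over page contents provides, which is why the researchers ask for a more thorough fix than the software-side mitigation mentioned above.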

Friday, October 21, 2016

IoT is the new frontier - Can the IoT vendors learn anything from an Electric Saw Company?

Good ideas are everywhere. The question is: are we looking for them?

From the article:

This is how we need to think from a security perspective.

Safety Cover: There is a plastic safety cover that protects the entire rotating blade. The only time the blade is actually exposed is when you lower the saw to actually cut into the wood. The moment you start to raise the blade after cutting, the plastic cover protects everything again. This means to hurt yourself you have to manually lower the blade with one hand then insert your hand into the cutting blade zone.

Power Switch: Actually, there is no power switch. Instead, after the saw is plugged in, to activate the saw you have to depress a lever. Let the lever go and saw stops. This means if you fall, slip, blackout, have a heart attack or any other type of accident and let go of the lever, the saw automatically stops. In other words, the saw always fails to the off (safe) position.

Shadow: The saw has a light that projects a shadow of the cutting blade precisely on the wood where the blade will cut. No guessing where the blade is going to cut.

Safety is like security: you cannot eliminate risk. But I feel this is a great example of how security can learn from others on how to take people into account.

For more info:
https://securingthehuman.sans.org/blog/2016/10/18/what-iot-and-security-needs-to-learn-from-the-dewalt-mitre-saw