Friday, November 4, 2016

Tracking you with audio signals your phone can hear, but you can’t?



The technology, called ultrasonic cross-device tracking, embeds high-frequency tones that people cannot hear.
These ultrasound “beacons” emit their audio sequences through speakers, and almost any device microphone—like those accessed by an app on a smartphone or tablet—can detect the signal and start to put together a picture of what ads you’ve seen, what sites you’ve perused, and even where you’ve been.
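As an added example (not code from the Ars Technica article or from this post), the following Python detector looks for the kind of narrow near-ultrasonic tone such a beacon emits. It assumes a 44.1 kHz microphone capture rate and an 18 to 20 kHz beacon band; both values, the tonal-prominence threshold, and the audio it scans are constructed assumptions for illustration. It scans every DFT bin in the band with the Goertzel algorithm and flags a beacon when one bin towers over the band's median bin power, which broadband noise or ordinary speech-band audio does not do.

```python
import math
import random
from statistics import median

SAMPLE_RATE = 44_100            # Hz; assumed microphone capture rate
BEACON_BAND = (18_000, 20_000)  # Hz; assumed near-ultrasonic band used by beacons


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Normalised power of `samples` at `target_hz` (Goertzel algorithm).

    A pure sine of amplitude A that lands exactly on a DFT bin returns A**2 / 4,
    independent of the window length.
    """
    n = len(samples)
    k = int(round(n * target_hz / sample_rate))   # nearest DFT bin index
    omega = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(omega)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev2 * s_prev2 + s_prev * s_prev - coeff * s_prev * s_prev2
    return power / (n * n)


def scan_band(samples, band=BEACON_BAND, sample_rate=SAMPLE_RATE):
    """(centre_hz, power) for every DFT bin whose centre lies inside `band`."""
    n = len(samples)
    bin_hz = sample_rate / n
    lo, hi = band
    bins = []
    k = math.ceil(lo / bin_hz)
    while k * bin_hz <= hi:
        bins.append((k * bin_hz, goertzel_power(samples, k * bin_hz, sample_rate)))
        k += 1
    return bins


def detect_beacon(samples, peak_ratio=100.0):
    """Return (peak_hz, prominence) when a narrow tone stands out in the band, else None.

    A beacon is a narrow tone, so its bin should dwarf the band's median bin
    power; silence or broadband noise gives a prominence close to 1.
    """
    bins = scan_band(samples)
    floor = max(median(p for _, p in bins), 1e-30)   # guard against all-zero input
    peak_hz, peak_power = max(bins, key=lambda b: b[1])
    prominence = peak_power / floor
    if prominence < peak_ratio:
        return None
    return round(peak_hz), prominence


def make_signal(tones, noise=0.01, seconds=0.1, sample_rate=SAMPLE_RATE, seed=0):
    """Constructed test audio: (amplitude, hz) sine tones over a seeded noise floor."""
    rng = random.Random(seed)
    n = int(seconds * sample_rate)
    return [
        sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for a, f in tones)
        + rng.uniform(-noise, noise)
        for i in range(n)
    ]


# Constructed clips: speech-band content alone, and the same with a faint 18.6 kHz tone.
SPEECH = [(0.5, 440), (0.3, 1_000), (0.2, 3_000)]
CLEAN_CLIP = make_signal(SPEECH)
BEACON_CLIP = make_signal(SPEECH + [(0.05, 18_600)])

if __name__ == "__main__":
    print("clean clip :", detect_beacon(CLEAN_CLIP))    # None
    print("beacon clip:", detect_beacon(BEACON_CLIP))   # (18600, <large prominence>)
```

The window length of 0.1 s gives 10 Hz bins, so the scan covers 201 bins; real-time use on a phone would run this over successive microphone buffers and alert or log when a sustained peak appears in the band.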

For More Info:
http://arstechnica.com/security/2016/11/how-to-block-the-ultrasonic-signals-you-didnt-know-were-tracking-you/

Monday, October 24, 2016

Do you have an Android phone? You might be vulnerable to Drammer (deterministic Rowhammer).



It is a DRAM-related vulnerability, and there is a partial fix for the flaw (CVE-2016-6728).


From the article:

The name Drammer is short for deterministic Rowhammer

The vulnerability, dubbed Drammer, could give an attacker root access to millions of Android handsets including Nexus, Samsung, LG and Motorola.

The attack method employs an existing PC-based hack known as Rowhammer, a technique that targets rows of cells of memory in DRAM devices to induce cells to flip from one state to another.

“Drammer is the first Android root exploit that relies on no software vulnerability and is an instance of the Flip Feng Shui exploitation technique,” 

The Android Security team said it would issue a partial fix for the flaw (CVE-2016-6728) with its November security bulletin. However, researchers point out that while Google’s patch will make it much harder for an attacker to launch a Drammer attack, it does not eradicate it. “We hope to see a more sophisticated fix soon,” according to the researchers.

For more details:
https://threatpost.com/rowhammer-vulnerability-comes-to-android/121480/

Friday, October 21, 2016

IoT is the new frontier - Can IoT vendors learn anything from an electric saw company?



Good ideas are everywhere. The question is, are we looking for them?



From the article:

This is how we need to think from a security perspective.

Safety Cover: There is a plastic safety cover that protects the entire rotating blade. The only time the blade is actually exposed is when you lower the saw to actually cut into the wood. The moment you start to raise the blade after cutting, the plastic cover protects everything again. This means to hurt yourself you have to manually lower the blade with one hand then insert your hand into the cutting blade zone.

Power Switch: Actually, there is no power switch. Instead, after the saw is plugged in, to activate the saw you have to depress a lever. Let the lever go and the saw stops. This means if you fall, slip, blackout, have a heart attack or any other type of accident and let go of the lever, the saw automatically stops. In other words, the saw always fails to the off (safe) position.

Shadow: The saw has a light that projects a shadow of the cutting blade precisely on the wood where the blade will cut. No guessing where the blade is going to cut.

Safety is like security: you cannot eliminate risk. But I feel this is a great example of how security can learn from others on how to take people into account.


For more info:
https://securingthehuman.sans.org/blog/2016/10/18/what-iot-and-security-needs-to-learn-from-the-dewalt-mitre-saw

Thursday, July 28, 2016

VPN is good? No, it could send you to jail with a 545K fine



UAE (F)Law:
Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dhs 500,000 and not exceeding Dhs 2,000,000, or either of these two penalties.

For more info:
http://www.theregister.co.uk/2016/07/28/vpn_users_in_uae_face_544k_fine/

Do you know what "Bunker Buster" means? (Hint: it is a software bug)



Put into plain English, this means that the security checks used by the host to stop guests messing with each other’s memory didn’t always work. Full security checks were slowing things down, so a shortcut was programmed that turned out to be inadequate, introducing a loophole for attackers.

In this case, the bug wasn’t just a guest-to-guest problem, but a guest-to-host bug. In other words, the guest could mess with the entire server, and thus implicitly with any other guest as well.


For more info:
https://nakedsecurity.sophos.com/2016/07/28/the-xen-bunker-buster-bug-what-you-need-to-know/

Thursday, July 14, 2016

"Think before you click" will save us from a lot of trouble, but can we?


Why does phishing still succeed?
Check out below


Attackers generally take advantage of a combination of five factors when constructing and distributing phishing emails:

1. Timing
Seasonal attacks can be very effective, as recipients are likely to be expecting to receive particular messages.

2. Emotional status of the target
The attacker might not know which employee is currently under negative stress, but there is a good chance that at least one will respond differently when targeted because of their level of stress.

3. Tone of the language used in the email
Emails are specifically designed to cause alarm but not give away too much information, hoping instead to prompt the recipient to open the message and follow the instructions within.

4. Social media exposure
Many people expose far too much of their personal and professional lives via social networking sites, to the extent that attackers can easily construct a highly convincing message.

5. State of mind
Working conditions that lead to exhaustion and/or anxiety can make employees far more susceptible.

For More info:

Tuesday, July 12, 2016

Can you be arrested for sharing a password?


EFF said language around "authorization" or "ownership" in the ruling opens the possibility that even spouses who use their partner's credentials to access a bank account, or a child using a parent's password to login to Hulu or Amazon, could be swept up by an over-reaching prosecutor.

For more info:
http://www.scmagazine.com/ninth-circuit-ruling-upholds-password-sharing-risk/article/508859/