“Find My Mobile” system can be used to attack Samsung mobiles and other handsets

Samsung’s ‘Find My Mobile’ system, which allows you to locate, lock, ring, and wipe your device should it be stolen or lost, can be taken over, potentially allowing a hacker to remotely lock the device, change its passcode, or wipe the device, according to Mashable.

The remote hack exploits a flaw in Samsung’s Find My Mobile system to enact denial-of-service attacks. If ‘Find My Mobile’ is enabled, it means that hackers can lock the Samsung handset and change its unlock code.

The government’s own National Vulnerability Database explains that the hack is possible because Samsung devices do not validate the source of lock-code data through the network, making handsets from the South Korean manufacturer more susceptible to this manner of attack. It gives the exploit a severity score of 7.8 (or high).

Slashgear warns Samsung users that, “although not enabled by default, once a user creates a Samsung account, which owners might do to get access to Samsung-exclusive apps and services on their device, it becomes enabled.”

While options for a hacker are limited because of the remote nature of the hack, it might still be possible to hold a phone owner to ransom via a personalized message that Find My Mobile allows you to post to the lock screen. “There’s precedent for such attacks,” The Register explains, “last May an attacker using the handle ‘Oleg Pliss’ locked scores of antipodean iPhones and demanded $50 to unlock the devices.”

A Samsung spokesman told Mashable that “Samsung takes the security of our products very seriously and we are currently investigating the matter.”

“Hacking” cars on the road wirelessly is easy or not….

It is perfectly possible to “hack” a car while it is driving on the road, seize control, and force the vehicle into a fatal crash, says a car security specialist, speaking to Network World.

Security researchers have demonstrated such hacks using wired systems or short-range wireless such as Bluetooth, but Toucan Systems claims that attacks can be conducted from half the world away, from a computer at a desk.

Jonathan Brossard, quoted by the Sydney Morning Herald, “does not know of a car that has been hacked on the road but says his company does it for vehicle manufacturers in Europe.”

“The vehicle is remote from me. I am sitting at the desk and I am using the computer and driving your car from another country. I am saying it is possible. A car is, technically speaking, very much like a cell phone and that makes it vulnerable to attack from the internet. An attack is not unlikely.”

A report by CNN Money describes the security of “connected” cars as simply behind the times. CNN describes the 50 to 100 computers controlling steering, acceleration and brakes in the typical automobile as “really dumb” – and says “there’s a danger to turning your car into a smartphone on wheels”.

“Auto manufacturers are not up to speed,” said Ed Adams, a researcher at Security Innovation, speaking to CNN Money. “They’re just behind the times. Car software is not built to the same standards as, say, a bank application. Or software coming out of Microsoft.”

The report claims that the next generation of cars from both Audi and Tesla will be wirelessly connected to the internet via AT&T – and thus much more vulnerable.

Writing about a demo at the Blackhat conference in Las Vegas last year, some experts said, “Traditionally, cars have had rudimentary computing systems, implemented to carry out fixed tasks like measuring fuel for injection, making your transmission shift more smoothly under gentle acceleration or to improve gas mileage – things like that.

But with some manufacturers hoping to roll out location-aware browser-based or embedded information systems, can scams be far behind?”

The CNN Money report compared the 145,000 lines of computer code used in the spaceship that put men on the moon, Apollo 11, with the average modern automobile, which has 100 million.

Last year, Senator Edward J Markey, Democrat, Massachusetts, pointed out in a publicly available letter to 20 auto manufacturers that average cars now have up to 50 electronic control units, often controlled by a car “network”, and that manufacturers had a duty to protect consumers against hackers.

The open letter has ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.

Hacks against cars have been demonstrated before – but thus far, have relied on attackers having physical access to the vehicles. At the DefCon conference this year, two researchers showed how they could seize control of two car models from Toyota and Ford by plugging a laptop into a port usually used for diagnostics.

So far, though, attacks where vehicles are “taken over” wirelessly have not been widely demonstrated.

“At the moment there are people who are in the know, there are nay-sayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there,” said Charlie Miller, one of the ‘car hackers’ at Defcon. “We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”

“As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver’s basic right to privacy could be compromised,” Senator Markey wrote. “These threats demonstrate the need for robust vehicle security policies to ensure the safety and privacy of our nation’s drivers.”

Markey argues that car companies should use third parties to test for wireless vulnerabilities, and should assess risks related to technologies purchased from other manufacturers.

A report by CNBC earlier this year described some of these threats in detail, describing car-hacking as “the new global cybercrime.”

Millions in Bitcoin stolen from Sheep dark market as user flees ……

One of the ‘dark marketplaces’ offering illegal and semi-legal services via the anonymized web browser Tor has shut down, according to reports – with a user fleeing with millions of dollars’ worth of Bitcoin.

A senior user of Sheep Marketplace “stole” a large number of bitcoins totalling $4.9 million, according to the BBC’s report. The actual figure may have been much higher. Business Insider claims up to $44 million was taken.

“We are sorry to say, but we were robbed on Saturday 11/21/2013 by vendor EBOOK101. This vendor found bug in system and stole 5400 BTC – your money, our provisions, all was stolen,” the site admins said in a statement.

“We were trying to resolve this problem, but we were not successful. We are sorry for your problems and inconvenience, all of current BTC will be distributed to users, who have filled correct BTC emergency address. I would like to thank to all SheepMarketplace moderators by this, who were helping with this problem. I am very sorry for this situation. Thank you all.”

Sheep Marketplace gained many customers and sellers during the brief period Silk Road was inactive. At present, the site is unreachable via Tor. Some reports, such as this via TapScape, suggest that the entire site was a scam designed to earn Bitcoin, created during the period while Silk Road was offline.

Business Insider reports that the theft may have been much bigger than initial reports, “Sheep users and other Bitcoin followers on reddit say that the administrators began blocking withdrawals of bitcoins from the site more than a week ago, and may have absconded with as much as $44 million from the site’s users, pointing to a movement of 39,900 bitcoins visible in the public record of Bitcoin transactions known as the blockchain.”

Site users have begun their own detective work, chronicled on a Reddit thread devoted to the thefts, “He was desperately creating new wallet addresses and moving his 49 retirement wallets through them, but having to wait for 3 or 4 confirmations each time before moving them again. Each time I caught up, I “666”ed him – sent 0.00666 bitcoins to mess up his lovely round numbers like 4,000. Then, all of a sudden, decimal places started appearing, and fractions of bitcoins were jumping from wallet to wallet like grasshoppers on a hotplate without stopping for confirmations.”

“I think he’s asleep now in the Czech Republic. When he awakes, he will see my “666” next to his 96,000 stolen, freshly-laundered bitcoins. Along with lots of insults attached to fragments of bitcoins that I hope you are about to send here…”

It’s the latest in a series of “heists” involving the cryptocurrency, as reported. Despite FBI action against ‘dark market’ sites such as Silk Road, illegal commerce still thrives on Tor – and Silk Road relaunched as Silk Road 2.0.

Within the last few days, two sites hosting online wallets for the cryptocurrency Bitcoin were targeted by hackers – the ‘heists’ netted more than $1 million each.

Oddly, though, this has not adversely affected the value of the cryptocurrency, which seems to thrive on publicity, whether positive or negative.

Despite the heists, plus high-profile law-enforcement actions against ‘dark market’ sites such as Silk Road, which conducted transactions in Bitcoin, the currency is now valued at $919 per coin, its highest-ever valuation.

Earlier this year, some well-known threat blogs detected new malware variants that attempted to steal Bitcoins, mine Bitcoins illegally, or break into wallets. Malware has also targeted other similar currencies such as Litecoin.

We Live Security spoke to James Andrews, Finance Editor at Yahoo UK, for a perspective on the currency from outside the world of technology.

“Nothing in finance is truly safe.” “Real currencies collapse, but the Bitcoin is less safe than most. It’s been called the world’s most perfect speculative material, which is fair. It has absolutely no value or use bar its rarity. If people stop valuing that it’s entirely worthless more or less instantly. Equally, though, prices might just keep rising and rising and rising – as more people buy into the idea and demand rises.”

On Twitter, an image showing the enormous rise and sudden collapse in prices of Dutch Tulips during the brief craze when the bulbs were first introduced in 1637 has circulated.

Could the same happen to Bitcoin? Perhaps – but there are steps you can take to keep your Bitcoins safer than most.

If your wallet’s stolen, act fast

If your Bitcoin wallet HAS been stolen, it’s not quite as easy for the attacker as stealing a real wallet – he or she has to move the currency out of it. If you’re lucky, and fast, this can sometimes save your coins. When the Bitcoin wallet is stolen from the victim, the attacker will have to “spend” the Bitcoins in it – by either adding them to his own wallet, purchasing something, etc.

“The only way to get away without losing the money is if the victim is lucky enough to “spend” the Bitcoins (purchase something or import them to a new wallet) before the attacker does. Obviously, the chances of that are pretty slim.”

Keep your PC clean if you’re dabbling in Bitcoin

Cybercriminals love Bitcoin, which is why it and other crypto-currencies are being targeted. There are numerous malware families today that either perform Bitcoin mining or directly steal the contents of victims’ Bitcoin wallets, or both. So keep your computer clean and uncompromised by “thinking before you click” and keeping your system, applications and anti-virus up-to-date.

Encrypt your wallet

Despite Bitcoin’s own beautiful illustrations of glittery coins, what you’re dealing with are numbers – long encryption keys. To stay safe, you just have to ensure no one else ever has access to these. There are several important rules to keep Bitcoins safe.

“The key words here are: BACK UP and ENCRYPT.

Bitcoin provides a way to encrypt wallets, and this would make it much more difficult for the attacker to get his hands on the Bitcoins.” Clever Bitcoin users will encrypt all their wallets – although this slows performance – and have several for different uses. Very small amounts of money

Don’t keep all your eggs in one basket – or your Bitcoin in one wallet

Bitcoin is a special case – if you’re worried a site breach or Trojan attack may have put your hoard within reach, don’t just change passwords, even if your wallet is encrypted. Make a new one, and move your coins to it (with a new, strong password). Lipovsky says that the Bitcoin foundation’s own advice is excellent, “If a wallet or an encrypted wallet’s password has been compromised, it is wise to create a new wallet and transfer the full balance of bitcoins to addresses contained only in the newly created wallet.”

Most finance experts advise – don’t put your life savings in Bitcoin

Yahoo’s Andrews says that the soaring price of Bitcoin isn’t a signal to invest: “If you’ve made a profit on Bitcoins you already own, well done. There’s simply no way to know whether their prices will keep rising, stabilise or collapse. And there are a lot of risks – everything from them being hacked, your e-wallet being hacked, someone successfully forging them or Bitcoins being made illegal.”

If you must store Bitcoins online, don’t store large amounts

Online Bitcoin wallets are not designed to work like bank accounts – they’re convenient, as you can access them from anywhere – but they’re a prime target for cybercriminals. An attack on Bitcoin site BIPS targeted web wallets. CEO Kris Henrikson said, “Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in,” after his site was robbed of $1.2 million in Bitcoin. Bitcoin says, tactfully, “Online wallets have a number of pros and cons.” After Bitcoin site Inputs.io was hacked, and $1.2 million stolen, its founder said, “I don’t recommend storing any bitcoins accessible on computers connected to the internet.”

Mobiles and Bitcoins don’t mix

Various Android apps offer ways to carry Bitcoins with you – but again, these come with their own risks. Earlier this year, a flaw in Android rendered ALL Bitcoin wallets unsafe – although it was rapidly patched – and apps which allow transfer via NFC add additional risks, particularly if a device is lost. “Mobile wallet applications are available for Android devices that allow you to send bitcoins by QR code or NFC, but this opens up the possibility of loss if mobile device is compromised. It is not advisable to store a large amount of bitcoins there.”

Keep your fortune in “cold storage”

If you’re serious about Bitcoin, the security procedures are long and complex – even Bitcoin admits that setting up an offline wallet, stored on CDs and USB sticks is “tedious” and “not user friendly”. A good guide to how to do this is here – and it may also provide an illustration of why mainstream PC users might want to consider sticking to good old US dollars. Bitcoin says, “Because bitcoins are stored directly on your computer and because they are real money, the motivation for sophisticated and targeted attacks against your system is higher than in the pre-bitcoin era.” Bitcoin’s own procedure for creating an “offline” wallet, which never contacts the internet in plaintext form, is here. This procedure is also known as creating an “air gap” or “cold storage”. Followed correctly, it provides protection from malware and cyberattacks – although not, of course, from traditional crimes such as extortion.

Still worried? Store them on paper

One safe – if extreme – way of ensuring Bitcoins don’t fall into the hands of hackers is to store them on paper. Bitcoin says, “When generated securely and stored on paper, or other offline storage media, a paper wallet decreases the chances of your bitcoins being stolen by hackers, or computer viruses. With each entry on a paper wallet, you are securing a sequence of secret numbers that is used to prove your right to spend the bitcoins. This secret number, called a private key, most commonly written as a sequence of fifty-one alphanumeric characters, beginning with a ‘5’.” Be sure, though, your PC is clean before you print – the free software used to generate codes has been targeted by cybercriminals. Run a complete scan of your machine first, then keep AV software running as you print out.
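
The 51-character key beginning with ‘5’ described above is the Wallet Import Format, a Base58Check encoding that carries its own checksum, so a key copied onto or off paper can be checked for transcription errors on an offline machine. The following is an added example, not code from the original article or from the Bitcoin project; the sample key is constructed, and function names such as `check_wif` are illustrative.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Leading zero bytes are written as leading '1' characters.
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(text) - len(text.lstrip("1"))) + body


def checksum(payload: bytes) -> bytes:
    # First four bytes of SHA-256 applied twice.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_wif(key: bytes) -> str:
    if len(key) != 32:
        raise ValueError("private key must be 32 bytes")
    payload = b"\x80" + key  # 0x80 = mainnet private-key version byte
    return b58encode(payload + checksum(payload))


def check_wif(text: str):
    """Return (ok, reason) for an uncompressed paper-wallet key."""
    text = text.strip()
    if len(text) != 51 or not text.startswith("5"):
        return False, "expected 51 characters beginning with '5'"
    try:
        raw = b58decode(text)
    except ValueError as exc:
        return False, str(exc)
    if len(raw) != 37 or raw[0] != 0x80:
        return False, "wrong payload length or version byte"
    if checksum(raw[:-4]) != raw[-4:]:
        return False, "checksum mismatch: likely a transcription error"
    return True, "ok"


def with_typo(wif: str, pos: int = 20) -> str:
    # Simulate one mis-copied character.
    wrong = "2" if wif[pos] != "2" else "3"
    return wif[:pos] + wrong + wif[pos + 1:]


# Constructed sample key (bytes 0x01..0x20); never use it to hold funds.
CONSTRUCTED_KEY = bytes(range(1, 33))
SAMPLE_WIF = encode_wif(CONSTRUCTED_KEY)

if __name__ == "__main__":
    print(check_wif(SAMPLE_WIF))             # valid key passes
    print(check_wif(with_typo(SAMPLE_WIF)))  # single typo is rejected
```

The Base58 alphabet omits `0`, `O`, `I` and `l`, so those look-alike characters are rejected before the checksum is even computed.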

Spy agencies working on cyberweapon “more powerful than Stuxnet”, claims Iran

An Iranian news agency has said that “malware worse than Stuxnet” may soon be unleashed, to “spy on and destroy the software structure of Iran’s nuclear program.”

The information came from an unnamed source close to Saudi Arabia’s secret service, according to The Register, and suggested that $1 million had already been earmarked for the project.

“Saudi spy chief Prince Bandar bin Sultan bin Abdulaziz Al Saud and director of Israel’s Mossad intelligence agency Tamir Bardo sent their representatives to a meeting in Vienna on November 24 to increase the two sides’ cooperation in intelligence and sabotage operations against Iran’s nuclear program,” the source told Iranian news agency FARS.

“One of the proposals raised in the meeting was the production of a malware worse than the Stuxnet (a comprehensive US-Israeli program designed to disrupt Iran’s nuclear technology) to spy on and destroy the software structure of Iran’s nuclear program,” the source told FARS.

Stuxnet inspired much debate among security professionals, both for its targeting of industrial control systems, and its sophistication, which seemed to indicate that it was made by a group with the resources of a nation-state. Senior researchers cautioned, in the wake of the attacks, against expecting “the next Stuxnet” to be similar. The advice was summed up in a phrase: “Expect the unexpected.”

Israel’s Haaretz news said that Saudi Arabia’s “shared concern” with Israel over Iran’s nuclear capability has put the two countries at odds with the United States. FARS reported that the Saudi intelligence chief described current Geneva talks aimed at limiting the country’s nuclear program through economic sanctions as “the West’s treachery.”

The Sunday Times, quoting an unnamed diplomatic source in Saudi Arabia, said that Saudi would allow Israel to use its air space, and cooperate with Israel on the use of drones and helicopters, if current talks in Geneva fail to roll back the country’s nuclear program.

“Once the Geneva agreement is signed, the military option will be back on the table. The Saudis are furious and are willing to give Israel all the help it needs,” the Sunday Times’ source said.

Samsung unveils Galaxy Gear smartwatch with 1.63-inch AMOLED touchscreen, built-in camera, 70 apps

This week’s Galaxy Gear prototype leak didn’t leave much to the imagination. Samsung’s new wearable was expected to debut with a built-in camera, speakers and a relatively clunky design, all of which are indeed present on the device we’re meeting today. But we now have quite a bit more clarity when it comes to functionality and specifications — the rumored 3-inch display size and 4-megapixel camera resolution, for example, were incorrect. The Gear will instead ship with a 1.63-inch Super AMOLED panel with a resolution of 320 x 320. That strap-mounted camera, for its part, is designed to capture low-res shots and 10-second 720p videos, and includes a 1.9-megapixel BSI sensor and an auto-focus lens.

The big surprise here is third-party applications support — there will be a total of 70 partner programs at launch, including sharing apps like Evernote and Path, fitness companions like RunKeeper and MyFitnessPal, and a handful of other offerings, such as TripIt, Line, Vivino and even eBay. We’ll dive into software functionality a bit more in our hands-on, so for now, let’s talk compatibility and specs. We were caught a bit off guard by the wearable’s limited compatibility though — at launch, it’ll only work with the Note 3 and Note 10.1, though some Galaxy S4 owners may be able to take advantage soon, after that device scores an update to Android 4.3. Assuming your handset is compatible, the Gear will serve as a companion device, enabling access to features like S Voice, Find My Device, a pedometer and third-party additions including those outlined above.

The device is powered by an 800MHz processor and a 315 mAh non-removable cell, which Samsung reps say should provide up to a day of “regular” use. There are two built-in mics (with noise cancellation support), a speaker, Bluetooth 4.0, an accelerometer and gyroscope, 4GB of storage and 512MB of RAM. The Galaxy Gear will eventually ship, along with the Note 3, to more than 140 countries. Pricing and country-specific availability has yet to be confirmed, but some customers should expect to have it in hand (or on hand, rather) beginning September 25th. Sadly, customers in the US and Japan will have to wait until October to pick one up for $299.

THE MAN BEHIND THE PROJECT … Pranav Mistry, tweets photos taken with the Galaxy Gear smartwatch

While a few reviews have claimed that the 1.9 megapixel camera of the Galaxy Gear smartwatch is of poorer quality than a typical smartphone camera, it does not seem to be the case. Pranav Mistry, the man behind the Galaxy Gear smartwatch, has tweeted a couple of pictures taken with the Galaxy Gear smartwatch. The quality of these photos is decent, which hints that the camera embedded in the strap of the watch can capture pictures of acceptable quality under good lighting conditions.