Android OS API-breaking flaw, thousands of MikroTik routers hacked, John McAfee's "unhackable" Bitcoin wallet is hackable, misconfigured 3D printers, researchers use sonar signals to steal unlock passwords, and the Linux Foundation sets out to improve open-source code security. Ron Gula from Gula Tech Adventures joins us for expert commentary, so stay tuned for this episode of Hack Naked News!
- Android OS API-Breaking Flaw Offers Useful WiFi Data to Bad Actors – Researchers from Nightwatch Cybersecurity reported that certain system-wide broadcasts sent out by the Android OS expose sensitive information about the user's device to any app installed on the phone, regardless of whether the app holds the permissions that normally guard that data. The information can be used for a number of nefarious purposes, including physically locating the user. Any app can register a broadcast receiver for the WifiManager state broadcasts and read data such as the device's MAC address and the BSSID of the access point it is connected to; a BSSID maps to a physical location through public Wi-Fi geolocation databases, which is what makes the leak a tracking problem. After being informed of the problem in March, Google fixed the issue earlier this month in Android P (Android 9). However, it said it does not plan to fix older versions of the OS, so users should upgrade as soon as possible.
- The Linux Foundation Set to Improve Open-Source Code Security – The Linux Foundation is set to expand its Core Infrastructure Initiative (CII) for improving open-source code security, which was initially set up in the aftermath of the OpenSSL Heartbleed vulnerability in 2014. In a video interview at the Open Source Summit, Jim Zemlin, Executive Director of the Linux Foundation, explains why the CII remains a critical effort for his organization and what is coming next to help improve open-source security. "Most security vulnerabilities are just bugs," Zemlin said.
- Google 'Titan Security Key' Is Now On Sale For $50 – Google's Titan Security Key is a small USB device, similar to Yubico's YubiKey, that provides hardware-based two-factor authentication (2FA) for online accounts. Because it implements the FIDO U2F standard, the key signs a challenge that is bound to the site's origin, so a credential phished through a look-alike domain is useless to the attacker; that origin binding is what puts it above SMS or app-generated codes against phishing. The Titan Security Key is now widely available in the United States; the full $50 kit includes a USB security key, a Bluetooth security key, a USB-C to USB-A adapter and a USB-C to USB-A connecting cable.
- Thousands of MikroTik Routers Hacked to Eavesdrop On Network Traffic – Chinese security researchers at Qihoo 360 Netlab have discovered that, out of 370,000 potentially vulnerable MikroTik routers, more than 7,500 devices have been compromised to enable a SOCKS4 proxy (RouterOS's built-in /ip socks service), allowing attackers to relay and eavesdrop on the targeted network traffic since mid-July. A router that answers SOCKS4 CONNECT requests from the internet without any authentication should be treated as compromised or at best misconfigured.
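The quickest way to tell whether one of your own routers has been turned into such a proxy is to speak SOCKS4 to it. The following is an added example, not code from Netlab's report or from MikroTik: it builds a SOCKS4 CONNECT request, parses the 8-byte reply, and wraps both in a live probe. The destination address, port and the reply bytes used in the comments are constructed for illustration; the port 1080 default is the conventional SOCKS port, not necessarily the one an attacker chose.

```python
"""Offline-testable SOCKS4 probe for spotting an open proxy on a router.

Added example (not from the Netlab report). SOCKS4 has no password
authentication: if the proxy answers a CONNECT with 0x5A ("granted") to
an arbitrary client, anyone on the internet can relay traffic through it.
"""
import socket
import struct
import sys

SOCKS4_VERSION = 0x04
CMD_CONNECT = 0x01
REPLY_GRANTED = 0x5A
REPLY_CODES = {
    0x5A: "granted",
    0x5B: "rejected or failed",
    0x5C: "rejected: identd unreachable",
    0x5D: "rejected: identd user mismatch",
}


def build_connect_request(dest_ip: str, dest_port: int, user_id: str = "probe") -> bytes:
    """Build a SOCKS4 CONNECT request.

    Layout: VN(1) CD(1) DSTPORT(2, network order) DSTIP(4) USERID(variable) NUL(1).
    """
    header = struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, dest_port)
    return header + socket.inet_aton(dest_ip) + user_id.encode("ascii") + b"\x00"


def parse_reply(data: bytes) -> dict:
    """Parse the 8-byte SOCKS4 reply: VN(1, always 0) CD(1) DSTPORT(2) DSTIP(4)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply (%d bytes)" % len(data))
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        # A real SOCKS4 server echoes version 0 in the reply; anything else
        # means we are talking to some other service on that port.
        raise ValueError("not a SOCKS4 reply: VN=%#x" % vn)
    return {
        "code": cd,
        "status": REPLY_CODES.get(cd, "unknown (%#x)" % cd),
        "granted": cd == REPLY_GRANTED,
        "port": port,
        "ip": socket.inet_ntoa(data[4:8]),
    }


def is_open_socks4_proxy(host: str, port: int = 1080, dest_ip: str = "1.1.1.1",
                         dest_port: int = 80, timeout: float = 3.0) -> bool:
    """Live check: connect to host:port, ask for a CONNECT, report whether it was granted.

    dest_ip/dest_port are a constructed, harmless target for the relay attempt;
    the proxy must reach it for the reply to be 0x5A, so pick something routable.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect_request(dest_ip, dest_port))
        reply = s.recv(8)
    return parse_reply(reply)["granted"]


if __name__ == "__main__":
    # usage: python socks4_probe.py <router-ip> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1080
    try:
        print("open SOCKS4 proxy" if is_open_socks4_proxy(target, target_port)
              else "SOCKS4 answered but refused the relay")
    except (OSError, ValueError) as exc:
        print("no SOCKS4 service:", exc)
```

Only run the live check against routers you are responsible for. A granted reply is the finding; a refused reply still tells you a SOCKS service is listening, which on a home or branch router is itself worth a look at the configuration.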
- Researchers show Alexa skill squatting could hijack voice commands – Thanks to the way Alexa resolves requests for "skills" (the cloud applications that register with Amazon), it is possible to create malicious skills whose invocation names are homophones of existing legitimate ones, so that a spoken request is routed to the attacker's skill instead of the one the user meant. Amazon made all skills in its library available by voice command by default in 2017, and skills can be "installed" into a customer's library by voice. This is difficult to aim at a specific victim, since the attacker does not control whose request gets misrouted, but it is a concern for Alexa users.
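A skill publisher (or a reviewer of a skill catalog) can get a first-pass warning of this kind of squatting by comparing invocation names phonetically rather than by spelling. The block below is an added example and not code from the researchers' paper or from Amazon: it uses American Soundex as a deliberately coarse phonetic key, applied per word, and groups catalog entries whose keys collide. The skill catalog is constructed; the real study used a richer phonetic model, and Soundex's habit of keeping the first letter means it misses pairs such as "cat" and "kat", which the sample deliberately includes to show the limitation.

```python
"""Phonetic-collision check for voice-app invocation names (added example).

Soundex keeps the first letter and encodes the next consonants as up to
three digits, so "Capital" and "Capitol" both become C134. Names whose
per-word keys all match are candidates for homophone squatting.
"""
from collections import defaultdict
import re

_SOUNDEX_CODES = {}
for _letters, _digit in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                         ("L", "4"), ("MN", "5"), ("R", "6")):
    for _ch in _letters:
        _SOUNDEX_CODES[_ch] = _digit


def soundex(word: str) -> str:
    """American Soundex: first letter plus three digits, e.g. Robert -> R163."""
    word = "".join(ch for ch in word.upper() if "A" <= ch <= "Z")
    if not word:
        return ""
    out = word[0]
    last = _SOUNDEX_CODES.get(word[0], "")   # the first letter's code also counts for merging
    for ch in word[1:]:
        if ch in "HW":                        # H and W do not separate same-coded consonants
            continue
        code = _SOUNDEX_CODES.get(ch, "")     # vowels map to "" and reset `last`
        if code and code != last:
            out += code
            if len(out) == 4:
                break
        last = code
    return (out + "000")[:4]


def phonetic_key(name: str) -> str:
    """Key an invocation name by the Soundex of each word, in order."""
    return "-".join(soundex(w) for w in re.findall(r"[A-Za-z]+", name))


def find_collisions(skill_names):
    """Group names whose phonetic keys collide; returns {key: [names]} for groups of 2 or more."""
    groups = defaultdict(list)
    for name in skill_names:
        groups[phonetic_key(name)].append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


# Constructed catalog (not real Alexa listings). The second and fourth entries
# are the kind of near-homophone a squatter would register; the last one is a
# homophone Soundex cannot see because the first letter differs.
SAMPLE_CATALOG = [
    "Capital One",
    "Capitol One",
    "Boil an Egg",
    "Boyle an Egg",
    "Weather Today",
    "Cat Facts",
    "Kat Facts",
]

if __name__ == "__main__":
    for key, names in find_collisions(SAMPLE_CATALOG).items():
        print(key, "->", ", ".join(names))
```

Treat a collision as a prompt for a human listen, not a verdict: two unrelated skills can share a key, and the misses (different first letter, silent consonants) are exactly the cases a determined squatter will pick, so a production check should swap in a pronunciation-based model.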
- John McAfee's 'unhackable' Bitcoin wallet is hackable, company admits – Two weeks ago, it seemed safe to say that John McAfee's supposedly "unhackable" cryptocurrency wallet had been hacked (it has been nearly four weeks since the first security researchers reached that conclusion). But only now, in the wake of yet another hack (more details at the link), has wallet-maker Bitfi decided to admit defeat. If you say "unhackable", someone will hack it.
- Thousands of misconfigured 3D printers on interwebz run risk of sabotage – Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to the internet. “These printers are controlled using the open source software package ‘OctoPrint’ but it’s likely there are other tools that are similarly affected. OctoPrint is not meant to be exposed in this way, and it explains in its documentation how to deploy the software in a safe way,” Mertens explained.
- Researchers Used Sonar Signal From a Smartphone Speaker to Steal Unlock Passwords – SonarSnoop is a side-channel attack in which the information the attacker wants is the phone's unlock password (in the researchers' demonstration, an Android unlock pattern). Instead of brute-forcing the password by trying every combination, or looking over the person's shoulder, SonarSnoop uses the phone's own speaker to emit an inaudible signal and its microphone to record the echoes, then recovers the finger's movement across the screen from that acoustic signature, which narrows the set of candidate passwords to a fraction of the original space.