On the car forum 1Addicts, a one-time poster by the name of “stolen1m” uploaded the video showing how his BMW was stolen in under three minutes. He suspects the thieves used devices that plug into the car’s On-Board Diagnostic (ODB) port to program a new keyfob.
In this particular video, there are a few security flaws that the hackers are exploiting simultaneously: there is no sensor that is triggered when the thieves initially break the window, the internal ultrasonic sensor system has a “blind spot” just in front of the OBD port, the OBD port is constantly powered (even when the car is off), and last but not least, it does not require a password. All of this means the thieves can gain complete access to the car without even entering it.
BMW has acknowledged that there is a problem, but is downplaying this particular issue by saying the whole industry struggles with thievery. This is unfortunate given that the evidence seems to point towards BMWs being specifically targeted. Whether that’s because they are luxury cars or because they have a security loophole doesn’t matter: the point is BMW needs to do something about it.
If you want to protect yourself from this hack, look into how you can disable the OBD port on your BMW by disconnecting the corresponding wires. If you or your dealer needs it, you can always reenable it. Alternatively, you can try to further secure the port in your own custom way.
A team of security researchers have demonstrated how a security flaw in Android 4.0.4 can be exploited by a clickjacking rootkit.
The research team is lead by North Carolina State University professor Xuxian Jiang, who succeeded in developing a proof-of-concept rootkit that attacks the Android framework as opposed to the underlying operating system kernel. The researchers contend that such a rootkit could potentially be downloaded with an infected app and be used to manipulate the smartphone.
In the video, the demonstrator was able to hide applications on the device, as well as get them to launch when icons for other applications are clicked. If downloaded with an infected application, the rootkit could for example hide the smartphone’s browser and replace it with a browser that looks exactly the same but actually steals all of the user’s information.
Earlier today, Anonymous released a confidential conference call between the FBI and law enforcement officers in the UK. The 16-minute call discusses ongoing investigations into hackers associated with Anonymous, AntiSec, and LulzSec.
From all appearances, Anonymous retrieved the sensitive access code information and a list of attendees from an FBI email account. The group released a roughly 15-minute-long recording of what appears to be a Jan. 17 conference call devoted to tracking and prosecuting members of the loose-knit hacking group.
The email, titled “Anon-Lulz International Coordination Call”, was published on pastebin earlier today. The email with details for accessing the call was sent to law enforcement officials in Britain, France, the Netherlands and others but the only people who identify themselves on the call are from the FBI and Scotland Yard.In a message on Twitter, Anonymous posted links to the audio recording and said the FBI “might be curious how we’re able to continuously read their internal comms for some time now.”
The initial link to the conference call was for an mp3 download, but it was also made available to stream on YouTube.
The FBI and Scotland Yard have now confirmed that their internal conference call describing their investigation into Anonymous hackers was illegally intercepted, as was the email containing the conference call details. The Metropolitan Police also confirmed it, saying:“We are aware of the video which relates to an FBI conference call involving a PCeU representative. The matter is being investigated by the FBI. We continue to carry out a full assessment. We are not prepared to discuss further.”
Karen Todner, a lawyer for Cleary, said that the recording could be “incredibly sensitive” and warned that such data breaches had the potential to derail the police’s work.“If they haven’t secured their email it could potentially prejudice the investigation,” she told. Following a spate of arrests across the world, the group and its various offshoots have focused their attention on law enforcement agencies in general and the FBI in particular.
Security expert Thomas Cannon working at viaForensics as the Director of R&D has demonstrated a custom-developed app that installs a backdoor in Android smartphones – without requiring any permissions or exploiting any security holes.
Thomas built an app which requires no permissions and yet is able to give an attacker a remote shell and allow them to execute commands on the device remotely from anywhere in the world. The functionality they are exploiting to do this is not new, it has been quietly pointed out for a number of years, and was explained in depth at Defcon-18 Presentation.
It is not a zero-day exploit or a root exploit. They are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel. This has been tested on Android versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a similar way on all platforms.
The application operates by instructing the browser to access a particular web page with specific parameters. This web page, and the server behind it, will, in turn, control the app by forwarding the browser to a URL that starts with a protocol prefix that is registered as being handled by the app, for example app://. This process can then be repeated and in doing so it enables two-way communication.
“In this demonstration Android’s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user. This power combined with the open nature of Android also facilitates the customisation of the system to meet bespoke security requirements. This is something we have even been involved in ourselves by implementing a proof of concept Loadable Kernel Module to pro-actively monitor and defend a client’s intellectual property as it passed through their devices. It is no surprise that we have seen adoption of Android research projects in the military and government as it can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it.” – Thomas Cannon said
Summary:
When using the Facebook ‘Messages’ tab, there is a feature to attach a file. Using this feature normally, the site won’t allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment.
Description:
When attaching an executable file, Facebook will return an error message stating:
“Error Uploading: You cannot attach files of that type.”
When uploading a file attachment to Facebook we captured the web browsers POST request being sent to the web server. Inside this POST request reads the line:
A team of security researchers have demonstrated how a security flaw in Android 4.0.4 can be exploited by a 
Earlier today, Anonymous released a confidential conference call between the FBI and law enforcement officers in the UK. The 16-minute call discusses ongoing investigations into hackers associated with Anonymous, AntiSec, and LulzSec.
