Unpatched Samsung Chipset Vulnerabilities Open Android Users to RCE Attacks


A newly disclosed set of vulnerabilities in Samsung chipsets has exposed millions of Android mobile phone users to potential remote code execution (RCE) attacks, until their individual device vendors make patches available for the flaws.

Until then, the best bet for users who want to protect against the threat is to turn off Wi-Fi calling and Voice-over-LTE settings on their devices, according to the researchers from Google’s Project Zero who discovered the flaws.

In a blog post last week, the researchers said they had reported as many as 18 vulnerabilities to Samsung in the company’s Exynos chipsets, used in multiple mobile phone models from Samsung, Vivo, and Google. Affected devices include Samsung Galaxy S22, M33, M13, M12, A71, and A53, Vivo S16, S15, S6, X70, X60, and X30, and Google’s Pixel 6 and Pixel 7 series of devices.

Android Users Face Complete Compromise

Four of the vulnerabilities in the Samsung Exynos chipsets give attackers a way to completely compromise an affected device, with no user interaction needed and requiring the attacker to only know the victim’s phone number, Project Zero threat researcher Tim Willis wrote.

“Tests conducted by Project Zero confirm that those four vulnerabilities [CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498] allow an attacker to remotely compromise a phone at the baseband level,” Willis said. “With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.” 

The security researcher identified the remaining 14 vulnerabilities in Samsung Exynos chipsets as being somewhat less severe.

In an emailed statement, Samsung said it had identified six of the vulnerabilities as potentially impacting some of its Galaxy devices. The company described the six flaws as not being “severe” and said it had released patches for five of them in a March security update. Samsung will release a patch for the sixth flaw in April. The company did not respond to a Dark Reading request seeking information on whether it will release patches for all 18 vulnerabilities that Google disclosed. It’s also unclear whether, or…


The National Security Bill and the press: a threat to reputable news publishers, an open door for foreign interference?


By Nathan Sparkes

The National Security Bill is intended to protect the UK from “foreign powers” and has been described as an anti-spying bill.

However, national security legislation often poses a threat to journalists’ ability to do their jobs – and this bill is no different.

A threat to press freedom

The most concerning part of the Bill for UK-based journalists is Clause 3, which states:

Assisting a foreign intelligence service

(1) A person commits an offence if the person—

(a) engages in conduct of any kind, and

(b) intends that conduct to materially assist a foreign intelligence service in carrying out UK-related activities.

(2) A person commits an offence if the person—

(a) engages in conduct that is likely to materially assist a foreign intelligence service in carrying out UK-related activities, and

(b) knows, or ought reasonably to know, that it is reasonably possible their conduct may materially assist a foreign intelligence service in carrying out UK-related activities.

(3) Conduct that may materially assist a foreign intelligence service includes providing, or providing access to, information, goods, services or financial benefits (whether directly or indirectly).

The penalty for this offence is imprisonment for up to 14 years, or a fine.

Reporters sometimes publish information which may assist a foreign intelligence service, yet its disclosure is in the public interest.

For example, the publication of data on unethical activities by UK intelligence services might both assist foreign intelligence services and be in the interests of the UK public to be known.

Some outlets, like the IMPRESS-regulated Declassified UK, specialise in reporting on alleged cases of unethical conduct committed by UK intelligence, diplomatic or military agencies.

It would be a significant threat to the freedom of the press if this provision was used to target Declassified UK and other, similar publishers acting in the public interest.

Unjustified exemptions

Alongside this heavy-handed provision, for which there is no defence for news publishers, other provisions in the bill benefit from a media exemption.

These provisions require individuals or organisations to register with the…


Cyber Security Today, Feb. 24, 2023 – Holes in open source software, ransomware gang tries to evade cyber insurers and more



Welcome to Cyber Security Today. It’s Friday, February 24th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Organizations that build on open-source code still aren’t doing enough to keep it clean. Researchers at Synopsys released their annual Open Source Security and Risk Analysis report this week, which looked at about 1,700 audits of commercial and proprietary software. And the results weren’t pretty. Eighty-four per cent of the codebases examined had at least one known open source vulnerability. That’s up four per cent from last year. Here’s something else: Of the 1,480 audited codebases that included risk assessments by corporate owners of the software, 91 per cent contained outdated versions of open-source components. Developers of applications and the IT departments that buy them need complete visibility of what is in their software, says Synopsys. It helps for developers to create, and buyers to demand, a software bill of materials, or SBOM, the company adds.
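As an added example, not from the podcast or the Synopsys report, here is what an SBOM actually buys you: once every component carries a package URL and a version, the two checks the report is counting (known vulnerable versions and outdated versions) become a few lines of code rather than a manual inventory. The CycloneDX-style SBOM, the advisory identifiers and the "latest version" map below are all constructed stand-ins for a real build SBOM, a vulnerability feed and a registry lookup.

```python
"""Audit a CycloneDX-style SBOM for known-affected and outdated components.

Added example. The SBOM, the advisory feed and the "latest version" map
are constructed stand-ins; a real check would load the SBOM from the
build and query a vulnerability database and a package registry.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4-style SBOM for a hypothetical web service.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.4.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        # No purl: a vendored or in-house library that no feed can be matched against.
        {"type": "library", "name": "internal-auth-lib", "version": "1.0.0"},
    ],
})

# Constructed advisory feed: purl without version -> (advisory id, first fixed version).
# Everything below the fixed version is treated as affected. The ids are placeholders.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": ("EXAMPLE-ADV-0001", "2.15.0"),
    "pkg:npm/lodash": ("EXAMPLE-ADV-0002", "4.17.21"),
}

# Constructed "latest published release" map, standing in for a registry query.
LATEST_KNOWN: Dict[str, str] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": "2.20.0",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind": "2.14.2",
    "pkg:npm/lodash": "4.17.21",
}


def parse_version(version: str) -> Tuple:
    """Turn '2.13.4.2' into a tuple that compares numerically segment by segment.

    Numeric segments compare as integers, so 2.13.4.2 > 2.13.4 and 2.9 < 2.14.
    Pre-release suffixes such as '-rc1' are out of scope for this example.
    """
    parts = []
    for piece in version.split("."):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def purl_without_version(purl: str) -> str:
    """Strip '@version' plus any '?qualifiers' or '#subpath' from a package URL."""
    base = purl.split("@", 1)[0]
    return base.split("?", 1)[0].split("#", 1)[0]


def audit_sbom(sbom_json: str,
               advisories: Dict[str, Tuple[str, str]] = ADVISORIES,
               latest: Dict[str, str] = LATEST_KNOWN) -> List[dict]:
    """Return one finding per problem: 'vulnerable', 'outdated' or 'unmatched'."""
    bom = json.loads(sbom_json)
    findings: List[dict] = []
    for comp in bom.get("components", []):
        name, version, purl = comp.get("name"), comp.get("version"), comp.get("purl")
        if not purl or not version:
            # Visibility gap: without a purl and version there is nothing to look up.
            findings.append({"component": name, "version": version,
                             "issue": "unmatched", "detail": "no purl or version in SBOM"})
            continue
        key = purl_without_version(purl)
        have = parse_version(version)
        if key in advisories:
            adv_id, fixed = advisories[key]
            if have < parse_version(fixed):
                findings.append({"component": name, "version": version, "issue": "vulnerable",
                                 "detail": f"{adv_id}: fixed in {fixed}"})
        if key in latest and have < parse_version(latest[key]):
            findings.append({"component": name, "version": version, "issue": "outdated",
                             "detail": f"latest is {latest[key]}"})
    return findings


if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM):
        print(f"{f['issue']:<10} {f['component']}@{f['version']}: {f['detail']}")
```

Two things worth noticing in the output: the in-house library with no purl is reported, not silently skipped, because an SBOM entry that cannot be matched is exactly the blind spot the report is describing; and "outdated" is reported separately from "vulnerable", since a component can lag the current release without a known advisory and still be the first thing to update when one appears.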

Researchers have found a new class of bugs that gets around security protections on iPhones, iPads and Macs. Trellix says the flaws could be used to evade the protections that prevent unapproved code from running on macOS and iOS, which would normally be a significant breach of the Apple security model. The vulnerabilities were addressed in the recent releases of macOS 13.2 and iOS 16.3, which is why you should have installed them by now.

The HardBit ransomware gang has a new tactic for dealing with corporate victims: Rather than haggling over payment to get access to encrypted data back, organizations are asked to go behind the backs of their insurers and divulge details of their cyber insurance policies (if they have one). Then the payment demanded will just be the maximum under the coverage. It’s pitched as a deal: If the gang knows you are insured only for, say $10 million, it promises not to demand more than $10 million.

A Russian citizen has been extradited to the U.S. from the republic of Georgia to face computer fraud and…


How India is driving the use of open government data


Launched in 2012, India’s Open Government Data (OGD) platform has enabled millions of people to access government data to build new applications, services and more recently, to train artificial intelligence (AI) models.

Through the use of open and machine-readable formats and application programming interfaces (APIs), the platform has not only democratised access to data, but also improved transparency by enabling communities to track data points, such as those related to mortality, budget and finance, population and geography.

Lydia Clougherty Jones, senior director analyst at Gartner, said enabling public visibility and oversight of government data and insights will improve citizen trust and delivery of public services in India while driving the development of new data products.

“Open data can drive digital business outcomes by providing increased access to more data from more diverse sources, providing ‘knowable’ insights that would not otherwise be discoverable without aggregation of data from multiple government data sources.

“These insights can support more robust predictive analytics, while the underlying data can serve as training data for the ever-hungry AI models while creating new economic value by potentially matching the right data to a use case or specific business outcome,” she added.

Indian software developers have been tapping the data available through the OGD platform to build applications such as the Teeka Mobile App that lets citizens track the vaccinations of children and the pregnancy of the female members in their family.

Another app, Rainbow, helps farmers make informed decisions throughout the lifecycle of their crops by providing information such as live market prices, dam water levels and local weather updates.

But for India to unlock the value of its open data initiative, there is a need to focus on high value datasets (HVD), according to a report by India’s National Association of Software and Service Companies (Nasscom).