Ars Technica |
Using Rowhammer bitflips to root Android phones is now a thing
Ars Technica By adding the Drammer privilege-escalation exploit, an existing code-execution attack can access core parts of the operating system, rather than being confined only to a small section of it, as envisioned under the Android security model. In the second … |
Android Headlines – Android News |
Brain Test Malware Is Back; Root Users Beware!
Android Headlines – Android News In essence, this made users part of a botnet. In the PC world, selling guaranteed installs to indie developers is common practice and is often executed in a similar manner, meaning that could have been the situation when the malware had its first go … Google Play Store Gets Rid Of 13 'Malicious Apps' – |
Dell laptops are coming preloaded with a self-signed root digital certificate that lets attackers spy on traffic to any secure website.
The reports first surfaced on Reddit and were soon confirmed by other users and security experts on Twitter and blogs. The root certificate, which has the power of a certificate authority on the laptops it’s installed on, comes bundled with its corresponding private key, making the situation worse.
With the private key, which is now available online, anyone can generate a certificate for any website that will be trusted by browsers such as Internet Explorer and Google Chrome that use the Windows certificate store on affected laptops. Security experts have already generated proof-of-concept certificates for *.google.com and bankofamerica.com.
To read this article in full or to leave a comment, please click here
At least some Dell laptops are shipping with a trusted root certificate authority pre-installed, something that those who discovered the CA are comparing to the Superfish adware installed on Lenovo machines that left them open to man-in the-middle attacks.
Called eDellRoot, the trusted root CA comes as part of the standard software load on new Dell machines. A Reddit contributor who uses rotocowboy for a screen name says the implications could be dire. “For those that are unfamiliar with how this works,” he writes, “a network attacker could use this CA to sign his or her own fake certificates for use on real websites and an affected Dell user would be none the wiser unless they happened to check the website’s certificate chain. This CA could also be used to sign code to run on people’s machines, but I haven’t tested this out yet.”
To read this article in full or to leave a comment, please click here