A REALLY bad security threat: USB devices

Yes, USB devices can carry malware, we all know that. This is new and different. Basically, it is not difficult to hack the hardware that controls the USB device, be it memory stick, external hard drive, or possibly smart phone or tablet. Malware injected in to the controller is pretty much undetectable, and if it can't be detected, it can't be removed.

I haven't seen reports of this problem being found in the wild, but if security researchers have found it and exploited it, there's no reason to think that bad actors such as criminals or government agencies haven't done it.

Solution? There isn't one at this time, it's too low-level of a problem like malware in hypervisors, all but impossible to detect. The best posited solution would be to apply checksums against all USB firmware, which would entail replacing all USB devices. At least you'd know if a device had been altered and was therefore untrustworthy, the question at that point would be whether the device could be remediated or should be destroyed.

http://www.wired.com/2014/07/usb-security/

https://www.schneier.com/blog/archives/2014/07/the_fundamental.html

New ways to compromise smartphones, including iPhones

The Blackhat security conference is coming up very soon, and with it, advanced information about all sorts of wonderful problems. In this case, two new ways to compromise smartphones.

First up, a report on a tool that's built in to all smartphones: Androids, Blackberrys, iPhones sold by Sprint. They haven't tested Windows phones yet. It's a management tool that allows the cell providers to update firmware in the phone through over the air updates, and the security implementation isn't very good.

Granted, this is a team of advanced security researchers, but they were able to get in and totally pwn the phones they were working with. They've notified the maker of the management tool and the cell companies, so a fix should be distributed over the next few months that will make this more secure. Also, no evidence of this being exploited in the wild.

http://www.wired.com/2014/07/hackers-can-control-your-phone-using-a-tool-thats-already-built-into-it/


Next up, an iPhone, if connected to a compromised Windows PC, can potentially be turned in to a botnet! This is interesting stuff as it has falsely been assumed that Apple had pretty tight security on its iPhones, which is broadly true, but they're also kinda slow pushing updates. I assume that the exploit would also be effective against iPads that also have cellular radios built-in.

http://www.wired.com/2014/08/yes-hackers-could-build-an-iphone-botnetthanks-to-windows/

Good ol' Mitt

"Our esteem around the world has fallen. I can't think of a major country, it's hard to think of a single country that has greater respect and admiration for America today than it did five years ago when Barack Obama became president. And that's a very sad, unfortunate state of affairs."

-- Mitt Romney, earlier this year, making an assertion that is contradicted by Pew Global Attitude Project polls in 2006 and 2014 regarding confidence in the U.S. president to do the right thing regarding world affairs: the only two countries where confidence in Bush was stronger than confidence in Obama were Russia and Pakistan.

I saw a breakdown of this lie and of some of the lies he told during his presidential run. Basically, he's very good at doubling-down on lies even when they've been rigorously disproved.

Sounds to me like he's considering running again in '16.

Jimmy John's Gourmet Sandwiches appears to be the next credit card fraud victim

The basic symptoms are like the Target et al hacks of late, but the curious part is that most of the JJ stores are independent they largely use the same point of sale system. So again, it's an breech upstream of the actual merchant.

http://krebsonsecurity.com/2014/07/sandwich-chain-jimmy-johns-investigating-breach-claims/