
Battery for Fujitsu LifeBook E782

What would you do in this situation? We've cooked up a poll that includes Flash's response, plus some sensible alternatives. After you vote, go to page two to learn what really happened.

The documents were left unprotected in the folders of the Windows desktops and contained information sufficiently sensitive to cause massive damage to at least three firms.

That mess was one of several illustrations Ronaldson offered delegates of the Federal Government's Australian Cyber Security Conference in Canberra yesterday.

The co-founder of Adelaide-based consultancy Risk Offensive says corporate sensitive data is being stolen by local and international hackers, taxi drivers and clerks – or simply being lost due to execs' own epic security blunders.

“The business centre was jammed with tenders and financial information,” Ronaldson says.

“Some taxi drivers get paid a lot of money to hand off information about the people who get in their cabs, to supply their audio and video footage.”

Ronaldson illustrated other ways executives can be hosed while travelling. One executive for an unnamed Australian firm lost every tender it submitted after a staffer's laptop was compromised at an overseas industry conference.

Those tenders were hoovered up by a rival which used the information to get a cheap head-start on the company.

Another individual had blueprints for a new communications system stolen when he was invited to speak on the subject at a foreign industry conference.

Ronaldson advised enterprises to enforce a privacy lockdown on executives' social media accounts such as Facebook if the high fliers insist on sharing travel information such as their check-in to airlines' frequent flyer lounges.

He says all devices taken on overseas trips must be quarantined before they are connected to corporate networks to mitigate the very real risk of compromise. For best practice, top executives should leave their personal and corporate devices at home and travel with burner phones and laptops.

Before you go on your business trip, know the adversary has already watched you, already knows your flight, knows that you love going to the lounge and watching the footy, and that you put your bag down and go for a drink.

The specification means makers of USB devices will be able to encode them with information about their source and function. When connecting to those devices, machines like computers or phones will be able to read that descriptor and choose to connect, or not, depending on policies.

The USB 3.0 Promoter group says: “For a traveler concerned about charging their phone at a public terminal, their phone can implement a policy only allowing charge from certified USB chargers.” Or perhaps you're worried that your organisation's laptop fleet could be compromised by rogue USB devices, in which case you “can set a policy in its PCs granting access only to verified USB storage devices.” It's not clear if that will allow organisations to specify individual devices, or just devices whose manufacturers have implemented the spec.

USB-C needs this spec for two reasons. One is that, not to put too fine a point on it, users are idiots. How else to explain the fact that almost half the people who pick up a USB stick they happen across in a parking lot plug said drives into their PCs? Once USB-C becomes ubiquitous and makes a single wire responsible for carrying power and data, even the dimmest hackers will likely cotton on to the opportunities to craft crooked chargers or other evil devices.

The second is that there are lots of scumbags churning out second-rate electronics to make a quick buck. We already know that poorly-wired cables capable of frying kit are enough of a menace that recently banned the sale of non-compliant cables on its digital tat bazaar. If devices flag such kit as sub-standard, or refuse to connect to them, it's therefore a win for all but the junk-slingers.

Details of the spec can be found in the revised USB 3.1 spec (54MB .ZIP file). Feel free to trawl through it for the finer points of the authentication. The TL;DR version is that it “references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation,” so it sounds like a conventional issue-certificates-and-check-them caper.

Doubtless the revised spec explains the efforts the folks behind it made to make the authentication bullet-proof. And as sure as night follows day, efforts to find loopholes in the spec that make it possible to crank out fake kit that presents itself as authentic will surely commence.

A bunch of Samsung Galaxy variants leave their modems open to receiving AT commands over the USB cable, even when they're locked.

Before you dismiss the vulnerability as a local privilege escalation (which it is), consider how many people would be happy leaving a locked phone on their desk because you need the code to unlock it.

The researchers, Roberto Paleari and Aristide Fattori, write that when connected to a laptop via the USB cable, the phones either automatically expose, or can be forced to expose, a serial interface that communicates with the USB modem.

“This communication channel is active even when both USB tethering and USB debugging (i.e., ADB) are disabled,” they write, “and can be accessed even when the device is locked. An attacker who gains physical access to a (possibly locked) device can thus use this interface to send arbitrary AT commands to the modem. This permits to perform several actions that should be forbidden by the lock mechanism, including placing phone calls or sending SMS messages.”

Older devices expose the USB serial modem by default – for example, it turns up on a Linux laptop in /dev as a TTY device. For newer units, the attacker would have to switch the device to USB configuration number 2 – but the phone doesn't have to be unlocked for that to happen, as the researchers explain:

“For our PoC we developed a very rough C tool, usbswitcher, that switches any attached Samsung device to USB configuration #2 (this is fine for the devices we tested, but your mileage might vary). The tool uses libusb to do the job, but the same task can probably be accomplished using the /sys/bus/usb pseudo-filesystem. The trick we used to force the phone to switch the configuration is to first reset the USB device (via usb_reset()), and then switching the configuration (via usb_set_configuration()). Sometimes it doesn't work at the first try, so just run usbswitcher twice to ensure the configuration is switched properly :-)”
