New Chrome vulnerability can hand over control of your Android phone with just a link

November 21st, 2015 | Edited by | software

Fortunately, Google is already aware of the exploit, but it’s another sign of how essential regular security updates have become.

A security researcher revealed a new exploit that could allow someone to take control over someone else’s Android phone remotely with just one Chrome link.
Researcher Guang Gong showcased this nefarious plan at MobilePwn2Own, part of Tokyo’s PacSec conference. The full details weren’t revealed, in order to deter anyone with malicious intent from putting it into action.
Gong was able to take control of a Project Fi Nexus 6 by attacking a JavaScript vulnerability in Chrome. Through the exploit, he installed an application granting total access to the phone without any user notification.

Luckily, a member of Google’s security team was at the event, so Google will soon be at work on a patch (along with offering a hefty reward bounty for Gong). As long as you avoid sketchy websites and stick to the Play Store for downloads, you should be fine, but it’s always good to keep an eye on the security landscape.
Why this matters: The Stagefright vulnerability raised the issue of Android security to a higher level because of how easily someone could unknowingly infect their devices from an MMS message. In response, Google now sends out a monthly patch to Nexus devices, while other hardware makers have said they’re going to also step up their security game. It’s badly needed, as Android’s large marketshare demands a robust security structure and update system.

Source: www.pcworld.com

Google Chrome gets new iOS beta program

November 19th, 2015 | Edited by | software

Google is now letting iPhone and iPad users take a cutting-edge version of its browser for a spin. The company on Friday quietly launched a new Chrome for iOS public beta program, which leverages Apple’s TestFlight system to give users the chance to try out a new version of the browser.
Users can sign up by going to Google’s Chrome Beta page on their iOS device, and they’ll then be taken to a form where they can enter their name, email address and agree to Chrome’s terms of service. After that, Google will send an email to confirm their email address.

Opting into the beta program ought to give users access to a version of the Chrome app that will have features before consumers get access to them. According to a post by 9to5Mac, that includes a new app icon that takes advantage of the 3D Touch capabilities built into the iPhone 6S and 6S Plus.
Users can press down hard on the Chrome beta icon and get a quick access menu for running a Web search and opening new tabs in both a standard browser window and Chrome’s Incognito Mode.
However, while it’s possible to put in your name for inclusion in Google’s beta program, it’s not clear how many people will actually get access to it. Apple now allows developers to test early versions of their apps with up to 2,000 people through TestFlight, and it seems like Google has already hit that cap. I applied to join the program with two different email addresses (one already associated with a TestFlight account, one not) and neither of them has been invited to join the beta.
Google may be taking in sign-ups and then weeding out inactive users in order to make room for other testers, but it seems like this program is likely going to be limited to an elite few, at least for the time being.
Like other beta software offerings, the Chrome beta isn’t designed to be the best option for people who want a bug-free browsing experience. Instead, the best people to take part in this testing will be those who want to try out the latest features and don’t mind a few rough edges.

Source: www.pcworld.com

BitLocker encryption can be defeated with trivial Windows authentication bypass

November 17th, 2015 | Edited by | software

Domain-joined Windows computers that use BitLocker should be patched as soon as possible.

Companies relying on Microsoft BitLocker to encrypt the drives of their employees’ computers should install the latest Windows patches immediately. A researcher disclosed a trivial Windows authentication bypass, fixed earlier this week, that puts data on BitLocker-encrypted drives at risk.
Ian Haken, a researcher with software security testing firm Synopsys, demonstrated the attack Friday at the Black Hat Europe security conference in Amsterdam. The issue affects Windows computers that are part of a domain, a common configuration on enterprise networks.
When domain-based authentication is used on Windows, the user’s password is checked against a computer that serves as domain controller. However, in situations when, for example, a laptop is taken outside of the network and the domain controller cannot be reached, authentication relies on a local credentials cache on the machine.
In order to prevent an attacker from connecting a stolen, lost or unattended laptop to a different network and creating a spoofed domain controller that accepts another password to unlock it, the authentication protocol also verifies that the machine itself is registered on the domain controller using a separate machine password.
This additional check doesn’t happen when the controller cannot be reached, because the protocol developers assumed that the attacker can’t change the user password stored in the local cache. However, Haken figured out a way to do it—and it only takes a few seconds if automated.

How it works

First, the attacker sets up a mock domain controller with the same name as the one the laptop is supposed to connect to. He then creates the same user account on the controller as on the laptop and creates a password for it with a creation date far in the past.
When authentication is attempted with the attacker’s password on the laptop, the domain controller will inform Windows that the password has expired and the user will automatically be prompted to change it. This happens before verifying that the machine is also registered on the controller.
At this point the attacker will have the ability to create a new password on the laptop, which will replace the original one in the local credentials cache.
Logging in while connected to the rogue domain controller would still fail, because the controller does not have the machine password. However, the attacker could disconnect the laptop from the network in order to force a fallback to local authentication, which will now succeed because only the user password is verified against the cache.
This is a logic flaw that has been in the authentication protocol since Windows 2000, the researcher said. However, physical access was not previously part of the Windows threat model, because in such a situation an attacker could boot from an alternative source, such as a live Linux CD, to access the data anyway.
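The ordering problem described above, as a toy model added here (not code from the article, the researcher or Microsoft). `Laptop`, `DomainController`, `logon` and the sample passwords are constructed names, and the `verify_machine_first` switch is one assumed way to close the gap, not a description of the MS15-122 patch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Laptop:                      # constructed model, not Windows code
    cached_user_pw: str            # entry in the local credentials cache
    machine_pw: str                # secret shared with the real controller
    verify_machine_first: bool     # False = ordering the article describes

@dataclass
class DomainController:
    user_pw: str
    user_pw_expired: bool
    machine_pw: Optional[str]      # None: this machine is not registered here

def machine_trusted(laptop, dc):
    return dc.machine_pw is not None and dc.machine_pw == laptop.machine_pw

def logon(laptop, dc, typed_pw, new_pw=None):
    """Return 'ok' or 'denied'; dc=None means no controller is reachable."""
    if dc is None:
        # Offline fallback: only the cached user password is compared.
        return "ok" if typed_pw == laptop.cached_user_pw else "denied"
    if laptop.verify_machine_first and not machine_trusted(laptop, dc):
        return "denied"            # assumed hardening: stop before any cache write
    if typed_pw != dc.user_pw:
        return "denied"
    if dc.user_pw_expired and new_pw is not None:
        # Expired-password change: the new password replaces the cached one.
        dc.user_pw, dc.user_pw_expired = new_pw, False
        laptop.cached_user_pw = new_pw
    # Machine registration check, reached only after the cache write above.
    return "ok" if machine_trusted(laptop, dc) else "denied"

def replay_article_sequence(verify_machine_first):
    """Run the article's sequence; return (online, offline, cache contents)."""
    laptop = Laptop("owner-secret", "machine-secret", verify_machine_first)
    unregistered_dc = DomainController("chosen", True, None)
    online = logon(laptop, unregistered_dc, "chosen", new_pw="replaced")
    offline = logon(laptop, None, "replaced")
    return online, offline, laptop.cached_user_pw

if __name__ == "__main__":
    for hardened in (False, True):
        print("verify_machine_first =", hardened, replay_article_sequence(hardened))
```

With the switch off, the online logon is still denied but the cache has already been overwritten, which is why the later offline logon succeeds.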
That all changed when BitLocker was introduced in Windows Vista. Microsoft’s full-disk encryption technology, which is available in the professional and enterprise editions of Windows, is specifically designed to protect data in case a computer is stolen or lost—in other words when an unauthorized individual has physical access to it.
BitLocker stores the data encryption key in a Trusted Platform Module (TPM), a secure hardware component that performs cryptographic operations. The key is unsealed from the TPM only if the same boot process is followed as when BitLocker was first activated.
The various stages of the boot process are cryptographically verified, so an attacker with physical access to a BitLocker-enabled laptop will not be able to boot from an alternative OS to read the data stored on its drive. The only possibility left for the attacker in this case is to boot normally to unlock the encryption key and then to bypass the Windows authentication to gain access to the data, which Haken’s attack allows.
Microsoft fixed the vulnerability Tuesday and published the corresponding MS15-122 security bulletin.
This attack shows that when it comes to security, we constantly need to reexamine old truths, Haken said.
BitLocker offers the option to enable preboot authentication using a PIN or a USB drive with a special key on it, in addition to the TPM. However, such configurations are a hard sell for enterprises, because they introduce friction for users and make it difficult for administrators to remotely manage computers, Haken said.
In its own documentation, Microsoft admits that preboot authentication is “unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network.”

Source: www.pcworld.com

How to remove Bing from Edge or Internet Explorer

November 12th, 2015 | Edited by | software

Maybe you like Google. Or Yahoo. Or DuckDuckGo. Choosing your own search engine just takes a few steps.

Microsoft, of course, would rather you used its Bing search engine in its browser running inside its operating system. But you don’t have to. Even if you’d prefer to stay with Microsoft’s browser, you can change that browser’s default search engine.
I’ll give you instructions for both Internet Explorer 11 and Edge.
[Have a tech question? Ask PCWorld Contributing Editor Lincoln Spector. Send your query to answer@pcworld.com.]

Internet Explorer 11

In Internet Explorer, go to the Internet Explorer Gallery webpage. Scroll down a bit, and you’ll find a block of add-ons. Some of them, such as Google and Yahoo, will be clearly labeled as Search.

Here’s the unfortunate part: If your preferred search engine isn’t on this page, you can’t make it your default. You can make Google or Yahoo your default, but not, for instance, the privacy-friendly DuckDuckGo.
Click your preferred search engine (or at least the best in the group). This will take you to another webpage, where you can click the Add to Internet Explorer button.
In the resulting Add Search Provider dialog box, check Make this my default search provider and click Add.

That’s it: you’ve changed Internet Explorer’s Search provider.

Edge

Just about any search engine works here, including DuckDuckGo.
First, go to your preferred search engine’s main page. You don’t have to do anything there. You just have to bring up the page in Edge. Then follow these instructions:
1.   Click the menu icon (three dots) in the top-right corner and select Settings.
2.   Scroll down the Settings panel, then find and click the View advanced settings button.
3.   Scroll down the Advanced settings panel to “Search in the address bar with.” Click the pull-down menu. You’ll find two options: Bing and <Add new>. Click <Add new>.
4.   Here you’ll find all of the search engines you’ve visited. Select the one you want and click Add as default.

That’s it. Edge will now default to your favorite search engine.

Source: www.pcworld.com

Installing Linux on a Chromebook: What you need to know

September 26th, 2015 | Edited by | software

Installing Linux on a Chromebook isn’t difficult–if you know what you’re doing.

Chromebooks are more powerful than you realize already, but zooming around the web in Google’s browser is just the beginning of what Chromebooks are capable of.
Chrome OS is built on top of the Linux kernel, and you can install a full Linux environment alongside Chrome OS on your Chromebook. This gives you access to Steam and over a thousand PC games, Minecraft, Skype, and everything else that runs on desktop Linux.

ARM vs Intel

If you do plan on getting a Chromebook and using Linux on it, you should consider whether it has an ARM chip or an Intel chip.
ARM-based Chromebooks can use a full Linux environment too, but they’re cut off from a whole ecosystem of closed-source software designed for traditional x86-based PC chips, including Steam and all its games. If you’re planning on running desktop Linux, get an Intel-based Chromebook. You could even use Steam’s in-home streaming to stream games running on a gaming PC to a Chromebook. But this isn’t possible on an ARM Chromebook, as Steam only runs on Intel CPUs.

Developer mode

Installing Linux isn’t officially supported by Google. It requires putting your Chromebook into “developer mode,” which gives you full write access to the entire operating system. Outside of developer mode, these files are normally protected to preserve the operating system’s security from attack. So you’ll have to enter developer mode before you can start installing Linux—check the official wiki for instructions, which are device-specific.
This will boot you into recovery mode, where you can “turn off OS verification.” After that, you’ll be able to have full access to the entire operating system—though that freedom entails some minor headaches. You’ll have to press Ctrl+D or wait 30 seconds every time you boot. Your Chromebook will beep at you and bug you, providing a scary warning that the normal verification process has been disabled. This ensures it’s always obvious when a Chromebook is in developer mode.

Installing Linux

There are several ways to install Linux. For example, you could install it to an SD card and boot from there.
But the best way to install Linux is to install it alongside Chrome OS on your hard drive, despite the limited storage capabilities in most Chromebooks. This lets you run both Chrome OS and a traditional Linux desktop or terminal at the same time, switching between them with a quick keystroke. You can also bring that Linux desktop straight onto your Chrome OS desktop. This also means that the Linux environment can use all the same hardware drivers provided with Chrome OS, ensuring good hardware support.
I recommend using Crouton for this. It will help you install Ubuntu or Debian alongside Chrome OS. While this isn’t officially supported by Google, it is developed by a Google employee in his spare time. After you enable developer mode, you’ll be able to open the integrated Chrome OS shell, download the installation script, and run it. It’ll install and set up the Linux environment. The Crouton webpage provides instructions on installing it.

Using your Linux environment

With Linux installed via Crouton, you can run a certain command to launch the Linux session and then switch back and forth between the Linux environment and Chrome OS desktop with Ctrl+Alt+Shift-Back and Ctrl+Alt+Shift-Forward. Again, check Crouton’s webpage for more instructions.
But rather than constantly switching back and forth, you’ll probably want to install the Crouton integration extension from the Chrome Web Store. This will give you a full Linux desktop in a window on your Chrome OS desktop so you can see everything at once without having to switch back and forth.

If you decide you’re done with Linux, you can simply disable developer mode and go back to the normal Chrome OS system state. You’ll be prompted to do this every time you boot your Chromebook. Doing this will erase everything on your Chromebook and set the operating system back to its clean, default state.

Source: www.pcworld.com
