Last week, Google released the 4.4 (KitKat) version of its omni-popular Android OS. Among the improvements, some have noticed several security-related changes. So, how much more secure is Android 4.4?
The major security improvements in Android 4.4 (KitKat) can be divided into 2 categories:
1. Digital certificates
Android 4.4 will warn the user if a Certificate Authority (CA) is added to the device, making it easy to identify Man-in-the-Middle attacks inside local networks. At the same time, Google Certificate Pinning will make it harder for sophisticated attackers to intercept network traffic to and from Google services, by making sure only whitelisted SSL certificates can connect to certain Google domains.
2. OS hardening
SELinux is now running in enforcing mode, instead of permissive mode. This helps enforce permissions and thwart privilege escalation attacks, such as exploits that want to gain root access. Android 4.4 comes compiled with FORTIFY_SOURCE set at level 2, making buffer overflow exploits harder to implement.
via Android 4.4 arrives with new security features – but do they really matter? – Securelist.
The last word
In summary, here is our minimum recommendation for safe storage of your users’ passwords:
Use a strong random number generator to create a salt of 16 bytes or longer.
Feed the salt and the password into the PBKDF2 algorithm.
Use HMAC-SHA-256 as the core hash inside PBKDF2.
Perform 10,000 iterations or more. (November 2013.)
Take 32 bytes (256 bits) of output from PBKDF2 as the final password hash.
Store the iteration count, the salt and the final hash in your password database.
Increase your iteration count regularly to keep up with faster cracking tools.
Whatever you do, don’t try to knit your own password storage algorithm.
It didn’t end well for Adobe, and it is unlikely to end well for you.
via Serious Security: How to store your users’ passwords safely | Naked Security.
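The seven steps above, carried out with Python's standard library. This is an added example, not code from the Naked Security article; the record layout (iteration count, salt and hash joined with "$") and the needs_rehash helper are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16       # salt of 16 bytes or longer
ITERATIONS = 10_000   # the November 2013 floor; raise it over time
HASH_BYTES = 32       # 256 bits of PBKDF2 output


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hash a password with PBKDF2-HMAC-SHA-256 and return a storable record.

    The record format 'iterations$salt_hex$hash_hex' is an assumption made for
    this example; any layout that keeps all three values is fine.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # cryptographically strong RNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=HASH_BYTES)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored iteration count and salt, then compare."""
    iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations),
                                 dklen=HASH_BYTES)
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record: str, current_iterations: int = ITERATIONS) -> bool:
    """True if the stored record used fewer iterations than the current policy."""
    return int(record.split("$")[0]) < current_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

On a successful login, check needs_rehash and, if it returns True, store a fresh record made with the current iteration count while the plaintext is still in hand.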
security hole in Samsung TVs which could have allowed hackers to get in to your television, watch you, change channels and plant malware.
Now, a UK blogger, known only as ‘DoctorBeet’, has apparently discovered that his LG Smart TV has actually been sending data about his family’s viewing habits back to the South Korean manufacturer.
After some investigation he found that his Smart TV would send data back to LG, even after he disabled an option in the system settings menu called “Collection of watching info.”
He said that his LG set, model number LG 42LN575V, connects to a non-functional URL with details of the times and channels being watched.
Worse still, he also discovered that the filenames of some media on a USB device connected to the TV were also transmitted, saying that:
My wife was shocked to see our children’s names being transmitted in the name of a Christmas video file that we had watched from USB.
This discovery prompted DoctorBeet to create a mock video file which he transferred to a USB stick. He deliberately chose a filename – Midget_Porn_2013.avi – that couldn’t possibly be confused with the TV set’s firmware. After connecting the USB drive to his TV he later found that the filename had been transmitted in an unencrypted format to GB.smartshare.lgtvsdp.com.
Strangely, not all filenames belonging to media on USB devices were transmitted:
via LG Smart TVs phone home with viewing habits and USB file names | Naked Security.
Brilliant site for creating and publishing online brochures:
Converts from PDF. All text is searchable. Web links are clickable. Very good for SEO.
Sample wedding brochure created as a test case:
Plans & Pricing.
Cryptolocker is a rather unpleasant strain of malware, first spotted in August, that encrypts documents on the infiltrated Windows PC and will throw away the decryption key unless a ransom is paid before a time limit. The sophisticated software, which uses virtually unbreakable 256-bit AES and 2048-bit RSA encryption, even offers a payment plan for victims who have trouble forking out the two Bitcoins (right now $1,200) required to recover the obfuscated data.
via Cryptolocker infects cop PC: Massachusetts plod fork out Bitcoin ransom • The Register.