Archive for the ‘Comms’ Category

Hundreds of thousands of engine immobilisers hackable over the net

Kiwi hacker finds brutal holes in location, tracking units

Kiwicon: Kiwi hacker Lachlan Temple has found holes in a popular cheap car tracking and immobilisation gadget that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion.

The gadgets are rebranded white box units from Chinese concern ThinkRace that users attach to their cars to enable remote tracking, engine immobilisation, microphone recording, geo-fencing, and location tracking over a web interface.

In Australia the units badged as “Response” sell for about A$150 at electronics chain JayCar or through some mechanics who offer to install the devices.

One of the unit’s relay leads is commonly attached to car fuel pumps as a means to remotely immobilise stolen vehicles.

But session cookie vulnerabilities turn that function – in the worst case scenario – into a means to shut off fuel supply to cars while in motion over the internet.

Read More by Darren Pauli

No root for you! Google slams door on Symantec certs

Google being ‘alarmist’ claims Symantec

The four-month row between Google and Symantec over SSL certificate issuing has just gone nuclear, with the Chocolate Factory making good on its threats and beginning a blockade.

“Over the course of the coming weeks, Google will be moving to distrust the ‘Class 3 Public Primary CA’ root certificate operated by Symantec Corporation, across Chrome, Android, and Google products,” said Google software engineer Ryan Sleevi.

“Symantec has decided that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements. As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products.”

Sleevi said that Symantec had informed Google that the root certificate would be used for purposes other than for publicly trusted connections, but isn’t saying what else they might be used for. As a result, it’s on Google’s naughty list.

“Symantec has indicated that they do not believe their customers, who are the operators of secure websites, will be affected by this removal,” Sleevi said. “Further, Symantec has also indicated that, to the best of their knowledge, they do not believe customers who attempt to access sites secured with Symantec certificates will be affected by this.”

Read More by Iain Thomson

Pause Patch Tuesday downloads, buggy code can kill Outlook

MS15-115 is one to miss

The El Reg inbox has been flooded with reports of a serious cock-up by Microsoft’s patching squad, with one of Tuesday’s fixes causing killer problems for Outlook.

“We are looking into reports from some customers who are experiencing difficulties with Outlook after installing Windows KB 3097877. An immediate review is under way,” a Microsoft spokesperson told us.

The problem is with software in one of the four critical patches issued in yesterday’s Patch Tuesday bundle, MS15-115. This was supposed to fix a flaw in the way Windows handles fonts, but has had some unexpected side effects for some Outlook users.

“Today I’ve deployed latest Outlook patch to all of my clients, and now Outlook is crashing every 10 minutes and then restarting itself. I tried on fresh Win10, no AV with latest patches applied and here we go, Outlook crashing there too,” complained one TechNet user.

“Come on guys, do you EVER do proper QA before releasing anything Office 2013 related? This is the worst version of Outlook ever. Sorry for negative attitude but this is how things are.”

The break point appears to come not when an email that contains certain fonts is opened, but when it’s scrolled through. Outlook 2010 and 2007 seem affected, but the issue is reportedly fixed when the patch is uninstalled.

Read More by Iain Thomson
