Why “error handling” is part of the security checklist.

A new CSS-based web attack will crash and restart your iPhone

Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link.

The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use, Haddouche told TechCrunch.

He explained that by nesting a ton of elements — such as tags — inside a backdrop filter property in CSS, you can use up all of the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage.

“Anything that renders HTML on iOS is affected,” he said. That means anyone sending you a link on Facebook or Twitter, any webpage you visit that includes the code, or anyone sending you an email, he warned.

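The article describes the trigger as deep element nesting combined with a CSS backdrop filter. From the defender's side, a mail gateway, link-preview service or content filter can at least flag HTML that shows that shape before handing it to a WebKit-based renderer. The scanner below is an added example, not code from the article or from Haddouche's proof of concept; the depth threshold (200), the sample pages and the element names are constructed assumptions, and the heuristic is a nesting-depth measure with backdrop-filter as a second signal, not a detector for this specific page.

```python
"""Flag HTML whose element nesting depth is large enough to be a rendering
resource-exhaustion risk, using backdrop-filter as an additional signal.
Added example (not the article's code); threshold and samples are assumptions."""
from html.parser import HTMLParser

# Void elements never get a closing tag, so they must not count toward depth.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}

MAX_DEPTH = 200  # assumed threshold; ordinary pages stay far below this


class NestingDepthScanner(HTMLParser):
    """Tracks current/maximum element depth and whether backdrop-filter appears."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth = 0
        self.max_depth = 0
        self.backdrop_filter = False
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        if tag in VOID_ELEMENTS:
            return
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        # Inline style attribute carrying a backdrop filter
        for name, value in attrs:
            if name == "style" and value and "backdrop-filter" in value.lower():
                self.backdrop_filter = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        if tag in VOID_ELEMENTS:
            return
        # Clamp at zero so stray closing tags cannot push the counter negative
        self.depth = max(0, self.depth - 1)

    def handle_data(self, data):
        # <style> content is delivered here; look for the filter in stylesheets
        if self._in_style and "backdrop-filter" in data.lower():
            self.backdrop_filter = True


def scan_html(html, max_depth=MAX_DEPTH):
    """Return depth statistics and a flag for HTML that exceeds max_depth."""
    parser = NestingDepthScanner()
    parser.feed(html)
    parser.close()
    return {
        "max_depth": parser.max_depth,
        "backdrop_filter": parser.backdrop_filter,
        "flag": parser.max_depth > max_depth,
    }


# Constructed samples: a normal small page and one with 400 nested elements
# plus a stylesheet that applies a backdrop filter.
NORMAL_PAGE = "<html><body><div><p>Hello <b>world</b><br></p></div></body></html>"
DEEP_PAGE = (
    "<html><head><style>div{backdrop-filter:blur(2px)}</style></head><body>"
    + "<div>" * 400 + "x" + "</div>" * 400
    + "</body></html>"
)

if __name__ == "__main__":
    for label, page in (("normal", NORMAL_PAGE), ("deep", DEEP_PAGE)):
        print(label, scan_html(page))
```

The scanner is linear in input size and never recurses, so scanning a hostile page cannot itself exhaust the filter's stack; a page that trips the flag can be quarantined or rendered with a plain-text fallback instead of being passed to the engine.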
Someone should tell the FBI because this will allow them to grab the encryption key on laptops.

F-Secure Says Almost All Computers Are Vulnerable to New Cold Boot Attack

… According to security firm F-Secure, almost every computer is vulnerable to this type of attack.

At the heart of this attack is the way computers manage RAM via firmware. Cold boot attacks aren’t new — the first ones came along in 2008. Back then, security researchers realized you could hard reboot a machine and siphon off a bit of data from the RAM. This could include sensitive information like encryption keys and personal documents that were open before the device rebooted.

In the last few years, computers have been hardened against this kind of attack by ensuring RAM is cleared faster. For example, restoring power to a powered-down machine will erase the contents of RAM.

The new attack can get around the cold boot safeguards because it’s not off — it’s just asleep. F-Secure’s Olle Segerdahl and Pasi Saarinen found a way to rewrite the non-volatile memory chip that contains the security settings, thus disabling memory overwriting. After that, the attacker can boot from an external device to read the contents of the system’s RAM from before the device went to sleep.

… Rather than letting computers go to sleep, F-Secure recommends using hibernation. Hibernation will clear encryption keys from RAM, but other files could still be at risk. Shutting your computer all the way off is still the best defense.

Should make for some interesting arguments.

New York sues U.S. to stop fintech bank charters

New York state’s top banking regulator on Friday sued the federal government to void its decision to award national bank charters to online lenders and payment companies, saying it was unconstitutional and put vulnerable consumers at risk.

… She said New York could best regulate those markets, but the OCC decision left consumers “at great risk of exploitation” by weakening oversight of predatory lending, allowing the creation of more “too big to fail” institutions, and undermining the ability of local banks to compete.

… OCC spokesman Bryan Hubbard said in an email that the regulator, part of the U.S. Department of Treasury, would vigorously defend its authority to grant national charters to qualified companies “engaged in the business of banking.”

Vullo’s complaint joins a slew of litigation from regulators in Democratic-controlled or -leaning states challenging Trump administration policies.

It seeks a declaration that the OCC exceeded its authority under the National Bank Act and violated the Constitution’s 10th Amendment by usurping state powers.