Galaxy S III bug disables lock screen, grants full access, tests patience (updated)

Lock screens are around for a reason: to keep people from getting where they shouldn’t. They aren’t always infallible, though, and a few weeks ago, we saw a vulnerability in several builds of iOS 6 that granted access to the phone module without a passcode. Then, a couple of days ago, we reported on a Galaxy Note II bug that allows the quick-fingered to launch anything immediately behind the lock screen. Now, a similar flaw has been found on the Galaxy S III that breaks the lock screen altogether, permitting full use of the phone. To replicate the bug, you’ll need to tap the “Emergency Call” button on the lock screen, then go into the ICE (emergency contacts) menu. From there, press the home button, followed quickly by the power button, and that’s it. If successful, pressing the power button again will bring up the home screen straight away, and what’s more, the lock screen won’t return until the handset is restarted. Sounds worryingly simple, right? In our experience, not so much.

We first tried this method on an S III running Android 4.0.4 ICS, and a Note II for good measure, but to no avail. Then, we had a crack at an S III running 4.1.2 Jelly Bean, and were close to giving up trying to replicate it when voilà, it worked. We hoped to provide you with a video of the bug, but it must be camera shy. Despite literally hundreds of attempts in front of the lens and several more behind it, we’ve only managed it once — we found it impossible to nail down the correct timing between the home and power button pushes. Samsung’s likely aware of the bug already and when quizzed about the Note II vulnerability, said a fix for lock screen issues on affected “Galaxy devices” was in the works (read: they didn’t say the Note II specifically). We’ve reached out for comment just to be sure, but until a patch is provided, keep your phone concealed from nosey types who read tech sites and have saint-like patience.

Update: Samsung has responded, confirming a fix is indeed on its way:

“Samsung considers user privacy and the security of user data its top priority. We are aware of this issue and will release a fix at the earliest possibility.”

Via: SlashGear

Source: Full Disclosure

Samsung Galaxy S III security issue provides lock screen bypass

It all started when Terence Eden discovered a bug that allowed someone to briefly access the home screen on a Galaxy Note II. Following the method to take advantage of the bug, another individual named Sean McMillan discovered another method that allows complete access to the handset’s home screen, and not just for the Galaxy Note II. He reportedly tested the method on three Galaxy S III handsets, and it worked on each of them.

The process, when followed correctly, not only gives the user access to the handset’s home screen without getting past the lock screen properly, but also removes the need to enter the pattern, PIN, or other lock method in place once the bypass has been successfully used. Because the bug was replicated on more than one type of Samsung handset, it is possible the issue lies with Samsung’s software rather than with the Android OS.

The folks over at ZDNet say they have confirmed the bugs on both the Galaxy S III and Note II. After what they report were tricky timing issues with getting the method just right, they were able to entirely bypass the lock screen on the Galaxy S III, which was running Android 4.1.2. With the Galaxy Note II, they got the initial bug that provides brief access to the home screen to work, but not the latter method.

If you own one of these two devices and would like to give it a try, the bug is pretty simple. Enter “Emergency Call” from the lock screen and open “Emergency Contacts.” From there, press the Home button, then immediately press the Power button. Press the Power button again, and you’ll be taken to the home screen instead of the lock screen.

[via ZD Net]


Samsung Galaxy S III security issue provides lock screen bypass is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All rights reserved.

Evernote will implement two-factor authentication soon

Evernote is planning on implementing two-factor authentication with its services soon in light of its recent security blunder. Evernote was hacked over the weekend and its users’ emails, usernames, and passwords were all compromised. The company had to initiate a password reset on all accounts in order to protect its users’ information. While all of the accounts were compromised, Evernote says that there were no signs of personal notes or account details being accessed.

The company stated that it had planned on implementing the two-factor authentication sometime in the future, but because of this security breach, it plans on accelerating the implementation very soon. The authentication codes can be delivered in a variety of ways, including SMS messaging, a code delivered via phone call, a one-time code delivered by a smartphone app, or perhaps (and least likely) a code delivered via a hardware token, similar to the Battle.net Authenticator.

Evernote isn’t the first company to be taking advantage of two-factor authentication. Like I mentioned above, Battle.net has its own Authenticator that players can purchase to further protect their accounts. There is also a Battle.net authenticator app available for free on Android and iOS. The authenticator was a security feature added after many player accounts were hacked resulting in many valuable in-game items being lost. Dropbox also implemented a two-factor authentication feature when they had a security breach that compromised all of its users’ emails.

There is no specific date as to when two-factor authentication will find its way to Evernote’s services, but it’s a step in the right direction. Security officials stated that Evernote used the MD5 cryptographic algorithm to hash its passwords, but it turns out that that algorithm is considered to be a terrible choice for security. If they had two-factor authentication, Evernote would still have been hacked, but at least its users’ account information would have been protected.
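What "hashed and salted" with MD5 means in practice, next to a deliberately slow key-derivation function, as an added example that is not Evernote's code and not part of the original article. The salt-then-password layout, the 16-byte salt and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def store_salted_md5(password):
    """Weak scheme: a single MD5 pass over salt + password (layout assumed)."""
    salt = os.urandom(16)
    return salt, hashlib.md5(salt + password.encode()).digest()


def verify_salted_md5(password, salt, digest):
    candidate = hashlib.md5(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def store_pbkdf2(password):
    """Stronger scheme: per-user salt plus many HMAC-SHA256 iterations."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_pbkdf2(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def seconds_per_check(verify, salt, digest, checks=2):
    """Average cost of one password check, i.e. the price of each guess."""
    start = time.perf_counter()
    for i in range(checks):
        verify(f"wrong-guess-{i}", salt, digest)
    return (time.perf_counter() - start) / checks


def compare_schemes(password="constructed-sample-password"):
    md5_a, md5_b = store_salted_md5(password), store_salted_md5(password)
    kdf = store_pbkdf2(password)
    md5_cost = max(seconds_per_check(verify_salted_md5, *md5_a), 1e-9)
    return {
        "salts_differ": md5_a[1] != md5_b[1],  # same password, different records
        "md5_ok": verify_salted_md5(password, *md5_a),
        "pbkdf2_ok": verify_pbkdf2(password, *kdf),
        "slowdown": seconds_per_check(verify_pbkdf2, *kdf) / md5_cost,
    }


if __name__ == "__main__":
    print(compare_schemes())
```

The salt makes identical passwords produce different records, which defeats precomputed tables, but it does nothing about how cheap each MD5 check is; the `slowdown` figure is the gap a slow function adds per guess.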

[via Android Community]


Evernote will implement two-factor authentication soon is written by Brian Sin & originally posted on SlashGear.

Evernote plans two-factor authentication following last week’s hack

In a move that’s often more reactive than proactive these days, Evernote has shared plans to add two-factor authentication to its login process. This latest announcement follows last week’s hacking attack and subsequent site-wide password reset, and will be available to all of the site’s 50 million users beginning later this year, according to an InformationWeek report. It’s too early to say exactly how the Evernote team plans to implement the new security feature, whether through a dedicated app or text message password, but given the service’s scale, we can likely count out a hardware fob option, at least. For now, your best course of action is to create a secure password, or, if you’re especially paranoid, you may consider delaying your return until the security boost is in place.

Source: InformationWeek

Galaxy Note II hack exposes homescreen

A security flaw allowing brief – but potentially dangerous – access to the Samsung Galaxy Note II‘s homescreen, even if the phablet has been locked, has been identified, again raising questions about the company’s security policies. The not-quite-a-hack, identified by security researcher Terence Eden, requires nothing more than a few well-timed button presses, and potentially gives – brief – access to whatever apps, widgets, and direct-dial shortcuts are saved on the homescreen.

The exploit relies on the fact that, when certain buttons are pressed in sequence, the Note II’s homescreen flashes up. That happens no matter whether the phone has been locked with a PIN, pattern lock, password, or Android Face Unlock, and indeed Eden says third-party launchers and lock screens can’t prevent it.

In short, hitting Emergency Call on the homescreen, and then pressing the bottom left “ICE” button, followed by holding down the home button, will prompt the homescreen to show for a short period. What access an attacker might then have depends on what widgets and shortcuts the device’s owner has placed on the homescreen itself: if they’re triggers to call people, for instance, then if tapped before the screen locks again, the call will still go through.

Alternatively, other apps will begin running in the background if tapped in time, or an attacker could simply read through whatever information was being currently shown in a widget. That might be a few recent email inbox entries, or details of the upcoming calendar.

Eden says he alerted Samsung of the exploit’s existence – which he has tested on the UK version of the Galaxy Note II N7100 – several days ago, and yet despite being assured by people close to the company that it had been internally noted, no public response has been given. In the meantime, he recommends removing any homescreen shortcuts that might either cost money if triggered, or give access to sensitive data.

[via Engadget]


Galaxy Note II hack exposes homescreen is written by Chris Davies & originally posted on SlashGear.

Jailed Hacker Hacks Prison Computers From IT Class

Nicholas Webber, who is currently serving five years in jail after creating a hacker’s forum site known as GhostMarket, was invited into an IT class in jail, which is more or less one of the last few places where he should be. Well, what do you do in such a situation? The rather modern Isis prison invited him to an IT class, and of course, the inevitable consequence was having the prison’s computer system hacked.

This rather peculiar miscalculation, which resulted in the 2011 hacking incident, was brought up because the teacher who ran the IT class sued the college which employed him for unfair dismissal. Michael Fox said that he didn’t know that Webber was a hacker; the prison banned him, while Kensington and Chelsea College decided to drop him from their payroll. According to the BBC, Isis was “‘bedeviled’ with faulty technology.” Interesting choice of words, would you not say so? It is somewhat akin to letting Joker free into Arkham society, believing that he is “cured” of his murderous madness, if you need something more culturally relevant.

By Ubergizmo.

Evernote Hacked

It seems that a company is not considered to be “cool” these days if it has not been hacked. Evernote has “joined” this “esteemed club” of companies, with its cloud-based services suffering a serious security breach over the weekend. This has caused Evernote to implement a service-wide password reset after attackers managed to gain access to user information.

Good to know that these compromised passwords accessed were “salted hashes”, and in plain English, would be a whole lot harder to crack compared to a plain text password. Some of the other user information that hackers had access to included user IDs as well as e-mail addresses. Having said that, Evernote users were required to reset their respective passwords just in case the attackers managed to recover passwords from the salted hashed list. The password reset will be applicable to all apps that were given access to Evernote accounts, too. Apple, Facebook, Twitter and Microsoft bid Evernote welcome to the hacked club.

By Ubergizmo.

Your 3D Printer Could Eat Empty Milk Jugs Instead of Expensive Plastic

Oh 3D printing. You’re so glamorous. You’re so cool. But, let’s be honest, you’re soooo expensive. Maybe instead of printing with $30 spools of plastic you could print with empty shampoo bottles and milk jugs. Oh, you can do that? See, this is why everyone loves you.

Evernote issues site-wide password reset after hackers access user details

Popular cross-platform note-storing service Evernote has revealed in a blog post that it has been the subject of hacking attacks. The operations and security team is keen to point out that there is no evidence that any stored notes and content were accessed, but that some user information — including passwords and emails — was. The data breached does benefit from one-way encryption (hashed and salted), but the firm is issuing a site-wide password reset just in case. In short, all users of the site will be required to set a new password, and are advised to log in as soon as possible to do so. For more details and updates, we suggest keeping a close eye on Evernote’s official blog and Twitter, both of which can be found below.

Source: Evernote Blog, Evernote (Twitter)

Evernote hacked: Emails, encrypted passwords stolen

Cloud notetaking service Evernote has been hacked, the company has revealed today, with an unidentified attacker compromising servers and extracting usernames, email addresses, and encrypted passwords. The attack has forced a mandatory password reset, meaning all users must change their password before they can log back into their account, but Evernote says there is no evidence of either notes being viewed by a third-party, or payment details of Evernote Premium or Business users being accessed.

Evernote has begun to notify all users by email of the breach, though the company is confident that data itself is safe. “The passwords stored by Evernote are protected by one-way encryption” Evernote said, “in technical terms, they are hashed and salted.”

“On February 28th, the Evernote Operations & Security team became aware of unusual and potentially malicious activity on the Evernote service that warranted a deeper look. We discovered that a person or persons had gained access to usernames, email addresses and encrypted user passwords. In our ongoing analysis, we have found no evidence that there has been unauthorized access to the contents of any user account or to any payment information of Evernote Premium and Evernote Business customers” Evernote spokesperson

Exactly how the hack took place has not been revealed, though Evernote says its Operations & Security team is still investigating. However, it’s believed to be “a coordinated attempt” to steal, change, or delete user-data.

Evernote insists that its “password encryption measures are robust” but says also that it is “taking additional steps” to bolster security, of which forcing a password change is part. The company also suggests people choose more complex passwords, avoid dictionary words, and don’t use the same password across multiple sites or services.


Evernote hacked: Emails, encrypted passwords stolen is written by Chris Davies & originally posted on SlashGear.