Saturday, November 22, 2014

Billions of Android Devices Vulnerable to Privilege Escalation Except Android 5.0 Lollipop

A security weakness in Android versions below 5.0, which potentially puts every such Android device at risk of privilege escalation attacks, has been patched in Android 5.0 Lollipop, the latest version of the mobile operating system.
The vulnerability (CVE-2014-7911), discovered by security researcher Jann Horn, could allow an attacker to bypass the Address Space Layout Randomization (ASLR) defense and execute arbitrary code on a target device under certain circumstances. ASLR is a memory-protection technique that randomizes where code and data are placed in memory, making buffer overflow and similar memory-corruption exploits harder to carry out.
The flaw resides in the platform's object deserialization code, which fails to check whether an Object being deserialized actually belongs to a serializable class. The researcher reported the vulnerability to Google's security team earlier this year.

According to the researcher, Android apps can communicate with system_service, which runs with elevated privileges (UID 1000), using Intents with attached Bundles. These Bundles are "transferred as arraymap Parcels and arraymap Parcels can contain serialized data," so any Android app can attack system_service this way.
After hearing a university talk about a vulnerability in a PHP web app involving deserialization of attacker-provided input, Horn thought about serialization in other contexts, such as the Android operating system.
Assuming that Java ensures the classes being deserialized are actually serializable, and knowing that ObjectInputStream may sometimes receive untrusted input, he set out to check whether the Android developers had taken the precaution of verifying this in that scenario. "Went home, checked, the [vulnerability] was there," Horn writes in a Reddit thread about the vulnerability.
"When ObjectInputStream is used on untrusted inputs, an attacker can cause an instance of any class with a non-private parameterless constructor to be created," the security advisory from Horn says. "All fields of that instance can be set to arbitrary values."
"The malicious object will then typically either be ignored or cast to a type to which it doesn't fit, implying that no methods will be called on it and no data from it will be used. However, when it is collected by the GC, the GC will call the object’s finalize method."
To explain the issue, the researcher has published technical details and a proof-of-concept (PoC) that crashes system_service. So far no full exploit of the bug has been created, and Horn is not entirely sure how predictable the address layout of system_server really is, or how easy it is to write a large amount of data into system_server's heap. Exploiting this vulnerability on a vulnerable device also requires getting a malicious app onto the target device first.
Horn disclosed the bug to the Android development team on June 22. The fix was delivered on November 3 in Android Lollipop as part of the AOSP (Android Open Source Project) code release, but lower versions of Android remain vulnerable.
Android 5.0 Lollipop is the latest mobile operating system from Google, which describes Lollipop as "the largest Android release yet," with more than 5,000 new APIs. But some Lollipop users are warning others not to upgrade immediately, after experiencing broken apps, repeated crashes, and device slowdowns.

Firing Range — Open Source Web App Vulnerability Scanning Tool From Google

Google on Tuesday launched a security testing tool, "Firing Range", aimed at improving the effectiveness of automated web application security scanners by evaluating them against a wide range of cross-site scripting (XSS) bugs and a few other web vulnerabilities seen in the wild.
Firing Range provides a synthetic testing environment, mostly for cross-site scripting (XSS) vulnerabilities, which are the class seen most frequently in web apps. According to Google security engineer Claudio Criscione, 70 percent of the bugs in Google's Vulnerability Reward Program are cross-site scripting flaws.

In addition to XSS vulnerabilities, the test application also covers other vulnerability classes, including reverse clickjacking, Flash injection, mixed content, and cross-origin resource sharing misconfigurations.
Firing Range was developed by Google with the help of security researchers at Politecnico di Milano in an effort to build a test ground for automated scanners. The company has used Firing Range itself "both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!)."
What makes it different from other vulnerable test applications available is its ability to use automation, which makes it more productive. Instead of focusing on creating realistic-looking testbeds for human testers, Firing Range relies on automation based on a collection of unique bug patterns drawn from in-the-wild vulnerabilities observed by Google.
Firing Range is a Java application that has been built on Google App Engine. It includes patterns for the scanner to focus on DOM-based, redirected, reflected, tag-based, escaped and remote inclusion bugs.
At the Google Testing Automation Conference (GTAC) last year, Criscione said that detecting XSS vulnerabilities by hand "at Google scale" is like drinking the ocean. Going through the information manually is both exhausting and counter-productive for the researcher, which is where Firing Range comes in: it gives a scanner a known set of bugs to trigger, so the scanner's detection results can be measured against them.
"Our testbed doesn't try to emulate a real application, nor exercise the crawling capabilities of a scanner: it’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools," Criscione explained on the Google Online Security Blog.
Google developed Firing Range while working on "Inquisition", an internal web application security scanning tool built entirely on Google Chrome and Cloud Platform technologies, which supports the latest HTML5 features and has a low false-positive rate.
A deployed version of Firing Range is available on Google App Engine, and since the tool is open source you can also find and check out the source code on GitHub. Users are encouraged to contribute to the tool and to send feedback.

Monday, November 10, 2014

VIRAL: Traffic Enforcer who sells Bibingka as sideline gains respect by Netizens

We were so used to police officers, traffic enforcers and other men in uniform being involved in some kind of "kotong" allegations and the various kinds of negativity that surround bribery and power trips.

Photo credit: Czes Rivera/Top Gear Philippines

That is why this particular police/traffic enforcer has been gaining a lot of attention and popularity: he is a breath of fresh air who revives a whole new image for officers in general.

Mr. Gonzales, the officer who was seen selling bibingka and different types of kakanin, gained a lot of attention and respect as one of those who made a difference and proved that not every officer is what the nation perceives them to be.

It was obvious that Officer Gonzales is a father who would do what it takes to make ends meet, in a hard but proud way.

I'm sure his kids were very proud and dignified of what he is as a father, officer and person.

Within 30 minutes of the news being posted it went viral, not only locally but worldwide as well.

Officer Gonzales received words of praise from netizens around the world, who compared his ways to those of other corrupt officers in positions of authority nowadays.

Compostela Valley student tops ‘Doodle 4 Google’ tilt

A 15-year-old high school student from Compostela Valley was hailed as the first grand winner of “Doodle 4 Google” Philippines, yesterday afternoon at the Music Hall, Mall of Asia in Pasay City.
The overall winner, Kim Patrick Saren of Nabunturan Comprehensive High School, bested 50,000 other hopefuls from all over the country with his entry "Sari-Jeepney."
He described his doodle as a sarimanok-inspired idea. It symbolizes Filipino culture with a deep appreciation for hard work. His winning doodle is currently displayed on the Google Philippines homepage (on Nov. 10). The theme revolved around the question: "What can I do for the Philippines?"
A colorful jeepney with wings, the Philippine flag underneath, and a key on the tail were dominantly seen in Saren’s entry.
“The concept is created to solve problems like traffic, economy, education, and basic needs. The key on the tail signifies the solutions to the problems wherein we must fly high with pride and honor,” Saren wrote in his artwork.
Saren received a specially designed trophy from Google, an Acer C720 Chromebook, an Acer kit from National Book Store, a P400,000 educational grant from BPI Foundation for the college of his choice, and a P350,000 connectivity grant for his present school from PLDT-SMART Foundation. He was the winner for the 15-17 age group.
Aside from Saren, other winners per age group category were: Angela Kaitlin Tiu, 8, Grace Christian College, “Love and care for the Philippines” (ages 5-8); Avryll Nartates, 11, St. Scholastica’s College-Paranaque, “Coral Ripped or Coral Reef” (ages 9-11); and Jay Portallo, 14, Iligan City East High School, “Symphony for Peace” (ages 12-14). They each received a trophy, Nexus 7 tablet, 3D doodling pen, and P5,000 worth of gift certificate from National Book Store.
Ryan Morales, Google Philippines country marketing manager, said that the event was the first in the country.
“We usually hold ‘Doodle 4 Google’ in countries with new Google offices, which are just 1-2 years old,” he said. It was launched in the Philippines last July.
Google Philippines, in partnership with the Department of Education and the National Youth Commission, gathered the entries through a school-by-school caravan throughout the country. Other entries were submitted online.
Among the 51,000 entries from Luzon, Visayas, and Mindanao, only 400 finalists were chosen. The pool of judges was composed of Katy Wu, Google doodler; Fidelina Corcuera, senior vice president of BPI Foundation; Ma. Esther Santos, president of PLDT-SMART Foundation; Efren Penaflorida, 2009 CNN Hero of the Year; and CJ De Silva, senior art director of TBWA-Santiago Mangada Puno.

More Ways to Control What You See in Your News Feed

News Feed is where you go to catch up on what’s happening with your friends and find the content that matters to you.
What you do in News Feed helps determine what you see in News Feed. You decide who you want to connect to, and what Pages and public figures you want to follow.
Starting today, there will be more ways for you to control and give feedback on your News Feed.
Quickly Unfollow and re-follow people, Pages and Groups
News Feed settings will now show a list of the top people, Pages and Groups that you've seen in your News Feed over the past week. You can choose to sort by posts from people, Pages or Groups, or see an overall summary. Unfollow any friend, Page or Group if you don't want to see their stories in your News Feed. You can also see who you've unfollowed in the past and choose to re-follow them at any time.
New ways to give feedback about your News Feed
If you see a story you’re not interested in or don’t want to see, you can tap the arrow in the top right of that story to hide it. Starting today, when you hide a story you’ll have the option to ask to see less from that person or Page.
If you choose to see less, you are then given the option to unfollow them if you don’t want to see any of their stories in your News Feed. You can always visit News Feed settings to see everything you’ve unfollowed and have the option to re-follow them.
News Feed settings will be available starting today on desktop and mobile. The new options for giving feedback about your News Feed will be available today on desktop, and coming to mobile in the coming weeks. For more information, visit our Help Center.

Google Must Make Android Safer (Op-Ed)

This article was originally published at The Conversation. The publication contributed the article to Live Science's Expert Voices: Op-Ed & Insights.
Over the past few months, the Android platform, developed by Google and based on the Linux operating system, has been having a difficult time. Hackers, both with malicious intent and without, have been investing time in finding out how weak this operating system is.
Android runs on more than four out of five mobile devices. It is popular because it is free and its terms do not dictate to device manufacturers what hardware it must be used on.
The hacking seen so far is partly a result of this popularity. But there also seem to be inherent problems, which experts and hackers have discovered don't exist on other mobile platforms.

What are the issues?

Android is getting the most attention from malware creators: it has more than 40,000 different malware compromises. This is worrying, especially as the equivalent systems for Windows and Apple phones seem to have only a handful of such issues (on non-jailbroken devices).
In June concerns arose about an SMS worm that could propagate via Android devices. One of the primary issues is the version control system these devices use. As new and better versions of Android have been released, manufacturers that have committed their development efforts to one version cannot always allow for upgrades. This is commonplace among the lower-priced devices, which tend to be fixed to a specific version of Android. Currently new devices use the KitKat version of Android, but previous versions, such as Jelly Bean and Ice Cream Sandwich, remain in use.
In July researchers published their analysis of Android devices purchased on eBay. Even though the information on these devices had been deleted, the researchers could recover and analyse it. Naked selfies, among other confidential data, were found, exposing a serious flaw in the encryption used by Android. The factory reset option, which should permanently wipe any historical data from the device, seemed not to work well either. (This is the same issue that was reported earlier in August regarding the Tesco Hudl tablet, which uses Android as its operating system.)
Now researchers have found a flaw in the Gmail application on Android devices. The flaw makes it easy to create malware that obtains personal information, effectively using the email application as a route to extract all kinds of data from your phone. The researchers have claimed that this is also possible on iPhones and Windows phones. What they neglect to mention is that Microsoft and Apple have app stores that apply a range of stringent security checks before any app is allowed on their devices. This is unlike the Google Play environment, which is not the only source of apps on an Android device.
There are many non-Google Android app stores, some legitimate but many not. Worse still, the security community has also exposed issues with the official Google Play store. We can trust almost all applications downloaded on Apple and Microsoft phones, but for any on the Android platform the risk is considerably higher. Unless you have up-to-date anti-malware software and are extremely cautious, chances are that your Android phone may eventually be compromised.

Should I be concerned?

Sadly, I think all Android users should be concerned. It is an excellent mobile operating system and has enabled low-cost smartphones and tablet computers to exist in the marketplace. But Google needs to tighten controls on how applications can enter these devices, as well as some of the platform's underlying features.
Whenever I meet someone with an Android device, the first question I ask them is if they have any anti-malware installed. They often give me a quizzical look. The reality is that, if they don’t have such security apps installed, the data on their Android is not safe.

This is how your Gmail account got hacked

How easy is it to steal your passwords?

If your Gmail account got hacked, blame your friends.

You are 36 times more likely to get scammed if your contacts' accounts have been hacked, according to a study released this week by Google (GOOG).
It's rare. On an average day, only nine in 1 million accounts get stolen. But when it happens, the operation is swift. These are professional criminals at work, looking through your email to steal your bank account information.
The criminals are concentrated in five countries. Most of them live in China, Ivory Coast, Malaysia, Nigeria and South Africa. But they attack people worldwide, duping them into handing over Gmail usernames and passwords.
Google has effective scans to block them and emergency options to get your account back. But criminals still manage to pull off the attacks.
Here's some more of what Google found in its three-year study.

In the mind of a hacker
Effective scams work 45% of the time. This number sounds huge, but well-crafted scams can be convincing. They send official-looking emails requesting your login credentials. And sometimes they redirect you to a page that looks like a Google login, but it's not.
Safety tip: Don't ever email your username or password -- anywhere. And always check the address in your browser's address bar to ensure you're on the actual Gmail site.
They usually steal your account in less than a day. Once they have your login credentials, the average criminal hijacks your account within seven hours. For an unlucky 20%, the bad guys do it in just 30 minutes. Then they change your password to lock you out.
Safety tip: Sign up for account alerts on your phone or a backup email. And move fast.
It takes only 3 minutes to scan your email for valuable stuff. They're looking for any email that shows your bank account information and images of your real life signature. They also search for login credentials for other accounts at Amazon (AMZN, Tech30) or PayPal. They use the email search feature, looking for phrases like "wire transfer," "bank" and "account statement."
Safety tip: Perform this search yourself. Go ahead and erase any email with this sensitive data. Don't leave this stuff lying around.
Expect your friends to get preyed on too. Criminals will send emails in your name asking friends for money. Typically, they use a sob story, claiming you got stuck somewhere and need help.
Fraudsters are smart at keeping this under the radar too: 15% of them create automatic email rules that forward your friends' responses to another email address. So even if you get your account back, you won't know your friends were targeted, because you'll never get their responses.
Worst of all? Sometimes fraudsters delete all your emails and contacts to prevent you from warning friends afterward. Google has an account recovery option to bring them all back -- but that's only if you actually recover your account.
Safety tip: Just make it impossible to break into your email in the first place. Sign up for two-step authentication, a second password you get by text message. It's an extra 30 seconds on every new computer, but it's worth it in the long run.

Sunday, November 9, 2014

Priests Pose Naked For Calendar Aimed At Battling Homophobia

A calendar featuring naked Orthodox Catholic priests has launched, with its creators calling it a blow against global homophobia.
The OC Calendar, which comes in both SFW and X-rated editions, was shot in Romania and follows a theme of the Seven Deadly Sins. Six different photographers captured the clerical subjects, who keep their identities anonymous.
The OC 2015 edition pays tribute to social tolerance, in reaction to the Orthodox hierarchy’s medieval views. According to them, LGBT people have suddenly become the worst kind of sinners – an omen of the impending end of the world.
What about wrath, avarice, sloth, pride, lust, envy, and gluttony? Maybe we’re missing something, but the last time we checked, homosexuality was not one of the Seven Deadly Sins!
So, are these guys actually Eastern Orthodox priests? The OC site refers to them as “members” of Church, which could mean a lot of things.
If they are, we need to start going to Mass a LOT more.