Connect with us

Biz & IT

BMW says ‘ja’ to Android Auto

Published

on

BMW today announced that it is finally bringing Android Auto to its vehicles, starting in July 2020. With that, it will join Apple’s CarPlay in the company’s vehicles.

The first live demo of Android Auto in a BMW will happen at CES 2020 next month and after that, it will become available as an update to drivers in 20 countries with cars that feature the BMW OS 7.0. BMW will support Android Auto over a wireless connection, though, which somewhat limits its comparability.

Only two years ago, the company said that it wasn’t interested in supporting Android Auto. At the time, Dieter May, who was then the senior VP for Digital Services and Business Model, explicitly told me that the company wanted to focus on its first-party apps in order to retain full control over the in-car interface and that he wasn’t interested in seeing Android Auto in BMWs. May has since left the company, though it’s also worth noting that Android Auto itself has become significantly more polished over the course of the last two years.

“The Google Assistant on Android Auto makes it easy to get directions, keep in touch and stay productive. Many of our customers have pointed out the importance to them of having Android Auto inside a BMW for using a number of familiar Android smartphone features safely without being distracted from the road, in addition to BMW’s own functions and services,” said Peter Henrich, Senior Vice President Product Management BMW, in today’s announcement.

With this, BMW will also finally offer support for the Google Assistant after early bets on Alexa, Cortana and the BMW Assistant (which itself is built on top of Microsoft’s AI stack). The company has long said it wants to offer support for all popular digital assistants. For the Google Assistant, the only way to make that work, at least for the time being, Android Auto.

In BMWs, Android Auto will see integrations into the car’s digital cockpit, in addition to BMW’s Info Display and the heads-up display (for directions). That’s a pretty deep integration, which goes beyond what most car manufacturers feature today.

“We are excited to work with BMW to bring wireless Android Auto to their customers worldwide next year,” said Patrick Brady, vice president of engineering at Google. “The seamless connection from Android smartphones to BMW vehicles allows customers to hit the road faster while maintaining access to all of their favorite apps and services in a safer experience.”

Source link



Source link

Continue Reading

Biz & IT

Microsoft issues emergency patches for 4 exploited 0-days in Exchange

Published

on

Microsoft is urging customers to install emergency patches as soon as possible to protect against highly skilled hackers who are actively exploiting four zero-day vulnerabilities in Exchange Server.

The software maker said hackers working on behalf of the Chinese government have been using the previously unknown exploits to hack on-premises Exchange Server software that is fully patched. So far, Hafnium, as Microsoft is calling the hackers, is the only group it has seen exploiting the vulnerabilities, but the company said that could change.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Microsoft Corporate Vice President of Customer Security & Trust Tom Burt wrote in a post published Tuesday afternoon. “Promptly applying today’s patches is the best protection against this attack.”

Burt didn’t identify the targets other than to say they are businesses that use on-premises Exchange Server software. He said that Hafnium operates from China, primarily for the purpose of stealing data from US-based infectious disease researchers, law firms, higher-education institutions, defense contractors, policy think tanks, and nongovernmental organizations.

Burt added that Microsoft isn’t aware of individual consumers being targeted or that the exploits affected other Microsoft products. He also said the attacks in no way are connected to the SolarWinds-related hacks that breached at least nine US government agencies and about 100 private companies.

The zero-days are present in Microsoft Exchange Server 2013, 2016, and 2019. The four vulnerabilities are:

  • CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is when untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

The attack, Burt said, included the following steps:

  1. Gain access to an Exchange server either with stolen passwords or by using the zero-days to disguise the hackers as personnel who should have access
  2. Create a web shell to control the compromised server remotely and
  3. Use that remote access to steal data from a target’s network

As is usual for Hafnium, the group operated from leased virtual private servers in the US.

More details, including indicators of compromise, are available here and here.

Microsoft credited security firms Volexity and Dubex with privately reporting different parts of the attack to Microsoft and assisting in the investigation that followed. Businesses using a vulnerable version of Exchange Server should apply the patches as soon as possible.

Continue Reading

Biz & IT

Rookie coding mistake prior to Gab hack came from site’s CTO

Published

on

Gab.com

Over the weekend, word emerged that a hacker breached far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as an SQL injection. A quick review of Gab’s open source code shows that the critical vulnerability—or at least one very much like it—was introduced by the company’s chief technology officer.

The change, which in the parlance of software development is known as a “git commit,” was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab’s CTO. On Monday, Gab removed the git commit from its website. Below is an image showing the February software change, as shown from a site that provides saved commit snapshots.

The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie mistake that could lead to the kind of breach reported this weekend. Specifically, line 23 strips the code of “reject” and “filter,” which are API functions that implement programming idioms that protect against SQL injection attacks.

Developers: Sanitize user input

These idioms “sanitize” the inputs that website visitors enter into search boxes and other web fields to ensure that any malicious commands are stripped out before the text is passed to backend servers. In their place, the developer added a call to the Rails function that contains the “find_by_sql” method, which accepts unsanitized inputs directly in a query string. Rails is a widely used website development toolkit.

“Sadly Rails documentation doesn’t warn you about this pitfall, but if you know anything at all about using SQL databases in web applications, you’d have heard of SQL injection, and it’s not hard to come across warnings that find_by_sql method is not safe,” Dmitry Borodaenko, a former Production Engineer at Facebook who brought the commit to my attention wrote in an email. “It is not 100% confirmed that this is the vulnerability that was used in the Gab data breach, but it definitely could have been, and this code change is reverted in the most recent commit that was present in their GitLab repository before they took it offline.”

Marotto didn’t respond to an email seeking comment for this post. Attempts to contact Gab directly didn’t succeed.

Revisionist history

Besides the commit raising questions about Gab’s process for developing secure code, the social media site is also facing criticism for removing the commits from its website. Critics say the move violates terms of the Affero General Public License, which governs Gab’s reuse of Mastodon, an open source software package for hosting social networking platforms.

Critics say the removal violates terms that require forked source code be directly linked from the site. The requirements are intended to provide transparency and to allow other open source developers to benefit from the work of their peers at Gab.

Gab had long provided commits at https://code.gab.com/. Then, on Monday, the site suddenly removed all commits—including the ones that created and then fixed the critical SQL injection vulnerability. In their place, Gab provided source code in the form of a Zip archive file that was protected by the password “JesusChristIsKingTrumpWonTheElection” (minus the quotation marks).

Representatives from the Mastodon project didn’t immediately respond to an email asking if they shared the critics’ concerns.

Besides questions about secure coding and license compliance, the Gab git commits also appear to show company developers struggling to fix their vulnerable code. The image below shows someone using the username “developer” trying unsuccessfully to fully fix the code containing the SQL injection vulnerability.

Thread participants respond by sarcastically pointing out the difficulty the developer seemed to be having.

Gab’s security breach and behind-the-scenes handling of code before and after the incident provide a case study for developers on how not to maintain the security and code transparency of a website. The lesson is all the more weighty given that the submission used the account of Gab’s CTO, who among all people should have known better.

Continue Reading

Biz & IT

Donald Trump is one of 15,000 Gab users whose account just got hacked

Published

on

The founder of the far-right social media platform Gab said that the private account of former President Donald Trump was among the data stolen and publicly released by hackers who recently breached the site.

In a statement on Sunday, founder Andrew Torba used a transphobic slur to refer to Emma Best, the co-founder of Distributed Denial of Secrets. The statement confirmed claims the WikiLeaks-style group made on Monday that it obtained 70GB of passwords, private posts, and more from Gab and was making them available to select researchers and journalists. The data, Best said, was provided by an unidentified hacker who breached Gab by exploiting a SQL-injection vulnerability in its code.

“My account and Trump’s account were compromised, of course as Trump is about to go on stage and speak,” Torba wrote on Sunday as Trump was about to speak at the CPAC conference in Florida. “The entire company is all hands investigating what happened and working to trace and patch the problem.”

An important data set

GabLeaks, as DDoSecrets is calling the leak, comes almost eight weeks after pro-Trump insurrectionists stormed the US Capitol. The rioters took hundreds of thousands of videos and photos of the siege and posted them online. Mainstream social media sites removed much of the content because it violated their terms of service.

“The Gab data is an important, but complicated dataset,” DDoSecrets personnel wrote in a post on Monday morning. “In addition to being a corpus of the public discourse on Gab, it includes every private post and many private messages, as well. In a simpler or more ordinary time, it’d be an important sociological resource. In 2021, it’s also a record of the culture and the exact statements surrounding not only an increase in extremist views and actions, but an attempted coup.”

Gab and a competing site called Parler were some of the last refuges that allowed much of the content to remain publicly available. Amazon and web hosting providers later cited a lack of adequate content moderation in suspending service to Parler.

Shortly before the shuttering, however, somebody found a way to use Parler’s publicly available programming interfaces to scrape about 99 percent of the user content from the site and subsequently make it publicly available.

While law enforcement groups likely had other ways to obtain the Parler data, its public availability enabled a much wider body of people to do their own research and investigations. The leak was especially valuable because materials contained metadata that’s usually stripped out before users can download videos and images. The metadata gave people the ability to track the precise timelines and locations of filmed participants.

DDoSecrets said that the 70GB GabLeaks contains over 70,000 plaintext messages in more than 19,000 chats by over 15,000 users. The dump also shows passwords that are “hashed,” a cryptographic process that converts plaintext into unintelligible characters. While hashes can’t be converted back into plaintext, cracking them can be trivial when websites choose weak hashing schemes. (Best told Ars they didn’t know what hashing scheme was used.) The leak also includes plaintext passwords for user groups.

Hate-speech haven

Gab has long been criticized as a haven for hate speech. In 2018, Google banned the Gab app from its Play Store for terms of service violations. A year later, web host GoDaddy terminated service to Gab after one of its users took to the site to criticize the Hebrew Immigrant Aid Society shortly before killing 11 people in a Pittsburgh synagogue.

Gab has also been investigated by Pennsylvania’s attorney general. In January, the Anti-Defamation League called on the US Justice Department to investigate Gab for its role in the insurrectionist attack on the capitol.

Attempts to reach Torba for comment didn’t succeed.

Best said that DDoSecrets is making GabLeaks available only to journalists and researchers with a documented history of covering leaks. People can use this link to request access.

Continue Reading

Trending