OwnStar Wi-Fi attack now grabs BMW, Mercedes, and Chrysler cars’ virtual keys

Remember OwnStar? Earlier this month, security researcher and NSA Playset contributor Samy Kamkar demonstrated a Wi-Fi-based attack that let his device intercept OnStar credentials from the RemoteLink mobile application, giving an attacker the ability to clone them and use them to track, unlock, and even remote-start the vehicle. Kamkar discussed the details of the attack last Friday at DEF CON in Las Vegas, noting that the RemoteLink app on iOS devices had failed to properly validate the certificate presented by OnStar’s server when opening a secure connection, and also did not use a “pinned” certificate hard-coded into the application itself, a practice increasingly common in mobile apps that use HTTPS to reach Web services. OnStar quickly resolved the issue with a RemoteLink app update.

But OwnStar has moved on to other targets. Today, Kamkar announced that he had adapted the tool to target applications for BMW Remote, Mercedes-Benz mbrace, and Chrysler’s Uconnect services on Apple iOS devices. All three, he said in an exchange with Ars via Twitter, have the exact same vulnerability as the RemoteLink app did: “no pinned cert or even PKI/[certificate authority] validation. Trivial to attack an unadulterated mobile device.”

The OwnStar device packs all the components required to execute this attack into a portable case that can be placed near a targeted vehicle. Like a virtual bear trap, it waits for the car owner to open the mobile app to remotely unlock, lock, or start the vehicle, then captures the login credentials the app sends. Those credentials can be loaded into a copy of the same app on the attacker’s own device, giving the attacker every function of the telematics system for the targeted vehicle. And it all comes down to a flaw that is all too common in mobile applications: the app trusts whatever certificate the remote server presents, without checking that it is genuine, so anyone who controls the network the phone is connected to (such as a rogue Wi-Fi access point) can impersonate the server.
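To make the missing check concrete, here is an added example (not code from Ars, from Kamkar, or from any of the car makers’ apps) of the two halves the tweet above names: normal PKI/CA validation plus a hard-coded public-key pin. The hostname is an assumption, and the two certificates are constructed in-line with placeholder keys and a placeholder signature so the pin logic runs offline; only their DER layout is realistic.

```python
"""Added example: SPKI certificate pinning for an HTTPS client.

Not code from the article or from any vendor app. The certificates below are
CONSTRUCTED placeholders (fake keys, unsigned) so the pin check runs offline.
"""
import base64
import hashlib
import socket
import ssl


# ---- minimal DER helpers, enough to walk an X.509 v3 certificate ----

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[pos:pos + n], pos + n


def der_children(body: bytes):
    """Split a SEQUENCE body into its member TLVs, each kept whole."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the subjectPublicKeyInfo TLV of a DER-encoded certificate."""
    _, cert_body, _ = der_read(cert_der)        # Certificate ::= SEQUENCE
    _, tbs_body, _ = der_read(cert_body)        # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(cert_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


# ---- constructed certificates: placeholder keys, placeholder signature ----

def fake_cert(subject_cn: str, issuer_cn: str, pubkey: bytes) -> bytes:
    """Build a structurally valid but unsigned X.509 v3 certificate (constructed)."""
    def name(cn):
        cn_oid = der(0x06, bytes.fromhex("550403"))                  # id-at-commonName
        return der(0x30, der(0x31, der(0x30, cn_oid + der(0x0C, cn.encode()))))
    rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    spki = der(0x30, rsa + der(0x03, b"\x00" + pubkey))              # BIT STRING, 0 unused bits
    validity = der(0x30, der(0x17, b"150801000000Z") + der(0x17, b"160801000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + bytes(32)))  # fake signature


HOST = "telematics.example.invalid"                                  # assumed hostname
LEGIT_CERT = fake_cert(HOST, "Example Issuing CA", b"\x01" * 64)
RENEWED_CERT = fake_cert(HOST, "Other CA", b"\x01" * 64)             # same key, new cert
ATTACKER_CERT = fake_cert(HOST, "Example Issuing CA", b"\x02" * 64)  # impostor's own key
PINS = {spki_pin(LEGIT_CERT)}                                        # baked into the app


def peer_is_pinned(peer_der: bytes, pins: set) -> bool:
    """True only if the leaf certificate carries one of the pinned public keys."""
    return spki_pin(peer_der) in pins


def insecure_context() -> ssl.SSLContext:
    """What the vulnerable apps amounted to: any certificate for any name is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_connect(host: str, port: int, pins: set) -> ssl.SSLSocket:
    """CA validation and hostname check stay on; the leaf's SPKI must also match a pin."""
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not peer_is_pinned(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError("SPKI pin mismatch for %s" % host)
    return sock
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets the operator renew or re-issue the certificate (RENEWED_CERT) without pushing an app update, while an impostor who controls the Wi-Fi segment but not the server’s private key (ATTACKER_CERT) still fails the check. The pin is an addition to, not a replacement for, the CA and hostname validation that `ssl.create_default_context()` turns on; the `insecure_context()` settings are the state the quoted tweet describes and should never ship.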


Square will absorb its customers’ liability for fraud during EMV shift

On October 1, 2015, US commerce will undergo a considerable change—a variety of big credit card companies, financial groups, and issuers will require that merchants upgrade their point-of-sale (POS) terminals to accept chip-based cards as well as (and eventually, instead of) magnetic stripe cards. You may have already received chip-based replacements for your magnetic stripe cards in the mail.

The plan to transition to the new payment standard—called EMV for EuroPay, MasterCard, and Visa, the developers of the standard—was agreed upon in 2012, but a MasterCard press release circulated today cited a survey that said that 28 percent of small and medium business owners still aren’t aware of the new payment standard. That’s particularly troubling, because in the event of magnetic stripe card fraud at a store’s POS, the store will be liable for that fraudulent transaction if it doesn’t have up-to-date hardware that can accept chip cards. (Website-based transactions, commonly called “card-not-present transactions,” are not part of the EMV transition and are treated separately.)

Today, payments processing company Square, founded by Twitter co-founder Jack Dorsey, said it wants to speed up that adoption rate over the next month or two and, it hopes, convert some businesses to Square’s platform in the process.


Report: Apple’s efforts to build a live-TV service have stalled

A report from Bloomberg today said that Apple is struggling to come to common ground with CBS, Fox, and Comcast-owned NBC in negotiations to offer a live TV streaming service much like Dish’s Sling TV.

The rumored service would be targeted at cord cutters, hosting a handful of live channels bundled together for about $30 to $40 a month. Back in March, the Wall Street Journal reported that Apple’s service would include networks like ABC, CBS, Fox, and various subsidiary channels like ESPN and FX. Apple has been pushing hard to develop a news and entertainment ecosystem to keep its users locked into its product line—earlier this year Apple announced a music streaming service and a curated news platform.

Although a September launch date—which would have coincided with the start of the new TV season—had originally been rumored for the service, Bloomberg’s sources now say that live-TV streaming won’t hit the market until 2016. Besides the stalemate Apple has reached with CBS, Fox, and NBC, Bloomberg says that Apple decided to put a live-TV service on the back burner because it “doesn’t have the computer network capacity in place to ensure a good viewing experience.” Network capacity is a big deal for live-streaming—in Sling TV’s early days it struggled with the crush of customers demanding March Madness games.


Android security on the ropes with one-two punch from researchers

Android security woes got worse on Thursday, with two separate reports of code defects that put millions of end users at risk.

The first involves the update Google released last week fixing a flaw that allowed attackers to execute malicious code on an estimated 950 million phones with nothing more than a maliciously crafted text message. Seven days later, security researchers are reporting that the patch, which has been in Google’s possession since April, is so flawed that attackers can exploit the vulnerability anyway.

“The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping,” Jordan Gruskovnjak and Aaron Portnoy, who are researchers with security firm Exodus Intelligence, wrote in a blog post published Thursday. “The public at large believes the current patch protects them when it in fact does not.”


By “liking” ex-girlfriend’s Facebook pics, man may have violated protective order

Earlier this week, a Pennsylvania county court arraigned a man on charges of contempt of court: he clicked a “like” button in possible breach of a restraining order that had been filed against him by his ex-girlfriend.

The case involves April Holland of Pittston, Pennsylvania, who filed a protection from abuse (PFA) order against her ex-boyfriend Justin Bellanco in July 2015. The Wilkes-Barre Times Leader reported that according to her PFA application, Bellanco “threatened to shoot her knee cap to watch her suffer.”

Earlier this month the application was granted, forbidding Bellanco from having any contact with Holland for a year.


How to succeed in business—er, remote IT work—without really trying

With more people than ever using ’em, it’s probably difficult to find an Ars reader who doesn’t have a family member or old friend that’s lost at sea when it comes to keeping a computer running. And when that familiar call or e-mail comes—”Do you have a minute? How do you…”—it’s instantly obvious. This person needs a significant amount of long-term help.

In today’s ever more technological and connected world, these requests tend to come often. And while it’s maddening enough playing amateur IT professional for someone in the same house, how do you cope when increasingly the tech-challenged live across town or even across the country? To no one’s surprise, there are as many strategies out there as there are readers.

Luckily for you (and agonizingly for me), I’ve had some experience here.


Facebook user gets away with nearly a full day of trolling Target commenters

While Facebook facilitates plenty of interaction between big companies and their customers, its interface doesn’t scale incredibly well once company-page comments creep into the hundreds (or more) per day. In particular, “comments by users” on a company page are relegated to a sidebar that is pretty hard to parse. On Sunday, one intrepid Facebook user took advantage of that to sneak onto a company page and mess with commenters before the company could get wise to it—and lucky for us, he screencapped the whole thing.

This week’s case came from American retailer Target, whose Facebook feed began to blow up with unhappy comments over the weekend after the company announced plans to remove gender-specific signs in departments such as Toys and Entertainment. The retailer didn’t get around to individually responding to commenters, but that didn’t stop a user from creating a new account on Sunday, giving it a Target-styled bullseye icon and pretending to be an official company spokesperson.

That user, Scottsdale, Arizona, resident Mike Melgaard, went on to respond to at least 52 negative comments left on Target’s official Facebook page with an account named “Ask ForHelp,” but rarely were his responses helpful. Melgaard heaped on sarcastic smiley faces, grammatical criticisms, and jokes about doing away with all gender-specific labels at the store (including bathrooms and changing rooms). It’s hard to pick a favorite among the jokes—we’ve posted a few of its safe-for-work screencaps above—but our favorite might be when he got into a multiple-comment conversation with one complainer, which he ended with a phony exclamation that it was his “first day, and this is just really frustrating dealing with all of this!”


EA exec says complaints about “on-disc DLC” are “nonsense”

Every few months, it seems, certain gamers get up in arms when it’s discovered that a brand new game disc contains content that is to be sold in the future as “downloadable content.” In a new interview, EA Chief Operating Officer Peter Moore said this kind of controversy comes from a fundamental misunderstanding of the way that DLC is made.

“A lot of that resistance comes from the erroneous belief that somehow companies will ship a game incomplete, and then try to sell you stuff they have already made and held back,” Moore told Gamespot in a Gamescom interview. “Nonsense. You come and stand where I am, next to Visceral’s studio, and you see the work that is being done right now. And it’s not just DLC, this is free updates and ongoing balance changes.”

Moore compared the bits of DLC that are found on some game discs to scaffolding put in place to support the actual downloadable product when it’s ready. “Think of them as APIs,” he said. “Knowing down the road that something needs to sit on what you’ve already made, means you have to put some foundations down. What people are confused about is they think DLC is secretly on the disc, and that it’s somehow unlocked when we say.”


Verizon stopped throttling 3G data when net neutrality rules took effect

A year ago, Verizon Wireless announced that it would begin throttling 4G LTE service for users on unlimited data plans, using the same policy it already applied to its slower 3G network. Verizon caved after criticism from Federal Communications Commission Chairman Tom Wheeler, so the 4G throttling never went into effect. However, Verizon kept right on throttling its 3G customers.

That finally changed two months ago, though we didn’t notice it at the time. “Beginning in 2011, to optimize our network, we managed data connection speeds for a small subset of customers—those who are in the top five percent of data users and have 3G devices on unlimited data plans—and only in places and at times when the network was experiencing high demand. We discontinued this practice in June 2015,” Verizon now says on its website. A reader pointed out the updated language to us yesterday, and RCRWireless News reported the change today.

The change in June occurred in the same month that the Federal Communications Commission’s network neutrality rules against throttling took effect. Though carriers could argue that some throttling is allowable under an exception for “reasonable network management,” Sprint stopped throttling its heaviest users just in case.


Apple releases OS X 10.10.5 to squash Mail, Photos, and QuickTime bugs

Apple has just released OS X 10.10.5, the fifth (and likely last) major update to OS X Yosemite. It can be downloaded now through the Update tab in the Mac App Store, or you can look for standalone installers to hit Apple’s download page later in the day.

The update contains a fix for a local privilege-escalation bug that gives attackers unfettered root privileges, a feat that makes it easier to surreptitiously infect Macs with rootkits and other types of persistent malware. Shortly after the vulnerability was publicly disclosed, adware distributors started exploiting it in the wild to install potentially unwanted applications without requiring end users to enter their passwords.

The list of specific feature fixes is short: the update improves Mail’s “compatibility with certain e-mail servers,” fixes a problem with GoPro camera imports into the Photos app, and fixes a problem that kept Windows Media files from playing in QuickTime. It also fixes an extensive list of security problems in Apache, Bluetooth, CloudKit, the OS kernel, and a handful of other apps and services; the full list is in Apple’s security release notes for the update.

