
Author: winuxe

Password bypass flaw in Western Digital My Cloud drives puts data at risk

A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year. Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data. The exploit works because the drive’s web-based dashboard doesn’t properly check a user’s credentials before giving a possible attacker access to tools that should require higher levels of access. The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter. Details of the bug were also independently found by another security team, which released its own exploit code. Vermeulen reported the bug over a year ago, in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines. After he found that WD had updated the My Cloud firmware in the meantime without fixing the vulnerability he found, he decided to post his findings. A year later, WD still hasn’t released a patch. The company confirmed that it knows of the vulnerability but did not say why...


iOS 12.1 beta hints at new iPad Pro

iOS 12 is still brand new, but Apple is already testing iOS 12.1 with a developer beta version. Steve Troughton-Smith and Guilherme Rambo found references to a brand new iPad that would support Face ID. First, there are changes to Face ID. You can find references to landscape orientation in the iOS 12.1 beta. Face ID on the iPhone is limited to portrait orientation. Chances are you didn’t even notice this limitation because there’s only one orientation for the lock screen and home screen. But the iPad is a different story as people tend to use it in landscape. And even when you hold it in landscape, some people will have the home button on the left while others will have the home button on the right. In other words, in order to bring Face ID to the iPad, it needs to support multiple orientations. This beta indicates that iOS 12.1 could be the version of iOS that ships with the next iPad. If that wasn’t enough, there’s a new device codename in the setup reference files. This device is called iPad2018Fall, which clearly means that a new iPad is right around the corner. Analyst Ming-Chi Kuo previously indicated that the iPad Pro could switch from Lightning to USB-C. This would open up a ton of possibilities when it comes to accessories. For instance, you could plug an external...


Google Home Mini was the best-selling smart speaker in Q2

Amazon’s Echo Dot may have been a bestseller on Prime Day, but Google’s Home Mini device is now the top-selling smart speaker worldwide, according to a new report out this morning from Strategy Analytics. The analyst firm says Google’s small speaker accounted for 1 in 5 smart speaker shipments in Q2 2018, edging out the Echo Dot with its 2.3 million global shipments compared to Echo Dot’s 2.2 million. Combined, these two entry-level smart speakers – the Echo Dot and Home Mini – accounted for 38% of global shipments, the firm found. In total, 11.7 million smart speaker devices were shipped during Q2, with 4 out of the top 5 devices coming from either Amazon or Google. Following the Dot was Amazon’s flagship Echo device with 1.4 million shipments, then Alibaba’s Tmall Genie (0.8m), and Google Home (0.8m). Apple’s HomePod wasn’t ranked in the top five, but took a 6% share of the shipments in Q2. However, HomePod’s premium focus and higher price tag allowed it to take a sizable chunk of smart speaker revenue during this period. While the Home Mini and Echo Dot combined accounted for 17% of smart speaker revenues, Apple’s HomePod alone took a 16% share of wholesale revenues. And in terms of devices above the $200 price point, the HomePod had a 70% revenue share. Strategy Analytics’s report also indicated this growing market is...


Hackers stole customer credit cards in Newegg data breach

Newegg is clearing up its website after a month-long data breach. Hackers injected 15 lines of card skimming code on the online retailer’s payments page which remained for more than a month between August 14 and September 18, Yonathan Klijnsma, a threat researcher at RiskIQ, told TechCrunch. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name — likely to avoid detection. The server even used an HTTPS certificate to blend in. The code also worked for both desktop and mobile customers — though it’s unclear if mobile customers are affected. The online electronics retailer removed the code on Tuesday after it was contacted by incident response firm Volexity, which first discovered the card skimming malware and reported its findings. Newegg is one of the largest retailers in the US, making $2.65 billion in revenue in 2016. The company touts more than 45 million monthly unique visitors, but it’s not known precisely how many customers completed transactions during the period. When reached, a Newegg spokesperson did not immediately comment. Klijnsma called the incident “another well-disguised attack” that looked near-identical to the recent British Airways credit card breach. Like that breach, RiskIQ attributed the Newegg credit card theft to the Magecart group, a collective of hackers that carry out targeted attacks against vulnerable websites. The code used in both skimming...


An Intel drone fell on my head during a light show

It didn’t hurt. I thought someone dropped a small cardboard box on my head. It felt sharp and light. I was sitting on the floor, along the back of the crowd, and then an Intel Shooting Star Mini drone dropped on my head. Audi put on a massive show to reveal its first EV, the e-tron. The automaker went all out, putting journalists, executives and car dealers on a three-story paddle boat for a two-hour journey across the San Francisco Bay. I had a beer and two dumplings. We were headed to a long-vacated Ford manufacturing plant in Richmond, Calif. By the time we reached our destination, the sun had set and Audi was ready to begin. Suddenly, in front of the boat, Intel’s Shooting Star drones put on a show that ended with Audi’s trademark four ring logo. The show continued as music pounded inside the warehouse, and just before the reveal of the e-tron, Intel’s Shooting Star Minis celebrated the occasion with a light show a couple of feet above attendees’ heads. That’s when one hit me. Natalie Cheung, GM of Intel Drone Light Shows, told me they knew when one drone failed to land on its zone that one went rogue. According to Cheung, the Shooting Star Mini drones were designed with safety in mind. “The drone frame is made of flexible plastics, has prop guards,...
