Posts Tagged ‘Security’

Adobe pushes critical security updates for Bridge, Photoshop and Prelude

24 Jul

Adobe has pushed live security updates for its Bridge, Photoshop and Prelude applications that patch a number of critical vulnerabilities, including a few that could enable threats to execute code on Windows computers.

While Adobe’s vague ‘Security Updates’ changelog only briefly touches on the patches, security site ThreatPost offers a more detailed look at what Adobe has done to address 12 common vulnerabilities and exposures (CVEs) in Adobe Bridge, Adobe Photoshop and Adobe Prelude, which were first discovered by Mat Powell of Trend Micro’s Zero Day Initiative.

ThreatPost says each of the 12 ‘critical flaws stem from out-of-bounds read and write vulnerabilities, which occur when the software reads data past the end of — or before the beginning of — the intended buffer, potentially resulting in corruption of sensitive information, a crash, or code execution among other things.’ Specifically, five flaws were addressed in Adobe Photoshop, three in Adobe Bridge and four in Adobe Prelude.

According to Adobe, no known uses of these critical bugs have been reported in the wild, but you’re going to want to make sure all of your programs are up to date if you don’t have automatic updates installed. You’ll want to make sure you’re running versions 20.0.10 and 21.2.1 for Photoshop CC 2019 and Photoshop 2020, respectively. Adobe Bridge and Adobe Prelude should be running versions 10.1.1 and 9.0.1, respectively.

All updates can be downloaded via the Creative Cloud desktop app for macOS and Windows computers.

Articles: Digital Photography Review (dpreview.com)


US Interior Department grounds Chinese-made drones in its fleet citing ongoing security concerns

31 Jan

Yesterday, the United States Interior Department signed an order to ground its fleet of more than 800 drones for non-emergency operations following ongoing concerns of cybersecurity threats.

As reported by NPR, Interior Secretary David Bernhardt didn’t specifically say the fleet of drones were capable of being hacked in the order, but did note that information collected by the drones could potentially be ‘valuable to foreign entities, organizations and governments.’

This new order cements a ‘pause’ Bernhardt ordered roughly three months ago to cease the use of Chinese-manufactured drones for Interior Department business, with the exception of emergency use-cases. In a statement given to The Verge at that time, Interior spokesperson Melissa Brown said ‘the Secretary has directed that drones manufactured in China or made from Chinese components be grounded unless they are currently being utilized for emergency purposes, such as fighting wildfires, search and rescue, and dealing with natural disasters that may threaten life or property.’

No specific companies were mentioned in the initial order, nor yesterday’s, but it’s clear Chinese drone manufacturer DJI is in the crosshairs.

Following yesterday’s order from Bernhardt, Chinese drone manufacturer DJI issued a statement on its website, saying:

[DJI] is extremely disappointed by the U.S. Department of the Interior (DOI) order released today which inappropriately treats a technology’s country of origin as a litmus test for its performance, security and reliability […] We are opposed to the politically-motivated country of origin restrictions masquerading as cybersecurity concerns and call for policymakers and industry stakeholders to create clear standards that will give commercial and government drone operators the assurance they need to confidently evaluate drone technology on the merits of performance, security and reliability, no matter where it is made.

DJI manufactures specific ‘government edition’ versions of its Matrice 600 Pro and Mavic Pro drones, both of which are currently listed in the Interior Department’s fleet. These specific models use special firmware and software to fit the needs of the Interior Department and were previously signed off for use by the Interior Department following a 15-month testing period that concluded with a 53-page report. Other drones in the U.S. agency’s fleet include the Autel Evo, Parrot Anafi, FireFLY Pro/S, 3DR Solo Quadcopter and Pulse Vapor 55TM Helicopter.

DJI’s Matrice 600 Pro drone is just one of the half-a-dozen different drone models in the Interior Department’s drone fleet.

This new order, like the pause announced back in October 2019, will remain in effect until a subsequent order overturns it, as there is no end-date mentioned. Like the pause back in October, emergency use-cases ‘will continue to be allowed in approved situations for emergency purposes, such as fighting wildfires, search and rescue, and dealing with natural disasters that may threaten life or property,’ according to an Interior Department spokesperson.

Security firm warns Android camera vulnerability lets hackers spy on phone owners

21 Nov

Security analyst firm Checkmarx has detailed the discovery of an Android security issue that enables hackers to access a smartphone’s camera app, existing videos and images, audio from the microphone and location information pulled from EXIF data. Though the issue has been fixed on Google and Samsung phones, it remains in many camera apps from other vendors.

The security researchers first analyzed the Google Camera app included on the Pixel smartphones. Upon discovering the security vulnerability, which involves ‘manipulating specific actions and intents,’ they found the same issue could be exploited in the Samsung Camera app included in its various smartphone models.

The vulnerability is extensive, according to the researchers. Hackers can access the camera app, use it to capture videos and photos even if the display is turned off or a call is in progress and access content saved to the phone. In addition to accessing the images, hackers could pull the location information from image metadata and use that to locate the handset’s owner.

The exploit introduces a number of privacy issues for users; attackers could use the video recording functionality to record a phone call, for example, and could retrieve sensitive images from the user’s phone for blackmail purposes.

According to Checkmarx, Google confirmed that the issue isn’t limited to the Pixel phones and that it is working with its Android partners ‘to coordinate disclosure.’ Both Google and Samsung released fixes for the security issue in their respective camera apps before Checkmarx published its report. It’s unclear how many phones from other vendors may still be vulnerable to the exploit, however.

Security firm Check Point shows how ransomware can be installed on Canon cameras

13 Aug

Security researchers with Check Point Research have demonstrated that it is possible to incapacitate a DSLR camera using wirelessly transmitted ransomware, a type of malware that forces victims to pay in order to decrypt their data. Though the demonstration involved using Wi-Fi, the researchers say it is also possible to hijack a DSLR camera using USB.

Modern cameras feature an unauthenticated protocol called Picture Transfer Protocol (PTP) that comes in two varieties: PTP/USB for wired connections and PTP/IP for wireless connections. Whereas USB requires the hacker to compromise the camera owner’s computer, Wi-Fi makes it possible to target the camera directly by simply being located near the device.

The DSLR malware demonstration involved a Canon EOS 80D camera, with the researchers explaining that they chose this model due to Canon’s popularity combined with the 80D’s support for USB, Wi-Fi and open-source software called Magic Lantern.

The researchers detailed the technical aspects of developing this malware in a blog post, ultimately explaining:

‘The ransomware uses the same cryptographic functions as the firmware update process, and calls the same AES functions in the firmware. After encrypting all of the files on the SD Card, the ransomware displays the ransom message to the user.’

It’s possible for hackers to set up a rogue Wi-Fi access point that causes these Wi-Fi-enabled cameras to automatically connect to the network, after which point the ransomware can be deployed. In a real-world scenario, this malware would demand payment from the victim — usually a few hundred dollars — in order to decrypt the images on the camera.

According to Check Point Research, it contacted Canon about these vulnerabilities in March and worked with the company to patch the security issues. Canon released the first security patch on August 6 alongside an advisory, shared below, detailing the PTP vulnerability and the cameras affected by it.

Product advisory:

Regarding the security advisory for Canon digital cameras related to PTP (Picture Transfer Protocol) communication functions and firmware update functions

August 6, 2019 — Thank you very much for using Canon products.

An international team of security researchers has drawn our attention to a vulnerability related to communications via the Picture Transfer Protocol (PTP), which is used by Canon digital cameras, as well as a vulnerability related to firmware updates. (CVE-ID: CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001)

Due to these vulnerabilities, the potential exists for third-party attack on the camera if the camera is connected to a PC or mobile device that has been hijacked through an unsecured network.

At this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm, but in order to ensure that our customers can use our products securely, we would like to inform you of the following workarounds for this issue.

  • Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
  • Do not connect the camera to a PC or mobile device that is being used in an unsecure network, such as in a free Wi-Fi environment.
  • Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections.
  • Disable the camera’s network functions when they are not being used.
  • Download the official firmware from Canon’s website when performing a camera firmware update.

Please check the Web site of the Canon sales company in your region for the latest information regarding firmware designed to address this issue.

EyeEm, Fotolog and other photo sites affected by security breach

19 Feb

Turns out the 500px data breach we reported on last week wasn’t an isolated incident. According to The Register the data breach affected not only 500px but a total of 16 websites, including mobile image sharing platform EyeEm, Animoto, Artsy and Fotolog.

Overall the details of 617 million online accounts were stolen and offered for sale on the dark web.

EyeEm sent an email out to its user base, saying 22 million of its accounts had been compromised but no payment or payout data had been affected. The breach exposed users’ names, email addresses, and encrypted versions of passwords, however.

The company also writes that it only recently became aware of the hack, despite the fact that it happened back on July 5th 2018. Upon discovery of the issue all passwords were disabled and emails went out to the EyeEm community.

EyeEm also asks its users to not reuse old passwords, not use the same password on multiple websites, use multi-factor authentication whenever possible and use a password management tool. This is sensible advice, no matter if you’re affected by any of the hacks or not.

Film crew arrested for allegedly trying to sneak a ‘fake bomb’ through airport security

24 Jan

A Dutch television film crew was arrested last Thursday at the Newark Liberty International Airport in New Jersey after attempting to take what is being called a ‘fake bomb’ through security. The alleged fake bomb was composed of a PVC pipe, wires, and a motor, according to law enforcement sources speaking to ABC News, though the crew’s production house claims it was actually ‘vacuum compression luggage.’

The arrests involved nine cast and crew members working on an upcoming series called “Staten Island Hustle” for Endemol Shine North America and Left Hook Media, according to a statement released by Endemol Shine.

You can watch the short news report by ABC News and see a picture of the ‘fake bomb’ from the TSA below:

Photo: TSA

In a statement given to NJ Advance Media, the company said the device wasn’t a fake bomb, but rather a prototype for vacuum luggage able to accommodate a larger number of items than ordinary luggage:

Unfortunately, there appears to have been a misunderstanding, and we regret any inconvenience to TSA and other authorities on the ground for complications that may have been caused.

However, TSA officials allege that the crew attempted to sneak the contraption past security officials while secretly recording the incident for a TV episode, and that the vacuum luggage system had all the indicators of being an IED. According to NJ.com, all nine individuals have been charged with conspiracy, creating a false public alarm, and interference with transportation.

Modular PITTA camera transforms into drone, action, and security cameras

04 Jan

PITTA, a modular ball-shaped 13MP camera that transforms into a drone, is currently blasting its way through a campaign on Kickstarter. The small, sphere-shaped modular camera launched on the crowdfunding platform with a $50K goal, but as of this writing it has already raised well over a quarter million dollars.

Eyedea, the company behind PITTA, describes its product as a multi-purpose device:

It’s not just aerial, not just handheld, not just wearable or mountable, it’s all of these. It’s a complete system packed into a single device.

Here’s a quick intro video from the company’s Kickstarter:

In its most basic form, PITTA looks like a simple black sphere, which is the 200g/7oz camera body. The sphere-shaped body features a 13MP sensor, support for 4K/30fps recording, and “software image stabilization.” Additionally, the body contains various sensors including GPS/GLONASS, gyroscope, accelerometer, barometer, magnetometer, object detection and visual tracking hardware, and optical flow positioning sensors.

Joining that is an Action Cam Module, Charging Cradle, and Drone Module. When docked in the Charging Cradle, PITTA can be used as a stationary security camera or livestreaming camera.

When used with the Action Module, PITTA can be attached to a tripod or other mount and used as an action camera that supports burst shot, 60fps slow-motion recording, livestreaming, and time lapse, as well as direct sharing to the major social media platforms.

The Drone Module, meanwhile, transforms the camera sphere into a drone via a snap and twist-to-lock design. The resulting camera drone is controlled using a smartphone and companion app, which itself offers several operation modes. PITTA as a drone supports taking panoramas, hovering in place, orbiting around the operator, auto-following the operator, as well as a “Come Back Home” function, terrain awareness, auto-landing, and GPS. The slow-motion and time lapse functions aren’t available in drone mode.

PITTA is being offered to Kickstarter backers who pledge $290 for a Kickstarter Exclusive Basic Kit or $320 for a Kickstarter Exclusive Full Package, though other pledge packages are also available. Shipments to backers are expected to start in May 2018, though as with any crowdfunding campaign, plans could change, so proceed with caution.

To learn more or pledge for your own, head over to Kickstarter by clicking here.

Researcher says he was threatened after finding major DJI security flaw

28 Nov

Drone maker DJI has been criticized roundly this weekend over its alleged response to security researcher Kevin Finisterre’s discovery of a significant security issue involving the company’s system. According to Finisterre, he began hunting for bugs in DJI’s system under its recently established bug bounty program. In the process, Finisterre says he discovered a major security issue, but rather than rewarding him for his effort, DJI accused him of hacking and threatened to report him to the authorities.

DJI announced its bug bounty program in August following a report that claimed the U.S. Army had banned use of the maker’s drones over security concerns. As part of its announcement, DJI had stated:

The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create.

According to a long report on the matter published by Finisterre, he spent many weeks communicating with DJI through email about the scope of its bug bounty program, which hadn’t yet been publicly defined. After receiving confirmation that it included the company’s servers, Finisterre went to work in writing up a report disclosing his discoveries. Speaking of which…

Due to multiple security issues, including publicly available AWS private keys for DJI’s photo-sharing service SkyPixel, Finisterre reports that he was able to get access to highly sensitive user data, including: identification cards and passports, flight logs, and driver’s licenses. Once he found this flaw, he claims that he alerted DJI to this vulnerability, and that the company acknowledged it.

After more than 130 emails back and forth between DJI and Finisterre, he states in his report that DJI said he would be rewarded with $30,000 under the bug bounty program (the maximum award). However, Finisterre reports that weeks later he received an agreement for his particular bug bounty that was “literally not sign-able.” As he goes on to explain in his report:

I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection. For me personally the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone.

Efforts to alter the agreement didn’t pan out as hoped, says Finisterre, who goes on to claim that several different lawyers advised him that DJI’s final offer was “likely crafted in bad faith,” and that it was “extremely risky” for him to sign it. It was about this time that Finisterre also received a legal demand from DJI ordering him to delete/destroy the data he had gathered during his investigation, while appearing to threaten Finisterre with the Computer Fraud and Abuse Act.

In a statement to Ars Technica, who was the first to cover this spat between DJI and Finisterre, the Chinese drone giant referred to Finisterre as a “hacker,” claiming that he had accessed one of the company’s servers without permission and that he had tried to claim it under the company’s bug bounty program without following “standard terms for bug bounty programs.” The statement goes on to claim that Finisterre “refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”

For his part, Finisterre says that he ultimately turned down the $30,000 in favor of going public with what he sees as an unsettling and unacceptable experience, concluding with the following statement:

If you are wondering if DJI even bothered to respond after I got offended over the CFAA threat, you should be happy to know it was flat out radio silence from there on out. All Twitter DMs stopped, SMS messages went unanswered, etc. Cold blooded silence.

DJI releases offline mode to calm fears over privacy and security

16 Aug
Photo by Aaron Burden

Earlier this month, drone maker DJI took a huge PR hit when the US Army abruptly stopped using the company’s drones due to ‘cyber vulnerabilities.’ The decision was revealed in a leaked memo, and DJI was left defending its privacy and security practices to a suddenly skeptical public. Today, the company takes its privacy efforts a bit further with the release of a ‘Local Data Mode’ that allows pilots to fly their DJI drones without an internet connection.

The mode was announced yesterday, and it does exactly what it sounds like: when enabled, it stops all data transfer and connectivity between DJI’s apps and the internet. It’s like incognito mode for drones.

DJI uses that internet connection to “ensure a drone has the most relevant local maps and geofencing data, latest app versions, correct radio frequency and power requirements, and other information that enhances flight safety and functionality,” but the company understands that not all customers need or want this functionality to be on all the time.

“We are creating local data mode to address the needs of our enterprise customers, including public and private organizations that are using DJI technology to perform sensitive operations around the world,” DJI Vice President of Policy and Legal Affairs Brendan Schulman says in the press release. “DJI is committed to protecting the privacy of its customers’ photos, videos and flight logs. Local data mode will provide added assurances for customers with heightened data security needs.”

Despite the timing of the release, DJI has told the New York Times that the company has not been in touch with the US Army about its security concerns, and besides, this update seems to have been in the works since before the memo in question went public. Still, this ‘offline’ option feels like a win for privacy advocates and the military alike.

Local Data Mode will be available in DJI’s fleet of apps “starting in the next several weeks”—these include DJI GO, DJI GO 4, DJI XT Pro, DJI Pilot and Ground Station Pro. But be warned, due to some local regulations and/or requirements, it might not be available in all areas.

To find out more, read the full press release below:

Press Release

DJI Develops Option For Pilots To Fly Without Internet Data Transfer

New Local Data Mode Provides Enhanced Data Privacy Assurances

August 14, 2017 – DJI, the world’s leader in civilian drones and aerial imaging technology, is developing a new local data mode that stops internet traffic to and from its flight control apps, in order to provide enhanced data privacy assurances for sensitive government and enterprise customers.

DJI’s flight control apps routinely communicate over the internet to ensure a drone has the most relevant local maps and geofencing data, latest app versions, correct radio frequency and power requirements, and other information that enhances flight safety and functionality. When a pilot enables local data mode, DJI apps will stop sending or receiving any data over the internet, giving customers enhanced assurances about the privacy of data generated during their flights.

“We are creating local data mode to address the needs of our enterprise customers, including public and private organizations that are using DJI technology to perform sensitive operations around the world,” said Brendan Schulman, DJI Vice President of Policy and Legal Affairs. “DJI is committed to protecting the privacy of its customers’ photos, videos and flight logs. Local data mode will provide added assurances for customers with heightened data security needs.”

Because it blocks all internet data, use of local data mode means DJI apps will not update maps or geofencing information, will not notify pilots of newly-issued flight restrictions or software updates, and may result in other performance limitations. However, it will provide an enhanced level of data assurance for sensitive flights, such as those involving critical infrastructure, commercial trade secrets, governmental functions or other similar operations.

“We are pleased about how rapidly DJI’s customer base has expanded from hobbyists and personal drone pilots to include professional, commercial, government and educational users,” said Jan Gasparic, DJI head of enterprise partnership. “As more of these customers have asked for additional assurances about how their data is handled, DJI has moved to address their needs by developing local data mode to provide enhanced data management options for customers who want to use them.”

DJI recognizes the importance of data privacy to its customers. DJI does not collect or have access to user flight logs, photos or videos unless the user chooses to share those by syncing flight logs with DJI servers, uploading photos or videos to DJI’s SkyPixel website, or physically delivering the drone to DJI for service.

DJI publicly committed to protecting its customers’ data privacy in April 2016. In a March 2017 white paper, DJI became the first major drone manufacturer to advocate for protecting the privacy of drone users as the United States and European governments develop regulations to monitor drone flights. No other civilian drone manufacturer has been as vocal as DJI in protecting the operational and data privacy interests of drone users.

“Local data mode will allow customers to get the most out of their DJI flight control apps while providing added assurance that critical data is not inadvertently transmitted over the internet,” Schulman said. “We are pleased to be able to develop local data mode as part of our drive to serve our customers’ needs as well as advocate for their interests.”

Local data mode has been in development for several months and will be included in future versions of DJI apps, starting in the next several weeks. DJI’s apps include DJI GO, DJI GO 4, DJI XT Pro, DJI Pilot and Ground Station Pro, which run on smartphones and tablets that control the drone or connect to the drone’s remote control unit. The local data mode feature may not be available in locations where an internet connection is required or highly advisable due to local regulations or requirements.

India says no to Google Street View, citing security concerns

13 Jun
Launched in 2007, Google’s Street View service uses imagery captured by cameras mounted on cars, backpacks, bicycles and snowmobiles. Today, the service covers locations all over the globe.

Indian officials have told the BBC that the country has rejected Google’s plans to image its towns and cities as part of its expanding Street View service. Citing security concerns around ‘sensitive defense installations,’ officials point out that planning for the 2008 Mumbai attacks was believed to have involved photographic reconnaissance. As such, the country believes, Street View could compromise national security.

This isn’t the first time that Google’s Street View service has attracted concerns. Several countries have at one time or other raised privacy and security worries. The Czech government has banned the company from taking any new imagery (current Street View images of Prague are frozen at 2014), and in 2010, almost 250,000 Germans requested that Google blur images of their homes.
