...from:
http://arstechnica.com/security/2015/03/android-hijacking-bug-may-allow-att…
Android hijacking bug may allow attackers to install password-stealers
Half of Android devices may be vulnerable to surreptitious install exploits.
by Dan Goodin<http://arstechnica.com/author/dan-goodin/> - Mar 25, 2015 2:40pm CDT
Roughly half of all Android handsets are vulnerable to a newly discovered hack that in some cases allows attackers to surreptitiously modify or replace seemingly benign apps with malicious ones that steal passwords and other sensitive data.
The "Android installer hijacking" vulnerability, as it has been dubbed by researchers from Palo Alto Networks, works only when apps are being downloaded from third-party app stores or when a user clicks on an app promotion advertisement hosted by a mobile advertisement library. Technically, it's based on what's known as a Time-of-check to time-of-use vulnerability<http://en.wikipedia.org/wiki/Time_of_check_to_time_of_use>. Affected devices fail to verify that the app being installed at the time of use was the one the end user approved during the time of check, which occurs when a user approves app permissions such as network access or access to the contacts database. The bug involves the way the system application called PackageInstaller installs app files known as APKs.
"A vulnerability exists in this process because while the user is reviewing this information, the attacker can modify or replace the package in the background," Palo Alto Networks researcher Zhi Xu wrote in a blog post published Tuesday<http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijack…>. "Verified with Android OS source code posted in AOSP [Android Open Source Project], it shows that the PackageInstaller on affected versions does not verify the APK file at the 'time of use.' Thus, in the 'time of use' (i.e., after clicking the 'install' button), the PackageInstaller can actually install a different app with an entirely different set of permissions."
One scenario for exploiting the vulnerability involves an attacker using a benign-looking app to install malware in the future. A second scenario uses the same weakness to mask the true permissions an app requires. In both cases, targeted users can end up installing apps that are vastly different from the ones they approved during the permissions process.
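The time-of-check/time-of-use gap described above, as an added illustration (not code from the article or from Palo Alto Networks): a toy installer that re-reads the package from its original path at install time beside one that stages a private copy, pins its digest, and re-verifies it before installing. The "APK" format, file names and `demo()` scenario are constructed for this example.

```python
import hashlib, json, os, shutil, tempfile

def read_permissions(path):
    # Toy "APK" (constructed for this example): a JSON file whose "permissions" list stands in for the manifest.
    with open(path) as f:
        return json.load(f)["permissions"]

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def install_vulnerable(path, user_approves):
    # Affected behaviour: the prompt is built from `path`, and `path` is read again at install time with no check.
    shown = read_permissions(path)        # time of check
    if not user_approves(shown):
        return None
    return read_permissions(path)         # time of use: whatever is on disk now

def install_hardened(path, user_approves):
    # Stage a private copy, pin its digest, prompt from the copy, and re-verify the digest before installing it.
    staging = tempfile.mkdtemp(prefix="pkg-staging-")
    staged = os.path.join(staging, "base.apk")
    try:
        shutil.copyfile(path, staged)
        expected = sha256_of(staged)
        if not user_approves(read_permissions(staged)):
            return None
        if sha256_of(staged) != expected:
            raise RuntimeError("package changed between check and use; refusing to install")
        return read_permissions(staged)
    finally:
        shutil.rmtree(staging)

def demo():
    # Constructed scenario: a benign package is approved while a package asking for more permissions overwrites the same path.
    work = tempfile.mkdtemp(prefix="toctou-demo-")
    apk = os.path.join(work, "app.apk")
    benign = ["INTERNET"]
    swapped = ["INTERNET", "READ_CONTACTS", "READ_SMS"]
    def approve_while_swapped(shown):
        with open(apk, "w") as f: json.dump({"permissions": swapped}, f)  # replaced during review
        return shown == benign
    results = {}
    for label, installer in (("vulnerable", install_vulnerable), ("hardened", install_hardened)):
        with open(apk, "w") as f: json.dump({"permissions": benign}, f)
        results[label] = installer(apk, approve_while_swapped)
    shutil.rmtree(work)
    return results
```

Running `demo()` shows the vulnerable installer ending up with the swapped permission set while the hardened one installs exactly what the user approved.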
The vulnerability has been patched in Android version 4.3_r0.9 and later, but Xu warned that some Android 4.3 devices remain vulnerable. By Google estimates<https://developer.android.com/about/dashboards/index.html>, that accounts for 49.9 percent of the handsets the company monitors. Palo Alto Networks has released a scanner app<http://play.google.com/store/apps/details?id=com.paloaltonetworks.ctd.ihsca…> that will indicate if a given device is vulnerable. People using vulnerable devices should steer clear of third-party app stores and use Google Play as their sole source of apps.
...from:
http://www.forbes.com/sites/judystone/2015/02/04/a-dongle-for-detecting-hiv…
A Dongle For Detecting HIV And Syphilis
Rapid, inexpensive, easy to use point-of-care (POC) diagnostic tests are critically important in stemming infectious diseases, particularly in developing countries. Researchers at Dr. Sam Sia’s Columbia University<http://orion.bme.columbia.edu/~sia/> lab have invented a promising device that can detect both HIV and syphilis and have successfully piloted it in Rwanda.
The Columbia device pairs a microfluidic cassette dongle with a smartphone. Test reagents are preloaded into the cassette. A “one-push” vacuum, like a bulb on an old-fashioned blood pressure cuff, is used to fill the chamber of the cassette with a blood sample, and reduce the need for electricity. Further, the audio jack on a smartphone is used to power the dongle and for data transmission.
[Figure] Step-by-step illustration of dongle testing. [Credit: Tassaneewan Laksanasopin]
.....from:
http://stm.sciencemag.org/content/7/273/273re1
A smartphone dongle for diagnosis of infectious diseases at the point of care
• Tassaneewan Laksanasopin1,*,
• Tiffany W. Guo1,*,
• Samiksha Nayak1,
• Archana A. Sridhara1,
• Shi Xie1,
• Owolabi O. Olowookere1,
• Paolo Cadinu1,
• Fanxing Meng1,
• Natalie H. Chee1,
• Jiyoon Kim1,
• Curtis D. Chin1,
• Elisaphane Munyazesa2,
• Placidie Mugwaneza3,
• Alex J. Rai4,
• Veronicah Mugisha2,
• Arnold R. Castro5,
• David Steinmiller6,
• Vincent Linder6,
• Jessica E. Justman7,
• Sabin Nsanzimana3 and
• Samuel K. Sia1,†
• †Corresponding author. E-mail: ss2735@columbia.edu<mailto:ss2735@columbia.edu>
Abstract
This work demonstrates that a full laboratory-quality immunoassay can be run on a smartphone accessory. This low-cost dongle replicates all mechanical, optical, and electronic functions of a laboratory-based enzyme-linked immunosorbent assay (ELISA) without requiring any stored energy; all necessary power is drawn from a smartphone. Rwandan health care workers used the dongle to test whole blood obtained via fingerprick from 96 patients enrolling into care at prevention of mother-to-child transmission clinics or voluntary counseling and testing centers. The dongle performed a triplexed immunoassay not currently available in a single test format: HIV antibody, treponemal-specific antibody for syphilis, and nontreponemal antibody for active syphilis infection. In a blinded experiment, health care workers obtained diagnostic results in 15 min from our triplex test that rivaled the gold standard of laboratory-based HIV ELISA and rapid plasma reagin (a screening test for syphilis), with sensitivity of 92 to 100% and specificity of 79 to 100%, consistent with needs of current clinical algorithms. Patient preference for the dongle was 97% compared to laboratory-based tests, with most pointing to the convenience of obtaining quick results with a single fingerprick. This work suggests that coupling microfluidics with recent advances in consumer electronics can make certain laboratory-based diagnostics accessible to almost any population with access to smartphones.
There have been a few security concerns washing through the Internet the past few weeks. Fixes and patches have been coming from various quarters as they have been readied.
Today saw Apple's most recent security patch for OS X (following closely on the heels of the Safari patch earlier this week).
In addition, there is an iPhoto update to improve transition to the upcoming Photos app that will replace it later this year.
Just launch the APP STORE and check the UPDATES section to begin the installation of these.
...from:
http://9to5mac.com/2015/03/09/apple-shuttle-bus-workers/
http://www.mercurynews.com/business/ci_27673431/exclusive-apple-gives-shutt…
Apple improves deal for shuttle bus workers following earlier deal for security guards<http://9to5mac.com/2015/03/09/apple-shuttle-bus-workers/>
Apple is ensuring that its sub-contracted shuttle bus workers get a better deal, directly funding a 25% bump in their pay and requiring contractors to pay a higher hourly rate for split shifts–where drivers work both mornings and evenings but are kept hanging around without pay between the two …
Apple is also requiring bus companies to improve rest areas, reports the Mercury News<http://www.mercurynews.com/business/ci_27673431/exclusive-apple-gives-shutt…>:
“Over 5,000 Apple employees in the Bay Area take advantage of our commute alternatives program every day,” said Apple spokeswoman Kristin Huguet. “We’re working with the bus companies to help make a number of changes for the more than 150 drivers of our commute shuttles, including funding a 25 percent increase in hourly wages, premium pay for coach and shuttle drivers who work split shifts and improving the driver break and rest areas.”
One of Apple’s shuttle contractors, Royal Coach Tours, said the pay rise would make the drivers among the highest paid in Silicon Valley. Contract drivers for Apple and other tech companies voted to unionize<http://9to5mac.com/2015/01/13/apple-drivers-unionize/> back in January.
Jesse Jackson wrote to Tim Cook last November, urging Apple to take a lead in creating “world-class working conditions” for low-paid contractors like security guards and shuttle drivers. The two met<http://9to5mac.com/2015/03/09/apple-shuttle-bus-workers/world-class%20worki…> to discuss the issue in December, and Apple last week announced<http://9to5mac.com/2015/03/03/apple-security-contractors-staff/> that it would be taking on the majority of its security guards as direct employees, ensuring that they would receive health insurance and retirement benefits.