GeekSpeak for 2015-09-26

Drone Bridge to AVG's Failure


A formerly trustworthy source of protection disappoints, a trio of drones does a lovely dance you walk on, and even pressing a simple key on your computer can boggle your mind.

Bitcoin Is Officially a Commodity

Virtual money is officially a commodity, just like crude oil or wheat.
So says the Commodity Futures Trading Commission (CFTC), which on Thursday announced it had filed and settled charges against a Bitcoin exchange for facilitating the trading of option contracts on its platform. 

AVG Updates Privacy Policy, Will Sell Your Non-Identifying Data

AVG has updated its privacy policy to state that the company intends to make money from the non-identifying data its products collect, data that should not identify you in any way. Its justification is that it gives its security apps away for free, and selling that data is one of the few ways it can keep doing so.

Easy way to crash Skype

A thread at the Skype community forums has brought to light a critical bug in Microsoft's Skype clients for Windows, iOS and Android: sending the malformed URL prefix http://: in a text message crashes the receiving client so badly that the only reported repair is to install an older version.

Easy way to crash Chrome

Remember when it took just eight characters to crash Skype? Apparently it takes double that to take out Chrome: Typing in a 16-character link and hitting enter, clicking on a 16-character link, or even just putting your cursor over a 16-character link will crash Google’s browser.
The bug was discovered by Andris Atteka, who explained on his blog that you can easily trip up Chrome just by adding a null character in the URL string. His example was 26 characters long, but we have managed to shave off 10 characters to produce an even simpler string that will crash Chrome.

To try it yourself, fire up Chrome 45 (the latest stable version at the time of writing) or older and put this into your address bar:
http://a/%%30%30
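Both of these crashes come from the same class of problem: a client trusting a URL string before it has been fully decoded and validated. The following is an added example, not Skype's or Chrome's code, showing why http://: and http://a/%%30%30 are hostile inputs and how a client can reject them up front. The inner %30%30 is the only well-formed escape on the first decoding pass, so the string becomes %00, and a second pass turns that into a NUL byte; the check therefore has to run over every decoding layer, not just on whether the URL parses. The helper names and sample inputs are assumptions made for the example.

```javascript
// Added example (not Skype's or Chrome's code): why the two strings above
// are hostile to URL handling, and how a client can reject them up front.

// Decode every well-formed %XX escape exactly once. Malformed escapes such
// as "%%3" are left untouched, so this never throws (decodeURIComponent would).
function percentDecodeOnce(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Keep decoding until the string stops changing (bounded), returning every
// intermediate layer. "%%30%30" decodes to "%00" and then to a NUL byte:
// the first pass only sees the inner "%30%30" as valid escapes.
function decodeLayers(s, maxPasses = 4) {
  const layers = [s];
  for (let i = 0; i < maxPasses; i++) {
    const next = percentDecodeOnce(layers[layers.length - 1]);
    if (next === layers[layers.length - 1]) break;
    layers.push(next);
  }
  return layers;
}

// Parse with the WHATWG URL parser, but never let a bad URL propagate an
// exception into rendering code. "http://:" has an empty host and is
// rejected here; "http://a/%%30%30" parses fine, which is why the NUL check
// below runs on the decoded layers rather than on parse success alone.
function safeParse(url) {
  try {
    return new URL(url);
  } catch (e) {
    return null;
  }
}

// Defensive policy: a link is rendered only if it parses AND no decoding
// layer of it contains a NUL (U+0000).
function linkIsRenderable(url) {
  if (safeParse(url) === null) return false;
  return !decodeLayers(url).some(layer => layer.includes('\u0000'));
}

// Constructed sample inputs: the two strings from the show notes plus a
// benign link.
const SAMPLES = ['http://:', 'http://a/%%30%30', 'https://example.com/a%20b'];
for (const u of SAMPLES) {
  console.log(JSON.stringify(u), '->', linkIsRenderable(u) ? 'render' : 'reject');
}
```

The point of keeping the layers is that a single-pass decoder would declare http://a/%%30%30 clean; only the code that does the second decode (or the native code handed the result) ever sees the NUL.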

Android Lollipop (Android OS) password problem

From the lock screen, open the phone's "Emergency Call" dialer. Type a few characters, then select, copy and paste the text repeatedly. Each paste doubles the string, so it quickly grows to roughly 40,960 characters.
Still on the lock screen, open the camera app and trigger the password prompt. Paste the long string into the password field a few times until the lock screen process crashes (based on Gordon's video, about 163,840 characters in total).
Wait perhaps five minutes, and the phone drops straight to the unlocked home screen: the lock screen fails open rather than closed.

Apple's iOS App Store suffers first major attack

The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps.
It is the first reported case of large numbers of malicious apps making their way past Apple's app review process. Before this attack, a total of just five malicious apps had ever been found in the App Store, according to security firm Palo Alto Networks.
The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.

Host content within URL

An experimental "unhosted" app that challenges the concept of the URL: the post's data is placed after the # mark, so the URL itself is (mis)used as the data store. Because the fragment is never sent to a web server, the data can live in your bookmarks list, or be "hosted" through a URL shortener(!).
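How that works in practice, as an added example that is not the unhosted app's own code: the post is serialised to JSON, base64url-encoded, and appended after "#". Browsers strip everything from "#" onward before sending the request, so the page's host only ever serves the empty shell; anything handed the full URL (a bookmark sync service, a shortener, a chat log) does get the data, which is the caveat to keep in mind. The function names and the sample post are assumptions for the example; Buffer is used so it runs under Node.

```javascript
// Added example (not the unhosted app's own code): keeping a post's data in
// the URL fragment instead of on a server.

// Encode a post object as a base64url string after "#". Buffer is used so the
// same code runs under Node; in a browser, TextEncoder + btoa would do.
function encodeState(post) {
  const json = JSON.stringify(post);
  const b64 = Buffer.from(json, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return '#' + b64;
}

// Decode a fragment back into an object; return null on anything malformed
// rather than throwing, since the fragment is attacker-controlled input.
function decodeState(hash) {
  if (typeof hash !== 'string' || !hash.startsWith('#')) return null;
  const b64 = hash.slice(1).replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  try {
    const value = JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
    return value && typeof value === 'object' ? value : null;
  } catch (e) {
    return null;
  }
}

// The part of the URL a server actually receives: everything before "#",
// which is what the browser sends after dropping the fragment.
function serverVisiblePart(fullUrl) {
  return fullUrl.split('#')[0];
}

// Constructed sample: what a "post" URL looks like end to end.
const post = { title: 'Hello', body: 'stored in the fragment, not on a host' };
const url = 'https://example.invalid/app.html' + encodeState(post);
console.log(url);
console.log('server sees:', serverVisiblePart(url));
console.log('client decodes:', decodeState(new URL(url).hash));
```

Note that nothing here is encrypted: base64url is an encoding, not a secret, so the fragment should only carry data you would be happy to see in a public bookmark.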

Phishing is tricky; should feds be tested for phish-savviness or be fired?

In the wake of the Office of Personnel Management hack this year, which reportedly took advantage of a phishing attack to steal credentials used to gain access to highly sensitive personnel records, US federal agencies have been increasing their security training and employee testing around phishing. In addition to the employee awareness campaign launched by the National Counterintelligence and Security Center, more agencies are using security auditing tools that simulate phishing attacks against employees to test whether the employees abide by their information security training.