Not all clouds are security threats. (flickr.com/kky)

Researchers at North Carolina State University and the University of Oregon have discovered a way to turn cloud computing into hacker heaven.

Disguising data transfers with URL-truncating services like TinyURL or Bit.ly, researchers found that cloud-based processing power intended to shift computing tasks from laptops, tablets and mobile devices could be converted to crack encoded passwords or used for a large scale denial-of-service attack.

WhiteHat Security's Jeremiah Grossman told Dark Reading that cloud browser providers need to "ensure adequate security controls are in place to prevent their end users from abusing the system."

N.C. State researcher William Enck said one key is awareness:

NC State's Enck says there are ways for cloud-based browsing providers to better monitor their traffic -- namely, by associating accounts with the users so they can detect possible abuse or rogue traffic. Just like blacklisting offending IP addresses in a DDoS attack, for example, he says, this would allow cloud browser providers to quash abuse. "It's similar: You can say, 'Here are the clients from where [the traffic] is coming from and the IP addresses.'"

Dark Reading notes that users of the Silk browser on Amazon's Kindle Fire have to register with the service, and each tablet has a unique key that identifies that user and device to the browsing service. The university researchers who discovered these vulnerabilities believe Amazon's strategy is a sound way to keep cloud users honest. They also recommend using CAPTCHAs so potentially malicious cloud users can't write scripts that will automatically create multiple accounts they could later use in large-scale hacks or cyber-attacks.

We're not really looking forward to the day we can say hackers have maliciously used the cloud to "make it rain."

Ravi Borgaonkar demonstrating Galaxy handset flaws. (Screengrab)

During a recent security conference in South America, a Berlin-based researcher revealed that Samsung has a major problem with its iPhone challengers, the Galaxy 3 and Galaxy S2 smartphones.

Both can easily be remotely wiped by code embedded in a web page.

Ravi Borgaonkar found that the Galaxy's "service loading" feature, its method of communicating with application servers, can be exploited with just one line of code tucked away in a web page's HTML. If the attack is successful, the malicious code reverts the phones to their factory settings. Worse still, once the attack begins, the phone's user can't do a thing about it.

That's bad enough. There's also this:

Alongside web pages, the code can also be embedded in malicious text messages, or triggered by a QR code or NFC tag.

Security researchers are pressing Samsung to patch the problem because as DigitalSpy reports, experts say this is a "major security vulnerability."

Mr. Borgaonkar, who reportedly wondered aloud what Samsung's engineers were smoking when they created the vulnerable system, demonstrates how it works in the video below.

Viewers may need headphones to hear Mr. Borgaonkar clearly, but the shocked audience reaction at 2:10, when he uses a link from a tweet to demonstrate how quickly a malicious web page can reset the phone, is unmistakable.

Leaky. (Screengrab)

If you own one of the world's billion or so Windows computers, we are sorry to inform you it probably contains a Java vulnerability that could allow a malicious attacker to sidestep Java security and exploit your browser.

According to Softpedia, most browsers are vulnerable:

The researchers have confirmed that Java SE 5 – Update 22, Java SE 6 – Update 35, and Java SE 7 Update 7 running on fully patched Windows 7 32-bit operating systems are susceptible to the attack.

The affected web browsers are Safari 5.1.7, Opera 12.02, Chrome 21.0.1180.89, Firefox 15.0.1, and Internet Explorer 9.0.8112.16421.

Researchers at Security Explorations, who have made it their business to pick out all the vulnerabilities in Java, have given Oracle a full breakdown of the problem complete with source code and proof-of-concept demonstrations of how the exploit might work.

Oracle doesn't issue critical patch updates for Java until the middle of October. Whether much of the planet's population waiting for this hole to be fixed will goose them into moving faster to fix the problem remains to be seen.

Get off the phone, CEO guy. (flickr.com/perspective)

Attendees at the EuSecWest-sponsored World Security Professional Summit in Amsterdam are participating in a contest called Mobile Pwn2Own. Contestants are, yes, basically revealing that our mobile devices can be easily pwned by someone with the know-how. Quell your bubbling phone fanboy or fangirl rage right now: it looks like both Androids and iPhones are vulnerable. The Next Web describes the Android pwnage, which was partially done, by the way, via near-field communication, or NFC:

The 0day exploit was developed by four MWR Labs employees (two in South Africa and two in the UK) for a Samsung Galaxy S 3 phone running Android 4.0.4 (Ice Cream Sandwich). Two separate security holes were leveraged to completely takeover the device, and download all the data from it.

The first, a memory corruption flaw, was exploited via NFC (by holding two Galaxy S 3s next to each other) to upload a malicious file, which in turn allowed the team to gain code execution on the device. The attack isn’t limited to NFC though; it can also be abused via other attack vectors, such as malicious websites or email attachments.

A second malware infiltration gave attackers complete control over the Galaxy S 3. They gained the ability to transfer whatever data they wanted--emails, texts, photos--to wherever they wanted. The Next Web reports MWR Labs will publish a detailed blog post about the hacks only after the vulnerabilities have been eliminated.

The Dutch researchers who found a vulnerability in the iPhone 4S pursued the exploit because they felt the Apple product was a hard target. ZDNet reports on their exploit:

The hack, which netted a $30,000 cash prize at the mobile Pwn2Own contest here, exploited a WebKit vulnerability to launch a drive-by download when the target device simply surfs to a booby-trapped web site.

"It took about three weeks, starting from scratch, and we were only working on our private time," says Joost Pol [...], CEO of Certified Secure, a nine-person research outfit based in The Hague. Pol and his colleague Daan Keuper used code auditing techniques to ferret out the WebKit bug and then spent most of the three weeks chaining multiple clever techniques to get a "clean, working exploit."

The researchers couldn't get everything a real hacker might be after. They managed to snag contacts, photos and videos and web-surfing data, but SMS and email records were too deeply encrypted to reach.

Mr. Pol and Mr. Keuper say the WebKit bug can be found in iOS 6 as well.

Mr. Pol also noted that if someone wanted to use the exploit "in the wild," they could perhaps embed it in ad networks, which would be dangerous to all unwitting mobile web surfers.

Mr. Pol also sounded a warning every mobile user should hear, regardless of brand affiliation, telling ZDNet that CEOs "should never be doing email or anything of value on an iPhone or a BlackBerry."