Apple to Patch JailbreakMe Security Flaw

Posted on July 9, 2011 by admin

Please share this story

Share

Shortly after the JailbreakMe hack that uses Mobile Safari to jailbreak iPhones, iPads and the iPod touch hit the Web, Apple announced that it will be patching the potential security flaw the hack takes advantage of, according to Yahoo! Finance.

Jailbreaking is a process that hacks iOS so third-party apps that aren’t available through Apple’s iTunes-based App Store can be installed.

Unlike other jailbreak tools, JailbreakMe doesn’t require a computer to handle the hacking process. Instead, users only need to go to the JailbreakMe Web site on their iPhone, iPod touch or iPad, and the security flaw the hack takes advantage of is exactly what Apple plans to patch.

While patching the flaw will take away the ease of use that JailbreakMe offers, it will also block a security flaw that could potentially be used for more nefarious deeds.

The flaw takes uses specially crafted PDF documents to install software on user’s iOS devices, potentially without their permission or knowledge. So far, there aren’t any reports of malicious uses of the flaw, only the JailbreakMe hack.

Bethan Lloyd, a spokesperson for Apple, said the company is “aware of this reported issue and developing a fix that will be available to customers in an upcoming software update.”

There isn’t any word yet on when to expect the security update to be released.

Posted in Hacking | Tagged , , , | Leave a comment

Here’s how easy it is to hack a phone

Posted on July 9, 2011 by admin

Please share this story

Share

(CNET) British tabloid News of the World said today it is closing down over a phone hacking scandal in which workers for the Rupert Murdoch-owned newspaper allegedly snooped on voice mail messages left on the mobile phones of murder victims, as well as celebrities, politicians, and the British royal family.

If unethical journalists can do it chances are anyone can, right?

To test my theory I called up Kevin Mitnick, who wrote about the hacking and social engineering that landed him in jail in a fascinating book coming out this summer, “Ghost in the Wires,” and who serves as a security consultant, helping clients prevent against privacy breaches such as this.

Phone hacking, also known as “phreaking,” is easy to do, Mitnick said, adding that he could demonstrate it on my phone if I wanted proof. So I gave him permission to access my voice mail and told him my mobile phone number.

He called me right back on a conference call so I could hear what was going on. First he dialed a number to a system he uses for such demonstration purposes and entered a PIN. Then he was prompted to enter the area code and phone number that he wanted to call (mine) and the number he wanted to be identified as calling from (again mine). Next thing I know I’m listening to a voice message a friend of mine left me last night that I hadn’t erased.

“See how easy it is?!” Mitnick says as my jaw drops.

He was able to get into my voice mail by tricking my mobile operator’s equipment into registering the call as coming from the handset–basically pretending to be me. To do this, he wrote a script using open-source telecom software and used a voice-over-IP provider that allows him to set caller ID, but there also are online services that provide similar capability that non-hackers could subscribe to. It might be easier or harder to accomplish depending on the mobile operator, he said. (I’m keeping some of the details sketchy to avoid providing a how-to for phreaking.)

“Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes,” Mitnick said. “If you’re not adept at programming, you could use a spoofing service and pay for it.”

This technique, called Caller ID Spoofing, has been used and abused for years. In 2006, a caller ID spoofing account in the name of Paris Hilton was suspended for voicemail hacking, with other celebrities, including Lindsay Lohan, allegedly being victims, according to IDG News Service.

The method is more sophisticated than that allegedly used by the British journalists who are accused of using default PINs to access victims’ voicemail accounts, assuming correctly that many people wouldn’t bother to change the PINs. Since the phone hacking scandal first erupted about five years ago, mobile operators in the U.K. have changed their practices and most now require people to set their own PINs for remotely checking voice mail.

If I want to avoid having anyone use Caller ID Spoofing to access my voice mail again, I need to change my phone settings to require a PIN even when checking voice mail from my mobile device. But that doesn’t address the fact that mobile operators don’t authenticate caller ID. “The magic is that my VoIP provider allows me to set any caller ID and the other operators trust it,” Mitnick said. “Caller ID is automatically trusted.”

Mobile phone industry specialist David Rogers suggests on his blog that operators should consider preventing people from accessing mobile voicemails remotely at all.

Meanwhile, the Truth in Caller ID Act of 2010, which was signed into law late last year, prohibits anyone intending to defraud, cause harm, or wrongfully obtain anything of value from knowingly causing any caller ID service to transmit or display misleading or inaccurate caller ID information. This could send the caller spoofing services off shore but likely won’t put an end to the practice.

Posted in Hacking | Tagged , , | Leave a comment

Hacked Fox News tweets claim Obama dead

Posted on July 9, 2011 by admin

Please share this story

Share

Fox News was the latest victim of a hack, with a posting Monday on its political Twitter account – @foxnewspolitics – saying President Obama had been assassinated in Iowa, the shooter unknown and that Joe Biden replaced him.

The series of six tweets showed up early Monday morning on the account, which has more than 36,000 followers. Fox News issued a statement calling the tweets “malicious” and “false,” and said the hacking incident is under investigation.

The tweets are still visible on the @foxnewspolitics Twitter page as of 11:00 AM ET Monday.

The Guardian reported that a representative of the group ‘Scriptkiddies’ claimed responsibility:

“We are looking to find information about corporations to assist with antisec [a concerted hacker attack on corporate and government security]. Fox News was selected because we figured their security would be just as much of a joke as their reporting.”

FoxNews.com said that it alerted the U.S. Secret Service, and the company is working with Twitter to address the situation.

“We will be requesting a detailed investigation from Twitter about how this occurred, and measures to prevent future unauthorized access into FoxNews.com accounts,” said Jeff Misenti, vice president and general manager of Fox News Digital.

Source: http://www.cbsnews.com/8301-501465_162-20076649-501465.html

Posted in Hacking | Tagged , , | Leave a comment

LulzSec hackers disband after last data dump

Posted on June 27, 2011 by admin

Please share this story

Share

(Reuters) – The Lulz Security group of rogue hackers announced it was disbanding on Saturday with one last data dump, which included internal AOL Inc and AT&T documents.

LulzSec, which gained wide recognition for breaching the websites of Sony Corp, the CIA and a British police unit among other targets, said in a statement that it had accomplished its mission to disrupt corporate and government bodies for entertainment.

“Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind — we hope — inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love,” the group said.

Known for irreverence and a fondness for naval metaphors, the hacker group took to Twitter — the microblogging site where it had more than 277,000 followers — to release its statement.

A link to the release also was posted on www.lulzsecurity.com but there was no way to independently contact the group to confirm the release.

The abrupt dissolution came a few days after LulzSec threatened to escalate its cyberattacks and steal classified information from governments, banks and other major establishments.

LulzSec also had said it was teaming up with the Anonymous hacker activist group to cause more serious trouble.

“… Our planned 50-day cruise has expired,” the hackers said in their statement, “and we must now sail into the distance, leaving behind — we hope — inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.”

CLOSING IN?

In what could be a sign that cyber police were making progress toward shutting down LulzSec, British police said on Tuesday they had arrested a 19-year-old man on suspicion that he was connected to the attacks on Sony, the CIA and a British police unit that fights organized crime.

London police declined to say if the teenager was a member of LulzSec but the hacking group said on Twitter that he had hosted one of its chatrooms on his computer server.

The arrest came after Spanish police earlier this month apprehended three men on suspicion they helped Anonymous.

So far LulzSec’s publicized assaults have mostly resulted in temporary disruptions of some websites and the release of user credentials.

The data the group released Saturday was a mixed bag.

Reuters was not able to access all of the files but those that were available included a list of routers — devices that handle Internet traffic — and their passwords, as well as account information for an Irish private investigation service. The AOL documents appeared to be elements of an internal technical manual.

A file list on a download site indicated there also was some AT&T internal data in the dump, although the nature of that data was not immediately clear.

AOL was not immediately available for comment, while an AT&T spokesman did not have immediate comment.

(Reporting by Ben Berkowitz and Paritosh Bansal; Editing by Tiffany Wu and Bill Trott)

Posted in Hacking | Tagged , , , , , | Leave a comment

Federal Trade Commission launches investigation of Google

Posted on June 25, 2011 by admin

Please share this story

Share

Google acknowledges that the Federal Trade Commission is looking into its business practices, including search and advertising.

By Jessica Guynn and Jim Puzzanghera, Los Angeles Times
June 25, 2011

Reporting from San Francisco and Washington— Running the world’s most popular search engine has brought Google Inc. wealth, market share and now antitrust scrutiny.

After a chorus of complaints from rivals, federal regulators, state attorneys general and foreign governments are looking at whether its dominance of the Internet is harming consumers and shutting out competitors, much the way they scrutinized Microsoft Corp. a decade ago.

Google acknowledged in a regulatory filing Friday that the Federal Trade Commission had launched a formal investigation into its business practices, including search and advertising. The FTC confirmed that an investigation was underway but declined to comment further.

While Google has faced antitrust probes into its acquisitions of companies in recent years, it has never faced broad U.S. scrutiny of its search and advertising businesses, which generate nearly all of its revenue of about $29 billion a year. Google handles about two-thirds of Web searches in the U.S. and more than 80% in much of Europe.

The investigation may not result in Google facing charges of abusing its market power; a majority of the FTC commissioners decided only that there was enough evidence to launch a formal review.

But if the FTC found Google had illegally leveraged its share of the U.S. search market to funnel customers to its other services, the agency could force a dramatic change to the company’s ever-expanding operations.

“You could limit Google to the search market. You could say Google may not go into these adjacent markets to unfairly leverage” its search dominance, said Robert Lande, an antitrust expert at the University of Baltimore School of Law.

The FTC investigation could become “of the caliber of the Microsoft case,” he said.

The FTC has been making informal inquiries about Google’s business practices for several months, said Silicon Valley antitrust attorney Gary Reback, who represents companies that have complained to the FTC about Google.

Google said it was not sure what the FTC’s concerns were. But in an interview, Amit Singhal, one of Google’s top search engineers, said the company would cooperate with the FTC and with the states investigating its business practices.

“We are here to answer all questions from all authorities,” Singhal said. “We are going to answer everything they want to know.”

Momentum has been building for months to investigate whether Google abuses its market power to favor its own services over those of competitors. In November, the European Commission began a formal investigation into allegations from several companies that Google had violated competition laws. Texas also launched an investigation into Google.

The gathering regulatory storm could pose a serious legal and business threat to the 12-year-old Internet company, similar to the impact on Microsoft in the 1990s when federal officials pursued a landmark antitrust case. Microsoft eventually reached a settlement with the Justice Department and a group of states after a judge ordered that the company be broken up.

A long-running investigation could distract Google executives just as the new chief executive, co-founder Larry Page, attempts to reenergize the company to counter rising competition from Facebook Inc. and gain ground in new businesses such as mobile advertising.

Google also faces rising scrutiny on privacy matters. In April, it agreed to submit to independent privacy audits for 20 years as part of a settlement with the FTC over allegations it violated its users’ privacy with its social networking service Buzz.

“Google is going down the road plowed by Bill Gates,” Reback said.

But observers said it would be tough for the FTC to prove any harm to consumers.

“Nobody really cares about harm to competitors,” Lande said. “If there’s no harm to consumers, the case is over before it begins.”

Further, proving such harm could be challenging in an Internet marketplace where consumers can easily shift to another search engine, said David Balto, a senior fellow at the Center for American Progress and a former FTC official in the Clinton administration.

Los Angeles Times

Posted in High Tech | Tagged , , , | Leave a comment

Hackers hit videogame giant Electronic Arts

Posted on June 25, 2011 by admin

Please share this story

Share

US videogame giant Electronic Arts (EA) on Friday revealed that hackers had looted user data in “a highly sophisticated” attack.

A computer network hosting BioWare Edmonton’s “Neverwinter Nights” game forums was hit by hackers who made off with users’ names, passwords, email addresses, birth dates and other personal information, EA said at its website.

“The server system associated with the ‘Neverwinter Nights’ forums was the target of a highly sophisticated and unlawful cyber attack,” EA said.

“We have moved swiftly to implement additional security controls to prevent this type of breach from happening again to secure your data and are conducting further evaluations now,” the message continued.

No credit card information was taken in the hack, according to the Northern California-based firm.

EA was the latest in an unrelenting string of cyber attacks with targets ranging from Arizona police and the Central Intelligence Agency to videogame makers and the US Public Broadcasting Service.

Sega on Sunday released word that hackers had stolen the personal data of some 1.29 million customers of the Japanese game maker in a theft via a website of its European unit.

The Sega Pass website, operated by London-based Sega Europe, did not contain credit card information, the Japanese firm said.

But names, dates of birth, email addresses and encrypted passwords were stolen by intruders to the site, Sega said in a Japanese-language statement.

A series of hacker attacks on Japanese electronics and entertainment giant Sony in April forced it suspend online services for weeks.

Sony suffered one of the biggest data breaches since the advent of the Internet, with personal data from 100 million accounts compromised.

Source: http://sg.news.yahoo.com/hackers-hit-videogame-giant-electronic-arts-211336757.html

Posted in Hacking | Tagged , , , | Leave a comment

Hack Attack Exposes 1.3 Million Sega Accounts

Posted on June 24, 2011 by admin

Please share this story

Share

LulzSec says to watch your Facebook, Gmail, and Skype passwords, though no one has claimed responsibility for the Sega breach.

By Mathew J. Schwartz InformationWeek

Another day, another hacked website belonging to a video game manufacturer. On Friday, Sega confirmed news reports that attackers had compromised its systems, exposing data on 1.3 million users. Sega took the hacked Sega Pass system, which is both a newsletter and account management system for the company’s online games, offline on Thursday. It gave no estimate for when the service would be restored.
According to a message posted on the Sega Pass website, “we had identified that unauthorized entry was gained to our Sega Pass database.” Attackers stole Sega Pass members’ email addresses, dates of birth, and encrypted passwords. “None of the passwords obtained were stored in plain text,” said Sega, although it didn’t detail the encryption technique used.

Despite the passwords having been encrypted, Sega reset all users’ Sega Pass passwords. It also cautioned that “if you use the same login information for other websites and/or services as you do for Sega Pass, you should change that information immediately.”

The attack against Sega follows comments made by Sega West CEO Mike Hayes to Eurogamer last month, in which he said that the PlayStation Network (PSN) hack, which resulted in over 77 million user accounts being compromised, was “an interesting wake up call for all of us.” In particular, it led Sega to conduct an immediate security audit. “Fortunately we seemed pretty solid so we didn’t have to do too many additional changes,” he said.

The prolific hacking group known as LulzSec said it wasn’t responsible for the Sega attack. Suspicion immediately fell on the group, which exploited SonyPictures.com, leading to one million user accounts being exposed, as well as game developer Bethesda, after which LulzSec released no user information, but rather exhorted Bethesda to improve its security and also finish its games more quickly.

In the case of Sega, LulzSec offered to help find the perpetrators. “@Sega – contact us. We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down,” said a message posted to the LulzSec Twitter feed.

On a related noted, LulzSec on Friday released a public warning of sorts via Pastebin, saying that the recent flurry of hack attacks likely masks a far greater number of unreported attacks. “Do you think every hacker announces everything they’ve hacked? We certainly haven’t, and we’re damn sure others are playing the silent game,” said the LulzSec message. “Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn’t silently sitting inside all of these right now, sniping out individual people, or perhaps selling them off?”

On Sunday, in yet another Pastebin manifesto, LulzSec also announced that it was joining forces with Anonymous (from which it’s rumored to have sprung), in a venture dubbed Operation Anti-Security (#AntiSec). “Top priority is to steal and leak any classified government information, including email spools and documentation,” it said. “Prime targets are banks and other high-ranking establishments.”

As if to prove their point, LulzSec said on Sunday, via Twitter, that it had “recently” hacked into the website of InfraGard Connecticut, stealing information on more than 1,000 members. Meanwhile, on Monday, the group said that #AntiSec had launched a distributed denial of service (DDoS) attack against the website of Britain’s Serious Organized Crime Agency. A statement released by the law enforcement agency said that its public website had been taken offline in the wake of a DDoS attack, in part to mitigate its impact on the external service provider that hosts the site. The agency said that the affected website hosted no sensitive material.

LulzSec, which has already hacked the public websites of InfraGard Atlanta, the CIA, and broken into a U.S. Senate network, said that more attacks were already underway. “DDoS is of course our least powerful and most abundant ammunition. Government hacking is taking place right now behind the scenes,” it said via Twitter.

Posted in Hacking | Tagged , , , | Leave a comment

FBI targets two ‘scareware’ rings in U.S., Europe

Posted on June 24, 2011 by admin

Please share this story

Share

WASHINGTON (Reuters) – Police in the United States
and seven other countries seized computers and servers used to
run a “scareware” scheme that has netted more than $72 million
from victims tricked into buying fake anti-virus software.

Twenty-two computers and servers were seized in the United
States and 25 others in France, Germany, Latvia, Lithuania, the
Netherlands, Sweden and the United Kingdom, the U.S. Justice
Department said in a statement Wednesday.

The suspects involved in the scheme, who were not
identified, planted “scareware” on the computers of 960,000
victims. The scareware would pretend to find malicious software
on a computer. The goal is to persuade the victim to
voluntarily hand over credit card information, paying to
resolve a nonexistent problem.

Latvian authorities seized at least five bank accounts
believed to have been used by the leaders of the scam, and the
Justice Department said nothing about arrests.

U.S. authorities also said Wednesday they disrupted a
second scam, charging two Latvians with running a similar
scareware scheme that led to $2 million in losses through an
advertisement placed on a Minnesota newspaper’s website.

Peteris Sahurovs, 22, and Marina Maslobojeva, 23, were
arrested Tuesday in Latvia and face two counts of wire
fraud, one count of conspiracy and one count of computer fraud
in the United States, the Justice Department said.

“Scareware is just another tactic that cyber criminals are
using to take money from citizens and businesses around the
world,” said Assistant Director Gordon Snow of the FBI’s cyber
division.

‘BOTNETS’

Law enforcement officials would not confirm whether the
seizures were directly connected to a raid early Tuesday
morning at a web-hosting company in northern Virginia where
they took servers, a move that disrupted more than 120
websites.

U.S. authorities have been more aggressive this year in
trying to stem cybercrime and have been scrambling to
investigate several hacking attempts on U.S. institutions and
corporations.

In March, law enforcement raided servers used by a
”botnet,” essentially computers controlled by criminals without
the knowledge of the computers’ owners. Authorities severed the
IP addresses, effectively disabling the botnet.

That operation, nicknamed Rustock, had been one of the
biggest producers of spam e-mail, with some tech security
experts estimating it produced half the spam that fills
people’s junk mail bins.

In April, government programmers shut down a botnet which
controlled more than 2 million PCs around the world to spread a
computer virus named Coreflood, which grabbed banking
credentials and other sensitive financial data. Losses were
estimated at about $100 million.

A botnet is essentially one or more servers that spread
malicious software and use the software to send spam or to
steal personal information or data that can be used to empty a
victim’s bank account.
(Reporting by Jeremy Pelofsky and Diane Bartz; Editing by
Peter Cooney and Todd Eastham)

Los Angeles Times

Posted in Scam | Tagged , , , | Leave a comment

Lockheed Martin Comes Under Cyberattack

Posted on May 29, 2011 by admin

Please share this story

Share

Officials say the U.S. firm Lockheed Martin, one of the world’s biggest defense contractors, has sustained a major attack on its information systems network.

Lockheed Martin and U.S. defense officials have both confirmed that Lockheed Martin came under cyberattack. No immediate information was available on where the attack may have originated.

In a statement, Lockheed Martin described the attack as “significant and tenacious.” It said the company’s information-security team detected the attack on May 21 and took what the statement described as “aggressive actions” to protect the firm’s systems and data.

The statement said that as a result of the protective action, Lockheed Martin’s systems remained secure and “no customer, program, or employee personal data” was believed to have been seized by the attackers.

The U.S. Defense Department said the impact of the attack on the Pentagon was “minimal,” and no adverse effects are expected.

Officials said the Defense Department and the Department Of Homeland Security were working with Lockheed Martin to determine the scope of the attack and provide recommendations to reduce further risks.

Lockheed Martin is the maker of the F-16, F-22, and F-35 fighter jets, as well as other multibillion-dollar arms systems sold worldwide.

Source: http://www.rferl.org/content/lockheed_martin_comes_under_cyberattack/24208536.html

Posted in Hacking | Tagged , , | Leave a comment