Who doesn’t have an Amazon account? If you do, it may be worth changing your password, as Amazon is recommending users take that precaution after it discovered that some Amazon account credentials could be found online.
Amazon discovered the leaked passwords were contained within a password list posted online. While the list was not exclusive to Amazon services, Amazon has recommended that users change their passwords, even more so if they use the same password on several sites. If your account’s email address was found on any of the lists, Amazon has taken the precaution of forcing a password reset on your account.
While many recommend against it, it is common practice for people to use the same password and email combination on several sites, which increases the chance that if one account is hacked, others will be compromised as well.
Apple vs the FBI looked like it would never end. It started with the FBI requesting (and then a federal judge ordering) Apple’s help in unlocking and gaining access to an iPhone in a court case. Apple fought the order, and ultimately the FBI withdrew its request when it received help from an outside party. It has now been revealed that the tool the FBI used gained access to the iPhone through a security flaw.
The security flaw, one that was previously unknown to Apple, allowed the creation of a tool to crack the four-digit PIN in spite of the phone’s limit of 10 failed attempts. The group that provided the tool to the government was a group of “grey hat” hackers who actively seek out flaws in software and then sell them on to groups such as the government.
The exposed flaw affects both the iPhone 5 and iPhones running iOS 9, and may not work on newer versions of either the iPhone or the iOS operating system. FBI director James B. Comey has said that they may or may not disclose the security flaw to Apple, but with the latest leak revealing where they need to focus, Apple may now be able to fix the problem before others are able to exploit it.
After the recent court battle, the FBI has been rather quiet about how it managed to get into an encrypted iPhone. That changed only recently, when the FBI started briefing senior officials about the method it used, though it is likely the rest of us won’t hear about it anytime soon.
The FBI has already briefed senator Dianne Feinstein (vice chairman of the Senate Select Committee on Intelligence) about the technique used to get into the iPhone 5C. Although no real details were given, this may be the first of many briefings, as senator Richard Burr (chairman of the Senate Intelligence Committee) was also offered one, something he has not yet accepted.
Feinstein and Burr are currently backing a bill that would require companies to help the government gain access to the encrypted technologies they create. The bill would see Apple and other companies compelled to help bypass or remove encryption on their hardware and software, something the White House has yet to support.
With the new bill in sight, Feinstein and Burr also believe that companies like Apple shouldn’t be informed about the techniques the FBI used to gain access to their device, with Feinstein saying, “I don’t believe the government has any obligation to Apple. No company or individual is above the law, and I’m dismayed that anyone would refuse to help the government in a major terrorism investigation.”
With encryption now one of many technological advances that governments and law enforcement struggle to deal with, it will be interesting to see how governments address it and whether they choose to work with or against companies in dealing with the dangers this technology poses if used in the wrong hands.
Google’s latest patch for its Android operating system is one of the biggest security patches ever released for the OS. This monthly security update covers 39 vulnerabilities, 15 of which carry the highest rating, critical, meaning they could lead to total compromise of a device. The patch is part of the latest firmware image for Android devices, rolled out to Nexus devices starting on Monday, with the update to be added to the Android Open Source Project within 24 hours.
One of the vulnerabilities included in this patch is one that Google was alerted to just two weeks ago and which has already been used by a publicly available rooting application. Tracked as CVE-2015-1805, this flaw existed in the Linux kernel until April 2014, but until recently it wasn’t known that Android was also affected.
As many as nine critical remote code execution flaws were patched in Android’s media codec, media server, and Stagefright library. Of these, five were rated as high impact, including one privilege escalation vulnerability and four information disclosure issues. Critical flaws were also patched in the Android kernel, the Dynamic Host Configuration Protocol client, Qualcomm Performance module and the Qualcomm RF modules.
Aside from CVE-2015-1805’s use in a rooting application, there is no known exploitation of the other vulnerabilities fixed in this patch, according to a security advisory from Google. Given the large number of high-impact and critical flaws fixed, it is highly recommended that any Android 6 updates offered by manufacturers are installed before attacks that make use of them are released into the wild.
Cyber-security is a big issue, with people and companies finding out the hard way that their security has been breached when their data turns up online for sale or they receive phone calls advertising products using details they never handed out. With big companies like TalkTalk and even the government falling victim to hacks, people are increasingly acting with security at the front of their minds. This may soon change, though, as a survey of executives found they felt cyber-security is just an “IT problem”.
The survey questioned 1,530 C-level executives, that is anyone whose job title contains “chief” or another word beginning with C. This misplaced sense of responsibility, which in the end lands with executives anyway, comes as companies spent 25% more on information security in 2015 than in 2014.
These figures are more than a little scary, with company executives feeling that they are not responsible at every level for protecting your information, or even for being aware of the threats and dangers they face. In a day and age where you are more likely to be attacked via the internet and your computer systems than on the street, it is the responsibility of everyone, especially those in power, to make sure they uphold their legal responsibilities, even if that means a week’s crash course in cyber-security.
Hack the Pentagon, the US Department of Defense’s new bug bounty program, is set to begin this month, its organiser HackerOne has revealed. The challenge, open to anyone who thinks they have the technical nous to find and exploit weaknesses in the Pentagon’s cybersecurity systems, will commence on 18th April and run until 12th May.
“This is an effort for the Government to explore new approaches to its cybersecurity challenges,” the official website reads, “and evolve to adopt the best practices used by the most successful and secure software companies in the world, the DoD can ensure U.S. systems and warfighters are as secure as possible.”
Apple has worked hard to make it difficult for users to unwittingly install unauthorized and malicious apps on their devices. Despite this, there is still one way in that attackers are able to exploit: the mobile device management (MDM) protocol. Researchers from Check Point Software Technologies will demonstrate the hack in a presentation at the Black Hat Asia security conference on Friday.
The technique for injecting malware onto iOS devices takes advantage of the communication between MDM products and iOS devices being vulnerable to man-in-the-middle attacks, and can be performed with minimal user interaction. MDM products are used by companies to configure, control and secure employees’ devices remotely, as well as providing access to private app stores for easy internal app deployment. Of course, the attack relies on the target device being enrolled with an MDM server, so that there is a connection to hijack.
Initially, a user has to be tricked into installing a malicious configuration profile on their device, which could easily slip in among the many profiles corporate users are used to installing for VPN, Wi-Fi, email and other important settings. The malicious profile then installs a root certificate and routes the device’s internet connection through a proxy. This lets all traffic pass through a server under the attacker’s control, enabling the man-in-the-middle attack. From there, the attacker is free to push malicious apps to the device using a stolen enterprise certificate, or a malware app could be disguised as an app the user expects. The user must still accept the prompt to install the app, but even if it is refused, the attacker can push the request repeatedly, essentially locking the device up until the install is accepted.
Check Point has named this vulnerability Sidestepper, because it effectively side-steps the new restrictions on enterprise app deployment in iOS 9. Misuse of enterprise certificates is nothing new either: Check Point found that in one Fortune 100 company, over 300 sideloaded apps signed with over 150 enterprise certificates were in use. So while MDM technologies may be great for businesses, users must be just as much on their guard against attacks targeting those deployments as against any other app or profile they may install.
Apple vs the FBI may be over, but that doesn’t mean the question of decryption and the law is settled. In the most recent case to catch our ears, a suspect from the UK is being asked to decrypt his devices for the US authorities.
Lauri Love is a British computer scientist who is a suspect in the breach of US government networks, which is claimed to have caused “millions of dollars in damage”. After being initially arrested in 2013 and then released, Love was re-arrested in 2015 and is facing extradition to the US over the suspected crime. While he has not been charged with any crime, Love has been served a Section 49 RIPA notice (doesn’t sound that bad, does it?) requiring him to decrypt his devices by providing the passwords and keys needed to unlock them.
With his devices confiscated, something Love is now fighting with a countersuit in civil court, the authorities want to access the data on his devices, which include a Samsung laptop, a Fujitsu Siemens laptop, a Compaq computer tower, an SD card and a Western Digital hard drive. The National Crime Agency (NCA), the UK body that has demanded the devices be decrypted, is particularly interested in files on the SD card and external drive that are encrypted using TrueCrypt.
What is most worrying is that if Love were to provide the keys, and this evidence were used against him in the US, it would breach his Fifth Amendment rights there. The Fifth Amendment protects a person from being compelled to present evidence against themselves, meaning that you can’t be forced to prove your own guilt, by unlocking a computer for example.
In his argument, Love states that “the NCA are effectively arguing that any information that cannot be read and comprehended by the police has a presumption of guilt”, an argument that, if extended to other circumstances, could be worrying for any groups that share information and protect journalists, whistleblowers and anyone within the legal profession.
The FBI is known for its digital prowess, although it may require some help when it comes to breaking into an iPhone. One of its most recent successes was the tracking of people using the Tor network, but after a judge ruled that the defendant’s representatives needed to know how he was identified, the FBI has declined to say how it tracked people across the Tor network.
The ruling was made by the judge overseeing the case so that the defendant’s experts could check that the method used to identify the client was both within the FBI’s authority and properly identified the client among the thousands of users of the Tor network.
The Tor network is a system (also known as the Onion Router) which people can use to hide their true identity by encrypting their traffic and bouncing it around the world in a series of steps. The network is also known for hiding a selection of “secret” websites that can only be accessed from within the network.
The FBI claims that it has already provided enough details for the defence to figure out whether it went beyond its authority. FBI Agent Daniel Alfin is quoted in the court papers filed by the DOJ in the case as saying “knowing how someone unlocked the front door provides no information about what that person did after entering the house”. While a valid argument, one could also argue that if someone breaks into your house, both the theft and the means of entry are things you need to be made aware of, not just one of the two.
When it comes to security and privacy, there is little more protected than military details. As a result, the information is often guarded by several layers of protection, and even if these are breached, the chances of it going unnoticed are even slimmer than the chances of gaining access in the first place. Su Bin found this out the hard way when he pleaded guilty to leaking US military aircraft blueprints.
Su Bin, a Chinese national, has pleaded guilty to illegally accessing sensitive military data and distributing it to China for financial gain. Bin’s role in the scheme was to obtain access to Boeing’s and other companies’ servers, retrieving information about their military aircraft such as the C-17 and even fighter jets. Once he had access, he told two associates, unnamed in his plea deal, which servers to hack and what information on the projects was useful, sending them both server details and the names (and email addresses) of US executives. He even provided a translation service, converting the documentation from English to Chinese before sending it on to China, all at a cost.
After being caught in Canada in 2014 and extradited to the US last month, Bin will now be charged with stealing data listed on the US Munitions List contained in the International Traffic in Arms Regulations.
With countries becoming more and more aware of the risks and dangers of the digital world, every arrest is a stark warning that just because you can do something, it doesn’t mean you will get away with it.
The legal case of the year is already over. Apple vs the FBI is finished, a court case that saw the question of security vs privacy raised on a national, and even global, level. After cancelling a court hearing with Apple, the FBI has officially closed the case.
It would seem that even without Apple’s assistance, the FBI claims to have managed to break into and access the data it required on the iPhone in question. In its response, the FBI stated that the new hack was “sufficiently plausible” to the point where it could stop pursuing Apple’s assistance.
Currently, there is no information about who performed the hack or how many iPhones it works against. With so little known about the hack, it is hard to tell whether the court case could re-emerge in the future, with over a hundred phones in government custody still locked.
In its response the Department of Justice reminded us that it would continue to gather information from encrypted devices, saying that “It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety”, followed by a small reminder that this will happen with or without help, “either with cooperation from relevant parties or through the court system”.
We use email every day, whether sending messages for work or personal reasons or receiving a thousand and one emails advertising everything from something you are actually interested in to helping a foreign prince distribute his wealth. One way to protect yourself when sending email is to send it encrypted, something whose use has risen by 25% among Gmail users.
What caused this spurt in encrypted email? Google stated last year that it would start flagging unencrypted emails, warning users when a message was exchanged with a provider that did not support TLS encryption. This change came into effect in February this year, and the end result was the 25% increase in encrypted emails that Gmail has reported over the last month.
Google isn’t acting alone on this either, with Comcast, Microsoft, Yahoo and other companies in the industry working to create SMTP STS, a new standard that could be used to help protect email from man-in-the-middle attacks.
Combine this with Google’s recent push on security updates in Chrome and Android, including two-factor authentication and warning people about state-sponsored attacks on their accounts, and it becomes more and more clear that even in the digital world, companies want your private information to remain private.
The lottery is all about odds, from your numbers being picked to choosing whether to stick with your usual numbers or go for a lucky dip this weekend. It seems that a group of people didn’t want luck to be a factor and had in fact hacked lottery terminals in order to print winning tickets.
A group of six people has been charged with the crime; they worked in or owned retail stores that took part in the 5 Card Cash game in Connecticut. The only reason they got caught? They were winning too much.
Typically the state average for winning the lottery was 24 percent, but in one of the stores there was a 76% chance of winning. They were able to do this by tampering with the terminals used to print lottery tickets and then cashing the tickets in. They might not be the only ones, though, as investigators say that “more arrests may be made in the future”.
“An investigator for the Connecticut Lottery determined that terminal operators could slow down their lottery machines by requesting a number of database reports or by entering several requests for lottery game tickets. While those reports were being processed, the operator could enter sales for 5 Card Cash tickets. Before the tickets would print, however, the operator could see on a screen if the tickets were instant winners. If tickets were not winners, the operator could cancel the sale before the tickets printed.”
The 5 Card Cash game was cancelled after several months when lottery officials realised that it was producing more winning tickets than the system should have allowed. To this day, the game remains suspended and looks set to stay that way now that it has been revealed how many people were able to break the system for profit.
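The flaw the investigator describes is a check-then-commit race: the terminal reveals the outcome while the sale can still be cancelled. The following simulation is an added example, not code from the Connecticut Lottery or from the article; the win probability, the sale counts and the audit threshold are constructed assumptions. It contrasts the flawed flow with one that commits the sale before drawing the outcome, and includes the kind of win-rate audit that caught the scheme.

```python
"""Simulation of the 5 Card Cash terminal flaw: outcome revealed before the sale is final.

Constructed example. WIN_PROB mirrors the state-wide rate quoted in the article; the
sale count, operator behaviour and audit tolerance are assumptions for illustration.
"""
import random

WIN_PROB = 0.24          # assumed base rate of instant winners
AUDIT_TOLERANCE = 0.10   # assumed: flag a store more than 10 points above the base rate


class Terminal:
    """A lottery terminal whose sale flow is either flawed or fixed.

    reveal_before_commit=True : the flawed design. The outcome is drawn and shown on
        screen while the sale is still pending, so the operator can cancel losers.
    reveal_before_commit=False: the fix. The sale is committed (logged and
        non-cancellable) first, and only then is the outcome drawn and printed.
    """

    def __init__(self, seed, reveal_before_commit):
        self.rng = random.Random(seed)
        self.reveal_before_commit = reveal_before_commit
        self.printed = []      # True/False for every ticket that actually printed
        self.cancelled = 0     # pending sales the operator backed out of

    def sell(self, operator_cancels_losers):
        """One sale attempt; returns the printed ticket's outcome, or None if cancelled."""
        if self.reveal_before_commit:
            is_winner = self.rng.random() < WIN_PROB   # drawn and displayed first...
            if operator_cancels_losers and not is_winner:
                self.cancelled += 1                    # ...so a loser can be cancelled
                return None
            self.printed.append(is_winner)
            return is_winner
        # Fixed flow: the sale is final before anything is drawn, so there is no
        # moment at which the operator can see the outcome and still back out.
        is_winner = self.rng.random() < WIN_PROB
        self.printed.append(is_winner)
        return is_winner


def run_store(seed, reveal_before_commit, operator_cancels_losers, sales=5000):
    """Run a store's sales and return its printed-ticket statistics."""
    term = Terminal(seed, reveal_before_commit)
    for _ in range(sales):
        term.sell(operator_cancels_losers)
    winners = sum(term.printed)
    win_rate = winners / len(term.printed) if term.printed else 0.0
    return {"printed": len(term.printed), "winners": winners,
            "win_rate": win_rate, "cancelled": term.cancelled}


def audit_flags_store(win_rate, expected=WIN_PROB, tolerance=AUDIT_TOLERANCE):
    """The detection that caught the scheme: a store winning far above the base rate."""
    return win_rate > expected + tolerance


if __name__ == "__main__":
    cases = {
        "honest operator, flawed flow":   run_store(1, True, False),
        "cheating operator, flawed flow": run_store(1, True, True),
        "cheating operator, fixed flow":  run_store(1, False, True),
    }
    for name, r in cases.items():
        print(f"{name:32s} printed={r['printed']:5d} cancelled={r['cancelled']:5d} "
              f"win_rate={r['win_rate']:.2f} flagged={audit_flags_store(r['win_rate'])}")
```

Under the flawed flow every printed ticket of a cheating operator is a winner, which is exactly the anomaly an audit of per-store win rates surfaces; under the fixed flow the cancel step has nothing to act on and the rate stays at the base rate.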
With all the apps and systems that are used, created and updated every day, it is often impossible to be absolutely certain about their security. This led to the creation of external help through schemes like bug bounties, unless you are Uber, who changed the scope of which bugs they’ll pay for.
Bug bounty schemes are simple. If you find a problem in the code or system a company uses, you report it to the company running the scheme, and if they agree it is a problem, you get paid. Even Microsoft and GitHub run schemes to help narrow down and find problems with their software. The issue here is that only this week the popular taxi alternative app Uber launched its own bug bounty scheme.
Sean Melia found a few issues, or rather a few admin panels and ports that were open. These fell in line with what Uber wanted under the categories of “publicly accessible login panels” and “exposed administration ports (excluding OneLogin)”. After reporting the first issue, which was quickly accepted as a bug, Melia went about finding others, resulting in the large batch he ended up reporting. The problem was that by this time Uber had updated its documentation to make these reports invalid, without informing people using the scheme. Free security support, anyone?
The reason for the change? Uber’s security engineering manager, Collin Greene, has stated that they changed the rules to stop researchers wasting their time on minor bugs. Greene went on to say that “a successful bug bounty rests on researchers trusting us to run it well, which we take very seriously”, something that may not go down so well when you are willing to move the goalposts without telling people.
Was Uber right in this case? Should it have acted differently? A problem’s a problem, so even at a lower payout, should Melia have received something given that he did the work under the old rules?
The revelation comes as a seller has begun advertising a database of information on 1.5 million Verizon Enterprise customers, offered for the price of $100,000. If that feels like a little much, you can buy 100,000 records for just $10,000. The thread also offers the option to buy information about security vulnerabilities in Verizon’s website, leading people to question just how safe their data is.
In response, Verizon stated that it had “recently discovered and remediated a security on our enterprise client portal”. Regarding the data itself, it states that “an attacker obtained basic contact information on a number of our enterprise customers”.
This would appear to confirm that the data is real, although it may not be as juicy and chock-full of information as some might hope. This looks especially bad for Verizon Enterprise, as they are the ones commonly finding flaws and reporting on breaches like these every year. If you were wondering how much impact this could have, Verizon Enterprise’s client list includes 99% of Fortune 500 companies.
When this was revealed I couldn’t believe my eyes. Someone walks up to a car and it’s locked; someone else walks up, can instantly get in and, at the press of a button, start the engine, no key required. Wireless key technology is now employed in cars all over the world and lets users avoid the hassle of finding their car keys; sadly, it looks like a radio attack lets hackers do exactly the same thing without you even knowing.
A group of German vehicle security experts has studied how the radio hack uses your own keys to break into your car. The whole principle of wireless keys is that the engine and the doors will only work when the keys are within a certain range of the vehicle, so if you aren’t near your car it is just an expensive piece of metal and technology.
Munich-based automobile club ADAC tested a hacking technique that uses the principle of “amplification” to fool your car into believing that the keys are closer than they actually are. In total, their study found 24 different vehicles from 19 different manufacturers were vulnerable to the radio attack. What does this mean? Using this kind of attack, someone can walk up to your car and, using a small pocket amplification device, unlock it and drive away. No alarms. The total cost of this hack? $225 for the device. Compare that to the cost of the Audi A3, A4 and A6, Ford Galaxy, Mitsubishi Outlander, Renault Trafic and countless other models that are vulnerable to this attack.
The technique works by “amplifying” your key’s signal. In reality, what happens is that the key fob’s signal is relayed through a pair of radios. Is this an example of technology being made too smart, at the cost of security, in order to save us a few seconds of inconvenience?
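The relay described above defeats a proximity check that only asks whether the fob answers, not how quickly. The following simulation is an added example, not ADAC’s test setup or any manufacturer’s code; its radio timings, the 2 m range and the HMAC challenge/response are constructed assumptions. It shows why a round-trip-time bound catches the relay even when the relay hardware adds no delay at all: the fob is still physically far away, and radio cannot cover that distance in time.

```python
"""Distance-bounding check against the key-relay ("amplification") attack described above.

Constructed example. The radio timings, the 2 m range and the HMAC challenge/response
are assumptions for illustration, not the protocol of any manufacturer named in the article.
"""
import hashlib
import hmac
import os

SPEED_OF_LIGHT_M_PER_NS = 0.3   # radio propagation: about 0.3 m per nanosecond
MAX_DISTANCE_M = 2.0            # assumed: how close the fob must be for the car to react
FOB_PROCESSING_NS = 40          # assumed: time a genuine fob takes to compute its reply
# Bound = round trip over the allowed distance plus the fob's processing budget (~63 ns).
MAX_RTT_NS = 2 * MAX_DISTANCE_M / SPEED_OF_LIGHT_M_PER_NS + FOB_PROCESSING_NS + 10


class KeyFob:
    def __init__(self, secret):
        self.secret = secret

    def respond(self, challenge):
        """Answer the car's challenge; returns (response, processing time in ns)."""
        return hmac.new(self.secret, challenge, hashlib.sha256).digest(), FOB_PROCESSING_NS


class Car:
    def __init__(self, secret):
        self.secret = secret

    def unlock(self, path):
        """path(challenge) -> (response, round-trip ns) through whatever sits between car and fob.

        Both checks must pass: the reply must be genuine AND arrive fast enough to have
        come from within MAX_DISTANCE_M. A relay forwards a genuine reply, so only the
        second check can catch it.
        """
        challenge = os.urandom(16)
        response, rtt_ns = path(challenge)
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False, "bad response"
        if rtt_ns > MAX_RTT_NS:
            return False, f"round trip {rtt_ns:.0f} ns exceeds bound {MAX_RTT_NS:.0f} ns"
        return True, "ok"


def direct_path(fob, distance_m):
    """The fob really is distance_m from the car."""
    def path(challenge):
        response, proc_ns = fob.respond(challenge)
        return response, 2 * distance_m / SPEED_OF_LIGHT_M_PER_NS + proc_ns
    return path


def relayed_path(fob, real_distance_m, relay_hop_ns):
    """The article's attack: two radios forward the exchange between the car and a distant fob.

    The fob's reply is genuine; what the relay cannot hide is the extra time the signal
    needs to cover the real distance plus the relay electronics on each leg.
    """
    def path(challenge):
        response, proc_ns = fob.respond(challenge)
        return response, (2 * real_distance_m / SPEED_OF_LIGHT_M_PER_NS
                          + proc_ns + 2 * relay_hop_ns)
    return path


if __name__ == "__main__":
    secret = os.urandom(32)         # constructed: the car/fob shared key
    car, fob = Car(secret), KeyFob(secret)
    print("owner at the door:     ", car.unlock(direct_path(fob, 1.0)))
    print("fob 20 m away, relay:  ", car.unlock(relayed_path(fob, 20.0, 500)))
    print("ideal zero-delay relay:", car.unlock(relayed_path(fob, 20.0, 0)))
    print("wrong fob:             ", car.unlock(direct_path(KeyFob(b"not-the-key"), 1.0)))
```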
On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone. Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone. If the method is viable, it should eliminate the need for the assistance from Apple Inc. (“Apple”) set forth in the All Writs Act Order in this case.
As much as the FBI would love to think that it came up with the solution, it was Snowden criticising the FBI’s claims about unlocking the phone that seems to have been the tipping point. With numerous groups claiming to have ways to unlock the iPhone, the FBI’s push for Apple to create a way to unlock an iPhone has long been suspected of being an attempt to gain a way into the encrypted software.
If the FBI had this alternative available from the start, it would appear that suspicions about the FBI using the case as an attempt to make future requests easier were true. If so, trust in the FBI could be damaged even further, with people questioning why the FBI wanted easy access to everyone’s iPhones.
The Metaphor exploit uses a set of back-and-forth communications that let attackers probe the defences of a target device before attempting the compromise. When a victim visits a website with a malicious MPEG-4 file embedded in it, the file causes Android’s built-in media server to crash and send data about the device’s hardware to the attacker; the attacker then sends another video file, captures additional data and finally delivers a video file able to compromise the device. The procedure may sound long and complicated, but in reality Metaphor was found to be able to break into most devices within 20 seconds. Unfortunately for fans of stock Android, the attack was found to be most effective on Nexus 5 devices running stock firmware, but the customised versions of Android found on phones from HTC, LG and Samsung are not safe either.
While this attack may pose a threat to the 275 million Android phones running versions 2.2 through 5.1, devices running the most up-to-date version, 6.0 Marshmallow, are safe. Additionally, the attack needs to be tailored to a specific set of Android hardware, so only those running the most popular devices are likely to be targeted, and many of those have already received patches specifically to defend against Stagefright. As a result, those with older Android devices may want to be careful, or think about a new handset, lest they remain vulnerable to this exploit if it enters the wild.
The security company Kaspersky has released a new report that clearly shows just how much of a problem the Steam Stealer malware is. Not only does the malware infect thousands of people each month, it is also very easy to use and cheap to purchase for criminals who want to get their hands on your Steam account.
The Steam multi-OS digital distribution and entertainment platform, owned by Valve, has over 100 million registered users and several thousand games available for download worldwide. Such popularity makes it a prime target for criminals who want to make a quick buck off your hard-earned collection. A recently published report shows that 77 thousand Steam accounts are hijacked and pillaged every month, making it a huge problem.
The prime suspect in the account hijackings is the malware known as Steam Stealer (detected as Trojan-psw.Msil.Steam, Trojan.Msil.Steamilik and Trojan.Downloader.Msil.Steamilik, amongst others). The malware is thought to originate from Russian-speaking cybercriminals, but where it comes from matters less than how it is being used.
Steam Stealer works on a malware-as-a-service business model, which in itself isn’t new. Other malware types use the same business model, but there is a difference in cost. Previously known offerings have cost in the range of £350, which meant you had to be fairly committed before paying that much to use the service. Steam Stealers, on the other hand, are available for as little as £20. That is something people will pay just to make a joke, which makes everything worse. On top of that, Steam Stealer malware-as-a-service comes with extras such as free upgrades, user manuals, custom advice on distribution and more.
The malware is mainly distributed via fake cloned websites or social engineering attacks using direct messages. Once you have received the malicious file and opened it, the malware steals the entire set of Steam configuration files, locates the Steam KeyValue file that contains your credentials, and even grabs your session data. With this information, your account is wide open for the criminals to plunder and pillage.
Where a Steam account once had only a smaller value, since the games are locked to the account, that has changed with the introduction of all sorts of collectables and in-game items that can at times be worth thousands of pounds each. That makes Steam accounts a highly valuable target.
“The gaming community has become a highly desirable target for cybercriminals. There has been a clear evolution in the techniques used for infection and propagation, as well as the growing complexity of the malware itself, which has led to an increase in this type of activity. With gaming consoles adding more powerful components and the Internet of Things on our doorstep, this scenario looks like one that will continue to play out and become more complex. At Kaspersky Lab, we hope that our research will develop into an ongoing investigation, bringing a much-needed balance to the gaming ecosystem. Security should not be something developers think about afterwards, but at an early stage of the game development process. We believe that cross-industry cooperation can help to improve this situation,” comments Santiago Pontiroli, Global Research & Analysis Team, Kaspersky Lab.
To stay safe, you should make sure that you have up-to-date security software installed and it couldn’t hurt to check out Valve’s own security measures either. Maybe you can secure your account better than you already have and take that extra step to protect your valuable gaming content.
Many companies outsource the finding of vulnerabilities in their products to external hackers, offering monetary rewards in exchange for details of successful hacks that they can then fix. In a move that should both display its faith in the security of the Chromebook and entice more hackers and security experts to probe the laptops for vulnerabilities, Google has doubled the bounty offered for a Chromebook hack to $100,000.
This new and larger reward sets a high bar for anyone wishing to challenge the Chromebook’s security. To qualify for the full $100,000 bounty, a hack must be delivered through a web page accessed in guest mode and the compromise must persist in guest mode, even between reboots of the device. The reason this is challenging is that in guest mode a Chromebook employs its highest level of security. A guest user can download files but is forbidden from installing apps, even those officially released through Google’s store, which closes off one of the major angles of attack used by hackers. Chromebooks are also set to install updates automatically, run all of their software in sandboxed environments and even have a “verified boot” function, which can detect whether the OS has been compromised by malware at boot and roll it back to a clean version.
“Since we introduced the $50,000 reward, we haven’t had a successful submission,” Google wrote on their security blog. “That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.” Whether that means that no-one can hack the Chromebook or simply that not enough people have tried remains to be seen, and we will have to wait and see whether anyone is able to claim this bounty in the near future.
In history there is a tale as old as time: no matter how large something gets, no matter what happens, when an organisation starts to perform questionable acts it will always be someone on the inside who addresses the situation by letting everyone know about it. We’ve already seen this with Edward Snowden revealing the extent to which America was illegally spying on and retaining information about people from all over the world. The same impulse has now revealed the details of 22,000 ISIS members.
A defector from the group claims to have carried with him a USB drive containing more than your average backup of files. The USB drive is claimed to hold details of 22,000 ISIS fighters, including:
The paperwork it apparently contains is reported to be filled out before fighters come to the country, therefore representing foreign fighters coming to the group from abroad. The paperwork included questionnaires filled out by members of ISIS, including information regarding how they were recruited and would get to the group from their location, bypassing the restrictions and warning systems currently in place.
Currently, agencies around the world are trying to track down and confirm that this information is genuine, but if it does prove to be real information then this could help agencies track down recruiters and start cutting off access to the group from their countries.
We’ve all had that moment: you are writing an email and worrying so much about your wording that just as you hit send something jumps out at you. Forgot to attach the file you were talking about, or added the wrong details by mistake? Imagine making the same mistake on a bank transfer; that is a pretty big deal. Even bigger if the money doesn’t belong to you and all that stopped you getting it was the spelling mistake.
The hackers in question managed to gain access to the servers of Bangladesh Bank, from there they went about their business. In total, they were going to send somewhere close to $850 million to different accounts in the Philippines and Sri Lanka in just 13 transfers. $81 million of these went through before the fifth one was flagged up by a routing bank in Germany.
The reason for the flag was simple: “fandation”. Instead of “foundation”, the hackers had mistyped and put in “fandation”. Had the hack been fully successful it would have been one of the largest of its kind on record; while $81 million is impressive, you have to think that with a little spell checking they could have made off with a lot more.
While this is only the bill’s first reading, if the amendment went ahead companies may feel uneasy doing business in France for fear of either giving out personal information or facing a fine. It should be noted, though, that while Amendment 90 is being considered, it could be worse: Amendment 221 goes so far as to increase the fine by over five times and to request “all relevant” information, meaning more than just the message they are looking for.
Amendment 51 went so far as to state that companies who refused to help authorities would be considered “accomplices to terrorism”, a far stretch from the truth by any imagination. With public support seemingly increasing for Apple’s case in the US, and companies and public figures alike coming out in support of them, accepting such a controversial bill wouldn’t help the French government when trying to enlist technology companies’ help.
While adding fingerprint scanners to mobile phones seems to be a great new way to allow devices to be better secured without requiring the user to remember a lengthy password, it has been found that such scanners can easily be fooled. Apple’s Touch ID was broken by play-doh last month, now it is Samsung and Huawei’s turn in the spotlight, with the sensors on Galaxy S6 and a Huawei Honor 7 being cheated by researchers from Michigan State University.
The tools required to get into these devices were nothing more than a basic inkjet printer loaded with special ink and paper, used by Kai Cao and Anil Jain from the Michigan State University department of computer science and engineering. The researchers took scans of the fingerprints required to unlock the devices and printed them in 2D using conductive ink and paper designed for printing electronic circuit boards and other systems that carry an electric charge.
This wasn’t just a one-time trick either, with the researchers able to replicate the technique multiple times for different sets of fingerprints, the whole process taking very little time using common equipment. This is one step beyond most other methods of bypassing fingerprint scanners, which typically require a 3D imprint of the fingerprint, often involving specialist techniques or actions by the ‘victims’ beyond a simple scan.
The number of smartphones this may affect is currently unknown, with the scanner used in the Galaxy S6 and Honor 7 being common across a number of devices including a number of Nexus phones and the LG G5. The attack does not pose a strong risk to most users, however, as it is unlikely that many attackers will be able to acquire a set of fingerprints at a high enough resolution to use, but for those in possession of prints, such as law enforcement agencies, this could be an easy way to break into the devices of criminals that are secured by fingerprint scanners.
A few years ago Sony had a rather bad hack, which affected around 70 million of their customers. In the wake of the hack, Sony offered to renew its efforts to increase security alongside some gifts to appease players who suffered during the 23-day outage. As of March 2nd, you may find that the promised free game codes have finally arrived.
Depending on the services you were signed up to when the hack happened (PlayStation Network, Qriocity and Sony Online Entertainment), you can claim a variety of rewards. As part of Sony’s initial scheme people were offered to grab a game, but don’t worry if you didn’t manage to grab one all the time back then, you can grab two now.
The games available vary based on which of the available platforms you wish to collect your reward for, with the Playstation 3, Vita and PSP all being offered free rewards as a sorry. If you want to grab a game you can now get inFamous, LittleBigPlanet and even the God Of War HD Collection for free but they will be limited to the aforementioned consoles.
With the lawsuit that spawned this reward scheme valued at $2.75 million, Sony must be happy that they can get away with a few free games or a little account credit or PSN time, almost five years after the hack kicked off the kind of security awareness that so many companies are still struggling with.
An Indian hacker has found a remarkably simple way to access any Facebook user account. Thankfully, Anand Prakash, a security engineer from Bangalore, is a “white hat” hacker and immediately contacted Facebook about the loophole, granting him a $15,000 reward.
In a blog post – with the provocative title “How I could have hacked all Facebook accounts” – Prakash explained the process he used, including a proof-of-concept video. Effectively, he brute-forced the password reset code – a six-digit number which is sent to the user’s phone or e-mail – on the beta version of Facebook, which allowed him unlimited input attempts without locking him out. He was then able to set his own password, with which he could fraudulently access other users’ accounts.
“Whenever a user Forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110, Facebook will then send a 6 digit code on his phone number/email address which user has to enter in order to set a new password,” Prakash wrote. “I tried to brute the 6 digit code on www.facebook.com and was blocked after 10-12 invalid attempts.”
“Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on forgot password endpoints,” he added. “I tried to takeover my account (as per Facebook’s policy you should not do any harm on any other users account) and was successful in setting new password for my account. I could then use the same password to login in the account.”
According to his blog, Prakash discovered the vulnerability on 22nd February, and received his $15,000 reward from Facebook on 2nd March. Facebook is yet to confirm the veracity of Prakash’s blog post.
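The weakness Prakash describes is not the six-digit code itself but the missing attempt limit on the beta endpoints. The following is an added example (not Facebook’s code, and not from Prakash’s post) of a reset-code verifier written both ways: the same service with rate limiting switched off, which accepts as many guesses as you care to submit, and with it switched on, which burns the code and locks the identifier after a fixed number of failures. The limits, the identifiers and the `FakeClock` are constructed for the example; a real deployment would also count attempts per source address and alert the account owner on lockout.

```python
"""Password-reset code verification, with and without per-account attempt limiting.

Added example. Policy values below are constructed for illustration, not any
real site's settings.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILURES = 10           # wrong guesses tolerated per issued code (constructed value)
LOCKOUT_SECONDS = 15 * 60   # identifier is blocked this long after too many failures
CODE_TTL_SECONDS = 10 * 60  # a reset code is only valid for this long


@dataclass
class PendingReset:
    code: str
    issued_at: float
    failures: int = 0


class ResetCodeService:
    """Issues and verifies 6-digit reset codes keyed by phone number or e-mail."""

    def __init__(self, rate_limited=True, clock=time.monotonic):
        self.rate_limited = rate_limited   # False reproduces the unlimited-attempts behaviour
        self.clock = clock
        self._pending = {}        # identifier -> PendingReset
        self._locked_until = {}   # identifier -> monotonic time the lockout ends

    def _is_locked(self, identifier):
        return self.clock() < self._locked_until.get(identifier, 0.0)

    def issue_code(self, identifier):
        """Create a fresh single-use code. Production code would deliver it out of band."""
        if self.rate_limited and self._is_locked(identifier):
            raise PermissionError("identifier is locked out; try again later")
        code = f"{secrets.randbelow(1_000_000):06d}"   # uniformly random, not time-based
        self._pending[identifier] = PendingReset(code, self.clock())
        return code

    def verify(self, identifier, submitted):
        """Return 'ok', 'invalid', 'locked', 'expired' or 'no_code'."""
        now = self.clock()
        if self.rate_limited and self._is_locked(identifier):
            return "locked"                        # refused before the code is even compared
        pending = self._pending.get(identifier)
        if pending is None:
            return "no_code"
        if now - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[identifier]
            return "expired"
        if hmac.compare_digest(pending.code, submitted):   # constant-time comparison
            del self._pending[identifier]          # a code is good for exactly one use
            return "ok"
        if self.rate_limited:
            pending.failures += 1
            if pending.failures >= MAX_FAILURES:
                del self._pending[identifier]      # burn the code so guessing must restart
                self._locked_until[identifier] = now + LOCKOUT_SECONDS
        return "invalid"


class FakeClock:
    """Controllable clock so lockout and expiry can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def wrong_guesses(real_code, n):
    """Yield n six-digit codes that are guaranteed not to equal real_code (test input)."""
    produced = 0
    for i in range(1_000_000):
        candidate = f"{i:06d}"
        if candidate != real_code:
            yield candidate
            produced += 1
            if produced == n:
                return


def attempts_before_refusal(service, identifier, budget=100):
    """Measure exposure: how many wrong guesses the endpoint accepts before it refuses."""
    real = service.issue_code(identifier)
    accepted = 0
    for guess in wrong_guesses(real, budget):
        if service.verify(identifier, guess) != "invalid":
            break
        accepted += 1
    return accepted


if __name__ == "__main__":
    unlimited = ResetCodeService(rate_limited=False, clock=FakeClock())
    limited = ResetCodeService(rate_limited=True, clock=FakeClock())
    print("no rate limit accepted:", attempts_before_refusal(unlimited, "user@example.com"))
    print("rate limited accepted: ", attempts_before_refusal(limited, "user@example.com"))
```

With the limit off, `attempts_before_refusal` keeps accepting guesses up to whatever budget the caller has, which is exactly the condition that made the beta endpoints exploitable; with it on, the eleventh guess is answered with `locked` and the code it was guessing no longer exists. Note that the two failure cases of an unlimited endpoint, a lock that is never applied and a code that is never burned, are fixed independently here, since either one alone still leaves a million-guess search open.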
Apple is everywhere in the news these days. From the rumoured features of their next generation of phones to the courtrooms. In a case that recently came to light in New York, the judge ruled that Apple could not be forced to unlock an iPhone by the All Writs Act. This didn’t sit well with the DOJ who are now appealing the order.
The case in New York features another iPhone, again locked by a passcode. Repeatedly trying different passcodes risks the data on the phone, thanks to a security measure that erases the phone after 10 failed passcode entries. With so many combinations, the FBI is looking to enlist Apple’s help to enter passcodes through software without the data being erased.
I say looking to enlist, but the act used (the All Writs Act) has been described by some as a way for a judge to issue an order where no legal precedent exists for the request. A judge in New York recently ruled that Apple couldn’t be forced to remove these settings or extract the data by use of the All Writs Act.