IRS Hacked By The Same Issue They Were Protecting People From

Last year the US Internal Revenue System revealed that they had been hacked. At first they said that up to 100,000 people were affected by the hack, only to then bump that up to 334, 000 in August. The latest figures put that closer to 724,000 and set to only get worse as it seems they have been hacked yet again.

When filing a tax return you are now required to provide the “Identity protection PIN” that you are given by the IRS. These are specific codes given to people to place on tax returns, failure to do so invalidates the tax return and the IRS will reject it. Sounds like a good idea doesn’t it? So what happens when the IRS’s record of these secret PIN’s are hacked?

Becky Wittrock, an accountant in South Dakota, went to file her tax return this year only to find that the pin had already been used to file a “large refund request” more than three weeks prior. How did the hackers get access to the PIN? Seems that if you lose your PIN you can retrieve it by logging into the IRS website. Seems this is where the problem lies, as the technology used to secure this login process is the same technology that was breached last year.

That’s right, in order to protect people from a hack the IRS used the same technology that was breached by that hack. In order to retrieve your PIN you were asked questions (known as KBA or knowledge-based authentication) such as “on which of the following streets have you lived?” and other multiple choice questions, a system that allowed a hacker to answer the questions correctly.

Seems like a big mistake for the IRS to make, costing both the government and hard working people time, money and stress because they didn’t check that their fix didn’t use the very thing that got them into trouble in the first place.

iPhone Unlock Perused After Defendant Pleads Guilty

In recent years, technology has evolved in such a way that the law is often trying to catch up with the technology that comes out. In the last few months, technology companies have come to odds with the government regarding a range of topics but none more so than encryption.
Encryption is the process of messing up information in a logical way so if you just so happen to bump into it (or catch it on purpose), unless you were meant to read it you are unable to (or at least find it difficult). Apple has recently come at odds with the U.S. government as they have been asked to unlock (effectively disabling the protection and encryption on) an iPhone. The case just got more interesting though with them claiming that they should still unlock the phone after the defendant pleaded guilty.

The government quoted a law written in the 18th Century called the All Writs Act. A writ is essentially an order for a company or person to perform an action, and its use has displeased many people, with Ken Dreifach (the attorney representing Apple) clarifying why this is a worrying use of an old power,

“The government could seemingly co-opt any private company it wanted to provide services in support of law enforcement activity, as long as the underlying activity was authorized by a warrant. The All Writs Act does not confer such limitless authority.”

Even though the defendant, Jun Feng, has since pleaded guilty to one count of conspiracy to distribute and possession with intent to distribute methamphetamine, the prosecutors are still requesting that Apple unlock the phone just in case it contains information that could help other “ongoing” cases. The iPhone in question is running iOS7, as of iOS 8 Apple have enabled full encryption in an act it has stated would prevent them from complying with such orders.

Do you think Apple should unlock the phone? Should companies be forced to perform any action they can at the request of a court?

Ransomware Locks Your Android Phone Pin And Asks For Cash

Ransomware is akin to the booming stock market of yesteryear for hackers, the notion of locking an individual’s infected device is a powerful reality for today’s modern day connected gadgets. As such it can be no surprise that a new technique has surfaced which implements a free app on third-party app stores which changes the device’s locking PIN and then asks for $500 as a kind of screw you post it.

Technique of this ransomware.

Let’s take a look at the details; it may take a while so make yourself comfortable. Security firm ESET has detected this threat as a Android/Lockerpin.A, users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset, but this would delete all data as a consequence.

After successful installation, this type of malware attempts to obtain user admin privileges by attempting to trick users, it does this by overlaying the activation window with the Trojan’s malicious window which pretends to be an “Update patch installation”. As the user clicks through this innocuous-looking installation they also unknowingly activate the Device Administrator privileges in the hidden underlying window.

This is lethal considering the moment you click “continue” within the installation activation window, your device has fallen victim, the Trojan app has now obtained Administrator rights and has silently locked your device by setting a new PIN for the lock screen. Not long after this has happened, the user will be prompted to pay a $500 dollar ransom for allegedly viewing and harbouring forbidden pornographic material, below is a screenshot of this warning notice.

The device is then locked after the warning screen is displayed within the standard Android lock screen. The new PIN is generated randomly and not sent to the attacker. The only practical way to unlock is to reset to factory defaults.

Lockpin’s self defence mechanism part 2.

Not only does this type of ransomeware acquire device admin privileges it also stops users from attempting to deactivate Device Admin for the malware, they will fail because the Trojan will have registered a call-back function to reactivate the privileges when removal is attempted.

There’s more, this locker also attempts to kill running AV processes when the user tries to deactivate its Device Admin rights. The Trojan tries to protect itself from three mobile anti-virus applications which include ESET, Avast and Dr Web as well as the com.android.settings which prevents standard uninstallation through the application manager.

ESET state that its own self-protection mechanisms will prevent the malware from removing this vendor’s AV. Software.

Distribution of this malware

This Ransomware pretends to be an app for viewing adult/porn videos. In all cases, the application calls itself “Porn Droid”, giggity. 75% of so far infected devices have originated from the US; this is because malware coders are attempting to attack citizens of the US with the aim of collecting bigger payouts.

Unlocking the device

The only way to unlock your device without implementing a factory reset is to root your device; the user can connect to the device by ADB and remove the file where the PIN is stored. For this to work, the device needs to have debugging enabled otherwise it’s not possible (Settings -> Developer options -> USB Debugging) before using the commands

> adb shell
> su
> rm /data/system/password.key

The only crumb of comfort is that you cannot download this malicious app from the official Google Play Store, ESET recommends keeping your mobile AV software up to date if you have one. If not, be careful what you download, if you stick to official routes and be cautious of both unknown and suspicious apps which purport to be too good to be true. Back up any sensitive data and always update legitimate software, tech is becoming more advanced and so are the attackers.

Thank you eset for providing us with this information.

Image courtesy of xperiaseries

Hackers Want to Make You Play ‘Doom’… on an ATM!

Normally when you hear about hackers and ATMs, you think of someone attempting to steal your credit card details or make the machine spit-out some bills. This time however, it is more fun than drama, since you can get to see how a game can be played on an ordinary ATM.

An Australian hacker named Ed Jones, who also goes by the name of Aussie50, has posted a YouTube video which shows how he is kicking off in ‘Doom’ on the ATM machine. He is stated to give some credit to his partner, Julian, who is said to have sorted out “the software, wiring and logic side”.

There are a lot of questions surrounding the achievement, such as where did he acquire the actual ATM from or, most commonly, will we able to play games on ATMs in the future. Nobody has those answers at present, but the real question is: Does it matter? No, mainly due to the fact that you don’t get to see this everyday. I mean, who doesn’t want to play Doom on an ATM?

[youtube]https://www.youtube.com/watch?v=PW5ELKTivbE[/youtube]

There have been discussions on Ed’s YouTube channel about turning the PIN pad into a controller and using the side panel to select weapons, while also discussing about making the receipt printer into a high-score note to keep after you finish your game session.

When talking about modern games, such as Minecraft for example, Ed pointed out that it is physically impossible to get them running on ATMs, mainly due to the fact that it lacks the performance needed to run them. While he can ‘upgrade’ his customized ATM if he wanted to, that would mean he would have to change about every OEM component found in the ATM.

“I could upgrade the hell out of it and play modern games, but that defeats the purpose of using all of its OEM (original equipment manufacturer) hardware with minimal modification. It lacks a PCI-E slot, so a subtle video card and RAM upgrade is not possible,” Ed stated.

Ed is stated to be thinking of introducing a coin mech below the card reader, which wouldn’t be such a bad idea. A ‘re-invention’ like this could make old games such as Doom popular again and accessible almost everywhere. Julian and Ed are not at their first wacky invention yet. They have been stated to have made Doom available previously on a LED billboard.

[youtube]https://www.youtube.com/watch?v=PxIGuMif1Nk&list=UUlSOZJ7swsJqRadXieu1nlQ[/youtube]

Thank you Mashable for providing us with this information

Hackers Can Get Your Wi-Fi Password By Simply Hacking Your Smart Lightbulbs

Though everyone wants to bring a variety of ‘Internet of things’ products on the market, from microwaves, to refrigerators, and even light bulbs, not everyone thinks about the bad side of all this. This means that, despite everything linking to your local area network, not everything connected is currently secure. This is how some engineers over at Context uncovered a way to hack your network through smart lightbulbs.

LIFX, the company making the actual light bulbs in question and their software, have not released the 1.1 version to the public, making it harder for hackers to fiddle with it. Even so, the Context engineers have apparently removed the microcontroller embedded inside each bulb and connected different JTAG pins ti special debugging hardware in order to monitor the signals sent when the light bulbs were added or removed to the network.

The company has quickly responded to the engineers’ findings, having to release LIFX software version 1.3, which is stated to encrypt all 6LoWPAN traffic using an encryption key derived from the Wi-Fi credential while also including functions for secure processing when new bulbs join a network.

Though people might think they are missing out if their household appliances are not connected to the network, security breaches such as this one still reminds us that not everything should be linked to the internet, at least not yet. The big names in the tech industry, namely Microsoft, Apple and Google, have devoted large amounts of resources to ensure their devices are secure and stay that way. Even so, breaches are still inevitable from time to time.

Thank you Wired for providing us with this information
Images courtesy of Wired

Motorola Touchless Control App Can Unlock Your Phone By Speaking Out Your PIN

Have you ever wanted a device that will listen to you even when it is locked? There are times when your phone’s voice commands are useless as you still have to unlock your device before using them, and that is not at all possible if you are doing something that requires both of your hands. But look no further, because apparently Motorola has recently introduced a new update to its Touchless Control app over on Google Play, which would ensure that your smartphone will be more versatile even when it is in a locked state, as extra Google Now commands should now be able to jive with your smartphone when it is idle and locked.

You will be able to unlock your PIN simply by speaking it out, and Touchless Control will do all the rest. A new tone is also introduced when you say “OK Google Now.” Apparently, this particular update does seem to be made available only to devices that have Android 4.4 KitKat as the operating system of choice, which pretty much rules out the recent DROID family, at least until Motorola and Verizon do something to remedy that situation soon.

Unlocking your phone using your PIN is not really practical, especially in a crowded place. I mean you have a PIN for a reason, otherwise you would just say something like “Phone Unlock”. We hope that Motorola will update the feature soon and maybe add a feature to unlock the phone with a specific phrase rather than use your PIN.

Thank you Uborgizmo for providing us with this information
Image courtesy of Uborgizmo

Google Announces The Availability Of Google Wallet Debit Cards

It looks like the Google Wallet Card has been officially released. The prepaid debit card lets Google Wallet users make payments with their Wallet balance at ATMs, banks, and any business that accepts MasterCard Debit. You can request your own card as long as you’ve verified your identity, and Google says it should arrive within 10 to 12 days. Shipping is free, and there are no activation fees to get started with the card. From there, the Google Wallet Card can be used for purchases both online and in physical stores just like any other debit card, and you’re also able to withdraw cash from ATMs nationwide.

Your Wallet security PIN doubles as the debit card’s PIN when buying things, and Google has set a maximum limit of spending per day to $5,000. The Google Wallet Card was rumored to arrive earlier this year, but reports say that the project was put on hold by CEO Larry Page.

Thank you The Verge for providing us with this information
Images courtesy of The41st

Researchers Found A Way To Use The Smartphone Camera To Figure Out PINs

It appears that researchers have found a way to figure out what personal identification number someone is typing into their smartphone by using the device’s built-in cameras and microphones to secretly record them. Security researchers at the University of Cambridge detailed how they exploited the smartphone’s camera and microphone to detect PINs and gave some suggestions for making this type of hack more difficult.

First, the microphone detects that a person is entering a PIN. On many apps, the device will vibrate each time a number is tapped. That vibration creates a sound that is picked up by the microphone, which lets the malware know that a “touch event” is happening. In this case it is the entering of a secret PIN. Then the camera takes over.

The camera isn’t looking for reflections in your eyes or triangulating what numbers you’re looking at while typing in the code. The researchers use the camera to detect the orientation of the phone and determine where the user’s finger is on the screen. On-screen keypads typically display number in a standard order, so if the program can tell where a finger is tapping on the screen based on how the person is holding it, it can deduce what number is there.

This type of malware doesn’t exist in the wild just yet. The PIN Skimmer program was created by Cambridge’s Ross Anderson and Laurent Simon. The idea is to identify potential security holes before they can be exploited by criminals. In tests, the PIN Skimmer had a 30% success rate detecting four-digit PINs after monitoring a few attempts, and that number went up after it grabbed information over five tries.

In their example, researchers assume people are holding their phones with one hand and typing in numbers with their thumb. The malware captures some photos and a few seconds of video and uploads them to a remote server, evading detection by hiding any data usage charges by possibly waiting for the phone to have a WiFi connection. Depending on the phone, it could take some additional precautions like disabling any LED light that would let a person know their smartphone camera was recording. The researchers tested the program on the Galaxy S3 and Google Nexus Android phones.

Security researchers have warned that criminals could use other phone sensors like the accelerometer and gyroscope to puzzle out what someone is typing. It looks like the predictions are becoming facts and that nothings is as secure as it seems.

Thank you CNN for providing us with this inforamtion