WebProNews

Tag: hack

  • Hacker Boasts of Massive T-Mobile Data Breach, Company Investigating

    Hacker Boasts of Massive T-Mobile Data Breach, Company Investigating

    A hacker is claiming to have obtained data for some 100 million T-Mobile customers and is trying to sell it.

    In a forum post online, a hacker claims to have compromised T-Mobile servers and made off with a treasure trove of customer data. While the post itself didn’t specify the company, Motherboard reached out to the hacker and received confirmation the target company was T-Mobile.

    The data in question is allegedly full customer information, including names, addresses, social security numbers (SSN), phone numbers, driver license information and unique IMEI numbers. Motherboard was given access to a sample of the data and confirmed its validity.

    It appears T-Mobile has closed the security issue that allowed the hackers access, but not before they copied the data and made multiple backups. The hacker(s) is trying to sell a subset of the data, composed of 30 million SSNs and driver licenses, for 6 bitcoin, or roughly $270,000. The rest of the data is being sold privately.

    Motherboard reached out to T-Mobile and received the following statement:

    “We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.”

  • Garmin the Latest Victim of Ransomware

    Garmin the Latest Victim of Ransomware

    GPS company Garmin is the latest high-profile organization to be the victim of a major ransomware attack.

    Garmin’s customers experienced widespread outages, with some having far-reaching consequences. For example, pilots that rely on flyGarmin lost the ability to download up-to-date aviation information, effectively grounding them unless they could use an alternative option.

    The company has said “it was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation. We have no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.”

    Beyond that, Garmin is not disclosing many additional details, including whether they paid the ransom or were able to begin decrypting their systems through other means. In fact, Garmin is only describing the incident as a “cyber attack” although, as the BBC points out, multiple outlets have confirmed it was indeed a ransomware attack.

    Garmin says its services should be up and running within a few days, although there may be some delays as the company catches up on the information backlog.

  • Ashley Madison Hack Might Be a Hoax?

    Ashley Madison Hack Might Be a Hoax?

    The Ashley Madison hack has put the fear into some people who believed that the company’s “have an affair” offer was safe from prying eyes. When hackers claimed they had collected info on thousands of Ashley Madison subscribers, people scrambled to think up excuses, cover their tails, and figure out how to combat the impending fights with spouses.

    Hackers released two names as proof that they had the list they threatened to have. One was an American from Massachusetts, the other was Canadian, from Mississauga.

    “Sometimes, you’re just curious, looking for friends,” the Mississauga man told the Toronto Sun when asked about his Ashley Madison activity, “but then it doesn’t necessarily appeal to you. I haven’t been on the site in a long, long time. It is a stupid (website). You go just to see what is out there. It was pretty much a waste of time … to join.”

    The American has not spoken to the press about his Ashley Madison account.

    So far, only two names have been verified. The rest are on a supposed list. One Christian website in French published a partial list of 5,000 names said to be culled from the larger list.

    However, as one commenter on Reddit pointed out, something is amiss with that list.

    “I will say that I googled some of the less common names (or those I perceived to be more unique). Hardly any of the search results turned up actual people. I would think that those digitally savvy enough to go looking for an affair on a website would also likely have a Facebook account, twitter, instagram, LinkedIn, etc. 8 out of 10 turned up only around 4 pages of results, with many of them being the names of people deceased LONG ago.”

    Now folks are starting to wonder if these Ashley Madison hackers may have just gotten their hands on two names, released those as “proof” they had more, and put the fear into many people. Maybe there isn’t actually anything to worry about?

  • Ashley Madison Victims Are Discussing How To Handle Fallout

    Ashley Madison Victims Are Discussing How To Handle Fallout

    Ashley Madison users are nervous. When the famous infidelity website — with the motto “Life Is Short. Have An Affair” — was reportedly hacked. Thousands upon thousands of people had a very bad day. Questions were racing around the Internet, this time as anonymously as possible.

    What if my spouse finds out I had an Ashley Madison account, even if I never did anything else?

    What was hacked? Credit card info? Messages passed back and forth on the site? Just user names?

    Even people who have never used Ashley Madison at all were wondering what the hack might portend for society,

    What could be done with the data that was taken? Could it be used to compromise people in sensitive positions?

    The same sort of questions that the Ashley Madison hack raised were floated when Adult Friend Finder was hit back in May.

    While there have been lots of news stories about the hack of Ashley Madison, there have not been many suggestions for persons fearing for their privacy. The usual topics about watching out for phishing schemes and such — useful for any data breach — are common.

    But what if you know your life would be completely turned upside-down if your membership in Ashley Madison were found out? What suggestions are out there for you? Indeed, many seem to be snickering at the “just desserts” people who took Ashley Madison up on its offer are being threatened with getting.

    So these guys had to band together, gather what info they could, and come up with a plan. To that end, there was a “mega thread” started on Reddit, compiling as many of the smaller discussions that had sprung up as they could. Some of the observations and suggestions passed in those comments may prove to be useful or helpful to those worried about the Ashley Madison hack.

    One commenter heavily encouraged joining a class action suit against Avid, owners of Ashley Madison.

    I chatted with a great internet privacy lawyer, nationally known, who is taking my case. Engaging her Monday, so she will be in contact directly with AM corporate and legal. Fuck their customer service. I am going to sue the living sh*! out of Avid. This makes me feel alot better. I assume you all are in on this class action? I kid not, this is for real. This is the only power that we, the VICTIMS, have in this situation.

    Another suggested that, if the worst happens, everyone maintain a front of denying it still.

    Everyone needs to stop sweating. Even if it comes out there will be 1 and 10 people in North America on it. Lie. You’ve been lying all along and deny til the very end. Say the list is fake and trolls are using it for extortion. The list was manufactured from social media and your credit card number was stolen and you didn’t notice. Play this shit off til the very end. If you weren’t physically caught cheating it’s pretty hard to prove. Even your pictures can be stolen from social media. Unless of course messages come out and they are personal. Then you’re fucked. But until then enjoy everyday not being caught.

    But one of the most insightful responses to the Ashley Madison hack was the idea that fake name lists should be put out, including peppering such lists with viruses.

    The only way to stem the spread through normies, is if fake lists with malware/viruses are distributed. This will make most hesitate.

    If a legitimate list exists, having the static and overlap of many fake lists might mitigate the damage, make it deniable. If even viewing a list is seen as dangerous because of virus booby traps, then maybe few would even look at the lists.

  • Snapchat Photo Hack, If Real, Wasn’t Snapchat’s Fault (Says Snapchat)

    Photos taken and transmitted via Snapchat may or may not have leaked on Thursday, but if they did, Snapchat assures you that its servers were never breached and it’s the fault of unauthorized third-party apps.

    Early Friday, Business Insider reported on “The Snappening”, a supposedly massive Snapchat hack that includes upward of 200,000 photos. The hack was reportedly organized and disseminated on 4chan, with databases of the stolen photos popping up online.

    Apparently, the leak has been in the works for some time.

    Snapchat has responded, blaming banned third-party apps for the security breach.

    “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed,” said Snapchat.

    Reports vary, but apps like SnapSave and SnapSaved.com are said to be the culprits. These both allow Snapchat users to save photos – something the regular Snapchat app prohibits. Business Insider points out the SnapSaved.com now redirects to a Danish e-commerce site. That’s obviously a bit fishy.

    The initial report of “The Snappening” seems to have originated from a blog run by a guy named Kenny Withers, who claims to be a social media marketer. He posted some of the nude images, and well as various 4chan threads concerning the leaks.

    So, is this a real leak? Some have their doubts. This reddit thread pretty much sums up those doubts – mainly that most of these so-called “leaked” images have existed for some time and that if anything, this could be another attempt to make 4chan look bad in the wake of the celebrity nude leak “The Fappening”.

    But Snapchat’s statement carries an air of certainty regarding there at least being some sort of breach – even if the company isn’t taking responsibility for it.

    If hundreds of thousands of Snapchat photos were in fact stolen from a third-party app, there’s likely a ton of images of underage users – which poses its own set of problems apart from the general theft of private photos. We’ll update when we learn more about the alleged leak, but in the meantime, if you use Snapchat, you might want to be extra careful about the third-party apps you use.

    And for Snapchat, this is a bad time to be embroiled in a security scandal.

    Image via Snapchat, Twitter

  • Home Depot Data Breach Affected 56 Million Cards

    The world’s biggest home improvement store has just given us the specifics on the lengthy data breach it confirmed a little over a week ago.

    According to the company, the attack put 56 million credit cards at risk.

    “Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners. The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards,” said Home Depot.

    The attack was carried out from April to September.

    The company assures customers that the malware has been identified and eliminated. Also, its beginning to employ “enhanced encryption” measures.

    “We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”

    The breach, the biggest and most high-profile hack on a retailer since Target was attacked last year, affects customers in the US and Canada. Home Depot says it doesn’t believe any debit PIN information was compromised.

    Image via Wikimedia Commons

  • Kris Jenner Impersonated And Threatened

    Kris Jenner Impersonated And Threatened

    While a number of celebrities were having their phones hacked and their naked photos stolen, Kris Jenner was also being hacked, but for another purpose.

    In July a tape turned up that allegedly contained a recorded conversation between a gossip blogger named Jacky Jasper and a woman he identifies as Kris Jenner.

    The tape is over an hour long and allegedly captures Kris cursing and saying a lot of racist comments. Kris denied the tape and insisted that she had been hacked and impersonated.

    Although her story sounded like a lame excuse, the FBI began investigating the tape and found out that Kris had indeed been hacked and that she wasn’t the voice on the tape.

    The hacker was able to hack into Jenner’s iCloud account and mimic her voice. The hacker also made reservations at restaurants and sent photos, emails and texts from Jenner’s account.

    Things got so bad that Jenner started receiving death threats related to the hack and material that was being shared by the hacker.

    On Friday the FBI raided a Four Seasons hotel room and seized electronic equipment they think was used in the attacks. They also served a warrant to the suspect, an unnamed women.

    The woman claimed that she was innocent and was letting someone else use her computer for the last few months and that was the person who had sent the death threats to Kris.

    “On Friday morning I was asleep in my hotel room when I heard a knock on the door. I asked who it was and they said FBI,” the woman told Radar of the terrifying event. “I opened the door and was told to turn around, and was handcuffed, facing 12 agents with guns pointed at me,” the suspect said.

    “They told me they’d been tracking me and had been building a case. They asked who certain people’s cars were and about people they’d seen me with,” the alleged perpetrator said and added that “I told them it was someone I let use my computer and laptop a lot over the course of eight months.”

    The woman is working with the police to find the person behind the death threats.

  • Identity Theft Could Soon Be A Reality For eBay Users

    Identity Theft Could Soon Be A Reality For eBay Users

    Identity theft is a constant concern for those who entrust their personal information to Internet companies. Now millions of users are at risk following a massive cyber-attack that recently hit eBay.

    Last week, we reported that eBay was hit by a massive cyber-attack when hackers broke into the company’s database that hold customers’ personal information. While no financial information was taken, customers’ email addresses, passwords and physical addresses were exposed. Skilled hackers can use this information to gain access to more personal information through social engineering tactics.

    As with most major cyber attacks, eBay can’t do much now that the damage is done. What it can do is ask that its customers change their passwords:

    EBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.

    Unfortunately, the hackers didn’t just take user information. Ebay reports that that the hackers also took some employee log-in credentials. There’s no indication that this information was used to access databases that may contain more sensitive information, but eBay is working with law enforcement to bring in those responsible.

    As you can imagine, people are not pleased with eBay at the moment. Much like the Target hack of last year, Attorneys General from various states are now opening up investigations to see if eBay could have done more to protect user information. The Attorneys General will also be looking into how eBay is planning to prevent future attacks.

    “My office will be looking into the circumstances surrounding this breach as well as the steps eBay is taking to prevent any future incidents,” said Connecticut Attorney General George Jepsen. “However, the most important step for consumers to take right now is to change their password and to choose a strong, unique password that is not easily guessed.”

    Image via Wikimedia Commons

  • Target Tech Chief Resigns Following Massive Data Breach

    Target Tech Chief Resigns Following Massive Data Breach

    The chief information officer (CIO) of Target Corporation has turned in her resignation following months of a devastating data breach.

    Since 2008, Beth Jacob served as executive vice president of technology services and chief information officer of the retail company. She first started out as an assistant buyer at a store division in 1984. Then, in 2002 she became the director of Target’s contact centers.

    Most recently, Jacob played a major role in overseeing the company’s latest futuristic technology lab in San Francisco.

    According to the Los Angeles Times, Chief Executive Gregg Steinhafel confirmed in a statement Wednesday that they are now looking for a new interim CIO who can “guide Target through this transformation.”

    Target announced during the holidays that “40 million payment card accounts were hacked during the pre-Christmas shopping season, and added later that about 70 million customers may have also had their addresses, phone numbers and other information compromised.”

    Most customers believed that the one to blame for the breach is Jacob.

    Here is an interview featuring Jacob in January 2013:

    Some experts feel that her resignation may have been in response to the ever-changing roles that a CIO has to conform to daily. Not only does the public expect them to supervise technology, but also the security of the company systems now that data hacking is gaining momentum.

    Jacob apparently left because she felt that it was “time for a change,” but some assume that her departure was definitely provoked by public criticism.

    “People are questioning Target’s security and she was the fall guy,” said a New York-based retail consultant.(image)

    Target’s data theft is reportedly the most notorious scandal ever witnessed in retail history.

    “To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target,” he said in a statement, according to the Los Angeles Times.

    The corporation is currently working with Promontory Financial Group, which will help them move forward with a $100 million technology and infrastructure renovation. Target plans to implement payment cards designed with encrypted chips. The company expects this new system to improve future security within their information database.

    The company continues to suffer from a decline in consumer loyalty. Since last week, they have witnessed their profits fall 46 percent and their revenue by 5.3 percent.

    Target’s hacking expenses cost the corporation $61 million, but they’re hoping that insurance will cover most of it.

    Here is Steinhafel’s full statement tweeted by a FOX TV reporter:

    Image via YouTube

  • ATMs Hacked With USB Drives for Cash

    The BBC is reporting that hackers have found a way to get Automatic Teller Machines (ATMs) to spit out cash, and even have systems worked out that allow them to return to the same machines over and over again to continue draining them of bills.

    Details of how the hackers were pulling off the cyber-heists were presented at the Chaos Communication Congress in Hamburg. Apparently, the activity was the work of gangs, but required detailed knowledge of how the machines worked.

    Gang members would approach an ATM, cut a hole in a particular spot, exposing a USB port. They would then plug in a USB stick that contained a batch file that launched and displayed information on the ATM screen. Using a 12-digit code, the hacker would determine how much money was in the machine, and in what denominations. They would then proceed to command the machine to spit out only the largest-denomination bills, apparently to minimize their time in front of the machine, thus exposing them to potential arrest.

    One interesting twist to how the hackers operated was that they instituted a two-step coding process that required the member at the ATM to call another member to process a second input number. Thus, no gang members could go solo and empty ATMs all over town without the knowledge of other members.

    When the cyber-heist was over, members would patch up the hole they had cut, hiding evidence of their crime, but also allowing them to return to the same machine on other days, remove the patch, and plug in more quickly this time.

    So far, no arrests have been made in the crimes.

    Image via ThinkStock

  • Senator Thinks Smart TVs Might Be Watching You

    Smart TVs are incredibly easy to hack. In a report from last year, hackers had discovered an easy exploit in Samsung Smart TVs that allowed them to take control of the camera and spy on the owner of said TV. A similar hack has one Congressman very concerned.

    Sen. Chuck Schumer wrote a letter to television manufacturers earlier this week detailing his concerns regarding the security of smart TVs. He points to an exploit shown off at Black Hat USA last week in Las Vegas that allowed hackers to remotely take control of the microphone and camera in a smart TV. In response to this revelation, he asks TV manufacturers to work on security in smart TVs.

    “You expect to watch TV, but you don’t want the TV watching you,” said Schumer. “Many of these smart televisions are vulnerable to hackers who can spy on you while you’re watching TV in your living room. Our computers have access to firewalls and other security blocks but these televisions do not and that’s why manufacturers should do everything possible to create a standard of security in their internet-connected products.”

    Some might scoff at Schumer’s concern since smart TVs aren’t exactly flying off store shelves. That might not be the case for much longer, however, as Gartner predicted in late 2012 that most TVs will be connected to the Internet by 2016. That doesn’t necessarily mean that these TVs will have cameras and microphones, but they can still be accessed remotely by hackers. What if TVs start to store transaction data locally for when viewers buy movies or TV shows? A simple hack could lead to identity theft on a grand scale.

    Schumer’s main concern may be hackers spying on consumers, but I would argue that the above scenario is a far more pressing issue. Hackers would really have no interest in seeing what you’re doing in your living room. They’re far more interested in the information that may be stored on the television, and security standards should be updated to prevent that data from being stolen.

    Here’s the letter Schumer sent to television manufacturers in full:

    Dear Television Manufacturer,

    I was disturbed to read recent reports of hackers exploiting new features in television sets in order to break into the home entertainment systems of users and spy on unsuspecting channel surfers. For a TV to secretly function as a spycam would violate a fundamental expectation of privacy in the American home.

    As technology has advanced in recent years, we are connected in ways that were previously unimaginable. Televisions now have Wi-Fi, cameras, and other features similar to those of a computer, and are able to complete new and exciting tasks: surfing the internet, making calls, streaming videos and more. These advances can dramatically improve the viewing experience of the American consumers. What has not changed, however, is that Americans expect that when they turn on the television they are in the safety and privacy of their home or office, and not being spied on by hackers.

    With these expanding features, televisions must include additional security measures. I would ask that you, as the leading producers of televisions in the United States, work to adopt a uniform set of safety and security standards so that hackers cannot break into our TV’s. It is imperative that we protect people that purchase televisions with these features from being hacked or spied on, and possibly divulging information they do not desire to.

    I look forward to hearing from you on this important issue.

    Sincerely,

    U.S. Senator Charles E. Schumer

    [h/t: The Hill]

  • Developer Works Around Google Glass Restrictions With Custom OS

    Google Glass has a lot of potential, but some may feel that Google is squandering said potential with its heavy handed regulation. The company has already banned porn and facial recognition apps from being developed for the device. Before Google can ban more capabilities, one developer wants to free Glass from Google’s reach.

    NPR reports that Stephen Balaban, a developer out of San Francisco, has re-engineered his Google Glass with a new operating system. Unlike Google’s OS for Glass, Balaban’s OS allows any and all kinds of apps. His end goal is to create an OS that “runs on Glass but is not controlled by Google.”

    Balaban is creating the custom OS because he’s already run afoul of Google’s policies when his employer, Lambda Labs, tried to submit a facial recognition app. Instead of just packing up and going home, however, he decided to create a custom OS that would let developers do anything with Google Glass.

    Balaban’s heart is in the right place, but some people are not going to be very happy about it. Google is already dealing with accusations that Glass in its current state is a massive infringement of privacy, and custom operating systems will only make Glass critics even more worried.

    In fact, Congress has even started to ask questions regarding what Google intends to do to protect privacy in the age of Glass. A custom operating system would make Google’s efforts to regulate Glass a moot point, and Congress could take that as an excuse to regulate the hardware. Google certainly doesn’t want that, and the people making custom operating systems don’t want that either.

    We’re still months away from Google Glass’ public debut. Before that, Google can work with its developer partners to find a way for Glass to protect privacy while letting developers go nuts. Whether that means Google relaxing its policies remains to be seen, but it couldn’t hurt.

  • Have A Uplay Account? You Might Want To Change Your Password

    If you play any Ubisoft game on the PC or consoles, you probably have a Uplay account. It’s required on the PC and console gamers get perks for signing up for the service. In short, there are potentially millions of people with Uplay accounts, and those accounts were recently compromised.

    Ubisoft announced today via its blog that it was recently the victim of – for lack of a better word – a hack. They found that some information had been taken by the attacker, but thankfully no payment information was present on the compromised server. Here are all the details:

    We recently discovered that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close this off and to begin a thorough investigation with the relevant authorities, internal and external security experts, and to start restoring the integrity of any systems that may have been compromised.

    During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. It’s important to note that no personal payment information is stored with Ubisoft, so fortunately all credit/debit card information was safe from this intrusion.

    For now, Ubisoft encourages all Uplay members to change their passwords right away. If not, the attacker, or anybody they sell the information to, could gain access to your account. You may not think you have much information stored on your Uplay account, but it may just house important details like your phone number or address. Such information could be used to lure more people into phishing scams and other cybercrimes.

    To change your password, hit up the link here. You might also want to change your password for other services that use the same password.

    [h/t: PCMag]

  • Hacker Group Claims To Have Cracked Wii U’s Security

    Like every console before it, the Wii U will eventually be hacked and people will use that hack to play pirated games on the console. The challenge comes in the form of actually hacking the console to allow this functionality. One group claims to have done it, and will soon be selling their secret to the world.

    Wiikey, a group that sells mod chips for the Nintendo Wii, have announced the WiikeÜ. Like the mod chips before it, this soft mod for the Wii U allows gamers to play Wii and Wii U games off of any USB media. The official line is that gamers can use this mod chip to play backups of Wii U games, but most would obviously use it to play pirated Wii U titles.

    Some are calling shenanigans as the group has yet to provide any proof of the exploit. The group says it’s real though, and will be selling the USB emulator in the near future to allow others to hack their Wii U consoles.

    So, what does Nintendo have to say about all of this? The company takes a hardline against piracy so it shouldn’t come as a surprise that Nintendo is watching this very closely. In a statement to Ars Technica, Nintendo said it’s “aware that a hacking group claims to have compromised Wii U security.” That being said, the company has “no reports of illegal Wii U games nor unauthorized applications playable on the system while in Wii U mode.” Nintendo finished up its statement with a classic by saying that it “will take the necessary legal steps to prevent the facilitation of piracy.”

    If the Wii U is anything like the Wii, the system’s security will be constantly compromised during its lifetime. Of course, this will only lead to Nintendo issuing more frequent mandatory system updates to patch security holes that only serve to annoy legitimate customers while doing nothing to stop those hellbent on playing games off disc.

  • Google Glass Already Jailbroken, Could Be Used For Nefarious Purposes

    Google Glass really freaks some people out. Those people are understandably concerned that those wearing Glass could be secretly recording their every move. There are some obstacles programmed into Glass to prevent this, but it might not be for long.

    ZDNet reports that a hacker by the name of Jay Freeman has already jailbroken Glass. The jailbroken Glass can be used to bypass a number of obstacles that prevent Glass from becoming the surveillance tool of the future.

    The big thing is that hackers can remove all indication that Glass is recording video. In the vanilla OS, Glass will show the video as it’s recording on the glass prism above the eye. If a person was close enough, they could tell that Glass was recording video. Freeman says that Glass’ OS can be modified to remove this so that you can record video while everybody is none the wiser.

    Of course, you couldn’t record minutes of footage as the current Glass only allows video recordings of up to 10 seconds. Oh wait, that’s controlled by the OS as well so you could bypass that limitation to allow unlimited video recording. Glass only has 12.5GB of embedded flash memory though so there’s not much space for video.

    That’s where Freeman starts to get creative. He says you can modify Glass to take a picture every 30 seconds while recording low bit rate audio. It takes up much less storage than HD video, but provides what is essentially the same information. Freeman speculates such tactics could be used for corporate espionage or for planning robberies.

    Should you be afraid of Google Glass, especially after all of this has come to light? The short answer is no. The long answer is that Google Glass is just a tool, and like any other tool can be used for good or evil. It doesn’t mean that you shouldn’t be cautious though. Bars, strip clubs and other establishments that make it a priority to protect customer privacy have an obligation to prevent Glass and other recording equipment from being used on their premises.

    It should be noted that we’re still in the infancy of Google Glass. Google may lock down the consumer versions of Glass to prevent unwarranted surveillance on a massive scale. We’ll find out in about a year when Google Glass finally launches.

    [Image: Stop the Cyborgs]

  • Anonymous Hacks North Korea’s Twitter, Flickr Accounts

    Did you know North Korea has a Twitter and flickr account? The nation uses these accounts to spread its propaganda, but recent world events have made the nation’s online presence a target for hackers.

    The Guardian reports that North Korea’s Twitter and flickr accounts have been compromised by hackers claiming to be a part of Anonymous. The reasoning behind the attacks seems to be in retaliation to North Korea’s most recent threat to attack the United States and its allies with nuclear weapons. In fact, one of the images posted on flickr calls out North Korean leader Kim Jong-Un for “threatening world peace with ICBMs and nuclear weapons” among other things.

    Anonymous Hacks North Korea's Twitter, Flickr Accounts

    Other images on the flickr account include an image of the North Korean flag with a Guy Fawkes mask, and a simple “We Are Anonymous” in white text on a black background.

    The Twitter hack is far less entertaining, however, as the only updates to it thus far have been multiple messages that say “hacked” while linking to North Korean Web sites that have been taken down by Anonymous.

    Unlike other recent hacks, I doubt that North Korea will try to wrestle away its accounts from Anonymous. I highly doubt that Twitter and flickr are in the mood to help them get the accounts back either.

  • Hackers Obtain Xbox Live Accounts Owned By Microsoft Employees

    Hackers Obtain Xbox Live Accounts Owned By Microsoft Employees

    Xbox Live is generally seen as pretty secure – at least more so than others. The service has never been taken down by hackers, but it has seen its fair share of account hacks.

    Ars Technica reports that Xbox Live accounts belonging to former and current Microsoft employees have been hijacked by hackers. It’s suspected that those responsible may belong to a group of hackers going by the name of Team Hype. The group reportedly has a history of obtaining Xbox Live accounts and selling them to other players.

    To Microsoft’s credit, the company confirmed the hijacking with Ars Techinca, and said it is working on a solution:

    “We are aware that a group of attackers are using several stringed social engineering techniques to compromise the accounts of a handful of high-profile Xbox LIVE accounts held by current and former Microsoft employees. We are actively working with law enforcement and other affected companies to disable this current method of attack and prevent its further use.”

    Unfortunately, there may be more account hacks on the horizon as a Microsoft Entertainment Awards Facebook app accidentally revealed account information for nearly 3,000 Xbox Live members. No passwords or other critical information was leaked, but the information that was revealed could be enough to obtain more through social engineering.

    In this case, the best thing you can do is change your Xbox Live account password if you happened to use the Xbox Entertainment Awards app earlier this week. You should also be wary of any messages sent over Xbox Live asking for your password of other personally identifiable information.

  • Just Disable Java Already: Plugin Hit With Third Zero-Day Exploit This Year

    Just Disable Java Already: Plugin Hit With Third Zero-Day Exploit This Year

    Oracle has had a busy 2013 so far as it has scrambled to fix dangerous zero-day exploits found in its Java browser plugin. The company will have no rest, however, as security researchers have found more exploits.

    Security research firm Security Explorations reported two new zero day exploits hit Java on February 25. Since then, the company has provided a number of updates on the progress its made with Oracle to patch these security holes:

    25-Feb-2013

  • Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issues 54 and 55).
  • Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
  • Oracle provides a monthly status report for the reported issues. The company informs that Issue 51 is under investigation / being fixed in main codeline. The report does not mention Issues 54 and 55 yet.
  • Oracle provides tracking numbers for Issues 54 and 55, but claims they are still not confirmed.

    • 27-Feb-2013

  • Security Explorations asks Oracle whether it needs any assistance in running the received Proof of Concept Code or whether a confirmation of reported vulnerabilities from a 3rd party such as US-CERT would be helpful for the company. Security Explorations informs Oracle that it expects a clear confirmation or denial of Issues 54 and 55 (in the past, reception of tracking numbers from Oracle was equivalent to the confirmation of a given report).
  • Oracle provides the results of its assessment and informs that Issue 54 is not a vulnerability (it demonstrates the “allowed behavior”). The company confirms Issue 55.
  • Security Explorations disagrees with Oracle’s assessment regarding Issue 54 and provides the company with its arguments. Security Explorations demonstrates to Oracle a corresponding sample of “allowed behavior” of Issue 54 that leads to a denied access and a security exception.

    • 28-Feb-2013

  • Security Explorations provides Oracle with another example illustrating denied access for a similar condition as Issue 54. The company asks Oracle whether it still considers Issue 54 as a non-vulnerability demonstrating the “allowed behavior”.

    • The issues referenced above – 54 and 55 – can apparently be combined to “gain a complete Java security bypass in the environment of Java SE 7 (Update 15).” Issue 54 is being labeled by Oracle as a non-issue, but issue 55 has been picked up for further investigation.

    This latest discovery only further stains Java’s reputation as it has not only been exploited twice in the past two months, but said exploits led to major firms like Apple and Facebook being hacked. Granted, Oracle can’t predict every new exploit that comes its way, but you would think it would be more thorough before releasing updates.

    So, what can you do to prevent any Java-based attacks? It’s rather simple really – just disable Java. Firefox automatically disables it for you, and it’s easy enough to disable on other browsers as well.

    [h/t: ZDNet]

  • Anonymous Hacked By Rival Hacker Collective

    Over the past few days, a number of high profile brands and people have had their Twitter accounts hacked. Burger King was the first to fall victim to the hacks with Donald Trump’s personal account following a day later. Now the latest victim is connected with the group responsible for the hacks.

    BBC News reports that the popular Anonymous Central Twitter (@Anon_Central) was hacked by a rival hacker group known as Rustle League. The Twitter feed was forced down, and now the account is starting from scratch.

    While this was going on, most of the dramas was taking place on the fellow @Anon_Central Twitter. Some were saying that a fight between rival hacker collectives was wonderfully entertaining, but most were asking the two groups to work together instead of fighting amongst themselves.

    Of course, some people find the idea of Anonymous getting hacked to be scary in and of itself:

    It should be noted that not all hackers are related to Anonymous, and some really hate Anonymous. In this case, it seems that Rustle League was in it for the “lulz.” There might be cases in the future, however, where rival hacker collectives take things to serious new levels by posting personal information on those involved in each group. For hackers veiled in anonymity, that would be the worst possible thing.

  • Update Flash Now: Abobe Just Patched Two Security Holes

    Update Flash Now: Abobe Just Patched Two Security Holes

    Java and Internet Explorer have both been rocked with some pretty nasty zero day exploits earlier in the year, but they’re not the only software that gets hit with exploits. Adobe’s Flash is frequently targeted by hackers as well, and said hackers have been having their way with it recently thanks to two zero day exploits.

    Computer World reports that Adobe has issued a patch ahead of schedule that fixes the two zero-day exploits that hackers were using to hijack Windows PCs and Macs. Here’s the report from Adobe:

    Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.

    Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

    If you don’t want to be hit by something that nasty, you might want to update to the latest version of Flash now. Most Flash users probably have automatic updating turned on, however, and won’t need to worry as the update will take care of itself. For those who do not, you’ll want to download the latest version from Adobe’s Web site.

    There might be other zero-day vulnerabilities floating around in Flash for hackers to find and exploit users with. Always stay on guard and only use Flash on trusted Web sites. You can do this by installing a plugin that disables any Flash content from automatically playing unless you authorize it. This technology is built into Firefox. Chrome users can grab the popular FlashControl extension here. If you’re using Internet Explorer, especially IE8, you should probably just stop.

  • Turns Out Anonymous Did Hack Into The Federal Reserve

    On Sunday evening, Anonymous leaked over 4,000 banker profiles it claimed to have stolen from the federal reserve. The information contained names, addresses, IP addresses, hashed passwords and other sensitive information. Now the federal reserve has confirmed the hack, but says no “critical functions” were affected.

    ZDNet reports that the Federal Reserve sent out notices to affected individuals earlier this week confirming an intrusion on their system. In a statement to Reuters, a spokesperson said the Federal Reserve was “aware that information was obtained by exploiting a temporary vulnerability in a Web site vendor product.” The vulnerability was reportedly fixed, and should cause no more problems in the future.

    Of course, that doesn’t fix the fact that a list containing the personal data of over 4,000 bankers is still floating around the Internet. The Federal Reserve downplayed the hack by telling those affected that their passwords were not compromised. That’s technically true, but there’s still cause for concern.

    Speaking to ZDNet, Jon Waldman, a senior information security consultant for financial institutions, said the hashed passwords included in the leak could be easily decrypted by hackers. The list which contained the information is no longer on the original hacked Alabama Web site, but it’s reportedly being hosted on a Chinese Web site for hackers to get a hold of. Waldman says the existence of this information means that banking executives “will be specific targets of Social Engineering and hacking attacks.”

    It remains to be seen if any of the leaked information has led to attacks on individual banks. Waldman certainly thinks they’re at risk, but you would hope that banks would be wary of any attempts to solicit info after this latest attack.

    We’ll continue to follow the exploits of Anonymous in #OpLastResort. It doesn’t appear that the hacktivist collective is done just yet, and likely has more attacks planned in the coming weeks.

    [Image courtesy Wikimedia Commons]