Something that just hit my inbox minutes ago is from Riot Games, announcing that they've had their US-based servers hacked. The attack didn't hit all of its servers, but just a 'portion' of its US servers.
The hackers were able to access usernames, e-mail addresses, salted password hashes, and some first and last names. Riot Games is also investigating whether approximately 120,000 transaction records from 2011, which contained hashed and salted credit card numbers, have been accessed. The League of Legends developer is contacting the affected players to alert them.
To limit further damage, Riot Games will require players in the US to change their passwords within the next 24 hours. Once that window closes, you'll be automatically prompted to change your password anyway.
Today, Tor began advising its users to avoid using Microsoft Windows at all cost. The advisory comes after the discovery of NSA spying that used malware delivered through a Firefox zero-day vulnerability to gather users' machine names and MAC addresses, which were then sent back to US government servers.
In the ongoing saga of NSA spying, it appears that not even the darknet is safe. Today, reports came in that an exploit has been discovered in the Tor version of Firefox 17 that comes packaged with the Tor browser bundle. An exploit in the browser's code allowed malware to be injected into the system which then beamed the machine's hostname and MAC address back to a remote server in Reston, Virginia.
The vulnerability is only present in the Windows version of the Firefox Extended Support Release 17 browser that was bundled with the Tor Browser Bundle before June of this year. Because automatic updating is turned off in this version, anyone who downloaded the Tor Browser Bundle before June is susceptible to the spying. Tor recommends that users download the new version of the Browser Bundle to stay secure.
With all the recent revelations and allegations about the NSA and other foreign agencies being able to spy on you through backdoors in your computers and through the microphones on your smartphones, tablets, and other mobile devices, it should come as no surprise that your Smart TV may be spying on you as well.
It's no coincidence that all these stories are popping up at the same time: this week the world's largest security conference, Black Hat, took place in Las Vegas, Nevada. Yesterday, two researchers, Aaron Grattafiori and Josh Yavor, demonstrated several vulnerabilities found in the 2012 models of Samsung's Smart TV line. The demonstration took place as Black Hat was wrapping up, and it showed how hackers could turn on the built-in camera, take control of social media apps, and access files stored on the television.
"Because the TV only has a single user," Grattafiori explained in an interview with Mashable, "any type of compromise into an application or into Smart Hub, which is the operating system--the smarts of the TV--has the same permission as every user, which is, you can do everything and anything."
The two researchers discovered these issues back in December 2012 while working for security firm iSEC. They said that they alerted Samsung in January, and the company has since patched these holes via three software updates and on future-generation devices; however, TVs that have not downloaded the updates remain vulnerable.
If you still thought you had privacy after all of the news you've been reading about the NSA PRISM system, or the GCHQ, then you'd be wrong. Very wrong. The Wall Street Journal is now reporting that the FBI has the power to remotely activate microphones in Android smartphones and laptops to record conversations.
This is all coming from a single anonymous former US official, who says that remotely forcing a cellular microphone to listen in on a conversation isn't something new. The FBI used something they called "roving bugs" to spy on alleged mobsters back in 2004, and further back in 2002 they used the roving bugs to keep tabs on supposed criminals using the microphone in a vehicle's emergency call system.
The anonymous US official said that there is a dedicated FBI group that regularly hacks into computers, where they use a mix of custom and off-the-shelf surveillance software which they purchase from private companies. One of the Journal's sources said that the "Remote Operations Unit" will sometimes install software by physically plugging in a USB device, but they can also do it through the Internet by "using a document or link that loads software when the person clicks or views it."
Yesterday, I covered a story about the big chip manufacturers allegedly installing hardware level backdoors into the processors used in all of our PCs. The allegations came from two security industry experts who both claim to have proof of concept demonstrations already. Earlier today, AMD's Michael Silverman contacted me with an official statement on the matter in which he called the allegations "unfounded."
Providing security to users of our processors is a key priority for AMD. We've been incorporating security features into our silicon for many years. There's no reason for the unfounded speculation that has been occurring.
With the Black Hat conference wrapping up today, we will be keeping our eyes open for any whitepapers or proof of concept demos that prove the backdoors exist. I have reached out to both of the security experts for statements as well, but have yet to receive a response. If and when that response comes in, I will be sure to post an update.
The Australian Financial Review has just published a new story that suggests the NSA may have hardware-level backdoors built into current-generation AMD and Intel processors. Leading security expert Steve Blank says that he first caught on to the practice when he noticed that the NSA had access to Microsoft emails before they were encrypted. He says that he would be extremely surprised if the NSA did not have access to a processor microcode-level backdoor on every PC in America.
His reasoning behind the theory is quite simple. The sheer power needed to brute-force AES 256-bit encryption on a single file would be equivalent to "the power of 10 million suns", whereas a hardware backdoor would require almost no effort to enter and would give agents access inside your PC in a matter of minutes. Jonathan Brossard, another expert in the security field, demonstrated this as a proof of concept at last year's Black Hat conference. These backdoors are made possible because they are placed inside the microcode, which is stored on the chip itself and gets updated every time Microsoft, Apple, or any other OS vendor pushes out an update.
According to a new study, the world's GPS system is open to attackers who could hijack virtually any GPS unit and, for example, take control of commercial airliners.
The tools required are simple: a laptop, a small antenna, and an electronic GPS "spoofer" which would cost $3,000. The report comes from GPS expert Todd Humphreys and his team at the University of Texas who took control of a sophisticated navigation system that was built into an $80 million, 210-foot super-yacht in the Mediterranean Sea.
Humphreys told Fox News: "We injected our spoofing signals into its GPS antennas and we're basically able to control its navigation system with our spoofing signals." The team hacked into the yacht's navigation system by sending it counterfeit radio signals and were able to navigate the ship off course, steering it in any direction they wanted.
Over the weekend, the Ubuntu forums went down after a massive security breach resulted in over 1.8 million user credentials being stolen. Canonical decided to put the forums in maintenance mode in an attempt to ward off any further attacks. The company says that the attackers managed to get away with every user's local username, password, and email address stored in the Ubuntu Forums database.
The company says the passwords were stored as salted hashes rather than plaintext, but it still recommends that you change any passwords you reused on other services, such as email, Facebook, or other forum accounts. Canonical says that Ubuntu One, Launchpad, and other related services were not affected by the breach, and users of those services need not worry.
Today, the popular version control code repository GitHub issued a statement to the media announcing that it has been fending off a massive attack on its system which managed to knock its servers offline early Friday morning. The company said that around 10:40 UTC the site was struck with a massive DDoS attack from unknown sources.
Roughly an hour and a half later, the company had implemented processes that began to alleviate the load on their servers but things were not yet back to full functionality. "We've put mitigation in place that should deflect the attack, and services are recovering. We're continuing to monitor closely," GitHub said in a statement.
This is the second large DDoS attack against GitHub this year with the first happening back in March. Before that, the site experienced another massive attack in September 2012 and one before that during February 2012 that lasted for a whole week. It is unclear who keeps attacking the site or what motivates them to try and bring down the service.
After the last month or so with the unveiling of the NSA PRISM system from Edward Snowden, as well as GCHQ, you'd think people would be up in arms over their security. How deep does the rabbit hole go, you ask?
Well, it's now coming to the point where Hewlett-Packard has had to admit, for the second time in a month, that it has built secret backdoors into its enterprise storage products. A blogger known as Technion blew the whistle on this one: he spotted the security issue in one of HP's StoreOnce systems last month, then found more backdoors in HP's storage and SAN products.
HP's statement, after Technion blew the whistle, admitted that "all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer."
Defcon organizers ask feds not to attend the hacker conference this year, the first time ever since the event was founded
When it was founded over 20 years ago, Defcon became known as the gathering place where anarchists, geeks, hackers, and the feds could all hang out, talk security, and get along on neutral ground. Unfortunately for the feds, the NSA has managed to break a bond of trust that lasted over two decades.
This morning, we learned that the organizers of the Defcon Hacker Conference, held in Las Vegas, Nevada, have asked all federal employees planning to attend the show to sit this year out, as they are not welcome. This may seem like a drastic move to some, but others see it as a way to express the loss of trust many in the online community are feeling at the moment.
"For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory," Jeff Moss, aka The Dark Tangent, wrote in a blog post published Wednesday night. "Our community operates in the spirit of openness, verified trust, and mutual respect."
Ubisoft has announced that one of their sites was hacked and allowed unauthorized access to user account data. Ubisoft has not revealed the number of affected users, though it potentially could be the entire Ubisoft customer base as most of Ubisoft's games require a user account to play. The company has recommended that users change their passwords and passwords on any site that makes use of the same password.
During this process, we learned that data were illegally accessed from our account database, including user names, email addresses and encrypted passwords. No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.
As a result, we are recommending you to change your password by clicking this link.
Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.
The hackers will have to decrypt the passwords before they are useful, though this shouldn't take too long. Ubisoft stresses that the hackers did not obtain any payment data as it is not stored by the gaming studio. We're hoping to find out just how many of Ubisoft's customers were affected by the hacking, but we're not sure Ubisoft will be forthcoming with that data.
Are you a good bug finder? You might be able to collect a nice paycheck from Microsoft. Microsoft has offered up $100,000 as a top prize for finding an exploit that bypasses the protections built into Windows 8.1. This bounty program is ongoing and requires a truly novel exploitation technique.
Microsoft has offered up an additional $50,000 if you provide defensive ideas along with the Mitigation Bypass bug, bringing your grand total to $150,000. This time frame is also ongoing.
Microsoft isn't just concerned with Windows 8.1 security. They have also offered up 30 days to submit critical vulnerabilities found in Internet Explorer 11 Preview on Windows 8.1 Preview. This period will go from June 26 to July 26, 2013. Qualifying bugs are worth up to $11,000.
Kaspersky Labs has announced the discovery of what it is calling the "most sophisticated" Android trojan yet. Kaspersky identifies the trojan as "Backdoor.AndroidOS.Obad.a" and notes that the trojan is capable of many different functions with the added ability to be extremely hard to remove.
Obad.a is capable of sending SMS to premium-rate numbers, downloading other malware, spreading malware over Bluetooth, and executing remote console commands. Obad.a makes use of code obfuscation and several previously undiscovered security holes in Android to make itself hard to remove or analyze.
Once it gains Device Administrator privileges, it's nearly impossible to remove:
One feature of this Trojan is that the malicious application cannot be deleted once it has gained administrator privileges: by exploiting a previously unknown Android vulnerability, the malicious application enjoys extended privileges, but is not listed as an application with Device Administrator privileges.
Google has been informed by Kaspersky of the various security holes discovered and the security company notes that the trojan only amounts to 0.15 percent of all malware infection attempts, making it a rather minor threat for now.
According to researchers, your iPhone is vulnerable to a malicious charger. You might consider being careful the next time you plug your iPhone into some unknown USB charger a stranger offers you. These researchers from the Georgia Institute of Technology will show off a proof-of-concept charger at the Black Hat security conference in late July.
The researchers say that this malicious charger easily hacks the latest iPhone running the latest iOS software, regardless of whether or not the device is jailbroken. It also requires no user interaction, meaning your device could be hacked simply by plugging it into one of these hacked chargers.
Their proof-of-concept device makes use of a $45 BeagleBoard. The BeagleBoard is quite a bit bigger than a normal charger, so it might look a bit suspicious; however, the researchers note they were working on a limited budget and limited time. The researchers have contacted Apple, but they haven't heard back yet.
US entertainment industry wants Congress to give them permission to install rootkits, spyware, ransomware and trojans on consumers' PCs to 'attack pirates'
If you want to read an 84-page report from the Commission on the Theft of American Intellectual Property, then check it out here. There's something that is quite shocking in this report, which is the proposal to legalize the use of malware for the goal of punishing people believed to be copying illegally.
The 84-page report also proposes that software would be installed on people's systems that would somehow (feel free to tell us how) tell if you were a pirate, and if it found out that you were, lock your system up and take your files hostage until you call the police and confess your crimes. This is exactly what shifty people online do right now when they deploy ransomware.
Here's a scary number: 99.9% of new mobile malware detected in Q1 2013 was designed to attack Android-based phones, according to a new report released by Kaspersky Lab. Most of these arrive in the form of trojans.
This includes SMS trojans, which steal money by sending unauthorized texts to premium-rate numbers; they are the most common type, at 63% of total infections. Kaspersky noticed a huge surge in mobile malware for the first quarter of 2013, with the three-month period seeing around half as many malware samples as the whole of 2012.
Yesterday Spotify saw one of its worst fears come true when a Google Chrome extension popped up in the Chrome Web Store that allowed Spotify users to download music from the streaming service. This hole in Spotify's DRM became possible because of the fact that the company's web player does not encrypt the MP3 file that is downloaded for playback.
The Chrome Extension, which has now been removed from the Google Web Store, would begin downloading the DRM-free MP3 to a user specified location, as soon as it began playing. This put Spotify in a tough spot as it now allowed any user, free or paid, to download as many songs as they wanted from its massive 20 million song library.
Spotify has since patched its web player and began encrypting the data stream to prevent further exploits of this kind from happening. As an avid user of Spotify and a premium subscriber from US launch at day one, I really hope that Spotify is able to curb the possibility of future hacks, because I would be lost without its service.
US citizens' phone calls and all electronic data are captured and recorded by the FBI, accessible by the government
Tim Clemente, a former FBI counterterrorism agent, claims that there is a 'Person of Interest'-type surveillance network used by the US government to monitor its citizens. Clemente talked about this when he appeared on CNN Wednesday night.
The discussion turned to the Boston Marathon attack, and past telephone calls with Katherine Russell and her deceased husband, suspect Tamerlan Tsarnaev. The former FBI agent said those conversations would be available to investigators. Clemente discussed the issue in an exchange, below, with host Erin Burnett:
BURNETT: ' Tim, is there any way, obviously, there is a voice mail they can try to get the phone companies to give that up at this point. It's not a voice mail. It's just a conversation. There's no way they actually can find out what happened, right, unless she tells them?'
CLEMENTE: 'No, there is a way. We certainly have ways in national security investigations to find out exactly what was said in that conversation. It's not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her. We certainly can find that out.'
BURNETT: 'So they can actually get that? People are saying, look, that is incredible.'
CLEMENTE: 'No, welcome to America. All of that
Everyone's favorite iOS hacker, Jay Freeman, or saurik, has discovered an exploit for Google Glass. The exploit is rather scary due to just how easy it is to implement. The exploit can be loaded onto Google Glass using any Android device, theoretically allowing people to quickly exploit devices while out and about.
More importantly, the exploit allows the hacker full access to the camera and microphone. All a hacker has to do is load a couple of files, which is simple due to Google Glass not having any sort of security protection. Glass has no pin lock, gesture lock, or other method of keeping it secure when not being worn.
If a hacker has full access to a camera and microphone, the device could easily be used to spy on a user's life, collect bank PINs, or conduct industrial espionage. Of course, the Google Glass Explorer Edition is a bit removed from what we will see in the final consumer version next year. One thing is clear: Google needs to add some sort of security to the device.