We're here again, with another exploit to watch out - this time with security researcher Adam Gowdiak discovering a new zero-day vulnerability in Java. This new bug is said to be in currently-supported versions of Java, such as Java 5, Java 6, and Java 7 and has the ability to allow attackers to install malware on close to 1 billion systems (based on the installation numbers from Oracle themselves).
This exploit affects both Macs and PCs, meaning that any Java-powered PC is at risk. Right now, the exploit doesn't pose much threat to the general public, but Gowdiak who is known for finding similar issues within Java, has said that he isn't currently aware of any active attacks that exploit this particular vulnerability.
Gowdiak found the exploit last week and has spent the last few days testing a proof-of-concept before he revealed the exploit to Oracle. Oracle has since confirmed that the vulnerability with Gowdisk, and have said that it will be fixed in a future security update. Oracle haven't given a date on when this update will be pushed out, but the next scheduled update is a while way - October 16.
As most Android users know, carriers and smartphone manufacturers aren't the best at keeping your device updated to the latest Android operating system. Unfortunately, never upgrading, or slow upgrading, leaves consumers' devices open to vulnerabilities that have been patched in the later version.
According to one study, the number of devices with vulnerabilities that have been patched in later versions is in excess of 50 percent. This news comes from a new statup that is receiving funding from the Department of Defense. Users who ran their X-ray app had their phone scanned by the app for known vulnerabilities that are unpatched.
"The stat is based on over 20,000 users who downloaded and ran the X-Ray mobile application on their device, and the current global distribution of Android versions," said Jon Oberheide, CTO of Duo Security. "As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users' mobile devices often remain vulnerable for months and even years."
Unfortunately, this means a more insecure operating system for users who's carriers or manufacturers don't update the devices. This could ultimately be the downfall of Android, if the manufacturers don't start keeping devices up-to-date.
A member of Anonymous has claimed responsibility for the hacking of GoDaddy today, which has affected sites across the web. GoDaddy's site has been down today, along with sites hosted with the service. Other sites that use GoDaddy for DNS or other services have also been affected, though not all are down for everyone.
GoDaddy has acknowledged the problem with a Tweet:
Status Alert: Hey, all. We're aware of the trouble people are having with our site. We're working on it.
@AnonymousOwn3r has Tweeted the following, taking credit for the attack:
I'm taking godaddy down bacause well i'd like to test how the cyber security is safe and for more reasons that i can not talk now
@AnonOpsLegion, the official Twitter for Anonymous responded with the following:
@AnonymousOwn3r Good job brother, glad to see you back!
GoDaddy has provided the following updates:
Update: Still working on it, but we're making progress. Some service has already been restored. Stick with us.
We're continuing our work to get back on track. This is our #1 priority. We'll keep posting updates here. Thanks for all the support.
It's not clear when all services will be restored, but GoDaddy is working as quickly as possible to bring everything back online. I'm sure will come out in the following hours and days and we will be sure to keep you updated on the latest.
If all the existing cameras on our streets, front-facing cameras on our smart devices, and even the ones that are now being baked into our TVs aren't enough, the Federal Bureau of Investigation (FBI) are spending $1 billion on a next-generation facial recognition system.
This new next-gen system would be capable of identifying someone under various conditions with as much as 92% accuracy. The Next Generation Identification (NGI) pilot program was launched two years ago, and if the results are anything to go by, the best algorithms were capable of narrowing down someone's identity 92% of the time, from 1.6 million mugshots, impressive.
The person doesn't even need to be looking directly at the camera, as the technology is able to match the person to the available mugshot in the database using various biometric analyses. Said algorithms can analyze features on front and side views of mugshots, create a 3D model of the face, and even rotate the model as much as 70 degrees in order to match the angle of the face in the photo.
According to the latest report from security company Symantec, cybercrime cost customers across the world nearly $110 billion in 2011. For the US alone, consumers lost $20.7 billion in the twelve-month period, which saw 71 million Americans finding themselves victims to cybercrime.
An average of $197 in direct financial loss to each victim across the world, with US losses per victim tallying up to $290. The report states that a whopping 556 million adults across Earth had found themselves experiencing first-hand experience of cybercrime in 2011.
This figure of 556 million people affected, is nearly half of all adults on the Internet, which is staggering, and is also up 45% from 2010. The reason for the increase in cybercrime and affected consumers, is the meteoric rise in social network and mobile use. 21% of online adults report that they have been victims to social- or mobile-based crime. The report also states that 15% of Internet users have had their social networking account hacked, with 1 in 10 users falling victim to fake links or scams through Facebook.
Last week we reported on AntiSec's claims that they had somehow gotten their grubby mits on millions of unique device identifiers for Apple devices (UDIDs), which were reportedly stolen from an FBI notebook. But, it looks like Apple have finally weighed in on the serious claim. Apple spokeswoman, Natalie Kerris, told AllThingsD:
The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID.
The FBI have since stated that the story is completely false:
At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
At the end of the day, who knows what the truth is. Are the FBI not telling us everything? Are AntiSec pulling our leg? Are Apple covering themselves from a potentially huge security scandal?
A new leak has shown up on Pastbin. This latest showing comes from AntiSec and contains a list over 1 million Apple UDIDs, allegedly taken from a list of over 12 million that was on an FBI laptop. The UDIDs were supposedly in the file with other personally identifiable information such as zip codes, names, and other data, but that has been stripped out for the leak.
The file, according to the Pastebin post, came from the Dell laptop of Supervisor Special Agent Christopher K. Stangl which was exploited by a Java exploit back in March 2012. The details of the hack, along with information on how to get the data is available on Pastebin. Several tools have popped up to check if your UDID is on the list.
during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts.
A new vulnerability has been found in the latest version of Java. The vulnerability is a rather massive hole and users with Java installed in their browser should likely disable it right now to prevent themselves from being infected. Have I scared you enough? But wait, I haven't even told you the problem!
The new security hole allows malicious people to break into users' computers and install nasty malware and viruses. This security hole fits into a category of security flaws known as a "zero-day" threat because it is the first time it has been found. Due to this, there currently exists no way to fix the problem or defend against it, other than disabling Java.
The vulnerabilities were actually found back in April, according to a few sources, and they reportedly told Oracle about the problem. However, Oracle had decided to hold off until the October patch release date to do anything about them. Now, the vulnerabilities have been integrated into BlackHole, a hacking tool.
"SophosLabs has seen samples of [the exploit] from Blackhole and are analyzing them now to determine if they actually work," Chester Wisniewski, a senior security adviser at antivirus firm Sophos, said Tuesday via email. "So, yes, we can confirm it has been added, but still working out if they did it right."
If you're a heavy Google user like myself, you might be concerned with your data privacy. But, it looks like the Mountain View-based company is building themselves a privacy "red team" for such matters.
Google's new division comes hot on the hells of the FTC's $22.6 million record-setting fine, where the company was accused of a tracking cookie incident that allegedly occurred sometime in 2011 and 2012.
The 'Red Team' plans were found from a recent job posting, and according to ZDNet, a red team would normally work internally at a company to go over everything from policies and products, to services and the workforce in general. The job is usually described as a quality control measure taken a bit further, to make the company work more efficiently.
Google have announced the second Pwnium hacking competition after widthdrawning from this TippingPoint's annual Pwn2Own which was previously held back in February. Google have thrown $2 million in rewards for anyone who can find bugs in their popular Chrome browser, exploit them and detail how they achieved the hack.
The first Pwnium that was held in March, in Vancouver, only had $1 million up for grabs, and only a slice of that was handed out. This was because there were only two submissions, requiring Google to sign over just $120,000 of the $1 million they had up for grabs. So, what are Google offering? $60,000 for a full Chrome exploit using only bugs found in the web browser itself. $50,000 for a partial Chrome exploit using Chrome itself, or other browser, or Windows flaws such as Webkit or kernel-level flaws.
Finally, $40,000 for a non-Chrome exploit for a bug found in Flash, Windows or a driver. In addition incomplete or unreliable exploits may be eligible for a prize, where Google have said "our rewards panel will judge any such works as generously as we can". Sounds like Google just want to give money away! Rules have changed from the annual Pwn2Own hacking competition, with TippingPoint no longer requiring entrants to reveal all the details about exploits used to compromise security. Google has said that this change is "worrisome" and decided to leave the competition, promoting their own Pwnium challenge instead.
Saudi Aramco, who has the title of the world's largest oil company, has been struck by a cyber attack. The company has reported that nearly all of their workstations have been hit by malware, and the breach is said to be similar to the attack on Iranian systems back in Apri, but oil-production industrial equipment was not affected.
Saudi Aramco have said they've disconnected their entire network from the Internet as a precautionary measure, and expect a full recovery of their systems before the end of the week. The oil company hasn't said who is involved, but have insisted that the production of oil has not been altered as a result of the breach. The company said in a statement:
The company employs a series of precautionary procedures and multiple redundant systems within its advanced and complex system that are used to protect its operational and database systems.
There are other networks connected to the Aramco system, with companies Chevron and Schlumberger Ltd attached, and vulnerable. Most of the oil industry companies across the world have moved over to Windows-based systems during the Y2K scare, and could face similar problems. Also, the rapid expansion of Internet connectivity mixed with the nature of Windows has increased the chances of a cyber attack to the energy industry.
Malware is bad. It's created by people who want to cause you trouble or steal your information. It's a fact of life that Windows will always be a target of malware, but how about Android? It seems as more hackers and scammers are now targeting the mobile operating system with varying degrees of success.
In the second quarter of 2012, Kaspersky Labs found that the number of malware out there targeting Android has tripled. Likely this is the result of an increased number of Android phones giving malicious programmers a wider base to attack. This is the same reason so many different malwares are written for Windows.
During the three months that make up the second quarter, the number of new malware increased to nearly 15,000. 49 percent of the malware were multi-functional Trojans designed to steal data such as contact names, phone numbers, and e-mails. 25 percent were SMS Trojans which send texts to premium numbers to gain money for the programmer.
Trojan Spy malware only constituted 2 percent of the newly found malware and this is a good thing for users as Trojan Spy malware is the most dangerous to users. It is able to transfer information to the programmer which gives access to bank accounts and other sensitive accounts.
WikiLeaks unveils TrapWire, a very scary surveillance system, gets taken down by DDoS attack, coincidence?
This is something that I've read with great interest, and to anyone who has seen the TV show "Person of Interest", you'll understand that these types of systems are not just fiction, but they can be used for wrong-doing, too.
Last week, WikiLeaks talked of, and released internal documents and e-mails by hackers regarding TrapWire. TrapWire is a privately-owned surveillance technology that is used by various private and public agencies. TrapWire seems to work by collecting surveillance data from 'participating' private and public sources, such as CCTV cameras.
The data is then poured into the system, where TrapWire can analyze the data, detecting changes in patterns such as noticing a certain vehicle is not on its usual morning commute to work, which can then be looked at as 'suspicious behavior'. The technology is owned by Abraxas, who were eventually acquired by Cubic. In 2005, Abraxas Corp. CEO Richard Hollis talked about TrapWire:
TrapWire can help do that without infringing anyone's civil liberties. It can collect information about people and vehicles that is more accurate than facial recognition, draw patterns, and do threat assessments of areas that may be under observation from terrorists. The application can do things like "type" individuals so if people say "medium build," you know exactly what that means from that observer.
The developer behind successful titles such as the recently released Diablo III, and World of Warcraft, oh I suppose we can't leave out StarCraft, has posted an "important security update" to its official website. Blizzard have announced that their security team found an "unauthorized and illegal access into our internal network here at Blizzard".
The developer quickly took appropriate steps to close off access, and started working with law enforcement and security experts to investigate into the matter. At the moment, Blizzard have found no evidence that financial information (such as credit card details) or billing details and real names were compromised. Blizzard's investigation is ongoing, but there's nothing suggesting that these pieces of information were accessed.
What was accessed, were lists of email addresses for global Battle.net users, outside of China. This mens that players on North American-based servers, such as North America, Latin America, Australia, New Zealand, and Southeast Asia had their personal security question, and information regarding to Mobile and Dial-In Authenticators were accessed. Blizzard have noted that based on what they currently know, this information is not enough for anyone to access Battle.net accounts.
Apple slap 24-hour suspension on phone-based resets of Apple ID passwords in a bid to stem more hacks
And so they should. After having the joy of a daisy-changed hack, Mat Honan has been keeping the tech world up-to-date on the going ons of the recent hack over at Apple, and what companies are doing to make sure that it doesn't happen to anyone else.
Apple have improved their services, issuing a 24-hour ban on calling Apple support to change your Apple ID password. Honan's hack involved some social engineering, meaning that a hacker actually made a voice call, setting up accounts pretending to be him. Wired reported on the ban, saying:
Apple on Tuesday ordered its support staff to immediately stop processing AppleID password changes requested over the phone, following the identity hacking of Wired Reporter Mat Honan over the weekend, according to Apple employees.
An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.
It's a sad reality that there's always someone trying to break into Windows. This is due to the wide use that Windows has over other operating systems. Even before the official release, people are doing their best to break into Microsoft's upcoming Windows 8, and sadly, they've found three exploits to do just that.
With three months left before the actual release of Windows 8, Microsoft has time to take care of these exploits that have been found. Sung-Ting Tsai of Trend Micro is the person who found the exploits, so he's helping Microsoft patch them rather than working on exploiting them for nefarious reasons.
The exploits are in the kernel level advanced local procedure call, the component object model (COM) application programming interface, and the Windows Runtime API. Tsai worked on several methods to attack the vulnerabilities, and while he wasn't completely successful, he says that someone with enough time could find a way to compromise the system.
Earlier today, stories were hitting the web that Ubisoft's DRM installed a browser plug-in that contained a backdoor. Ubisoft acted quickly and has released a patch to fix the security hole as it turns out that the backdoor was an accident and was in no way meant to be there, or at least not exploitable as it was.
The list of games which come with Uplay, and the vulnerability, are as follows:
Assassin's Creed II
Assassin's Creed: Brotherhood
Assassin's Creed: Project Legacy
Assassin's Creed Revelations
Assassin's Creed III
Beowulf: The Game
Brothers in Arms: Furious 4
Call of Juarez: The Cartel
Driver: San Francisco
Heroes of Might and Magic VI
Just Dance 3
Prince of Persia: The Forgotten Sands
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy's H.A.W.X. 2
Tom Clancy's Ghost Recon: Future Soldier
Tom Clancy's Splinter Cell: Conviction
Your Shape: Fitness Evolved
Apple have been hit again, with security firm Intego and their virus team identifying yet another Trojan horse that attacks Apple's Mac platform. The new Trojan called "Crisis", hasn't been seen in the wild yet, but Intego says that the Trojan is engineered to make analysis of the malware difficult for security experts.
Intego have stressed alertness regarding Crisis, as it appears to be quite smart, having the ability to bypass OS X security features and install itself, all without any user interaction.
Crisis has been tracked, back to the IP address of 220.127.116.11, which it then calls back to every five minutes for instructions. There's only two OS X versions that are said to be susceptible to Crisis, OS X 10.6 and 10.7. Crisis can install and run itself without the need for the user to enter in their password. It's also resistant to reboots, and will run until it is detected and removed.
A word of warning to our readers: next time you check into a hotel room, realize you're probably not the only one that can get in. Take a moment to run your fingers along the bottom of the keycard lock and check for a power port. If you find one, it means a hacker with a couple of cheap hardware parts could gain access to your room without leaving a trace.
24-year-old Mozilla software developer and self-described hacker Cody Brocious has issued this warning after he found the vulnerability while reverse engineering Onity-manufactured locks. By connecting $50 in hardware to the DC port, the door will supposedly unlock and provide access. However, in practice, it's not quite that reliable.
While demonstrating it to a Forbe's journalist, it only worked on one of the three doors they tried and only on the second try after Brocious tweaked his software. Still, with a bit of time, a hacker could perfect the software and technique and somewhere around 4 million doors would immediately be able to be opened.
The method to do this will be released by Cody Brocious at the Black Hat security conference in Las Vegas on Thursday. Once released, other hackers can begin working on perfectly the method. Furthermore, the NSA and other governments most likely already know about this exploit and could have already perfected it and be using it.
Earlier this year, German gaming company Gamigo was hacked where over 11 million e-mail addresses and encrypted passwords were stolen. It has been the biggest breach of its kind for 2012.
Gamigo is a free-to-play MMORPG site, and after the hack security researchers analyzed the dump, which included 3 million US (.com) e-mail address, 2.4 million German (.de) addresses, 1.3 million French (.fr) addresses, and 100,000 t-online.de addresses. Gamigo have forced password resets ahead of time, meaning if you're a member of the site, you don't have to worry just yet.
But, for people who use the same e-mail address and password on multiple sites may have something to worry about. The leak contains addresses for various services including Windows Live Hotmail, Gmail and Yahoo, as well as other accounts at companies like Allianz, Deutsche Bank, ExxonMobil, IBM and Siemens.
Security firms Sophos, and F-Secure have both noted that there's a new piece of malware floating round that is targeting Mac, Windows and Linux users all at the same time. The malware pretends to be a required add-on.
Of course, it's not, and in reality its victims are opening up a Java archive file, which then detects the platform the victim is using, before connecting to a remote server to fetch the additional code, creating a back door for hackers. THe Mac-based malware is identified by F-Secure is "Backdoor:OSX/GetShell.A."
What makes this new piece of malware stand out from the very crowded sea of infectious crap that is out there is that this particular code is targeting multiple platforms at once. Most hackers usually stick to attacking Windows, or OS X. Hopefully it doesn't get too much more widespread, and people continue to educate themselves on what to, and what not to, click, open or accept.