TweakTown NewsRefine News by Category:
Are you a good bug finder? You might be able to collect a nice paycheck from Microsoft. Microsoft has offered up $100,000 as a top prize for finding an exploit that allows you to bypass the protections built into Windows 8.1. The time frame for this bounty program is ongoing and requires a truly novel exploitation technique.
Microsoft has offered up an additional $50,000 if you provide defensive ideas along with the Mitigation Bypass bug, bringing your grand total to $150,000. This time frame is also ongoing.
Microsoft isn't just concerned with Windows 8.1 security. They have also offered up 30 days to submit critical vulnerabilities found in Internet Explorer 11 Preview on Windows 8.1 Preview. This period will go from June 26 to July 26, 2013. Qualifying bugs are worth up to $11,000.
Kaspersky Labs has announced the discovery of what it is calling the "most sophisticated" Android trojan yet. Kaspersky identifies the trojan as "Backdoor.AndroidOS.Obad.a" and notes that the trojan is capable of many different functions with the added ability to be extremely hard to remove.
Obad.a is capable of sending SMS to premium-rate numbers, downloading other malware, sending malware over Bluetooth, and remote console commands. Obad.a makes use of code obfuscation and several previously undiscovered security holes in Android to make itself hard to remove or analyze.
Once it gains Device Administrator privileges, it's nearly impossible to remove:
One feature of this Trojan is that the malicious application cannot be deleted once it has gained administrator privileges: by exploiting a previously unknown Android vulnerability, the malicious application enjoys extended privileges, but is not listed as an application with Device Administrator privileges.
Google has been informed by Kaspersky of the various security holes discovered and the security company notes that the trojan only amounts to 0.15 percent of all malware infection attempts, making it a rather minor threat for now.
According to researchers, your iPhone is vulnerable to a malicious charger. You might consider being careful the next time you plug your iPhone into some unknown USB charger a stranger offers you. These researchers from the Georgia Institute of Technology will show off a proof-of-concept charger at the Black Hat security conference in late July.
The researchers say that this malicious charger easily hacks the latest iPhone running the latest iOS software, regardless of whether or not the device is jailbroken. It also requires no user interaction, meaning your device could be hacked simply by plugging it into one of these hacked chargers.
Their proof-of-concept device makes use of a $45 BeagleBoard, The BeagleBoard is quite a bit bigger than a normal charger, so it might look a bit suspicious, however, the researchers note they were working on a limited budget and limited time. The researchers have contacted Apple, but they haven't heard back yet.
US entertainment industry wants Congress to give them permission to install rootkits, spyware, ransomware and trojans to consumers' PCs to 'attack pirates'
If you want to read an 84-page report from the Commission on the Theft of American Intellectual Property, then check it out here. There's something that is quite shocking in this report, which is the proposal to legalize the use of malware for the goal of punishing people believed to be copying illegally.
The 84-page report also proposes that software would be installed into the systems of people that would somehow (feel free to tell us) tell if you were a pirate, and if it found out that you were, lock your system up and take your files hostage until you call the police and confess your crimes. This is actually used right now by shifty people online, when they deploy ransomware.
Here's a scary number: 99.9% of new mobile malware detected in Q1 2013 was designed to attack Android-based phones according to a new report released on Kaspersky Labs. Most of these arrive in the form of trojan viruses.
This also includes SMS trojans, which steal money by sending unauthorized texts to premium rate numbers, which are the most common with 63% of total infections. Kaspersky noticed a huge surge in mobile malware for the first quarter of 2013, with the three-month period seeing around half of the total number of malware that the entire of 2012 saw. kas
Yesterday Spotify saw one of its worst fears come true when a Google Chrome extension popped up in the Chrome Web Store that allowed Spotify users to download music from the streaming service. This hole in Spotify's DRM became possible because of the fact that the company's web player does not encrypt the MP3 file that is downloaded for playback.
The Chrome Extension, which has now been removed from the Google Web Store, would begin downloading the DRM-free MP3 to a user specified location, as soon as it began playing. This put Spotify in a tough spot as it now allowed any user, free or paid, to download as many songs as they wanted from its massive 20 million song library.
Spotify has since patched its web player and began encrypting the data stream to prevent further exploits of this kind from happening. As an avid user of Spotify and a premium subscriber from US launch at day one, I really hope that Spotify is able to curb the possibility of future hacks, because I would be lost without its service.
US citizens' phone calls, and all electronic data is captured and recorded by the FBI, accessible by the government
Tim Clemente, a former FBI counterterrorism agent claims that there is a 'Person of Interest'-type surveillance network used by the US government to monitors their citizens. Clemente talked about this when he appeared on CNN Wednesday night.
The discussion turned to the Boston Marathon attack, and past telephone calls with Katherine Russell and her deceased husband, suspect Tamerlan Tsarnaev. The former FBI agent said those conversations would be available to investigators. Clemente discussed the issue in an exchange, below, with host Erin Burnett:
BURNETT: ' Tim, is there any way, obviously, there is a voice mail they can try to get the phone companies to give that up at this point. It's not a voice mail. It's just a conversation. There's no way they actually can find out what happened, right, unless she tells them?'
CLEMENTE: 'No, there is a way. We certainly have ways in national security investigations to find out exactly what was said in that conversation. It's not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her. We certainly can find that out.'
BURNETT: 'So they can actually get that? People are saying, look, that is incredible.'
CLEMENTE: 'No, welcome to America. All of that
Everyone's favorite iOS hacker, Jay Freeman, or saurik, has discovered an exploit for Google Glass. The exploit is rather scary due to just how easy it is to implement. The exploit can be loaded onto Google Glass using any Android device, theoretically allowing people to quickly exploit devices while out and about.
More importantly, the exploit allows the hacker full access to the camera and microphone. All a hacker has to do is load a couple of files, which is simple due to Google Glass not having any sort of security protection. Glass has no pin lock, gesture lock, or other method of keeping it secure when not being worn.
If a hacker has full access to a camera and microphone, the device could easily be used to spy on a user's life, collect bank pins, or conduct industrial espionage. Of course, Google Glass Explorer Edition is a bit removed from what we will see in the final consumer version next year. One thing is clear, Google needs to make sure to add some sort of security to the device.
Twitter continues to be in the news and not for good things. Twitter accounts continue to be compromised left and right, though not because of a bug in Twitter's system. Often times these accounts are compromised because the owner used a weak password, fell victim of a phishing scam, or simply told someone else.
But that doesn't mean Twitter is off the hook. The micro-blogging site needs to hurry up and release its two-factor authentication in order to help prevent against these visible hackings. The latest accounts to be compromised are ones of the Guardian, a daily publication in the UK:
"We are aware that a number of Guardian Twitter accounts have been compromised and we are working actively to resolve this," a Guardian spokesperson said.
The Syrian Electronic Army has claimed responsibility for these hacks, much like they claimed responsibility for the recent hackings of NPR, CBS, and Associated Press handles. It's not clear how exactly the Guardian handles were compromised, though it's likely they used a similar e-mail phishing tactic.
Over the weekend Spanish authorities arrested a Dutch man who they say is responsible for the largest DDOS attack in the history of the internet. The man was said to be in his Barcelona home at the time of the arrest, and police seized several mobile phones and computers belonging to the suspect.
The man who has only been identified as "S.K." in official reports has been unofficially identified as 35-year-old Sven Olaf Kamphuis, by sources reporting to the NY Times. Kamphuis, or "The Prince of Spam", is a self-proclaimed minister of telecommunications and foreign affairs for the Republic of CyberBunker.
He is the spokesperson for a group that had previously protested tactics used by a European anti-spam group. He operates an ISP known as CB3ROB as well as web hosting company named CyberBunker. He faces charges after being linked to a DDOS attack last month that was like no other ever witnessed.
It targeted the anti-spam group Spamhaus, which maintains one of the largest spam block lists in the world.