An anonymous hacker group has remotely jailbroken a new iPhone running iOS 9.1, winning themselves a cool $1 million from startup Zerodium (self-described as a "premium exploit acquisition platform"). The winnings are pending final verification of the exploit, but results at this stage look good.
To put the difficulty of this feat in context: a chain of zero-day bugs needed to be found, the hack needed to be remote (much more difficult -- Chinese hacking team Pangu already hacked the new iPhone, but couldn't do it remotely) and made through Safari, Chrome, or a text or multimedia message, and full system access needed to be obtained. An iPhone has not been remotely jailbroken for over a year, since iOS 7. Zerodium says Apple will likely patch these bugs "in a few weeks to a few months".
T-Mobile has just announced that it has been hacked, with up to 15 million people affected. The hack hit Experian, which T-Mobile uses to process its credit applications.
The names, addresses, birth dates and social security numbers of 15 million customers were hacked, with the encrypted data including social security numbers and drivers license numbers. Experian says that the encryption protecting those precious bits and bytes of data was also compromised.
The hack took place between September 1, 2013 and September 16, 2015 - which means that anyone who had a credit check for a new line of service or a new smartphone could be affected. T-Mobile CEO John Legere has said that he's "incredibly angry" about the attack, and that the company would be going through a "thorough review" of their relationship with Experian. Legere reiterated that its payment systems and network were not attacked, with the blame placed on Experian.
T-Mobile and Experian will now be offering free credit monitoring and identity protection services for the next two years, which is a decent consolation prize.
While I'm not sure if this should be listed under the category of 'Hacking & Security' or 'Humor & WTF', Lenovo has allegedly been caught installing spyware yet again, developing and installing a program that is designed to send user data directly to this company on some refurbished laptop models.
The program is called "Lenovo Customer Feedback Program 64" and will operate daily on these systems, with this software's purpose being described by Lenovo as to "upload[s] Customer Feedback Program data to Lenovo." As seen on Gadgets 360 and Computerworld, this program comes with a few extra goodies in the form of "Lenovo.TVT.CustomerFeedback.Agent.exe.config, Lenovo.TVT.CustomerFeedback.InnovApps.dll, and Lenovo.TVT.CustomerFeedback.OmnitureSiteCatalyst.dll."
What does this gibberish mean? Well, Omniture is an online marketing and Web analytics company, set out to monitor and track user usage in order to drive business. Lenovo does state on its website that there may be software installed on sold systems that connect to online servers, but it does not say anything about farming your data for financial gain.
Now readily available on Github, anyone with access to a 3D printer has the ability to download and create their very own TSA master keys, enabling them to open any TSA-recognized lock around the globe. This tool was made possible thanks to The Washington Post posting an image of TSA master keys in 2014.
OMG, it's actually working!!! pic.twitter.com/rotJPJqjTg— Bernard Bolduc (@bernard) September 9, 2015
In comes Github user Xyl2k, using the published image in order to duplicate these real-life keys on a computer, releasing the final STereoLithography (STL) files to the world. If you're wondering about the legitimacy of this 3d-printed project, Bernard Bolduc, a security researcher, tried it for himself and it worked without fault - check the Twitter post above.
We certainly don't encourage breaking into anyone's baggage at home or abroad, however, we do suggest you purchase a new style lock as soon as possible.
Unearthed by CynoSure Prime, these originally-cryptographically scrambled passwords were decoded through a single-computer process taking only a few hours, meaning analysts were able to look into similarities between accounts. This uncovered the unsurprising fact that '123456' was one of the most commonly-used passwords, used a total of 120,511 times.
Other culprits include 'f**ckme' and 'f**ckyou' both sitting just under 8,000 each, while the unimaginative password 'ashleymadison' saw use 6,213 times in total. We've talked about trends in terrible passwords before and it seems that '123456' may be in the number one spot until the end of time.
It looks like Intel is on a mission, where the chipmaker wants to see facial recognition or fingerprint scanners to replace the traditional, and easily penetrated passwords we all use for countless services, websites, bank accounts, and more.
Intel not only things it's a possibility, but that it's something it can get into motion very quickly. Kirk Skaugen, Senior VP and General Manager of Intel's Client Computer Group said at the Citi Global Technology Conference earlier this week: "We want to eliminate all passwords from computing. I can confidently say today, you can eliminate all your passwords today, if you buy a 6th Generation Core system".
So the company is saying that its Skylake architecture is capable of true facial recognition security thanks to Windows 10, where you can use the entire feature set of Windows Hello. This, mixed with Intel's RealSense 3D camera, we could see true facial recognition security that is much more secure than the traditional password. Skaugen added: "You can do everything from measure blood pressure, blink detection, all these kinds of things... In fact, in Berlin, one of my funniest demos in my 23 years at Intel is when I brought two identical twins out on stage and I mixed them up and only one could log in with the PC, and it actually worked". Now that, is some exciting stuff.
Businesses have been taken for at least $1.2 billion in fraud-related losses from October 2013 until August 2015, with cybercriminals targeteing businesses that interact with international suppliers, according to the FBI Internet Complaint Center (IC3).
Fraud ring operators typically say they are lawyers or some type of representative from a law firm - and claim they are responsible for addressing confidential and time-sensitive manners. Once contact has been made, they try to rely on pressuring a victim to send payments quickly.
"The scam has been reported in all 50 states and in 79 countries," according to the FBI memo. "Fraudulent transfers have been reported going to 72 countries; however, the majority of the transfers are going to Asian banks located within China and Hong Kong."
Six teenagers have been arrested, and are now out on bail, suspected of using the Lizard Squad's Lizard Stresser distributed denial of service (DDoS) attack tool, according to the UK National Crime Agency. The arrests were part of "Operation Vivarium," and included coordination between the NCA and several police agencies.
The arrested men include one 15-year-old, a 16-yearold, one 17-year-old, and three 18-year-olds. Earlier in the year, officials arrested two other teenagers for allegedly using the Lizard Stresser.
"By paying a comparatively small fee, tools like Lizard Stresser can cripple businesses financially and deprive people of access to important information and public services," said Tony Adams, senior operations manager of the NCA national cybercrime unit.
Avid Life Media was unable to find a willing suitor for Ashley Madison, and trying to generate new funds proved extremely difficult.
Avid Life sent a letter to investors that it was interested in purchasing $10 million worth of shares, amid pressure to improve the company's liquidity. Any aspirations for an IPO would be crippled in a "doomsday scenario," according to bankers speaking to Reuters prior to the massive data dump.
"Over the last couple of years, we have not been successful in exploring various alternatives including a sale of the business and seeking debt from third parties," a letter from the board of directors confirmed.
Julian Assange knows a little something about trying to avoid extradition, and urged former NSA contractor Edward Snowden to select Russia over Latin America. Not only was reaching Latin America a difficult journey, but Snowden's personal safety would have been at risk, Assange noted.
Assange urged Snowden to disregard "negative PR consequences" about choosing Russia, where his physical safety has been provided by the Russian government - a guarantee that would have been significantly less likely if he ended up somewhere in Central or South America.
Sarah Harrison, one of Assange's most trusted senior staff members, actually met with Snowden while the American was in Hong Kong - at a time when it was unknown where Snowden would end up.