TweakTown
Tech content trusted by users in North America and around the world
6,059 Reviews & Articles | 38,954 News Posts
TRENDING NOW: Strap an iPad to your face with AirVR for mobile VR

TweakTown News

Refine News by Category:

Hacking & Security Posts - Page 75

Researchers exploit Chrome at Pwn2Own, receive $100,000 prize

At the Pwn2Own hacking competition currently running in Vancouver, Canada, two security researchers from MWR Labs have managed to exploit Google Chrome. As a result of this impressive feat, they have been awarded a $100,000 prize. The exploit relied on a bug in Chrome as well as a bug in the kernel of Windows 7.

 

TweakTown image news/2/8/28970_1_researchers_exploit_chrome_at_pwn2own_receive_100_000_prize.jpg

 

By visiting a malicious webpage, users could be susceptible to the exploit, even if they are running fully patched software. The exploit allowed the researchers to run code in the sandboxed renderer process. They then utilized a kernel exploit in Windows 7, which granted them elevated privileges.

 

We were able to exploit the first vulnerability in multiple ways, allowing us to leak the addresses of several objects in memory, calculate the base address of certain system dlls, read arbitrary data, and gain code execution. This allowed us to bypass ALSR by leaking the base address of a dll, and to bypass DEP by reading that dll's .text segment into a javascript string, allowing us to dynamically calculate the addresses of ROP gadgets.

 

MWR Labs will not release details on the exploit until the vendors have a chance to patch the vulnerabilities. Chrome is generally seen as the most secure and was picked because of its wide use and perceived security.

Researchers discover freezing Android phones allows access to encrypted data

In one of those "why would anyone ever think to try something like this" moments, researchers have discovered that freezing encrypted Android devices will allow them to gain access to previously encrypted data. The encryption scheme used by Android has been a "nightmare" for law enforcement, though it looks like this won't be the case for much longer.

 

TweakTown image news/2/8/28967_1_researchers_discover_freezing_android_phones_allows_access_to_encrypted_data.jpg

 

Tilo Muller, Michael Spreitzenbarth and Felix Freiling, researchers at Erlangen's Friedrich-Alexander University, placed Android phones into a freezer until they were below -10C. For some reason, this allowed them to quickly connect and disconnect the battery, placing the phone into a vulnerable mode.

 

Once the phone was in this state, they could load custom software onto the device. Known as Forensic Recovery of Scrambled Telephones, or FROST for short, the software allowed the data to be copied off to a computer for analysis. Luckily for consumers, the group of researchers are now attempting to figure out a way to prevent this hack from working.

Bug found that allows bypassing Samsung Galaxy S3 lockscreen

Coming on the heels of a bug that allows partial access to the Galaxy Note II, a new bug has been discovered that provides full access to a device locked with a pin, password, or gesture. The bug was posted on the Full Disclosure mailing list by Sean McMillian and makes use of a variation on the original bug.

 

TweakTown image news/2/8/28943_1_bug_found_that_allows_bypassing_samsung_galaxy_s_iii_lockscreen.jpg

 

ZDNet verified the bug on their Galaxy S III running Android 4.1.2 and note that "the issue is very small and difficult to replicate at first." McMillian's instructions are as follows:

 

  1. On the code entry screen, press Emergency Call
  2. Press Emergency Contacts
  3. Press the Home button once
  4. Just after pressing the Home button, press the power button quickly
  5. If successful, pressing the power button again will bring you to the S3's home screen.

 

It seems like it's not just Apple that is having security issues stemming from the emergency call function. Samsung has not yet commented on the bug and there is not a current estimate for how long it will take for a fix to be released.

Continue reading 'Bug found that allows bypassing Samsung Galaxy S3 lockscreen' (full post)

Apple updates Java to patch zero-day vulnerability

Apple has released an update to Java 6 that patches a zero-day vulnerability discovered a few days ago. Mac OS X Lion and Mountain Lion users should download the Java for OS X 2013-002 update so that they aren't susceptible to the zero-day exploit that has been used in the wild. Mac OS X 10.6 Update 14 can be used for Snow Leopard users.

 

TweakTown image news/2/8/28876_1_apple_updates_java_to_patch_zero_day_vulnerability.jpg

 

Oddly enough, Oracle delivers updates for Java 7, while Apple is tasked with keeping Java 6 updated.

China point finger at US for majority of cyber-attacks on its military

In a release today, China's Defense Ministry unveiled new details about alleged cyber-attacks on its websites. The report points a finger at the US claiming that about two-thirds of the security breaches originated from the USA.

 

TweakTown image news/2/8/28829_1_china_point_finger_at_us_for_majority_of_cyberattacks_on_it_s_military.png

 

Chinese Defense Ministry spokesma, Geng Yansheng, said:

 

"The Defense Ministry and China Military Online websites have faced a serious threat from hacking attacks since they were established, and the number of hacks has risen steadily in recent years. According to the IP addresses, the Defense Ministry and China Military Online websites were, in 2012, hacked on average from overseas 144,000 times a month, of which attacks from the U.S. accounted for 62.9 percent."

 

China says that it received more than 144,000 cyber intrusions a month in 2012 and that the US government is responsible for the majority of said breaches. The report comes hot on the heels of a report last month from security firm Mandiant, which traced cyber-attacks on US media outlets back to China.

Another iOS 6.1 lockscreen vulnerability discovered, allows full access to contacts, pictures, and more

More and more bugs continue to be found in Apple's iOS 6.1 update. The latest to be found is another bug that allows people to bypass the lockscreen of a device secured with a pin. This exploit allows direct access to a device's contacts, pictures, videos, and more simply by executing a few easy steps.

 

 

The steps are similar to the previous lockscreen bug that was discovered and involves the same process of making a call to an emergency number. The process relies heavily on the earlier exploit, though this one allows hackers to pull data from the device directly through a USB cable, useful if you want to transfer large amounts of data (read: numerous pictures).

 

Apple has a fix for the first passcode bug already included in the iOS 6.1.3 beta 2 update, though it's not clear if that patch will fix this latest bug to be discovered.

Continue reading 'Another iOS 6.1 lockscreen vulnerability discovered, allows full access to contacts, pictures, and more' (full post)

Anonymous hack the US State Department, hours after their Twitter account was hacked

It was only hours ago that Anonymous' Twitter account was hacked, and now it seems that the hacking collective have taken down, or at least infiltrated yet another federal government website.

 

TweakTown image news/2/8/28701_06_anonymous_hack_the_us_state_department_hours_after_their_twitter_account_was_hacked.jpg

 

The latest target is the US State Department, and on top of hacking the site itself, they were able to acquire personal data on hundreds of State department employees, posting it all online. The personal data includes private and work e-mails, phone numbers and addresses that Anonymous dumped on the ZeroBin website.

 

Anonymous have said that the hack on the US State Department is in retaliation for the arresting of members from LulzSec. Anonymous said within their data post to ZeroBin:

 

Our reasons for this attack are very simple. You've imprisoned or either censored our people. We will not tolerate things as such. You don't see us going around censoring everything that is inappropriate or we do not like. Basically, you tried to put an end to us and you got owned, there's nothing more you can say or do. You took away Topiary, Avunit, Neuron, Pwnsauce, lolspoon, Aaron Swartz shall we go on?

Anonymous' Twitter account hacked, people LOL at the irony

It looks like Burger King and Donald Trump aren't the only ones having trouble with Twitter hacks this week. Ironically, one of Anonymous' Twitter accounts was the target of a hack. Rustle League, a little-known hacking group, has taken responsibility for compromising the @Anon_Central Twitter account.

 

TweakTown image news/2/8/28694_1_anonymous_twitter_account_hacked_people_lol_at_the_irony.jpg

 

"The reason Anonymous fell victim is probably human weakness," said Graham Cluley, senior consultant at security firm Sophos. "Chances are that they followed poor password practices, like using the same password in multiple places or choosing a password that was easy to crack."

 

We didn't capture any screenshots of tweets sent out while the account was out of Anonymous' control. If you managed to see some of the tweets--if there were any--let us know what they said!

Donald Trump joins a growing list of people who have had their Twitter accounts hacked this week

Donald Trump can now count himself among an exclusive group of high-profile users who had their Twitter accounts hacked during the past week. We started out this week with Burger King's Twitter being hijacked and tweeting that they had been bought by McDonalds.

 

TweakTown image news/2/8/28685_1_donald_trump_joins_a_growing_list_of_people_who_have_had_their_tiwtter_accounts_hacked_this_week.png

 

Jeep joined the party a bit later in the week and Donald Trump has joined the ranks today, though he regained his account much quicker than the others. Just before 12p.m. EST, Trump's account tweeted lyrics from Will.I.Am's "Scream & Shout (Remix)" song, as seen in the picture above.

 

Within 15 minutes, the tweet was deleted, but not before being retweeted by over 1,000 people. Trump has probably said "You're Fired!" to the people in charge of keeping his Twitter account safe and has tweeted that he is looking for the perpetrators.

 

MTV and BET attempted to jump on the Twitter hacking bandwagon by pretending to hack each other. The stunt failed to pay off and the two companies have received negative feedback over it.

Apple hacked by same people who hacked Facebook, issues Mac software update

Reports surfaced today stating that a small number of Apple's systems were hacked through the same zero-day Java exploit that Facebook's systems fell victim to in January. The source of the exploit is said to be the same as the one that managed to infect some of Facebook's systems. In the case of Apple, there is no evidence that any data was transmitted from Apple's systems.

 

TweakTown image news/2/8/28640_1_apple_hacked_by_same_people_who_hacked_facebook_issues_mac_software_update.png

 

"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers," the company said in a statement. "The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network."

 

Apple has released an update to Mac OS X that will help protect customers from the malware. The update can be installed from the Software Update panel in the Mac App Store or downloaded directly from Apple's website.

 

The source of the Facebook and Apple hacks is said to be a mobile development website known as iPhoneDevSDK. It's likely that the site didn't know that they were infected as it is a fairly reputable site when it comes to mobile development.

Continue reading 'Apple hacked by same people who hacked Facebook, issues Mac software update' (full post)

Latest Tech News Posts

View More News Posts

Forum Activity

View More Forum Posts

Press Releases

View More Press Releases