Hacking, Security & Privacy - Page 52
Stay informed with the latest hacking, cybersecurity, and privacy news, including data breaches, leaks, cyber attacks, and tips to stay safe online. - Page 52
Samsung working on fixing security flaw present on some Android devices
Samsung has confirmed that they are working on a fix for a flaw that allows bypassing of the lock screen. The bug was posted to the internet today and shows a method for bypassing the lock screen, permanently, if you have enough time to download an app from the Play Store.
The steps to reproduce the bug are below:
The bug is only present on Samsung's implementation of Android. It doesn't seem to affect the stock build. In a statement, Samsung said, "We are aware of this issue and will release a fix at the earliest possibility. Samsung considers user privacy and the security of user data its top priority."
China reportedly agrees to cooperate with US in an effort to prevent further cyber attacks
China has said that it is willing to cooperate with the US in an effort to curb future cyber-attacks allegedly coming from within its borders. The country said it is ready to open a "constructive dialogue" to help put a stop to internet related attacks.
In a report released by the Associated Press, a spokesperson for China's foreign ministry said that he condemned the recent attacks. "Cyberspace needs rules and cooperation, not wars. China is willing to have constructive dialogue and cooperation with the global community, including the United States."
The response from China comes after White House national security adviser Tom Donilon released a statement saying "China should take serious steps to investigate and put a stop to these activities," and asked the country to "engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace."
Researchers exploit Chrome at Pwn2Own, receive $100,000 prize
At the Pwn2Own hacking competition currently running in Vancouver, Canada, two security researchers from MWR Labs have managed to exploit Google Chrome. As a result of this impressive feat, they have been awarded a $100,000 prize. The exploit relied on a bug in Chrome as well as a bug in the kernel of Windows 7.
By visiting a malicious webpage, users could be susceptible to the exploit, even if they are running fully patched software. The exploit allowed the researchers to run code in the sandboxed renderer process. They then utilized a kernel exploit in Windows 7, which granted them elevated privileges.
Apple hacked by same people who hacked Facebook, issues Mac software update
Reports surfaced today stating that a small number of Apple's systems were hacked through the same zero-day Java exploit that Facebook's systems fell victim to in January. The source of the exploit is said to be the same as the one that managed to infect some of Facebook's systems. In the case of Apple, there is no evidence that any data was transmitted from Apple's systems.
"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers," the company said in a statement. "The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network."
Apple has released an update to Mac OS X that will help protect customers from the malware. The update can be installed from the Software Update panel in the Mac App Store or downloaded directly from Apple's website.
Security firm releases evidence of alleged military-backed Chinese hacking group at work
Security firm Mandiant has come out with quite the startling report titled "APT1: Exposing One of China's Cyber Espionage Units", which has tracked the alleged military-backed Chinese hacking group dubbed as Advanced Persistent Threat 1 all the way back to 2006.
Mandiant have written "Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors." The group is also believed to be the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department, otherwise known as Unit 61398.
The New York Times has written about it, working off an advance copy of the report, which led them to buildings in Shanghai where they believe the unit is based. The Times encountered persistent attacks from Chinese hackers last year, and worked with Mandiant to monitor and block the intrusions into their network.
Anonymous hacks government site, threatens 'warhead' leaks
Aaron Swartz took his life a couple of weeks ago and we have now seen hacktivist collective Anonymous making a strategic move by hacking a US government website related to the justice system.
They posted on the site informing everyone they would begin leaking a cache of government documents if the justice system is not reformed. Anonymous hacked the website for the United States Sentencing Commission late Friday, where they posted a message about what they're calling "Operation Last Resort", which included a bunch of downloadable, but encrypted files that they say contain sensitive information.
Anonymous' statement reads:
New zero-day Java exploit shows up online, for sale in online forum for $5k
Java seems to be one of the most exploited pieces of software running on a computer. Unfortunately, most computers are running Java for websites and other interactive features online. Just earlier this week, Oracle had to rush out a patch for Java that fixed a critical bug that allowed hackers to run code on a victim's machine.
An administrator for an exclusive cybercrime forum posted up Monday an offering for a new zero-day exploit that has yet to be patched by Oracle. It also has yet to be rolled into one of the exploit kits, some of which rent for upwards of $10,000 a month. The starting price for the exploit? $5,000.
Kaspersky uncovers five-year cyber espionage network, makes the Flame malware look like a wimp
Kaspersky of all companies have found something utterly shocking, an advanced cyber espionage network that makes last year's infamous Flame malware look like a joke. Dubbed Operation Red October, each attack is handcrafted for its victim in order to make sure it 100% works.
Red October has been hitting systems across the world since at least May 2007 and carefully chooses its victims spanning over two dozen countries who hold positions in government, military, aerospace, research, trade and commerce, nuclear, oil and other important, vital industries. Investigators aren't sure who is behind the attacks, but it is being reported that Chinese hackers may have created the exploit, while the various malware modules deployed seem to have been created by those who speak Russian.
Kaspersky can't put their finger on the source, as it is currently being run through at least two layers of proxy servers across Russia, Germany and Austria. Whoever is involved has some skill, as they've been silently sitting, unknown to the user, in major government and industry computers.
Anonymous hack MIT website, leave an Aaron Swartz tribute
The tragic supposed suicide of digital activist, and co-founder of Reddit, Aaron Swartz happened just days ago and now Anonymous have stepped into the ring to play [hacking] ball. They leave a tribute message to Swartz, which says:
The link to see it is here, and at the time of writing wasn't loading. I'm sure MIT will have the site updated shortly.
It's official: an Android botnet has been found on all major US carriers
Mobile security firm Lookout has found a botnet as of December 3, which it is calling SpamSoldier. The threat was detected with the help of one of Lookout's carrier partners, though which has not been said. The botnet spreads through text messages and has not been detected on any major app store.
Two, of many, spam campaigns are shown below:
US Navy under attack! Navy sees 110,000 cyber attacks every hour
The times are changing and what better way to illustrate this than by telling you how many cyber attacks the Navy sees every hour? The number, by the way, is 110,000, at least according to HP. HP should know, too, as they run the Navy Marine Corps Intranet (NMCI) and protect it from intruders.
At HP's Discover event in Frankfurt, Mike Nefkens, head of enterprise services at HP, told V3, "For the US Navy we provide the network for 800,000 men and women in 2,000 locations around the world, protecting them against 110,000 cyber attacks every hour. This means the attacks average out at about 1,833 per minute or 30 every second."
Wow. Let me grab a calculator. 24 * 365 * 110,000 = 963,600,000. That works out to 963 million attacks every year. That's an incredible number and really illustrates that our nation needs to secure its IT infrastructure more than anything else.
Gary McKinnon hacked NASA looking for proof of UFOs, won't be extradited to the US due to Asperger's
UK citizen Gary McKinnon hacked NASA, the US Army and US Navy systems to the point of effectively crippling the entire US Army's Military District of Washington network. This attack had their systems down for 24 hours and affected over 2000 computers across many states.
At the same time, he gained access to a US Army server which was responsible for managing 2455 accounts, causing the systems to reboot and become inoperable. McKinnon hacked these systems over ten years ago, and British officials are refusing to send the hacker overseas due to concerns he may commit suicide, based on evaluations of McKinnon, who suffers from Asperger's Syndrome and "depressive illness".
Because McKinnon's sentence is estimated at 60 years, mixed with his depressive illness, this is something the UK officials are saying will force McKinnon to take matters into his own hands. It has gone as far as making the UK push this as a matter of human rights.
"miniFlame" virus has been discovered by Kaspersky Labs, designed for cyber espionage
More proof of cyber espionage has surfaced with the discovery of miniFlame, a virus that is small and highly flexible. miniFlame is designed to control systems and steal data and was originally discovered in July 2012. When first discovered, it was thought that the virus was simply a module for the Flame virus.
However, further analysis has shown that the "module" is actually an "interoperable tool that could be used as an independent malicious program, or concurrently as plug-in for both the Flame and Gauss malware." Kaspersky research suggests that there were several versions built during 2010 and 2011, some of which are still on infected machines.
The main findings:
US Secretary of Defense warns that cyberattacks could threaten infrastructure
US Secretary of Defense Leon Panetta warned about cybersecurity on Thursday, saying during a speech that the agency is aware of foreign hackers that have remotely gained access to control systems for vital American infrastructure. Examples of this would be chemical, electricity and water plants.
Panetta stated:
Skype users attacked by 'lol is this your new profile pic?' ransomware and click fraud, be careful of what you click on
Users of the popular video chat and messaging application Skype are being targeted by a round of ransomware and click fraud that is being sent around as a message from contacts. The message reads "lol is this your new profile pic?" and is then followed by a link. The link downloads a zip file, which contains an executable that infects the system.
The executable opens up a Java exploit using BlackHole 2.0. The system is then locked down via the ransomware and displays a message requesting money. GFI, the company that first reported this latest wave, explains how it works:
There's a new Java exploit lurking around, close to 1 billion Macs and PCs are at risk
We're here again, with another exploit to watch out for - this time with security researcher Adam Gowdiak discovering a new zero-day vulnerability in Java. This new bug is said to be in currently-supported versions of Java, such as Java 5, Java 6, and Java 7 and has the ability to allow attackers to install malware on close to 1 billion systems (based on the installation numbers from Oracle themselves).
This exploit affects both Macs and PCs, meaning that any Java-powered PC is at risk. Right now, the exploit doesn't pose much threat to the general public, but Gowdiak, who is known for finding similar issues within Java, has said that he isn't currently aware of any active attacks that exploit this particular vulnerability.
Gowdiak found the exploit last week and has spent the last few days testing a proof-of-concept before he revealed the exploit to Oracle. Oracle has since confirmed the vulnerability with Gowdiak, and has said that it will be fixed in a future security update. Oracle hasn't given a date on when this update will be pushed out, but the next scheduled update is a while away - October 16.
GoDaddy hacked, sites down as result, Anonymous takes credit
A member of Anonymous has claimed responsibility for the hacking of GoDaddy today, which has affected sites across the web. GoDaddy's site has been down today, along with sites hosted with the service. Other sites that use GoDaddy for DNS or other services have also been affected, though not all are down for everyone.
GoDaddy has acknowledged the problem with a Tweet:
AntiSec leaks 1 million Apple UDIDs from a list of 12 million supposedly stolen from FBI laptop
A new leak has shown up on Pastebin. This latest showing comes from AntiSec and contains a list of over 1 million Apple UDIDs, allegedly taken from a list of over 12 million that was on an FBI laptop. The UDIDs were supposedly in the file with other personally identifiable information such as zip codes, names, and other data, but that has been stripped out for the leak.
The file, according to the Pastebin post, came from the Dell laptop of Supervisor Special Agent Christopher K. Stangl which was exploited by a Java exploit back in March 2012. The details of the hack, along with information on how to get the data is available on Pastebin. Several tools have popped up to check if your UDID is on the list.
New Java security exploit means that you should probably disable Java
A new vulnerability has been found in the latest version of Java. The vulnerability is a rather massive hole and users with Java installed in their browser should likely disable it right now to prevent themselves from being infected. Have I scared you enough? But wait, I haven't even told you the problem!
The new security hole allows malicious people to break into users' computers and install nasty malware and viruses. This security hole fits into a category of security flaws known as a "zero-day" threat because it is the first time it has been found. Due to this, there currently exists no way to fix the problem or defend against it, other than disabling Java.
The vulnerabilities were actually found back in April, according to a few sources, and they reportedly told Oracle about the problem. However, Oracle had decided to hold off until the October patch release date to do anything about them. Now, the vulnerabilities have been integrated into BlackHole, a hacking tool.
Google runs Pwnium 2, if you can hack Chrome, there are $2 million in rewards up for grabs
Google have announced the second Pwnium hacking competition after withdrawing from TippingPoint's annual Pwn2Own, which was previously held back in February. Google have thrown $2 million in rewards for anyone who can find bugs in their popular Chrome browser, exploit them and detail how they achieved the hack.
The first Pwnium that was held in March, in Vancouver, only had $1 million up for grabs, and only a slice of that was handed out. This was because there were only two submissions, requiring Google to sign over just $120,000 of the $1 million they had up for grabs. So, what are Google offering? $60,000 for a full Chrome exploit using only bugs found in the web browser itself. $50,000 for a partial Chrome exploit using Chrome itself, or other browser, or Windows flaws such as Webkit or kernel-level flaws.
Finally, $40,000 for a non-Chrome exploit for a bug found in Flash, Windows or a driver. In addition, incomplete or unreliable exploits may be eligible for a prize, where Google have said "our rewards panel will judge any such works as generously as we can". Sounds like Google just want to give money away! Rules have changed from the annual Pwn2Own hacking competition, with TippingPoint no longer requiring entrants to reveal all the details about exploits used to compromise security. Google has said that this change is "worrisome" and decided to leave the competition, promoting their own Pwnium challenge instead.


