Hacking, Security & Privacy - Page 54

This year, so far, has not exactly been a stunning display for Macs. Between the Flashback malware and now this, it really shows just how weak the security of Mac OSX is. The latest blunder by Apple and its security team is that they turned on a debug log file which stores the user's password outside of the encrypted area.

If you were using FileVault prior to upgrading to Lion, it may be time to think about changing your passwords as this would affect you. FileValut 2 users (whole drive encryption) are not affected by this accident. Additionally, if you have Time Machine backups, the plaintext log file has stored your password for the long term.

Security researcher David Emery explains:

I'm sure there will be plenty of people who get up in arms over this, but I tend to agree. Apple is years behind Microsoft in terms of security because they have never had to worry about it since no one ever bothered to write malware or viruses for Macs due to their small market share. As it has increased, Macs has become a more attractive target.

Eugene Kaspersky, CEO of the influential Kaspersky security firm said:

Most people think Macs are safe, and it's definitely a decision that sways some people when purchasing their latest kit. But, according to Sophos, one in five Macs actually harbors some kind of Windows-orientated malware.

The company looked at results over seven days from 100,000 Apple machines using its free anti-virus program, with 20-percent having one or more instances of Windows-based malware. Sophos have warned of this before, where last year they tested 50 USB drives lost in public. To their surprise, as well as mine, two thirds of these were infected. That's 33-percent! Seven of these owners of lost USB flash drives owned a Mac.

In their latest study, Sophos found that just 2.7-percent of the infected Macs actually contained harmful malware, with 75-percent of it being Flashback variants. Of the 20-percent harboring Windows malware, 12.2-percent carried Bredo, a three-year-old Trojan. Sophos does note that some machines contain malware samples that go back to 2007. Sophos have said the following:

A second Mac OSX Trojan has been discovered, but is likely not to be as widespread as the Flashback Trojan due to the process by which it infects the computer. As opposed to the Flashback Trojan which could be caught simply by surfing the internet, this new Trojan requires users to download a malformed Word doc.

Similar to the Flashback Trojan, this new Trojan requires no entering of a username and password so it could catch Mac users off guard. This Trojan should be less widespread due to the fact that users have to download a malformed Word document file. Once opened, it exploits Word and opens a backdoor for hackers to steal information or install further code.

The security vulnerability is actually pretty old. It comes from June 2009, so as long as you keep your Microsoft software up to date, you should be safe from this Trojan. With all of the recent outbreaks of Trojans, it won't surprise me if they start coming more frequently with more capabilities to do destructive things.

Once again, I get to be the bearer of bad news just to keep you, our reader, safe. Facebook's Mobile app for iOS and Android store your login information in a plaintext file that doesn't expire until the year 4001. The Facebook .plist file where your login data is stored could easily be swiped by a USB connection or via malicious apps.

Gareth Wright, a U.K.-based app developer for Android and iOS, is the discoverer of this bug. He discovered it after poking around in the application directories using the free tool iexplorer. He first found a plaintext Facebook Access token that was stored by DrawSomething and was able to query all of his data.

He then took a look at Facebook's directory where he found the .plist in question. He passed this file over to his friend and fellow blogger who, in the next few minutes, started posting status updates, sending private messages, and even liking websites. In other words, he had full control over the account.

The group that everyone has secretly been cheering for has a new branch in China. An Anonymous China Twitter account was created late last month and endorsed by the official Anonymous account. Shortly after all of this, they went to work. Now hundreds of Chinese government, corporation, and other websites have been hacked.

A Pastebin post explains why they are doing this:

Collective hacking group Anonymous are at it again, this time threatening more than just SOPA, PIPA or Facebook. This time they're threatening to take down the entire Internet. This is said to be as a protest to SOPA, Wall Street, the world's irresponsible leaders, and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun.

While I agree with most of those points, why threaten if you can't go through with it? I shouldn't laugh, but I'd cry if the Internet went down on March 31st. So, Anonymous are now saying they "will shut the Internet down" on March 31st. They go into detail, where "in order to shut the Internet down, one thing is to be done. Down the 13 root DNS servers of the Internet, those servers are as follows:"

A 198.41.0.4

A report was released last fall that claimed using a single repeating digit was a stronger pin code for your iPhone than using unique digits. All bets are off, however, when you are dealing with Micro Systemation, a Swedish security firm that helps police and military around the world crack digital security systems.

Just last week, the company released a video showing just how simple it is to crack an iPhone or Android device that is password protected. The video, which you can see below, documents a process where the company spokesperson uses an application called XRY and accesses the contents of the mobile phone in less than two minutes.

Immediately, all user information becomes available. This information includes GPS location, call history, contacts, and messages. The software doesn't use a flaw put there by the manufacturer. Instead it uses a brute-force method to try all of the combinations to guess the correct password. It's more akin to jailbreaking than hacking.

Instead of just sitting around waiting for the police to take action against online crime, Microsoft filed a civil suit in order to gain a warrant to sweep two office buildings in Pennsylvania and Illinois. The sweeps occurred Friday and resulted in a bunch of evidence, deactivated servers, and Microsoft seizing control of hundreds of Web addresses.

Why would Microsoft waste their money filing these civil suits and attacking cyber crime? Well, as it stands, Microsoft has a vested interest in taking down these cyber criminals. Many computers are powered by Windows, and since it has such a large market share, it is a main target for hackers. If Microsoft can make Windows more secure, they can combat Apple's main claim that OSX is more secure and stop losing market share.

Additionally, they can provide a better end-user experience, which Microsoft's customers would appreciate. "Taking the disruption into the courthouse was a brilliant idea and is helping the rest of the industry to reconsider what actions are possible, and that action is needed and can succeed," said Richard Perlotto, director at the Shadowserver Foundation.

This is a cautionary story for all of those iOS 5 users out there, including the new iPad 3 users. Germany security firm MajorSecurity discovered a bug earlier this month that can be used to trick you into visiting potentially malicious Web sites. The bug was first discovered in iOS 5 and was replicated in iOS 5.1. Apple was informed of the bug by MajorSecurity on March 3, but has not yet issued a patch.

"The weakness is caused due to an error within the handling of URLs when using javascript's window.open() method," explained David Vieira-Kurz of MajorSecurity. "This can be exploited to potentially trick users into supplying sensitive information to a malicious Web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site."

Apple has acknowledged the bug, so they should be able to produce a patch, and I would encourage you to upgrade when it becomes available. Until then, watch the sites you go to, as it may not be where the URL bar is telling you you are at. If you would like to see for yourself, go here on your mobile device, select Demo in the upper left corner. This will open a new page that says Apple and looks like Apple but is still on MajorSecurity's server.

We live in a modern age where technology seems to be taking over everything we do, from e-mails taking over for letters, to Turbo Tax taking over handwritten taxes. But, where do we draw the line? Can all of this technology be bad? Well, in one man's case, it is. A bug in the Norwegian's tax web portal has allowed anyone who went there to see his, his wife's, and his employer's information.

Users hoping to get an early start on their taxes went to the site, which resulted in a crash. When the servers were brought back up, everybody was inexplicably logged in as Kennith, the man in question. It seems that his login details were stored in the server's cache when the system went down, and after it was brought back up, logged everyone in as him.

The bug lasted only 15 minutes because they brought the servers back down, however, during that time period, anyone was able to log on and see his very private tax information. This isn't the first time the service has had issues. In response to the recent issues, the managing company has admitted that there were bugs when the system first launched and that they lacked the expertise to properly manage it.

No, I'm not trying to use scare tactics. No, I don't want you to rip out your link to the internet. I just want you to beware: Microsoft may have had a hand in leaking executable code that was used in a proof-of-concept (PoC). The data packet that was used was the same that Luigi Auriemma, an Italian security researcher, discovered and reported way back in May of 2011. Last Tuesday, Microsoft updated all flavors of Windows to patch the critical RDP vulnerability. Both Microsoft, and I, strongly recommend that you update and patch all of your machines running Windows.

Auriemma has stated:

Sony are having a bad time with this hacking news, it just feels like a bad smell that won't go away for them. The latest news is Michael Jackson's entire music catalog was stolen during the hack, which reportedly accounts for some 50,000 individual tracks and a wide variety of unreleased material.

This was known in May of last year, in the aftermath of the hack which left the PlayStation Network and Qriocity (which is now known as Sony Entertainment Network Music Unlimited) users without a server for nearly an entire month. There were two men based in the UK who were arrested with the theft, and have appeared in court where they denied the charges.

The two men were released on bail and are now due to stand trial in January 2013. Sony had originally paid $250 million to the Jackson estate back in 2010 for the rights to literally everything that Michael had recorded, and whilst Sony haven't told us how widespread the theft is, multiple 'sources' have reported that the entire collection was taken.

Last Friday, a group of purportedly Gazan hackers defaced Israel's Fire and Rescue Services website. They didn't just do any old hack, but added a "death to Israel" message on the website and a tweaked picture of Israel's Deputy Foreign Minister, Danny Ayalon, where they superimposed foot prints over his face.

Ayalon is the public official responsible for a strongly worded statement denouncing hacking, likening it to terrorism and threatening (bad move) that:

First up - this does not surprise me. I've thought for a very long time that this happens, as with most things, right under our noses and no one even knows. I'm sure it goes much deeper than this, and we'll never find out just how deep the rabbit hole goes, but on with the news. A group of Indian hackers known as "The Lords of Dharmaraja" had posted documents that were pillaged during the hack of an Indian military network. It was removed, but thanks to Google Cache, you can see an image of it below, and if that's not good enough, click here to read it directly.

Slashdot had reported on it too, and unveils some more info:

Anonymous don't rest during the holidays like most people, they've donned their Santa hats and hacked their way into thousands of credit card numbers and other personal information belonging to clients of a U.S.-based security think tank, Stratfor.

One of the hackers said their goal was to take the funds from individuals' accounts to give away as Christmas donations. Anonymous boasted of stealing Stratfor's confidential client list, which includes entities including Apple, the U.S. Air Force, and even where Dexter Morgan works, the Miami Police Department. They mined it for more than 4,000 credit card numbers, passwords and home addresses.

Stratfor is an Austin, Texas-based company which provides political, economic and military analysis to help clients reduce risk, according to their YouTube page. They charge subscribers for its reports and analysis, which are delivered through the web, e-mail and videos.

U.S. cyber security analysts and experts are reporting that fewer than 12 different Chinese groups are responsible for most of the China-based cyber attacks that have resulted in critical data being stolen from U.S. companies and government agencies. The analysts spoke to The Associated press where they've said the intrusions have resulted in the loss of billions of dollars of intellectual property and other critical data.

The attacks may have been stealthy, agressive and somewhat ninja, but the distinct signatures the hackers leave behind make it possible for U.S. cyber security investigators to more or less accurately identify which teams were responsible for the attacks. According to the report, the U.S. gives unique names or numbers to the attackers, and at times can tell where the hackers are and even who they may be.

It's virtually impossible, however, to prosecute hackers based in China due to the lack of any form of agreement between the two countries. Even if it were 100-percent possible to provide definitive proof of where and who the attacks came from, China would most likely not even bat an eyelid. Given that at least a handful of the groups are believed to have financial backing from the Chinese government or military.

Teampoison are reportedly behind an intrusion into the United Nations, in which they gained access to at least one of the UN's servers, where they stole over 1,000 e-mail addresses, usernames and passwords during the hack.

Teampoison posted their hacked goodies online through Pastebin, along with messages explaining the reasoning behind the attack, where they've said:

Airport body scanners that use X-ray technology have been banned across Europe. Officials have said in a press release that the X-ray technology is now deemed off-limits in order to not risk jeopardizing citizens' health and safety.

Tiny bits of radiation emits from X-rays and have long since been connected to cancer in rare instances by physically damaging DNA. In a letter to ProPublica from the FDA, the agency claims that the risk of fatal cancer from scanners is 1 in 400 million.

Another report from ProPublica says that anywhere between six and 100 US airline passengers could develop cancer each year from walking through the machines. The TSA has responded to the EU's decision to ban the X-ray scanners, revealing that 300 dangerous or illegal items have been found on passengers by using the X-ray scanners. One would think that over the entire course of years using the scanners that finding 300 dangerous or illegal items, is worth the better chance of not getting cancer from the scanners?

Intel and MasterCard have just shaken hands on a new deal for a multi-year strategic collaboration to further enhance the security and consumer payment experience for online shopping. The new collaboration is set to combine MasterCard's expertise in payment processing and commerce with Intel's strengths in silicon innovation and chip-based security.

The deal will provide more options for a safer and simpler checkout process for online merchants and consumers using Ultrabook devices and future generations of Intel-based PCs. Intel and MasterCard are working together to optimize a variety of emerging payments technologies which include MasterCard's PayPass and Intel Identity Protection Technology (IPT). IPT can enable consumers to use strong two-factor authentication and hardware-based display protection.

What this does is provide increased online security against malware, and additionally, when used with an Intel Identity Protection Technology-enabled reader, consumers will be able to pay for online purchases with a simple tap of their PayPass-enabled card, tag or smartphone on an Ultrabook device. The idea is for simplicity-meets-security.