Archive for hack

Snapchat Responds To Hack & Fails To Make Anyone Feel Better

Posted in Commentary on January 3, 2014 by itnerd

It took them a couple of days, but Snapchat has finally responded to the hack that resulted in the user info and phone numbers of 4.7 users being exposed. They posted an entry on their blog late yesterday that, among other things, had this to say:

A security group first published a report about potential Find Friends abuse in August 2013. Shortly thereafter, we implemented practices like rate limiting aimed at addressing these concerns. On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.

We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.

We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.

And to deal with the perception that Snapchat didn’t take what the security researchers said seriously, there’s this:

We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com.

However, if you read through this post, the company never actually says the word “sorry”. They just say that there was a problem, they’re going to fix it, and if you find something, here’s how you contact them. There’s nothing here that should make users feel any safer about using Snapchat. That is a #fail, as user information and phone numbers were exposed. Sure, the phone numbers were partially redacted. But I bet that if someone tries hard enough, they can make use of that info for evil purposes. Thus the company needs to step up and own that. Snapchat also needs to give their users the feeling that they take their privacy seriously and show some remorse over this hack.

We’ll see if Snapchat actually does that, or if they duck, cover, and hope this blows over.

Source Of Apple Device IDs Revealed: NBC

Posted in Commentary on September 10, 2012 by itnerd

You might recall that a ton of device IDs linked to Apple devices were leaked, which threatens iDevice users everywhere. The FBI denied that they were the source for this leak. And it turns out that they were telling the truth. NBC has the source identified:

Paul DeHart, CEO of the Blue Toad publishing company, told NBC News that technicians at his firm downloaded the data released by Anonymous and compared it to the company’s own database. The analysis found a 98 percent correlation between the two datasets.

“That’s 100 percent confidence level, it’s our data,” DeHart said. “As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”

At least the company behind this is taking responsibility for this. But it also really goes to the heart of what Antisec said last week. Whatever. It’s still a clear and present danger to iDevice users out there. That’s something that still needs to be addressed.

Hacker Group antisec Claims Hack Of FBI Laptop Proves FBI Tracking Apple Users [UPDATED]

Posted in Commentary on September 4, 2012 by itnerd

Here’s something that will not make Apple users freak. I’ll let the Toronto Star tell you the details:

Internet activists claim to have hacked more than 12 million identification codes for Apple devices from an FBI agent’s laptop and have posted instructions on online bulletin board Pastebin on how to access one million of the user IDs.

Known as the Anti Security Movement, or Antisec, the group said on a Twitter account belonging to the Anonymous “hacktivist” collective that many of the IDs come complete with the device owner’s personal information.

In a blog post Tuesday that included attacks on security agencies, Antisec said it withheld information such as names, phone numbers and addresses, but left enough for “users to search for their devices.”

The group did not indicate that bank account numbers or passwords were included.

“During the second week of March 2012 a Dell Vostro notebook used by supervisor special agent Christopher K. Stangl from FBI regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,” Antisec said in the post.

“Some files were downloaded from his desktop folder; one of them with the name of NCFTA_iOS_devices_intel.csv turned out to be a list of 12,367,232 Apple iOS devices including unique device identifiers (UDIDs), user names, name of device, type of device, Apple push notification service tokens, zipcodes, cellphone numbers, addresses, etc.”

Antisec said it published the alphanumeric IDs to call attention to the possibility that the FBI had used or was planning to use the information to track citizens.

The FBI was quick to deny this. Here’s what the CBC said:

“The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed,” the agency said in a statement Tuesday afternoon.

“At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

So the question is, whom do you believe? It really doesn’t matter as even if this is half true, it’s something to be concerned about. If you want to see if you’re on the list, you may want to start here for what the group posted. Advance warning, it’s not for the average person. Hopefully someone will take this data and come up with an easy way to search it.

UPDATE: My wish has been granted. Here’s an easy way to see if you’ve been affected.

Citigroup Hacked…. 200,000 Accounts Exposed… And There’s More…..

Posted in Commentary on June 10, 2011 by itnerd

If you’re a Citigroup customer, you might have a reason to worry. You see, Citigroup was the victim of a hack:

Citigroup said late on Wednesday that computer hackers breached the bank’s network and accessed the data of about 200,000 credit-card holders in North America. It would not discuss what new security measures Citi is taking.

If that’s not bad enough, this part will make you change banks:

The third-largest U.S. bank waited more than a month before making the full extent of the breach public, drawing criticism on Thursday from lawmakers and lawyers.

That’s just completely unacceptable.

Here’s what needs to happen. Laws need to be passed that force companies to publicly disclose when something like this happens. Those laws also have to have stiff penalties for not only failing to disclose events like this, but for not dealing with it in a rapid and effective manner. Companies cannot just pull stunts like this and think this is acceptable behavior.

So, what do you think are the odds of this happening?

2000 Canadians May Have Been Victims Of Another Sony Data Breach

Posted in Commentary on May 25, 2011 by itnerd

Gee. You have to wonder if Sony is actually capable of keeping your personal data private. This time 2000 Canadians are asking that question, as Sony Ericsson is admitting to another data breach that makes you think of the PlayStation Network hack:

A Sony spokesman said customers names, email and encrypted passwords may have been taken from a company website. Atsuo Omagari said no credit card information was taken.

Sony Ericsson is a mobile phone joint venture between L.M. Ericsson of Sweden and Sony.

The breach was discovered Tuesday, and there are no reports of damage from the breach.

Lovely. At least they got the news out quickly. But you’ll have to excuse me as my trust level with this company plummets as events like these keep happening. Sony really needs to step up and detail how they plan on securing their customers’ information so that customers actually have confidence in them. Otherwise, they may not have customers.

So, how about it Sony?

Smartphones Escaped Unharmed In Pwn2Own Contest

Posted in Commentary on March 25, 2009 by itnerd

Seeing that every major browser got hacked in this contest, it was kind of surprising to read that all 5 smartphone platforms escaped without being hacked. So the stuff on your Blackberry, iPhone, Symbian OS phone, Windows Mobile Phone and Android phones is totally safe…. At least until next year:

Even though there were no winners last week, Forslof said TippingPoint is planning to include a mobile component in next year’s PWN2OWN contest, which is held at the CanSecWest security conference in Vancouver, British Columbia, each March. “Where there is an opportunity, our [security] community finds a way,” she said. “I am expecting, absolutely, that the research community will find ways around the limitations of mobile.”

Lovely. What’s even better is that the iPhone might have been hacked, if the prize money was better:

Even though none of the phones was hacked, one could have fallen if a researcher had wanted to part with the vulnerability, Forslof maintained. “There was an exploit at the show that could have broken the iPhone,” she said. “But the researcher said that the $10,000 wasn’t enough to part with that level of vulnerability.”

I guess they need to up the prize money to account for the greedy.

Expect to see phones get hacked next year. I’m calling it now.

New Threat Targets Routers And Dumb People

Posted in Security, Tips on March 24, 2009 by itnerd

A new bit of nasty code called “psyb0t” is making the rounds today. It’s a piece of malware that is backed up by a rather large botnet and is designed to attack Linux-embedded routers. Here’s the kicker: it tries to take over routers where the default user name and password have not yet been changed, or were changed to something too simple.

In other words, it targets users who are too dumb to have a reasonably secure password on their router.

I’ve reported on an exploit like this previously, and the advice that I had then still applies now. So if you haven’t already changed the password on your router (or hopped through a few extra hoops if you’ve got WiFi), now would be a good time to do that.

Otherwise, you’ll join the ranks of dumb people.

Palin E-mail “Hacking” Trial Delayed

Posted in Commentary on November 18, 2008 by itnerd

The trial of David Kernell, who is accused of “hacking” ex-VP candidate and MILF Sarah Palin, has been delayed until next May. The trial was originally slated to start on December 16, but was delayed due to the need to carry out computer forensics analysis relevant to the case.

Perhaps this will give his father, Tennessee Democrat legislator Mike Kernell, time to bail his ass out of trouble, er, come to an agreement that makes everybody happy.

Comcast.net Hackers Speak…. This Is Too Funny – NSFW

Posted in Commentary on May 30, 2008 by itnerd

If you want some cheap entertainment, take a look at this Wired article which has an interview with the guys who hacked Comcast.net (as I reported here yesterday). This interview absolutely had me laughing my head off.

Some observations.

  1. According to the hackers, they warned Comcast first but were blown off: “If he wasn’t such a prick, he could have avoided all of that,” says EBK.
  2. There’s a picture of one of the hackers (apparently from his MySpace account) using a bong. The fact that someone actually set up a camera in his (or his parents’) bathroom to take a picture of himself using a bong, and then posted it on his MySpace account, is just sad.
  3. They’re no strangers to law enforcement: “I slept in my clothes, because the last time they came, I was in my underwear with my dong hanging out and shit,” says Defiant.
  4. They did it because they hate Comcast’s service (Comcast has bad service? That can’t be true!): “I wasn’t even really thinking. Plus, I’m just so mad at Comcast. I’m tired of their shitty service.”
  5. They could have done more damage than they did: “Nobody was listening in on the ports to try and get usernames and password,” says Defiant. “We could have, but we didn’t.”
  6. The hackers apparently used a social engineering attack. Network Solutions says that’s bogus: “There was no breach in our system or social engineering situation on our end.”

So, I expect the following will happen:

  • They’ll be arrested and perp walked.
  • These hackers’ 15 minutes of fame will turn into 15 months of prison time. Then they will become “consultants” when they get out.
  • Network Solutions will quietly fix their social engineering issues before someone sues them.
  • Comcast will go on with business as usual.
  • Someone else will do something to Comcast because of their Comcastic service.

Let’s see what happens next.

Your Router May Not Be Safe From Hackers

Posted in Security, Tips on April 8, 2008 by itnerd

If you’ve got a router on your home computer network made by D-Link or Linksys, among others, then you need to read this story: researcher Dan Kaminsky (who will give the details of his hack tomorrow at the RSA Conference) has discovered a way to take over a router using a specially crafted web page. Here’s how PC World describes the hack:

“The victim would visit a malicious Web page that would use JavaScript code to trick the browser into making changes on the Web-based router configuration page. The JavaScript could tell the router to let the bad guys remotely administer the device, or it could force the router to download new firmware, again putting the router under the hacker’s control.”

This hack relies on the fact that the administrative passwords are rarely changed on most consumer routers by the people who own them, or are easily guessed. So the best way to protect yourself from this type of hack is to do two things:

  1. Disable remote administration: This feature allows you to remotely administer the router from OUTSIDE your network. That’s a major security risk. Most routers have this feature turned off by default and you should ensure it stays that way.
  2. Change the administrative password of the router when you install it: I can’t stress this enough. You wouldn’t leave your front door open on your home. Why do the same with your router? Pick a password that is not easily guessed or has special characters in it (for example, you could pick the word “password” but type “pa$$word” instead). While you’re at it, you should do the same thing for any wireless access you may have so that you stop the bad guys from using your Internet connection behind your back.

If you’re not sure how to do either of those items, consult your manual or check the support section of the company that makes your router. They often have “how to” guides that can be of assistance.