Posts with tag hack

iCloud lacked brute force detection

Apple begins investigating nude celebrity photos leak, iCloud may be the cause


By now, you probably know that a number of celebrities have been the target of a nude photo leak that has said to have lead to the leak of potentially hundreds of photos and videos. Of course, this vehement violation of human privacy is a despicable act in and of itself – the thought that there are individuals out there who would go to any length to obtain such photos and violate women (and men) is nauseating. But where there’s a will, there’s a way – and unfortunately, Apple seems to be at the center of that way.

According to new reports, the leak stem from a security issue that was previously present in Apple’s iCloud cloud storage system. iCloud automatically backs up a user’s photos (among other data) into the cloud, which can then be downloaded to any authorized computer capable of logging into the iCloud account. Hackers claim that Apple had failed to implement any sort of brute force detection software into iCloud’s login authorization, a loophole that enterprising hackers worked around using software called iBrute, which “guessed” at password combinations at a dizzying speed.

Essentially, in layman’s terms, that means that anybody with the knowledge of a celebrity’s iCloud email address would be able to keep guessing at their password until they hit on the correct password by chance, forever. A simple loophole, which Apple has reportedly now implemented, stops users from trying passwords after a couple of incorrect guesses. The new protection is similar to how Apple’s iOS software locks users out of devices after a number of incorrect passcode guesses.

While there’s yet to be any confirmation from either Apple or the supposed hacker that this method was the one used to illegally obtain the celebrity’s passwords, Apple has confirmed that they are investigating their role in the issue, if any. Still, the fact that this loophole existed and had been easily exploitable up until just today indirectly implies it could have been the root cause.

Source: Re/code

Security at its finest

Samsung’s new fingerprint scanner easily spoofed

glam_galaxy-s5_groupThat fancy fingerprint scanner in your new Samsung Galaxy S5? Turns out, it’s easily spoofed from nothing more than a photograph of your fingerprint.

A German security team, Security Research Labs, was easily able to spoof the system due to the way it’s implemented in other devices which makes it a higher risk. The video, embedded after the break, not only shows the team gaining access to the device by using a fake fingerprint but it also shows them gaining access to PayPal which also supports the new sensor and is just as easily faked out as the rest of the phone.

Interestingly, Ars Technica reports that this spoofing method doesn’t work against Apple’s Touch ID system but does work on the S5. Given that the team acquired the fingerprint simply by taking a photo of a fingerprint left on a screen, it’s very easy to replicate this attack and gain access to everything, especially when you consider just how many smudges are often left on a phone screen.

The video showing off this spoofing attack is embedded after the break.
Source: Ars Technica

It's under attack!

Skype Facebook and Twitter accounts hacked by Syrian Electronic Army


It’s safe to say that Microsoft’s new year isn’t off to an exceptional start as reports are indicating that Microsoft’s official Skype accounts on both Facebook and Twitter have been hacked by none other than the hacker group known as the Syrian Electronic Army.

The hacks, which appeared to take place earlier this morning, involved no risk to consumers or customers – unlike a certain Snapchat hack that was released this morning – but they are troubling signs that Microsoft hasn’t quite been able to lock down their accounts satisfactorily. Hackers posted numerous messages on Skype’s social media accounts as well as on the official Skype Blog, which can be seen in the screenshot above.

Posts made by the Syrian Electronic Army warned Microsoft customers not to “use Microsoft emails (hotmail,outlook), They are monitoring your accounts and selling the data to the governments.” While these accusations are far from new, we have no confirmed reports that this is absolutely the case – even if the NSA has been doing some pretty nasty dealings lately.

Via: ZDNet

Having mined the leaked database themselves

Facebook prompts you to change your password after Adobe hack

fbadobeAfter Adobe got hacked and 38 million accounts were leaked, Facebook is prompting its users to change their password if they used the same login details on Adobe’s website. Other services like and have also done something similar.

But you may ask, how do these websites know? It appears that Facebook has gotten ahold of these 38 million entries and is mining through all of them, checking to see which details match with their own set of IDs. Despite the fact that Adobe used a single encryption key, thus allowing anyone who calculates it access to every password, I’m not entirely sure what to think of companies rolling through the leaks in the name of better security. That said, this notification does serve as a reminder to use a unique password for every website you register on.

Source: Krebson Security
Via: Engadget

That's quite the exploit

Ubisoft UPlay gets hacked, outs numerous unreleased titles

Far Cry 3 Blood Dragon Logo

Ubisoft’s UPlay software, which allows is a DRM, game management, and multiplayer service for Ubisoft titles in a similar vein to parts of Origin, has been exploited today allowing hackers to download and play any game compatible with the service totally free of charge, and free of DRM. What’s most interesting is that the exploit also allows for users to download and play unreleased games, many of which have leaked to various public BitTorrent trackers and other forms of P2P software over the last couple of hours.

One only has to search for “Far Cry 3: Blood Dragon”, an unreleased and previously rumored Ubisoft game set in the Far Cry universe, to see the extent of the damage. Little was known about the game prior to this exploit; now we have full plot details, walkthroughs on YouTube, box art, and even the full game available for download free of charge.

Ubisoft has not yet commented on the exploit and sensitive data pertaining to UPlay users are reportedly safe from the exploit, however we will keep a close eye on the situation until we know more.

Via: The Verge
Source: Gameranx

We love you too, Apple

Security hole allows Apple ID to be hacked with DOB and email address

applelogoIt seems Apple hasn’t been very secure lately. First a few rounds of iOS lock screen bypasses, and now someone has figured out how to reset your Apple ID’s password with just your date of birth and your email address.

The exploit comes after Apple added two-step verification to their Apple ID and iCloud services. Unfortunately, the change also introduced said reset method for anyone who hasn’t yet migrated their account which at this point will be most people. To perform the reset, all one needs to do is use a malformed URL when visiting the iForgot page, and then entering your date of birth. That’s it.

Scary, right? We hope that this huge flaw will be fixed soon and will keep you up-to-date when it is.

Update 3:28PM CSTEngadget is now reporting that the password reset page has been taken offline. Hopefully when it returns, the hole will be patched.

Source: The Verge

This is illegal, you know

Security researcher scans the Internet, gains 9TB in IP scans

In what is perhaps one of the biggest botnet reports ever, an anonymous hacker/security researcher made a botnet of over 420,000 Internet-enabled devices. What did he do with this botnet? He scanned the Internet, of course.

In this search, there were 420 million IPv4 addresses that were scanned, and 36 million of those had ports open. According to the report, most of those devices were things like broadband modems, routers and other embedded devices that shouldn’t be accessible to the outside world.

This botnet wasn’t a “dumb” botnet, which relies on an unsuspecting victim to install the botnet software; once this botnet was started it began searching the Internet for these small embedded devices and then it tried to log into the device by using no credentials or device defaults of “root” and “admin” and if it succeeded, then it would try to install itself. This type of “zombification” has been used by other hackers before, but they normally targeted platforms such as Windows.

Once the botnet was started, its growth was like that of a virus – hitting 100,000 clients within a day of the activation. According to the report, about 4,000 clients could scan for one single port on 3.6 million IP addresses per day. And, you may be wondering just how much data all these clients gathered. After the research was done, the hacker says he collected more than nine terabytes worth of data. Nine terabytes.

The program also performed 52 billion ICMP pings and 2.8 billion SYN scans. The hacker says that the program took special care not to disrupt the normal operation of the devices it infected. After all, the only way to tell if you’re infected is when you start seeing symptoms of it.

The legality of such a scan is a grey area, however. The program used to perform this scan, as was mentioned earlier, scanned for weakly secured devices, broke into them and installed itself, allowing the hacker to do as he pleased with them. At the same time, the scan appears to have been done not to harm people but to learn just how secure the Internet really is.

So, what have we learned here? We have learned that embedded devices are really not that secure – most people don’t change the default credentials in their router, or there may be fundamental flaws in the device’s OS that makes it so easy to exploit. And the worst part is, I’ve done some research into embedded device security and for the most part, the manufacturers do not care about embedded security.

And now I’d like to link you to the original article. It contains a lot of great information if you’re interested in computer security.

Source: ArsTechnica

As one vulnerability closes, another one opens

EA’s Origin gets hit with a major remote execution exploit

If you use Origin for whatever reason, we give our condolences. We also give you some rather important news about Origin and PC security: It turns out that if you use Origin, your PC is at risk for a remote execution exploit that apparently takes seconds to perform.

The exploit comes from the way Origin handles game launching; a hacker can give you a link with a remote hosted DLL containing malicious code, and Origin will execute it. A similar attack happened to Steam last October, according to ArsTechnica.

EA has said they are aware of the issue and will be investigating it. There was no mention of when, or even if, the exploit would be patched. Hopefully the exploit will be patched, but we will see.

In the meantime, we advise you not to use Origin. If you absolutely have to, take extreme caution in what links you click. Who knows what evils the black hat hackers might have in mind for your machine?

Source: ArsTechnica
Via: The Verge

Blizzard, OMGPOP both get compromised in database hacks

Protecting one’s digital identity is almost as important in today’s day and age as protecting one’s actual identity, but both seem to be becoming increasingly harder as hackers continue to figure out new and inventive ways to compromise even our most trusted company’s online databases, stealing large amounts of incredibly valuable information.

Today, both Blizzard and OMGPOP have fallen victim to such compromises as both companies announce that hackers have seemingly made their way into their secure databases and exported usernames, passwords, emails, and more. The attacks don’t seem to be related, however it’s far too early to tell for certain without any sort of investigation.

In regards to Blizzard, hackers have apparently compromised and collected usernames, passwords, e-mail addresses, and security questions relating to a user’s Blizzard account. If you’re wondering if you’ve got a Blizzard account or are at all unsure – if you play Starcraft, Diablo III, or World of Warcraft, you do – and you’re more than likely a victim. Luckily, hackers don’t appear to have had access to users’ payment information, but damage is damage.

Turning to OMGPOP, the company sent out an e-mail to all users of their forums today announcing that the database that stores user account information has been compromised. This doesn’t affect all users – only members of their online community – but does include your email address, though not your OMGPOP password.

We’d highly recommend that users of both communities do whatever they feel is appropriate to protect themselves, including changing their passwords or creating new e-mail addresses entirely.

Via: ArsTechnica