Posts with tag hack
iCloud lacked brute force detection
By now, you probably know that a number of celebrities have been the target of a nude photo leak that has said to have lead to the leak of potentially hundreds of photos and videos. Of course, this vehement violation of human privacy is a despicable act in and of itself – the thought that there are individuals out there who would go to any length to obtain such photos and violate women (and men) is nauseating. But where there’s a will, there’s a way – and unfortunately, Apple seems to be at the center of that way.
According to new reports, the leak stem from a security issue that was previously present in Apple’s iCloud cloud storage system. iCloud automatically backs up a user’s photos (among other data) into the cloud, which can then be downloaded to any authorized computer capable of logging into the iCloud account. Hackers claim that Apple had failed to implement any sort of brute force detection software into iCloud’s login authorization, a loophole that enterprising hackers worked around using software called iBrute, which “guessed” at password combinations at a dizzying speed.
Essentially, in layman’s terms, that means that anybody with the knowledge of a celebrity’s iCloud email address would be able to keep guessing at their password until they hit on the correct password by chance, forever. A simple loophole, which Apple has reportedly now implemented, stops users from trying passwords after a couple of incorrect guesses. The new protection is similar to how Apple’s iOS software locks users out of devices after a number of incorrect passcode guesses.
While there’s yet to be any confirmation from either Apple or the supposed hacker that this method was the one used to illegally obtain the celebrity’s passwords, Apple has confirmed that they are investigating their role in the issue, if any. Still, the fact that this loophole existed and had been easily exploitable up until just today indirectly implies it could have been the root cause.
Security at its finest
A German security team, Security Research Labs, was easily able to spoof the system due to the way it’s implemented in other devices which makes it a higher risk. The video, embedded after the break, not only shows the team gaining access to the device by using a fake fingerprint but it also shows them gaining access to PayPal which also supports the new sensor and is just as easily faked out as the rest of the phone.
Interestingly, Ars Technica reports that this spoofing method doesn’t work against Apple’s Touch ID system but does work on the S5. Given that the team acquired the fingerprint simply by taking a photo of a fingerprint left on a screen, it’s very easy to replicate this attack and gain access to everything, especially when you consider just how many smudges are often left on a phone screen.
The video showing off this spoofing attack is embedded after the break.
Source: Ars Technica
It's under attack!
It’s safe to say that Microsoft’s new year isn’t off to an exceptional start as reports are indicating that Microsoft’s official Skype accounts on both Facebook and Twitter have been hacked by none other than the hacker group known as the Syrian Electronic Army.
The hacks, which appeared to take place earlier this morning, involved no risk to consumers or customers – unlike a certain Snapchat hack that was released this morning – but they are troubling signs that Microsoft hasn’t quite been able to lock down their accounts satisfactorily. Hackers posted numerous messages on Skype’s social media accounts as well as on the official Skype Blog, which can be seen in the screenshot above.
Posts made by the Syrian Electronic Army warned Microsoft customers not to “use Microsoft emails (hotmail,outlook), They are monitoring your accounts and selling the data to the governments.” While these accusations are far from new, we have no confirmed reports that this is absolutely the case – even if the NSA has been doing some pretty nasty dealings lately.
Having mined the leaked database themselves
After Adobe got hacked and 38 million accounts were leaked, Facebook is prompting its users to change their password if they used the same login details on Adobe’s website. Other services like Soap.com and Diapers.com have also done something similar.
But you may ask, how do these websites know? It appears that Facebook has gotten ahold of these 38 million entries and is mining through all of them, checking to see which details match with their own set of IDs. Despite the fact that Adobe used a single encryption key, thus allowing anyone who calculates it access to every password, I’m not entirely sure what to think of companies rolling through the leaks in the name of better security. That said, this notification does serve as a reminder to use a unique password for every website you register on.
That's quite the exploit
Ubisoft’s UPlay software, which allows is a DRM, game management, and multiplayer service for Ubisoft titles in a similar vein to parts of Origin, has been exploited today allowing hackers to download and play any game compatible with the service totally free of charge, and free of DRM. What’s most interesting is that the exploit also allows for users to download and play unreleased games, many of which have leaked to various public BitTorrent trackers and other forms of P2P software over the last couple of hours.
One only has to search for “Far Cry 3: Blood Dragon”, an unreleased and previously rumored Ubisoft game set in the Far Cry universe, to see the extent of the damage. Little was known about the game prior to this exploit; now we have full plot details, walkthroughs on YouTube, box art, and even the full game available for download free of charge.
Ubisoft has not yet commented on the exploit and sensitive data pertaining to UPlay users are reportedly safe from the exploit, however we will keep a close eye on the situation until we know more.
We love you too, Apple
It seems Apple hasn’t been very secure lately. First a few rounds of iOS lock screen bypasses, and now someone has figured out how to reset your Apple ID’s password with just your date of birth and your email address.
The exploit comes after Apple added two-step verification to their Apple ID and iCloud services. Unfortunately, the change also introduced said reset method for anyone who hasn’t yet migrated their account which at this point will be most people. To perform the reset, all one needs to do is use a malformed URL when visiting the iForgot page, and then entering your date of birth. That’s it.
Scary, right? We hope that this huge flaw will be fixed soon and will keep you up-to-date when it is.
Update 3:28PM CST – Engadget is now reporting that the password reset page has been taken offline. Hopefully when it returns, the hole will be patched.
Source: The Verge
As one vulnerability closes, another one opens
If you use Origin for whatever reason, we give our condolences. We also give you some rather important news about Origin and PC security: It turns out that if you use Origin, your PC is at risk for a remote execution exploit that apparently takes seconds to perform.
The exploit comes from the way Origin handles game launching; a hacker can give you a link with a remote hosted DLL containing malicious code, and Origin will execute it. A similar attack happened to Steam last October, according to ArsTechnica.
EA has said they are aware of the issue and will be investigating it. There was no mention of when, or even if, the exploit would be patched. Hopefully the exploit will be patched, but we will see.
In the meantime, we advise you not to use Origin. If you absolutely have to, take extreme caution in what links you click. Who knows what evils the black hat hackers might have in mind for your machine?
Protecting one’s digital identity is almost as important in today’s day and age as protecting one’s actual identity, but both seem to be becoming increasingly harder as hackers continue to figure out new and inventive ways to compromise even our most trusted company’s online databases, stealing large amounts of incredibly valuable information.
Today, both Blizzard and OMGPOP have fallen victim to such compromises as both companies announce that hackers have seemingly made their way into their secure databases and exported usernames, passwords, emails, and more. The attacks don’t seem to be related, however it’s far too early to tell for certain without any sort of investigation.
In regards to Blizzard, hackers have apparently compromised and collected usernames, passwords, e-mail addresses, and security questions relating to a user’s Blizzard account. If you’re wondering if you’ve got a Blizzard account or are at all unsure – if you play Starcraft, Diablo III, or World of Warcraft, you do – and you’re more than likely a victim. Luckily, hackers don’t appear to have had access to users’ payment information, but damage is damage.
Turning to OMGPOP, the company sent out an e-mail to all users of their forums today announcing that the database that stores user account information has been compromised. This doesn’t affect all users – only members of their online community – but does include your email address, though not your OMGPOP password.
We’d highly recommend that users of both communities do whatever they feel is appropriate to protect themselves, including changing their passwords or creating new e-mail addresses entirely.