DenialOfService
Latest
Xbox Live and PlayStation Network both down due to an apparent attack
Merry Christmas, game fans: Both Xbox Live and PlayStation Network are down this morning, apparently due to a denial-of-service attack. The notorious hacking group Lizard Squad -- which already carried out earlier attacks on Microsoft and Sony -- has claimed responsibility on Twitter for these latest outages. While Lizard Squad's role in all of this remains unconfirmed, the group did threaten last week to take down Xbox Live and PSN, according to Business Insider. Regardless of who's behind this, the timing is obviously terrible: Plenty of people surely received one of the two consoles as Christmas presents today, while many more gamers would have happily spent the afternoon in front of the TV. In the meantime, both Sony and Microsoft have acknowledged the problem, with Sony issuing a tweet and Microsoft posting a message on its website: "We're working to address this as quickly as we possibly can," reads its status website. "Thanks for your patience, Xbox members." In an email, a Microsoft spokesperson declined to comment further or say when the company expects to restore service. We've also asked Sony to comment and will update this post if and when it does.
PlayStation Network goes down following cyberattacks (update 2: Xbox as well)
Sony may be experiencing a few unpleasant flashbacks this weekend. Both the PlayStation Network and Sony Online Entertainment (SOE) are slowly recovering from a denial of service attack that flooded their server connections, kicking many gamers offline. The group claiming responsibility, Lizard Squad, reportedly started out bombarding servers run by Blizzard (World of Warcraft), Grinding Gear Games (Path of Exile) and Riot Games (League of Legends) before swinging its attention Sony's way.
Text message exploit can force your Nexus phone to reboot (updated)
Watch out if someone sends a flood of text messages to your Nexus phone -- they may be trying to break in or otherwise cause havoc. IT administrator Bogdan Alecu has discovered an Android bug that triggers exploitable behavior in the Galaxy Nexus, Nexus 4 and Nexus 5 whenever they're hit by a large volume of Class 0 SMS messages, or texts that aren't automatically stored on the phone. The denial of service attack usually forces the handset to reboot, but it can also disable the network connection (if temporarily) or crash the messaging app. Non-Nexus hardware appears to be safe, although Alecu notes that he hasn't had a chance to test a wide variety of gadgets. Regardless of the problem's scale, affected users will have to be cautious for a while; Google tells PCWorld that it's looking into the exploit, but there's no word on just when we can expect a patch. Update: There's already a firewall app in Google Play that protects against the exploit. Thanks, Chipsy4!
Prank crashes iMessages
Late last week, several iOS developers were hit with a denial of service attack that used Apple iMessages as the vector. According to a report in The Next Web, Grant Paul (chpawn), iH8sn0w and a half-dozen other developers were flooded with text messages that crashed the iMessages app on iOS. The person or group behind the attack is not known, but The Next Web believes it originated with a Twitter account that sells UDIDs and provisioning profiles to iOS owners who want to sideload pirated apps. The attacker likely used the OS X Messages app and Applescript to automate the sending of text messages. When the attack was in full swing, the recipient is forced to clear a non-stop stream of notifications and messages. Unforunately, there is no way for a user to stop an influx of messages destined for their inbox. Once your iMessage ID is known publicly, anyone can send you an iMessage. Because there is no option to block messages from a specific iMessage sender, you are forced to either read every incoming message or turn off iMessages completely. This problem is compounded in iOS 6 and OS X Mountain Lion as Apple allows you to associate both your phone number and your email address with your iMessage ID. Phone numbers are usually kept private, but an email address can be easy to find with just a bit of Googling. If a malicious person discovers your iMessages email, there is no way to stop him or her from clogging your inbox with messages. Hopefully, Apple reads these reports and develops a way to detect and shut off this bulk spamming before it hits the recipient's devices. For a user, the best way to avoid this type of attack is to keep your iMessage email and phone number out of the public realm. If possible, use a public email address for your website and a private one for your iMessage ID. If your iMessage email is already out there, you can always disable receiving iMessages to that email address. On iOS, you can go to Settings > Messages > Send & Receive to change the numbers and email addresses that can receive a message. On OS X, open the Messages app and select "Messages" from the menu. Then select Preferences and click on the Accounts tab. Click on your iMessage ID and make sure your email address is not selected under the "You can be reached for messages at:" heading.
Iran claims to have been hit by 'heavy' cyber attack, pins slowdowns on coordinated hacking campaign
Whatever you think of Iran's politics, it's hard to deny that the country has frequently been the target of internet-based attacks that sometimes go beyond the originator's plans. If you believe High Council of Cyberspace secretary Mehdi Akhavan Behabadi, the pressure is only getting worse. He tells Iranian media that the nation is under "constant" digital bombardment and was just hit with a major assault on Tuesday that bogged down local internet access. Behabadi unsurprisingly contends that the attacks are deliberate efforts to undermine Iran's data, nuclear and oil infrastructures, with a finger implicitly pointed westward. While it's no secret that the country's enemies want to slow down what they see as a rush towards nuclear weapons, it's difficult to know how much of the accusation is serious versus bluster: we've seen individual smartphone users who consume more than the "several gigabytes" of traffic that reportedly caused national chaos in the most recent incident. No matter the exact nature, it's likely that residents stand to lose as Iran fences off the internet to keep outside influences, hostile and otherwise, from getting in. [Image credit: Amir1140, Wikipedia]
Microsoft decides to pass on WebGL over security concerns (Update: iOS 5 supports WebGL, sort of))
Well, it looks like Microsoft is taking those warnings about WebGL pretty seriously. The company has decided not to support the web-based 3D standard because it wouldn't be able to pass security muster. Highest on the list of concerns is that WebGL opens up a direct line from the internet to a system's GPU. To make matters worse, holes and bugs may crop up that are platform or video card specific, turning attempts to plug holes in its defense into a game of whack-a-mole -- with many players of varying reliability. Lastly Microsoft, like security firm Context, has found current solutions for protecting against DoS attacks rather unsatisfying. Lack of support in Internet Explorer won't necessarily kill WebGL and, as it matures, Microsoft may change its tune -- but it's still a pretty big blow for all us of hoping the next edition of Crysis would be browser-based. Update: As is usually the case Apple and the Windows folks are on opposite sides of this one. In fact, the Cupertino crew plans to bring WebGL to iOS 5 with one very strange restriction -- it will only be available to iAd developers. Now, chances are it will eventually be opened up in mobile Safari for everyone, but for the moment it seems browser-based 3D graphics will be limited to advertisements on the iPhone. Still, that's another big name throwing its support behind the burgeoning standard. [Thanks, Greg]
WebGL flaw leaves GPU exposed to hackers
Google spent a lot of time yesterday talking up WebGL, but UK security firm Context seems to think users should disable the feature because it poses a serious security threat, and the US Computer Emergency Readiness Team (CERT) is encouraging people to heed that advice. According to Context, a malicious site could pass code directly to a computer's GPU and trigger a denial of service attack or simply crash the machine. Ne'er-do-wells could also use WebGL and the Canvas element to pull image data from another domain, which could then be used as part of a more elaborate attack. Khronos, the group that organizes the standard, responded by pointing out that there is an extension available to graphics card manufacturers that can detect and protect against DoS attacks, but it did little to satisfy Context -- the firm argues that inherent flaws in the design of WebGL make it very difficult to secure. Now, we're far from experts on the intricacies of low-level hardware security but, for the moment at least, there seems to be little reason for the average user to panic. There's even a good chance that you're not vulnerable at all since WebGL won't run on many Intel and ATI graphics chips (you can check by clicking here). If you're inclined to err on the side of caution you can find instructions for disabling WebGL at the more coverage link -- but come on, living on the cutting edge wouldn't be anywhere near as fun if it didn't involve a bit of danger. [Thanks, Tony]
Security experts unearth unpleasant flaws in webOS
Researchers from security firm SecTheory have described a handful of flaws in webOS, saying that the platform -- by its very nature -- is more prone to these sorts of things than its major competitors because Palm puts web technologies like JavaScript closer to webOS' core where system functions are readily accessible. At least one of the flaws, involving a data field in the Contacts app that can be exploited to run arbitrary code, has already been fixed in webOS 2.0 -- but the others are apparently still open, including a cross-site scripting problem, some sort of floating-point overflow issue, and a denial-of-service vector. We imagine Palm will get these all patched up sooner or later, but as SecTheory's guys point out, how long is it until mobile malware becomes a PC-sized problem?
New iPhone and iPod touch Safari exploit discovered
It's difficult to tell if this is just a little fear-mongering, or cause for real concern, but it looks like there's another iPhone / touch exploit out there lurking on the unseen horizons of those device's browsers. According to reports, a memory exploit -- similar to the previously-patched TIFF exploit -- has been discovered which affects units with firmware 1.0.2 all the way up to 1.1.3, thus carrying over to new 16GB iPhones and 32GB touches. Apparently, all you have to do is browse over to a site containing the malicious code, and it triggers a memory-exhausting script which causes the phone or iPod to crash. At this point, it doesn't appear to be anything more than a nuisance which can be easily circumvented by disabling JavaScript for Safari, though that hardly qualifies as a fix. To date, Apple hasn't issued a patch for the problem, but keep in mind it's only been a known issue since January 24th.[Via iPhone World]
Did a DoS Attack Bring Down the Warcraft Servers?
If you attempted to play this weekend, chances are you had trouble logging in, were repeatedly disconnected, or were plagued with server lag. But while Blizzard claimed it was an ISP issue, some wonder if it wasn't a targeted DoS attack. Traffic logs from Netcraft show patterns similar to such an attack, though there's no official word on it, either way.
