hacker

Latest

  • Hackers' next target: your in-car navigation system

    by Darren Murph
    03.31.2007

    We hate to break it to you, but that oh-so-reliable GPS system that you simply obey each day could eventually lead you down a dark, perilous path. No, we're not referring to the blind faith drivers who throw caution and common sense to the wind and drive directly into sandpiles and bodies of water, but a new discovery has found that the unencrypted data that's beamed to drivers every day via RDS-TMC navigation systems could be undermined with relative ease. Andrea Barisani, chief security engineer with Italian consultancy Inverse Path, has claimed that the wireless signals could not only be intercepted, but incorrect directions could actually be used to lead motorists into a trap, direct traveling competitors away from a sales presentation, or create a massive gridlock by instructing the weary working crowd to all take the same "detour" home. It was noted that some firms are already looking into more secure methods of delivering such critical information, and considering the lessons we've already learned about GPS-addicted drivers, the updates can't come soon enough. [Thanks, Andrea B.]

  • Nike+iPod Serial-to-USB adapter tracks nearby runners

    by Darren Murph
    02.27.2007

    While not even the Nike+iPod was exempt from a bit of tinkering in its lifetime, this well-planned modification certainly takes the cake. In what's sure to drive privacy advocates unnecessarily mad, the crafty gurus over at Spark Fun Electronics have taken those widespread Nike+iPod tracking warnings and developed a product to exploit them, resulting in the Nike+iPod Serial-to-USB adapter. Deemed a "simple interface" to plug the Nike+iPod receiver into your USB port, the device then utilizes a VB program "to listen for all foot pods in range and display the raw data including foot pod IDs." Essentially, you can turn your PC into a spying machine for tracking nearby runners, but considering the range on this thing tops out around 60 feet, your best option is to grab your laptop and camp out under the brush at a nearby running trail, but you didn't hear that from us. Of course, this creation could indeed be used for less devious matters, but regardless of your intentions, you'll be forced to buy at least ten units at $22.46 apiece, but we all know the truly voyeuristic will need a few dozen just to get started. [Via Podophile]

  • PSP hackers Dark Alex and Fanjita unmasked

    by James Ransom-Wiley
    02.27.2007

    Heroes. Villains. Homebrewers. Pirates. The hackers behind some of the most significant PSP security breaches to date have been called many things. A new BBC report does little to settle the ethical debate, but does demystify a pair of thorns in Sony's side. Fanjita, best known for his GTA: LCS eLoader exploit, is none other than mild-mannered David Court, a 34-year-old professional programmer who writes server software for telecommunications companies. Court, who spends an hour or so each night tinkering with his PSP, resides in Edinburgh, Scotland with his wife. He is also a martial arts enthusiast. In recent months, Fanjita's celebrity has been eclipsed by hacker Dark Alex, whose custom firmware has opened the PSP wide open. A student from Spain by day, Dark Alex derives his moniker from his real name Alejandro. He favors all things goth and finds comfort in manga and cats. "I think it is up to users to make the correct decisions about how to use my software," says Alejandro. "I believe in the presumption of innocence, unlike the media companies." [Thanks, Brian]

  • Unofficial patch for Treo vulnerability loosed

    by Darren Murph
    02.18.2007

    If you've been a bit paranoid of late after hearing that a blatant security hole was found in the now-deceased Palm OS, help has unofficially arrived. Reportedly discovered by Symantec, the vulnerability entailed a hole that allowed the operating system's Find functionality to be accessed even when the device was set to Locked, allowing ill-willed hackers to sift through text message history, calendar entries, tasks, etc. The hole had been confirmed on the Treo 650, 680, and 700p, but now users of the handsets can rest a bit easier after applying this patch. As expected, the update simply disables the Find feature, which essentially closes off the last remaining security loophole and keeps prying eyes from seeing that backlog of steamy Valentine's Day texts. So if you're looking to unofficially patch things up with your Palm, be sure to hit the read link and get that install completed, but we're not the ones to come crying to if something goes awry. [Via PalmInfoCenter]

  • Chip & PIN Tetris hackers can steal credit card info, too

    by Darren Murph
    02.07.2007

    Hacking into sensitive machines and playing brain games on them certainly isn't new -- and a pair of researchers at Cambridge have already done just that on a "tamper-proof chip-and-PIN payment terminal," -- but in a recent (and more serious) development, they've extended the exploit to demonstrate how they can "compromise the system by relaying information between a genuine card and a fake one." Saar Drimer and Steven Murdoch, members of the Cambridge University Computer Laboratory, have not only played Tetris on a banking machine, but have devised a scenario where a terminal is actually connected to a thief's laptop (instead of a bank, for instance), thus passing through crucial information without throwing a red flag to the now-screwed customer. Through a series of RFID, WiFi, and SMS connections, the duo even explains how something so simple could be used to steal thousands of dollars in diamonds and jewelry if working with a trained crew. Still, it's noted that this kind of stunt would be "difficult to execute in practice," and of course, whoever tries it runs the risk of being imprisoned for quite some time, but if you're interested in an eerily detailed description of just how beautiful your life can become if you actually pull this off, the read link demands your attention.

  • Gemalto intros USB smart card to curb phishing

    by Darren Murph
    02.01.2007

    The long, long list of uber-secure USB flash drives continues to grow as paranoid data carriers attempt to protect their lab reports and award-winning recipe books, but Gemalto has a slightly different kind of security in mind with its latest USB smart cards. The forthcoming keys will function much like the Mighty Key already does, as it offers up phishing protection by requiring that users have the USB stick plugged into their computer before being able to access files, online banking accounts, or your secret stash of 90's anime. While the company already provides such security measures for governmental / enterprise agencies, the Network Identity Manager is purportedly tailored for the average joe, won't require "any specialized software," and will play nice with standard browsers. Additionally, the system will utilize a token management system and support Verisign's VIP Network Identity federation framework, but won't require users to carry around a perpetually changing key fob as does PayPal. Gemalto hopes to "simplify" user security and curb the growing phishing problems in America, but there's currently no word on when we'll see these protection measures available for sale here in the States.

  • Hackers enable GPS on HTC Trinity

    by Michael Caputo
    01.30.2007

    It seems like nowadays, a hacker's work is never done and with a little time and know-how, anything is possible. Does everyone remember when the HTC Trinity first appeared on our radar? It had all the makings of a great one, except for being shipped with the GPS receiver in a dormant state. Lucky for us, all it took was a few well-skilled hackers and some determination to come up with how to enable it. Looking at the instructions, it seems like a pretty simple procedure. If anyone is brave enough to try it, drop us a line and let us know the outcome. [Thanks, Chymmylt]

  • BackupHDDVD creator speaks out

    by Darren Murph
    01.27.2007

    Just about everyone and their respective grandmothers have now gotten a whiff of this whole "BackupHDDVD" thing that's been floating around, as muslix64 was able to break down the HD DVD content protection and allow folks to sidestep the AACS boundaries. The folks over at Slyck sat down to chat with the infamous hacker about his motives, his work, and the obligatory "hopes and dreams," and as we expected, he's simply yet another (albeit intelligent and determined) individual that's frustrated with the limitations that DRM presents. He refers to himself as simply an "upset customer" looking to "enforce fair use," further explaining that he wasn't able to appropriately play back an HD DVD film that he purchased "on a non-HDCP HD monitor." He also said that his success with HD DVD led to his shared efforts while taking down Blu-ray's content protection, and noted that any stronger protection to limit the abilities of purchased media would likely be "too costly to manufacture." Lastly, he showed a bit of humbleness by admitting that he "probably wasn't the first to do this," and suggested that the ones before him probably just kept quiet, but his overriding purpose with all of this is to simply "enforce fair use, not piracy" and to "benefit the consumers." Sure, there are certainly polarized camps when it comes to breaking down content protection, but before jumping to any conclusions, be sure to hit the read link and read the full dialogue.

  • A new anti-gamer tactic?

    by Justin Murray
    12.15.2006

    Folks who don't like the concept of video games are frequently willing to go to lengths to get the medium silenced. They're willing to knowingly pass unconstitutional laws -- at the expense of taxpayers -- and frequently call upon studies that employed questionable methods. Now, we may be seeing a new tactic. Recently, hackers have attacked three online gaming sites that are geared toward casual gamers. The site pages were replaced with the FBI's Anti-Piracy Warning label, making people think that the sites had violated some law. The FBI stated their surprise about how authentic the whole setup looked. The specific targeting of gaming sites does raise a questionable eyebrow. People vehemently opposed to an idea/medium/etc. frequently go to great lengths to destroy it (think the anti-Rock and Roll movement). The Internet Crime Complaint Center thinks this trend will move to other sites, but we shouldn't be surprised if this turns out to be a group of angry anti-gaming activists willing to take the law into their own hands.

  • T-Mobile hacker gets slap on the wrist

    by Chris Ziegler
    08.31.2006

    What better deterrent to breaking into T-Mobile's customer database than a year of being forced to sit at home with nothing to do but screw around on the 'puter? We can't imagine, and apparently neither could U.S. District Judge George King, sentencing 23-year-old Nicholas Lee Jacobsen to a whopping 365 days of home detention for the 2004 crime in which several hundred names and Social Security numbers were swiped (not to mention the Sidekick contents of a Secret Service agent, of all people). To be fair, the hoodlum was also ordered to pay T-Mobile ten grand -- and we have to believe the feds are doing what they can to keep Mr. Jacobsen away from technology for the time being -- but we wouldn't have minded seeing some hard time involved.

  • Janus Project PC can scan 300 WiFi networks at once

    by Cyrus Farivar
    08.31.2006

    You've heard of black hat hackers and white hat hackers, but what about leather hat hackers? Meet the first: Kyle Williams. This creative genius has built the ultimate network hacking PC, the "Janus Project," which can focus its eight WiFi cards to break your standard WEP encryption in under five minutes. Beyond that, it can sniff 300 WiFi networks simultaneously, store and continuously encrypt all the data with AES 256-bit keys. In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access. What's under the hood? Williams packed an Ubuntu Linux machine running on a 1.5GHz VIA C7 processor with an Acer 17-inch screen into that snazzy little rugged yellow box. Oh, and the closed case is waterproof too, in case you need to transport Janus Project on a whitewater raft to your next hacking hotspot. We don't doubt someone will. [Via The Raw Feed]

  • MMS spam: a battery-killing attack?

    by Chris Ziegler
    08.31.2006

    Modern smartphones struggle to eke out a day or two of moderate use as it is without malicious folk tapping into your battery; sadly, researchers at UC Davis have apparently managed to do exactly that, exploiting fundamental flaws in the way most phones handle the MMS protocol to drain juice. It seems the trouble stems from "junk data" sent via MMS, which causes the phone to wake from standby, realize the data doesn't constitute a valid message, and discard it, all without any notification to the user. Rapidly repeat the process, and, well, you can see where this leads. All the attacker needs is the target phone's number, and before you know it, your battery's history (the researchers were able to do the deed at about 20 times the normal drain rate, to be exact). Their work wasn't all gloom and doom, though -- another MMS exploit allowed the wily grad students to fire off messages free of charge. Of course, with a dead battery, you won't be firing off much of anything. [Via textually.org]

  • Xbox 360 hacked for homebrew and bigger hard drive?

    by Paul Miller
    06.28.2006

    An anonymous yet trusted source in the Xbox hacker community just released a few screenshots to show his rather impressive progress -- if it turns out to be legit. One shot displays an expansive 451GB of free space on the default hard drive -- implying he's managed to finagle a new 500GB drive into the 360 -- while the other two purport to be views of Xbox 1 homebrew running on the 360. Both capabilities would be pretty major developments, but they'd also make for a couple of rather easy Photoshop jobs, so we'll just have to wait to see what comes of all this. Even if they've managed to emulate Xbox 1 hardware, the development community will have just as much of an uphill battle as the backwards compatibility team at Microsoft does to get things like XBMC running full-on (total redevelopment notwithstanding). And that's a big if.

  • Korean Apple online store defaced

    by Scott McNulty
    05.03.2006

    Last Thursday Silicon.com found out that Apple's Korean online store was hacked. The hacking was done by a dude going by the name 'Dinam.' He claims to be Turkish, but there is no way to confirm that. It seems he gained administrative control over the webserver (which was running Apache) that serves up the Apple store (in Korea) and he went ahead and defaced the website.

  • Xbox 360 H4xx0rz admit their hackjob is useless

    by Conrad Quilty-Harper
    03.26.2006

    After previously boasting about a DVD firmware hack that made it possible to run a backup copy of Project Gotham Racing 3 on a modified Xbox 360, one of the hackers behind the mod has joined Microsoft in calling it "useless". Apparently the mod is useless to the general public due to its complexity (the mod "requires that the flash chip is removed from the drive circuit board and inserted into a special flash programming device") and the fact that it could easily destroy an Xbox 360 in the wrong hands. However, we must agree with one of the other members of the mod team when he said "given the complexity of the software it seems unlikely that there's no [other] way in." Did you know: Microsoft also make a popular operating system called Windows, an OS notorious for its backdoor vulnerabilities. [Thanks, striegs]

  • Security flaw found in iTunes and QuickTime

    by David Chartier
    03.13.2006

    Apple has announced a security flaw has been found in the latest version of iTunes 6.0.1 and 6.0.2, as well as QuickTime 7.0.3 and 7.0.4 that affects both Mac OS X and Windows. The flaw could allow an attacker to run code as the currently logged-in user, which is typically worse news for Windows users, but is still not something Mac users should take lightly. While Apple is working on a patch, I thought this sentence from a PC Pro article was somewhat interesting: "[Apple] will have around two months to issue a suitable fix before it comes under pressure, as the flaw is only at the initial report stage of the process." I wonder what exactly that means - is there some kind of industry consensus that has to be met? Or do they just mean that most people who exploit flaws like this don't use RSS readers and won't find out about the flaw for a month or two? Hopefully, we won't have to find out. [via MacMinute]