hacker
Latest
Hackers charged with Xbox One, Valve, Call of Duty data theft
The United States has charged four members of an international hacking ring with stealing up to $200 million in intellectual property and other data from Microsoft, Epic Games, Valve, Zombie Studios and the US Army. The hackers are charged with stealing software related to Xbox Live, Xbox One, Call of Duty: Modern Warfare 3 and Gears of War 3. "Specifically, the data cyber-theft allegedly included source code, technical specifications and related information for Microsoft's then-unreleased Xbox One gaming console; intellectual property and proprietary data related to Xbox Live, Microsoft's online multi-player gaming and media-delivery system; Apache helicopter simulator software developed by Zombie Studios for the US Army; a pre-release version of Epic's video game, Gears of War 3; and a pre-release version of Activision's video game, Call of Duty: Modern Warfare 3. The defendants also allegedly conspired to use, share and sell the stolen information," the US Department of Justice says in a press release. The hacking group used SQL injection and stolen usernames and passwords to break into the targeted companies' networks. The men charged are Nathan Leroux, 20, of Bowie, Maryland; Sanadodeh Nesheiwat, 28, of Washington, New Jersey; David Pokora, 22, of Mississauga, Ontario, Canada; and Austin Alcala, 18, of McCordsville, Indiana. Pokora and Nesheiwat have pleaded guilty to conspiracy to commit computer fraud and copyright infringement, both scheduled for sentencing in January. "Pokora's plea is believed to be the first conviction of a foreign-based individual for hacking into US businesses to steal trade secret information," the Department of Justice says. Authorities in Australia have charged an Australian citizen in relation to this conspiracy. [Image: Microsoft]
If Secret isn't anonymous, we're all screwed
People have been airing their dirty laundry and slinging shade on Secret -- an anonymous sharing app -- for months now. Who could blame them? It's fun, it's freeing and accountability basically doesn't exist there... or so some may believe. Kevin Poulson at Wired spoke to a security researcher named Ben Caudill and the takeaway is clear: your secrets aren't necessarily as secret as you think. And the kicker? The process of tying real people to the things they said was a shockingly simple one if you understand how Secret finds and displays people's messages.
Report: League of Legends hacker made $1,000 a day
If being a jerk on the Internet is a competition, Shane "Jason" Duffy might be in the champion's running. Police raided the 21-year-old's room regarding a League of Legends security incident in 2011, which Riot eventually addressed in 2012, and Duffy's online activity while on bail earned another visit from police in 2013. In an interview with The Daily Dot, Duffy claimed involvement for brute forcing League accounts, selling character skins from accounts for $200-$800, leaking League of Legends: Supremacy through a Riot employee's Twitter account, and creating a service that could knock League players out of games in exchange for money. Duffy told The Daily Dot in November that his group had scored access to millions of accounts, which he claims were harvested via a senior Riot employee's account. Duffy says that despite Riot noticing a breach and telling staff members to change their passwords, this employee did not, allowing Duffy's group to set up backdoor software on Riot's servers. By the time Riot realized what was happening, Duffy claims they had grabbed information for 24.5 million accounts.
Australian Apple users held to ransom by Find My iPhone hacker (updated)
Some Australian Apple device owners today woke up not to the sound of their alarm, but the jingle of a "ransom" notification instead. The Sydney Morning Herald reports that a hacker (or a group of hackers) going by the name "Oleg Pliss" systematically froze iPhone, iPad and Mac users out of their own devices, holding them hostage until payments of between $50 and $100 were received. Threads on Apple's official support forums detail how the attacker (or attackers) used Apple's own Find My iPhone feature to remotely lock devices and send messages requiring payment via PayPal. Fortunately, those who had set passcodes were able to regain access, because you can't add or change a lock on a device that already has one in place, but those without the security measure weren't so lucky.
AT&T hacker Andrew 'Weev' Auernheimer's fraud conviction gets reversed
Like him or not, Andrew "Weev" Auernheimer has been at the center of a legal maelstrom ever since he helped collect email addresses of 114,000 iPad owners that AT&T left unsecured and shared the news with Gawker in 2010. In November 2012, he was found guilty of identity fraud and conspiracy to access a computer without authorization. In March 2013, he was ordered to pay $73,000 and was sentenced to 41 months in federal prison. And today, the verdict that put weev behind bars has been reversed. In his words, he was arrested for "arithmetic" -- all he claims to have done was fiddle with a URL and spilled the beans about what he found. Here's the thing though: Weev isn't free because his legal team artfully conveyed the distinction between hacking and incrementing a number at the end of a URL. He's free because the Third Circuit Court of Appeals decided he (who lived in Fayetteville, Arkansas at the time) wasn't tried in the right court.
Portable N64 mod boasts internal memory, analog stick, real cartridges
Whether you harbor fond memories of the Nintendo 64 or despise its baffling controller and chunky, untextured polygons, one thing everyone can agree on is that the system was not very portable. At least, until a hacker calling his or herself "Bungle" got a hold of the machine. According to a description Bungle wrote on the Bacman retro console modding forums, this modified Nintendo 64 features support for both Expansion and Rumble Packs, custom buttons, a legitimate N64 analog stick, internal memory and a 3.5" screen. As you can see, it accepts actual cartridges, and Bungle claims that the device's 4400mAh battery offers about four hours of juice. That's not quite on par with the Nintendo 3DS or Sony's Vita handheld, but is respectable for hardware that was never intended to fit in your pocket. Best of all, this isn't some hyper-rare one-off project. Bungle claims that this is the fourth such device he or she has created to date, and that more are on the way. It's unknown if these things will ever be available for purchase, but we're keeping our fingers crossed. [Image: Bacman]
Aura Kingdom hacked and emails stolen... or maybe not [Updated]
Recent hacking of Aura Kingdom apparently resulted in stolen email addresses that are being used to pester users players are reporting that they're getting invitations sent to their Aeria Games email address from an individual asking them to join an Aura Kingdom private server. Fortunately Aeria Games does not store credit card information, so it seems as though that information is safe. An Aeria Games GM responded to the claims by saying that the company is investigating the issue: "Thanks for reporting this. We'll look closely into this reports. We will let you know if we need more information. Also note, we do not process any payments, this is done through the service you utilize to buy AP. So this is not something we store." [Thanks to Thomas for the tip!] [Update: Aeria has contacted us to update us about the situation and provide an official statement: "We have investigated this issue and would like to confirm that we have found no evidence of our servers or players' account information being compromised. This includes the email addresses that were reported to have been affected in this article. We have, however, found potential security vulnerabilities through third parties unaffiliated with Aeria Games. We caution against providing contact information to these unaffiliated entities and encourage all players to change their passwords on a regular basis to maintain account security."]
Kickstarter hacked, customer information accessed
If you've logged in to use Kickstarter, perhaps to support an up-and-coming MMO, then pay attention: earlier today, the site reported to users that it was hacked this past week and customer data was accessed. In a security notice posted on the site, Kickstarter said that it was notified by authorities this past Wednesday that hackers gained access to the site. The company has since closed the breach, bolstered its security, and notified customers to change their passwords. Credit card information was not part of the accessed information, but user names, email addresses, and encrypted passwords were. "We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come," the company posted.
Blizzard update on dangerous Trojan
WoW Insider reported recently on a dangerous Trojan that was, at the time, not removable by any known antivirus program. Vigilance was advised by the Customer Support agents, and logs from anyone who was affected by the Disker trojan were requested. Thanks to the hard work of the Blizzard Support MVPs, a solution has been found. Kaltonis Our pleasure! To summarize for those of you that haven't read the green posts: -The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there. -At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that Ressie posted earlier in the thread. -Thanks to Ressie's efforts, most security programs should be able to identify this threat shortly, if not by the time I type this. -If you were compromised, follow the instructions here and we'll do our best to set everything right (as we always do). -For those of you interested in these MitM style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe! source
Cheaters prosper in Double Fine's puzzler Hack 'n' Slash
Double Fine has announced a new hacking-themed puzzle game called Hack 'n' Slash, due in the first half of 2014 for PC, Mac and Linux on Steam. Hack 'N' Slash started out as an idea during Amnesia Fortnight, Double Fine's internal game jam, and was then chosen by the public to become a fully-realized game. It stars a young elf who uses her hacking skills to cheat at an action/adventure game. We're also told there are algorithms, which we hope is shorthand for dancing alligators. Funding for Hack 'n' Slash was achieved through a joint effort between Double Fine, Indie Fund, Humble Bundle, Hemisphere Games, make all, AppAbove Games, Adam Saltsman, The Behemoth, Morgan Webb, and Rob Reid. It's part of a two-game financing deal that also includes Spacebase DF-9, Double Fine's Early Access space station management sim.
Hacker cracks indie's PayPal account, orders PS4s with crowdfunded cash
With three days left in the Secrets of Rætikon Indiegogo campaign, developer Broken Rules discovered its PayPal account had been hacked and someone had spent $2,500, in part to order three PS4 consoles, studio co-founder Martin Pichlmair told Joystiq. Broken Rules contacted PayPal and put a stop to the spending, and PayPal assured the studio that all of its money would be returned. Pichlmair said he believed the account's password was cracked. Broken Rules since regained full control over its own account, making it safe for backers to continue donating. "This feels like someone breaking into your house and we were super-stressed out for a whole day," Pichlmair says. "We're on the last stretch of our crowdfunding campaign and this incident is really taxing .... Gladly there wasn't too much money on our PayPal account at that point." Secrets of Rætikon has a $40,000 campaign on Indiegogo and has raised $10,900 with three days to go – but it's a Flexible Funding project, meaning Broken Rules gets to keep whatever money it makes, regardless of reaching its goal. Secrets of Rætikon was a stylish exploration and puzzle game that we dug at GDC Europe this year. All that Broken Rules had to identify the hacker was a "dodgy Gmail address," so there wasn't much chance of catching anyone, Pichlrmair said. As for the return of its stolen money, he said he'd believe it when he saw it. Pichlmair planned to update backers no matter how the hack shook out. "We try to be honest even if it is to our detriment," he said. "That's us."
TUG suffers from DDOS attack
"Relentless" attacks against fledgling sandbox TUG are being addressed by the team and its security measures, Nerd Kingdom wrote in a forum post yesterday. Players noticed something wrong when they couldn't log into the game yesterday, and a developer confirmed that a DDOS attack was in the works and was being combated. She said that there is no ETA for a fix but that players who have applied for testing keys need not worry about losing theirs due to the issue. "Yeah, the attacks started during the weekend and they've been pretty relentless. Luckily our security measures are working. We just need to do some tweaking now," developer Dee posted. "While it sucks that it's happening, it's better to have these things happen now, while we're in the alpha stage when stuff's supposed to break, than later when it might've been much more of a problem to iron out." [Thanks to Sounder for the tip!]
Adobe says attackers compromised 2.9 million accounts, stole source code
If you've recently bought an Adobe product, you'll want to keep an eye out for suspicious financial transactions in the near future. The company says that attackers have compromised 2.9 million customer accounts, including their (thankfully encrypted) credit and debit card numbers. Hackers also took source code for certain apps, including Acrobat and ColdFusion. The two attacks might be related, according to Adobe. While the firm doesn't believe that the culprits have any unencrypted banking info, it's not taking chances: it's resetting passwords for affected users, warning them of financial risks and offering free credit monitoring. The breach won't necessarily hurt customers in the long run, but it isn't going to help Adobe's attempts to move its user base to subscription services.
Automotive takeover schemes to be detailed at Defcon hacker conference
It's not like Toyota hasn't already faced its fair share of Prius braking issues, but it appears that even more headaches are headed its way at Defcon this week. Famed white hats Charlie Miller and Chris Valasek are preparing to unleash a 100-page paper at the annual hacker conference in Las Vegas, and notably, hacks that overtake both Toyota and Ford automotive systems will be positioned front and center. The information was gathered as part of a multi-month project that was funded by the US government, so it's important to note that the specifics of the exploits will not be revealed to the masses; they'll be given to the automakers so that they can patch things up before any ill-willed individuals discover it on their own. Using laptops patched into vehicular systems, the two were able to force a Prius to "brake suddenly at 80 miles an hour, jerk its steering wheel, and accelerate the engine," while they were also able to "disable the brakes of a Ford Escape traveling at very slow speeds." Of course, given just how computerized vehicles have become, it's hardly shocking to hear that they're now easier than ever to hack into. And look, if you're really freaked out, you could just invest in Google Glass and walk everywhere.
This Arduino hackaphone was never going to be pretty, but it does the job
Okay, we'll admit that it looks a bit like a baby monitor. But in contrast to those over-engineered pieces of parenting paraphernalia, this DIY cellphone can actually make calls and send texts over GPRS. More importantly, Hackaday claims it was put together by a lone hacker ("Victorzie") from an assortment of off-the-shelf and modded parts, including a TFT touchscreen, lithium ion battery, charging circuit, GPRS module and shield. These components were hooked up to an Arduino Uno microcontroller running a barebones UI and then jammed into a 3D printed case, which makes the device look far more pocketable than some previous hackaphone efforts. The end result inspires big respect for the creator, but also, more grudgingly, for the pro engineers at places like Nokia, who can pull all this stuff together and even get it FCC-approved for just a few dollars.
EVE Evolved: Archaeology and Hacking in Odyssey
EVE Online's Odyssey expansion is set to land in just over a week's time, kicking off the game's second decade with a focus on exploration, immersion, and resource rebalancing. Developers plan to shake up nullsec by redistributing the value of various moon minerals and buffing player-owned outposts, and lowsec will become a more tempting place to visit with the addition of valuable new tags to asteroid belt NPCs. But what's in it for highsec players? In addition to new navy issue battlecruisers and immersive new jump and death sequences, players from all corners of EVE will find new exploration content in their back yards. A big part of the new exploration system is a complete redesign of the Hacking and Archaeology mini-professions, which have been in EVE for as long as I can remember and have remained relatively unchanged. Odyssey will add new sites for both professions and replace the boring old chance-based system with a new minigame that emphasises co-operation with other players. In this week's EVE Evolved, I look at the history of Hacking and Archaeology in EVE and what the new system brings to the table.
Captain's Log: The day my Star Trek Online fleet died
This week I was looking forward to writing about all of the wonderful stuff coming out about the coming this May in the Legacy of Romulus expansion in Star Trek Online. Unfortunately for me, that subject has been swept under the rug while I write about what happened to my fleet during this past week and expose our failures in order to provide valuable lessons to others. This week my fleet was "stolen." Everything that we have worked so hard in building over the past 14 months was taken away by one person, a person none of us knows, and we were forced to begin anew. The lessons here are hard, bitter, and frankly embarrassing to discuss, but they are important to learn from, and I hope others use the advice to avoid our fate, regardless of whether you're in a fleet in Star Trek Online or a guild in some other game.
Hacker turns Kindle Paperwhite into wireless Raspberry Pi terminal
The Raspberry Pi is all about low-cost computing, which makes this particular hack quite fitting, as it allows you to make a terminal for your lil' Linux machine out of something you may already have at home: a Kindle Paperwhite. Displeased with the glare from his laptop's screen on a sunny day, Max Ogden was inspired to find something better and ended up with this Paperwhite hack. It builds on the original "Kindleberry Pi" method for the Kindle Keyboard, although Ogden had to massage it for the newer model and added some extra hardware to make the setup as wireless as possible. You wouldn't call the end result a monitor, as such -- the Paperwhite logs into an SSH session running on the Pi, so it "pretty much only works for terminals." That's probably for the best, as Ogden guesses the lag between wireless keyboard and e-ink screen is around 200ms, but at least it has portability, battery life and sunlight readability in the 'pros' column. Details of the project can be found at the source below, meaning only time (and probably, a few peripherals) stands between you and the ultimate hipster coffee shop machine.
Hacker sentenced to 41 months for exploiting AT&T iPad security flaw
Hacker Andrew "Weev" Auernheimer was found guilty last year of spoofing iPad user IDs to gain access to an AT&T email database, and he's now been sentenced to 41 months in prison. The time was chalked up to one count of identity fraud and one count of conspiracy to access a computer without authorization. In addition to the nearly three and a half years behind bars, Auernheimer also faces another three years of supervised release, and restitution payments of $73,000 to AT&T. Prosecutors in the case were asking for a four-year sentence, and reports say that they used both a Reddit Ask Me Anything post that Auernheimer did as well as quotes from the Encyclopedia Dramatica wiki. Auernheimer did give a statement before the sentencing, where he both read out a John Keats poem, and said that he was "going to jail for doing arithmetic." Auernheimer has promised that he will appeal the sentencing, so this may not be the last we've heard of "Weev" just yet.
Galaxy Note II vulnerability lets attackers (briefly) access home screen apps (updated)
A security flaw discovered by Terence Eden on the Galaxy Note II with Android 4.1.2 may make that device less secure than you think when it's locked by a code or other method. He discovered that the homescreen can be accessed, albeit it just for a split second, by pressing the "Emergency Call" icon, then the ICE button and finally pressing the physical home key for several seconds. While brief, it's still enough time to click on any of your homescreen apps, which normally wouldn't present a problem since access goes away when the home page disappears again. However, if one of your apps is a "direct dial" widget, for instance, a call can actually be placed by a hacker, and many other programs that perform an action at launch could also leave the device vulnerable. We've confirmed the flaw on our own handsets and the individual who discovered it says that after reporting it five days ago, Samsung has yet to respond. We've reached out to the Korean company ourselves and will let you know about any further developments. Update: Samsung's emailed us to say it's aware of the matter and is working on a fix (see below). Samsung is aware of the consumer inquiries regarding the pattern lock feature embedded on some of the Galaxy devices and plans to provide a software update to address it as quickly as possible.
