hacker

Latest

  • WhiteHat Security hacks into Chrome OS, exposes extension vulnerability at Black Hat

    by Amar Toor
    08.06.2011

    It's been a rough Black Hat conference for Google. First, FusionX used the company's homepage to pry into a host of SCADA systems, and now, a pair of experts have discovered a way to hack into Chrome OS. According to WhiteHat security researchers Matt Johansen and Kyle Osborn, one major issue is Google's vet-free app approval process, which leaves its Chrome Web Store susceptible to malicious extensions. But there are also vulnerabilities within native extensions, like ScratchPad -- a note-taking extension that stores data in Google Docs. Using a cross-site scripting injection, Johansen and Osborn were able to steal a user's contacts and cookies, which could give hackers access to other accounts, including Gmail. Big G quickly patched the hole after WhiteHat uncovered it earlier this year, but researchers told Black Hat's attendees that they've discovered similar vulnerabilities in other extensions, as well. In a statement, a Google spokesperson said, "This conversation is about the Web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels." The company went on to say that its laptops can ward off attacks better than most, thanks to "a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced."

  • Microsoft offers 'mad loot' Bluehat prize to entice security developers (video)

    by Sean Buckley
    08.05.2011

    Mere numbers aren't enough to describe cash prizes for Microsoft, it seems. The firm's inaugural Bluehat security competition's introduction video opted for a clearer term: "mad loot, lots of it." The big M hopes the hefty first prize of $200,000 will inspire the creation of the next generation of defensive computer security technology. The most innovative "novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities" (phew!) will take home the aforesaid mad loot, while second and third places will receive $50,000 and an MSDN Universal subscription, respectively. The winner won't be announced until Blackhat 2012, of course, and applicants have until April to submit their prototypes and technical descriptions. Hit the break for the official announcement video, complete with CG backgrounds and prize euphemisms.

  • Getting to know you: Comex, the boy behind iOS' JailbreakMe

    by Joseph Volpe
    08.01.2011

    See that kid above? That's Nicholas Allegra. He's the hackdom Harry Potter to Apple's Ye-Who-Shall-Not-Jailbreak-Our-Wares, and Forbes managed to sniff him out for a little bold-faced exposé. The 19-year-old hero of the iOS community, better known as Comex, got his self-taught start with Visual Basic when he was still in single digits. After graduating through a venerable online forum education, the precocious coding lad set his smarts to homebrew Wii development, and the rest is JailbreakMe history. The self-described Apple fanboy admits his background is atypical of the cybersecurity industry, but with a former National Security Agency analyst praising his work as years ahead of his time, we don't think he should worry. For all the trouble his code has caused Cupertino, Allegra's not trying to be the embedded thorn in Jobs' side. Rather, the iPhone hacker claims "it's just about the challenge" and plans to keep on keeping ol' Steve on his billion dollar toes.

  • Forbes profiles Comex, the hacker behind JailbreakMe

    by Steve Sande
    08.01.2011

    The Apple world knows him as Comex, the person who developed JailbreakMe to let iPhone users quickly and easily jailbreak their devices. Now Forbes has outed Comex in a preview of an article that will be published in the magazine later this week. Comex is really Nicholas Allegra, a 19-year-old student on leave from Brown University who lives with his parents in Chappaqua, NY -- not too far away from IBM's facilities in Armonk. Allegra is looking for an internship, and hopefully now that the world knows who he is, he'll be able to get a job with Apple or another electronics or Internet firm. Forbes writer Andy Greenberg cites security expert Dino Dai Zovi as comparing jailbreaking to "writing a ransom note out of magazine clippings," then goes on to say that last year's JailbreakMe 2 was more akin to "requiring an attacker to assemble a note out of a random magazine he's never read before, in the dark." Dai Zovi, co-author of the Mac Hacker's Handbook, notes that the level of sophistication in JailbreakMe is on a par with Stuxnet, the state-sponsored worm designed to attack Iran's nuclear facilities. He says that Allegra is probably "five years ahead" of the hackers who create persistent attacks on government and industrial targets. For all of his hacking skills, Allegra refers to himself as simply an "Apple fanboy" who likes the challenges of finding -- and exploiting -- security issues in iOS. Let's hope that Apple offers him a full-time job soon.

  • Google TV hackers slide Honeycomb into the Logitech Revue

    by Richard Lawler
    07.29.2011

    We're still waiting for Google to release updates that bring Honeycomb and Android Market apps to the Google TV platform, but the folks over at GTVHacker have apparently gone the DIY route. They haven't released the full details yet, but this apparently does not require a hardware mod like the first hack that added Market access, just a thumb drive to load the update onto an eager Logitech Revue. We don't expect the Revue to suddenly become a darling at retail even at $99, but once there's actually some potential of hackery and apps we'll see what the community is able to do with it.

  • Creepy profit-tracking Wario controlled by Mac

    by Kelly Hodgkins
    07.20.2011

    Tiburciod likes to keep track of sales of his game, so he wrote a script that checks every minute for a new transaction. Instead of a simple alert, he and his daughter Helena grabbed a Wario character, a bike bell, a few spare LEDs and a smoke maker from a model train. He assembled them all together into a creepy-looking, part-toy, part-gadget figure. He then threw in a wireless Arduino microcontroller that talked to his Mac. Now when Tiburciod gets a sale, Mr. Wario goes off with a bell, some flashing and occasionally some smoke when sales are hot, hot, hot. Check out the video below and let us know what you think of this weird, yet ingenious creation. [Via Make Magazine]

  • WiFi hacker lands 18-year prison sentence, sex offender status for campaign of cyber vengeance

    by Terrence O'Brien
    07.15.2011

    Look, we understand that being accused of pedophilia is horrible but, if you're not keen on spending time in the pokey, it's probably not best to exact your revenge by hacking and framing your accusers for making terrorist threats or downloading child pornography. That was the unfortunate route chosen by Minnesotan Barry Ardolf, whose neighbors Matt and Bethany Kostolnik went to the police after he allegedly kissed their four-year-old son on the lips. Ardolf broke into the couple's Wi-Fi and e-mail accounts, and used them to post porn on MySpace, send threats to Joe Biden, and explicit come-ons to Matt's coworkers. Now the 46-year-old cyberbully is facing 18 years in prison, a tough sentence for a first time offender sure, but an investigation revealed the Kostolniks were not his first victims. In addition to his lengthy stay in jail Ardolf will also have to register as a sex offender -- an irony we're sure isn't lost on him. [Thanks, Alan] [Image courtesy Jason Morrison]

  • Sony exec says PSN hack was 'a great experience,' apparently means it

    by Amar Toor
    07.14.2011

    The following are what most humans would call "great experiences": eating gelato on a hot summer's day, riding a tandem bike with Anthony Hopkins, or, in the case of Sony executive Tim Schaaff, having your life's work nearly destroyed by a band of hackers. Because for Schaaff, president of Sony Network Entertainment, this spring's persistent PSN outage wasn't so much devastating as it was... enlightening. Here's how he described the hack (and ensuing epiphany) to VentureBeat's Dylan Tweney: "I think for people running network businesses, it's not just about improving your security, because I've never talked to a security expert who said, 'As long you do the following three things you'll be fine, because hackers won't get you... the question is how do you build your life so you're able to cope with those things. It's been a great experience." Phenomenal as it must've felt to get in touch with his inner defeatist, Schaaff admitted that he "would not like to do it again" -- probably because his mouth can only house one foot at a time.

  • Apple iOS 4.3.4 software update may fix iPhone hole, block PDF jailbreak

    by Zach Honig
    07.07.2011

    Remember that PDF exploit from last year that JailbreakMe 2.0 was using to unlock your iPhone with just a few taps? Well, Apple patched it. And now it's apparently back. According to the Wall Street Journal, Apple acknowledged the exploit, and is working on an update at this very moment. In addition to the JailbreakMe 3.0 hack that came to light last week, the hole can also be used for some not-so-noble efforts, like grabbing your contacts database, accessing saved passwords, or activating your iPad or iPhone's built-in camera. And nobody wants that. For one reason or another, German authorities have taken the lead on encouraging Apple to investigate, and have also warned all users to avoid opening PDF docs from untrusted sources. And we're happy to echo that rather solid advice, given the implications. Ironically, JailbreakMe includes a patch for the very hole that allows it to function in the first place, so if you're terrified that rogue PDFs will take over your devices, that's an option to consider in the meantime.

  • Facebook Likes, hires iPhone jailbreaker 'Geohot'

    by Brian Heater
    06.28.2011

    He's jailbroken the iPhone and been sued by Sony over alleged hacks, and now George "Geohot" Hotz is grappling with the biggest challenge of his young career: social networking. After about a week's worth of rumors surrounding his new employment arrangements, Facebook confirmed that it has indeed added the infamous young hacker to its payroll. No word on what Hotz will be doing at the site, but we expect big things, just so long as he doesn't come within 100 feet of a PS3.

  • Defcon Kids event invites hackers to bring their genetic back-up units

    by Sharif Sakr
    06.27.2011

    Apparently, kids aren't at all put off by the air of misadventure and notoriety that surrounds hacking. In fact, they're so eager to partake in lock-picking workshops, clue-deciphering seminars and social engineering round-tables, that Defcon in August will have a side event totally dedicated to proto-hackers aged 8-16. The focus will be strictly on well-intentioned hacking and cyber-security, so there's little risk that your progeny will be set on a life-path that ends in a lengthy jail term. Nevertheless, the organizers warn that the main adult event will be going on all around the kids' areas, leading to a risk of exposure to bad language, possible nudity and an "assortment of philosophies." And if that doesn't deter them, nothing will.

  • Hacker pleads guilty to AT&T iPad breach

    by Dante Cesa
    06.24.2011

    Nearly six months after his arrest, one hacker pleaded guilty to charges that he exposed the email addresses of over 100,000 AT&T iPad 3G users. It's been a year since Daniel Spitler and his compatriot, Andrew Auernheimer, coaxed Ma-Bell servers into delivering the goods, with a brute force script they lovingly named the iPad 3G Account Slurper. The hacker's plea agreement suggests a 12 to 18-month sentence, which is a lot more lenient than the 10-year maximum we hear he could face. Spitler's collaborator is apparently still in plea negotiations with the prosecutor. Both men initially claimed they were just trying to draw attention to a security hole, but maybe next time they'll think twice before embarking on such altruistic endeavors.

  • Microsoft Wireless Desktop 2000 protects that sensitive area between your peripherals

    by Sharif Sakr
    06.04.2011

    Microsoft's new wireless keyboard-and-mouse duo aims to thwart keystroke spies with full AES 128-bit encryption on over-the-air data -- an improvement on older wireless models that have proven to be easy pickings for hacker-types. You can pick up the Wireless Desktop 2000 now for $40, but that won't buy you protection from more common threats like Shandong phishmongers, nor will it make up for security loopholes in your other peripherals. Speaking of which, are you still using that seemingly innocent USB coffee-cup warmer?

  • Google admits sensitive email accounts have been hacked, some users knew months ago (update: US says no government accounts compromised)

    by Sharif Sakr
    06.02.2011

    The Contagio security blog posted evidence back in February of targeted attacks against government and military officials on Gmail. Today, nearly four months later, Google has finally admitted this is true: hundreds of personal accounts have been compromised by hackers it believes to be working out of Jinan, the capital of China's Shandong province. The accounts include those of "senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists." The hijackers' aim appears to have been to spy on their targets using Google's automatic forwarding function. But unlike the PSN fiasco, Google insists its internal systems "have not been affected." Instead it seems the hackers used a phishing scam, possibly directing users to a spoof Gmail website before requesting their credentials. Google says its own "abuse detection systems" disrupted the campaign -- but in a footnote right down at the bottom of their official blog page they also credit Contagio and user reports. Update: And in comes China's response, courtesy of Foreign Ministry spokesman, Hong Lei. "Allegations that the Chinese government supports hacking activities are completely unfounded and made with ulterior motives." Ok then, that settles that. Update 2: And the saga continues... According to an AP story published earlier today, the Obama administration has stated that the FBI is looking into allegations that hackers broke into Google's email system, but denied that any official government accounts were compromised. A White House spokesman went on to say that government employees are free to use Gmail for personal purposes, and can not be sure who in the administration might have been affected by the attack. Let's just hope they know how to leave the sensitive stuff at the office.

  • Microsoft treats kid hacker with kid gloves in wake of PSN debacle

    by JC Fletcher
    05.29.2011

    Soon after Sony's aggressive pursuit of hacker George Hotz -- and potentially in an act of retaliation -- other hackers shut the whole PlayStation Network down and made off with millions of users' data. Microsoft seems to have learned a valuable lesson from that ("don't incite hackers"). During a keynote presentation at the Bank of Ireland Business Week, MS's Ireland General Manager Paul Rellis revealed that the company is dealing with a 14-year-old who hacked Modern Warfare 2 not by suing him, but by working with him. According to the Herald, Rellis said that Microsoft was helping the youngster "use his skills for legitimate purposes." It's a happy ending in this case, but we doubt this will work every time. If you get all up in big companies' systems, you're still a lot more likely to end up with police confiscating your computer than with a cool internship.

  • Sony Ericsson's Canadian online store hacked, more than 2,000 customers' data taken

    by Richard Lai
    05.25.2011

    The hackers just won't give poor Sony a break, will they? Following the infamous PSN breach last month and an attack on the company's Greek online music service earlier this week, Sony Ericsson has now seen another intrusion that extracted personal data of more than 2,000 Canadian Eshop customers. Fortunately, the company claims that passwords taken were encrypted and no credit card details were lost, but this is still worrisome nevertheless. Right now, the Eshop service has been taken off line -- for the sake of Sir Howard and his Japanese chums, let's just hope that this will be the last Sony breach we hear about. [Thanks to everyone who sent this in]

  • StreakDroid 2.0.0 gives the gift of Gingerbread to Streak hackers

    by Dana Wollman
    05.25.2011

    If you've been following along, you know that a phone enthusiast named DJ_Steve has kept the Dell Streak fresh, thanks to a series of hacked ROMs, dubbed StreakDroid. The latest version, 2.0.0 (or GingerStreak, if you're feeling cute) brings Gingerbread to the 5-inch smartphone -- expanding on the last ROM, which gave hackers the option of selecting Gingerbread's app launcher. As always, though, dear Steve has noted a handful of bugs in the ROM's early stages, including issues with the Superuser app, less-than-stellar graphics performance, and the fact that both GPS and 720p video recording require an engineering baseband and DSP to be flashed. As of this writing, all of the comments are from Streak owners eager to download this for themselves. We assume you are, too, so let us know how the new ROM works out for ya.

  • Random Hacks of Kindness brings hackers together for the greater good next month

    by Donald Melanson
    05.23.2011

    What could possibly bring hackers in 18 cities around the world together for a weekend next month? Potentially a lot of things, but on June 4th and 5th it'll be the third annual Random Hacks of Kindness (or RHoK), a globally-linked conference that's centered on the idea of "Hacking for Humanity." As with the two previous conferences, this one is community-driven from the ground up, with anyone able to suggest a problem that could have a technological solution of some sort, and everyone welcome to join in helping to solve it (some of the suggestions so far are things like tornado notification and brush fire command systems). Those interested in participating can find all the information they need at the source link below -- and don't worry about not being 1337 enough to make the grade, the definition of "hacker" in this case is a fairly loose one. It seems anyone with a laptop and some ideas is welcome. [Thanks, Rachel; image: RHoK/Flickr]

  • HTC Sensation looks to have signed bootloader, custom ROMs look to be bummed

    by Tim Stevens
    05.13.2011

    Did you think maybe HTC would change its ways after locking down the bootloader on the Thunderbolt and Incredible S? Sorry, no. The upcoming Sensation looks to have been similarly afflicted, with Android Police bringing the bad news that its internals are protected by HTC's private key. This will definitely prove to be an issue for those looking to run custom ROMs that are clean as a whistle, but something tells us the hackers shall overcome. They usually do. [Thanks, Foo]

  • Google's Arduino-based ADK powers robots, home gardens and giant Labyrinth (video)

    by Darren Murph
    05.11.2011

    Sure, it looks just about like every other Arduino board found at Maker Faire, but this one's special. How so? It's Google-branded, and not only that, but Google-endorsed. Shortly after the search giant introduced its Android Open Accessory standard and ADK reference hardware, a smattering of companies were already demonstrating wares created around it. Remote-control robots? Check. Nexus S-controlled gardens? Check. A laughably large Labyrinth? Double check. It's already clear that the sky's the limit with this thing, and we're as eager as anyone to see 'em start floating out to more developers. Have a look in the gallery for close-ups of the guts, and peek past the break for a video of the aforementioned Xoom-dictated Labyrinth.