hackers
Latest
Xbox 360 mandatory update restores boot to disc, detains Call of Duty pirates for a tad
The story of the Trojan Horse must be a favorite among video game console manufacturers, because software updates these days often come with more than bargained for -- today, Microsoft issued a mandatory Xbox 360 update, reportedly for a single bugfix, but which seems to have coincidentally halted scores of pirates and hackers from playing Call of Duty: Black Ops and Modern Warfare 2 on the console. Members of the Xbox-Scene forums noted the update was taking suspiciously long to download, discovered that backup copies of these games ceased to work, and presently believe that Microsoft included a patch for these two games to enable an anti-piracy feature that specifically targets burned copies. What does the mandatory update do for you if you're not part of the hacking scene? It merely enables the console to automatically boot a pre-inserted game when you power it on, a feature that was accidentally disabled in November. [Thanks, Brian]
Feds charge two in June 2010 iPad 3G hacking
Two men have been charged with stealing the email addresses and personal data of over 120,000 iPad users last year. A 26-year-old from San Francisco and a 25-year-old from Fayetteville, Arkansas were charged with hacking into AT&T's servers and stealing the data, scraped from AT&T's website. Both were charged with one count of identity fraud and one count of conspiracy to access a computer without authorization. They were caught in part due to IRC chat logs in which the hackers bragged about the theft and talked about trying to spin it as a statement against AT&T's lax security. Prosecutors are scheduled to give a press conference about the case today, so the trial should be underway before long.
Two arrested for iPad security breach
Two arrests have been made connected to the security breach that exposed thousands of iPad users' email addresses and other info last year. Daniel Spitler and Andrew Auernheimer (yeah, that guy again) have been taken into custody and charged with conspiracy to access a computer without authorization and fraud, for allegedly using a custom script (built by Spitler) called iPad 3G Account Slurper to access AT&T's servers, mimic an iPad 3G, and try out random ICC identifiers. Once a valid ICC was found, one could harvest the user's name and email address. Of course, the hackers maintain that this was all done to force AT&T to close a major security flaw, and we'll be interested to see what exactly the company does to make things right.
Visualized: the glamorous lifestyles of WP7 jailbreakers (update: Geohot crashes the party)
To be a jailbreaker means different things depending on the device that you're busy hacking preinstalled walls from. If you're fiddling with consoles, a legal team would come highly recommended, but if you're tweaking mobile code, at least Windows Phone mobile code, you're in for a much sweeter ride. The ChevronWP7 guys that brought us the first jailbreak of Microsoft's Windows Phone 7 are currently in Redmond having a sitdown and a frank exchange of views with WP7 dev experience director Brandon Watson, and the amicable nature of their discourse has been evidenced by the image above. Microsoft is clearly taking a light-hearted and community-friendly approach to handling the (now inevitable) efforts at disabling limitations to its software and we can only congratulate its mobile team for doing so. [Thanks, Tasos] Update: Looks like Microsoft's softie approach really is working. Shortly after the jolly news, notorious hacker Geohot announced on his website that he's going to treat himself to a WP7 device; but before long, Redmond's already reached out to offer him a free handset. [Thanks to everyone who sent this in]
McAfee predicts Apple under threat in 2011 (again)
It happens around this time every year -- some company that makes its money from security computers claims that next year will finally be the year the Mac goes under attack from virus programmers. This year it's McAfee, who are claiming in a report that due to the popularity of iOS devices, Apple will become a "prime target" for hackers and virii in 2011. As you might expect from a company that sells anti-virus software, McAfee claims that its research shows "threats of data and identity exposure will become more pronounced," especially on the Mac. Go figure. That's not to say that you shouldn't be careful about your computer -- always stay away from sketchy websites and browse as securely as you can, always use secure passwords, and always keep your Mac up to date with the latest patches and fixes, just in case. I'm not even saying that all anti-virus software is a waste of money -- there are some good worthwhile solutions out there if you feel they're necessary. But the anti-virus folks have been predicting Macs will finally get threatened for years now, and Apple's platform is still much more secure than most others.
APB Reloaded blog talks hackers and cheaters
Bjorn Book-Larsson has a lot to say about APB Reloaded, the forthcoming reanimation of APB's corpse, courtesy of free-to-play publisher GamersFirst. Book-Larsson, the company's COO/CTO, has been blogging about the resurgent title for a few weeks now, and veteran players and prospective newbs alike will want to take a gander at his latest entry. The blog focuses on APB's anti-cheat protections and, while it doesn't go into great detail for obvious reasons, Book-Larsson does make a decent case for APB Reloaded's level playing field. First off, he points out that the server-driven game is "more resilient to cheaters than most other F2P MMOs" due to the fact that F2P titles generally don't spend the same kind of money on infrastructure in comparison to your average P2P title. "In APB we are going to run a giant experiment to basically determine if hardware costs/specs have progressed far enough to make F2P server-driven games financially viable," he says. Book-Larsson goes on to discuss the aim-bot problem, as well as various denial-of-service attacks that GamersFirst has dealt with over the past few years. It's an interesting read for anyone curious about APB Reloaded or MMO security, and also offers a humorous bit of insight relating to the over-reporting of cheaters.
Sega resets Sonic 4's leaderboards due to cheating
Look, Sonic the Hedgehog is fast. He can run faster than the speed of sound, but even if he ran full speed through Sonic the Hedgehog 4: Episode 1's shortest level, it would still take him longer than 0'00"00 to do it. That's just physically impossible, even for an improbably proportioned and colored hedgehog. And since some hackers have posted those times and impossible scores on the game's Xbox 360 leaderboards, Sega has decided to go through and reset the whole thing. That means you might have to go back and try to re-earn that record time you picked up on Lost Labyrinth Act 2 (no easy feat). But you might not want to grab that controller right yet -- Sega hasn't actually announced a fix, just reset the leaderboards. So there's a good chance the hackers will still hack, and there will be another reset to come. Thanks for nothing, cheaters. Can't we all just let the hedgehog run? (Also, cheating at Sonic? Where did our innocence go?)
Fanmade Thief 2 multiplayer released in beta form
Who needs a new version of Thief when you can just hack some multiplayer into the old one? A group of modders has painstakingly hacked the ten-year-old Thief 2 into a multiplayer game, and the beta is now available for download and testing. While it will supposedly run, it's not actually playable by laymen quite yet. You'll need a fair amount of networking code knowledge to actually get it working in any sensible way, and even then it will apparently crash and burn. But feel free to geek out at what's been done here -- these guys have gone back through, found unused code in the still closed-off game client, and then rebuilt and rewritten it to try and get it working on modern computers. And this was a game that was never actually designed for multiplayer! What they've done is like taking an old Model T and making it race the Indy 500. Sure, it won't actually win, but the fact it showed up running on four wheels is pretty amazing anyway.
New Xbox Dashboard adds updated piracy measures
The latest Xbox 360 Dashboard update didn't just make the Avatars taller and give you the ability to navigate its menus with your mind -- it also made the illicit enterprise of pirates just a little bit more difficult. According to Digital Foundry, the hardware now institutes a series of checks, which hackers refer to as "AP 2.5," that work in conjunction with "security sectors" embedded in the disc. If the checks come back negative, the player receives a "dirty disc" error and his or her console is flagged for permaban. Pirates can hypothetically avoid these checks by not updating to the new firmware, though this will prevent them from playing on Xbox Live ... which kind of defeats the purpose of avoiding the permaban. Man, it's hard out there for a buccaneer.
Blizzard announces automated account recovery form for hacked accounts
World of Warcraft accounts have been under siege for years, with hackers and gold-selling outlets stealing passwords, items and more to fill their coffers, selling that gold to unwitting buyers. Blizzard has fought back incessantly over the years to stem the tide of gold farming and account hacking, and as you can imagine, the scale at which this happens is very tasking on its customer support department. Blizzard has just announced a new, speedier way to get help and answered about your hacked account, stolen items, authenticator issues and more! Now, under the new system, you will not have to email or call Blizzard to get these matters into its queue -- simply use the Account Recovery Form.
Computer controlled Bayan from 1988 makes us want to go back to the past
Back in 1988, Russian engineer Vladimir Demin combined a bunch of solenoids (loops of copper wire) and a Bayan (a Russian accordian), to create a self-playable instrument controlled by his awesome, self-built computer. Yes, we're impressed, and you will be too, if you take a look at the video below.
Charlie Miller and Kim Jong-Il could pwn the Internet with two years, $100 million
Well there's one thing we can say about Charlie Miller -- he sure is an ambitious rascal. When not busy exposing security holes in OS X, our fave security expert (aside from Angelina Jolie in Hackers, of course) has laid out a shocking expose based on the following premise: if Kim Jong-Il had a budget of $100 million and a timeline of two years could North Korea's de facto leader (and sunglasses model) take down the United States in a cyberwar? It seems that the answer is yes. Using a thousand or so hackers, "ranging from elite computer commandos to basic college trained geeks," according to AFP, the country could target specific elements of a country's infrastructure (including smart grids, banks, and communications) and create "beacheads" by compromising systems up to two years before they pulled the trigger. Speaking at DEFCON this weekend, Miller mentioned that such an attack could be carried out by anyone, although North Korea has a few advantages, including the fact that its infrastructure is so low tech that even destroying the entire Internet would leave it pretty much unscathed. That said, we're not worried in the least bit: if the diminutive despot brings down the entire Internet, how is he ever going to see Twilight: Eclipse?
100 million Facebook pages leaked to a torrent site, creating the world's least exciting torrent
Hacker Ron Bowes from Skull Security has created a 2.8GB torrent file which contains the Facebook account details of roughly 100 million users. That's about 1 in 5 of the half billion accounts the social networking site has, and the torrent contains URLs for each account, with other personal details contained in the profiles such as phone numbers and email addresses. Bowes created a crawler to troll Facebook's open access directory, where all the information is kept. There's nothing illegal about any of this, of course -- we put our information out there into the public forum that Facebook is, after all -- but there's still something creepy about the idea of someone torrenting our profile. Then again, we have some pretty amazing shots from the Bronx Zoo in there, so we can't really blame them.
Email confirmation added to authenticator setup to foil hackers
For a while now, account thieves have been putting authenticators on their stolen accounts to buy more time for their scumbaggery. Blizzard has recently made that more difficult by requiring email confirmation when an authenticator is added to a Battle.net account. Rather than just logging in and putting in the appropriate information, you now have to follow the steps in a confirmation email sent to the address registered in your Battle.net account. Note: Changing the email address on the account requires not only your password (which the account thieves already have at this point) but also the answer to your security question. So make sure the answer to your security question is not guessable or obtainable by any phishing information. As I have suggested before, if you use a password for your security answer rather than an actual answer, you are adding a very thick level of security. Make it a separate password you use just for security questions, like p45sw0rd (don't use that one). We don't know how long ago Blizzard added email confirmation The email confirmation has been active since July 27 and we believe it will reduce the workload of Blizzard's customer service. More importantly, this will make getting your account back less painful. Of course, the best way to prevent someone from stealing your account and then adding an authenticator to it is to put an authenticator on it yourself. There are keyfob and mobile versions available. [Thanks for the tip, Joel!]
Attractive, non-existent woman on internet easily makes inroads in military, intel, and hacker circles
Thomas Ryan of Provide Security's making it public knowledge that social networking sites aren't just annoying: they're also potentially major security threats. Ryan set up a fake Facebook, LinkedIn and Twitter account for "Robin Sage," a person who doesn't exist and never has -- but we can assure you she's really, really hot. Robin billed herself as a graduate of MIT and a prestigious New Hampshire prep school, and quickly made hundreds of connections across all three sites, without ever offering any proof of her existence or the connections she espoused. Even more stunning, "Robin" was befriending military, government and intel people on Facebook and Linked In (where she dubbed herself a "hacker"), and hackers on Twitter. Ryan's findings state that the military and intel "friends" Robin made freely share information and documents with her, as well as inviting her to various conferences. Interestingly, it turns out the only group that was in anyway resistant to Robin were the MIT-associated people... but we knew they were all whip-smart already. Moral? Next time you accept the request of a beautiful, intelligent hacker who wants to come over and view your secret dossiers, you should probably think twice.
iPad still has a major browser vulnerability, says group behind AT&T security breach
You know that tiny little security snafu that allowed over a hundred thousand iPad users' email addresses out? The one that the FBI felt compelled to investigate? Well, Goatse Security -- the group that discovered that particular hole (stop laughing) -- isn't best pleased to be described as malicious by AT&T's response to the matter, and has requited with its own missive to the world. Letting us know that the breach in question took "a single hour of labor," the GS crew argues that AT&T is glossing over the fact it neglected to address the threat promptly and is using the hackers' (supposedly altruistic) efforts at identifying bugs as a scapegoat. As illustration, they remind us that the iPad is still wide open to hijacking thanks to a bug in the mobile version of Safari. Identified back in March, this exploit allows hackers to jack in via unprotected ports, and although it was fixed on the desktop that same month, the mobile browser remains delicately poised for a backdoor entry -- should malevolent forces decide to utilize it. This casts quite the unfavorable light on Apple as well, with both corporations seemingly failing to communicate problematic news with their users in a timely manner.
Mortal Online busting out tremendous banhammer on hackers
Hackers beware. The team at Star Vault have their eyes on you, and it's time to stop any and all shenanigans you've got going on in Mortal Online. Or else, you say? Or else the banhammer awaits you -- and according to their most recent update, it means an instant, permanent ban that could leave you staring at the login screen in frustration. According to a post by Maerlyn on the Mortal Online forums, there is currently no set date on when software monitoring will come into play, or even what method they'll use to monitor for third-party applications or changes in the game files that are being reported. A follow-up posting by Tazaterra in the same thread indicates that anyone who has modified game files needs to stop at this time. With the game still being tweaked pending release, we're glad to see the team at Star Vault is taking a proactive stance on this before the floodgates officially open. In a game where PvP is everything, players need to know that anyone using exploits, hacks, bots or the like to tip the game balance will be dealt with swiftly and before it causes game imbalances. [via TTH]
Ubisoft 'always on' DRM hated, hacked - circle of life continues
Ah, the circle of life. Here's how it works: Game developers claim they've created some sort of unbreakable DRM that will lock pirates out, and then the pirates break their way in, leading to even more repressive forms of DRM. The snake has eaten its own tail once again, as Ubisoft's "Online Services Network" – also known as the obnoxious "always on" DRM that's already caused problems for paying customers – has reportedly been hacked. The hack, by a group named Skid Row allows users to circumvent the DRM entirely and play the affected games without connecting to Ubisoft's authentication servers. In a statement attached to the crack's release, Skid Row proclaims that their crack "can't be compared" to other ways of hacking the games (which include having the software check in with an unofficial server), and that Ubisoft should "next time focus on the game and not on the DRM. It was probably horrible for all legit users. We just make their lifes [sic] easier." This crack is specifically for Assassin's Creed II but if the method works, it could theoretically be tweaked to include all of the games protected in this manner, including the upcoming Splinter Cell: Conviction. And thus, the circle, the circle of life continues on.
iPhone SMS database hacked in 20 seconds, news at 11
It's a story tailor-made for the fear-mongering subset of news media. This week, a pair of gentlemen lured an unsuspecting virgin iPhone to a malicious website and -- with no other input from the user -- stole the phone's entire database of sent, received and even deleted text messages in under 20 seconds, boasting that they could easily lift personal contacts, emails and your naughty, naughty photos as well. Thankfully for us level-headed souls, those gentlemen were Vincenzo Iozzo and Ralf-Philipp Weinmann, security researchers performing for the 2010 Pwn2Own hacking contest, and their $15,000 first prize ensures that the winning formula will go to Apple (and only Apple) for further study. Last year, smartphones emerged from Pwn2Own unscathed even as their desktop counterparts took a beating, but this makes the third year in a row that Safari's gotten its host machines pwned. That said, there's no need for fear -- just a healthy reminder that the Apple logo doesn't give you free license to click links in those oh-so-tempting "beta-test the new iPad!" emails.
Ubisoft's PC DRM verification was out because 'servers were attacked'
Ubisoft today offered up a bit of an explanation to those of you on PCs yesterday who were desperately trying to play the publisher's games with the cumbersome new DRM (Assassin's Creed 2 and Silent Hunter 5), only to find yourselves unable to authenticate said DRM because of the outage. Apparently it was (gasp!) ... hackers! "Servers were attacked which limited service from 2:30PM to 9:00PM Paris time [8:30AM to 3:00PM ET]," the company announced via Twitter. It also noted that most folks were unaffected by the outage, saying "95% of players were not affected, but a small group of players attempting to open a game session did receive denial of service errors." Needless to say, the company of course apologized to anyone who wasn't able to play its games yesterday. We would once again like to point out that this situation would never have occurred if such a poor DRM system weren't in place to begin with.
