hacking
Latest
UK court rules that modchips do not circumvent copyright protection
Here in the US, we've heard some pretty terrifying experiences about selling modchips, but it seems as if higher-ups in the UK are being a bit more reasonable about the whole thing. Reportedly, UK-based MrModchips was cleared of all 26 counts against him for his role in importing and selling console modchips, as the Court of Appeal Criminal Division (Judge Justice Jacobs, in particular) ruled that said chips do not circumvent copyright protection. Better still, the defendant was "awarded full costs as a result of his successful appeal," and we can only assume he was smiling all the way out of the crowded courtroom. Chalk one up for the little guy.[Via Slashdot]
McAfee report reveals the most dangerous web domains
In an era where clicking on the wrong link while browsing the web could mean your account will get hacked, and one of your guild members clicking on the wrong link means your guild bank could get emptied as well, it's always good to protect yourself and keep abreast of web security issues. In that vein, it's worth checking out a new report released by McAfee called Mapping the Mal Web Report Revisited. It tested 9.9 Million websites in 265 domains to find out which ones had a higher risk of exposing visitors to malware, spam, and malicious attacks via a red, yellow, and green system.
aTV Flash voluntarily pulled until further notice
Ah, bugger. Just days after Apple Core began offering its aTV Flash on a foolproof USB stick, the outfit has officially pulled the software. Apparently there have been a few "questions arising regarding the fair use of a particular file present on the aTV Flash, and conflicting opinions as to whether or not it falls under the fair use category." In order to keep itself off of the hot seat, it has "proactively" (and voluntarily) discontinued offering the product "until further notice." Not all hope is lost, however, as Apple Core is currently working with the party in question to resolve the dilemma, and it should be keeping us all in the loop as discussions progress. Oh, and in case you're curious -- all current orders were canceled and refunded.[Thanks to everyone who sent this in]
aTV Flash goes commercial: plug-and-play hacks for your Apple TV
Engineering souls have been hacking up the Apple TV for a good while now, but those too scared of completely ruining their box have had to sit patiently on the sidelines waiting for someone else to do their dirty work. Enter aTV Flash, a USB flash drive which enables your Apple TV (Take 2 included) to do all sorts of fancy new tricks without any fuss. Those with the drive simply plug it in and watch as new file formats become supported, UPnP media streaming opens up and Safari-based web browsing becomes a reality (among other things). Granted, the convenience will cost you $59.95, but that's the price you pay for making your life easier (and your Apple TV a little more useful).[Via TUAW]
Phlashing PDOS firmware attack could permanently disable hardware
You know all that network hardware that runs quietly 24 hours a day in server rooms around the world? What if black-hats could exploit remote firmware flashing utilities to take over -- or completely destroy -- vulnerable gear? Though still theoretical, PDOS -- permanent denial-of-service -- attacks will be demonstrated by researchers from HP Security Labs at the EUSecWest security conference in London this week. "Phlashing", as it's being referred to, focuses on exploiting network-enabled firmware updates, making use of a fuzzing tool that tricks hardware into flashing anything from back-door access to a corrupt image, causing complete and permanent hardware failure. There's no reason to panic just yet (especially not when it comes to consumer devices, which typically don't support remote firmware updates), but given the amount of unattended and relatively dormant enterprise network hardware out there, this could be something for admins to seriously think about. [Via Slashdot]
Koster writes "how to hack an MMO"
Have you ever wanted to walk through walls in MMO? How about telepathically sense the locations of all the good drops in a zone, or make invisible things very, very visible?A blog post by game designer Raph Koster (of Ultima Online and now Metaplace fame) will tell you how! Admittedly, Koster doesn't really go into much detail. Also, he's trying to help developers avoid hacking problems, not giving inside secret tips to hackers. It's still an interesting read, though!He lays out an overview of the various design choices developers make that are exploited by hackers. For example, some developers might choose to trust the client to handle collision detection to reduce lag and increase gameplay responsiveness. Well, a clever hacker can make the client report to the server with false collision information, allowing that hacker to move through walls. It turns out that most designers take a middle-of-the-road approach, meaning that, as Koster puts it: "only bad-ass hackers are cheating, instead of damn near everyone."
Incgamers.com malware mixup fixed
Yesterday, I reported to you that Google (via Stopbadware.org) had marked wowui.incgamers.com (which redirects to wowui.worldofwar.net) as a bad site. Today, the site is reported as clean according to the same report (you can check it out here). Rushter of Incgamers.com explained to us on the comments of the previous article that the problem was with a seperate attack on a different hosted site (which was quickly dealt with, and unrelated to worldofwar.net, says Rushster), but Google marked the whole site as bad. The worldofwar.net UI database was unaffected, he says, and after some back and forth, Google has now dropped the warning. Of course, it's still always a good idea to check your computer for viruses, trojans, and keyloggers regularly, and realize that no website is completely safe (though having a good defense always helps). That said, at the moment it looks like wowui.incgamers.com, also known as wowui.worldofwar.net, is a safe spot to grab your addons from.
Wowui.incgamers.com invaded by malware?
Here at WoW Insider, we've noticed an unusual and disturbing glut of people having trouble with being keylogged or otherwise hacked soon after installing new addons lately (which wouldn't be a surprise -- lots of people were grabbing addons after patch 2.4, so that makes them a likely route for attackers). While it's too early to make any definite connections, It seems like there's one new lead that's just popped up: popular addon site wowui.incgamers.com (not linked for obvious reasons) is apparently passing off bad files, according to reports from Stopbadware.org and other anonymous sources. If you've been using the site for your addons, especially in the past week or so, it might be a good idea to exercise some caution and run your favorite anti-virus or anti-malware program. The site has already been in trouble recently with reports that their UICentral addon updater (now discontinued) was using copyrighted code, and now it looks like there's more trouble abrewing for them. Update: Wowui.incgamers not infested with malware. Full story here.
Anti Keylogger Shield may offer some protection for your account
Hackers are getting more and more brazen lately, hiding various trojans and keyloggers not only in random forum links, but in ad banners and even in electronic devices. Even common sense avoidance of suspicious links and websites doesn't always seem to work anymore. Luckily, there are other tools you can use, such as the Noscript extension for the Firefox browser. Lifehacker reported on a new one yesterday as well: Anti Keylogger Shield for Windows. This freeware program purports to work not by blocking installation of keyloggers, but by preventing them from logging your keys once installed. Lifehacker tested it by loading a keylogger and reported that it seemed to work, at least in that case, as the keylogger's log file was completely empty. Of course, you probably shouldn't just install this program and go off clicking strange links willy nilly, but it does look like it could be one more line of defense in the ever escalating battle to protect your computer and your account from those who would steal it. Plus, it's free, so that's even better. [Thanks for the forward, DrDiesel!]
Liveblog with the iPhone Dev Team: iPwnage
Yep, iPwnage was released today by the iPhone Dev Team, allowing the installation and loading of arbitrary firmware onto the iPhone and iPod touch. Great, but what does that buy you? Let's take a few minutes to chat with iPwnage developers Pytey, NerveGas and more to get a sense of the possibilities and promise of iPwnage.If you'd like to replay the chat below, click the 'replay' button. Note that (ironically) the CoverItLive widget does not work on MobileSafari.
Linux becomes only OS to escape PWN 2 OWN unscathed
After a week full of Red Bulls, Fruit by the Foot and dreams of In-N-Out, the mighty Sony VAIO loaded with Linux stood as the only machine unhacked by the end of the PWN 2 OWN hacking contest at CanSecWest. As you're well aware by now, the MacBook Air on display was seized in two minutes by the presumably well prepared Charlie Miller, and after two full days of work, Shane Macaulay and a few of his 1337 associates managed to crack the Vista rig on Friday. Reportedly, Shane and his pals weren't expecting to do battle with the extra protected SP1 version of Vista, and while the exact loophole won't be divulged, we are told that it was a cross-platform bug that "took advantage of Java to circumvent Vista's security." In the end, it was reported that some folks on hand had discovered bugs in the Linux OS, but many of them "didn't want to put the work into developing the exploit code that would be required to win the contest."[Image courtesy of TippingPoint]
CanSecWest offers another Mac hacking challenge
If you fondly remember last year's CanSecWest hacking challenge -- won by researcher Dino Dai Zovi with a Java/QuickTime exploit that allowed him to take over the target MacBook Pro, thereby claiming it as his own -- you'll want to keep your ears open for results of the current challenge, now underway for the 2nd day in Vancouver. This year's PWN2OWN competition extends the target space to three road warrior laptops: a MacBook Air, a Sony VAIO running Ubuntu and a Fujitsu machine running Vista.No winners were declared on the first day; that's no surprise to contest organizers, as the initial set of rules were the most restrictive. Today the ruleset allows for browser and other built-in application exploits by visiting a malicious URL, so it could get more exciting in a hurry.Update: The MacBook Air has been claimed, per Macworld.[via Macworld]
Blizzard loses a round in the fight against botting
In Blizzard's attempts to get rid of gold farmers and hackers, one of their most annoyingly persistent enemies has been the WoWGlider bot, now known as MMOGlider. They've been throwing suits and countersuits at each other for a few years now, but the latest salvo seems to have gone against Blizzard, the Game Activist reports. Blizzard was trying to subpoena Joe Thaler, owner of Lavish Software LLC, maker of programs such as EQPlayNice. While Lavish Software's programs do not appear to be cheat programs on their own, they did make a deal with MDY Industries, maker of MMOGlider, to use the programs within MMOGlider. According the judge's decision, Blizzard was hoping to obtain all documentation related to the deal, all communication between Thaler and Lavish and MDY and its owner, Michael Donnelly. They also wanted a list of all WoW accounts owned by Thaler and Lavish, as well as the contents of the WTF folders of every installation of WOW used by Thaler and Lavish Entertainment. Unfortunately, the Judge ruled that Blizzard was demanding information that could compromise Lavish's trade secrets and client confidentiality, and that the demand for the information within 9 days did not give Thaler and Lavish enough time to respond an gather information. It's worth noting that the judge did specifically say that Blizzard could file another subpoena that would be more narrow in scope and allow more time for Lavish and Mr. Thaler to respond, so this is probably not a fatal blow to Blizzard by any means. I personally hope not. I've never had much patience for bots, or people who feel they have a civil right to cheat at games, so I'm rooting for the big bad corporation on this one. What about you? Thanks for the link, Tyrsenus.
Researchers warn of hacking risks to heart devices
While it should hardly come as a surprise given the near constant stream of hacking fears we hear about these days, researchers are now warning about a possible vulnerability to an especially important bit of technology: medical devices that control the human heart. As The Wall Street Journal reports, the concerns are mostly centered around so-called "programmers," which are devices used to wirelessly communicate with the implanted defibrillator or pacemaker. Those devices are obviously only sold directly to physicians by a select group of companies but, as the researchers warn, it is at least conceivable that hackers could transmit the same radio signals using another device, allowing them to shut down the defibrillator or deliver a shock, or possibly even obtain a patient's medical information. The researchers are quick to point out, however, that this is "theoretical risk, not an actual risk," and they're not recommending that anyone consider deferring an implantation or removing a defibrillator. [Image courtesy of Medtronic]
Why hasn't the PS3 been hacked?
Where is the PS3 homebrew scene? Considering how active the PSP scene, one would think that Sony's other console would get the same kind of attention from hackers. It's not that people aren't trying -- rather, it appears that Sony has learned from their mistakes with the PSP.PSP was rather insecure from the start. A primer from "nikkelitous" explains that "the PSP didn't have any security protections in the first version: Thats right! It essentially ran anything that you put on it." In spite of Sony's continued attempts at fixing PSP security through firmware revisions, the damage has already been done. "The PSP now has a very powerful security system, but like the Greeks, we had people inside. Once a system is hacked and understood, very little can be used to continue to protect it."Not only has Sony made the PS3 much more secure, but its use of Blu-ray makes it significantly more difficult to hack. "It's not using a DVD drive it's using a custom Blu-ray drive, we can't simply copy the disks, and we don't know enough about the firmware on the drive to accomplish a 'debug mode' even if it's on there." Of course, all of these hindrances aren't stopping the hacking community. They're going to keep on trying, and will probably one day succeed. However, it's clear that this time around, Sony isn't going to be taken off-guard.
Gold sellers hold account hostage
We all deal with them. Their annoying spam, their flooding of the general channels. Those gold sellers deserve the kiss of death. Wouldn't it be nice if their industry just went and slept with the fishes?In a tactic that even Don Corleone himself would be angry at, gold sellers have sunken to a new low. John M. wrote in to tell us the tale of a fellow guild mate who fell under the gaze of a gold seller who took his account hostage, demanding payment from his guild. Sit back, open up a new window with this Godfather music, and read on after the break. I'm gonna make you an offer you can't refuse.
GoDaddy invades WoW Armory
In one of the most bizarre things I've seen happen to the World of Warcraft in my three years playing, the WoW Armory site today is pointing to a generic GoDaddy.com domain parking page. The screenshot above was taken at 1:08 p.m. CST on March 2nd, 2008. WoW Insider has received numerous reports of this. It seems to be a DNS related issue. The domain name wowarmory.com expires today, and it appears as if a registrant has grabbed the wowarmory.com domain name as soon as it expired.DNS entries for blizzard.com and worldofwarcraft.com point to cerf.net, while the DNS servers for wowarmory.com are currently pointing to domaincontrol.com. While some of you might be seeing wowarmory.com work correctly, others are not. The ISPs of people who are seeing it work have not had their DNS records updated yet, however within the next 48 hours they will see wowarmoy.com go down as well; unless Blizzard fixes this before then (I am sure they are already aware, or becoming aware of it).Stay tuned to WoW Insider for the latest on this story.Thanks to Matthew Rossi and his wife for contributing to the technical sleuthing in this post.Updated 2:34 p.m. EST: You can access the armory using a sub-domain of worldofwarcraft.com by going to http://armory.worldofwarcraft.com/Updated 3:03 p.m. EST: http://www.wowarmory.com/ is now working again. It looks like Blizzard really jumped on the issue and fixed it.
Hacked and robbed blind, one guild's cautionary tale
Our Guild had been going downhill for a while now. At the beginning of the year, key officers and members, cornerstones of our raiding team, quit the game for one reason or another. Some of our members got hacked, just like WoW Insider's Amanda Dean. This took the wind out from under our sails, despite great success in Serpentshrine Cavern and Tempest Keep. As 2007 closed, I envisioned us taking down Vashj and Kael within the first quarter of 2008. I was stoked. There were good times when we'd take down two new bosses a week. Of course, Murphy's Law happens. While key team members quit the game, others took extended (sometimes unannounced) leaves of absence, and with diminishing raid attendance and obviously performance, other members looked elsewhere for better raiding opportunities. And when it rains, it pours.A little over a week ago our Guild bank was robbed. It was cleaned out -- so empty I could almost imagine the sound of flies buzzing about -- well, okay, it wasn't that empty. On the third tab, the robber was kind enough to leave us ten stacks of Roasted Clefthooves. At first it struck me as odd because we had fixed our Guild permissions somewhat after our GM left the game to take a shot at a relationship and play with his Nintendo Wii. In what order exactly, I can't be sure. He passed the mantle off to one officer who passed it to another officer who later passed it on to me. So for a while, I was GM of a Guild that wasn't quite doing anything but waiting on people to come back to the game. So imagine my shock (more like anesthetized indifference, to be honest) when I was going to deposit items into the Guild bank only to find that it had nothing. Well, nothing but those clefthooves.
Found Footage: iPhone restore screen hacked
Looks like the iPhone hacking teams are at it again. This time they have created a custom image where the normal "Connect to iTunes" image should be on a normal iPhone. This image, used when you restore your iPhone or iPod touch, was a yellow triangle and has been updated to the iPod connector and iTunes icon in recent iPhone/touch firmware versions. Thanks to roxfan, Turbo, wizdaz, bgm, and pumpkin
Fear of hackers may make me play WoW on a Mac full-time
I use a Mac as my production machine. I don't want to get this too much into a Mac v. PC war, so lets just leave it with this: I find I am more productive with my workflows in OS X, and I have the added bonus of not worrying too much about what nasties are included in my downloads. I've been drinking Apple Kool-Aid from a sippy cup for over 10 years, so for me playing WoW on the Mac isn't some life-altering decision. My PC is nothing more than a game/media conversion console. But this whole hacking thing is making me think seriously of playing WoW on the Mac full-time. Sure, I've had WoW sessions of a decent length on my Mac, but not complete PC abstinence. In full disclosure mode, I've worked in IT for over ten years, and many of those years with a dotted-line relationship helping out our Security group. So, I've got a decent understanding of How Not Do Stupid Things On Your PC.Back in my EverQuest days, we had "hacking" problems, but usually those could be traced back to someone doing stupid with his or her account: they used a powerleveling service or gave their password to a brother or guildie who then did something bad. With WoW, though, it seems much more nefarious. Sure, you give your password away you don't have much of a leg to stand on; I'm not going to say anyone deserves anything, but you've got no moral right to get indignant. Am I just reacting to this with a "oh noes, the sky is falling!" paranoia. Maybe. But when you hear of guild websites getting hacked to install keyloggers, peripherals shipping with keyloggers/viruses installed, it's tough to blame the user. There are always two sides to every story, but I'm getting the feeling there are a lot more true innocents in this battle, including our own Amanda Dean.
