hijack

Latest

  • EA patched Origin security flaws that put millions of users at risk

    by Christine Fisher
    06.26.2019

    EA patched flaws in its Origin platform that could have enabled hackers to hijack and exploit millions of users' accounts. The vulnerabilities were spotted by Check Point Research and CyberInt, and once exploited, they could have allowed player account takeover and identity theft. The cybersecurity companies alerted EA, which was quick to take action.

  • Government websites fall prey to cryptocurrency mining hijack

    by Jon Fingas
    02.11.2018

    It's not just private companies' websites falling victim to cryptocurrency mining hijacks. Security consultant Scott Helme and the Register have discovered that intruders compromised over 4,200 sites with Coinhive's notorious Monero miner, many of them government websites from around the world. This includes the US court info system, the UK's National Health Service and Australian legislatures, among others. The intruders spread their JavaScript code by modifying an accessibility plugin for the blind, Texthelp's Browsealoud, to inject the miner wherever Browsealoud was in use.

  • $1.2 million in Bitcoins hijacked in 'social engineering' attack

    by Steve Dent
    11.09.2013

    So, you've amassed a fortune in Bitcoins, possibly ill-gotten. If you're storing them on a computer that's exposed to the internet, you may want to rethink that strategy thanks to a huge theft from a digital wallet service called Input.io. 4,100 Bitcoins worth $1.2 million were plundered through two separate attacks by a hacker that gained access through social engineering, according to "TradeFortress," the site's owner. The thief managed to reset the site's password through an email recovery scheme, routing the process through a proxy server near the Australian service's location to avoid suspicion. Unfortunately, Input.io is unable to return the lion's share of the theft, though TradeFortress told Wired he'd pay back 1,540 Bitcoins from his personal stash. The service is now dead and you may want to heed the rueful owner's parting words: "I don't recommend storing any Bitcoins accessible on computers connected to the internet."

  • Vulnerability lets attackers hijack iOS apps' web requests over WiFi (video)

    by Jon Fingas
    10.29.2013

    Be careful which WiFi hotspots you use -- Skycure has just revealed a web-based exploit that lets attackers hijack an iOS device on the same network through its mobile apps. The technique intercepts some apps' attempts to cache a web status message, redirecting the request to a hostile server; after that, an intruder can stealthily inject malware from any location. Thankfully, there are already some solutions at hand. Victims can uninstall apps to scrub their devices clean, and Skycure has released app code that prevents the web caching from taking place. It may be a while before iOS users can assume that their apps are safe, but we wouldn't expect the vulnerability to remain for long.

  • Hacker claims he can remotely hijack airplanes using an Android app

    by Sharif Sakr
    04.11.2013

    Hugo Teso, a security consultant who also happens to be a trained commercial pilot, says he's developed an Android app that can make an airliner "dance to his tune" by attacking its flight management systems. The hack was demoed at this year's Hack In The Box conference in Amsterdam, where Teso showed how the app -- called PlaneSploit -- can seek out targets from the ground by infiltrating radio broadcasts between aircraft and air traffic control, and then use a second communication system to send malicious messages that could "take full control of the plane" or indirectly affect the pilot's behavior. PlaneSploit is proof-of-concept software, designed to work in a closed virtual environment, so it's not like we're going to see it pop up on Google Play any time soon, but just the fact it exists will hopefully help to keep the puppet masters out of real-world planes. And no, there's no Windows Phone version.

  • Exchange/iOS "meeting hijack" history goes back well before iOS 6

    by Michael Rose
    10.04.2012

    Yesterday, in discussing the new reports of meeting invitation issues between Microsoft Exchange and iOS 6 devices using ActiveSync, I mentioned that I recall having seen these sorts of problems in prior versions of iOS and OS X, albeit infrequently. The issue manifests as one recipient declining an invitation which mistakenly cancels the meeting for everyone, "hijacking" the meeting out from under the original organizer. My recollection was probably accurate, given the report below from a TUAW reader who prefers not to identify his former employer.

    The full rundown is worth reading, but here's the summary: iOS's implementation of ActiveSync, in iOS 6 and well before, may be doing some things (asserting ownership of meetings that in fact do not "belong" to the Exchange account on the iPhone) that theoretically should not be allowed under the protocol specification. Exchange, in turn, is not enforcing the spec and refusing these inappropriate requests as it ought; it's taking them at face value. The end result: meetings get dropped but neither vendor is apparently willing to take point on the issue.

    Our reader's story:

    The problem with iOS and Exchange is something that we discovered at my previous place of employment. It's a nasty bug and I'm sad to see that it persists. Before I sat down to write you, [I checked with] those folks to see if iOS 6.0 had made it better at all. They reported it was worse. With that in mind...

    We had a term for the problem. It was "meeting hijacking." It describes a scenario in which an iOS device could "hijack" a Microsoft Exchange meeting. The hijacking would make an attendee the organizer of the meeting and if they declined or deleted the meeting, Exchange would then send a decline to [all the other invitees] and cause fairly major issues.

    We first witnessed this problem around iOS 4.3, if I remember correctly. We were running Exchange 2007 for tens of thousands of users. We had the latest service packs and cumulative updates installed. (The problem also occurred in iOS 5.0 and higher, and apparently it's not fixed in iOS 6.0 either. It has also been verified against Exchange 2010, but more on that in a minute).

    To reproduce the issue, here's what we did: Using Outlook for Windows, create a meeting and add attendees. Make one of the attendees an email list that is EXTERNAL to the Exchange organization. That means it cannot be a distribution group in Active Directory. It needs to be a Mailman or majordomo list that is outside the Exchange org. The members of the external email list receive the invitation and accept it. The acceptance is written back to Exchange and put on the calendar. The iOS device owned by a member of the email list picks up the meeting and places it on the calendar. All is happy. At some point, the iOS device syncs the calendar via ActiveSync and suddenly becomes confused about who the owner of the meeting should be (the organizer, in Exchange-speak). The iPhone decides that its owner should become the organizer, since it has no idea who the real owner is, and syncs this property change back to the Exchange server. Exchange 2007 now has a disconnected copy of the meeting with a different owner. Exchange is agnostic about this. Now the iPhone owner declines the meeting for whatever reason. Exchange automatically generates a cancellation or decline notice and sends it out to everyone since the disconnected copy of the meeting has a different owner. This results in mass confusion and sometimes will delete the meeting from the other calendars.

    We verified this problem against iOS 4, 5 and 6 with Exchange 2007 and 2010. In Exchange 2010, Microsoft introduced a "calendar repair agent" that is supposed to detect this problem and resolve it. This calendar repair agent is a daily timer job. Microsoft did release patches on Exchange 2007 SP2 and up to correct some of the issues that are similar to this, but this particular problem was never resolved.

    Now for the dirty laundry. We worked for about two years with Microsoft and Apple on this issue. It may have been longer, I don't recall. We had a major support contract with Microsoft and reported this issue to them. I'll spare you the gory details. But the end result was this: The root cause is that iOS is able to convince ActiveSync to manipulate properties on meetings that it should not be able to manipulate (namely, the organizer of the meeting). Sometimes, it will make these decisions because for whatever reason it believes [these changes are] in the best interest of the user.

    Microsoft has an ActiveSync specification that calls out what properties should and should not be used during EAS communication. In our troubleshooting it was determined that Apple's manipulation of the organizer field is against the ActiveSync specification. However, ActiveSync will not stop iOS from doing this regardless of the fact that it is "against the specification." ActiveSync will happily accept the change and write the properties from the mobile device even if the ActiveSync spec says that Exchange explicitly should not do this.

    The end result: Apple claims that it's Microsoft's bug because ActiveSync lets it happen. Microsoft claims it's Apple's bug because they wrote code that makes it happen. Microsoft says they "told Apple not to do this but they did it anyway." Ultimately, we were of the opinion that it was Microsoft's bug to fix since the specification laid down rules of this nature yet is unwilling to enforce them. We pointed out to them that this seemed to be a security issue. They disagreed.

    Like I said, I spoke to my old colleagues and they confirmed that the problem still exists and with iOS 6, the meeting hijacks appear to have worsened. They are still in the planning stages of Exchange 2010 so I cannot comment on whether or not the calendar repair agent helps this issue in that particular environment.

    Thanks to our reader for contributing his experience. If you've got specific details on troubleshooting this issue or have run into it yourself, please let us know.

  • techBASIC 2.0 brings sensor data collection, analysis and visualization to iOS

    by Steve Sande
    04.18.2012

    Scientists and hobbyists who want to use their iOS devices as tricorders now have a new tool to help them to bring that dream to life. Byte Works has released version 2.0 of techBASIC, a US$14.99 scientific and educational programming environment for iOS that can be used to pull in data from internal (accelerometer, magnetometer, and gyroscope) and external sensors.

    In case the name Byte Works sounds familiar to some of you, the company has been around for a long time. Mike and Patty Westerfield started the company in the early 1980s, developing the ORCA computer languages for the 8-bit Apple II. ORCA/M became the standard development system for the Apple IIGS under the names Cortland Programmer's Workshop (CPW) and Apple Programmer's Workshop (APW). techBASIC has its roots in another Byte Works product, GSoft Basic for the Apple IIGS.

    techBASIC 2.0 is a universal app, so any program you develop on your iPhone can easily be run on your iPad or vice-versa. Launching the app on the iPhone displays a list of included example programs -- the source code for these programs is a nice place to pick up some tips on how to access and use readings from the sensors built into iOS devices. The iPad version shows the list of programs and also provides a window showing the graphical output of your programming efforts.

    Of course, you cannot create apps for sale in the app store with techBASIC. However, you can send your code to others through email. I'd personally like to see techBASIC work with Dropbox or iCloud for storing self-created apps online for backup and sharing.

    A tap on any one of the program names displays its source code. The example programs are not only useful, but well-commented for educational purposes. In both the iPhone and iPad flavors, techBASIC includes buttons to display the source code, show a console, see graphics being generated by your program, etc... If you need to, it's possible to step through a program to see how it works or to debug an issue.

    The documentation for techBASIC is available online, consisting of a reference manual and individual Quick Start guides for iPhone and iPad. There's also a built-in help system with full details of statements, functions, events, graphics classes, GUI classes, sensor classes, and system classes.

    Perhaps one of the coolest features of techBASIC 2.0 is the ability to tap into the sensors of your favorite iOS devices. The language provides a way to tap into the accelerometer, magnetometer, and gyroscope, and also to grab your current latitude-longitude, altitude, and more. There's a separate sensor class for the HiJack hardware, a University of Michigan project to add small sensor packages to iOS devices. The techBASIC blog features an example app showing how to grab readings from a HiJack-connected potentiometer. The potential here is huge -- imagine being able to connect HiJack to a thermocouple to grab a temperature log through techBASIC, or to an anemometer to measure and track wind velocity on an iPad or iPhone.

    One of the reviewers listed on the Byte Works website notes that she feels that techBASIC is a "mini-MATLAB in my pocket." I have to agree. While techBASIC isn't nearly as high-powered as MATLAB, it's more amenable and affordable to those who want a lot of the same capabilities to analyze and visualize data.

    I won't go into a huge, detailed description of the techBASIC language here, since the documentation is readily available. But I will say that this is an excellent development environment for researchers or anyone with an iOS device who enjoys tinkering with hardware. For students, techBASIC is an inexpensive way to learn about programming. Be sure to check out the gallery to see screenshots from both the iPhone and iPad, and watch the video below for a look at techBASIC in action.

  • Report: French delivery truck hijacked, 6,000 copies of Modern Warfare 3 stolen

    by Jessica Conditt
    11.06.2011

    A delivery truck in Créteil, France carrying 6,000 copies of Modern Warfare 3 was hijacked and stolen on Saturday by two masked people, French news outlets TFI and Ultimate PS3 reported. The truck crashed with a car, and when the truck's drivers exited, two people in masks tear-gassed them before taking off with the games, TFI said. The shipment was reported to be worth 400,000 euros ($551,000). If you're in the Créteil area and happen to see two people in a delivery truck grinning like maniacs and most likely high-fiving a lot, you may want to contact the authorities. And everyone -- let's settle down. Modern Warfare 3 comes out on Tuesday. It's not worth jail time to play this one a few hours early.

  • Google admits sensitive email accounts have been hacked, some users knew months ago (update: US says no government accounts compromised)

    by Sharif Sakr
    06.02.2011

    The Contagio security blog posted evidence back in February of targeted attacks against government and military officials on Gmail. Today, nearly four months later, Google has finally admitted this is true: hundreds of personal accounts have been compromised by hackers it believes to be working out of Jinan, the capital of China's Shandong province. The accounts include those of "senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists." The hijackers' aim appears to have been to spy on their targets using Google's automatic forwarding function. But unlike the PSN fiasco, Google insists its internal systems "have not been affected." Instead it seems the hackers used a phishing scam, possibly directing users to a spoof Gmail website before requesting their credentials. Google says its own "abuse detection systems" disrupted the campaign -- but in a footnote right down at the bottom of their official blog page they also credit Contagio and user reports. Update: And in comes China's response, courtesy of Foreign Ministry spokesman, Hong Lei. "Allegations that the Chinese government supports hacking activities are completely unfounded and made with ulterior motives." Ok then, that settles that. Update 2: And the saga continues... According to an AP story published earlier today, the Obama administration has stated that the FBI is looking into allegations that hackers broke into Google's email system, but denied that any official government accounts were compromised. A White House spokesman went on to say that government employees are free to use Gmail for personal purposes, and can not be sure who in the administration might have been affected by the attack. Let's just hope they know how to leave the sensitive stuff at the office.

  • Adobe finds 'critical' security hole in Flash Player, won't fix it before next week

    by Vlad Savov
    03.15.2011

    Oh, here we go again. Adobe's kicked out a security bulletin for users of its Flash Player on "all platforms" -- that'll be the entire population of the internet, then -- warning them that a new critical vulnerability has been discovered that may cause crashes and potentially permit the hijacking of systems. The issue also affects the company's Reader and Acrobat software products. Even better news is that Adobe has found it's being actively exploited "in the wild" via a .swf file embedded in an Excel spreadsheet, but a fix won't be forthcoming until the beginning of next week. So, erm, enjoy your full web experience until then!

  • The Game Archaeologist goes PlanetSide: Your journeys

    by Justin Olivetti
    02.22.2011

    While war itself is a hellish, nasty activity that we'd be better off without, there's always been something compelling about playing war as both kids and adults. When you strip war of death and suffering, the play version can become downright compelling as we get engrossed in tales of heroics, deep strategies, risky gambits, and clear-cut victories. It's why we invest so much time in simulating war throughout our lives -- in snowball fights, toy soldiers, laser tag, and MMOs. For the soldiers of PlanetSide, the war has been raging for over eight years now with no end in sight, and that's just fine with everyone involved. The game was designed to be a perpetual struggle between military forces -- not due to politics or prejudice but simply for the love of the fight. In the year or so I've been writing this column, I've never seen so many people come forward when asked to share their experiences with an MMO as have done for PlanetSide. There's definitely something compelling and unique about this MMOFPS that's become a dear part of many gamers' memories, and I'm pleased to be sharing those stories with you today. Hit the jump for the glory, trooper!

  • Anarchy Online player hijacks GM account, runs amok in game

    by Justin Olivetti
    01.10.2011

    Many of us have mused from time to time what we would do if we happened to get our hands on coveted GM powers in our MMOs. While it may be tantalizing to think of slaughtering raid bosses with a single command, it's probably best that these virtual god-like powers are kept out of the public's reach. Unfortunately for the Anarchy Online team, this scenario went from hypothetical to chaotically real this past week. AO Game Director Colin Cragg labeled it an "unplanned and unwanted volunteer event" when a player managed to access a GM account and ran amok for over two hours in the game last Tuesday. Surprisingly, the player in question did try to "put on a spectacular show with special guest stars," as Cragg put it, although the event ended up causing a huge mess. Some players became unable to fight due to fear effects while others unwittingly received special items in their inventory. The team spent over 30 hours cleaning up the situation, and Funcom had to suspend over 140 accounts until these items could be removed. It is unclear if they caught the person responsible. Surprisingly, Cragg says that this wasn't the first time that someone took a GM account for a joyride in the game, due to the company's policy of trusting volunteers with this access. Even so, he had a few strong words for anyone who would do this: "If anyone is reading this who is responsible for these attacks GIVE US A BREAK. All we are trying to do here is trying to continue to develop a game we all enjoy. If you are mad about your accounts being banned, or something like that, please try to grow up and accept the fact that you very likely deserved it." You can read Cragg's full account of this event at Anarchy Online.

  • Spilled coffee in 777 cockpit leads to inadvertent hijack warning, FAA-mandated sippy cups look likely

    by Tim Stevens
    01.05.2011

    If you've ever spilled coffee on a piece of electronics, maybe a keyboard or even a laptop, spare a thought for the pilot of United Airlines flight 940, outbound from Chicago and heading to Frankfurt. Not long after takeoff the pilot apparently dumped a cup of Joe onto the communications panel in the cockpit and things rapidly went downhill from there. The crew inadvertently sent a code 7500, which indicates that the plane is being hijacked and, as you can imagine, that led to a lot of unwanted attention. It's not clear whether the equipment malfunctioned and sent the code or the pilot, likely struggling with a scalded lap, fat-fingered things on the panel. Either way, the flight diverted to Toronto and, rather tragically, the passengers were all sent back to Chicago to try again the next day.

  • G1's browser getting hijacked like a cab in Liberty City?

    by Chris Ziegler
    11.24.2008

    There's already been a G1 firmware pushed out to patch up a browser security issue, but you know how it goes with those -- two flaws seem to magically sprout up in place of every one that's snuffed out. It's unclear exactly what's going on here, but some G1 users are reporting that attempting to visit Yahoo!'s home page is intermittently redirecting them to a totally legit-looking page imploring them to download some bogus Microsoft AntiSpyware crap -- and while we're thinking that this fake site was intended to target slightly larger computers of the Windows variety, it's disturbing that this redirect somehow managed to filter down to Android. It could be a DNS hack or a problem with T-Mobile's proxies, in which case the G1's own defenses are absolved for the time being, but that's not much comfort for Joe Yahoo-User, now is it? [Via Android Community, thanks Dooosthy]

  • Thieves steal a truckload of Rock Band

    by Alexander Sliwinski
    12.13.2007

    The LA Times reports today that a truck with over 1,000 boxes of Rock Band was hijacked last weekend. The robbers kidnapped the truck driver, held him at gunpoint while they unloaded the truck and then released him after the deed was done. For those interested in the math, the thieves got away with $170,000 worth of merchandise. According to authorities the circumstances of this hijack are very rare, as the thieves actually kidnapped the driver and drove around for an hour -- the kidnapping charges carry a life sentence. Our big question: How do you inconspicuously store and fence 1,000 Rock Band boxes? May we suggest checking the Canadian border? We hear they're getting a little desperate up there. [Thanks to all who sent this in]

  • Truckload of 360s hijacked in England

    by Richard Mitchell
    11.24.2006

    The holidays are upon us, the Wii and PS3 are sold out, but now we're hearing echoes of the 360's launch. British website, Reg Hardware, is reporting that a truckload (lorryload for the Brits out there) of 360s was recently hijacked in Staffordshire, England. At least three men in two cars (believed to be Range Rovers) flagged the truck driver down by signaling that there was something stuck under his tires. After he stopped, the men attacked the driver and stole his vehicle, containing £500,000 ($950,000) worth of WWE: SmackDown Vs. RAW 2007 Xbox 360 bundles. The driver has been treated for minor injuries and the truck was found emptied later that day. The police suspect that the owner of a red Subaru had been casing the distribution center that morning. What's more, this is the second attack on Xbox shipments in the last five days. The distribution center is now conducting internal investigations. Reading this story of hijacking and violence, we can't help but remember that it's Black Friday. Whatever system you're out there to purchase today, remember that it's just a console, folks. Oh, and be on the lookout for mysteriously cheap WWE: SmackDown Vs. RAW 2007 bundles. [Thanks, gib786]

  • Airfoil, Audio Hijack Pro can now "Minimize to Menu Bar"

    by David Chartier
    06.07.2006

    Airfoil and Audio Hijack Pro, the slick Mac OS X audio broadcasting and recording (respectively) software from Rogue Amoeba, have just been updated with a handy new feature: minimize to menubar. It's a new preference that (you guessed it) will allow these apps to minimize into the menubar, with some features still accessible without having the entire app open on your desktop. Rogue Amoeba has provided a demonstration video to show off this small but functional new feature.

  • Truck carrying HDTV components hijacked in the Philippines

    by Richard Lawler
    12.22.2005

    Apparently some of you guys are really excited about higher quality images on your high definition TVs. I don't know if it was because of our mention, but a truck full of Maxim's parts (possibly including some of their "true" high definition amplifiers) was hijacked recently. I'm not sure what you could do with $565,000 worth of amplifiers, but I'm sure it wouldn't include MNF at your place now would it? Cuz you'd leave us a note in the tips form right? right?