It seems Apple isn’t the only company working on fingerprint scanning technology. It looks like Samsung is also getting into the biometrics business with a solution of its own. Deep within the Galaxy S III file system, some images have been discovered that show off illustrated fingerprints, hinting at the possibility that Samsung may implement
Back in March, we heard rumors that Amazon was working on building a private cloud service for government agencies (specifically the CIA in that case), and it turns out that’s now getting the green light — sort of. Amazon and the US government signed a three-year deal that would see the government using Amazon Web
Another day, another cyberattack by the Syrian Electronic Army. This time the hacktivist collective targeted The Financial Times, making a nuisance of itself by taking over several of the company’s Twitter accounts, as well as changing the titles of posts on The Financial Times’ blog to “Hacked by the Syrian Electronic Army.” While the actions themselves are annoying, one message in particular crossed the line when it sent readers to a video of an execution.
The Syrian Electronic Army has attacked a variety of media companies, including CBS, The Guardian, E! Online, and even The Onion. Oftentimes, the hackers take control of the company’s Twitter account(s) and use them to post messages, some of them coming across as nonsense, others as fake news (such as Justin Bieber coming out of the closet), and sometimes things of a more serious nature, such as the link to an execution video on YouTube posted on one of the Financial Times’ Twitter accounts.
The Financial Times confirmed the hacks to The New York Times in an email, according to the latter company. While the company didn’t specify how the hackers gained access to its systems, there’s a good chance it was accomplished the same way the group’s other breaches have been, a method The Onion detailed earlier this month.
According to a blog post published on May 10, The Onion’s attack was the result of a rather conventional phishing scheme that involved sending links to a few of the company’s employees. The links purported to be of an interesting story, but instead took the recipient to a page requesting Google Apps login information. When someone falls for the ruse, their email is then used to try to message other workers for additional login information.
When someone in possession of the company’s social media accounts takes the bait, the hackers can then log into the account, change the password, and begin wreaking havoc. A similar attack was performed on The Associated Press, with one of the hackers revealing that 50 of the company’s employees had given up their login information. Such attacks reaffirm that companies should train their employees on how to recognize phishing attempts, as well as take measures to reduce the amount of damage that can result if someone does provide their credentials.
SOURCE: The New York Times
Syrian Electronic Army cyberattacks The Financial Times is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All rights reserved.
Bank heists – they’re the subject of movies, books, and, in some cases, real-world news. While not every mission goes as planned, many have managed to gain ill-gotten wealth from lax security systems, prompting banks to step up their game and stay on top of ever-changing technologies. The best way to find out you have a security vulnerability is to have someone exploit it, which is what one bank hired a security expert to do. Having successfully accomplished his mission, Nish Bhalla has detailed how he managed to “steal” $14 million.
Bhalla is the CEO of security company Security Compass, which specializes in breaking into the security systems of organizations and companies, exposing any vulnerabilities and issues that compromise data – or, in this case, allow someone to run off with millions of dollars. A bank located in the United States – name not provided – hired Bhalla’s company to test its system.
As we noted, the system wasn’t secure, and as a result Bhalla set himself up a checking account and funded it with $14 million that didn’t exist – money generated on the fly, so to speak. He then went over to an ATM and grabbed a receipt, which you can see an image of above, confirming that he was now – temporarily, at least – a multi-millionaire. Needless to say, such a massive infiltration “shocked” the bank, and it closed down his account before sprucing up its network security.
Not stopping there, he spoke to the folks over at CNN, detailing how the process of acquiring the funds went, and, in doing so, demonstrated how other stores, banks, and organizations could potentially suffer at the hands of the technically inclined and unscrupulous. The first step, as you likely guessed, was gaining access to the bank’s network, which Bhalla says is simple to do by latching on to its wireless network – something many banks provide for their customers to use as a courtesy.
From there, it was only a matter of using freely available sniffer software to map the bank’s computer network, followed by flooding the network’s switches to gather data. He found login information for a teller’s computer, which didn’t use encryption when sending data to the bank’s main database. As such, Bhalla had free rein, and used it to create a bank account with $14 million in funds, something that would likely go undetected until well after he transferred the funds overseas and left the country.
Such a revelation comes only days after eight individuals were charged with swiping $45 million from ATMs.
SOURCE: CNN Money
Security expert details how he nabbed millions of dollars from a bank is written by Brittany Hillen & originally posted on SlashGear.
Media companies of all sorts enjoy tips from readers and others, some of them being small snippets of information that are more or less without consequence, and others putting the tipster’s job – or worse – at stake. As such, privacy and anonymity are of the utmost importance, and conventional messaging methods often fall short of providing them. Because of this, The New Yorker has implemented Strongbox.
Strongbox was created by Kevin Poulsen and the late Aaron Swartz, who committed suicide earlier this year after intense legal pressure following his JSTOR hacking debacle. It is an extension of DeadDrop, the code of which will be made open source and released for other companies and individuals to use. Unlike traditional methods for submitting tips and information, Strongbox aims to keep the tipster anonymous, and makes it so the recipient won’t be able to determine from where the information comes.
The Strongbox system is simple for the tipster but quite involved behind the scenes, with several steps happening between the sharing of the tip and access to the information on the receiving end. Tipsters have to access Tor in order to upload a file or message (which are encrypted using PGP), and will receive a randomly generated alias. The files are then shuttled off to a server that is isolated from the recipient’s network and checked regularly by those with access.
If information has been received, the recipient downloads it via a VPN-connected laptop onto a flash drive, then decrypts the files on a secondary laptop running a live CD that is wiped with every restart using a second thumb drive containing the decryption keys. From there, the recipient can then return a message if desired via Strongbox, and the tipster can receive it by accessing the system using the randomly-generated alias that was assigned.
Poulsen talks about the project in his own write-up, detailing how it was initiated and the work that went into it, mixing it with a personal perspective on Swartz himself and the weeks leading up to his untimely passing, days after a launch date for the project had been set.
SOURCE: The New Yorker
The New Yorker unveils Strongbox for anonymous tip sharing is written by Brittany Hillen & originally posted on SlashGear.
Software engineer Moxie Marlinspike over at Thought Crime says he’s no stranger to unsolicited emails from individuals seeking help with surveillance efforts, due to some of the software he has created. While the programmer says he ignores most of them, one he received earlier this month caught his eye, and a short while later he discovered that Saudi Arabian telecom Mobily is working on a project to intercept mobile traffic.
The email, says Marlinspike, appeared in his inbox one day with the alluring subject line: Solution for monitoring encrypted data on telecom. Though he wasn’t interested in helping, he did respond to the agent’s email, initiating a correspondence that the programmer says lasted for a week. The end result was the revelation of telecommunication company Mobily’s current project for intercepting data from mobile applications, with particular emphasis on Line, Viber, Twitter, and WhatsApp.
Reportedly, Mobily’s Executive Manager of Network & Information Security Yasser D. Alruhaily is at the helm of the project, which was initiated by someone referred to as “the initiator.” Marlinspike believes “the initiator” to be the Saudi government, but it doesn’t sound like that information was ever explicitly provided.
In one of the emails from Mobily that were published, it is revealed the telecom company is looking for information on how to go about intercepting traffic from mobile apps, whether a workaround exists for accomplishing that task, and if there are any other parties it could approach regarding the project. Marlinspike goes on to specify that one document they provided indicates using SSL certificates for interception, as well as SSL exploits and vulnerabilities.
Word has it a WhatsApp interception prototype is up and working.
So, what is compelling such an action? Terrorism, according to a message Marlinspike posted from Mobily. The telecom company, after being informed that he wouldn’t help them, said that Saudi Arabia has a “big terrorist problem” with those responsible using the aforementioned mobile apps – and others – to transmit information. The telecom company then goes on to say that because of this its actions are not only necessary, but Marlinspike’s refusal to help is indirectly aiding terrorist activities.
SOURCE: Thought Crime
Saudi telecom Mobily working on project to intercept mobile data is written by Brittany Hillen & originally posted on SlashGear.
Over the last several weeks the Syrian Electronic Army has made a nuisance of itself (again), serving as a sort of annoying prankster who is repeatedly ordered to go stand in the corner. The organization is reportedly responsible for quite a number of hacks, with The Onion having been one of its unlucky victims. The humor website pinpointed the source of its infiltration and has revealed precisely how it happened, adding in a few pieces of advice for other media outlets to help combat the attacks.
Last month, the Syrian Electronic Army claimed credit for a few different compromised accounts. On April 21, the organization said it was responsible for the hacking of several CBS Twitter accounts, and a week later it went after The Guardian’s Twitter accounts, sending out tweets in its own favor. It didn’t take long for another compromised account to surface, this time being E! Online’s Twitter account, where the hackers spread false information about singer Justin Bieber before proclaiming in another tweet that fans had been trolled.
Its latest target was The Onion, which was digitally infiltrated this past Monday by the SEA, something that was originally suspected to be a joke given the nature of the company. That notion was laid to rest on Wednesday when The Onion posted a series of screenshots and URLs detailing precisely how the organization compromised its Twitter account, revealing that the hack – as with previous ones – had been accomplished via a few different phishing methods.
The attack was initiated via emails sent to The Onion employees containing a link that, at a quick glance, appeared to be from The Washington Post on content about The Onion. When clicked, however, the link took the recipient to the URL “hackwordpresssite.com/theonion.php,” which then redirected again to a page requesting Google Apps login information, after which point it took the victim full circle back to Gmail. Only a few employees received the emails, and at least one was fooled by it, resulting in the second phase of the attack.
Using the employee’s compromised email, the SEA sent messages to other Onion employees early in the morning containing another link that again requested Google login information. Of those targeted, one of the individuals who fell for it had the login information for The Onion’s social media accounts, including Twitter.
The Onion notified employees of the breach and sent emails instructing workers to reset their passwords, unaware that one of their accounts was still compromised. Via that account, the SEA sent an email to all but those involved in the IT department with a link said to be a password-reset URL. A couple of people fell for the second link, with both of their accounts then being used by the hackers to take control of The Onion’s Twitter account. Because of this, the company required all Google Apps passwords to be reset company-wide, but not before posting a humorous jab at the SEA.
In summary, The Onion advises other media companies to avoid such attacks by taking such steps as employee education on phishing, isolating social media account logins, feeding tweets through a third-party application, and having access to all employees outside of corporate email accounts.
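The two phishing stages described above (a link whose visible text names one site but whose target is another, then a "password reset" link sent from a compromised internal account) are the kind of thing a mail gateway or help-desk tool can screen for before a message reaches an inbox. The Python below is an added example, not code from The Onion or SlashGear; the sample message is constructed, the `theonion.example` trusted domain and the `accounts-reset.example.net` host are assumptions, and the hackwordpresssite.com URL is the one the article quotes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; fine for this sample, not a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# A domain or URL written out in the clickable text of a link.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
# Wording typical of a credential lure (stage two of the attack above).
_CRED_WORDS = re.compile(r"\b(password|login|log in|sign in|reset)\b", re.I)


def suspicious_links(html, trusted_domains=()):
    """Return links where the shown destination and the real one disagree, or where
    a credential-themed link points outside the organisation's own domains."""
    trusted = {registrable_domain(d) for d in trusted_domains}
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append({"href": href, "shown_as": text,
                             "reason": "display domain differs from link host"})
        elif _CRED_WORDS.search(text) and registrable_domain(host) not in trusted:
            findings.append({"href": href, "shown_as": text,
                             "reason": "credential lure points outside trusted domains"})
    return findings


# Constructed sample message: a look-alike news link, a fake reset link, a benign link.
SAMPLE_EMAIL = """
<p>Hey, did you see this piece about The Onion?</p>
<a href="http://hackwordpresssite.com/theonion.php">http://www.washingtonpost.com/blogs/theonion</a>
<p>Also, IT asks everyone to <a href="http://accounts-reset.example.net/">reset your password here</a>.</p>
<p>Our real page: <a href="https://theonion.example/about">About us</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL, trusted_domains=["theonion.example"]):
        print(f"{f['reason']}: {f['shown_as']!r} -> {f['href']}")
```

The first check catches the Washington Post lure directly; the second would not have stopped the reset email on its own (it came from a real colleague's account), but routing any password-themed link to a non-company host into quarantine is cheap, and it pairs naturally with The Onion's own advice to contact staff through a channel other than corporate email.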
SOURCE: The Onion
The Onion pegs Syrian Electronic Army hacks on phishing schemes is written by Brittany Hillen & originally posted on SlashGear.
While passwords are the law of the land on the internet, PayPal’s chief information security officer Michael Barrett says that passwords and PINs are obsolete and we need a new standard for security on computers and the internet. Barrett thinks that the next step is fingerprint scanners, which he believes will debut on smartphones at some point this year.
Speaking at the Interop IT conference, Barrett was quite positive that passwords will die sometime this year, even going as far as putting an image of a tombstone up on the screen that gave an “R.I.P.” to passwords. He says that passwords “are starting to fail us,” and that there are better, more secure ways to easily log into accounts in a secure manner.
On top of PayPal, Barrett is the president of the Fast IDentity Online (FIDO) Alliance, an organization that aims to change online authentication with an open standard that’s both secure and convenient to use. Barrett thinks that fingerprint scanners will be the wave of the future, and he even brought up rumors about the next iPhone coming equipped with a fingerprint scanner, as well as a handful of other new smartphones.
We can certainly see where Barrett is coming from. Passwords can be really easy to crack, especially if people use the same password for all of their accounts, which is inexcusable, but it makes sense, as many people don’t want to take the time to remember 20 different complex passwords. Two-factor authentication has been making the rounds, requiring users to log in using a password as well as confirming their identity through a hardware device, but it’s inconvenient. Barrett thinks that biometrics is not only convenient, but also much more secure than passwords.
However, he noted that passwords simply won’t go away after biometrics are introduced. It’ll certainly take a while before a new standard can completely take over, especially considering that passwords have been the standard for so many years. So while we could see smartphones with integrated fingerprint scanners, it could be a few years before a new security standard takes over full-time.
VIA: Macworld
PayPal wants to get rid of passwords in favor of biometric security is written by Craig Lloyd & originally posted on SlashGear.
On Monday, Anonymous and various extremist Islamic hacking collectives announced their OpUSA mission, which was a planned cyberattack against nine big-name US agencies/institutions that the hackers wanted to take down. The attack was announced in a manifesto of sorts on Pastebin, which you can read here if poor grammar is of no bother to you. Not surprisingly, the attack appears to have fizzled out with little effect.
The OpUSA cyberattack was set to take place on May 7, which has come and gone for most of those in the US, and thus far no reports have surfaced regarding cyberattacks against the intended targets, among which was the Pentagon, NSA, FBI, the White House’s website, Capital One, Bank of America, and many more banks. A YouTube video was also specified as a target.
YouTube hosted a video titled “Innocence of Muslims,” which Islamist hacking collective Izz al-Din Qassam Cyber Fighters would remove from the website, said Anonymous. Several other Islamic hacking collectives were also specified in the cyberattack’s announcement. For all the grand talk, however, little came of it and websites were by-and-large unaffected.
The Department of Homeland Security issued a statement earlier this week akin to an amused pat on the head, stating that the attack, at the most, would temporarily disrupt websites and nothing else. According to Mashable, the Honolulu Police Department and one hundred or so obscure small businesses had their websites hacked. That took place on May 6, however, and may have been unrelated.
[via Mashable]
Anonymous OpUSA cyberattack plan goes out with a fizzle is written by Brittany Hillen & originally posted on SlashGear.
LivingSocial, a website that provides users with deals on a daily basis, has been hacked, it revealed in a memo to employees and later on with a public statement to users. According to a spokesperson, hackers breached the system and pulled quite a bit of user data, including usernames, encrypted passwords, birth dates, and email addresses of potentially 50 million users. Fortunately, financial information was not accessed.
As a result of the breach, LivingSocial has begun resetting users’ passwords, and is also sending off emails to customers advising them of the situation, with the exception of users located in South Korea, Thailand, the Philippines, and Indonesia because those systems weren’t harmed. Fortunately, while the hackers got some information, the passwords were encrypted.
Users will need to create a new password now that their current one has been reset. Said LivingSocial in a memo to its employees: “We recently experienced a cyberattack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.”
Although the passwords were encrypted, the possibility exists that they could be cracked, and because of this LivingSocial is encouraging its users to create new passwords on their other online accounts, such as banking, social networking, and email accounts, that use the same password or one close to it. In addition, LivingSocial is also advising users that any emails they may receive requesting password information are phishing attempts and should be deleted.
[via New York]
LivingSocial breach leaves 50 million customers vulnerable is written by Brittany Hillen & originally posted on SlashGear.