LulzSec hackers plead guilty to cyberattack charges

LulzSec, short for Lulz Security, is a hacker collective that has pulled quite a few grand cyberattacks, taking high-profile and big-name websites down whilst gathering up a plethora of passwords and account info, among other things. Last year, the FBI brought the group down with the aid of its leader, “Sabu,” arresting multiple individuals and charging them with a variety of breaches of the law. Now three members have plead guilty.

LULZSEC

According to The Guardian, Jake Davis (20-years-old), Mustafa al-Bassam (18-years-old), and Ryan Ackroyd (26-years-od), who had previously maintained his innocence, have plead guilty in London earlier today to attacking Sony, News International, and the NHS. For his part, Ackroyd plead guilty to plotting attacks on a variety of websites, among them being 20th Century Fox, as well as a single count of a computer hacking charge.

And for their parts, al-Bassam and Davis plead guilty to conspiracy to attack law enforcement agencies throughout the United Kingdom and the United States, as well as the cyberattacks against the aforementioned News International, 20th Century Fox, NHS, and Sony. This is al-Bassam’s (who is said to have gone by the name Tflow) first guilty plea in the cyberattacks.

Now the group is awaiting sentencing, which is slated to take place on May 14, about two-years after the attacks they plead guilty to took place. Also slated for sentencing on May 14 is another LulzSec hacker named Ryan Cleary (21-years-old), who had already plead guilty to six charges said to be related. Check out the timeline below for more info on the hacking group.

[via The Guardian]


LulzSec hackers plead guilty to cyberattack charges is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

Apple’s iMessage encryption foils snooping, leaked DEA document reveals

iMessage is a convenient way for iOS users to swap messages, and it seems that extends to those engaging in less-than-honest dealings, particularly of the drug variety in this case. The folks over at CNET got their hands on an internal Drug Enforcement Administration memo that details an investigation and the difficulty suspects who use Apple‘s messaging system pose.

Dea_color_logo

Obviously this is good news for those who are hyper-conscious of their privacy and the snooping attempts of others, but not for government agencies trying to finger suspects for crimes. According to the DEA document, “it is impossible to intercept iMessages between two Apple devices.” iMessage uses end-to-end encryption, and is massively popular, with the service having been used to transmit billions of chat messages.

It seems that as part of the investigation discussed, DEA agents received court permission to grab suspects’ text message logs from Verizon, only to discover blocks of obviously missing content. That content, it turns out, was because the individuals under surveillance were intermittently using iMessage. According to the DEA, those messages can’t be grabbed using Title III interceptions, trace devices, or trap devices.

This is part of an ongoing problem for law enforcement, with various government agencies having pursued and actively pursuing measures to add ways for them to access these messages. The ACLU has another view of the issue, however, with its senior policy analyst Christopher Soghoian stating, “The real issue is why the phone companies in 2013 are still delivering an unencrypted audio and text service to users. It’s disgraceful.”

[via CNET]


Apple’s iMessage encryption foils snooping, leaked DEA document reveals is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

Provision restricts US government Chinese purchases due to espionage worries

Late last year, there was quite a bit of hoopla over whether the Chinese government was using devices from Chinese manufacturers such as ZTE and Huawei to spy on other nations. The manufacturers denied the claims, but it set off a firestorm of debate, and Canada moved to ban the devices. Now the US has slipped a review process into law to help safeguard against such attacks.

zte_main-580x348

Congress slipped the review process into the appropriations bill that was just signed by President Obama, and with it comes new stipulations for certain government agencies. Per the language in the law, the agencies must initiate a formal review in conjunction with law enforcement that looks into the risk of espionage and sabotage before purchasing “information technology systems” that have a connection, whether through manufacturing or assembly, to China.

The Department of Justice, NASA, and the Department of Commerce are all bound by the language to perform risk assessments before potential purchases that look into “any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized [by China].”

This follows many alleged cyberattacks on American media companies, banks, and other systems by the Chinese government. Likewise, late last year the White House expressed concern that ZTE and Huawei could be used by the nation for spying purposes, with the government urging telecommunications companies to tread carefully. Backlash came from both ZTE and Huawei, and sources said soon after that the White House found no evidence of spying from the latter manufacturer.

[via Reuters]


Provision restricts US government Chinese purchases due to espionage worries is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

Sony Xperia Z bug allows anyone to bypass the lock screen

Joining the likes of Apple and Samsung, Sony has had some issues with bugs providing various levels of security vulnerability, with another one surfacing today. Unfortunately for Sony Xperia Z owners, the method for bypassing its lockscreen is simple and straight-forward, and is another reminder not to presume lockscreens are always secure enough to keep sensitive data safe.

sony_xperia_z_review_sg_6-580x374

Unlike the latest iPhone security issue, the Xperia Z’s method doesn’t involve any fiddling with the SIM card or other physical parts of the phone. Instead, demonstrated in the video attached below by Scott Reed, who found the issue, you can see the method at work, which involves using the emergency dialer.

After pulling up the emergency dial pad, the user only needs to type in *#*#7378423#*#*, which then brings up the service menu. Via the service menu, the user then needs to use the NFC > NFC Diag Test, at which point the home button can be pressed and the home screen accessed. The bypass is easy enough for anyone to replicate.

This follows shortly after a new bug has surfaced with the iOS 6.1.3 update that fixes one security bypass issue while introducing a new one, which involves using voice command and ejecting the SIM card at a certain time. Likewise, Samsung has had issues with some of its Galaxy devices providing lock screen bypass vulnerabilities.

[via GSM Arena]


Sony Xperia Z bug allows anyone to bypass the lock screen is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

Microsoft publishes 2012 Law Enforcement Requests Report

Microsoft‘s Legal & Corporate Affairs Executive Vice President Brad Smith announced on Microsoft’s Tech Net blog that the company has released its first Law Enforcement Requests Report. The report details law enforcement data requests worldwide for information from the company’s cloud and online services, including how it responded to the requests.

orange

According to the announcement, Microsoft’s first report includes information about data requests and responses for its various services, including Xbox LIVE, Outlook.com and Hotmail, Microsoft Account, and Office 365. It will continue to update this report twice a year (every six months) with new information. In addition, the company is also releasing data related to Skype, which it acquired a little over a year ago.

This move is to provide the public with information on consumer data requests and how they are responded to, providing transparency and contributing to the information on the topic already provided by other companies in the industry. The information is split by country, and shows how often the requests for each country are responded to with the data being handed over.

The report shows that Microsoft received 75,378 requests from various law enforcement agencies in 2012 concerning 137,424 accounts. Out of this large number, 2.1-percent of them resulted in Microsoft providing the requested information, a total of 1,558. Specifically, that 2.1-percent represents instances when the company provided content stored in/on the customer’s account, but not what it calls “non-consumer” data, which includes things like email addresses.

[via TechNet]


Microsoft publishes 2012 Law Enforcement Requests Report is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

Apple iCloud now comes with two-step verification

Two-step verification (also known as two-factor authentication) is becoming all the rage now. After the recent influx of security breaches and hacks on major services, companies are starting to implement two-step verification to prevent social engineers from gaining access to your personal data. Today, Apple is beginning to roll out its own two-step verification process for iCloud.

screen-shot-2013-03-21-at-2-31-03-pm copy

The process works similarly to other services with the feature. Users first need to enable two-step verification on the Apple ID website. After that, you can use your mobile device to receive verification codes either through a text message or using the Find my iPhone app in order to sign into Apple services.

This new feature for iCloud comes months after technology journalist Mat Honan was hacked and all of his iOS and Mac devices were erased, thanks to some clever social engineering by the hacker. Apple promised to beef up its security, and has introduced two-step verification today to prevent such things from happening again.

Currently, several companies support two-step verification, including Google, Dropbox, Facebook, Amazon, and Yahoo. Essentially the feature requires two types of verification in order to log into services, one of which is a virtual verification (like a password), and the other is a physical verification (a mobile phone in this case). This prevents anyone from accessing your account, even if they know the password.

[via 9to5Mac]


Apple iCloud now comes with two-step verification is written by Craig Lloyd & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

T-Mobile’s “Wi-Fi Calling” security vulnerability leaves subscribers at risk

It seems to be a bad week for cell phone safety, with another vulnerability coming to light, this time concerning T-Mobile‘s Wi-Fi Calling feature. While the feature is handy for those who want to save minutes and utilize the Internet connection they already have available, it is also a potential hazard when it comes to keeping your personal texts and calls secret. Researchers at the University of California, Berkley are credited with finding the problem.

wifi calling

This information comes from SecurityWeek, which interviewed the two researchers – Jethro Beekman and Christopher Thompson – about their discovery. When Android handsets utilize Wi-Fi Calling, they fail to properly validate the security certificate for the server, which leaves them open to MiTM (man-in-the-middle) attacks. This vulnerability was discovered by reverse engineering the T-Mobile feature.

Says the researchers, T-Mobile uses regular VoIP for Wi-Fi Calling instead of a connection that encrypted, something that aids in its vulnerability. An attacker can take advantage of the victim if he is using the same wifi network the call is being placed over, intercepting calls and doing with them as he pleases. Mention was also given of the possibilty for setting up a malcious network to get callers to connect and use it.

Said the researchers: “Without this proper verification, hackers could have created a fake certificate and pretend to be the T-Mobile server. This would have allowed attackers to listen to and modify traffic between a phone and the server, letting them intercept and decrypt voice calls and text messages sent over Wi-Fi Calling.”

[via Security Week]


T-Mobile’s “Wi-Fi Calling” security vulnerability leaves subscribers at risk is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

Microsoft confirms LIVE accounts hacked, pulls Xbox Entertainment Award app

Microsoft has issued a statement confirming that some of its “high-profile” Xbox LIVE accounts that are said to belong to both former and current employees have been hacked, reports the folks over at ars technica, which was cyberattacked yesterday by the same hacking group. Known as Team Hype, the hackers are suspected to have caused a host of grief, including having possibly caused a police raid on Brian Krebs, a security reporter.

xbox live

Said Microsoft to ars technica: “We are aware that a group of attackers are using several stringed social engineering techniques to compromise the accounts of a handful of high-profile Xbox LIVE accounts held by current and former Microsoft employees. We are actively working with law enforcement and other affected companies to disable this current method of attack and prevent its further use.”

In addition, Team Hype is said to use stolen Social Security numbers and credit information to take over Xbox LIVE accounts, according to Krebs, who has also linked one of the hackers with ordering DoS attacks on both his own and ars technica’s websites. The hackers made public videos of them holding account hijacking sessions, with some of those hijacked accounts then being sold to LIVE users.

Earlier today, Microsoft also confirmed that Xbox LIVE users who had used the Xbox Entertainment Award app were compromised, with the Entertainment website having displayed approximately 3,000 instances of gamertags and private information, such as addresses and names. As a result, Microsoft has temporarily pulled the app while it sorts out the issue, directing concerned customers to its Xbox Security Web page.

[via ars technica]


Microsoft confirms LIVE accounts hacked, pulls Xbox Entertainment Award app is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

iOS 6.1.3 lock-screen bypass bug provides access to Contacts and Camera Roll

Yesterday, Apple rolled out iOS 6.1.3, patching up the popular Evasi0n jailbreak and, as a video we have available after the jump shows, introducing a security vulnerability that allows the lock screen to be bypassed. This is despite the fact that the latest iOS release contains fixes to previous vulnerabilities that allowed anyone to skip the lock screen.

Screenshot from 2013-03-20 20:10:39

The newest security issue isn’t terribly easy to pull off, although anyone with a bit of dedication could manage it. The problem was surfaced by YouTube user videosdebarraquito, who posted a video showing the entire method using an iPhone 4. This was followed up by others confirming that they managed to reproduce the bug, including the folks over at The Next Web.

As you can see on the video above, the bug is exploited by removing the SIM card at a certain moment while initiating a call via voice commands. Doing this provides access to the handset’s Contacts and Camera Roll, which can be fully browsed and edited. The obvious solution until Apple rolls out a fix for this lock screen bypass is to shut off the voice dialing feature.

Some user reports are coming in that this exploit does not work when using Siri, but some have published that they’ve managed to get it to work on the iPhone 5. The full effect of the bug will only be known as word spreads and more variations of the iPhone are tested, but for now it would seem those operating pre-Siri are vulnerable to the issue.

[via The Next Web]


iOS 6.1.3 lock-screen bypass bug provides access to Contacts and Camera Roll is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

Samsung details Knox and HomeSync sharing system

We’re here live at Samsung’s GALAXY S 4 unveil event in New York City, and the company has unveiled a new feature called HomeSync, which is essentially a home-based cloud storage solution for you and your family. Up to eight family members (or just general users) can push content to a storage box at home, and phones pair with it using NFC. Samsung also unveiled Knox, which is a new feature that keeps your personal life and work life separate on the GALAXY S 4.

homesync

HomeSync is basically a home server, and it has 1TB of storage, which is plenty to store all store all sorts of media that you can access on the go. Although, rather than being an actual cloud storage service, the storage is in your home rather than somewhere in a server farm.

The system allows content thats played on a TV to be viewed by the GALAXY S 4 in full 1080p if the video file is rocking it. The big kicker here, though, is the NFC capability. All you have to do is tap the device on the home box and content appears on the S 4. It’s a pretty nifty system, and quite a unique one at that.

knox

As for Knox, it’s essentially a service that allows for enterprise-level security on the phone, as well as the ability to store all of your personal content, which is very similar to BlackBerry Balance. Knox keeps all of your business files and personal files separate, that way you don’t mix the two accidentally.


Samsung details Knox and HomeSync sharing system is written by Craig Lloyd & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.