On Friday afternoon, the Department of Homeland Security and Office of the Director of National Intelligence on Election Security issued a joint statement confirming that the Russian government was behind “the recent compromises of e-mails from US persons and institutions, including from US political organizations.”
The Ashley Madison hack made headlines across the world and exposed the private information of upwards of 33 million users. Some of the individuals discovered to have signed up for an Ashley Madison account include politicians, religious figures, and according to some outlets, a high-profile athlete or two. Sadly, the fallout from the hack has reportedly resulted in two suicides as well.
And now we might know who was behind it.
A security researcher has recently uncovered a worrisome new Android exploit which allows hackers to compromise a device simply by sending either an MMS message or a multimedia file. Once a device has been targeted and infected, hackers can access a user’s microphone, camera, external storage, and in some cases (depending on the device in question), even gain root access.
Initially discovered by Joshua Drake from the security firm Zimperium, the exploit takes advantage of a number of vulnerabilities found within the software framework Android uses to “process, play and record multimedia files.”
The holidays are over, but if you find yourself the owner of an iOS device with Siri and a Raspberry Pi computer, you can combine the two to automatically open up your garage door with this cool little hack by “DarkTherapy.” Using “SiriProxy running on the Raspberry Pi, along with wiringPi to access the Pi’s GPIO pins and turn a relay on/off,” DarkTherapy was able to upgrade his iPhone 5’s personal assistant with a nifty new skill — the ability to open garage doors. Brave geeks can head over to DarkTherapy’s forum post for instructions on the hack and a video of Siri the butler opening a garage door follows below.
Anyone who has ever used Kinect to control an Xbox 360’s dashboard knows that it can get tiring thanks to all the air swiping involved. Hacker extraordinaire Ben Heck took on the challenge of creating a Minority Report inspired “power glove” made from an accelerometer, gyroscope and Arduino controller to make gesture controls even more precise. With the leather glove on, button presses can be replaced with a finger pressing the palm. Various finger presses and twists can also be used to control the dashboard UI and video playback. “I wanted a glove to make the Xbox Kinect work the way we thought it would when it was announced,” Heck told Wired. Heck’s video describing how he made the power glove and how it works follows below, and it might make some readers wish this was the tech Microsoft (MSFT) introduced with the Kinect.
Notorious hacker group “Anonymous” on Thursday claimed responsibility for attacks on several government Web sites in China. The group has launched various Internet attacks on the country over the past week in response to what it believes to be strict and unfair laws. “All these years, the Chinese Communist government has subjected its People to unfair laws and unhealthy processes,” the group wrote on one Chinese website. “Dear Chinese government, you are not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall.” The group goes on to warn that further attacks are on the horizon. “So expect us because we do not forgive, never. What you are doing today to your Great People, tomorrow will be inflicted to you. Nothing will stop us, nor your anger nor your weapons. You do not scare us, because you cannot afraid an idea.” Anonymous also acknowledged the Chinese people directly, telling them to remain optimistic, “Don’t loose hope, the revolution begins in the heart.” More →
A report emerged last week from a security researcher claiming Microsoft’s Xbox lacked important security features that might protect owners who sell used consoles from having personal information stolen. Ashley Podhradsky of Drexel University claimed to have purchased a used Xbox console and used readily available hacking tools to recover the prior owner’s credit card number and other personal information. “Microsoft does a great job of protecting their proprietary information, but they don’t do a great job of protecting the user’s data,” Podhradsky said at the time. More →
Hackers stole credit card numbers belonging to as many as 1.5 million MasterCard and Visa customers, Global Payments, Inc. confirmed on Sunday. The international credit card processor was blocked by Visa after it reported the possibility of a major security breach on Friday. The company did not indicate how the hackers gained access to its system or who might be responsible for the attack. “Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained,” the firm told The Wall Street Journal while noting that cardholder names, addresses and Social Security numbers were not compromised. The company did say that the credit card numbers were downloaded during the attack rather than just being accessed, however, indicating that the perpetrators may intend to use the information to create counterfeit credit cards. Affected Visa and MasterCard customers have not yet been notified that their account information was stolen.
The world’s two largest credit card processors have notified U.S. banks of a potential security breach that may affect more than 10 million cardholders, Reuters reported on Friday. MasterCard and Visa have said that the issue was the result of a third-party vendor and not their own internal systems. MasterCard said it has taken the proper steps by alerting law enforcement officials and hiring an independent data-security organization to review the possible breach. “MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information,” the company said in a statement. “If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.” Visa made sure to emphasize that its customers are not responsible for any potential fraudulent charges. More →
Android users who are looking to sell their old devices should be wary of the possible consequences. McAfee identity theft researcher Robert Siciliano warned that personal data from Android devices is not completely removed after a user activates the built-in wipe option, The Los Angeles Times reported on Friday. “What’s really scary is even if you follow protocol, the data is still there,” Siciliano said. If you have a BlackBerry or Apple device, Siciliano said your data can be fully deleted by following the manufacturer’s directions. As for smartphones running the Android operating system and computers running Windows XP, Siciliano recommends that people don’t bother with selling them at all. “Put it in the back of a closet, or put it in a vise and drill holes in the hard drive, or if you live in Texas take it out into a field and shoot it,” he said. “You don’t want to sell your identity for 50 bucks.” To test the security of various platforms, Siciliano purchased 30 smartphones and computers from Craigslist. The researcher was able to access personal data from 15 of the 30 devices through his own hacking efforts and the help of a forensic expert. The data obtained included bank account information, Social Security numbers, child support documents and credit card account log-ins. More →
Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. “Microsoft does a great job of protecting their proprietary information,” researcher Ashley Podhradsky told Kotaku in an interview. “But they don’t do a great job of protecting the user’s data.” In order to avoid potential data theft, Podhradsky recommends users remove the hard drives from their consoles and wipe them while connected to a PC using special software. The Drexel researcher warns that not taking this precaution could have serious consequences. “A lot of [modders and hackers] already know how to do all this,” she said. “Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone’s identity.”
UPDATE: Microsoft contacted BGR via email with a statement regarding Kotaku’s report, which can be read below in its entirety. More →
A new study suggests that more than half of all Internet traffic is generated by non-human sources such as hacking software, scrapers and automated spam mechanisms. The majority of this non-human traffic, according to cloud service provider Incapsula, is potentially malicious. The study is based on data collected from 1,000 websites that utilize Incapsula’s services, and it determined that just 49% of Web traffic is human browsing. 20% is benign non-human search engine traffic, but 31% of all Internet traffic is tied to malicious activities. 19% is from ” ‘spies’ collecting competitive intelligence,” 5% is from automated hacking tools seeking out vulnerabilities, 5% is from scrapers and 2% is from content spammers. “Few people realize how much of their traffic is non-human, and that much of it is potentially harmful,” Incapsula co-founder Marc Gaffan told ZDNet. Incapsula, coincidentally, offers services aimed at securing small and medium businesses. More →
On Wednesday, a Russian hacker discovered a vulnerability in Google’s Chrome web browser during CanSecWest’s Pwnium hacker contest. It was the first time in four years at the competition that Chrome was hacked, and for his efforts, Sergey Glazunov was rewarded with $60,000. Less than 24 hours after the exploit was brought to Google’s attention, the search giant released an update fixing the vulnerability. “The Chrome Stable channel has been updated to 17.0.963.78 on Windows, Mac, Linux and Chrome Frame,” Google wrote on its Chrome update blog. “This release fixes issues with Flash games and videos, along with the security fix listed below.” Glazunov’s vulnerability is described as an “UXSS and bad history navigation” issue, however no other details were given. More →