Wednesday, January 7, 2015
Monday, June 2, 2014
'Oleg Pliss' Hack Makes for A Perfect Teachable IT Moment
Computerworld - Earlier this week, a number of iOS device owners woke up to discover that someone had locked them out of their iPhones, iPads, and iPod touches. The attack, primarily aimed at users in Australia and New Zealand (though there are now reports of users in North America and other countries being hit), demanded a ransom be paid to unlock each device. Ironically, the PayPal account referenced in the demand did not seem to even exist.
The "Oleg Pliss" hack, if you can call it one, wasn't particularly sophisticated. The party behind it most likely relied on information like user IDs (including email addresses used as usernames) collected by attacks on non-Apple websites like the recent breach that compromised eBay user accounts. Since a lot of people reuse user IDs, passwords and account security questions, all the hacker(s) needed to do was use that information to log into iCloud and use the Find My iPhone/iPad/iPod feature to lock the device and display a message on it. (The feature is typically used to locate a lost or stolen iOS device.)
Thursday, January 23, 2014
Board Declares NSA Data Sweep Illegal
The president did not go nearly as far when he called last week for ending government control of phone data collected from hundreds of millions of Americans. In its report, obtained by Fox News and scheduled for release Thursday afternoon, the Privacy and Civil Liberties Oversight Board (PCLOB) said the program ran afoul of the law on several fronts.
"The ... bulk telephone records program lacks a viable legal foundation," the board's report said, adding that it raises "serious threats to privacy and civil liberties" and has "only limited value."
"As a result, the Board recommends that the government end the program," the panel wrote.
It remains to be seen whether Obama will accept all or part of the recommendations, but the findings could nevertheless be used as leverage in federal lawsuits against NSA spying.
The report concluded that the NSA collection raises "constitutional concerns" with regard to U.S. citizens' rights of speech, association and privacy.
Guccifer Unmasked!
- Romanian authorities announced Wednesday the arrest of Marcel Lazar Lehel, 40, a hacker believed to work under the name 'Guccifer'.
- Guccifer became known in the U.S. a year ago after releasing personal Bush family pictures.
- In Romania his hacking dates as far back as 2010.
- He was found guilty in his home country of a dozen hacking-related charges in February 2012.
Romanian authorities announced Wednesday that they arrested 40-year-old Marcel Lazar Lehel in the town of Arad.
The raid was organized by Romania's Directorate of Investigating Organized Crime and Terrorism (DIICOT) who said that they were cooperating with U.S. authorities.
Guccifer became known in the U.S. last year when he released pictures of former President George H.W. Bush in the hospital along with other former president George W. Bush's hobby paintings.
While Bush II's paintings turned out to be more of a lighthearted hack, Guccifer eventually went on to expose the more serious secrets of America's powerful.
Guccifer hacked into the website of Colin Powell, revealing an affair between the former secretary of state and Romanian European Parliament member Corina Cretu - an affair the married man continues to deny.
Monday, August 19, 2013
Mark Zuckerberg’s Facebook Page Was Hacked by an Unemployed Web Developer
“First sorry for breaking your privacy and post to your wall,” an apparent screenshot of the hack reads. “I has [sic] no other choice to make after all the reports i sent to Facebook team.”
The break-in, detailed on Shreateh’s blog (and in several agitated posts from Facebook developers on Hacker News), has been more than a little embarrassing for Facebook.
But it’s not exactly newsworthy that Shreateh found a bug — that happens all the time. In fact, Facebook runs a program that encourages white hat hackers to find and report bugs in Facebook infrastructure in exchange for a cash reward. What is unusual is that Facebook didn’t respond to Shreateh’s initial reports about the bug, and that Shreateh then exploited it in violation of Facebook’s policies for white hat hackers.
“The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission,” insisted Matt Jones, a Facebook software engineer, on the forum Hacker News. “Exploiting bugs to impact real users is not acceptable behavior for a white hat.”
Thursday, July 11, 2013
The High Cost Of Cybercrime
Every enterprise has high-value information vital to its success. As cyber-attack techniques become more sophisticated, this “digital gold” is increasingly vulnerable.
A study by the Ponemon Institute found that the average annualized cost of cybercrime in 2012 is $8.9 million per year, with a range of $1.4 million to $46 million.* The cost of cybercrime includes more than the value of the stolen information. It includes the costs of business disruption, lost opportunity, damage to brand, and recovery efforts.
- Sony estimated their costs from 2011 data breaches were at least $171 million.
- A competing manufacturer stole source code from a control-system supplier; the supplier’s stock dropped 83%.
- A metallurgical company lost to cyber espionage technology built over 20 years at a cost of $1 billion.
- The Canadian government stopped a $38.6 billion takeover bid when attacks compromised sensitive information at government agencies and law firms.
- Civil penalties for ePHI breaches can be up to $250,000, with repeat/uncorrected violations reaching $1.5 million per violation, per year.
Wednesday, July 3, 2013
Massive Android flaw allows hackers to ‘take over’ and ‘control’ 99% of Android devices
Mobile security company Bluebox said today that it recently discovered a vulnerability in Android that makes any Android device released in the last four years vulnerable to hackers who can read your data, get your passwords, and control any function of your phone, including sending texts, making phone calls, or turning on the camera.
That’s almost 900 million Android devices globally.
“A Trojan application … has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords,” Bluebox CTO Jeff Forristal posted. “It can essentially take over the normal functioning of the phone and control any function.”
Everyone's Trying to Track What You Do on the Web: Here's How to Stop Them
It's no secret that there's big money to be made in violating your privacy. Companies will pay big bucks to learn more about you, and service providers on the web are eager to get their hands on as much information about you as possible.
So what do you do? How do you keep your information out of everyone else's hands? Here's a guide to surfing the web while keeping your privacy intact.
The adage goes, "If you're not paying for a service, you're the product, not the customer," and it's never been more true. Every day more news breaks about a new company that uploads your address book to their servers, skirts in-browser privacy protection, and tracks your every move on the web to learn as much about your browsing habits and activities as possible. In this post, we'll explain why you should care, and help you lock down your surfing so you can browse in peace.
Monday, July 1, 2013
Car Thieves Using New Wireless Technology To Break Into Cars
As cars become more and more like rolling computers, they're facing a new kind of threat formerly reserved for laptops and the like: They're being hacked.
Police in Long Beach, Calif., are looking for two men who used some sort of wireless device to unlock cars. They were caught on video holding something in their hands. As they approached the car, the interior lights came on and the doors simply opened. Police are baffled by how the thieves hacked into the car's wireless system.
It wasn't the first time thieves used technology to rob cars. In Chicago, a similar theft was caught on camera in 2012. Chicago police theorized that code-cracking software sent the same unlock signal to the car that the vehicle's key fob transmitter uses.
But you might not need special software to break into cars -- all you need is a cellphone.
New System Uses Low-Power Wi-Fi Signal To Track Moving Humans — Even Behind Walls
...so much for "I told you so".
The comic-book hero Superman uses his X-ray vision to spot bad guys lurking behind walls and other objects. Now we could all have X-ray vision, thanks to researchers at MIT’s Computer Science and Artificial Intelligence Laboratory.
Researchers have long attempted to build a device capable of seeing people through walls. However, previous efforts to develop such a system have involved the use of expensive and bulky radar technology that uses a part of the electromagnetic spectrum only available to the military.
Now a system being developed by Dina Katabi, a professor in MIT’s Department of Electrical Engineering and Computer Science, and her graduate student Fadel Adib, could give all of us the ability to spot people in different rooms using low-cost Wi-Fi technology. “We wanted to create a device that is low-power, portable and simple enough for anyone to use, to give people the ability to see through walls and closed doors,” Katabi says.