Smartphones are great for texting and surfing the
web, but many of those applications have absolutely no security
according to security researchers at the recently completed Defcon
computer security conference. Volunteers at the Wall of Sheep told TG
Daily that mobile application developers are emphasizing usability over
security. They add that many secure desktop applications become
insecure when ported over to the smartphone environment.
Court cases are a wonderful thing because almost all
the evidence and filings become public record. The Massachusetts Bay
Transit Authority is suing MIT University and three students for
hacking its fare system. The three students, Zack Anderson, 21,
Alessandro Chiesa, 20 and Russell "RJ" Ryan, 22, were also hit with a
temporary restraining order that forbids them from giving their
scheduled speech at Defcon on Sunday afternoon. But unfortunately for
the MBTA, its attorneys included a confidential white paper about the
hack … a paper that was supposed to be, well, confidential. Of course,
we’ve included that document below.
The Massachusetts Bay Transit Authority has been
granted a temporary restraining order against three MIT hackers who
were scheduled to give a Defcon talk. Zack Anderson, RJ Ryan and
Alessandro Chiesa were scheduled for a Sunday talk about hacking the
Boston subway card in order to get free rides. Obviously the Transit
Authority doesn't want this information made public, but in getting the
TRO, the authority's attorneys have ineptly released much more
information than perhaps they originally intended.
Three MIT students probably won’t be giving their scheduled Defcon
speech on getting free subway rides. The Massachusetts Bay Transit
Authority – the agency in charge of the Boston T subway – sued the trio
for computer fraud and requested a temporary restraining order to
prevent them from presenting the talk.
The Apple iPhone is great for phone calls and viewing
YouTube videos, but it can also be turned into one heck of a wireless
hacking tool capable of wreaking havoc on almost any company or government
organization from the inside. In a talk at the Defcon security
convention, Robert Graham and David Maynor of Errata Security explained
how they could defeat firewalls, intrusion detection systems and even
armed security guards by Fedexing a modified iPhone to a fictitious
employee. The phone calls home every hour and can then be instructed
to sniff network traffic, discover nearby wireless devices and even
download information.
The three French reporters who were banned for
sniffing traffic in the Black Hat press room have skipped out on a
scheduled press conference at Defcon. The trio captured the login data
of other reporters, but say the whole thing was done as a joke and
wanted to explain their position at 2PM today. Well, it’s now almost 3
PM and they haven’t shown up.
An iPhone enthusiast discovered a kill switch that enables Apple to
wipe a malicious or unauthorized iPhone application even after it has
been paid for and installed on a user's iPhone. It did not take long
for the information to spread and questions over the secrecy and
purpose of the feature are being asked. While some argue that the
blacklisting feature isn't in the best interest of iPhone users, others
believe it is an effective weapon that can quickly kill potential malware
and viruses hidden in legitimate applications. And yes, you guessed it
right, Apple has not said anything yet.
Three French reporters attending the Black Hat computer security
conference have been banned for life for sniffing the press room
network. The hackers worked for a French security publication called
Global Security Magazine and admitted to capturing login information of
two other reporters covering the convention. Our legal sources tell us
the three could face federal charges for wiretapping.
The security pros at Black Hat got a little surprise
this year with the appearance of the infamous Wall of Sheep. Run by a
loose group of volunteers, the wall displays usernames, passwords
(partially obscured) and services sniffed from the wireless network.
This is all done in the name of security awareness and several security
pros have already been caught.
The press at the Black Hat and Defcon conventions have
always been somewhat exempt from hacking, but today we saw
journalist-on-journalist hacking with editors from Eweek and News.com as the
victims. Traditionally, the press room network has been relatively
secure because the Wall of Sheep team promised to not sniff the
reporters, but that promise didn’t extend to another reporter who fired up Cain and began scanning traffic. He
quickly found two of his competitors on the network, logging into their
respective administrator panels.
Consumer Reports has published its annual State of the Net survey and
found that one of the most common “online blunders” is to believe that
a Mac will shield you from malware threats, such as phishing scams. The
magazine zeroed in on Apple’s web browser and said that users should
use Firefox or Opera until Apple improves the security features of its
web browser.
The Internet relies on trust, but what if all that
trust comes tumbling down? That’s exactly the problem noted security
researcher Dan Kaminsky described today in his Black Hat talk about DNS
cache poisoning. Several months ago, Kaminsky discovered a
vulnerability in the DNS protocol that allowed bogus name information
to be sent to other servers and desktop computers – in essence hackers
could redirect web surfers, chat clients and even email servers to
machines of their choosing. Specific details about the vulnerability
and the ways to exploit it have been kept secret until today …
For the next week, the brightest computer security
minds are meeting in Las Vegas to drum up new ways of breaking into and
protecting networks. The annual pilgrimage can be described as a
temporary truce between the forces of good and evil as federal agents
and corporate security officers try to learn the most from their black
hat cousins. Of course, like in previous years, TG Daily will be
covering the event.
Newly disclosed Department of Homeland Security rules
are instructing border agents to seize laptops and other data carrying
instruments without probable cause. An internal memo dated July 16th
and disclosed by the Washington Post, tells officers of the Customs and
Border Protection agency that they can examine and detain any
traveler’s documents and electronic devices. Furthermore the material
can be shipped off for examination and even shared with other
government agencies. According to the memo, affected travelers will
receive their property back in a “reasonable” amount of time.
Apple has issued a security patch that promises to fix
a DNS vulnerability recently discovered by security researcher Dan
Kaminsky, but it appears the fix doesn’t actually fix anything. This
leaves Apple computers still vulnerable to DNS spoofing attacks which
can redirect web surfers to malware-laden or phishing sites.
Scrabble Beta, the official Hasbro-licensed online game made by
Electronic Arts, has been shut down by hackers. Barely a week old, the
official version of the game was meant to legally replace the immensely
popular Scrabulous game which was taken down by legal action from
Hasbro. However, most players couldn’t access the replacement game
yesterday and today. Electronic Arts has released a statement blaming
the problems on a “malicious attack” that resulted in the “disabling of
Scrabble on Facebook". EA promises that it's working hard to resolve
the issue.