Tag: hack

Vtech punters hit by hack

vtech-mobiogo2Half a million British families, including 750,000 kids, have been affected by the massive hack of kids computer tech outfit Vtech.

The VTech breach is one of the largest in history, including 5 million adults’ information. Its hacked database includes 560,487 accounts identified as belonging to people in the United Kingdom.

What is worrying the world is that a big chunk of the accounts were set up for children which makes for an all you can eat buffet for paedophiles.  The children’s data included their name, username, gender and date of birth.

A Vtech spokesperson did not answer press questions on the issue of the children’s data but it confirmed “an unauthorised party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015. Clearly those are the sort of unauthorised parties we never get invited to.

“The investigation continues as we look at additional ways to strengthen our Learning Lodge database security. We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future.”

The company said it immediately conducted a thorough investigation put in place measures to defend against further attacks.

 

Carphone Warehouse snuffled by watchdog over hack

watchdogThe UK’s data watchdog is “making inquiries” after Carphone Warehouse admitted that personal details of up to 2.4 million of its customers may have been accessed in a cyber-attack.

The attack was discovered on Wednesday, and made public on Saturday.
The encrypted credit card details of up to 90,000 people may have been accessed, the mobile phone firm said.

The Information Commissioner’s Office, which examines data breaches, confirmed it was aware of the incident.

Carphone Warehouse says the data could include names, addresses, dates of birth and bank details and it is contacting all those affected.

Carphone Warehouse claims it was the victim of a “sophisticated” cyber-attack, which was stopped “straight away” after it was discovered on Wednesday.

The affected division of the company operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, and provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.

The retailer’s owner, Dixons Carphone, has apologised for the attack and said additional security measures have been brought in. It has also taken the affected websites down.

The Information Commissioner will work out if Carphone Warehouse had done enough to protect customer data from hackers.

A spokesman for the Information Commissioner’s Office said: “We have been made aware of an incident at Carphone Warehouse and are making enquiries.”

The Metropolitan Police said its Cyber Crime Unit had been notified of the breach by Carphone Warehouse but no formal allegation of a crime had been made.

The Met said it had not had any reports of fraudulent banking activity.

Disconnected computers can be hacked

wargames-hackerFor years the most basic method of super security for a computer was to unplug it from the network or internet.

However a team of security experts from Ben-Gurion University of the Negev (BGU) have discovered a new method to breach air-gapped computer systems.

Dubbed “BitWhisper” the hack enables two-way communications between adjacent, unconnected PC computers using heat.

According to a paper penned by Mordechai Guri, computers and networks are air-gapped when they need to be kept highly secure and isolated from unsecured networks, such as the public Internet or an unsecured local area network. Typically, air-gapped computers are used in financial transactions, mission critical tasks or military applications.

According to the researchers, “The scenario is prevalent in many organisations where there are two computers on a single desk, one connected to the internal network and the other one connected to the Internet. BitWhisper can be used to steal small chunks of data (e.g. passwords) and for command and control.”

BGU’s BitWhisper bridges the air-gap between the two computers, approximately 15 inches (40 cm) apart that are infected with malware by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner.

By regulating the heat patterns, binary data is turned into thermal signals. In turn, the adjacent PC uses its built-in thermal sensors to measure the environmental changes. These changes are then sampled, processed, and converted into data.

“These properties enable the attacker to hack information from inside an air-gapped network, as well as transmit commands to it… Only eight signals per hour are sufficient to steal sensitive information such as passwords or secret keys. No additional hardware or software is required. Furthermore, the attacker can use BitWhisper to directly control malware actions inside the network and receive feedback.”

 

DLink routers vulnerable to Bulgarian exploit

khankrumA Bulgarian ethical hacker has found a hole in the firmware of DLink routers which make them vulnerable to remote changing of DNS settings and, effectively, traffic hijacking.

Todor Donev, a member of the Ethical Hacker research team, says that the vulnerability is found in the ZynOS firmware of the device, D-Link’s DSL-2740R ADSL modem/wireless router.

The firmware is used in gear made by D-Link, TP-Link Technologies and ZTE.

The flaw allows attackers to access the device’s Web administration interface without authentication, and through it to modify the DNS settings, which could allow them to redirect users to malware-laden and phishing sites and prevent them to visit legitimate sites for OS and software updates (including security software).

Donev released exploit code for the flaw in a security advisory and said that it could be  exploited remotely if the device’s interface is exposed to the Internet.

It is not the first time that the firmware has been found a little holey. In March 2014, Internet security research organization Team Cymru uncovered a global attack campaign that compromised over 300,000 home routers and changed their DNS settings. A different vulnerability in ZynOS was exploited in that attack and one of the techniques used was likely CSRF.

 

Turkish security expert kebabs VLC

3313108041_e74acb5429A Turkish security expert found two zero-day vulnerabilities in library code used by the popular VLC media player around Christmas and is amazed they still have not been fixed.

Veysel Hatas found the data execution prevention (CVE-2014-9597) and write access (CVE-2014-9598) violation vulnerabilities in VLC and warned the outfit it could lead to arbitrary code execution.

“VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitised when handling a specially crafted FLV” or M2V file”, Hatas wrote in his blog 

“This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.”

Despite the fact that the flaw was discovered on Boxing day and VLC was about to release a new stable version on January 9, the flaw was never fixed.

The flaws lie within libavcodec, a core component of the video player and VLC is not the only one to use the library. MPlayer and other open-source software also use it.

It has been estimated that there are more than 1.5 billion downloads of the open saucy VLC thanks mostly to the fact it will play anything – including viruses apparently.

Skeleton Key exposes password flaws

skeletonsSecureWorks, the security arm of Dell, has found malware which it has dubbed “Skeleton Key” which shows up weaknesses in the password system.

The attack consists of installing rogue software within Active Directory, and the malware then allows attackers to login as any user on the domain without the need for further authentication.

It has weaknesses as an attack vector — installation requires administrator access or a flaw on the server that grants such access.

But Skeleton Key has some interesting coding which could point to something even nastier in the future. It does not actually install itself on the filesystem. Instead, it’s an in-memory patch of Active Directory which makes detection even more difficult.

Access is not logged and the malware is completely silent and, as a result, extremely undetectable. Identifying the malware using traditional network monitoring also does not work due to the fact that Skeleton Key does not generate any network traffic.

In its current form, the malware does not survive a system reboot, which means that it has to be a continuous hack, but such things are possible, particularly if you have a disgruntled sysadmin.
Companies can also make the malware useless by having a two-factor authentication to connect to servers, VPN, email and the like. So in otherwords leaning on passwords is pretty much suicide.

There’s no fall out from Sony hack

2000px-United_States_Fallout_Shelter_Sign.svgDespite a storm in a teacup over the Sony hack, which saw high level political involvement, Sony insists that there will be no financial fallout for the company.

Sony Chief Executive Kazuo Hirai said he does not expect the November cyber attack on the company’s film studio to have a significant financial impact.

Apparently the film which North Korea wanted blocked “The Interview,” has generated revenue of $36 million. It earned another $5 million at 580 independent theatres showing the movie in North America.

The flick cost $44 million to make but given that it was a rubbish film, Sony probably was relieved that hack meant that it did not have to spend much marketing it. Most of the sales have been online. It will probably make a little more when it goes to DVD and Sony will get its cash back on a film that it otherwise probably would not have. Some have said that Sony spent $30 million marketing the flick which would mean that the film would come in at a loss.

“We are still reviewing the effects of the cyber-attack,” Hirai told reporters. “However, I do not see it as something that will cause a material upheaval on Sony Pictures business operations, basically, in terms of results for the current fiscal year.”

Sony Pictures may need several more weeks to rebuild its computer network after what has been deemed as the most destructive cyber-attack on a company on US soil. North Korea has denied it is behind it.

 

Hollywood makes up settlement figures

1910-carl-laemmleFor years Hollywood has been claiming that it has made giant settlement figures with those it considered pirates, to use fear to drag the IT industry into doing its bidding.

But now, thanks to the Sony hack, those figures are being questioned.

At the end of 2013, Hollywood claimed it managed to get  IsoHunt to ‘pay’ $110 million and Hotfile agreeing to ‘pay’ $80 million. In both cases, we noted that there was no chance that those sums would ever get paid.

TorrentFreak has been combing through the Sony emails and found that the Hotfile settlement was really just for $4 million, and the $80 million was just a bogus number agreed to for the sake of a press release that the MPAA could use to scare others.

“The studios and Hotfile have reached agreement on settlement, a week before trial was to start. Hotfile has agreed to pay us $4 million, and has entered into a stipulation to have an $80 million judgment entered and the website shut down,” the email from Sony’s SVP Legal reads.

The $4 million was paid out, in three separate payments, but Hollywood would have lost a fortune bringing the case.

It is also unlikely that any of the $4 million went back to any content creators, it would have been used to fund MPAA’s vast “anti-piracy” machine, allowing it to be used for other lawsuits and funding investigations by state Attorneys General.

It makes you wonder if anything they say involving money has any shred of truth.

 

Anonymous prepares to launch banned Sony movie

o-ANONYMOUS-facebookAfter Sony refused to release “The Interview” because of pressure from a hacker group, it seems Anonymous is furious.

The hacker group has decided that since Sony is bowing to the will of hackers to pull the film, it will release it, itself.

Of course Sony is not happy about this, which Anonymous will be pleased about, but the question is why would one hacker collective rain on another’s parade.

Part of this appears to be because Anonymous does not think that “Guardians of Peace” who managed the Sony raid are true hackers.  They believe that the hacker group is a tool of the North Korean government.

Hackivism is one thing, but when you are hacking on behalf of a government you have broken the rules.  But according to the tweets, Anonymous is cross that Sony caved in so easily to the GoP demands and banned the film.

“Okay, for real though. @SonyPictures is a little bitch for giving in so easily. Then again, what do you expect from Sony other than that?”

“You’re gonna let Kim Junk Uno and his minions boss you, a multimillion dollar corporation responsible for billions of dollars in revenue?”

Anonymous claims that it infiltrated Sony’s systems long before North Korea and it was going to release the film “as a Christmas present.”

“We’re not with either side, we just want to watch the movie too…and soon you too will be joining us,” the group tweeted.

 

Sony sued by former employees

sony_logo_720Sony has been sued by two former employees for failing to protect their personal data during the recent mega-hack of the company.

The former employees say the movie studio of failed to protect Social Security numbers, healthcare records, salaries and other data from computer hackers.

A proposed class action lawsuit against Sony was filed in Los Angeles. It alleges that the company failed to secure its computer network and protect confidential information.

Sony is already reeling from the disclosures in documents released by the hackers, which have exposed internal discussions to the great unwashed.

The lawsuit seeks class action status on behalf of all former and current employees of Sony in the United States whose personally identifiable information was compromised in the breach.

Sony “knew or should have known that such a security breach was likely” given a 2011 hack of its PlayStation video game network and recent data breaches at retailers, the lawsuit said.

Sony agreed to pay $15 million to  make the PlayStation case go away.  The plaintiffs are asking for compensation for any damages as well as credit monitoring services, identity theft insurance and other assistance.

Sony gets grumpy at newspapers

GodSilenceThe movie and music maker Sony has decided that the best way to stop people talking about the hack of its networks is to ask news organisations to stop reporting it.

Sony told some news organisations to stop publishing information contained in documents stolen by hackers who attacked the movie studio’s computer network last month.

The New York Times, The Hollywood Reporter and Variety published stories reporting that they had each received a letter from David Boies, a lawyer for Sony, demanding that the outlets stop reporting information contained in the documents and immediately destroy them.

The studio “does not consent to your possession, review, copying,  dissemination, publication, uploading, downloading or making any use” of the information, Boies wrote in the letter.

New York Times spokeswoman Eileen Murphy told Reuters that : “Any decisions about whether or how to use any of the information will take into account both the significance of the news and the questions of how the information emerged and who has access to it.”

The unidentified hackers have released troves of documents that include employee salaries and financial information, marketing plans and contracts with business partners. Newspapers have obtained some mileage from an exchange in which Co-Chairman Amy Pascal joked about President Barack Obama’s race.

Pascal is meeting civil rights leader Reverend Al Sharpton, whose spokeswoman says he is weighing whether to call for her resignation.

Sony co-chair says sorry for Obama emails

Obama BarackThe Sony hack is causing more collateral damage than just a few movies leaked onto the internet.

Amongst a batch of emails made public by the hackers were several racially tinged emails about President Obama’s imagined movie tastes.

The comments were made by film producer Scott Rudin in private email banter with Amy Pascal, Sony’s co-chairwoman.

Pascal was on her way to a breakfast for Obama that was organised by Jeffrey Katzenberg, chief executive of DreamWorks Animation.

“What should I ask the president at this stupid Jeffrey breakfast?” Ms. Pascal asked Rudin in an opening query. She then speculated that she might ask if Mr. Obama liked “Django Unchained,” about a former slave. Rudin countered with a suggestion about “12 Years a Slave,” while Ms. Pascal suggested other films involving African-Americans.

Rudin wrote: “Ride-along. I bet he likes Kevin Hart.” The email referred to a broad comedy, from Universal Pictures, that starred Hart and Ice Cube.

Rudin, who has been a producer of films like “Captain Phillips” and “The Social Network” for Sony, wrote a long apology on Deadline.com that “private emails between friends and colleagues written in haste and without much thought or sensitivity, even when the content of them is meant to be in jest, can result in offence where none was intended.”

“To anybody I’ve offended, I’m profoundly and deeply sorry, and I regret and apologise for any injury they might have caused… I made a series of remarks that were meant only to be funny, but in the cold light of day, they are in fact thoughtless and insensitive — and not funny at all.”

Pascal added: “The content of my emails to Scott were insensitive and inappropriate but are not an accurate reflection of who I am. Although this was a private communication that was stolen, I accept full responsibility for what I wrote and apologise to everyone who was offended.”

Another Sony executive, Clint Culpepper, used harsh language in suggesting that the studio rebuff a salary demand from Hart, who has starred in several films for the company’s Screen Gems unit, including a coming movie, “The Wedding Ringe”.

“I’m not saying he’s a whore, but he’s a whore,” Mr. Culpepper wrote.

Hart is a little upset. He wrote on his Instagram account. “I will never allow myself to be taken advantage of… I refuse to be broken.”

All these things are the sort of stuff which most corporate networks have, they just prefer they were not made public, which is exactly why the Sony hack was so embarrassing.

Sony expects to face further unauthorised disclosures in the days ahead.

 

Sony gets hacked again

wargames-hackerReports said that Sony has come under a fresh cyber attack following the break in which crippled Sony Pictures two weeks ago.

The Financial Times reported that the PlayStation store was downed earlier today for a couple of hours.

A gang that dubs itself the Lizard Squad has claimed that it is responsible for the hack – and the attack may be nothing to do with the Sony Pictures incident – blamed by some on North Korean hackers.

The Lizard Squad made a similar attack on Microsoft’s Xbox Live service last week, according to the FT.

North Korea said yesterday that it wasn’t responsible for the attack on Sony Pictures, as we reported elsewhere today.

Sony is so far unable to say whether the latest hack attack has resulted in personal or corporate information being stolen.

Syrian Electronic Army hijacks analytics

syrian-electronic-armyOnline users  visiting some websites are being shown popups and being redirected to the Syrian Electronic Army’s website as the hacker group has managed to hijack an online analytics system.

News websites such as The Independent and The Telegraph were the first to show signs of hijacking when popups started to appear for visitors. Many websites such as PC World, Forbes and Dell were later reported by users across the web to have been affected by SEA’s hack as well. Similar popups on Logitech’s website.

What appears to have happened is that the SEA hijacked the DNS of Gigya, which is an online analytics system, used to track user behaviour for marketing purposes. No personal data was taken from Gigya’s own system or the affected websites, some companies have turned off the feature while the issues are resolved.

This hijacking has given the group access to more sites to spread their messages due to the use of the Gigya platform by various outlets.

 

Medical gear hacked

hacking-medical-devicesThe US Department of Homeland Security is investigating two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment.

Under investigation is an infusion pump from Hospira , implantable heart devices from Medtronic and St Jude Medica.

There is no indication that hackers have been attacking patients through these devices, but the agency is concerned that malicious people may try to gain control of the devices remotely and create problems, such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity.

The senior DHS official said the agency is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment.

Hospira, Medtronic and St Jude Medical declined to comment on the DHS investigations. All three companies said they take cybersecurity seriously and have made changes to improve product safety, but declined to give details.

The agency started examining healthcare equipment about two years ago, when cybersecurity researchers were becoming more interested in medical devices that increasingly contained computer chips, software, wireless technology and Internet connectivity, making them more susceptible to hacking.

The US Food and Drug Administration, which regulates the sale of medical devices, recently issued  guidelines for manufacturers and healthcare providers telling them to better secure medical gear.

The DHS review does not imply the government thinks a company has done anything wrong – it means the agency is looking into a suspected vulnerability to fix it.

This is not the first time that medical gear has fallen under the security microscope. In 2007, then US Vice President Dick Cheney ordered some of the wireless features to be disabled on his defibrillator due to security concerns. Unfortunately, this was done and Cheney was not bumped off by hackers sabotaging his defibrillator.