The Hacker News

Mise à jour

Mise à jour de la base de données, veuillez patienter...

Linux Foundation Launches 'Zephyr', a tiny OS for Internet of Things

samedi 20 février 2016 à 08:42

The 21st century is witnessing a great change over in the daily life of folks with the advent of IoT devices that are capable of talking to each other without any human intervention. Yeah! Now you do not have to individually cascade an instruction to each of your home devices to accomplish a task. All have gone automated with the actuators and sensors which are infused into the home

Now We Know — Apple Can Unlock iPhones, Here's How to Hack-Proof your Device

vendredi 19 février 2016 à 13:24

Here's How to Hack-Proof your iOS Device fro Unlock iPhone

Apple has been asked to comply with a federal court order to help the FBI unlock an iPhone 5C by one of the terrorists in the San Bernardino mass shootings that killed 14 and injured 24 in December.

The FBI knows that it can not bypass the encryption on the iPhone, but it very well knows that Apple can make a way out that could help them try more than 10 PINs on the dead shooter's iPhone without getting the device's data self-destructed.

Although Apple refused to comply with the court order and has always claimed its inability to unlock phones anymore, the FBI so cleverly proved that Apple does have a technical way to help feds access data on a locked iOS device.

And this is the first time when Apple has not denied that it can not unlock iPhones, rather it simply refused to build the FBI a Backdoor for the iPhone, in an attempt to maintain its users trust.

So, now we know that Apple is not doing so, but it has the ability to do so.

Now, when you know there are chances that your unlocked iPhone can be accessed by the government even if you have enabled "Auto-Destruct Mode" security feature on your device, you need to protect your iPhone beyond just 4/6-digit passcode.

How to Hack-Proof your iPhone?

Yes, it is possible for you to protect yourself from government snooping just by setting a strong passcode on your iPhone — passcode that the FBI or any government agency would not be able to crack even if they get iPhone backdoor from Apple.

Without wasting much of your time, here's one simple solution:

Simply Set at least random 11-digit numeric passcode for your iPhone.

Here's why (FBI Can't Crack It):

There is only one way, i.e. Brute Force attack, to crack your iPhone passcode. This is what the FBI is demanding from Apple to create a special version of iOS that increases the brute force attempts and ignores the data erasure setting.

iPhones intentionally encrypt its device's data in such a way that one attempt takes about 80 milliseconds, according to Apple.

So, if your iPhone is using a 6-digit passcode and there are 1 Million possible combinations as a whole, it would take maximum time of 22 hours or on average 11 hours to successfully unlock iPhone.

However, if you are using a longer passcode such as a random 11-digit passcode, it will take up to 253 years, and on average 127 years to unlock iPhone.

Doing so will make the FBI or any other agency unable to unlock your iPhone; not unless they have hundreds of years to spare.

To set a strong passcode, click 'Passcode options,' select 'Custom numeric code,' and then enter your new but random passcode.

Things to Avoid While Setting a Passcode

1. Do Not Use a Predictable Passcode: Avoid choosing a predictable string such as your birth dates, phone numbers, or social security numbers, as these are first priorities of attackers to try.

2. Do Not Use iCloud Backups: Avoid using an iCloud backup because doing so will enable the attacker to get a copy of all your iPhone’s data from Apple’s server, where your passcode no longer protects it. This will eliminate the need to guess your passcode.

3. Do Not Use Your Fingerprint: We have seen data breaches that had exposed fingerprints online and also, it is easy to bypass Apple Touch ID Fingerprint scanner. Even fingerprints can be collected from a suspect's corpse. So, using fingerprint security feature could also end up unlocking your iPhone in less time.

So, by choosing a strong passcode, the FBI or any other agency will not be able to unlock your encrypted iPhone, even if they install a vulnerable version of iOS on it.

Warning: You need to remember your passcode, whatever you set, because no one except you would be able to unlock your iPhone. Once you forgot your passcode, there is nothing you can do to get your important data and even access to your iPhone back.

15-year-old Teenage Hacker Arrested Over FBI Computer Hack

vendredi 19 février 2016 à 12:18

15-year-old British Hacker Arrested Over FBI Computer Hack

Another 15-year-old teenager got arrested from the land of cakes, Scotland, by British Police for breaking into the FBI Systems on 16th February.

Under the Britain’s anti-hacking law, Computer Misuse Act 1990, the boy has been arrested for his role in hacking and unauthorized access to the digital material.

Federal Agents had fled to Glasgow in an attempt to carry out a raid on his home before proceeding with the boy's arrest.

"He has since been released and is the subject of a report to the procurator fiscal," a Police Spokesman told a Scottish journal.

As with the present scenario, reports say that the boy could be extradited to the United States to face the Intrusion and hacking charges.

Second Member of the Hacking Group Arrested

The suspect is believed to be an active member of the notorious hacking group called "Crackas with Attitude" aka "CWA", Motherboard confirms.

Another member of the same group got arrested from the United Kingdom last week. The 16-year-old British teenager was suspected of hacking into the CIA and the FBI confidential.

The hacktivist group "Cracka with Attitude" is behind a series of hacks on the United States government and its high-level officials, including:

Leaked the personal and sensitive details of tens of thousands of FBI agents and the US Department of Homeland Security (DHS) employees.
Hacked into AOL emails of CIA director John Brennan.
Hacked into the personal phone accounts and emails of the US spy chief James Clapper.
Broke into AOL emails of the FBI Deputy Director Mark Giuliano.

Last Member of Hacking Group Left

Additionally, it is assumed that only one more member (with a pseudonym "Thwarting Exploits") has been left in the CWA group to get busted, as this got evident from his tweet finalizing the fact that it is a the third member of the group.

Nowadays, the amateurish approach of teenage hackers are hunting down the world's greatest Crime solvers such as FBI and CIA.

The busted cyber criminals are liable to spend their rest of the life behind bars. The cyber laws are strict enough; that it would eat up your whole life years and even beyond your lifetime sometimes.

How Just Opening an MS Word Doc Can Hijack Every File On Your System

vendredi 19 février 2016 à 09:37

If you receive a mail masquerading as a company's invoice and containing a Microsoft Word file, think twice before clicking on it.

Doing so could cripple your system and could lead to a catastrophic destruction.

Hackers are believed to be carrying out social engineering hoaxes by adopting eye-catching subjects in the spam emails and compromised websites to lure the victims into installing a deadly ransomware, dubbed "Locky," into their systems.

So if you find .locky extension files on your network shares, Congratulations! You are infected and left with just two solutions: Rebuild your PC from scratch or Pay the ransom.

Locky ransomware is spreading at the rate of 4000 new infections per hour, which means approximately 100,000 new infections per day.

Microsoft MACROS are Back

It is hard to digest the fact that, in this 2016, even a single MS Word document could compromise your system by enabling 'Macros.'

This is where the point to appreciate hacker's sheer brilliance of tactics.

Locky ransomware is being distributed via Microsoft 365 or Outlook in the form of an Invoice email attachment (Word File that embeds vicious macro functions).

The concept of macros dates back to 1990s. You must be familiar with this message: "Warning: This document contains macros."

Now macros are back, as cyber criminals discover a new way to get internet users to open Microsoft Office documents, especially Word files that allow macros to run automatically.

How Does Locky Work?

Once a user opens a malicious Word document, the doc file gets downloaded to its system. However, danger comes in when the user opens the file and found the content scrambled and a popup that states "enable macros".

Here comes the bad part:

Once the victim enables the macro (malicious), he/she would download an executable from a remote server and run it.
This executable is nothing but the Locky Ransomware that, when started, will begin to encrypt all the files on your computer as well as network.

Locky ransomware affects nearly all file formats and encrypts all the files and replace the filename with .locky extension.

Once encrypted, the ransomware malware displays a message that instructs infected victims to download TOR and visit the attacker's website for further instructions and payments.

Locky ransomware asks victims to pay between 0.5 and 2 Bitcoins ($208 to $800) in order to get the decryption key.

One of the interesting note on Locky is that it is being translated into many languages, which heighten its attack beyond English boundaries to maximize the digital casualties.

Locky Encrypts Even Your Network-Based Backup Files

The new ransomware also has the capability to encrypt your network-based backup files. So it's time for you to keep you sensitive and important files in a third party storage as a backup plan in order to evade future-ransomware infections.

A researcher named Kevin Beaumont along with Larry Abrahms of BleepingComputer initially discovered the existence of Locky encrypted virus.

To check the impact of Locky, Kevin successfully intercepted the Locky traffic yesterday and realized that the cryptovirus is spreading out rapidly in the wild.

"I estimate by the end of the day well over 100,000 new endpoints will be infected with Locky, making this a genuine major cybersecurity incident — 3 days in, approximately a quarter of Million PCs will be infected," Kevin said in a blog post.

One hour of infection Statistics:

Among the highly impacted countries include Germany, Netherlands, United States, Croatia, Mali, Saudi Arabia, Mexico, Poland, Argentina and Serbia.

Using SimpliSafe Home Security? — You're Screwed! It's Easy to Hack & Can't be Patched

jeudi 18 février 2016 à 11:44

If you are using a SimpliSafe wireless home alarm system to improve your home security smartly, just throw it up and buy a new one. It is useless.

The so-called 'Smart' Technology, which is designed to make your Home Safer, is actually opening your house doors for hackers. The latest in this field is SimpliSafe Alarm.

SimpliSafe wireless home alarm systems – used by more than 300,000 customers in the United States – are Hell Easy to Hack, allowing an attacker to easily gain full access to the alarm and disable the security system, facilitating unauthorized intrusions and thefts.

…and the most interesting reality is: You Can Not Patch it!

As the Internet of Things (IoT) is growing at a great pace, it continues to widen the attack surface at the same time.

Just last month, a similar hack was discovered in Ring – a Smart doorbell that connects to the user's home WiFi network – that allowed researchers to hack WiFi password of the home user.

How to Hack SimpliSafe Alarms?

According to the senior security consultant at IOActive Andrew Zonenberg, who discovered this weakness, anyone with basic hardware and software, between $50 and $250, can harvest alarm's PIN and turn alarm OFF at a distance of up to 200 yards (30 meters) away.

Since SimpliSafe Alarm uses unencrypted communications over the air, thief loitering near a home with some radio equipment could sniff the unencrypted PIN messages transferred from a keypad to the alarm control box when the house owner deactivates the alarm.

The attacker then records the PIN code on the microcontroller board's memory (RAM) and later replay this PIN code to disable the compromised alarm and carry out burglaries when the owners are out of their homes.

Moreover, the attacker could also send spoofed sensor readings, like the back door closed, in an attempt to fool alarm into thinking no break-in is happening.

Video Demonstration of the Hack

You can watch the video demonstration that shows the hack in work:

"Unfortunately, there's no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening," Zonenberg explains.

Here's Why Your Smart Alarms are Unpatchable

Besides using the unencrypted channel, SimpliSafe also installs a one-time programmable chip in its wireless home alarm, leaving no option for an over-the-air update.

"Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol," Zonenberg adds. But, "this isn't an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable."

This means there is no patch coming to your SimpliSafe Alarm, leaving you as well as over 300,000 homeowners without a solution other than to stop using SimpliSafe alarms and buy another wireless alarm systems.

Zonenberg said he has already contacted Boston-based smart alarm provider several times since September 2015, but the manufacturer has not yet responded to this issue. So, he finally reported the issue to US-CERT.