Tag Archives: hack

People are talking about hackers ‘ransoming’ Apple — here’s what’s actually going on

If you don’t want to be hacked, don’t use the same password across different services.

And if you’re an Apple user, it’s a good idea to check your Apple ID and iCloud account today to make sure it’s using a unique and long password.

On Wednesday, a hacking group calling itself the Turkish Crime Family told Business Insider that it had about 600 million iCloud passwords it would use to reset users’ accounts on April 7.

Apple told Business Insider in a statement that if the hackers had passwords, they did not come from a breach of Apple systems:

“There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.

“We’re actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.”

It is still possible that the group has some users’ passwords. Information from several large breaches, including those of Yahoo and LinkedIn, have spread across the internet in recent years. If an Apple user has the same password and email for, say, LinkedIn and iCloud, there’s a good chance that iCloud password is already publicly available.

Here’s what you can do to protect yourself:

Turn on two-factor authentication. That means when you log in to your iCloud account you’ll be asked to send a six-digit code to your phone. It’s annoying, but it’s the best way to ensure that your account remains your own.

Don’t use the same password for multiple services. If one of your accounts is hacked or breached, hackers can essentially access all your accounts that used the same password. Make sure to use a different password for your Apple ID and your email account — here’s how to change your Apple ID password and how to check if your password may already be public.

Make sure your password is long, random, and unique. Don’t use your name, birthday, or other common words.

  • Why this matters now

    Over the past few days, the Turkish Crime Family has contacted media outlets saying it has 200 million, 250 million, 519 million, or as many as 750 million Apple ID account credentials culled from breaches of other services.

    The hacking group also said it had been in contact with Apple and was demanding $75,000 in cryptocurrency like bitcoin or $100,000 in Apple gift cards.

    If Apple did nothing, it would “face really serious server issues and customer complaints” in an attack on April 7, a member of the hacking group told Business Insider in an email. They said they were carrying out the attack in support of the Yahoo hacking suspect.

    A report from Motherboard said the group had shown the outlet an email from one of the hackers to an Apple product-security specialist that discussed the ransom demands. That email is fake, a person with knowledge of Apple’s security operations told Business Insider.

    Apple is in contact with law enforcement about the ransom demand, the person said. Apple is unsure if the group’s claims are true, but people at the company say they doubt they are.

    There are other reasons to doubt the hackers’ claims, such as their thirst for publicity and their fluid story.

    But even if the hackers are telling the truth, Apple users can protect themselves by making sure their Apple ID password is unique and hasn’t been revealed in a previous breach.

    “A breach means nothing in 2017 when you can just pull the exact same user information in smaller scales through companies that aren’t as secure,” the group purportedly said in a post on Pastebin in response to Apple’s statement.

    Best thing to do to insure this does not happen to you is “Change Your Passwords”


Hackers take Remote Control of Tesla’s Brakes and Door locks from 12 Miles Away


Next time when you find yourself hooked up behind the wheel, make sure your car is actually in your control.

Hackers can remotely hijack your car and even control its brakes from 12 miles away.

Today many automobiles companies have been offering vehicles with the majority of functions electronically controlled, from instrument cluster to steering, brakes, and accelerator.

These auto-control electronic systems not only improve your driving experience but at the same time also increase the risk of getting hacked.

The most recent car hacking has been performed on Tesla Model S by a team of security researchers from Keen Security Lab, demonstrating how they were able to hijack the Tesla car by exploiting multiple flaws in the latest models running the most recent software.

The team said the hacks worked on multiple models of Tesla and believed they would work across all marques.

“We have discovered multiple security vulnerabilities and successfully implemented remote, aka none physical contact, control on Tesla Model S in both Parking and Driving Mode,” Keen writes in a blog post. “We used an unmodified car with the latest firmware to demonstrate the attack.”
“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars.”

In a YouTube video, the team of Chinese researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated how it could remotely take control of a Tesla’s brakes and apply the brakes from 12 miles away by compromising the CAN bus that controls many vehicle systems in the car.

The researchers were also able to remotely unlock the door of the car, take over control of the dashboard computer screen, open the boot, move the seats and activate the indicators and windscreen wipers, as well as fold in the wing mirrors while the vehicle was in motion.

The hack requires the car to be connected to a malicious WiFi hotspot and is only triggered when the car’s web browser is used.

The team demonstrated the hacks against a Tesla Model S P85 and Model 75D and said its attacks would work on multiple Tesla models. It was able to compromise the Tesla cars in both parking and driving modes at slow speed in a car park.

Tesla Releases Firmware v7.1 (2.36.31) To Patch It

“Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.”

Thankfully, the vulnerabilities were privately disclosed to Tesla and the company addressed the issues worldwide with an over-the-air software update.

The Keen team said it is Tesla’s “proactive attitude” towards its vulnerability report that made the fix available to its customers within ten days when other automakers required much time and more complex procedures to update vehicles following the major bug exposures.

The team has planned to release details of its hacks in coming days, Keen said on Twitter.



Beware! Your iPhone Can Be Hacked Remotely With Just A Message

In Brief
Do you own an iPhone? Mac? Or any Apple device?
Just one specially-crafted message can expose your personal information, including your authentication credentials stored in your device’s memory, to a hacker.
The vulnerability is quite similar to the Stagefright vulnerabilities, discovered a year ago in Android, that allowed hackers to silently spy on almost a Billion phones with just one specially-crafted text message.

Cisco Talos senior researcher Tyler Bohan, who discovered this critical Stagefright-type bug in iOS, described the flaw as “an extremely critical bug, comparable to the Android Stagefright as far as exposure goes.”

The critical bug (CVE-2016-4631) actually resides in ImageIO – API used to handle image data – and works across all widely-used Apple operating systems, including Mac OS X, tvOS, and watchOS.

All an attacker needs to do is create an exploit for the bug and send it via a multimedia message (MMS) or iMessage inside a Tagged Image File Format (TIFF).

Once the message received on the victim’s device, the hack would launch.

“The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism, so I can send the exploit today and you will receive it whenever your phone is online,” Bohan quoted as saying by Forbes.

The attack could also be delivered through Safari web browser. For this, the attacker needs to trick the victim into visiting a website that contains the malicious payload.

In both the cases, no explicit user interaction would be required to launch the attack since many applications (like iMessage) automatically attempt to render images when they are received in their default configurations.

It is quite difficult for the victim to detect the attack, which if executed, could leak victims’ authentication credentials stored in memory such as Wi-Fi passwords, website credentials, and email logins, to the attacker.

Since iOS include sandbox protection to prevent hackers exploiting one part of the OS to control the whole thing, a hacker would require a further iOS jailbreak or root exploit to take total control of the complete iPhone.

However, Mac OS X does not have sandbox protection that could allow an attacker to access the Mac computer remotely with the victim’s passwords, potentially making users of Apple’s PCs completely vulnerable to the attack.

Apple has patched this critical issue in iOS version 9.3.3, along with patches for other 42 vulnerabilities, including memory corruption bugs in iOS’ CoreGraphics that helps render 2D graphics across those OSes, according to Apple’s advisory.

Apple also addressed serious security vulnerabilities in FaceTime on both iOS and OS X platforms, allowing anyone on the same WiFi network as a user to eavesdrop on the audio transmission from FaceTime calls even after the user had ended the call.

“An attacker in a privileged network position [could] cause a relayed call to continue transmitting audio while appearing as if the call terminated,” reads Apple description.

The FaceTime vulnerability (CVE-2016-4635) was discovered and reported by Martin Vigo, a security engineer at Salesforce.

So users are advised to patch their devices as it would not take enough time for bad actors to take advantage of the vulnerabilities, which are now known.

Obama’s Call for Encryption ‘Compromise’ Is Hypocritical


Image: screengrab

During his keynote speech at South By Southwest, President Barack Obama addressed the ongoing debate over encryption. Although he declined to discuss the specifics of the San Bernardino case, in which Apple is currently fighting a court order to hack its own device, the president spoke in more general terms about privacy and security. Obama joined several other political figures in calling for the tech industry to enable expanded law enforcement access to encrypted data.

Obama also advocated for the use of encryption by the government, saying that the technology is crucial to preventing terrorism and protecting the financial and air traffic control systems. But the president argued argued that ordinary citizens also need to expect some intrusion into their phones in order to ensure a safe society. Obama compared the weakening of encryption to going through security at the airport—an intrusive process, but a necessary sacrifice for citizens to make. (Obama’s own devices are, of course, secured with strong encryption.) In his speech, Obama said:

So we’ve got two values, both of which are important. And the question we now have to ask is, if technologically it is possible to make an impenetrable device or system where the encryption is so strong that there’s no key. There’s no door at all. Then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot? What mechanisms do we have available to even do simple things like tax enforcement? Because if, in fact, you can’t crack that at all, government can’t get in, then everybody’s walking around with a Swiss bank account in their pocket. So there has to be some concession to the need to be able get into that information somehow.

Obama said the tech community should “balance these respective risks,” suggesting that the industry had not been proactive enough in compromising on encryption and that, if it failed to compromise, it risks being cut out of the conversation entirely by Congress. “I’m confident that this is something we can solve, but we’re going to need the tech community, software designers, people who care deeply about this stuff, to help us solve it,” Obama said. He added:

Because what will happen is, if everybody goes to their respective corners, and the tech community says, ‘You know what, either we have strong perfect encryption, or else it’s Big Brother and Orwellian world,’ what you’ll find is that after something really bad happens, the politics of this will swing and it will become sloppy and rushed and it will go through Congress in ways that have not been thought through. And then you really will have dangers to our civil liberties, because the people who understand this best and who care most about privacy and civil liberties have disengaged, or have taken a position that is not sustainable for the general public as a whole over time.

In Obama’s telling, the tech industry is painted as a spoiled child who runs back to his corner and disengages with the debate, snatching up his toys and taking them back to his mansion when he realizes he doesn’t like the way the game is being played. It’s a compelling image, and one that the industry, which is widely perceived as elitist and uninclusive, will have a tough time combatting.

But the industry has compromised on this issue, collaborating with law enforcement to provide access to data for criminal prosecutions. In the San Bernardino case, Apple has provided access to iCloud backups of the shooter’s phone and offered suggestions on how to create additional backups before it was revealed that the shooter’s iCloud password had been reset at the behest of the FBI.

Tech companies also routinely provide unencrypted metadata to law enforcement, which can provide a detailed portrait of a suspect’s life: where he’s been, where he is currently, who he communicates with, how regularly he communicates with others and how long the conversations last.

The government also wields a powerful investigative tool in CALEA (the Communications Assistance for Law Enforcement Act). CALEA compels service providers like AT&T and Verizon to build backdoors into their systems to allow for real-time monitoring of suspects by law enforcement.

Yet another instance of compromise is Apple’s encryption of iCloud. As security expert Jonathan Zdziarski pointed out in post on his blog, iCloud offers an example of the type of “warrant-friendly” encryption that Obama called for in his SXSW keynote.

“I suspect that the answer is going to come down to how do we create a system where the encryption is as strong as possible. The key is as secure as possible. It is accessible by the smallest number of people possible for a subset of issues that we agree are important,” Obama said. His suggestion for solving the encryption debate mirrors the solution Apple has already developed for securing iCloud data: that data is encrypted, but Apple maintains access so that it can comply with warrants.

But, Zdziarski notes, the 2014 hack of celebrities’ iCloud accounts illustrates the dangers of “compromise” encryption.

“The iCloud’s design for ‘warrant friendliness’ is precisely why the security of the system was also weak enough to allow hackers to break into these women’s accounts and steal all of their most private information,” Zdziarski wrote. “The data stored in iCloud is stored in a weaker way that allows Apple to service law enforcement requests, and as direct result of this, hackers not only could get into the same data, but did. And they did it using a pirated copy of a law enforcement tool—Elcomsoft Phone Breaker.”

Obama mentioned this particular concern in his speech. “Now, what folks who are on the encryption side will argue, is any key, whatsoever, even if it starts off as just being directed at one device, could end up being used on every device. That’s just the nature of these systems,” he said. “That is a technical question. I am not a software engineer. It is, I think, technically true, but I think it can be overstated.”

Obama is right—it’s technically true that any key can end up being used on every device.

The president isn’t the only politician to call for compromise on encryption and he certainly won’t be the last, but what the FBI is asking for in the San Bernardino case (and beyond it) isn’t compromise—it’s total compliance. Compromise suggests that tech companies and law enforcement agencies will meet in the middle, each conceding some of their demands in order to find common ground. The industry has made an effort to do so by providing metadata, real-time surveillance, and data backups to law enforcement.

But Obama’s comments suggest that none of this information is enough—encryption needs to be completely backdoored in order for there to be “compromise.” If the government refuses to acknowledge the concessions that have been made and continues to demand universal access to encrypted data while clinging onto strong encryption for itself, there is no compromise at all. It’s just the government getting exactly what it wants, snatching up all its toys and heading back to its mansion.