Steam hacked

Valve has just recently confirmed that Steam has been hacked. The extent of damage done is unknown at the moment, however “The company is certain the hackers gained access to a database with this encrypted information, but don’t know if they took it or will be able to crack its encryption.”

The breach supposedly happened when Steam forums were taken offline due to some vandalization by a website named “fkn0wned”. The database that the hackers had access to contained “information such as user names, hashed and salted passwords, game purchases, e-mail addresses, billing addresses and encrypted credit card information”.

All we can hope now is that the hackers didn’t steal any sensitive personal information. And maybe this will teach a lesson to everyone that no company (including tech companies) is completely protected from hacks because one of the largest gaming industries just got hit hard. And to all the gamers out there, be sure to think of this breach when buying any new games (like Skyrim and Modern Warfare 3).

http://arstechnica.com/gaming/news/2011/11/valve-confirms-steam-hack-credit-cards-personal-info-may-be-stolen.ars

Security researcher removed from Apple’s developer program

Charlie Miller, a security researcher that worked with Apple’s developer program, recently lost his license with working with Apple for creating an app that showed that unapproved code could run on iPads and iPhones. “Miller had, admittedly, created a proof-of-concept application to demonstrate his security exploit, and even gotten Apple to approve it for distribution in Apple’s App Store by hiding it inside a fake stock ticker program, a trick that Apple wrote violated the developer agreement that forbid him to ‘hide, misrepresent or obscure’ any part of his app.” According to this article company, Apple used Miller as an example to send a message to all malicious hackers and security researchers alike- stay away from the App Store.

Miller states- “I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.” Apple is definitely hurting their security here.They should be thanking anyone who finds a bug and reports it to them rather than actually using the exploit. Miller has found and reported dozens of bugs to Apple for years and, out of nowhere, they just revoke his license for a harmless exploitative app.

I feel like Apple went a bit overboard with the threat message to hackers. In my opinion, Apple exaggerated the severity of this harmless demo app when much worse has happened. Apparently an actual hacker had repeatedly invented new techniques of breaking the iPhone’s and iPad’s security measures and, rather than pressing charging against him, they hired him. Miller, again, states: “[Apple] went out of their way to let researchers in, and now they’re kicking me out for doing research… I didn’t have to report this bug. Some bad guy could have found it instead and developed real malware.”

http://www.forbes.com/sites/andygreenberg/2011/11/07/apple-exiles-a-security-researcher-from-its-developer-program-for-proof-of-concept-exploit-app/

The Gaddafi Virus?

A recent discovery has found that a global computer virus is hiding in the photos of Gaddafi’s death. This virus was detected by Internet Security firm, Sophos. Hackers are sending out spam emails that had pictures of Gaddafi’s body and when the user downloaded the picture, it would install malware onto their machine. The hackers appear to be imitating an official email from newswire service AFP. This is the email:

Subject: “Fw: AFP Photo News: Bloody Photos: Libya dictator Moammar Gadhafi’s Death”
Message body:
“Libya dictator Moammar Gadhafi’s Death
Libyan dictator Moammar Gadhafi, the most wanted man in the world, has been killed, the country’s rebel government claimed Oct. 20. The flamboyant tyrant who terrorized his country and much of the world during his 42 years of despotic rule was cornered by insurgents in the town of Sirte, where Gadhafi had been born and a stronghold of his supporters.”

People are just too interested to ignore the chance of interesting information. So the hacker(s) who came up with this fake email/pictures are actually being quite successful. It seems that hackers will use literally anything to get information from people, which just makes them look pathetic and desperate.

http://www.huffingtonpost.co.uk/2011/10/21/global-computer-virus-hid_n_1023590.html?ref=cybersecurity

Massive hack affects 760 major companies

A massive cyber attack that exploited a vulnerability in RSA’s SecurID tags occured earlier this year may have also victimized other big-named companies. According to this article, 760 organizations were affected by this hack on the RSA. Companies such as Amazon, IBM, Intel, Yahoo, Cisco, Google, Facebook, and Microsoft were victimized by this attack. Government agencies were affect as well, like the European Space Agency, the IRS, and the General Services Administration.

“The list [of affected companies] is the first glimpse into the pervasiveness of the attack that brought RSA to its knees. Those in the security industry have long suspected that RSA was not the hack’s only victim, but no other companies have been willing to talk publicly about whether they had also been compromised…The list of affected companies was obtained from a breached ‘command and control’ server, the name for a machine that hackers use to direct the fleets of compromised PCs that they have gained control over.”

It is unclear how far the hackers were able to penetrate each compromised business’ systems. But the RSA definitely got in huge trouble for not catching this vulnerability earlier. The hackers used a breached server to plant malware that gave them access to RSA’s systems. Certain companies that were willing to talk about the hack, like Microsoft and Wells Fargo, said they haven’t seen any evidence of attacks on their systems. Experts say that companies should still be concerned even though they haven’t actually been attacked. We have yet to see if the affected companies that  will be further attacked by this large hack.

http://money.cnn.com/2011/10/27/technology/rsa_hack_widespread/index.htm

Newest supercomputer (made in China)…

China has recently created a purely Chinese supercomputer called the “Sunway BlueLight MPP supercomputer” which uses less power than any supercomputer in the world. The Sunway BlueLight MMP produces one petaflop of processing power while only using one megawatt of power. This supercomputer consists of “a total of 8,700 ShenWei SW1600 processors that feature 16 cores apiece. Combined with an advanced water-cooling system – the specific details of which are currently unknown – the supercomputer is expected to reach a total processing power of around one petaflop.”

This is a major achievement for China because while the specs of this supercomputer will place the Sunway BlueLight MMP supercomputer in the top-20 of the worlds fastest supercomputers, it is the most efficient supercomputer based on the power consumption. One of China’s other supercomputers, “Tianhe-1A”, was the worlds fastest supercomputer at the time of its released, with a processing speed of 2.5-petaflops and using 4.04 metawatts of power. The Tianhe-1A supercomputer was built using chips from both Intel and Nvidia, while the Sunway BlueLight MMP was built purely Chinese-based products. “The fastest U.S. supercomputer at the moment – Jaguar – eats up about seven megawatts to output roughly 1.7 petaflops of processing performance.”

This power-saving, cooling, and petaflop performance in key to reach the next world achievement. There is now an international race to hit an exaflop, aka one thousand petaflops, within the next decade. This will process “a thousand trillion calculations per second, we note”. China believes it will achieve this by 2020. The US estimates it will reach this goal by upgrading its Jaguar into – soon-to-be “Titan” – by 2019. And Europe expects to reach its exaflop around the same time.

http://www.pcmag.com/article2/0,2817,2395554,00.asp#fbid=nhhPXTm9pgQ

How often Facebook is attacked and how effective hackers are

A recent UK article has estimated that Facebook gets about 600,000 attacks daily by hackers all over the world. They do it by gaining/stealing user names and passwords. They then use these to log onto the victim’s account and sending malicious links to their friends, family, and coworkers. And usually after that, they get even more accounts to hack into because the friends, family, or coworkers had given the hacker even more accounts to hack into. Hackers also try brute forcing into accounts as well, finding out a person’s username and trying thousands of different passwords to break into their account as proven successful apparently. Another way hackers gain even more information is by phishing; if they find out someone’s email, they can send that person several phishing emails to try to get the victim to provide the hacker with their Facebook credentials.

Even Facebook’s newest security technique “Trusted Friends” password restoration is failing to hackers. This security feature makes users identify their friends rather than asking them personal questions when they log-on from a new device, but even this technique seems to be flawed. “Many of the hackers are caught out by additional authentication questions, such as asking users to identify friends in pictures, but many attempts are [still] successful.”

But while Facebook is getting pounded thousands of attacks daily, this gives us something to be proud of. The fact that we are able to stop at least 600,000 attacks against Facebook accounts is still somewhat impressive because if hackers were successfully hacking that many account daily, the Facebook community would have died out a long time ago. So, obviously, Facebook and other security companies are doing something right.

http://www.dailymail.co.uk/sciencetech/article-2054994/Facebook-hackers-attempting-crack-600-000-accounts-day.html?ITO=1490

Can court force you to decrypt self-incriminating information?

A few months ago, a woman named Ramona Fricosu was charged with fraudulent real estate transactions in a mortgage scam. Police confiscated a laptop they found in her bedroom and believed there was potentially incriminating evidence residing in encrypted files.

Courts can certainly raid your computer and search it for evidence of criminal activity; they can force you to open encrypted files if you’re a suspected terrorist (stated by The Patriot Act); but if you plead the Fifth, they may not be able to make you give them passwords for encrypted data, or can they?

Because the police were unable to access the encrypted data, they needed Fricosu to enter the passwords to give them access. Fricosu’s attorney, Philip Dubois, insisted that “she can’t be constitutionally obligated to help the government open files that may be self-incrimination. In essence, she has a right to plead the Fifth.” The Electronic Frontier Foundation (EFF- an organization that defends people’s digital rights) agreed.

Hanni Fakhoury, staff attorney at the Electionic Fraontier Foundation, stated “If the government had the computer and it was not encrypted, they would have the right to it under lawful possession, they have the right to search it. They can’t break into the computer, so they want to force her to break into it. They can’t force you to give up the evidence necessary to incriminate you. Forcing her to de-encrypt it would do that.”

While this case got the EFF’s support behind it, not all access to evidence that is potentially self-incriminating is protected by the Fifth Amendment. Sometimes the degree of self-incrimination is defined by the defendant and sometimes the defendant has no rights under the Fifth at all. So what do you think- should the government have the right to force people to provide passwords for encrypted data that may be self-incriminating?

There is no longer a need to hide your kids and your wife

Are you worried about a rapist climbin’ in your windows and snatching your people up? Well worry no longer, this article lists several phone apps that can keep those “really dumb” rapists away (“fo real”).

The first app listed is the “BullGaurd Mobile Security” app. This app enables parents to monitor their child’s internet activity, track where they are, and provide anti-virus protection for their phones. This can be extremely beneficial for parents because they can also blacklist any unwanted contacts and websites from the phone. And if the child happens to lose his/her phone, the guardian will be able to remotely lock and wipe out the device data; the data is also stored on a server, so the parent can still recover all the contacts onto a new phone.

The second app is called “Glympse” and is basically a shared calendar between multiple phones. This is useful for families because all the family can coordinate drop-off,pick-up, and meet-up times and locations easily. This app also shows the GPS location for each member of the group, so the parents can make sure their child successfully got to school or wherever safely.

The last app sponsored by Fox is “iChildAlert”. This app is just a back up plan in case a child is to go missing. Before the child goes missing, a parent can enter an up-to-date picture of their kid and all the information about him/her. Then, when the child goes missing, the parents can conveniently use this app to send this information to the police, neighbors, and social networks. Using this app ahead of time will also allow the parent to create an iChildAlert Poster to print out (which can be physically posted around the city). Whats also interesting is that this app can also store the kid’s fingerprints and dental x-rays for more information for the police.

With these apps, even Antoine Dodson can feel safe in Lincoln Park. But in all seriousness, these apps can really protect a child and other family members. It’s these kinds of apps that will save hundreds of lives in the future.

http://www.foxnews.com/scitech/2011/10/07/protect-your-kids-with-these-cybersecurity-apps/

How long phone carriers retain your information

The Department of Justice (DoJ) has recently released a document that informed the public about how much information phone carriers keep stored and for how long. All major phone companies keep people’s cell phone information for security and data analysis. Cell phones are “a window into what information would be available from any given company to law enforcement agencies looking to track suspects or confirm alibis using phone records, tracking devices, Web-browsing habits or past text messages.” Police uses this key information to catch cyber criminals or other illicit activity.

Although phone companies have clearly stated that they keep personal information take from cell phones for several years, the amount of data and length of time is new information for their customers. Verizon keeps a list of who a customer has shared text messages with for one year, Sprint- 18 months, T-Mobile- 5 years, and AT&T- 7 years. However, although Verizon keeps this information the shortest time, they also keep the content of the messages for 5 days where the other providers just have records of which contacts the messages went to.

“Cell-site data”, aka tracking information, is also newly released information by the DoJ. This type of data lists a phone’s connection to what websites it has been to and what other connections it’s made. Companies were less clear about how long they keep this kind of data because this is what authorities use to find cyber criminals. Verizon states that it keeps cell-site data for a one-year “rolling” basis, T-Mobile says it retains it for “a year or more”, Sprint stores it for up to 2 years, and AT&T- indefinitely.

Because these companies have publicly announced that they store this much data, they are now a huge target to hackers. It is just a matter of time before one of these companies are hacked because of all this announced information. It is extremely important to limit the amount of data you put on your phone- especially smart phones which have access to email accounts, banks accounts, social networking accounts, etc. A phone with just a bunch of numbers is a lot less valuable than a phone with saved bank information.

http://www.technewsworld.com/story/73400.html

Smart phones AND security?!?! Good joke…

Smart phones can do amazing things- access the internet, unlock and turn on cars, manage bank accounts, change who has access to devices such as printers and servers, etc, etc. With all these available tools for smart phones, there has to be great security on them right? Haha, wrong… Smart phones are extremely vulnerable to viruses almost just as much as regular computers; not to mention they generally have no anti-virus scanners on them.

Smart phones are now becoming huge threats to security because of what they can do 400 miles away from the actual target. If a hacker was to gain access to just a simple printer, they could make the printer inaccessible to users or even read what documents were printed. That is just a printer; now imagine what would happen if an admin from a bank lost his smart phone and he had his email and bank account available on his phone… This type of access to devices poses a threat to all companies that allow their employees to enable devices on their smart phones (even though it makes their jobs much easier to manage).

While there is not a huge probability that your phone will get hacked, there is definitely a possibility. The bigger problem is that you will lose your phone. Imagine you did. What’s on your smart phone? Perhaps access to your Facebook account, bank account, your token authenticator to login to websites, your email account, your contacts…?

According to this article, we should all just be careful of what devices we enable smart phones, what websites we visit, and obviously where we leave our phones. Other than that, we can just hope that smart phone vendors improve the security on their phones.

http://www.technewsworld.com/story/73338.html