iCloud Hacked: Celebrity Photos Leaked to the World

On August 31 approximately 200 private pictures of various celebrities were posted to 4chan.  Users of 4chan spread the pictures to other social networks and websites such as Imgur, Reddit, and Tumblr. McKayla Maroney, the Olympic gold medalist is among the group of people who had their photos released to the public.  The pictures released of her are underage.  That is classified as possession and distribution of child pornography.  Twitter user @IgnacioGordo tweeted a link featuring a countdown clock that threatens to release photos of Emma Watson and at the bottom of the page it states, “Never forget, the biggest to come thus far.”  Apple’s iCloud service is believed to have been breached and that is how the hackers acquired personal videos and photos.  Apple later confirmed that the hackers gathered the photos from iCloud and reassured that the service itself is not vulnerable.  Very targeted attacks were used to steal account information such as passwords.  The gathered information along with time allowed the hackers to break in.  Apple has stated that they are working with the FBI to locate and charge those responsible for the leak.

Cross-Site Scripting at ebay.co.uk

Recently a cross-site scripting vulnerability at ebay.co.uk left users susceptible to an attack that attempted to steal their credentials when clicking on links within a listing offering. For such a big corporation to not be blocking this type of vulnerabilities is really appalling to some security experts as this is not a new type of vulnerability.

The XSS attack used JavaScript embedded within the listing, and if the user clicked on the malicious link and the script was able to execute (e.g. the user wasn’t using NoScript for example) it would redirect them to a site that looks like eBay requesting their login information. The site of course was a fake setup to harvest user credentials.

The BBC reports that it found at least three separate listings using the malicious JavaScript. Furthermore, it took eBay approximately 12 hours to take down the pages after first being alerted of the problem by one user. The number of affected users is undetermined but given the response time one might assume that the number could be quite high.

Source: http://www.databreachtoday.com/ebay-stumbles-over-old-school-attack-a-7333/op-1

iPhone ATM PIN code hack

There is now a way from people to steal your ATM PIN code. All it takes is a add on to your phone. What this add on does is that it makes your camera on your phone inferred. This means that you can now see the heat signature’s of things through your camera. How this is a problem is that after someone types their PIN in a ATM if you walk up and take a picture of the keypad with this inferred camera you can see what keys they pressed before they left. You can also tell for the most part in what order the keys where pressed by how bright the color that is left. There is only 2 ways that you can protect yourself from this. One thing that would make this difficult would be if the PIN had the same number in it 2 or more times. The other would be rub you hand on the keypad after you are done putting in you PIN so that the heat of your hand would get on all of the keys making it impossible to know which ones you really used. There is a 80% accuracy if the image was taken right after the PIN was typed in. After 1 minute there is about a 50% of getting the PIN right. The case that has the infrared camera on it is only about 200$ and you can get it at any Apple store. Also this does not work on metal keypads because it reflects and dissipates the heat to fast. Rubber and plastic keypads work the best for retaining the heat signature.

Clickjacking

Clickjaking seems to be going on a lot lately, you may have heard of it with the whole Facebook attack going on right now. Many people are victims of Clickjacking attacks, and its a hard attack to detect them. Many times it happens in the background without the user ever knowing. So what is Clickjacking? Well just check Wikipedia its a good enough description. http://en.wikipedia.org/wiki/Clickjacking

Simply put by wired.com

Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.

Wired.com also had a fairly good example explanation:

For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button. You don’t think twice about it — you’ve done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie. It just so happens that a button allowing access to your camera and microphone has been placed over the movie’s play button. Now, when you think you’re playing the movie, you’re actually permitting the hacker to access your video camera and microphone.

So your click on something that isn’t what it seems to be causes bad things to happen. Usually without you knowing. So how do you prevent it?

Keeping your browser and flash player up to date is the first step. Instead of repeating the rest of the information that’s already on the internet here’s a link that will give you some tips:
http://howto.wired.com/wiki/Prevent_Clickjacking_Attacks#Upgrade_Flash_Player

 

Hopefully this information will help for people who haven’t heard about Clickjacking yet. For those who have, hopefully all of you, this is just a reminder to make sure your secure.

 

 

 

 

Anti-anti virus malware

The FBI has arrested six eastern European hackers for infecting numerous computers across the world with a sophisticated form on malware. The group known as The Rove Group, was actually hired and paid by advertising companies to increase traffic to specific sites. They did this by using a class of malware called DNSChanger which redirected traffic from legitimate sites to bogus sites instead. Some of the websites were iTunes, Netflix And even NASA and the IRS. The malware worked by redirecting a user that would click on a legitimate link to a site like iTunes to a site that pretended to sell Apple software or music.  Much like an online phishing attack except they would not steal your identity but rather the customer would pay them directly. Sometimes the customer would receive black-market good or pirated software and often they would get nothing at all. The scheme was discovered and brought down by a FBI investigation known as Operation Ghost but not before making 14 million dollars over four years. The rest of the story is here…

http://www.fbi.gov/news/stories/2011/november/malware