iPhone ATM PIN code hack

There is now a way for people to steal your ATM PIN code. All it takes is an add-on to your phone. This add-on turns your phone's camera into an infrared camera, which means you can now see the heat signatures of things through your camera. The problem is that after someone types their PIN into an ATM, if you walk up and take a picture of the keypad with this infrared camera, you can see which keys they pressed before they left. You can also tell, for the most part, in what order the keys were pressed by how bright the residual color is. There are only two ways you can protect yourself from this. One thing that would make this difficult is if the PIN had the same number in it two or more times. The other is to rub your hand on the keypad after you are done entering your PIN, so that the heat of your hand gets on all of the keys, making it impossible to know which ones you really used. There is 80% accuracy if the image is taken right after the PIN was typed in. After one minute there is about a 50% chance of getting the PIN right. The case that has the infrared camera on it is only about $200, and you can get it at any Apple store. Also, this does not work on metal keypads because they reflect and dissipate the heat too fast. Rubber and plastic keypads work the best for retaining the heat signature.

5 Million Gmail Accounts Hacked

On September 10, 5 million Gmail accounts and passwords appeared on a forum on a Russian Bitcoin website. Luckily, information about this news is still surfacing, like the fact that some of these account names and passwords aren't very recent. Some go back as far as three years, though considering most people don't change their passwords very often, there is room for concern.

Google has since confirmed that there was no breach, though. So how did all these accounts and passwords leak? As it turns out, people have a bad habit of using one password for multiple accounts, including third-party accounts separate from Google. Most of these third-party sites require an email address in order to contact the user or send him or her updates. Those third-party sites are the ones that were hacked, and the account names and passwords were taken from them.

While many people are panicking about the situation, it is worth noting that most of the accounts are Russian, though there certainly are English ones on the list, and that 60% are actually active.  Even so, Google has told users to check their accounts and to strengthen their passwords.

-Jesse Provenzano

Sources:

http://www.sciencenewsdaily.org/internet-news/cluster631672260/

http://www.independent.co.uk/life-style/gadgets-and-tech/news/5-million-google-account-details-leaked-on-russian-bitcoin-forum-9725030.html

Smartphone Gyroscope Able to Record Some Recognizable Speech Without Permissions

Stanford researchers have been investigating the possibility of using a smartphone's gyroscope to record audio – without having microphone access permissions. In other words, the gyroscope sensor in your phone that is used to detect angular velocity is sensitive enough to capture certain lower frequencies of sound. This means that it could be used, without your knowledge, to record and analyze conversations. From this, it is feasible that sensitive private information could be extracted, such as social security numbers, credit card numbers, and more.

Using specially crafted algorithms to filter the sound captured by the gyroscope, which is normally incomprehensible to human ears, the researchers have managed to correctly interpret spoken digits with an alarming success rate (up to 65%). This means that any sensitive information that is spoken out loud in the vicinity of a smartphone equipped with one of these sensors is susceptible to being recorded and correctly interpreted by a malicious application. Since access to a phone's gyroscope is not restricted in the way that the microphone is, these applications could operate and steal your information without you ever knowing.

by David Grzebinski

Sources:

http://phys.org/news/2014-08-snooping-gyroscope-usenix.html

http://crypto.stanford.edu/gyrophone/

https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/michalevsky

309,079 Records Breached in UMD Attack

The University of Maryland has sent out a notice to all faculty and staff alerting them of a recent attack on one of their databases. A total of 309,079 records were stolen as a result; this includes faculty, staff, and students. The records included names, social security numbers, dates of birth and university ID numbers. This affects everyone affiliated with the College Park and Shady Grove campuses who was given a university ID since 1998. All of this information was stored on a single database managed by their IT division. The university is unsure of how the security breach happened. The incident is being investigated by federal and state law enforcement.

Recently the university has doubled the number of IT security and analysis personnel working for them. It also stated that it doubled the amount of money invested in top-level security tools. Obviously this isn't enough, or is it possibly too much? The more people that touch your system, the more people that know your system. I am sure we will find out how this occurred in a few weeks, or possibly never, but I wouldn't doubt the possibility of an inside job.

[Image: Credit Application]

The University is offering free credit monitoring for a year. Is a year long enough? This data could take over a year to be used. If you look at the image above, this is all the data needed for a credit application, this one specifically for Amazon. With the data that was taken in the hack, anyone who has access to it, or whoever purchased it on the black market, could easily get some free money. This is only one possibility for the data holder to accomplish; there are many others, all of which can be done a year from now.

Source: http://www.umd.edu/datasecurity/

Business and Enterprise Security Concerns with Remote Users/Workers

In this new modern age, remote users are becoming more and more popular. It now only takes a few short clicks and you can be logged into a system anywhere in the world. But with new access and convenience for employees comes new access and accessibility for attackers. Having remote users effectively increases the "attack radius" and the probability of being attacked, as employees, information, and devices are spread across the globe, requiring an increase in security policies, training and reviews to ensure maximum protection against threats.

Full Article:

http://smallbusiness.yahoo.com/advisor/addressing-enterprise-security-concerns-remote-workers-193011960.html