iCloud Hacked: Celebrity Photos Leaked to the World

On August 31, approximately 200 private pictures of various celebrities were posted to 4chan. Users of 4chan spread the pictures to other social networks and websites such as Imgur, Reddit, and Tumblr. McKayla Maroney, the Olympic gold medalist, is among the group of people who had their photos released to the public. She was underage in the pictures released of her. That is classified as possession and distribution of child pornography. Twitter user @IgnacioGordo tweeted a link featuring a countdown clock that threatens to release photos of Emma Watson, and at the bottom of the page it states, “Never forget, the biggest to come thus far.” Apple’s iCloud service is believed to have been breached, and that is how the hackers acquired personal videos and photos. Apple later confirmed that the hackers gathered the photos from iCloud and gave reassurance that the service itself is not vulnerable. Very targeted attacks were used to steal account information such as passwords. The gathered information, along with time, allowed the hackers to break in. Apple has stated that it is working with the FBI to locate and charge those responsible for the leak.

Cross-Site Scripting at ebay.co.uk

Recently a cross-site scripting vulnerability at ebay.co.uk left users susceptible to an attack that attempted to steal their credentials when they clicked on links within a listing. That such a big corporation was not blocking this type of vulnerability is really appalling to some security experts, as this is not a new type of vulnerability.

The XSS attack used JavaScript embedded within the listing. If the user clicked on the malicious link and the script was able to execute (e.g. the user wasn’t using NoScript), it would redirect them to a site that looked like eBay and requested their login information. The site, of course, was a fake set up to harvest user credentials.

The BBC reports that it found at least three separate listings using the malicious JavaScript. Furthermore, it took eBay approximately 12 hours to take down the pages after first being alerted to the problem by one user. The number of affected users is undetermined, but given the response time one might assume that the number could be quite high.

Source: http://www.databreachtoday.com/ebay-stumbles-over-old-school-attack-a-7333/op-1
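The flaw described above comes down to seller-supplied listing text reaching the buyer's browser as live markup. The following is an added example, not eBay's code or part of the original post: it shows the vulnerable concatenation beside an output-encoded rendering, plus a link check. The function names, the host allowlist, the sample description and the policy string are all assumptions constructed for illustration.

```javascript
// Constructed sample: a seller-supplied description carrying a script that
// would send the buyer to a look-alike login page (placeholder domain).
const sampleDescription =
  'Great phone! <script>location="https://login.example.invalid/"</script>';

// Hypothetical allowlist of hosts that a listing is permitted to link to.
const ALLOWED_LINK_HOSTS = new Set(["www.ebay.co.uk", "ebay.co.uk"]);

// Vulnerable: seller text is concatenated into the page as markup, so any
// <script> element inside it runs in the site's origin.
function renderListingUnsafe(description) {
  return '<div class="listing">' + description + "</div>";
}

// Encode the characters that let text break out of an HTML text node or a
// quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same text is output-encoded, so the browser displays the
// tag as characters instead of executing it.
function renderListingSafe(description) {
  return '<div class="listing">' + escapeHtml(description) + "</div>";
}

// Accept only absolute http(s) URLs whose exact hostname is allowlisted.
// This rejects javascript: URLs and look-alike hosts that merely contain
// the real name as a prefix or as userinfo.
function isAllowedLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return false; // relative or malformed input
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return ALLOWED_LINK_HOSTS.has(url.hostname);
}

// Defence in depth: a Content-Security-Policy value that refuses inline
// script even if an encoding step is missed somewhere.
const LISTING_CSP = "default-src 'self'; script-src 'self'; form-action 'self'";
```
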

iPhone ATM PIN code hack

There is now a way for people to steal your ATM PIN code. All it takes is an add-on to your phone. What this add-on does is make the camera on your phone infrared. This means that you can now see the heat signatures of things through your camera. This is a problem because, after someone types their PIN into an ATM, if you walk up and take a picture of the keypad with this infrared camera you can see what keys they pressed before they left. You can also tell, for the most part, in what order the keys were pressed by how bright the color that is left is. There are only 2 ways that you can protect yourself from this. One thing that would make this difficult would be if the PIN had the same number in it 2 or more times. The other would be to rub your hand on the keypad after you are done putting in your PIN so that the heat of your hand gets on all of the keys, making it impossible to know which ones you really used. There is an 80% accuracy if the image is taken right after the PIN was typed in. After 1 minute there is about a 50% chance of getting the PIN right. The case that has the infrared camera on it is only about $200 and you can get it at any Apple store. Also, this does not work on metal keypads because metal reflects and dissipates the heat too fast. Rubber and plastic keypads work the best for retaining the heat signature.

Adobe Breach

In 2013 Adobe experienced a breach, which Adobe claimed affected over 38 million people, in which large amounts of account information were compromised. Account information such as user names, passwords, and credit and debit card information was compromised during the break-in. Adobe claims that the credit and debit card information that was hacked was encrypted, and also claims that only 2.9 million people had their encrypted debit and/or credit card information stolen. For those people who had their information stolen, Adobe is offering 1 year of credit monitoring free of charge and is also notifying banks to be cautious of strange purchases. The break-in affected almost all Adobe systems, including but not limited to: Reader, Photoshop, Acrobat, etc. The public was not made aware of the hack until October of 2013. The weekend following the public announcement, a file was released that appeared to show that over 150 million Adobe users had had their information stolen. Adobe responded to this by emailing all active users of affected accounts with procedures on how to reset their passwords, resetting passwords, and notifying the users of non-active accounts. Source code from Acrobat, Reader, ColdFusion, and Photoshop was also stolen during the breach. Ireland’s Office of Data Protection immediately began to aid Adobe and authorities in trying to trace this breach and find out exactly how many were affected and exactly how much information was compromised.

 

http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/

http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html

http://www.zdnet.com/adobe-investigated-by-data-watchdog-over-massive-security-breach-7000024973/

 

Steve Bochenski

Google to Begin Phasing Out SHA-1

On September 5th, Google announced that it will begin ‘sunsetting’ the SHA-1 cryptographic hash algorithm.  This algorithm was designed almost a decade ago in 2005 and Google is now telling the world that it has not withstood the test of time.  SHA-1 is currently used in SSL encrypted certificate signatures for HTTPS.  This allows a website to encrypt your connection to the site and verify that the site you are connecting to is genuine.

In its statement, Google cites the ease and affordability of collision attacks against SHA-1 for the decision to phase out the algorithm.  Basically, this means that Google is worried that nefarious individuals will engineer certificates that produce the same SHA-1 hash as the legitimate HTTPS certificates.  This would allow these individuals to pose as a legitimate site, such as facebook.com, in order to scam, phish, or infect users.

How will this problem be fixed?  In the short term, Google will soon be changing the visual security indicator for HTTPS in Chrome to alert users of the issue.  Additionally, Google is looking towards the successor of SHA-1, SHA-2, to replace the outdated cryptographic hash algorithm.  SHA-2 provides substantially more security and is supported by nearly every current operating system and browser.  Google also is not alone in this fight: both Microsoft and Mozilla have announced plans to move away from SHA-1 in the future.

-Tyler Zimmermann

Sources:

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1