iPhone Passcode Hack

Just a few days ago, Dr Sergei Skorobogatov, who works at the University of Cambridge laboratory, was able to develop a method to crack an unknown pin code on an iPhone 5c.  He did it by removing the Nand chip, which is the main memory of the phone, studying how it communicated with the phone and successfully cloning it.

The purpose of this is to allow for an unlimited number of passcode attempts as usually an iPhone will lock up after a few incorrect tries. This directly contradicts a claim by the FBI that this method (called Name mirroring) would not work during the time they were attempting to access San Bernardino gunman Syed Rizwan Farook’s iPhone 5c.

Dr Skorobogatov made a YouTube video demonstrating his method of removing and replacing the Nand chip and the successful reset of the passcode lockout counter.

Using this method, he was able to crack a 4 digit code in about 40 hours and a 6 digit code could take hundreds of hours. In order to crack newer phones, Dr Skorobogatov said more information was needed about how Apple stored data in memory and he would need a more sophisticated set-up to extract the memory chip.

Apple has not responded to this yet.

Link to original article: http://www.bbc.com/news/technology-37407047

Hacking the US Voter Registration System


Every election season, a new discussion sparks up surrounding the security of voting machines and the handling of voter registration information. For the 2016 election cycle, the first victims of vulnerabilities in these systems were the states of Illinois and Arizona. CNN is reporting that both states have had their registration databases breached, but are claiming that their election systems are currently unaffected.

In Illinois it is apparent that roughly 200,000 unique voter registrations have been accessed, but are apparently unchanged. The attack was likely carried out in early June, but was not detected until late July. The database included voters’ names, addresses, sex and birthdays in addition to other information. The database comprises of 15,000,000 records, and some contain a social security number or drivers license number. It is still unclear who is responsible for the breach, or what their intentions with the data are.

In Arizona the attack is a little more clear, but have been going on much longer. The Arizona voter registration system had to be taken down in May after it was discovered that a local official’s username and password had been made publicly available on a forum online. The account used to post the information is linked to a prominent Russian hacker. After taking down the system the forensic analysts determined that it was more than likely the official who’s information had been made public was the victim of a malware attack. It is apparent that no data has been affected, but the severity of the breach is unknown.

You can read the full CNN article here.

-Max Maurin

Canadian Point of Sale company data breech

     The point of sale company Lightspeed has suffered a data breech, the email above was posted on twitter by Australian security expert Troy Hunt which was sent by Lightspeed to its customers. The hackers had gained access to systems related to its retail offering. Lightspeed confirmed the attackers accessed a central database containing information on sales, products, and customers. The database included encrypted passwords, electronic signatures, and API keys. Eventhough the database was accessed by hackers Lightspeed said there was no evidence that information was stolen.

      The company said that passwords created after January of 2015 where the safest having been stored with advanced encryption technology. They also said that the system that the hackers had accessed did not hold any private information such as credit card numbers. The company has informed customers that a third party security firm had been hired to investigate and that it’s systems should be only accessible by authorized users.


  • Gavin Millikan

New Rule 41 Allows FBI to Mass Hack


An amendment to Rule 41 would allow the FBI to obtain a warrant from any court to hack multiple computers rather than from one with jurisdiction over the target’s location. All the FBI would have to do in order to get the warrant would be to prove the target is obscuring their location.

Therefore, the FBI would theoretically only need one warrant from anywhere in America to hack multiple computers all over the world. This is scary to think about. Tor users should be aware of this.

Some people seem to be not as worried stating that the FBI would still need probable cause. They also point out the logic in that it is hard to get a warrant to hack a computer if you cannot determine the computer’s location.

This will go into effect starting December 1st unless Congress blocks it.

Source: https://news.bitcoin.com/update-bitcoiners-use-tor-warned

– jar311

Way to go VTech.

One month ago a hacker revealed that he had broken into the toymaker VTech and retrieved a lot of information that was disturbing. Apparently, VTech had been storing  images, chat logs, home addresses, emails, names, genders and even birthdays of every customer. This would include the parents and their children who the products were most likely being used by.  Around 4,000,000 parents and 200,000 of the children using the products information was readily available for anyone who knew what they were doing. The hacker did not relinquish the way he was able to break into VTech, probably in an attempt to keep this information secret from people who want it but do not know how to hack, but has commented that he retrieved 190GB worth of photos and shared 3832 images with motherboard, a blogging site, with all the faces blocked out.VTech has yet to concretely say what their exact reasoning was but the wording of their attempt to justify it was so that they can send the password to the user directly. You know because that is such a GREAT idea, instead of just having them reset their password every time they forgot it because the company made it entirely impossible for them to access it on their own and with ease, I will just send you it back. The person that thought this was a good idea should get fired, like, two years ago.