Tech News

Security researcher bypasses iPhone's limit on passcode attempts

June 23, 2018 — by Engadget.com

It’s not easy breaking into a locked iPhone. Try too many times and you can get locked out for years, even decades, or lose the device’s data altogether. That’s why law enforcement had to put pressure on Apple to unlock the San Bernardino shooter’s iPhone, and why cops across the country are buying an affordable iPhone cracker called GrayKey. Hacker House cybersecurity firm co-founder Matthew Hickey, however, has discovered a way to bypass the device’s security measures, even if it’s running the latest version of Apple’s mobile platform. Apparently, a hacker will only need “a turned on, locked phone and a Lightning cable.”

Hickey said that when an iPhone is plugged in and a hacker sends it passcode guesses using keyboard input (as opposed to typing on the screen), the action triggers an interrupt request that takes precedence over everything else. That means the iPhone would be too busy to erase the device if the attacker sends it one passcode guess after another. As a result, they can guess as many times as they want instead of being limited to 10 guesses.

Hickey said he already reported the vulnerability to Apple, noting that the bug isn’t difficult to identify and that there are probably other people who’d already found it before he did. Companies like Cellebrite, which unlocked the San Bernardino shooter’s phone for the feds, and GrayKey’s maker might even be using a similar brute force technique and taking advantage of the same bug to break into iPhones.

Cupertino might already be aware of the vulnerability, which is why iOS 12 will feature a Restricted mode that cuts off an iPhone’s ability to connect to a USB accessory plugged into it after an hour. Since it takes much more than an hour to send a device every possible passcode combination, the new feature could prevent hackers and cracking devices from force-unlocking iPhones.

[Embedded video: Hickey’s method in action]

Olympic hackers may be attacking chemical warfare prevention labs

June 19, 2018 — by Engadget.com

The team behind the 2018 Winter Olympics hack is still active, according to security researchers — in fact, it’s switching to more serious targets. Kaspersky has discovered that the group, nicknamed Olympic Destroyer, has been launching email phishing attacks against biochemical warfare prevention labs in Europe and Ukraine as well as financial organizations in Russia. The methodology is extremely familiar, including the same rogue macros embedded in decoy documents as well as extensive efforts to avoid typical detection methods.

While Kaspersky didn’t directly point fingers, it brought up a number of clues suggesting that Russia was responsible. Most of the lab targets were people associated with an upcoming biochemical threat conference run by Spiez Laboratory, which just happened to be involved in the investigation of the nerve agent poisoning of former Russian double agent Sergei Skripal and his daughter Yulia. Also, Kaspersky noted that the custom images and messages in the documents were in “perfect” Russian, and one of them specifically references the Skripal attack (conveniently, one where scientists couldn’t definitively say the agent came from Russia).

So why target Russian financial outfits, then? Kaspersky acknowledged that there could be multiple parties involved (say, profit-oriented crooks in addition to state-sponsored attackers). However, it’s generally accepted that Russia tried to frame North Korea for the Olympic hack. It’s entirely possible that the Russian targets amounted to a false flag meant to cast doubt on the true origins of the attack. The focus on labs and the Skripal connection may have been meant to rattle the West for daring to attribute assassination attempts to Russia.

It may be difficult to completely prevent campaigns like this when political tensions are so high. Kaspersky believes the labs can curb this in the future, however, by tightening their overall security and running impromptu security audits. It’s also a reminder to be cautious — a seemingly innocuous attachment can have dire consequences.

Fraudster caught using OPM hack data from 2015

June 19, 2018 — by Engadget.com

Way back in 2015, the US Office of Personnel Management (OPM) was electronically burgled, with hackers making off with 21.5 million records. That data included social security numbers, fingerprints, usernames, passwords and data from interviews conducted for background checks. Now, a woman from Maryland has admitted to using data from that breach to secure fraudulent loans through a credit union.

The US DoJ says that Karvia Cross “participated in and recruited others to engage in a fraudulent identity-theft scheme targeting” the Langley Federal Credit Union (LFCU). In 2015 and 2016, LFCU was inundated with loan applications that used the personal details of individuals from the OPM database. The loans were approved, and the money was paid out to the respective perpetrators of the fraud.

Conspiracy to commit bank fraud and aggravated identity theft are the two crimes that Cross has copped to, and she faces a jail term of between two and 30 years. Another member of the group, Marlon McKnight, pleaded guilty to the same charges on June 11th and, like Cross, has yet to be sentenced.

Reuters asked the obvious question of how the pair got hold of this raft of stolen data, but the DoJ has yet to comment. If they committed the hack that grabbed all of this information, then they must also have the rest stored somewhere. If, however, they purchased it on the black market, then perhaps they can point us to those who did commit the act in the first place.

Cortana can be used to hack Windows 10 PCs

June 13, 2018 — by Engadget.com

Cortana might be super helpful at keeping track of your shopping lists, but it turns out it’s not so great at keeping your PC secure. Researchers from McAfee have discovered that by activating Cortana on a locked Windows 10 machine, you can trick it into opening up a contextual menu which can then be used for code execution. This could deploy malicious software, or even reset a Windows account password.

The vulnerability stems from Cortana’s ability to listen for commands even while the PC is locked, combined with the regular indexing that makes files accessible through the search function Cortana uses. Even though potential hackers would need physical access to your PC to do any damage, this could feasibly take place in an office or shared environment. Microsoft dealt with the issue in yesterday’s “Patch Tuesday” update, but many machines won’t have it yet, so McAfee suggests turning off Cortana on the lock screen to prevent any attacks.

UK privacy watchdog slaps Yahoo with another fine over 2014 hack

June 12, 2018 — by Engadget.com

Yahoo still isn’t done facing the consequences for its handling of a massive 2014 data breach. The UK’s Information Commissioner’s Office has slapped Yahoo UK Services Ltd with a £250,000 (about $334,300) fine under the country’s Data Protection Act. The ICO determined that Yahoo didn’t take “appropriate” steps to protect the data of 515,121 UK users against hacks, including meeting protection standards and monitoring the credentials of staff with access to the information.

Verizon’s Oath (the brand that subsumed Yahoo, and owns Engadget) stressed in a response that it had made efforts to strengthen its security systems since the carrier acquired Yahoo, and that this fine had nothing to do with the European Union’s GDPR (which only just took effect).

The fine is minuscule compared to the US Securities and Exchange Commission’s $35 million fine, and it’s unlikely to have significant ramifications for the company. However, it does illustrate the scope of the problem. When a hack compromises sensitive information for 500 million people, there will be numerous countries that want restitution.

Engadget’s parent company, Verizon, now owns Yahoo. Engadget remains editorially independent.

Chinese hackers stole undersea warfare data from US Navy contractor

June 9, 2018 — by Engadget.com

Hackers associated with the Chinese government have broken into a US Navy contractor’s systems and stolen data about undersea warfare. According to The Washington Post, these include secret plans to create a new anti-ship missile usable on US submarines by 2020.

The contractor had been working for the Naval Undersea Warfare Center, an R&D organization dedicated to submarines and underwater weaponry, based in Newport, Rhode Island. The Chinese hackers breached the contractor’s systems in January and February and made off with 614GB of data on signals, sensor data, cryptographic info, the Navy’s electronic warfare library and material on a project known as Sea Dragon. The latter remains secret: the only information released by the DoD is that it will integrate an existing weapon system with an existing Navy platform.

The data was highly sensitive despite being located on the contractor’s unclassified network; when aggregated, it could be considered classified, sources told The Washington Post. The Navy is reportedly investigating the breach with help from the FBI.

This is the latest in a string of attempts by Chinese hackers to access US data. The last big government breaches were in 2015, when cyberattacks from that country targeted the Office of Personnel Management and the Woods Hole Institute, an oceanographic research organization that sometimes partners with the US Navy. A report last month indicated that a long series of seemingly unrelated cybersecurity incidents were actually part of a Chinese hacking campaign stretching back to 2009 that mainly targeted US companies. All in all, this successful raid secured yet more information for China, this time on US underwater warfare, potentially chipping away at an advantage America’s military has over the East Asian country.

Ticketfly is finally back online after hack

June 7, 2018 — by Engadget.com

Ticketfly’s site is back online after a hack last week, which forced the company to take the site down while it investigated the incident. The iOS app, along with the Promoter and Fanbase functions, is still down, as Ticketfly prioritized “bringing up the most critical parts of the platform first.” It’s also restoring the promoter and venue websites that the platform powers.

The company said earlier that users’ email addresses, phone numbers and home and billing addresses were included in the compromised data. A researcher suggested Monday that more than 26 million users were affected; more than 27 million accounts were actually compromised, Ticketfly now admits. However, it points out that customers often use various email addresses to order tickets, so the number of actual people affected is likely lower than that figure.

Ticketfly confirmed payment information and customer passwords were not compromised in the attack. However, it’s possible that the hacker grabbed hashed (or scrambled) passwords for venue and promoter accounts. To stay on the safe side, Ticketfly has reset all passwords.

Check out for more information.

— Ticketfly (@ticketfly) June 7, 2018

Atlanta ransomware attack may cost another $9.5 million to fix

June 6, 2018 — by Engadget.com

The effects of the ransomware attack against Atlanta’s government were much worse than it seemed at first glance. To start, city Information Management head Daphney Rackley revealed at a meeting that more than a third of Atlanta’s 424 necessary programs were knocked offline or partly disabled, and close to 30 percent of those affected apps were “mission critical” — that is, vital elements like the court system and police. The government initially reckoned that essential programs were safe.

Department leaders had elaborated on the damage earlier in the week. The City Attorney’s office lost all but six of its 77 computers and 10 years’ worth of documents, while the police lost their dash cam recordings.

Crucially, the cost of cleaning up the attack is likely to balloon as well. Rackley estimated that Atlanta would need another $9.5 million in the next year to recover, well past the $2 million it had spent as of April. There’s a good chance the figures could keep growing, too. Deputy CFO John Gaffney warned that the city was still in the “response phase” and had yet to determine the final costs. While Atlanta may have avoided paying the initial ransom, it could spend a long, long time dealing with the aftermath of its no-compromise approach.

'WannaCry hero' faces more federal malware charges

June 6, 2018 — by Engadget.com

Marcus Hutchins, the cybersecurity researcher credited with helping stop last year’s WannaCry virus, is facing four new charges related to malware he allegedly created to steal financial information. Now, the FBI says Hutchins lied about creating the malware called Kronos, and that he conspired with others to promote it online, including via YouTube.

The researcher, also known as MalwareTech, is now facing ten charges following a revised grand jury indictment in the Eastern District of Wisconsin. After it was filed, Hutchins asked his Twitter followers to consider donating to help with legal fees and called the charges “bullshit.” One of his attorneys said the new charges were “meritless,” and insisted they “highlight the serious flaws in this prosecution.” Hutchins has pleaded not guilty, though prosecutors say he admitted creating Kronos.

The latest indictment includes the aliases of people he’s accused of conspiring with to sell Kronos. According to prosecutors, Hutchins and another person known as “VinnyK” appeared in a YouTube video in 2014 showing how Kronos worked. They also allegedly used the video “to promote the sale of Kronos.” The indictment notes that the alleged crimes took place between July 2014 and July 2015. It also claims Hutchins created and distributed other malware called UPAS Kit in 2012; that was also designed to steal personal information and credit card details, prosecutors say.

Journalist Marcy Wheeler, who has been following the case, broke down the new indictment and some potential issues with it. Wheeler suggested that the alleged 2012 crimes both fall outside a five-year statute of limitations and were carried out while Hutchins was a minor. She added that VinnyK allegedly sold UPAS Kit to someone in July 2012, and Kronos to someone else in 2015. Prosecutors claim Hutchins provided Kronos to VinnyK and another person known as “Randy” (or “Individual B” in the indictment).

Wheeler wrote that prosecutors should be pursuing VinnyK as the true perpetrator of the crimes, but instead are targeting Hutchins. Additionally, “in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins,” she said. Wheeler also pointed out that Kronos does not have any known US victims.

Defense attorneys have urged a federal judge to suppress statements Hutchins made to the FBI when he was detained on August 2nd, claiming that he wasn’t correctly advised of his rights. The FBI apprehended him as he was headed home to England from the DEF CON security conference in Las Vegas — Hutchins’ attorneys said the timing of his arrest was designed “to create confusion and mislead Mr. Hutchins.” Agents said he spoke with them voluntarily but lied about his part in Kronos’ creation.