main

Tech News

Idaho inmates hacked prison tablets and stole $225,000

July 27, 2018 — by Engadget.com0

Brendan McDermid / Reuters

Inmates in five Idaho prisons exploited a vulnerability on their JPay tablets to steal almost $225,000 worth of credits, according to officials. The Idaho Department of Correction said 364 prisoners boosted their JPay account balances, according to The Associated Press. The department unearthed the issue earlier this month, and noted taxpayer dollars were not affected.

Prisoners can use credits to buy music, ebooks, stamps (to pay for email and inbound video messages), games and even the JPay tablets themselves. They can use the tablets to catch up on the news, access educational materials and view photos and videos. Inmates’ loved ones can buy the tablets for them, and talk to the prisoners with a video chat visitation.

After prisoners seemingly communicated with each other on how to exploit the vulnerability, one inmate transferred almost $10,000 to their account, while 50 added more than $1,000. JPay has blocked inmates from downloading music and games until they pay back the company, though they can still use email. JPay has recovered over $65,000 worth of credits so far. Officials have disciplined the inmates who were allegedly involved; they may lose privileges and could be deemed a higher security risk.

Tech News

Microsoft detected Russian phishing attacks on three 2018 campaigns

July 19, 2018 — by Engadget.com0

Russia is still launching cyberattacks against the US, a Microsoft exec has revealed, contradicting what the President claimed just a few days ago. According to Microsoft VP for customer security and trust Tom Burt (shown above second from right, with his hand raised), his team discovered a spear-phishing campaign targeting three candidates running for office in 2018. Burt announced his team’s findings while speaking on a panel at the Aspen Security Forum, where he also revealed that they traced the new campaign to a group believed to be operated by the GRU, Russia’s largest foreign intelligence agency. In other words, those three candidates are being targeted by the same organization that infiltrated the DNC and Hillary Clinton’s Presidential campaign in 2016.

[embedded content]

The US recently indicted 12 Russian GRU officials, 11 of whom are accused of hacking the DNC and leaking the party’s emails with the purpose of influencing the 2016 elections. If you’ll recall, a “Guccifer 2.0” dumped names, phone numbers, emails and a bunch of other information stolen from the party, from Hillary Clinton and from the Clinton Foundation on the internet.

The last GRU official named in the indictment is accused of breaking into the state board of elections and the systems owned by companies making election software to steal half a million voters’ information.

While Burt divulged Microsoft’s findings to the public, he refused to name the targets and their parties due to security concerns. He did say, however, that they’re “candidates of note” who are “running for reelection.” Neither party would confirm whether their candidates are being targeted, but DNC rep Xochitl Hinojosa told BuzzFeed News: “We saw the Russians attack our democracy in 2016 and we know they’re a threat in 2018, 2020 and beyond.” He added that it’s unfortunate how the President isn’t taking the issue seriously and how House Republicans refuse to increase funding for election security.

Gaming News

How to Make Your Wifi Router as Secure as Possible

July 18, 2018 — by Kotaku.com0

Though more router manufacturers are making routers easier to set up and configure—even via handy little apps instead of annoying web-based interfaces—most people probably don’t tweak many options after purchasing a new router. They log in, change the name and passwords for their wifi networks, and call it a day.

While that gets you up and running with (hopefully) speedy wireless connectivity, and the odds are decent that your neighbor or some random evil Internet person isn’t trying to hack into your router, there’s still a lot more you can do to boost the security of your router (and home network).

Advertisement

Before we get into our tips, one quick caveat: Wireless routers all have different interfaces, different ways they name their settings, and different settings you can adjust. For this article, I’ll be poking around the interface of a TP-Link Archer C7. You’ll want to explore around your router’s web-based configuration screen (or app) to make sure you’ve adjusted all the right settings, but it’s possible you won’t be able to do everything we’ve detailed below.

Accessing your router’s settings

If your router doesn’t have an easy-to-use app for configuring its settings—like what you typically encounter when buying a mesh-networking system—you’ll probably access its settings by pulling up a web browser (on a device that’s connected to your router) and typing in your router’s IP address:

  • On a Windows system, pull up the command prompt and type in ipconfig. The IP address that’s listed as your default gateway is likely your router’s IP address.
  • If you’re on a Mac, pull up System Preferences > Network, and click on Advanced in the bottom-right corner. Click on the TCP/IP option toward the top of the next window and look for your router’s IP address.
  • If you’re on your iPhone, tap on Settings, then Wi-Fi, and tap on the “i” icon next to the wifi network you’re connected to. Your router’s IP address should be listed right there.

Advertisement

Step One: Update your firmware

Some routers bury firmware updates deep in their settings menus; some might even notify you about a new firmware update the moment you log into their apps or web-based user interfaces. However you find the option, you’re going to want to make sure that your router is running the most up-to-date firmware.

If you’re lucky, your router will be able to download new firmware updates directly from its manufacturer. You might have to click on a button (or two) to start this process, or this might happen automatically—routers that do the latter are great, because most people don’t really think about “checking to see if my favorite tech gear has updated firmware” on a regular basis, if ever.

Advertisement

Screenshot: David Murphy

It’s also possible that your router will require you to upload new firmware yourself. If so, you’ll have to download the right firmware from the router’s manufacturer—likely on a support page for your router—and manually update the router by browsing for this firmware file and starting the update process yourself. You’ll have to do this each time you want to update your router with new firmware, which means you’ll have to check for new firmware fairly regularly, perhaps a few times a year. It’s a laborious process that’s easily forgotten, but it’s also important if you want to keep your router protected from external threats.

Change your router login and password

If you’re still using “admin / admin,” “admin / password,” or some variant of generic words to log into your router, change that. Even if your router manufacturer has given you a quirkier password that presumably differs for everybody, it’s important to use a login and password that’s tough to guess or brute-force.

Advertisement

Screenshot: David Murphy

Even if you’re stuck using “admin” as a user name to log in, make your password something complex, not something anyone can look up via a quick web search.

Use WPA2 to secure your wireless network

It almost goes without saying, but don’t use WEP when you’re setting up a password for your wifi network. Passwords “protected” with the WEP encryption are a lot easier to brute-force attack than those encrypted with WPA2. Even though you probably don’t have someone hanging out on your street corner, wardriving everyone’s wireless networks, there’s no reason to not use the stronger WPA2 protocol—unless you have an old device that simply can’t handle WPA2, which is unlikely. And whatever you do, don’t run an open (password-free) wifi network. My god.

Advertisement

Screenshot: David Murphy

Turn off WPS

On paper, WPS—or Wi-Fi Protected Setup—sounds great. Instead of having to type in a long, reasonably complex wifi password on a device, you can just type in a smaller PIN number, likely printed directly on your router.

Advertisement

Guess what? These PIN numbers are much easier to brute-force attack than a more complicated password or passphrase. While a number of routers will time out an attacker after they botch a certain number of password attempts, that hasn’t stopped more ingenious WPS attacks from surfacing. The easiest way to prevent these kinds of shenanigans is to just disable WPS entirely.

Yes, you’ll have to type in your password. Yes, it’ll be annoying. It’s an extra minute of your life. You’ll be fine. Or, if you truly cannot handle this process, check to see if your router allows you to use push-button WPS instead of PIN-based WPS. That way, you’ll have to physically press buttons on your router and any devices you want to connect, which will make it a lot trickier for someone to exploit WPS and break into your network.

Advertisement

Use a better DNS

Browse the web a little bit faster by switching away from your ISP’s DNS and using a service like Google DNS, Cloudflare, or OpenDNS. As an added bonus, you’ll also increase the likelihood that you actually make it to the websites you’re trying to visit without any man-in-the-middle attacks, popups, redirects, interstitials, or annoying “you made a typo in your web address so we’re going to redirect you to a webpage filled with spam and ads” that your ISP might use.

If you want to get really crafty, you can drop a service like OpenDNS on your kid’s laptop, enable parental controls to keep them off time-sucking websites like Tumblr and Reddit, and give yourself a different DNS provider (like Google DNS) to browse the web without any restrictions. Your child will hate you, but at least they’ll turn out to be a rocket scientist with 27 inventions instead of a Twitch streamer with 3 followers.

Advertisement

Screenshot: David Murphy

Consider using MAC filtering, annoying as it might get

While it’s easy for an attacker to spoof a MAC address, you can at least give yourself a little extra security by setting up your router to only allow devices to connect that appear on a whitelist. This filtering is based on each device’s MAC address—a long string of letters and numbers that looks something like “00-11-22-33-44-55.”

Advertisement

Screenshot: David Murphy

While this means that you’ll need to go in and add any new devices you purchase whenever you want them to be able to connect to your router, it also means that devices you don’t authorize won’t be able to do squat. Like I said, though, MAC addresses are easy to spoof, so if this tip gets more annoying than practical, feel free to disable MAC filtering. You’ll be OK.

Consider scheduling your wifi

If you work a pretty normal schedule during the week and you have no reason to remotely connect to your home devices, consider using your router’s scheduling mechanism—if it has one—to just turn off your wifi when you aren’t home.

Advertisement

This isn’t the most practical tip if you have a bunch of smarthome devices that need the Internet, like if you want to be able to turn the lights on and off to piss off your cat or you want to be able to watch a delivery driver drop off the expensive package you ordered. If you live a relatively simple life—no harm there—and nothing really needs Internet connectivity when you aren’t around, then why power up your wifi for no reason? It’s hard to hack into a network that doesn’t exist.

Disable potentially sketchy services

You probably don’t need to mess with your router’s settings when you aren’t actively connected to your wireless network. If your router has some kind of an option for “remote management” or “remote administration” make sure it’s disabled.

Advertisement

Screenshot: David Murphy

You should also consider disabling UPnP on your router, although this might give you a little grief when you’re gaming or running BitTorrent—to name two examples. Still, when an entire website is dedicated to the various ways one can exploit UPnP for nefarious purposes … maybe it’s time to go back to manually forwarding ports, if needed.

Some routers also let you set up an FTP server so you can transfer files in and out of your network. However, we live in an era when it’s easy to use any number of cloud storage providers—or file-uploading services—to share your files. You probably don’t need to run an FTP at home, and it’s a lot safer to disable this feature entirely (if your router supports it).

Advertisement

You also likely don’t need to access your router over SSH or Telnet—turn either off, if offered—nor do you probably need to access any USB-connected printers or storage when you aren’t at home. In short, if your router lets you do something from afar, consider turning the feature off (if you can). The fewer ways you can access your home network when you aren’t in it, the harder it’ll be for someone else to take advantage of a vulnerability and access your router (or your home network).

If you can, consider disabling your router’s cloud functionality as well. While it might be useful to be able to edit your router’s settings by logging into the manufacturer’s cloud service, it’s just one more open door that an attacker could use to compromise your router (or network). While you have no choice with some routers—typically mesh routers—it’s always better, and safer, to log into a router’s web-based UI manually from a device that’s connected to your home network, even though it’s a lot less convenient.

Consider a separate wifi network for guests and smart-home devices

I’ve been playing, testing, and reviewing routers for more than a decade, and I still have yet to meet someone who uses their router’s guest network feature. Heck, I don’t think I’ve ever even connected to a friend’s “guest network” in their home or apartment.

Advertisement

Still, the premise of a guest network is great, security-wise: Your router automatically sets up a second SSID for friends to use, and any device connecting to it is walled off from other devices on your primary network, either plugged into your router directly or connected wirelessly. (Most routers let you adjust whether you want guests to see everything, each other, or nothing, if you need to customize your setup a bit.)

A guest network comes with an added bonus, too; you can use it for all of your less-secure smart-home devices. If someone takes advantage of a vulnerability in your smart lightbulb and breaks into your network, there will still be a layer of protection between your hacked device and your desktop PC, smartphone, and laptop—to name a few examples. While you can also get crazy and segment off your network with separate SSIDs and VLANs, if your router supports it, this is an easier method that won’t give you a weekend’s worth of headaches (if you don’t know what you’re doing).

Advertisement

Tech News

US indicts 12 Russian intel officers for hacking Democrats in 2016

July 13, 2018 — by Engadget.com0

Leah Millis / Reuters

Special counsel Robert Mueller and his team have received an indictment for 12 Russian intelligence for hacking Democrats leading up to the 2016 presidential election. The spies are accused of digitally infiltrating the Democratic National Committee and Hillary Clinton’s campaign, along with stealing information of 500,000 US voters, and releasing emails with the express purpose of influencing the election.

pic.twitter.com/0vZ6K5lcRX

— Laura Jarrett (@LauraAJarrett) July 13, 2018

Eleven of the 12 spies named in the indictment are charged with breaking into the DNC and Clinton’s campaign; The last is accused of hacking state boards of elections, secretaries of state and companies that provided election software, with the goal of stealing information about hundreds of thousands of voters. And yet, the Mueller team does not believe their efforts influenced the election.

“There is no allegation in this indictment that any American citizen committed a crime. There is no allegation that the conspiracy altered the vote count or changed any election result,” Deputy Attorney General Rod Rosenstein said in a prepared statement at a press conference.

The Wall Street Journal reported last November that Mueller’s team had identified six Russian government officials who were allegedly involved in hacking the DNC and releasing that information to harm the Clinton campaign. Then Mueller then indicted 13 Russian nationals involved with the government-associated Internet Research Agency for allegedly tampering with the election back in February.

Developing…

Tech News

Nintendo reportedly closes 'unpatchable' flaw in new Switch units

July 12, 2018 — by Engadget.com0

Katherine Temkin

Nintendo has been ramping up its anti-piracy measures ever since a Switch hacking team discovered a vulnerability that allow people to run arbitrary code on all current consoles. In fact, it already gave the Switch hardware an overhaul to get rid of the flaw. While the updated console (codenamed “Mariko”) hasn’t hit the market yet, the gaming giant might have released patched units in the interim. According to Switch hardware hacker SciresM, some retail units already come with Nvidia Tegra chips that are protected against the security exploit called fusée gelée or “frozen rocket.”

Bad News: Reports of new Switches in the wild not being vuln to f-g… probably updated ipatches.
Good news: they’re coming with 4.1.0 for now, which is vuln to deja vu.

Friendly reminder: if you want a hacked switch, don’t update. The lower the better. This is still very true.

— Michael (@SciresM) July 10, 2018

SciresM was the same person who warned users that playing pirated games online on the Switch can get users banned from the Nintendo network. He believes that Nintendo patched the console’s Nvidia chip with a system that prevents the USB recovery error hardware hackers were previously able to take advantage of.

Kate Temkin, who was part of the team that discovered fusée gelée, said the patched consoles are most likely different from Mariko, because they ship with firmware 4.1. The overhauled consoles support the newer firmware 5.0. That means these stopgap units aren’t truly unhackable unless users update their software, since firmware 4.1 is vulnerable to other exploits.

Tech News

Apple's new USB security feature has a major loophole

July 10, 2018 — by Engadget.com0

Apple’s new USB Restricted Mode, which dropped with the iOS 11.4.1 release yesterday, may not be as secure as previously thought. The feature is designed to protect iPhones against USB devices used by law enforcement to crack your passcode, and works by disabling USB access after the phone has been locked for an hour. Computer security company ElcomSoft, however, has found a loophole.

Researchers with the firm found that the one hour counter will be reset if you plug in a USB accessory within that window, and it doesn’t matter whether that accessory has ever been used with the phone in the past, either. Tests showed the bypass even works with Apple’s own Lightning to USB 3 camera adapter (which costs $39 in Apple’s online store). ElcomSoft is now in the process of performing more tests on other adaptors, although it notes the cheaper $9 Lightning to 3.5mm adaptor doesn’t work in the same way.

According to the company’s Oleg Afonin, “once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour.” He then questions the chances of a device being seized within an hour after its last unlock. “Quite high. We were not able to find any recent stats, but even two years ago an average user unlocked their iPhone at least 80 times a day.”

However, ElcomSoft says the ability to postpone Restricted Mode by connecting an iPhone to an untrusted USB accessory is “probably nothing more than an oversight.” Given that Apple introduced the Restricted Mode feature in the first place to ward off law enforcement access it seems unlikely that they’d purposefully include such a basic loophole. It’s not yet clear what action — if any — Apple will take on this, but it won’t be too difficult to rectify in subsequent versions of iOS.

Tech News

Timehop admits attacker stole 21 million users' data

July 9, 2018 — by Engadget.com0

Timehop

Timehop, a popular app that reminds you of your social media posts from the same day in past years, is the latest service to suffer a data breach. The attacker struck on July 4th, and grabbed a database which included names and/or usernames along with email addresses for around 21 million users. About 4.7 million of those accounts had phone numbers linked to them, which some people use to log in with instead of a Facebook account.

The attacker also grabbed access tokens and keys, which let Timehop access and display your posts from the likes of Twitter, Instagram and Facebook. While there was a window in which the attacker could have used those tokens to scrape data from social media profiles, Dropbox, Google Photos and iCloud, Timehop deactivated the tokens quickly and said it found no evidence that the attacker accessed anyone’s accounts — but that doesn’t mean it didn’t happen.

How the breach went down is a little troubling, because a basic security measure was not enabled. Back in December, an unauthorized person used an admin’s credentials to log into Timehop’s cloud computing servers and create a new admin account. Over the next two days and again in March and June, that person snooped on Timehop’s data before launching the attack last Wednesday. Surprisingly, the account the attacker initially used to access the servers was not secured with two-factor authentication (i.e. when you need to authorize a login in a second way, typically with a code or app on your phone). Timehop is now enabling multifactor authentication for all accounts.

Timehop says it discovered and halted the breach around two hours after it started. The company claims that no private messages, financial information or Timehop data (such as streaks) were compromised, and it deletes its copies of your old posts and photos once you’ve seen them. It doesn’t store data like credit card information, location data or users’ IP addresses either.

There’s an ongoing investigation into the incident, and Timehop has brought in cybersecurity experts to shore up security. The breach follows in the wake of recent attacks on Ticketfly and MyHeritage — tens of millions of users’ data were affected in those incidents too.

Tech News

Security researcher bypasses iPhone's limit on passcode attempts

June 23, 2018 — by Engadget.com0

Shutterstock / ymgerman

It’s not easy breaking into a locked iPhone. Try too many times and you can get locked out for years, even decades, or lose the device’s data altogether. That’s why law enforcement had to put pressure on Apple to unlock the San Bernardino shooter’s iPhone, and why cops across the country are buying an affordable iPhone cracker called GrayKey. Hacker House cybersecurity firm co-founder Matthew Hickey, however, has discovered a way to bypass the device’s security measures, even if it’s running the latest version of Apple’s mobile platform. Apparently, a hacker will only need “a turned on, locked phone and a Lightning cable.”

Hickey said that when an iPhone is plugged in and a hacker sends it passcode guesses using keyboard input (as opposed to typing on the screen), the action triggers an interrupt request that takes precedence over everything else. That means the iPhone would be too busy to erase the device if the attacker sends it one passcode guess after another. As a result, they can guess as many times as they want instead of being limited to 10 guesses.

Hickey said he already reported the vulnerability to Apple, noting that the bug isn’t difficult to identify and that there are probably other people who’d already found it before he did. Companies like Cellebrite, which unlocked the San Bernardino shooter’s phone for the feds, and GrayKey’s maker might even be using a similar brute force technique and taking advantage of the same bug to break into iPhones.

Cupertino might also be already aware of the vulnerability, which is why iOS 12 will feature a Restricted mode that will cut off an iPhone’s ability to connect to a USB accessory plugged into it after an hour. Since it takes much more than an hour to send a device every passcode combination possible, the new feature could prevent hackers and cracking devices from force unlocking iPhones.

Check out Hickey’s method in action below:

[embedded content]

Tech News

Olympic hackers may be attacking chemical warfare prevention labs

June 19, 2018 — by Engadget.com0

Reuters/Pawel Kopczynski

The team behind the 2018 Winter Olympics hack is still active, according to security researchers — in fact, it’s switching to more serious targets. Kaspersky has discovered that the group, nicknamed Olympic Destroyer, has been launching email phishing attacks against biochemical warfare prevention labs in Europe and Ukraine as well as financial organizations in Russia. The methodology is extremely familiar, including the same rogue macros embedded in decoy documents as well as extensive efforts to avoid typical detection methods.

While Kaspersky didn’t directly point fingers, it brought up a number of clues suggesting that Russia was responsible. Most of the lab targets were people associated with an upcoming biochemical threat conference run by Spiez Laboratory, which just happened to be involved in the investigation of the nerve agent poisoning of former Russian double agent Sergei Skripal and his daughter Yulia. Also, Kaspersky noted that the custom images and messages in the documents were in “perfect” Russian, and one of them specifically references the Skripal attack (conveniently, a piece where scientists couldn’t definitively came from Russia).

So why target Russian financial outfits, then? Kaspersky acknowledged that there could be multiple parties involved (say, profit-oriented crooks in addition to state-sponsored attackers). However, it’s generally accepted that Russia tried to frame North Korea for the Olympic hack. It’s entirely possible that the Russian targets amounted to a false flag meant to cast doubt on the true origins of the attack. The focus on labs and the Skripal connection may have been meant to rattle the West for daring to attribute assassination attempts to Russia.

It may be difficult to completely prevent campaigns like this when political tensions are so high. Kaspersky believes the labs can curb this in the future, however, such as tightening their overall security and running impromptu security audits. It’s also a reminder to be cautious — a seemingly innocuous attachment can have dire consequences.