Archive for the ‘real world’ Category
Comcast.net hackers indicted
Three hackers were indicted on Friday for a hack of Comcast’s website in May 2008. According to CNN’s article, “The prank took down the cable giant’s homepage and Web mail service for more than five hours and allegedly cost the company over $128,000.” Customers were left without access to webmail and digital voicemail during the outage.
The attackers were able to gain access to the Network Solutions DNS control panel for all of Comcast’s sites and altered the records to point at their own site with a taunting message. Their method? Phone calls.
The hackers were able to call one or more Comcast employees at home and ask them questions which gave them access to “a specific Comcast e-mail account”, according to the indictment. Through the email account, they were able to communicate with Network Solutions and obtain access to the DNS control panel.
It seems that the weak point in the security was less technological and more a human factor. The attackers simply made anonymous phone calls to Comcast employees who answered their questions, and it was this information that enabled them to obtain access. Comcast (and other companies, no doubt) would be wise to further educate its employees on information security.
CNN article: http://www.cnn.com/2009/TECH/11/20/comcast.hacking.charge/index.html
Indictment: http://www.wired.com/images_blogs/threatlevel/2009/11/comcast_indictment.pdf
Responsible disclosure for Jailbroken iPhones
How a jailbroken iPhone was hacked has already been discussed here and here.
But while the problem was publicly advertised, so was the method of using it to hack such iPhones.
The guy from the Netherlands published the source code he used. Was this a good choice?
Since the first incident, several malicious programs have appeared which take advantage of the default root password.
Two of them can be found: here (worm – “harmless yet annoying prank”) and here (a “truly malicious iPhone malware” which extracts personal data)
iPhones hacked again … This time in Australia
Jailbroken iPhones have been hacked again, this time in Australia.
This Australian guy used the same technique posted before here, but where the previous hacker held the iPhone hostage for €5, this time he published the source code for the hack. It is just people forgetting to change the root password for SSH!!
The problem now is that the source code is out in public, and more harmful ways to kill all jailbroken iPhones may pop up.
Bottom line: Want to hack … be smart not to be hacked :D
Jailbroken IPhone Security
Here is a reminder that if you want to escape Apple’s security, you’d better know what you’re doing and enforce your own.
A hacker from the Netherlands used port scanning to find jailbroken iPhones running SSH whose users were careless enough to leave the default root password in place after jailbreaking their phones. He initially demanded 5 euros for fixing a hacked iPhone and has now published the solution for undoing what he did.
Personal opinion: Those who got their iPhones hacked should have at least said thank you for uncovering how insecure their phones were instead of accepting his apologies for what he has done.
Can hacking cable modems get you in jail?
Ryan Harris, an expert on cable modem hacking who has been selling unlocked cable modems through a small company, is facing criminal charges of wire fraud and computer fraud.
In his defence he claims that: “arresting every firearms dealer, because handguns can be used to commit murder.”
Read more here
A/N: If the fact that one of his programs is called “Coax Thief” puts him in a bad light, then a note for all those hacking: Make sure you name all of your software things like “Safe Program Thingy” or “Well Behaved Program”. More importantly, don’t you dare use user or socket messages like: “It’s hacked” or “Hack in place” nor variable or function names with similar connotations!
Smartphone Security
As if worrying about security on your computer wasn’t enough, your smartphone is increasingly becoming a significant target.
Besides the standard virus and worm attacks via email attachments, one recent attack used the phone’s Bluetooth capabilities to spread between nearby Bluetooth-enabled devices.
Research indicates that a significant amount of the problem is that, while many users know to be careful on their home computer, many people feel their phone is more immune to security threats. Not so. The article’s suggestion – “treat your smartphone like a computer, not a telephone.”
Unfortunately, there are many people who don’t treat their home computer security properly, much less their smartphone security. People need to continue to be educated about internet security. If you’re going to fall for a phishing attack on your home computer, you’re probably going to fall for anything on your smartphone. Awareness is key.
News article: http://www.cnn.com/2009/TECH/10/25/smartphone.security/index.html
How safe is wireless access???
A recent bug in Time Warner cable modems exposed the wireless admin site to potential hackers. About 65,000 users are affected by this. More details can be found here
The most amazing part of this is that the administrative portion was guarded only by JavaScript code. Simply toggling the browser’s JavaScript option exposed this vulnerability.
I admire David Chen for reporting this issue to the concerned authorities. His ethics would go a long way.
A question which always seems to pop up is “How secure is wireless access?”. Ever since the first draft of the 802.11 specifications, people have been able to exploit wireless networks easily.
A classic paper which uncovered the lame security aspects was “Intercepting Mobile Communications: The Insecurity of 802.11” (link). This paper showed some very simple tricks for attacking the wireless medium. It was an eye opener to the 802.11 committee who formed the very basis of the protocol.
In my opinion, we require a new framework to test these vulnerabilities. Even if the protocol is safe, there is some implementation problem. If the implementation is right, there is an issue with hardware and this chain keeps going on…
Another Phishing attack, Hotmail accounts hacked
It seems that there has been a major phishing attack on Hotmail accounts (more than 10,000 accounts affected).
Furthermore, the passwords of users were posted online.
Beware, Be secure and avoid unwanted mails.
Read more of the news here.
Flickr API Key Attack
Some security researchers have published an article detailing a vulnerability in the Flickr API that allows an attacker to forge requests on behalf of third-party applications. It’s very simple, and based on the fact that signed API calls are constructed in a dumb manner: If the function call is f(a=1,b=2,c=3) and the secret shared key is DONUTS, then the application computes md5(DONUTS || a1b2c3)=<hash> and appends the argument value api_sig=<hash>. This is bad for a couple of reasons:
- There are no delimiters to separate the argument names from values, so the signature is the same if you have (for example) the argument/value pairs a1b=2, c=3.
- More importantly, this is NOT the right way to compute a MAC. This scheme uses hash(secret || message). Instead, the standard way to do this (the HMAC spec) is hash(secret || hash(secret || message)).
Using this design flaw, plus a length-extension attack on md5 which has been around since prehistoric times, an attacker who obtains a single signed API call can generate arbitrary calls from that API key without having the secret. The authors also list a few malicious ways to abuse this.
Interestingly, Facebook uses a very similar scheme but appends the secret to the end rather than the beginning. This prevents this length-extension attack from working but may still be open to other MAC attacks.
Check out the paper; it’s short and very easy to understand.
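The delimiter problem from the first bullet, next to a hardened signer, as an added example (not code from the paper or from Flickr). It assumes arguments are concatenated in sorted order; the length-prefixed encoding and the choice of HMAC-SHA256 are this example's own, and note that real HMAC also XORs the key with distinct inner and outer pad constants, which Python's `hmac` module handles.

```python
import hashlib
import hmac

SECRET = b"DONUTS"  # the post's example shared secret


def weak_sig(params: dict) -> str:
    """Scheme from the post: md5(secret || name1value1name2value2...)."""
    # Assumption: arguments are concatenated in sorted order, no delimiters.
    msg = "".join(k + v for k, v in sorted(params.items()))
    return hashlib.md5(SECRET + msg.encode()).hexdigest()


def canonical(params: dict) -> bytes:
    """Unambiguous encoding: every name and value gets a 4-byte length prefix."""
    out = bytearray()
    for k, v in sorted(params.items()):
        for field in (k.encode(), v.encode()):
            out += len(field).to_bytes(4, "big") + field
    return bytes(out)


def strong_sig(params: dict) -> str:
    """HMAC-SHA256 over the length-prefixed encoding (not extendable like H(k||m))."""
    return hmac.new(SECRET, canonical(params), hashlib.sha256).hexdigest()


def verify(params: dict, api_sig: str, signer) -> bool:
    """Server side: recompute the signature and compare in constant time."""
    return hmac.compare_digest(signer(params), api_sig)


# Constructed sample calls: the post's f(a=1,b=2,c=3) and its ambiguous twin.
CALL = {"a": "1", "b": "2", "c": "3"}
TWIN = {"a1b": "2", "c": "3"}


def demo() -> dict:
    """Reuse the signature of CALL on TWIN under each scheme."""
    return {
        "weak_accepts_twin": verify(TWIN, weak_sig(CALL), weak_sig),
        "strong_accepts_twin": verify(TWIN, strong_sig(CALL), strong_sig),
        "strong_accepts_original": verify(CALL, strong_sig(CALL), strong_sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```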
Crack your neighbor’s password
Most of us take for granted that the * marked field is enough to keep onlookers from seeing our passwords.
Well, think again. Your next-door neighbor could learn your password without even coming close to you. A recent research work recovers passwords from key presses by decoding the electromagnetic radiation emitted by keyboards.
Hard to believe? Take a look at the video posted here along with other comments.
This paper received the outstanding student paper award at the recent USENIX forum.
(Thinking point??) How would we transition from all the legacy password systems to any new authentication system?