One user lost $550 in a matter of minutes: his account was auto-reloaded each time a hacker emptied it by sending a series of $50 gift cards. Other users have also reported three-figure losses within seconds or minutes.
hack Stories May 14, 2015
hack Stories April 21, 2015
A former NSA staffer says that the OS X 10.10.3 update, which Apple claims fixed a significant security vulnerability, has failed to do so, reports Forbes. Patrick Wardle, who now heads up research at security firm Synack, demonstrated in a video that the flaw is still exploitable, withholding the details of how to give Apple time to issue a further fix.
The Rootpipe vulnerability allows an attacker with local access to a Mac (that is, one who can already run code as an ordinary user) to escalate their privileges to root – giving them full control of the machine – without being asked for any further authentication. A second security researcher confirmed the flaw.
A bug in the way that around 1,500 iOS apps establish secure connections to servers leaves them open to man-in-the-middle attacks, according to analytics company SourceDNA (via Ars Technica). Anyone positioned to intercept traffic from an affected iPhone or iPad app could read logins and other sensitive information even though it is sent over HTTPS.
In a man-in-the-middle attack, a fake WiFi hotspot (or any other network hop the attacker controls) intercepts the data of devices connecting through it. Normally this fails against HTTPS connections, because the hotspot cannot present a certificate for the server's domain issued by an authority the device trusts. The bug SourceDNA found means the vulnerable apps skip that check altogether, so a certificate the attacker made up is accepted, the "secure" connection terminates at the attacker, and the traffic can be decrypted, read and forwarded without the user noticing.
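To make that failure mode concrete, here is an added example in Go, written for this page and not taken from SourceDNA or from any of the affected apps. It stands up a "hotspot" TLS server on loopback with a self-signed certificate for a made-up host, api.example.com, then connects twice: once as a client that skips certificate validation, the way the buggy apps behave, and once with the default validation. The host name and the loopback server are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical API host the app believes it is talking to.
const targetHost = "api.example.com"

// rogueCert mints a self-signed certificate for targetHost. No trust store
// knows its issuer, which is exactly the position a fake hotspot is in.
func rogueCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: targetHost},
		DNSNames:     []string{targetHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startRogueServer plays the hotspot: a TLS listener on loopback that presents
// the rogue certificate to whoever connects.
func startRogueServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				// The client's checks decide whether this completes or aborts.
				_ = c.(*tls.Conn).Handshake()
				c.Close()
			}(c)
		}
	}()
	return ln, nil
}

// clientAccepts connects as a client that intends to reach targetHost and
// reports whether the handshake completed. skipVerify=true reproduces the bug
// class (no chain or host-name validation); false is the correct default.
func clientAccepts(addr string, skipVerify bool) (bool, error) {
	cfg := &tls.Config{ServerName: targetHost, InsecureSkipVerify: skipVerify}
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, cfg)
	if err != nil {
		return false, err // for the validating client: x509 unknown authority
	}
	conn.Close()
	return true, nil
}

func main() {
	cert, err := rogueCert()
	if err != nil {
		panic(err)
	}
	ln, err := startRogueServer(cert)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	buggy, _ := clientAccepts(ln.Addr().String(), true)
	fmt.Println("client with validation disabled accepted rogue hotspot:", buggy)
	correct, reason := clientAccepts(ln.Addr().String(), false)
	fmt.Println("validating client accepted rogue hotspot:", correct, "reason:", reason)
}
```

The first client completes the handshake and would happily send its login to the hotspot; the second aborts with an unknown-authority error before any application data is sent. When auditing an app, the thing to look for is whatever plays the role of InsecureSkipVerify here: any code path that lets the connection proceed without the certificate chain and the host name being checked.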
hack Stories March 18, 2015
Black-box device can brute-force iOS 8.1 PINs, bypassing the repeated-attempt lockout and data wipe
Security company MDSec has been testing a black-box device that gains access to iPhones running iOS 8.1 and earlier by brute-forcing the passcode over a USB connection that simulates keypad entry. Normally, trying every possible 4-digit PIN is blocked by the escalating lockout after repeated wrong attempts and, if the owner has turned on Erase Data, by a wipe after ten incorrect attempts, but the IP Box bypasses this.
The IP Box does so by connecting directly to the iPhone's power source and cutting the power immediately after each failed PIN attempt, before the incremented failure counter has been written to flash memory.
After each attempt it measures the light level of the screen to see whether the home screen appeared; if not, it restarts the phone fast enough that the PIN counter is never updated, so the next attempt starts from the same count as the last.
It's not a very practical attack in the real world. Rebooting the phone after every attempt costs roughly 40 seconds per PIN, so testing all 10,000 four-digit PINs would take around 111 hours, and on average the right one turns up after around 55 hours. You need physical possession of the phone for those 55 hours and must keep it off every network the whole time, otherwise the owner can wipe it remotely with Find My iPhone. But it's an interesting proof of concept.
Apple appears to have fixed the vulnerability in iOS 8.1.1: companies selling the kit note that it does not work against that version of iOS.
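The following is an added model in Go, constructed for this page rather than taken from MDSec or Apple, of why the order of operations matters. The Device type keeps its failed-attempt counter in "flash", the attacker cuts power the instant a guess is rejected, and the same brute-force loop is run against firmware that compares first and persists afterwards (the behaviour described above) and against firmware that persists the attempt before comparing. Whether Apple's 8.1.1 fix works this way is not stated on this page; persist-first is simply the standard mitigation for this class of race.

```go
package main

import (
	"errors"
	"fmt"
)

// Budget of failed attempts before the phone erases itself (the page's figure).
const maxFails = 10

var (
	ErrWiped    = errors.New("too many failures: device erased")
	ErrPowerCut = errors.New("power cut: rebooted before the result was persisted")
)

// Device is a constructed model of the passcode check, not Apple's code.
type Device struct {
	pin                  string
	flashFails           int  // the only state that survives a power cut
	wiped                bool
	persistBeforeCompare bool // firmware variant: charge the attempt before looking at the guess
	attackerCutsPower    bool // the IP Box yanks power the instant a guess is rejected
}

func NewDevice(pin string, persistBeforeCompare, attackerCutsPower bool) *Device {
	return &Device{pin: pin, persistBeforeCompare: persistBeforeCompare, attackerCutsPower: attackerCutsPower}
}

// Unlock processes one passcode entry and reports whether the home screen
// appeared, which is what the box's light sensor watches for.
func (d *Device) Unlock(guess string) (bool, error) {
	if d.wiped {
		return false, ErrWiped
	}
	if d.flashFails >= maxFails { // budget already spent on earlier boots
		d.wiped = true
		return false, ErrWiped
	}
	if d.persistBeforeCompare {
		d.flashFails++ // fixed ordering: the failure is on flash before the compare
	}
	if guess == d.pin {
		d.flashFails = 0
		return true, nil
	}
	if d.attackerCutsPower {
		// Vulnerable ordering: the rejection is already visible on screen, but
		// the flashFails++ below has not happened yet, so a reboot forgets it.
		return false, ErrPowerCut
	}
	if !d.persistBeforeCompare {
		d.flashFails++
	}
	return false, nil
}

// BruteForce runs the IP Box strategy: walk 0000..9999 and let the device
// reboot after every miss. It returns the recovered PIN (empty if the device
// wiped first) and how many entries were made.
func BruteForce(d *Device) (string, int) {
	for i := 0; i < 10000; i++ {
		guess := fmt.Sprintf("%04d", i)
		ok, err := d.Unlock(guess)
		if ok {
			return guess, i + 1
		}
		if errors.Is(err, ErrWiped) {
			return "", i + 1
		}
	}
	return "", 10000
}

func main() {
	pin, n := BruteForce(NewDevice("4321", false, true))
	fmt.Printf("compare-then-persist firmware: recovered %q after %d entries\n", pin, n)
	pin, n = BruteForce(NewDevice("4321", true, true))
	fmt.Printf("persist-then-compare firmware: recovered %q after %d entries\n", pin, n)
}
```

Against the compare-then-persist firmware the counter never leaves zero and the loop walks straight to the PIN; against the persist-first firmware the eleventh entry wipes the device, exactly as it would without the power trick. The general lesson is that any counter meant to bound an attacker's attempts has to be committed to non-volatile storage before the check whose outcome the attacker can observe.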
Although this isn't something to lose sleep over, it's still good practice to use a longer or alphanumeric passcode rather than a four-digit PIN: every extra digit multiplies the number of guesses an attacker like this has to make by ten, and letters push it far beyond what a 40-second-per-attempt device could ever finish. It's not a great hardship on a recent iPhone, where you'll be using Touch ID most of the time. Just go into Settings > Touch ID & Passcode and slide off the Simple Passcode switch.
hack Stories March 4, 2015
Cryptographers have discovered that a security flaw dating back to 1990s US export controls on strong cryptography places OS X, iOS and Android users at risk of attack when visiting some major websites, including American Express, Airtel, Bloomberg, Business Insider, Groupon, Marriott and many more.
The FREAK attack lets a man-in-the-middle force a client and a website into the deliberately weakened "export-grade" RSA cipher suites for an HTTPS connection, whose 512-bit keys can be factored in a few hours using a small cluster of around 75 machines. With the key factored, the attacker can decrypt and tamper with traffic between the site and its visitors, stealing logins and personal data, and potentially use that position to attack the site itself.
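As an added example, written for this page and not taken from the FREAK researchers or any published scanner, the following Go code shows the probe a FREAK check sends and how the answer is read: a TLS 1.0 ClientHello that offers nothing but the export-grade suites listed in RFC 2246, and a parser for the ServerHello or alert that comes back. A server that answers the export-only offer with a ServerHello is one a man-in-the-middle can downgrade. The two sample responses are constructed for the example, not captured traffic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Export-grade suite IDs from RFC 2246, appendix A.5: the 40-bit and
// 512-bit-RSA suites a FREAK man-in-the-middle steers a handshake towards.
var exportSuites = map[uint16]string{
	0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
	0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
	0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
	0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
	0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
	0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
	0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
	0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
	0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

// ExportSuiteName returns the suite's name and true if id is export-grade.
func ExportSuiteName(id uint16) (string, bool) {
	name, ok := exportSuites[id]
	return name, ok
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// handshakeRecord wraps a handshake body in a Handshake header and a TLS 1.0 record.
func handshakeRecord(msgType byte, body []byte) []byte {
	hs := append([]byte{msgType, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(put16([]byte{0x16, 0x03, 0x01}, uint16(len(hs))), hs...)
}

// BuildProbe builds a ClientHello offering only the export suites, which is the
// question a FREAK scanner asks; a correctly configured server answers with an alert.
func BuildProbe(random [32]byte) []byte {
	body := []byte{0x03, 0x01} // client_version: TLS 1.0
	body = append(body, random[:]...)
	body = append(body, 0x00) // empty session_id
	body = put16(body, uint16(2*len(exportSuites)))
	for id := uint16(0); id < 0x0020; id++ { // ascending order, independent of map iteration
		if _, ok := exportSuites[id]; ok {
			body = put16(body, id)
		}
	}
	body = append(body, 0x01, 0x00) // compression_methods: null only; no extensions
	return handshakeRecord(0x01, body)
}

// NegotiatedSuite parses the server's answer and returns the suite it chose.
// Alerts and malformed input are reported as errors rather than guessed at.
func NegotiatedSuite(rec []byte) (uint16, error) {
	if len(rec) < 5 {
		return 0, errors.New("short record")
	}
	switch rec[0] {
	case 0x15:
		return 0, errors.New("alert: server refused the export-only offer")
	case 0x16:
	default:
		return 0, fmt.Errorf("unexpected record type 0x%02x", rec[0])
	}
	n := int(binary.BigEndian.Uint16(rec[3:5]))
	if n < 4 || len(rec) < 5+n {
		return 0, errors.New("truncated record")
	}
	hs := rec[5 : 5+n]
	if hs[0] != 0x02 {
		return 0, errors.New("not a ServerHello")
	}
	body := hs[4:]
	if len(body) < 35 { // version(2) + random(32) + session_id length(1)
		return 0, errors.New("truncated ServerHello")
	}
	off := 35 + int(body[34])
	if len(body) < off+2 {
		return 0, errors.New("truncated ServerHello")
	}
	return binary.BigEndian.Uint16(body[off : off+2]), nil
}

// Verdict summarises a probe response the way a scanner report would.
func Verdict(resp []byte) string {
	id, err := NegotiatedSuite(resp)
	if err != nil {
		return "not vulnerable: " + err.Error()
	}
	if name, ok := ExportSuiteName(id); ok {
		return fmt.Sprintf("VULNERABLE: server accepted %s (0x%04x)", name, id)
	}
	return fmt.Sprintf("server chose non-export suite 0x%04x", id)
}

// sampleServerHello is a constructed answer from a downgrade-tolerant server
// picking the given suite (zero server random, empty session id).
func sampleServerHello(suite uint16) []byte {
	body := []byte{0x03, 0x01}
	body = append(body, make([]byte, 32)...)
	body = append(body, 0x00)
	body = put16(body, suite)
	body = append(body, 0x00) // null compression
	return handshakeRecord(0x02, body)
}

// sampleAlert is a constructed fatal handshake_failure alert, the right answer.
var sampleAlert = []byte{0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28}

func main() {
	var r [32]byte
	probe := BuildProbe(r)
	fmt.Printf("probe ClientHello: %d bytes, %d export suites offered\n", len(probe), len(exportSuites))
	fmt.Println(Verdict(sampleServerHello(0x0008)))
	fmt.Println(Verdict(sampleAlert))
}
```

To use the probe for real, write it to a TCP connection on port 443 and feed the first record that comes back to Verdict. The ClientHello carries no extensions, so a server that insists on SNI would need the server_name extension appended before it answers at all; the parser does not change.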
hack Stories February 22, 2015
Developer hacks Android Wear to show iPhone notifications (Video)
Android Wear is great, but if you’re an iOS user, it looks like the Apple Watch is going to be your only option for a while. Google has yet to make any of Android Wear’s functionality compatible with Apple’s operating system, and it doesn’t look like they plan to do so any time soon. But that’s not stopping one developer, Mohammad Abu-Garbeyyeh, from hacking Android Wear to at least support notifications from iOS devices.