Oracle pulls Java 6 plug, but Apple likely to keep patching OS X Snow Leopard
Apple on Monday patched Java 6 for OS X, following Oracle's lead and quashing a browser plug-in vulnerability that hackers have been exploiting.
Oracle issued the "out-of-band," or emergency, update for Java 6 and Java 7 to patch two critical vulnerabilities. One of those bugs -- designated CVE-2013-1493 -- has been exploited in the wild since at least Feb. 28, according to security firm FireEye, which discovered the attacks.
Because Apple maintains Java 6 for OS X -- unlike Java 7, which Oracle handles -- it followed with its own update, as usual. Read more...
Many companies likely affected by hack of popular iOS developer forum
The administrators of a popular iOS developer Web forum called iPhoneDevSDK confirmed Wednesday that it had been compromised by hackers who used it to launch attacks against its users. Security experts believe the site served as a gateway for the recent attacks against Twitter, Facebook, and Apple employees and that many other companies might be affected as well.
At the beginning of February, Twitter announced that it had been the target of an attack and that hackers might have accessed authentication data on 250,000 users.
"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Twitter said at the time. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked." Read more...
Hackers leak 1 million Apple UDIDs allegedly stolen from FBI laptop
A group of hackers released a file containing unique identification data for over 1 million Apple iOS devices and claim that the information is part of a larger database stolen from the compromised laptop of an FBI agent.
"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability in Java," the hackers, who claimed affiliation to Anonymous and its Operation Antisec campaign, said Monday in a statement published on Pastebin. Read more...
Macs at risk from ‘super dangerous’ Java zero-day
Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.
The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.
David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.
"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post. Read more...
Scary Apple, Twitter account hacks: How to protect your accounts
Wonder what it's like to have malicious hackers get into every corner of your digital life -- not only your Twitter account, broadcasting embarrassing tweets in your name, but also seizing control of your Apple account and remote wiping your laptop, tablet and phone? Tech journalist Mat Honan outlined in chilling detail how his digital life was hijacked, from racist tweets being sent from his account to losing 18 months of photos he hadn't backed up.
What's especially scary is that the attack didn't require any virus or other devious software; it was all social engineering. Honan managed to make contact with one of the attackers; and in return for not pressing charges, found out how it was done:
1) Hackers scouted out his Twitter account -- they liked the short 3-letter handle -- which linked to Honan's personal Web site. There, they found his Gmail address.
2) Hacker guessed that the Gmail address was also linked to his Twitter account.
3) Hacker went to Google "lost my password" page, entered Honan's email address and saw a partially obscured alternate email address: m••••n@me.com. Read more...
Over 450,000 emails and passwords allegedly stolen from Yahoo
A group of hackers on Thursday published a list of over 453,000 log-in credentials on the Internet that were allegedly stolen from a database associated with an unnamed Yahoo service.
The group of hackers calls itself "the D33Ds Company" and claims to have hacked into the database by exploiting an SQL injection vulnerability found on a Yahoo subdomain.
"The subdomain and vulnerable parameters have not been posted to avoid further damage," the hackers said in their release notes.
The leaked information includes MySQL server variables, names of database tables and columns, as well as a list of 453,492 email addresses and passwords in plain text.
The exposed log-in credentials don't only include yahoo.com email addresses, but also email addresses from other public and non-public email providers. Read more...
Finalists in Microsoft’s $250K contest take on ‘most-pressing’ exploit tactic
Microsoft yesterday announced that each of the three finalists in its $250,000 BlueHat Prize security contest came up with ways to detect and stymie one of the most effective exploit methods now being used by hackers.
The three finalists -- two from the U.S., the other from Croatia -- took different tacks to block return-oriented programming, or ROP, a technique often used to sidestep DEP, or data execution prevention, one of Windows' primary anti-exploit technologies.
"It's an obvious reflection on the most pressing attack vector hitting systems right now," said Andrew Storms, director of security operations at nCircle Security, commenting on the fact that the ROP technique was the subject of each of the finalists' entries. Read more...
British hackers get jail terms
Two separate and very different cases in the UK saw hackers receive jail terms of twelve and eighteen months. In one case a 21-year-old British man, Gareth Crosskey of West Sussex, pleaded guilty to hacking into a US citizen's Facebook account and gaining access to that person's email account in January 2011. The Metropolitan Police Service's Police Central e-Crime Unit (PCeU) was informed of the breach via the FBI and arrested Crosskey in July 2011 under the Computer Misuse Act. The PCeU says that "By taking swift action" it was "able to quickly detain Crosskey thereby preventing further disruption to the victim", and says it hopes the prosecution acts as a deterrent. Read more...
Iran admits expanded cyberattacks, claims it’s identified hackers
The Iranian government acknowledged today that authorities have found evidence of recent cyberattacks against several agencies, according to reports by state-sponsored media outlets.
A week ago, the country's oil ministry confirmed that it and other facilities in the energy industry had been targeted by malware attacks.
Today, the Mehr News Agency said that Esmaeil Ahmadi-Moqaddam, Iran's national police chief, had claimed that his office has "found clues about recent cyberattacks on a number of Iranian ministries and companies."
Mehr is a semi-official arm of the Iranian government. Read more...
Hacker leaks source code of old VMware software
EMC subsidiary VMware has acknowledged that a hacker has released some of the company's source code. The currently accessible code includes a file containing C macros for generating code on x86 platforms and a lightly documented Perl script that could be relevant for the processing of object code. VMware said that the files date back to 2003 and 2004 and are part of the ESX hypervisor, which has since been superseded by ESXi.
A post on the threatpost blog, run by security firm Kaspersky, shows a copy of an email which is nine years old and contains the subject line "code review: untruncating segments". The article continues by saying that a hacker who goes by the name of "Hardcore Charlie" downloaded 300MB of VMware sources. Read more...
Iran confirms cyberattacks against oil facilities
Iran's oil ministry today confirmed that it was the target of malware attacks over the weekend, adding to reports by state-run media that the country's oil industry was hit by hackers.
The Mehr News Agency, which is a semi-official arm of the Iranian government, reported Monday that the country's principal oil terminal on Kharg Island was disconnected from the Internet as part of the response to the attacks. Email systems associated with the targets were also pulled offline.
Kharg Island, which is in the Persian Gulf off the western coast of Iran, handles the bulk of the country's oil exports. Read more...
Hackers claim attack on UK Home Office website
Britain's Home Office confirmed Sunday that its website was attacked overnight after hackers claimed responsibility for shutting it down.
The hackers also claim they attacked the Justice Ministry website and warned of further attacks every Saturday on U.K. government websites.
The alleged hackers — who claim ties to Anonymous, the hacker collective — said on Twitter they launched Saturday's denial-of-service attacks and brought down the websites to protest "proposed draconian surveillance measures," Britain's extradition policies and "derogation of civil liberties." Read more...
Microsoft blames security info-sharing program for attack code leak
Microsoft on Friday confirmed that sample attack code created by the company had likely leaked to hackers from a program it runs with antivirus vendors.
"Details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protection Program (MAPP) partners," Yunsun Wee, a director with Microsoft's Trustworthy Computing group, said in a statement posted on the company's site.
"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Wee added. Read more...
Experts sound worm alarm for critical Windows bug
Microsoft today released six security updates that patched seven vulnerabilities, including a critical Windows bug that hackers will certainly try to exploit with a network worm, according to researchers.
"This is a pre-authentication, remote code bug," said Andrew Storms, director of security operations at nCircle Security, referring to MS12-020, the one critical bulletin today and the update that he, other researchers and even Microsoft urged users to patch as soon as possible.
"It will allow network execution without any authentication, and has all the ingredients for a class worm," said Storms.
"I'm particularly spooked by this one," said Jason Miller, manager of research and development at VMware. "Hackers want [vulnerabilities] that don't require authentication and are in a part of Windows that's widely used. I guarantee that attackers are going to look at this closely." Read more...
Hacker on hacker: Zeus bot master dupes Anonymous backers into installing password stealer
Hackers have duped supporters of the Anonymous group into installing the Zeus botnet, which steals confidential information from PCs, including banking usernames and passwords, security researchers said last week.
According to Symantec, someone modified a link to a popular distributed denial-of-service (DDoS) attack tool to direct users to a Zeus bot Trojan instead.
The replacement of a Zeus client for the "Slowloris" DDoS tool took place on the day after Anonymous launched strikes against websites operated by the U.S. Department of Justice, the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), and others in retaliation for the arrest of four men associated with the popular Megaupload "cyberlocker" site on charges of copyright infringement, money laundering and racketeering. Read more...