WordPress.com Servers Hacked; Data/Code Compromised

Earlier today, WordPress.com had a low-level (root) access break-in on several of their servers which hosted WordPress.com websites. According, to a note posted on the WordPress blog, some user data on those servers might have been revealed.

WordPress Logo

In the post, the founder of WordPress; Matt Mullenweg said that the extent of data breach is not known yet, but they are actively investigating the logs to determine the extent of the breach.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

Matt did not clearly mention whether user data was compromised, however, he did post suggestions on creating secure passwords (Read our guide on creating secure passwords, creating strong passwords to avoid getting hacked or unique tools to create secure passwords). As an advice, just make sure to changed your WordPress.com password though.

The WordPress developers have already patched the problem, however, the damage might already have been done. We’ll keep you updated with further information on this.

The Tor Network is Flawed

The 27th Chaos Communication Congress (27C3) has found a rather important flaw in the Tor anonymity network. The Tor (short for The Onion Router) has long been a faithful companion of whistleblowers, hackers and other people for whom anonymity on their network is of prime importance. In its simplest form the Tor network consists of a large number of volunteer nodes that know only the location of the next node in a large routing queue. The data is encrypted from your computer and sent to the first node, from which it is sent to the next in the queue and eventually to the server you want to information from, and then the data is sent back in a similar fashion. Thus, if someone is trying to spy on your web browsing habits, they will essentially be sent for a toss as they will never know where the data is exactly being sent to.

Tor

However, security researchers at the 27C3 have shown that, with a carefully executed attack, the surfer’s browsing habits can be revealed. If the attacker is on the same local network (such as the same Wi-Fi network or ISP regime) then they can coax out the path of the Tor routing process and can eventually find out the main server that the surfer is accessing.

The process requires a bit of preparation and has a sequence of steps attached to it:-

  1. The attacker will have to know a series of sites that the target is known to visit, either through network logs gained before the target used Tor, or by other surveillance means.
  2. Next, the attacker will run Tor on their own system for the potential sites, seeing how Tor routes the net and developing a fingerprint-like profile for the target’s Tor routing.
  3. When the target next goes online, the attacker can use the packet streams captured on the local network (thus it is imperative that the attacker be on the same network) and associate the data streams with the fingerprint using a pattern matching technology (akin to Bioinformatics applications).

Dominik Herrmann, a PhD student at Regensburg said that this pattern matching would only provide 55 to 60% chances of a correct guess which is not enough as a legal evidence, but enough for privacy paranoid people to be edgy.

Solving this issue might be a little difficult for the Tor project, but only time will tell how much they can solve.

[via Ars Technica]

The Sony PlayStation 3 Finally Hacked

The Chaos Communication Congress is an international hacker conference organized every year by the Chaos Computer Club of Germany. Every year, hacker teams and security analysts discuss the latest vulnerabilities, exploits and security enhancements for a variety of devices and networks. The 27th Congress, (27C3) dubbed We Come in Peacehas been going on in full flow and has attracted the best minds in the field of computer security.

One of the biggest announcements came today from the hacker group fail 0verflowwho, in effect, have completely taken control of the unhackable(until a few months ago) Sony PlayStation 3.   While many alternatives exist to hack the PS3, the hackers at the conference dropped a bomb on Sony by showing how botched up the security detail on the PS3 actually is and how anyone can exploit this vulnerability with ease.

The Specifics: Apparently the randomnumber used to create every private key on the system is actually a constant number on all retail PS3s. In coding, random numbers are usually seededfor the random number generation algorith, i.e. the origin of any random value can be anything from the current time and date to the position of the mouse pointer in the X and Y coordinate system. Thus, it is well nigh impossible to calculate any randomly generated number simply because of its chaotic origin. However the (rather hippy) fail 0verflow hacker showed that, through complex math, the private key can be calculated from the static number.

What this means: The most promising consequence is dongle-less jailbreaking, similar to the PSP’s homebrew enabling software, as a coding exploit can utilize this piece of information and give the use complete control of the console.

What the future holds: Fail 0verflow have said that their primary goal is to make all PS3s run Linux. While the legacy (80GB) PS3s had this functionality, it was since withdrawn by Sony. Fail 0verflow have said that their project in no way involves piracy. Nevertheless, it is very likely that their exploit will be used for pirating games eventually. Since this breach of security is huge and so intricately lined with the innards of the PS3 firmware, it will be difficult for Sony to patch this up.

The three video presentations by fail 0verflow are embedded below.

[via PSGroove]

Facebook and Twitter are Easy to Hack on Public Wifi

Have you ever used your Facebook or Twitter accounts on a public wifi? The next time you do, you’d better be prepared. It’s now easier than ever to hack into online accounts on unsecured wifi networks. I found out by reading an article recommended by Linda Lawrey.

How is this possible?

firesheep-logoThere’s a new Firefox addon called FireSheep. This new addon makes it very easy to hack into many online services, such as Facebook and Twitter. However, it only works on unsecured networks, like most public wifi hotspots. It can also be defeated by using other methods that I’ll mention below.

Here’s a quick video showing how easy it is to capture accounts using Firesheep.

Wifi Safety Tips:

I don’t think you need to take the video’s advice and stop using public wifi. You just need to be more aware of the danger. If you always use HTTPS (Secure logins) when you sign onto a website, you’ll be able to defeat the majority of attacks like these. Look for a lock in your web browser’s address bar before you login.

https.facebook.login.chrome

Below are links to plugins for Firefox and Chrome that can help you stay secured while surfing.

Firefox browser

arrow-down-double-3 Force-TLS or HTTPS Everywhere

Google Chrome browser

arrow-down-double-3 KB SSL enforcer

Conclusion:

Be careful when using public or unsecured wifi hotspots. Always use HTTPS whenever possible. Another good method is to use VPN tunneling. There are some good tips from Ask-Leo for staying safe on public wifi.

Thinking about hacking in Starcraft 2? Think Again. Blizzard files lawsuit against hackers.

You don’t mess with Blizzard. Earlier this month, about five thousand Starcraft 2 cheaters players were handed permanent bans from Battle.net because they were found using hacks to cheat through the game. Battle.net said over 5,000 StarCraft 2 players who were in violation of the Battle.net Terms of Use for cheating and/or using hack programs while playing.WoW-ie (pardon the pun here).

blizzard

Now, Blizzard took it one step further by actually filing a lawsuit against the developers of the hack. Three hackers from the Los Angeles district were accused of copyright infringement:-

Just days after the release of Starcraft II, Defendants already had developed, marketed, and distributed to the public a variety of hacks and cheats designed to modify (and in fact destroy) the Starcraft II online game experience. In fact, on the very day that Starcraft II was released, representatives of the hacks Web site advised members of the public that our staff is already planning new releases for this game’

When users of the Hacks download, install, and use the Hacks, they copy StarCraft II copyrighted content into their computer’s RAM in excess of the scope of their limited license, as set forth in the EULA and ToU, and create derivative works of StarCraft II

Not only is Blizzard accusing them of infringement, it’s also demanding payment for damages caused. Ouch, hackers.

Google Nexus One Gets 720p HD Video Recording Capability!

Rejoice HTC-made-Google-branded Nexus One owners! Now you can record 720p HD videos on your Nexus One! This is not an official Google release though! The modding community has been working hard on bringing 720p HDclip_image001 video recording to the Nexus one, and they have been finally met with success.

The modder who made this possible is Cyanogen and charnsingh_online. Earlier, it was Cyanogen who had brought Wi-Fi n support to the Nexus One with his CyanogenMod. Users who want 720p HD videos recording capability must use the CyanogenMod firmware on their device.   Modder charnsingh_onlinehas made a patch, which enables HD video recording capability on the Nexus One. The only requirement to get the HD video recording capability on your handset is to use the latest CM4.0.8test3 CyanogenMod on your Nexus One.

Sadly, this patch does not work with the latest Android version Froyo. It is expected that with future updates – Froyo support, higher fps, and better audio quality will be made possible.

Here is the download link to the patch. You can also find some videos shot from the Nexus One at 720p HD resolution here.

(Source)

Hackers Breached Into 2,500 Companies and 10 US Govt Agencies

The hacking attack issue Google mentioned around a month ago has taken a much more serious turn. Wall Street Journal reports that the attack is much wider and has probably affected computers at 2,500 corporations and 10 US government agencies. At least two large companies that had been infiltrated are Merck and Cardinal Health, even though they claim to have isolated the incident.

The far reaching effects of this attack came in to notice when an employee of NetWitness –a cyber security firm– tried to install protective software on a client’s machine. The attack apparently started by enticing company employees to click on false anti-virus advertisement. Hackers used that information to get into corporate databases and in one case might even have gotten in to a soldier’s military email account. NetWitness –still closely involved in the investigations– says the full implication of the attack has still not been estimated.

The global attack started back in 2008 from a command center in Germany and has been operated from Europe and China. Some accounts state that nearly 75,000 computers in 196 countries have been effected. There is also speculation that an eastern European criminal group is behind the attack and a commonly used spyware called ZeuS was used to initially infect the computers. A full fledged investigation has been launched by the FBI to look into the matter.