Over a Million Apple Device UDIDs Leaked by Hackers as Part of AntiSec

Back in August this year, NSA General Keith Alexander addressed the DefCon crowd for the first time and called upon hackers to join the NSA and help strengthen America's cyber-security infrastructure. When asked whether the government keeps profiles of Americans and spies on them, however, he went into the usual denial mode. William Binney, a former Technical Director at the NSA who was also present at DefCon, maintained that this spying was indeed happening and that it is the reason he left the NSA back in 2001.


Now, hacker groups have gotten hold of clear proof that the FBI is spying on people. They have released a huge announcement as part of the #AntiSec movement, and the FBI has been trumped. The Pastebin announcement contains a long rant and a list of doxes that were obtained from the FBI laptop.

“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from the FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability in Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name “NCFTA_iOS_devices_intel.csv”, turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, names of devices, types of devices, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal-details fields referring to people appear many times empty, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose.”

The hack is so popular that it has become the most visited Pastebin paste ever, within 24 hours. However, it also raises questions. What is the FBI doing with 12 million Apple UDIDs? Why is the data lying on a laptop, unencrypted? There are too many unanswered questions here. Apple and the FBI should come out with a response.

Update: The FBI denied possessing any such file.

Another day, Another Java Vulnerability Discovered!

So you have read about the recent vulnerabilities discovered in Java that attackers used to spread malware? Have you installed the latest out-of-band update that Oracle released in order to close those vulnerabilities? Think it’s time to move on to other stories? Well, think again.

Computer World is reporting that another serious vulnerability in the latest update has been discovered that could allow an attacker to escape the Java security sandbox and run arbitrary code on your system. The vulnerability was discovered by a Polish security firm called Security Explorations and has been reported to Oracle, according to their CEO, Adam Gowdiak. He has also stated that they will not be releasing any technical details on the vulnerability until Oracle issues a fix.

In an email to IDG News Service, he states,

“Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again,” Gowdiak said. “A new idea came, it was verified and it turned out that this was it.”

Oracle hasn’t hinted whether it will release an out-of-band update like the previous one or just include the patch in the scheduled October update. With vulnerabilities being discovered at such a fast pace, it might be time for Oracle to reconsider its four-month update cycle. The longer these vulnerabilities stay unfixed, the greater the chance that they are used to attack users, leaving users at greater risk.

At this moment, the best option for you is to disable Java if you don’t really use it. Alternatively, you can disable Java in your primary browser and use a secondary browser only for web apps that require Java (if you absolutely need to use those web apps and are sure that they are not rogue), so that you don’t wander into compromised websites that make use of Java vulnerabilities.

First Cross Platform Trojan Affecting Linux and Mac OS X Revealed

Russian security firm Dr.Web has identified a new Trojan named BackDoor.Wirenet.1 which runs on both Linux as well as Mac OS X. This is the first ever cross platform Trojan that has been discovered to affect both of the aforementioned operating systems.

At the moment, not much information is available on this malware. But research is ongoing, and the Trojan is said to steal passwords from all of the popular browsers such as Safari, Chrome, Opera and Chromium. It also steals passwords from applications such as Thunderbird, SeaMonkey and Pidgin.

According to Dr.Web, when executed, the Trojan copies itself to the user’s home directory – that is %home%/WIFIADAPT.app.app on Mac OS X and ~/WIFIADAPT on Linux.

Cross platform Trojans are not rare. Trojans that affect Windows and Macs have been identified in the past. A recently discovered Trojan used to check which operating system the affected user was running and downloaded the payload accordingly. Another one, discovered in May, used an unpatched Java vulnerability to open backdoors on Windows and Mac. But as I mentioned before, this is the first time that a cross platform Trojan affecting Mac and Linux has been discovered. We will be updating this article as more details are released.

Via : Hacker News

Critical Zero Day Java Vulnerability Wreaking Havoc

A critical zero-day vulnerability in Java has caused worldwide panic and unrest. The flaw is being exploited in the wild, and there is an array of available code for this exploit. Metasploit was the first to provide a proof-of-concept that works on a variety of browsers. The vulnerability is still unpatched, and although there are no reported criminal cases yet, there is no guarantee that it is not happening already. The safest way to go is to disable the Java plugin in your browser until Oracle releases a fix for the vulnerability.

This security hole affects all Java versions under the 7.X branch. It works across all browsers, including Google Chrome, touted as unbreakable and secure. Apparently, Google Chrome’s sandbox runs only Adobe Flash sandboxed by default; the Java plugin is not part of the Chrome sandbox. Java is platform independent, and this exploit rides on that fact, spreading to all popular platforms (Windows, Linux and Mac) with little effort. The most dangerous fact, though, is that the vulnerability lets malicious code disable the Java Security Manager altogether.

The exploit has been successful in installing a variant of the Poison Ivy trojan. It is originating from servers in China and Oracle has not yet released any statement on fixing this exploit. The NakedSecurity blog at Sophos writes,

In his conversation with the Blackhole author Krebs was told that exploits like this could go for $100,000 on the black market. That shows how effective attacks using this type of vulnerability can be.

Security experts are working on an unofficial patch for this vulnerability, as Oracle has the next scheduled Java update on 16 October.


FBI Arrests 24 Cyber Criminals in an International Cyber Crime Takedown

The FBI has released details of an international operation directed at curbing card crimes. The operation, which is said to be the largest aimed at curbing card crimes, led to the arrest of 24 individuals in 13 countries, 11 of whom are from the US.

Carding crimes include stealing of personal information such as credit card details, social security numbers, bank account details etc. and using them or selling them in order to make money.

The operation was the result of a two-year undercover operation led by the FBI. Of the 13 arrested outside the US, 6 are from the United Kingdom, 2 from Bosnia and 1 each from Bulgaria, Norway, Germany, Italy and Japan.

Preet Bharara, Manhattan Attorney explained the crime in a press release,

“The allegations unsealed today chronicle a breath-taking spectrum of cyber schemes and scams. As described in the charging documents, individuals sold credit cards by the thousands and took the private information of untold numbers of people. As alleged, the defendants casually offered every stripe of malware and virus to fellow fraudsters, even including software enabling cyber voyeurs to hijack an unsuspecting consumer’s personal computer camera. To expose and prosecute individuals like the alleged cyber criminals charged today will continue to require exactly the kind of coordinated response and international cooperation that made today’s arrests possible.”

Janice K. Fedarcyk, FBI Assistant Director in Charge, also commented on the operation as follows,

“From New York to Norway and Japan to Australia, Operation Card Shop targeted sophisticated, highly organized cyber criminals involved in buying and selling stolen identities, exploited credit cards, counterfeit documents, and sophisticated hacking tools. Spanning four continents, the two-year undercover FBI investigation is the latest example of our commitment to rooting out rampant criminal behavior on the Internet.”

The FBI also conducted more than 30 searches and interviews as part of the operation. The case is currently handled by the Complex Frauds Unit.

Blizzard Addresses Diablo III Account Hack Complaints

It’s not been a good launch week for Blizzard’s newest game, Diablo III. First, the servers melted completely under the onslaught of users trying to release 12 years’ worth of click-click-clicking. Then there was a game-breaking bug involving the Demon Hunter and Templar early on in the game, which left many users kicked out of the game and unable to enter. Then there were problems with the game not recognizing quest trigger points, leaving users (including me) losing achievements.

The latest egg on the face may well be the most serious one – Blizzard forums are full of complaints from users about their accounts being hacked into and their items and loot being stolen. Rock Paper Shotgun mentions that Eurogamer’s Christian Donlan had first-hand experience of this hack. The cause is not very clear, but some speculation on Reddit suggests that Battle.net sessions are being hijacked, giving the hacker full control of the accounts.


Even though Blizzard had two-factor authentication for Battle.net logins, reports around the forums suggest that even people with two-factor authentication enabled have had their accounts broken into. I took a quick glance into my account this morning and thankfully, as of now, there has been no break-in.

Bashiok makes it clear that there have been no session-hijacking exploits that are in the wild:

We’ve been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person’s account was not compromised through traditional means of someone else logging into their account through the use of their password.

Though that still doesn’t explain how people with two-factor authentication have had their accounts accessed. Another speculation is that two-factor authentication was enabled only after the break-in.

Blizzard’s response has been fairly generic, attributing the compromises to the new game release. Quoting Lylirra, the community manager:

Historically, the release of a new game — such as a World of Warcraft® expansion — will result in an increase in reports of individual account compromises, and that’s exactly what we’re seeing now with Diablo III. We know how frustrating it can be to become the victim of account theft, and as always, we’re dedicated to doing everything we can to help our players keep their Battle.net accounts safe — and we appreciate everyone who’s doing their part to help protect their accounts as well.

We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them. In addition, we also recently introduced a new service called Battle.net SMS Protect, which allows you to use your text-enabled cell phone to unlock a locked Battle.net account, recover your account name, approve a password reset, or remove a lost Authenticator. Optionally, you can set up the Battle.net SMS Protect system to send you a text message whenever unusual activity is detected on your account, keeping you aware of important (and possibly unwanted) changes.

For more information on the Authenticator, visit http://us.battle.net/support/en/article/battle-net-authenticator-faq

For more on the Battle.net Mobile Authenticator, visit http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq

For more on Battle.net SMS Protect, visit http://us.battle.net/support/en/article/battlenet-sms-protect

Blizzard also mentioned that users may be prompted with additional security questions if they are logging in from a previously unknown location.

We also have other measures built into Battle.net to help protect players. Occasionally, when Battle.net detects unusual login activity that differs from your normal behavior — such as logging in from an unfamiliar location — we may prompt you for additional information (such as the answer to one of your security questions) and/or require you to perform a password reset through the Battle.net website. World of Warcraft players might be familiar with this security method already, and Diablo III players may begin to encounter it as well.

Blizzard has asked the users to contact them via their “I’ve Been Hacked!” tool, if the user believes they have been a victim of an account compromise.

If you have had an account compromise in Diablo III, do leave a comment mentioning the details and the extent of losses.

[Updated] Anonymous Takes Down Congress and Supreme Court Website

UPDATE: A recent tweet by @opindia_revenge reveals that Anonymous has successfully managed to take down the Department of Telecom’s website – dot.gov.in

UPDATE: Looks like both the sites – supremecourtofindia.nic.in and aicc.org.in are back in action again! However, @opindia_revenge has tweeted with the following message:

Anonymous Takes Down Indian Govt. Websites

The Anonymous group has successfully taken down the website of the Supreme Court of India (supremecourtofindia.nic.in) and the official website of the All India Congress Committee (aicc.org.in). The reason is that the Indian Government is taking Internet censorship quite seriously, and has ordered most Indian ISPs to block websites including Vimeo, ThePirateBay, Pastebin, Dailymotion and many others.

Since yesterday, many users on Twitter were reporting that popular file sharing and torrent sites were blocked by major ISPs like Airtel, Reliance, MTNL and You Broadband ISP. Upon visiting the blocked sites, the following message is displayed – “Access to this site has been blocked as per Court Orders.”


Within hours, the government websites were taken down by Anonymous, an act of revenge, due to the very fact that the Indian Government had ordered ISPs to block ThePirateBay and other sites.


The first tweet came in from @opindia_revenge indicating that they’re going to “paralyze” the two websites. An hour later, a confirmation tweet followed stating – “We have successfully taken down our main enemy –>> http://dot.gov.in Department of telecom +1 for #opindia”

Although they mentioned that they had managed to take down the Department of Telecom’s website (dot.gov.in), at the time of writing this article the website was fully functional.

The government websites have reportedly been down since 17th May 2012, 15:30 IST.

Back in June 2011, Anonymous had successfully hacked the National Informatics Centre’s (NIC) websites over the action taken against Baba Ramdev’s anti-corruption campaign by the Delhi Police. They also managed to hack the Indian Army’s website, which was down for an hour or so.

In response to this, the Indian Twitter and Facebook account of Anonymous were suspended and all videos from its YouTube account were removed completely.

Adobe Hits Undo on TIFF Vulnerability Issue, Will Release Security Fix for CS5 After All

Until a few days ago, Adobe had decided not to fix one of its security vulnerabilities. Instead, it tried pushing the next release of its Creative Suite, CS6, as the solution to a critical security issue. This was wrong on multiple levels and downright unacceptable, and Adobe received a thumbs down for the decision. Finally seeing the wrong it has done, Adobe has now retracted its decision and announced that it is releasing a security fix for CS5 after all.

Adobe is notorious for security vulnerabilities in its products. For a company that is known for poor security and for releasing numerous fixes every few days, Adobe should take extra care when handling matters like these. Now that Adobe has come out in support of a security fix, it is being given the benefit of the doubt by The Verge.

The confusion seemingly came from the original wording of the Adobe product security bulletin, which stated, “Adobe Photoshop CS6 addresses these vulnerabilities” without mentioning that a security patch for older versions was being worked on.

However, the security fix is not a complete one. Adobe is supposed to support all versions of its Creative Suite, yet the fix is appearing only for CS5 for now. This means CS4, which is also a supported version, still remains vulnerable. This lax attitude from Adobe, at a time when hacks are the order of the day, is appalling.

Adobe Photoshop: Need a Security Fix? Upgrade to a Later Version and Don’t Forget to Pay for It!

Adobe recently posted a security bulletin for Adobe Photoshop addressing a security vulnerability in the handling of TIFF files. The vulnerability allows arbitrary code execution, giving a cracker system-wide control. It affects all versions of Photoshop prior to and including CS5, on both Windows and Mac.

The vulnerability is specified on Symantec’s Security Focus as:

Adobe Photoshop is prone to a use-after-free memory-corruption vulnerability.
Attackers may exploit this issue to execute arbitrary code in the context of the user running the affected application.
Adobe Photoshop CS5.1 (version 12.1) is vulnerable; other versions may also be affected.

The only solution, which in reality is a non-solution, is to update to Adobe Photoshop CS6 and, just in case you were wondering, no, it will not come for free if you already have CS5. With this shoddy decision, Adobe is creating a new trend in the world of security fixes, where a later paid version can be called a fix for an existing vulnerability in an earlier version. In a way, it will force users to upgrade, and while they are at it, Adobe will earn some free cash out of its own fault.

Adobe has released Adobe Photoshop CS6, which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Whenever we install software, we agree to an EULA. The same EULA statement has liability provisions as well, and now that Adobe is (probably) psych testing its users for this new liability based business model, someone might just go ahead and file a class action lawsuit in the coming days.

If you want to see this vulnerability in action, proof-of-concept apps are available at this page.

(Via: Slashdot)

WhatsApp Security Woes; Hardcoded AES Key Used For Message Storage

It seems security is still an issue with WhatsApp. Previously, it was a vulnerability that allowed users to remotely change status names on other accounts simply by entering the mobile phone number tied to their account.

The newest issue has to do with the message storage database that WhatsApp uses to keep a log of incoming and outgoing messages. While the SQLite database is stored in a directory that is only accessible by jailbreaking or rooting the device, and the database is encrypted using AES-192, it is unfortunately encrypted with a hard-coded, static key.

The entire contents of the database can be decrypted using the known key. The database, which is stored in /com.whatsapp/databases/msgstore.db on Android phones and ~/Documents/ChatStorage.sqlite on iOS devices, can be decrypted by supplying the key and asking openssl to turn the database back into plaintext:

openssl enc -d -aes-192-ecb -in msgstore-1.db.crypt -out msgstore.db.sqlite -K 346a23652a46392b4d73257c67317e352e3372482177652c

To make decryption easier, an online portal was created for doing the deed. Of course you’ll need a jailbroken or rooted device in order to get the encrypted database; then you can simply upload the file to http://www2.unsec.net/whatsapp/ and it will be decrypted.

Last time, it took WhatsApp just under a week to patch the hole. In order for them to fix this issue, an update to the client will be required, in order to add a new key – hopefully one that is generated using device-specific information or something the user can input to create a strong key, and then encrypt the database again.
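The following is an added example, not WhatsApp's code, sketching the fix proposed above: the hard-coded key is replaced by one derived from something the user knows plus device-specific information, and an integrity tag is added since ECB mode gives none. The device identifiers, salt and "encrypted database" bytes are constructed placeholders, and the AES step itself is left to openssl or a crypto library as on the page.

```python
import hashlib
import hmac

ENC_KEY_LEN = 24          # AES-192 key length, the cipher the article names
MAC_KEY_LEN = 32          # HMAC-SHA256 key length
PBKDF2_ITERATIONS = 100_000

# Constructed placeholder for the single key baked into every install; the
# real key appears in the openssl command on the page and is not repeated.
STATIC_KEY = b"\x00" * ENC_KEY_LEN


def static_key_scheme(device_id: str, user_secret: str, salt: bytes) -> bytes:
    """The weak scheme: inputs are ignored, every device gets the same key."""
    return STATIC_KEY


def device_bound_keys(device_id: str, user_secret: str, salt: bytes) -> tuple:
    """The proposed fix: PBKDF2-HMAC-SHA256 over a secret the user supplies,
    salted with a random per-install value and the device identifier.
    Returns (enc_key, mac_key); only `salt` is stored next to the database,
    so a copied database file is useless without the user's secret."""
    bound_salt = hashlib.sha256(
        b"msgstore-keys-v1|" + device_id.encode() + b"|" + salt).digest()
    material = hashlib.pbkdf2_hmac("sha256", user_secret.encode(), bound_salt,
                                   PBKDF2_ITERATIONS,
                                   dklen=ENC_KEY_LEN + MAC_KEY_LEN)
    return material[:ENC_KEY_LEN], material[ENC_KEY_LEN:]


def device_bound_key_scheme(device_id: str, user_secret: str, salt: bytes) -> bytes:
    """Encryption-key half of the fix, in the same shape as the weak scheme."""
    return device_bound_keys(device_id, user_secret, salt)[0]


def key_shared_across_devices(scheme, device_ids, user_secret, salt) -> bool:
    """Audit check: if distinct devices end up with the same key, one
    extracted copy of that key unlocks every user's database."""
    keys = {scheme(d, user_secret, salt) for d in device_ids}
    return len(keys) < len(device_ids)


def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so a modified database file is rejected
    before anyone tries to decrypt it (ECB alone offers no integrity)."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def unseal(mac_key: bytes, sealed: bytes):
    """Return the ciphertext if the tag verifies, otherwise None."""
    if len(sealed) < 32:
        return None
    ciphertext, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    # Constructed inputs: two devices, one user secret, one stored salt.
    salt, devices = bytes(range(16)), ["android-1234abcd", "ios-0000ffff"]
    print("static key shared:", key_shared_across_devices(static_key_scheme, devices, "pass", salt))
    print("derived key shared:", key_shared_across_devices(device_bound_key_scheme, devices, "pass", salt))
    _, mac_key = device_bound_keys(devices[0], "pass", salt)
    blob = seal(mac_key, b"\xde\xad" * 32)  # stands in for encrypted DB bytes
    print("intact verifies:", unseal(mac_key, blob) is not None)
    print("tampered verifies:", unseal(mac_key, b"\x00" + blob[1:]) is not None)
```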

UPDATE: As pointed out by a reader, the original research and analysis conducted on the database can be found in a PDF and there is also a WhatsApp Xtract application posted on XDA-Developers. Thanks Martina!