itwbennett writes: "Highlighting the potential for abuse of poorly configured embedded systems, an anonymous researcher created a massive botnet by hijacking about 420,000 Internet-accessible embedded devices with default or no login passwords and used it to map the entire Internet. On a website dedicated to the project, the researcher called it 'the largest and most comprehensive IPv4 [Internet Protocol version 4] census ever.'"
itwbennett writes: "A website that provides consumers with a free annual credit report appears to have been the source used by hackers to download reports on celebrities, including former Secretary of State Hillary Clinton, Beyoncé and Jay Z, Michelle Obama, Vice President Joe Biden, Hulk Hogan, Donald Trump, U.S. Attorney General Eric Holder, and FBI Director Robert Mueller, among others."
itwbennett writes: "No sooner does Oracle issue a patch for one Java hole than a new one (or in this case 5) is discovered. On Monday, Adam Gowdiak of the Polish security firm Security Exploration claimed in a post on the Full-Disclosure security discussion list that he has found five new Java vulnerabilities. When combined, the five vulnerabilities can be used to 'gain a complete Java security sandbox bypass' in the environment running the vulnerable version of Java."
itwbennett writes: "One interesting footnote to the report on Chinese Army hackers, discussed on Slashdot and elsewhere, is that Mandiant tracked them on their own social media accounts. 'Of course, services like Facebook, Twitter, and Google are prohibited by the Great Chinese Firewall. But the army hackers working within the Datong Road compound just outside Shanghai are not encumbered by China’s Internet censors. So they used Gmail and Facebook and Twitter to communicate, which helped Mandiant track down their identities,' writes privacy blogger Dan Tynan."
itwbennett writes: "Two years ago, Peter Sunde, who once ran the world's largest bittorrent site, was sentenced to 8 months in prison. Today, he lives a quiet life in southern Sweden trying not to get the attention of police, who, he says, may have a warrant for his arrest. In fact, there is a room waiting for him at the Västervik prison, but Sunde is doing his best to stay out of it. In an interview with the IDG News Service, Sunde says there's only one thing he regrets: 'I should have told Gottfrid to encrypt his hard drive. That's where the evidence came from. Even though he works professionally with security, I should have told him,' he says."
itwbennett writes: "If someone steals your identity on Facebook, here's what Facebook wants you to do: 'Go to the imposter’s Timeline, click the downward arrow in the settings box, and select Report/Block,' writes privacy blogger Dan Tynan. Sounds reasonable, except that smart fakers have discovered a foolproof workaround: Block the real user. If you can't get to the page, you can't report it. Oh, and there's one other tool Facebook has given you to report fakes, says Tynan: A webform that only works if you don't have a Facebook account."
itwbennett writes: "Now working at IBM, 41-year-old Tao Wan, who was once a member of the Green Army hacker group, is dismissive of today's young Chinese hackers. Wan told the audience at the Power of Community security conference in Seoul that 'this generation of hackers are not that technically capable, they just like to show off — young kids with a low technical ability.' Wan went on to say that China's 'overall hacking ability is still less sophisticated than other countries' and that 'they need to become more competitive.' For himself, however, Wan said government work was too boring to pursue."
itwbennett writes: "'It's easy to find a vulnerability in WinCC. You can just point at it,' said Sergey Gordeychik, CTO of Moscow-based Positive Technologies, referring to the more than 50 vulnerabilities he and his team have found in WinCC, a type of SCADA system. At Siemens's request, Gordeychik had canceled a Defcon presentation this summer to give the company time to patch WinCC. On Thursday, however, Gordeychik, along with colleague Gleb Gritsai, presented an overview of the research: 'Gritsai showed how, when an industrial system operator is using the same browser to access both the open Internet and WinCC's web interface, a vulnerability can be exploited to obtain login credentials for the back-end SCADA network.'"
itwbennett writes: "French security company Vupen posted a 'for sale' notice on Twitter Wednesday, advertising its 'first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed).' Vupen didn't publish a price tag for the vulnerability, but 'the value of the bug will only increase with time, of course, the longer Vupen sits on it and if no one else stumbles upon it,' says Jody Melbourne, a penetration tester and senior consultant with the Sydney-based Australian security company HackLabs."
itwbennett writes: "At the Breakpoint security conference on Wednesday, Roelof Temmingh showed how his company's open source application collects publicly available online information to analyze individuals and organizations. In the demonstration, Temmingh used the software to locate a Twitter user in the NSA's parking lot, and then search across other social sites to dig up a full profile, including a photo, mail address, date of birth, travel history, employment and education history."
itwbennett writes: "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."
itwbennett writes: "The 1 million Apple device UDIDs that were leaked last week were stolen from digital publisher Bluetoad, the company's CEO Paul DeHart wrote in a blog post Monday. In describing the theft from its servers, BlueToad downplayed the risk to information types other than UDIDs: 'BlueToad does not collect, nor have we ever collected, highly sensitive personal information like credit cards, social security numbers or medical information,' DeHart said."