Notorious hacker group “Anonymous” on Thursday claimed responsibility for attacks on several government Web sites in China. The group has launched various Internet attacks on the country over the past week in response to what it believes to be strict and unfair laws. “All these years, the Chinese Communist government has subjected its People to unfair laws and unhealthy processes,” the group wrote on one Chinese website. “Dear Chinese government, you are not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall.” The group goes on to warn that further attacks are on the horizon. “So expect us because we do not forgive, never. What you are doing today to your Great People, tomorrow will be inflicted to you. Nothing will stop us, nor your anger nor your weapons. You do not scare us, because you cannot afraid an idea.” Anonymous also acknowledged the Chinese people directly, telling them to remain optimistic, “Don’t loose hope, the revolution begins in the heart.”

Read

A report emerged last week from a security researcher claiming Microsoft’s Xbox lacked important security features that might protect owners who sell used consoles from having personal information stolen. Ashley Podhradsky of Drexel University claimed to have purchased a used Xbox console and used readily available hacking tools to recover the prior owner’s credit card number and other personal information. “Microsoft does a great job of protecting their proprietary information, but they don’t do a great job of protecting the user’s data,” Podhradsky said at the time.

Microsoft has since responded to the researcher’s claims, stating that they are likely inaccurate.

“We are conducting a thorough investigation into the researchers’ claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims,” Microsoft’s Jim Alkove, General Manager, Security, Interactive Entertainment Business, told BGR in an emailed statement.

Alkove continued, “Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described.”

The executive also clarified that Microsoft does take measures to protect user data, even though no credit card details are stored locally. “When Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data,” Alkove said. ”We can assure Xbox owners we take the privacy and security of their personal data very seriously.”

Podhradsky has not responded to Microsoft’s statement.

Hackers stole credit card numbers belonging to as many as 1.5 million MasterCard and Visa customers, Global Payments, Inc. confirmed on Sunday. The international credit card processor was blocked by Visa after it reported the possibility of a major security breach on Friday. The company did not indicate how the hackers gained access to its system or who might be responsible for the attack. ”Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained,” the firm told The Wall Street Journal while noting that cardholder names, addresses and Social Security numbers were not compromised. The company did say that the credit card numbers were downloaded during the attack rather than just being accessed, however, indicating that the perpetrators may intend to use the information to create counterfeit credit cards. Affected Visa and MasterCard customers have not yet been notified that their account information was stolen.

The world’s two largest credit card processors have notified U.S. banks of a potential security breach that may affect more than 10 million cardholders, Reuters reported on Friday. MasterCard and Visa have said that the issue was the result of a third-party vendor and not their own internal systems. MasterCard said it has taken the proper steps by alerting law enforcement officials and hiring an independent data-security organization to review the possible breach. “MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information,” the company said in a statement. “If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.” Visa made sure to emphasize that its customers are not responsible for any potential fraudulent charges.

Read

Android users who are looking to sell their old devices should be wary of the possible consequences. McAfee identity theft researcher Robert Siciliano warned that personal data from Android devices is not completely removed after a user activates the built-in wipe option, The Los Angeles Times reported on Friday. “What’s really scary is even if you follow protocol, the data is still there,” Siciliano said. If you have a BlackBerry or Apple device, Siciliano said your data can be fully deleted by following the manufacturer’s directions. As for smartphones running the Android operating system and computers running Windows XP, Siciliano recommends that people don’t bother with selling them at all. “Put it in the back of a closet, or put it in a vise and drill holes in the hard drive, or if you live in Texas take it out into a field and shoot it,” he said. “You don’t want to sell your identity for 50 bucks.” To test the security of various platforms, Siciliano purchased 30 smartphones and computers from Craigslist. The researcher was able to access personal data from 15 of the 30 devices through his own hacking efforts and the help of a forensic expert. The data obtained included bank account information, Social Security numbers, child support documents and credit card account log-ins.

Read

Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. ”Microsoft does a great job of protecting their proprietary information,” researcher Ashley Podhradsky told Kotaku in an interview. “But they don’t do a great job of protecting the user’s data.” In order to avoid potential data theft, Podhradsky recommends users remove the hard drives from their consoles and wipe them while connected to a PC using special software. The Drexel researcher warns that not taking this precaution could have serious consequences. ”A lot of [modders and hackers] already know how to do all this,” she said. “Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone’s identity.”

UPDATE: Microsoft contacted BGR via email with a statement regarding Kotaku’s report, which can be read below in its entirety.

“We are conducting a thorough investigation into the researchers’ claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims.

“Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.” – Jim Alkove, General Manager, Security, Interactive Entertainment Business at Microsoft

Read

A new study suggests that more than half of all Internet traffic is generated by non-human sources such as hacking software, scrapers and automated spam mechanisms. The majority of this non-human traffic, according to cloud service provider Incapsula, is potentially malicious. The study is based on data collected from 1,000 websites that utilize Incapsula’s services, and it determined that just 49% of Web traffic is human browsing. 20% is benign non-human search engine traffic, but 31% of all Internet traffic is tied to malicious activities. 19% is from ” ‘spies’ collecting competitive intelligence,” 5% is from automated hacking tools seeking out vulnerabilities, 5% is from scrapers and 2% is from content spammers. ”Few people realize how much of their traffic is non-human, and that much of it is potentially harmful,” Incapsula co-founder Marc Gaffan told ZDNet. Incapsula, coincidentally, offers services aimed at securing small and medium businesses.

Read

On Wednesday, a Russian hacker discovered a vulnerability in Google’s Chrome web browser during CanSecWest’s Pwnium hacker contest. It was the first time in four years at the competition that Chrome was hacked, and for his efforts, Sergey Glazunov was rewarded with $60,000. Less than 24 hours after the exploit was brought to Google’s attention, the search giant released an update fixing the vulnerability. “The Chrome Stable channel has been updated to 17.0.963.78 on Windows, Mac, Linux and Chrome Frame,” Google wrote on its Chrome update blog. “This release fixes issues with Flash games and videos, along with the security fix listed below.” Glazunov’s vulnerability is described as an “UXSS and bad history navigation” issue, however no other details were given.

Read

Russian university student Sergey Glazunov was able to hack into a secure Windows 7 machine using a remote code execution exploit in Google’s Chrome web browser in five minutes, ZDNet reported Wednesday. The exploit was found during CanSecWest’s Pwnium hacker contest, a competition similar to the popular Pwn2Own contest. Google offered a total of $1 million dollar in prize money to hackers who could exploit the company’s Chrome web browser. Glazunov was rewarded $60,000 for his exploit, which found a way around Chrome’s sandbox using vulnerabilities in the extension system. “It didn’t break out of the sandbox [but] it avoided the sandbox,” said Justin Schuh, a member of the Chrome security team. “It was an impressive exploit. It required a deep understanding of how Chrome works. This is not a trivial thing to do.” At Pwn2Own, the VUPEN team was able to hack all four major browsers — Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox — with Chrome, which was hacked within five minutes, being the first to fall. This is the first time in four years at the competition that Google’s web browser has been hacked. The company is already working on an update that will fix the vulnerabilities uncovered at Pwnium and Pwn2Own.

Read

Members from the notorious hacktivist collective “Anonymous Operations” have reportedly claimed responsibility for hacking two more government websites following the takedown of the Central Intelligence Agency’s website last week. The Associated Press on Friday reported that Anonymous had breached the United States Federal Trade Commission’s consumer protection business center website as well as a National Consumer Protection Week website. Both sites were temporarily replaced by a “violent German-language video” focused on the Anti-Counterfeiting Trade Agreement. ACTA, which has been signed by a number of countries including the U.S. and Canada, aims to put forth international legal guidelines for fighting piracy. Neither affected agency has confirmed the attacks, but both the FTC business center website and the National Consumer Protection Week website were offline at the time of this writing.

Read

Two recently uncovered security exploits concerning Google Wallet have left users questioning just how safe the product really is. A security firm exposed a vulnerability last week that allowed hackers to bypass PIN protection, but it was only present on rooted devices. A second exploit, however, did not require a handset to be rooted, leaving all Google Wallet users exposed. By wiping stored Google Wallet data from within a device’s settings, an unauthorized user will be able to access a user’s prepaid funds without needing to know his or her Google Wallet pin. The company has acknowledged both security exploits, and it now says Google Wallet is safe and “offers advantages over the plastic cards and folded wallets in use today.” Read on for more.

Google has suggested that users who are interested in Wallet do not root their devices because the feature is not supported on rooted phones. “That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device,” said Osama Bedier, vice president of Google Wallet and Payments. To address the second issue, the Mountain View-based company has temporarily disabled provisioning of prepaid cards as a precautionary measure. The service will remain disabled until a permanent fix is available.

“We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card,” Google said in a statement. “We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”

Read

Hackers from the notorious group “Anonymous Operations” claim to have taken down the United States Central Intelligence Agency’s website shortly after 3:00 p.m. EST on Friday. “CIA TANGO DOWN: cia.gov,” a member of Anonymous posted to one of the group’s Twitter accounts. Anonymous’s motivation for this most recent cyberattack on the CIA is unclear, but this high-profile hit could be one of the group’s most significant attacks yet. As of the time of this writing, cia.gov was still offline.

Read

A new exploit has been discovered that allows unauthorized access to a user’s Google Wallet account with a simple hack that can be performed by anyone in a matter of minutes. A security firm recently exposed a Google Wallet vulnerability that allowed hackers to bypass PIN protection, but the vulnerability is only present on rooted Galaxy Nexus handsets. This new exploit, however, does not require a handset to be rooted, which leaves all Google Wallet users exposed. Read on for more.

As mobile blog The Smartphone Champ explains, the newly exposed security hole allows someone to simply reset a user’s Google Wallet password by clearing the Google Wallet application data from within the phone’s settings menu. A user’s Google Wallet PIN is not required to wipe this data and once the information has been cleared, the handset will prompt the user for a new PIN without first requiring that the old PIN be entered. Anyone who performs this simple procedure will be able to access funds on the original user’s Google prepaid card.

A Google spokesperson acknowledged the vulnerability and gave the following statement to Android and Me: “We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”

A video demonstration of the simple hack follows below.

[Via Android and Me]

Read

Zappos on Sunday confirmed that hackers breached the company’s servers and accessed personal data belonging to many of its customers. The Amazon-owned shoe retailer known for top-notch service and surprising customers with express shipping at no extra cost confirmed that personal data from 24 million accounts was accessed during a recent security breach. The hackers gained access to range of sensitive data including user names, encrypted passwords, customer names, email addresses, phone numbers and the last four digits of credit card numbers. The company stated that full credit card numbers were not compromised. As a security measure, Zappos reset the passwords of all affected customers and sent out emails alerting them to the situation. The company’s full email to customers follows below.

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com.

Amazon’s Silk Web browser has received mixed reviews from the media and from consumers. In our review of the Amazon Kindle Fire, we noted that loading Web pages in the cloud-assisted browser on the tablet seemed to stall at first but once content finally began downloading, it indeed seemed to move very quickly. Other reviews found Silk to be much slower than other comparable browsers, however. Curious Android device owners who aren’t among the millions who purchased the Kindle Fire ahead of the holidays can now install Amazon’s Silk browser on a variety of rooted handsets and tablets thanks to the work of an xda-developers forum member. Results are mixed so far, and the port will not work on the Galaxy Nexus, among other handsets. Many users have successfully installed the browser on a variety of devices including the Motorola ATRIX and the Samsung Galaxy Tab, however.

Read