Hackers from the notorious group “Anonymous Operations” claim to have taken down the United States Central Intelligence Agency’s website shortly after 3:00 p.m. EST on Friday. “CIA TANGO DOWN: cia.gov,” a member of Anonymous posted to one of the group’s Twitter accounts. Anonymous’s motivation for this most recent cyberattack on the CIA is unclear, but this high-profile hit could be one of the group’s most significant attacks yet. As of the time of this writing, cia.gov was still offline.

Read

A new exploit has been discovered that allows unauthorized access to a user’s Google Wallet account with a simple hack that can be performed by anyone in a matter of minutes. A security firm recently exposed a Google Wallet vulnerability that allowed hackers to bypass PIN protection, but the vulnerability is only present on rooted Galaxy Nexus handsets. This new exploit, however, does not require a handset to be rooted, which leaves all Google Wallet users exposed. Read on for more.

As mobile blog The Smartphone Champ explains, the newly exposed security hole allows someone to simply reset a user’s Google Wallet password by clearing the Google Wallet application data from within the phone’s settings menu. A user’s Google Wallet PIN is not required to wipe this data and once the information has been cleared, the handset will prompt the user for a new PIN without first requiring that the old PIN be entered. Anyone who performs this simple procedure will be able to access funds on the original user’s Google prepaid card.

A Google spokesperson acknowledged the vulnerability and gave the following statement to Android and Me: “We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”

A video demonstration of the simple hack follows below.

[Via Android and Me]

Read

Zappos on Sunday confirmed that hackers breached the company’s servers and accessed personal data belonging to many of its customers. The Amazon-owned shoe retailer known for top-notch service and surprising customers with express shipping at no extra cost confirmed that personal data from 24 million accounts was accessed during a recent security breach. The hackers gained access to range of sensitive data including user names, encrypted passwords, customer names, email addresses, phone numbers and the last four digits of credit card numbers. The company stated that full credit card numbers were not compromised. As a security measure, Zappos reset the passwords of all affected customers and sent out emails alerting them to the situation. The company’s full email to customers follows below.

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com.

Amazon’s Silk Web browser has received mixed reviews from the media and from consumers. In our review of the Amazon Kindle Fire, we noted that loading Web pages in the cloud-assisted browser on the tablet seemed to stall at first but once content finally began downloading, it indeed seemed to move very quickly. Other reviews found Silk to be much slower than other comparable browsers, however. Curious Android device owners who aren’t among the millions who purchased the Kindle Fire ahead of the holidays can now install Amazon’s Silk browser on a variety of rooted handsets and tablets thanks to the work of an xda-developers forum member. Results are mixed so far, and the port will not work on the Galaxy Nexus, among other handsets. Many users have successfully installed the browser on a variety of devices including the Motorola ATRIX and the Samsung Galaxy Tab, however.

Read

Research In Motion’s BlackBerry PlayBook tablet became the first BlackBerry device to be rooted this past November, granting users access to the device’s file system and allowing a level of customization that BlackBerry users have not had in the past. As RIM enters into the cat and mouse game Apple knows all too well, PlayBook owners willing to root their devices now have access to the Android Market as well as the apps contained within. CrackBerry has published a complete how-to guide that details all of the software and steps required in order to install Google’s Android Market on a PlayBook tablet. While an upcoming PlayBook software update will soon bring official Android app support to the tablet, apps will need to be repackaged and made available in BlackBerry App World in order to function in RIM’s app player. Using the guide linked below, no such tweaks are necessary from developers, and users can have Android apps running on the PlayBook immediately.

Read

Amazon’s popular Kindle Fire tablet now has access to an unofficial Android 4.0 Ice Cream Sandwich update. Members of the xda-developers forum recently managed to get a “pre-alpha” version of Android 4.0 running on Amazon’s new slate. The installation is based on the popular CyanogenMod 9 and while the ROM is working well in this early stage, there are still a number of bugs that need to be ironed out. It should also be clarified that this custom Ice Cream Sandwich ROM will remove all of Amazon’s customization features from the tablet, such as its user interface and deep integration with Amazon services. Hit the break for a video of Android 4.0 in action on the Kindle Fire and provided you understand the risks involved, follow the read link for all the tools you’ll need to install Android 4.0 on your Kindle Fire.

Read

We were able to successfully get Google Wallet running on the HSPA+ version of the Samsung Galaxy Nexus without too much trouble, but the big news over the past few weeks was that Verizon would be blocking the app from its version of the hotly anticipated handset. Well, if you don’t mind rooting your phone and following a relatively simple guide, there’s now a way to get Google Wallet functioning just fine on Verizon’s Galaxy Nexus. It’s going to most likely violate Google Wallet’s terms of service, but we got it up and running on our review unit with no problems. There is also the complimentary $10 Google prepaid card, so it looks like we’ll be off to CVS for some of those peach rings in a few minutes. Images of Google Wallet running on Verizon Wireless’s Samsung Galaxy Nexus follow below.

The Carrier IQ scandal has shifted attention from malicious mobile threats to carrier-sourced spyware over the past month, but a new report suggests the threat of more serious mobile malware continues to intensify. More than $1 million was stolen from Android smartphones alone in 2011 according to Lookout Mobile Security, which pulled data from more than a million apps and 15 million handsets around the world to compile its 2012 Mobile Threat Predictions report. The likelihood of an Android user encountering malware grew from 1% to 4% in 2011, and Lookout expects the trend to continue in 2012. Read on for more.

“2011 was a watershed year in terms of the types threats we saw emerging,” Lookout co-founder and CTO Kevin Mahaffey said in a statement. “Threats had greater sophistication and were deployed using more innovative and efficient distribution methods. In 2012, we expect to see the mobile malware business turn profitable. What took 15 years on the PC platform has only taken the mobile ecosystem two years.”

The firm highlights mobile pickpocketing — malware that steals money by making unauthorized use of carrier billing features — mobile botnets and browser attacks as specific threats that will intensify in 2012. Android users in particular now have a 36% chance globally of clicking an unsafe link, and those odds increase to 40% in the U.S. according to Lookout. The firm’s full press release follows below.

Lookout Unveils 2012 Mobile Threat Predictions: Mobile Pickpocketing, Botnets and Automated Repacking Will Be On the Rise

More than $1 Million Stolen from Android Users in 2011; Likelihood of Annual Malware Infection Rises to 4%

San Francisco – December 14, 2011 – Lookout Mobile Security, the global leader in mobile security, today unveiled its 2012 Mobile Malware Predictions, based on data collected from its Mobile Threat Network, which includes more than one million apps and 15 million user devices worldwide. Mobile threats are on the rise – Lookout estimates that mobile threats successfully stole more than one million dollars from Android users in 2011. In 2012, Lookout predicts that the criminal business of malware will be more profitable than ever before as the possibility of monetizing mobile devices grows and the cost of infecting devices lessens.

In the report, Lookout reveals that the annual likelihood of an Android user encountering malware today has increased to 4% up from a 1% likelihood measured at the beginning of 2011. Web-based mobile threats are also an important component of Lookout’s research, and the company found Android users worldwide have a 36% chance of clicking on an unsafe link in 2011. In the United States, the likelihood of encountering an unsafe link is higher than the global average at 40%. Additionally in the report, Lookout anticipates the methods that would-be thieves will use to target mobile users directly and discusses tips for consumers to protect themselves.

“2011 was a watershed year in terms of the types threats we saw emerging. Threats had greater sophistication and were deployed using more innovative and efficient distribution methods,” said Kevin Mahaffey, co-founder and chief technology officer at Lookout. “In 2012, we expect to see the mobile malware business turn profitable. What took 15 years on the PC platform has only taken the mobile ecosystem two years.”

Mobile Malware Monetization Trends

Mobile Pickpocketing (SMS/call fraud). In 2012, Malware writers will continue to steal money directly from consumers by accessing their mobile devices’ ability to charge phone bills via SMS billing and phone calls. Earlier this year, Lookout identified GGTracker, the first mobile malware that steals money from users in the U.S and earlier this week Lookout identified another Android Trojan, RuFraud, targeting Eastern European users.

Botnets. To date, Lookout notes botnet networks have yet to be used at scale. In 2012, Lookout anticipates malware writers could secretly integrate thousands of mobile devices into extensive botnet-like networks to distribute spam, steal private info, and install other malware. DroidDream and Geimini are examples of botnets.

Vulnerable Phones. Due to the difficulty of updating software and patching vulnerabilities on mobile phones, malware writers will continue to exploit iOS and Android OS at a pace greater than vulnerabilities can be resolved.

Mobile Malware Distribution Trends

Automated Repackaging. Malware writers will develop tools that enable the automatic repackaging of malicious applications. Lookout has seen instances where several infected apps were packaged by the same developer within a matter of seconds – quicker than someone could do manually – so the means for automated repackaging may already be in existence.

Browser Attacks. As with PC-based threats in the past, malware writers will attempt to profit via Web-based distribution like email, text messages and fraudulent websites. Even iOS devices have been targeted by websites designed to jailbreak them. In 2012, Lookout expects a continued increase in mobile phishing and messages linked to websites that automatically install malware.

Malvertising. Instances of malvertising (genuine-looking advertisements that link back to fraudulent sites) will continue to increase. Given this method has been successful with Trojans like GGTracker, we expect other malware writers to try similar distribution tactics.

For the in-depth predictions, data and accompanying graphics, please see Lookout’s Mobile Malware Predictions: http://blog.mylookout.com/blog/2011/12/12/2012-mobile-threat-predictions.

Research In Motion, for the first time ever, suffered an exploit in which root access was gained on one of their devices, the PlayBook. While RIM initially downplayed the significance of the jailbreak, the exploit tool created by a few hackers was recently released to the public and it indeed gave users root access to the BlackBerry PlayBook, bypassing RIM’s security measures. After the jailbreak was released, RIM made an OTA update available that fixed the jailbreak. RIM’s fix has already been jailbroken however, leaving the company’s only tablet exposed, again. This cat and mouse game is something that RIM has not had to deal with in the past due to the enhanced security of the BlackBerry platform.

Read

A group of iOS hackers have managed to successfully port Apple’s virtual assistant software Siri to the iPhone 4 and fourth-generation iPod touch, and the software needed to perform the port is now available to the public. Tech blog InTech-BB posted the necessary links on Sunday along with a how-to guide, and a number of users have reported successfully installing Siri on their devices using the tools and steps provided within the guide. Several users note problems with their cameras after installing the ported Siri software, but a fix is apparently now available. IPhone 4 and fourth-generation iPod touch owners who understand the risks involved with jailbreaking and installing unauthorized software can follow the read link below for a step-by-step tutorial along with a video of Siri in action on an iPhone 4.

[Via The Tech Erra]

Read

During a recent speech to delivered at the City University in London, Wikileaks founder Julian Assange said that most smartphones can be hacked remotely with ease. “Who here has an iPhone? Who here has a BlackBerry? Who here uses Gmail? Well, you’re all screwed,” Assange said during his talk, which followed the release of 287 documents related to mass surveillance. Assange explained to the crowd that more than 150 private organizations in 25 countries can easily track phones and intercept messages, browsing history, email accounts, phone calls and more remotely, ZDNET said. Several organizations are even capable of sending fake text messages from a user’s phone, Assange said. Read on for more.

The documents addressed “the reality of the international surveillance industry” and explained the tech used to spy on mobile users was developed in the United States, Canada, Australia and the United Kingdom. ZDNET explained that the technology may have been sold to several of the regimes in North Africa and the Middle East, and Wikileaks said the technology has been used in Bahrain to track human rights activists.

SS8, a U.S. firm, Hacking Team and Vupen were all named as companies who have created the malware that’s capable of hijacking smartphones. The software can “record every use, movement and even sights and sounds of the room [a phone] is in,” Wikileaks said.

The Wikileaks documents are particularly compelling given the recent revelation that millions of smartphones have spyware called Carrier IQ installed, an application that is capable of allowing wireless carriers to spy on their customers.

A group of security researchers recently demonstrated on video that they have successfully gained root access to the QNX-based operating system found on Research In Motion’s BlackBerry PlayBook tablet. The PlayBook jailbreak and related “mack truck” security hole these hackers identified could have some serious implications for future BlackBerry devices, but RIM says users should not get ahead of themselves. “Research In Motion (RIM) is aware of a claim made on Twitter by security researchers working together that suggests the ability to ‘jailbreak’ a BlackBerry PlayBook tablet,” RIM said in a statement, noting that no BlackBerry smartphone users are affected. RIM also said it will begin working on a patch for the claimed security hole if its investigation determines the hackers’ claims are genuine, and it will also investigate any PlayBook jailbreaking tool released to the public. RIM’s full statement follows below, along with a video demonstration of security researcher “neuralic” gaining root access to a BlackBerry PlayBook.

Research In Motion (RIM) is aware of a claim made on Twitter by security researchers working together that suggests the ability to “jailbreak” a BlackBerry PlayBook tablet. The term “jailbreaking” is commonly used to describe altering the software on a smartphone or tablet in order to obtain access to systems or applications not officially authorized or distributed by the manufacturer. BlackBerry smartphone users are not affected. RIM is currently investigating this claim and has been in contact with one of the security researchers to discuss it.

RIM is currently not aware of a jailbreak being leveraged by anyone other than the researchers, who claim to have performed a jailbreak on their own BlackBerry PlayBook tablets only. If it is determined that the claim is accurate, RIM will follow its standard response process to develop and release a software update that is designed to minimize adverse impact to our customers or carrier partners. RIM is aware that the security researchers have stated they intend to release a tool to jailbreak the BlackBerry PlayBook tablet. If such a tool is released, RIM will investigate it.

The security of mobile devices and major networked systems is tested by third-party security researchers every day. RIM also continually tests the security of its own products, and volunteers its products to recognized industry experts for security testing and certification to help identify possible issues. RIM is committed to the BlackBerry PlayBook tablet and to working with researchers to continue to protect our customers.

There has been word for the past few days that Research In Motion’s PlayBook has been jailbroken. What this means is that, for the first time ever in RIM’s history, root access has been gained into a BlackBerry operating system. Why is this a big deal? Well, of RIM’s few remaining strengths, one of them was security, both in terms of encrypting and securing the messages you send over the RIM network, and device security. It’s why BlackBerry products became so popular with enterprises and governments — security. That device is so secure, that even the President of the United States uses one. Read on for more.

RIM’s new operating system, however, is a different beast. It’s more powerful and it is certainly capable, but it also looks like it’s been hacked, broken into, and manipulated by a few individuals who have demonstrated that they have access to something that no one outside of RIM has ever had access to.

Guess what operating system RIM’s BlackBerry smartphones are going to run? The same one that was jailbroken, opening up the possibility that forthcoming smartphones and tablets from Research In Motion will be subject to the same cat and mouse game that jailbreakers play with Apple. This means that the security of a BlackBerry will not ever be the same as long as someone out there is able to exploit a vulnerability in RIM’s BBX operating system, and as far as I know, apps aren’t sandboxed at all like they are on iOS. Not all apps are encrypted (aside from what, Password Keeper?), so once you root the device, you have access to all of the data on that BlackBerry product — a concept that enterprise and government BlackBerry clients will not be happy about. In fact, I’d venture on to say that this is probably the biggest threat to RIM right now if this turns out to be true. For RIM’s enterprise and government customers to be thinking about the fact that the upcoming phones and devices could be unsecure, is a big, big deal.

Many of us wondered why Google’s new flagship Galaxy Nexus doesn’t support Google Wallet, an NFC-based payment service that the company introduced a few months back. Since Google Wallet is only available in the United States at the moment, it makes sense that it isn’t supported on the HSPA+ Galaxy Nexus. Google Wallet also will not be supported on Verizon Wireless’ version of the smartphone, however, which is set to launch early next month. While Verizon wouldn’t comment specifically on the Galaxy Nexus’ lack of support, the carrier did tell BGR that it is working toward some kind of mobile wallet service as Verizon is a member of ISIS along with T-Mobile and AT&T. Hit the break for more.

“We’re working to provide expanded services that will provide the best security and user experience in the market around m-commerce,” A Verizon Wireless spokesperson told BGR via email. “We expect to provide access to an open wallet when those goals are achieved.”

If you’re not up for waiting, however, it is indeed possible to get Google Wallet up and running on the Galaxy Nexus thanks to the Android community on Modaco’s forum. We’ve given it a go on our Samsung Galaxy Nexus and it works perfectly. In fact, not only did we floor the cashier when we paid for our purchase at CVS with our phone, but we also have a boatload of candy thanks to a $10 prepaid card from Google.

Note: installing Google Wallet on an unsupported device may violate Google Wallet’s term of service.

Are pornographic images invading your Facebook news feed? We have yet to see it here at BGR, but ZDNET recently reported that “gory, violent pictures” and “hardcore pornography” are spreading across the social network. Facebook says it is getting to the bottom of the problem, but hasn’t yet revealed a solution or how the fiasco started. “Protecting the people who use Facebook from spam and malicious content is a top priority for us and we are always working to improve our systems to isolate and remove material that violates our terms,” Facebook spokesperson Andrew Noyes said. “We have recently experienced an increase in reports and we are investigating and addressing the issue.” It is unclear who is behind the attack. As The Washington Post points out, the flood could be a trick played by the now infamous hacker group Anonymous, in celebration of Guy Fawkes Day, which occurred on November 5th, but the group typically stakes its claim on major attacks. The images, which are apparently spreading like a wild fire, could also be the result of unsuspecting users having been tricked into clicking malicious links. Updated with statement from Facebook. 

Facebook’s official statement on the matter is as follows:

“Recently, we experienced a coordinated spam attack that exploited a browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible. During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people.”

Read [ZDNET] Read [The Washington Post]