A new exploit has been discovered that allows unauthorized access to a user’s Google Wallet account with a simple hack that can be performed by anyone in a matter of minutes. A security firm recently exposed a Google Wallet vulnerability that allowed hackers to bypass PIN protection, but the vulnerability is only present on rooted Galaxy Nexus handsets. This new exploit, however, does not require a handset to be rooted, which leaves all Google Wallet users exposed. Read on for more.

As mobile blog The Smartphone Champ explains, the newly exposed security hole allows someone to simply reset a user’s Google Wallet password by clearing the Google Wallet application data from within the phone’s settings menu. A user’s Google Wallet PIN is not required to wipe this data and once the information has been cleared, the handset will prompt the user for a new PIN without first requiring that the old PIN be entered. Anyone who performs this simple procedure will be able to access funds on the original user’s Google prepaid card.

A Google spokesperson acknowledged the vulnerability and gave the following statement to Android and Me: “We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”

A video demonstration of the simple hack follows below.

[Via Android and Me]

Read

Amazon’s Silk Web browser has received mixed reviews from the media and from consumers. In our review of the Amazon Kindle Fire, we noted that loading Web pages in the cloud-assisted browser on the tablet seemed to stall at first but once content finally began downloading, it indeed seemed to move very quickly. Other reviews found Silk to be much slower than other comparable browsers, however. Curious Android device owners who aren’t among the millions who purchased the Kindle Fire ahead of the holidays can now install Amazon’s Silk browser on a variety of rooted handsets and tablets thanks to the work of an xda-developers forum member. Results are mixed so far, and the port will not work on the Galaxy Nexus, among other handsets. Many users have successfully installed the browser on a variety of devices including the Motorola ATRIX and the Samsung Galaxy Tab, however.

Read

All GSM phones, such as those that run on T-Mobile and AT&T in the United States, are vulnerable to a major security flaw that could allow hackers to send text messages or place phone calls remotely using a new security flaw, one hacker said recently. Speaking to Reuters ahead of a hacking convention in Berlin, Karsten Nohl, the head of Germany’s Security Research Labs, said the attack could be initiated on a large scale, too. ”We can do it to hundreds of thousands of phones in a short timeframe,” Nohl explained. “None of the networks protects users very well.” Nohl didn’t provide details on how hackers could take advantage of the flaw, although Reuters said it’s likely that those attending the conference will try to recreate it themselves. Nohl also explained that carriers can easily patch the security hole and that some simply need to update their software. “Mobile network is by far the weakest part of the mobile ecosystem, even when compared to a lot attacked Android or iOS devices,” Nohl said, noting that Germany’s T-Mobile and France’s SFR wireless carriers are the most secure against hackers.

Read

New York University’s Polytechnic Institute has discovered a Skype security flaw that leaves Skype users’ locations and P2P sharing activity accessible to hackers. The security hole was discovered while NYU scientists monitored 10,000 Skype users and 20 volunteers during a two-week period. “A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user – from private citizens to celebrities and politicians – and use the information for purposes of stalking, blackmail or fraud,” professor Keith Ross from computer science NYU-Poly’s computer science program said. Hackers can also keep track of a Skype user’s movements as he or she places calls from various locations. The scientists were able to follow a Skype user during a vacation from New York to Chicago and then all the way home to France, Financial Post explained. “A fairly straightforward and inexpensive fix would prevent hackers from taking the critical first step in this security breach – that of obtaining users’ IP addresses through inconspicuous calling,” the scientists said. Skype chief information officer Adrian Asher said his company will work to improve the security of Skype’s software. 

Read

Apple has addressed a major security vulnerability with the latest version of its iOS software. Just released on Thursday afternoon, iOS 5.0.1 was welcomed with open arms by iPhone users plagued by poor battery life. Apple promised that this new build addresses issues causing the lackluster battery performance — though its effectiveness remains in question — and it also addresses a much more serious problem. Security expert Charlie Miller revealed a major security flaw in iOS last week that allowed developers to sneak malicious apps past Apple’s App Store review process. Once installed by an end user, a hacker was able to use the vulnerability to steal data or perform any number of other unauthorized functions. IOS 5.0.1 addresses the vulnerability, Forbes reports, preventing apps from receiving malicious payloads. Apple credits Miller with having discovered the bug — he reported it to Apple nearly a month before going public — though the company has yet to restore his developer account, having banned him from its developer program after he planted an app in the App Store in order to demonstrate the vulnerability.

[Via Forbes]

Read

A major security flaw in Apple’s iOS operating system that could allow hackers to remotely gain unauthorized access to an iPhone, iPod touch or iPad has been uncovered by a security expert. Described by Forbes as a “serial Mac hacker,” Accuvant LABS computer security researcher Charlie Miller has uncovered a security flaw that allows hackers to build apps that look legitimate and pass through Apple’s App Store approval process. Using a code-signing vulnerability, however, the malicious apps will automatically connect to a remote server following installation and download new unapproved code that might grant hackers access to system files, personal data and a host of unauthorized functionality. Read on for more.

Apple’s closed App Store approval process has been touted by security experts and pundits alike as a much more secure option than an open system like Google’s Android Market. While Apple has been largely successful in keeping malicious software out of its iOS App Store, this newly revealed vulnerability illustrates that no system is ever fully secure. “Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” Miller told Forbes in an interview. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

Miller isn’t just talking the talk, either. The security expert actually planted an app in Apple’s App Store that utilizes the exploit he detailed. Miller submitted the app to Apple for approval using his developer account and, following Apple’s standard testing and approval process, the app became available in the App Store. Miller then recorded a video illustrating some of the many functions a hacker would be able to perform using this exploit, which include executing a payload that will give the hacker complete control of an iOS device from a remote terminal.

The security expert’s app has since been removed from the App Store and his developer account has been suspended. Miller’s video follows below.

Anonymous, the “hacktivist” group that waged war on the U.S. government and large companies such as Apple, has shifted its focus from cracking corporations to fighting online pedophilia. The group is now targeting web host Freedom Hosting and is accusing it of knowingly hosting child pornography. “The owners and operators at Freedom Hosting are openly supporting child pornography and enabling pedophiles to view innocent children, fueling their issues and putting children at risk of abduction, molestation, rape, and death,” Anonymous said in a statement. “Our demands are simple. Remove all child pornography content from your servers. Refuse to provide hosting services to any website dealing with child pornography. This statement is not just aimed at Freedom Hosting, but everyone on the internet. It does not matter who you are, if we find you to be hosting, promoting, or supporting child pornography, you will become a target.” Read on for the full statement against online child pornography from Anonymous. 

1. #OpDarknet Press Release – 10/15/2011
2. ————————
3.    Timeline of Events
4. ————————
5. At apprx 8:30 CST while browsing the Hidden Wiki we noticed a section called Hard Candy which was dedicated to links to child pornography. We then removed all links on the website, within 5 minutes the links were edited back in by an admin. For this reason, we will continue to make the Hidden Wiki unavailable.
6. –
7. At apprx 8:45 CST we noticed 95% of the child pornography listed on the Hidden Wiki shared a digital fingerprint with the shared hosting server at Freedom Hosting.
8. –
9. At apprx 9:00pm CST on October 14, 2011 We identified Freedom Hosting as the host of the largest collection of child pornography on the internet. We then issued a warning to remove the illegal content from their server, which they refused to do.
10. –
11. At apprx 11:30pm CST on October 14, 2011 We infiltrated the shared hosting server of Freedom Hosting and shutdown services to all clients due to their lack of action to remove child pornography from their server.
12. –
13. At apprx 5:00pm CST on October 15, 2011 Freedom Hosting installed their backups and restored services to their child pornography clients. We then issued multiple warnings to remove all child pornography from their servers, which Freedom Hosting refused to do.
14. –
15. At apprx 8:00pm CST on October 15, 2011 despite new security features, we once again infiltrated the shared hosting server at Freedom Hosting and stopped service to all clients.
16. –
17. ————————
18.      Our Statement
19. ————————
20. The owners and operators at Freedom Hosting are openly supporting child pornography and enabling pedophiles to view innocent children, fueling their issues and putting children at risk of abduction, molestation, rape, and death.
21. For this, Freedom Hosting has been declared #OpDarknet Enemy Number One.
22. By taking down Freedom Hosting, we are eliminating 40+ child pornography websites, among these is Lolita City, one of the largest child pornography websites to date containing more than 100GB of child pornography.
23. We will continue to not only crash Freedom Hosting’s server, but any other server we find to contain, promote, or support child pornography.
24. ————————
25.       Our Demands
26. ————————
27. Our demands are simple. Remove all child pornography content from your servers. Refuse to provide hosting services to any website dealing with child pornography. This statement is not just aimed at Freedom Hosting, but everyone on the internet. It does not matter who you are, if we find you to be hosting, promoting, or supporting child pornography, you will become a target.
28. ————————
29.      Images & Misc
30. ————————
31. Dead Server Screenshot: http://i55.tinypic.com/vy9w7k.jpg
32. –
33. Freedom Host PR Screenshot: http://i53.tinypic.com/o5qlip.jpg
34. –
35. Our Manifesto: http://www.youtube.com/watch?v=aFuJp_zPIlU
36. –
37.   #Antisec | #Anonymous | #FreeTopiary | #AnonOps | #FreeAnons | #OccupyWallSteet | #OWS
38. We are Anonymous.
39. We are Legion.
40. We do not forgive.
41. We do not forget.
42. Expect us.

Massachusetts Attorney General Martha Coakley recently said her iTunes account was compromised by identity thieves and that she will press Apple for answers. It is unclear how the thieves gained access to Coakley’s account, perhaps through an application, but the hackers stole credit card information and made fraudulent purchases, ThreatPost said. Coakley brought up the attack during a speech for the launch of the Massachusetts Advanced Cyber Security Center. She noted that Dell blocked her credit card when the hackers tried to purchase a computer, believing the purchase to be fraudulent. Apple, however, did not. Coakley said she would reach out to the iPhone maker and demand information. ThreatPost argued that Coakley might have been speaking so strongly in an effort to build support for Massachusetts’ state data privacy, data protection and data breach notification laws. Coakley believes companies such as Apple should be held liable when in violation of the aforementioned laws. The Massachusetts Attorney General’s office said any company that has had a breach which “creates a substantial risk of identity theft or fraud against a resident of the commonwealth,” should publicly disclose the attack.

Read

Security blog Defense in Depth has found a glaring security flaw in OS X Lion that enables hackers to change the password of any user on a machine running Lion. “[While] non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Patrick Dunstan from Defense in Depth explained in a recent blog post. The result is that anyone could use a simple Python script, created by Dunstan himself, to discover a user’s password. It gets worse. Reportedly, OS X Lion does not require its users to enter a password to change the login credentials of the current user. That means typing the command: “dscl localhost -passwd /Search/Users/Roger” will actually prompt you to set a new password for Roger. As CNET points out, a hacker could only take advantage of the known bug if he or she has local access to the computer and Directory Service access. CNET suggests disabling automatic log-in, enabling sleep and screensaver passwords and disabling guest accounts as some preventative measures to keep your Mac secure.

[Via CNET]

Read

Following a major security breach earlier this year, Sony made good on its promise to bolster its security by hiring a former official from the U.S. Department of Homeland Security to serve as its chief information security officer and senior vice president, Reuters reported on Tuesday. Philip Reitinger formerly served as the director of the U.S. National Security Center. “Certainly the network issue was a catalyst for the appointment,” a Sony spokesman told Reuters. “We are looking to bolster our network security even further.” Sony’s online PlayStation and Qriocity networks were attacked in May when a hacker group known as LulzSec gained access to personal data belonging to more than 100 million users. A string of subsequent hacks on Sony’s digital properties made headlines for the better part of two months, and Sony’s PlayStation Network was not fully restored until July.

Read

A security expert at Italian security firm AIR Sicurezza Informatica claims to have found a security flaw in Google’s new social network that allows hackers to potentially use Google+ servers to execute DDoS attacks. Simone Quatrini explained the flaw on the IHTeam Security Blog, and he wrote a script that can perform the attack, repeatedly prompting Google’s server to send requests to the target site. DDoS attacks, or distributed denial-of-service attacks, flood a web server with requests in an effort to prevent it from functioning. Such attacks require appropriate resources and bandwidth to execute, and Google servers would obviously have more than enough of these resources to launch a significant attack.

[Via The Hacker News]

Read

A 22-year old student allegedly associated with the hacking group “Anonymous” has been arrested and charged in the United Kingdom. Peter David Gibson is charged with “conspiracy to do an unauthorized act in relation to a computer, with intent to impair the operation of any computer or prevent or hinder access to any program or data held in a computer or to impair the operation of any such program or the reliability of such data,” the Metropolitan Police said in a statement Thursday. Gibson is out on bail and is scheduled to appear in court on September 7th to stand trial. It is believed that Gibson was involved on a number of Anonymous’s DDOS attacks against large corporations; the “Anonymous Operations” branch of the hacking group most recently attacked Apple. Authorities in the United States and the United Kingdom have arrested a number of hackers believed to be associated with Anonymous and a sub-group called LulzSec. LulzSec spokesperson and hacker Jack Davis, aka Topiary, was arrested earlier this month and released on bail.

[Via Bloomberg]

Read

An alleged member of the notorious hacker collective “Anonymous” has apparently outed himself and quit. The UK-based hacker, who says his real name is Matthew, operated under the pseudonym “SparkyBlaze” during his time with Anonymous. As to his reasons for leaving the group, he points mainly to LulzSec, the AntiSec movement, and Anonymous’ leadership. “When I started with Anon I thought I was helping people but over the past few months things inside anon have changed,” the hacker said in a statement posted to the Web. “I am mostly talking about AntiSec and LulzSec. They both go against what I stand for (and what anonymous says they stand for). Antisec has released gig after gig of innocent peoples information. For what? What did they do? Does anon have the right to remove the anonymity of innocent people? They are always talking about peoples right to remain anonymous so why are they removing that right?” To the Anonymous members he leaves behind, SparyBlaze adds, “You are not helping anyone.” He continues, “Think about the long run. Some thinking now can save you some large legal bills later. And yes i will be there when you get out of court to say: I told you so. There are other ways to help people, just don’t go to anon you are not hurting the governments you are hurting yourselves in the long run.” The hacker’s full statement follows below.

Ok,
So Over The Past Few Days I Have Been At A Cross road With Anonymous. Why? Because I Started To Think.
So When I Started With Anon I Thought I Was Helping People But Over The Past Few Months Things Inside Anon Have Changed. I Am Mostly Talking About AntiSec And LulzSec. They Both Go Against What I Stand For (And What Anonymous Says They Stand For). AntiSec Has Released Gig After Gig Of Innocent Peoples Information. For What? What Did They Do? Does Anon Have The Right To Remove The Anonymity Of Innocent People? They Are Always Talking About Peoples Right To Remain Anonymous So Why Are They Removing That Right?

Now I Could Talk for Hours On Why I Have Came To This Choice But I Don’t Think Anyone Would Or  Read It Or Care. So I Will Just Say Some Key Points:
They Are Removing Peoples Right To Anonymity, A Right Which They Claim To Protect And Uphold.
Sending Some Packets To A Server And Putting Info On-line Is Not Helping Or Solving Anything
Anonymous DOES Have A Leader Ship And They Don’t Give 2 Fucks About Us. Think, When Anons Were Arrested For DDoSing Paypal A While Back Was There A Mass Free Anon Operation?. Did They Put-Out Press Releases And Start Donations For Them?. No They Did One TV Interview And Fed Them To The Lions But When TopIary Was Arrested They Started #FreeTopIary We All Know He Is A “Higher Up” In Anon And They Started A Op For Him. You Think Those Donations Are Going To Topiary? Why Start A Op For Him? Well I Think It Is Because Of 2 Things:
- Press (Anon Is The Biggest Fucking Media Whore I Have Ever Seen)
- TopIary Is A Anon Who They Give A Fuck About
Now You May Think I Am Mad But All The Proof Is There. I Am Not Saying People In Anon Are All Fags, Some Thing They Are Helping. But They Have Been Tricked Into Thinking It. Truth Is Anonymous Hasn’t Brought Down Governments. The People Have. If You Was A Dictator you Wouldn’t Give a Fuck About People Taking Down Your Site. You Would Give A Fuck About The People Rioting And Wanting You Dead.
Anonymous Has Prayed On Peoples Willingness To Help Others. And Most Of Them Are Kids Who Don’t Understand What They Are Doing Can Fuck Up There Lives And The IRC Wont Help Them.
I Could Put More But I Don’t See The Point.

A Message To The Governments:
If You Hate Anon, Don’t Arrest The Kids. Arrest The Leaders. Without Them Everything Will Fall To Shit. All The Recruitment Will Stop And Then The People Will Start To Think And Understand That Anon Is Not Helping Anyone.
A Message To The Leaders Of Anon:
Fuck You Can’t Wait Till You All Get Arrested :D
And If One Anon Sees The Truth Every Week Then Your Time Is Running Out
A Message To The Anon’s:
Quit While You Still Can, You Are Not Helping Anyone And You Need To Think About The Long Run. Some Thinking Now Can Save You Some Large Legal Bills Later. And Yes I Will Be There When You Get  Out Of Court To Say: I Told You So. There Are Other Ways To Help People, Just Don’t Go To Anon You Are Not Hurting The Governments You Are Hurting Yourselves In The Long Run. And No I Am Not Saying I Agree With What The Governments Are Doing But I Also Do Not Agree With Anon.
You Cant Arrest A Idea But You Can Throw A Kid In Jail And Fuck Up Their Life.
Don’t Do The Crime If You Can’t Do The Time.

Ps:
I Am Not Saying Everything Anon Has Done Is Pointless Things Like Getting Internet To People When Governments Cut It Off I Support. I Am Just Saying Most Of It Isn’t Helping Anyone And Is Just Getting Kids Arrested.

I Would Like to Thank People Like:@th3j35t3r@sambowne@AnonTangoDown@providesecurityAnd Everyone Else Who Has Been Spreading The Truth About Anon.Thanks
SparkyBlaze

For Proof That I Am Not Trolling:
My Name Is Matthew And I Live In The UK, Manchester And No I Wont Post My Address And Phone Numbers Because I Know I Will Have Pizzas And Prank Calls To My House (That In It’s Self Is More Proof That You Are All Kids). If You Want To Know More Then By All Means Dox Me. Remove My Right To Remain Anonymous.

District Judge Howard Riddle released 18-year old alleged LulzSec hacker Jake Davis on bail Monday morning. Davis hacked under the name “Topiary” online and served as the public face of LulzSec, often publishing press releases and status updates on the group’s Twitter account, before he was arrested on July 27th. The news debunks earlier reports that authorities had been duped into arresting an the wrong man. Authorities in the U.K. said they discovered personal information for more than 750,000 people on Davis’ computers. Davis has been charged with hacking the Sun, Times, Sony and the Serious Organized Crime agency. Davis’ lawyers are highlighting his role as a press secretary for LulzSec and have argued that Davis did not participate in the attacks directly. Davis was released on bail but cannot access the Internet from any device, including from smartphones, The Financial Times said.

Read

The Metropolitan Police Service announced on Wednesday that it has arrested a 19-year old hacker suspected to be a member of both “Anonymous Operations” and “Lulz Security,” also known as “LulzSec.” The hacker, who went by the name Topiary, served as the publicist of both hacker groups and often posted press releases and statements on Twitter. His apartment in the Shetland Islands, Scotland is currently being searched and Topiary is on his way to a police station in London. A second 17-year old person in Lincolnshire, England is also being interviewed but has not yet been arrested. The FBI began raiding apartments and arresting a number of people believed to be involved with Anonymous and LulzSec on July 19th. The hacker groups responded to the arrests and said there is “nothing – absolutely nothing – you can possibly to do make us stop.” During that time, Topiary is believed to have tweeted “Arresting people won’t stop us, FBI. We will only cease fire when you all wear shoes on your heads. That’s the only way this is ending,” from the official LulzSec Twitter account.

[Via The Next Web]

Read