Predictably, Snapchat user database maliciously exposed

On January 1, 2014, an anonymous user announced the release of SnapchatDB and 4.6 million usernames and matched phone numbers in a Hacker News post.

The Snapchat accounts - even those marked 'private' - were exposed in a database hack that Snapchat knew about for four months, ignored, then told press last week was only "theoretical."

According to SnapchatDB, the leak was made possible with a recently patched, but still useful exploit.

Hacking the database wasn't enough to merit a response

One week ago in December, we broke news that Researchers at Gibson Security published Snapchat code allowing phone number matching after exploit disclosures ignored.

GibSec highlighted several Snapchat exploits and they were arrogantly dismissed by Snapchat, but it looks like someone else has taken GibSec seriously.

The SnapchatDB website is gone, but the database was copied, torrented and mirrored (on Mega) widely prior to its removal.

Several websites immediately sprung up offering a tool for users to see if they're in the database leak. The source of the first and second disclosures, Gibson Security, created this Snapchat hack lookup tool.

The last two digits of each phone number in the hack dump were hidden. But SnapchatDB said full numbers would be revealed for interested parties, indicating the 4.6 million usernames and numbers will likely be sold to spam and phishing operations.

The linking of phone numbers to usernames in accounts from major cities within the United States and Canada is a private information disaster that could have been avoided if the company had acted when repeatedly warned.

Gibson Security told ZDNet that fixing the threat would have only cost Snapchat ten lines of code.

With publication of username matches to phone numbers, malicious entities can now hop-step to brute force account passwords, and cross-match data from other databases to compile profiles across multiple services for stalking, spamming, and more.

In the EU, a person's phone number is categorized as personal information, and falls under data protection laws.

Responsible disclosure is dead

Snapchat joins a long legacy of companies denying responsible disclosure by security researchers, only to be embarrassed when users become victims of the exact targeted attacks whose warnings went ignored.

In October, Apple told press that Apple can read your iMessages with an iMessage man-in-the-middle attack (hijacking and changing messages between iPhones in real time).

Like Snapchat, Apple downplayed the risks and attempting to discredit responsible security researchers by cavalierly labeling responsible disclosures as "theoretical."

In a statement to AllThingsD, Apple spokesperson Trudy Muller said: "iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."

The same day as Apple's dismissal, we published video of the researchers giving us a live demonstration of iMessage interception and alteration between iPhones, directly proving Apple wrong.

Snapchat's story is disturbingly egregious; Gibson Security warned Snapchat in August of its security problems, and went public with claims when Snapchat refused to acknowledge what GibSec felt were issues that put users - such as themselves - at serious risk.

Snapchat did nothing. On Christmas Day, Gibson Security published Snapchat exploits (only a few of the ones GibSec found) in an attempt to spur Snapchat into action to take user safety and database security seriously.

Gibson said it was sick of Snapchat ignoring security researchers.

"That vulnerability is completely theoretical." - Microsoft

Like Apple Snapchat did not respond to ZDNet's request for comment - despite the fact that we first broke news and published technical information about security researchers' discoveries.

In fact, Snapchat admitted to Gibson Security that it first learned about the exploits from our pre-publication email requesting comment about GibSec's disclosures.

Both companies only responded to press outlets that have a record of reporting uncritically about the companies.

read more : http://www.zdnet.com/predictably-snapchat-user-database-maliciously-exposed-7000024697/

The latest malware innovation: Infect ATMs and have them pump out cash

Hackers in Europe managed to target several cash machines from an unnamed bank earlier last year by infecting them with malware from USB drives, BBC News reports. The researchers who discovered the hack detailed their findings at the Chaos Computing Congress in Hamburg, Germany recently. According to their report, the ATM thefts were discovered in July after a bank noticed how its machines were emptied of cash even though the cash should have been protected inside safes. The bank then discovered how criminals were cutting holes into ATMs in order to transfer malware from the USB to the ATM. Once the data transfer was complete, the holes would be patched up to conceal the attack.

To withdraw money, hackers would then enter a 12-digit code that brought up a special menu showing how much of each currency denomination was available within the ATM. The thieves would then withdraw the highest value banknotes in order to spend as little time as possible in front of ATMs and thus avoid suspicion.

Interestingly, in order to prevent untrusted fellow gang members from withdrawing money from the compromised ATMs, the hackers used a double sign in mechanism. In addition to the 12-digit code, the thief would also have to enter a second code in response to a unique random sequence of numbers shown on the ATM. The response came via a phone call from another gang member, meaning that at least two people would be involved with each ATM heist. The machine would return to its normal state after three minutes of malicious inactivity.

The research has shown that the hack did not actually target data from regular customers using the machines, and instead focused only on directly retrieving the money. As for the code itself, the hackers “had gone to great lengths to make their malware code hard to analyze,” BBC writes, with researchers concluding that the hackers must have “profound knowledge of the target ATMs.”

From : http://bgr.com/2014/01/01/atm-hacking-malware-attack/

The Syrian Electronic Army Rings In The New Year By Hacking Skype’s Social Media Accounts

The Syrian Electronic Army is at it again. The group just hacked Skype’s blog and twitter accounts, spreading an anti-NSA, anti-Microsoft message in the process. “Don’t use Microsoft emails (hotmail,outlook), They are monitoring your accounts and selling the data to the governments”, says one posting. “Hacked by Syrian Electronic Army.. Stop Spying!”,says another.

Skype, the service itself, does not appear to be affected.

The group also gained control of Skype’s Facebook although that message has since been deleted. However, the postings were up for nearly 40 minutes.

As of publication, the activist group still seemingly has control of Skype’s blog and Twitter.

Read More : http://techcrunch.com/2014/01/01/the-syrian-electronic-army-rings-in-the-new-year-by-hacking-skypes-social-media-accounts/

'Jailbreaking' Apple devices creates business for hackers

Each year, Apple releases a new version of the software running its iconic mobile devices, the iPhone and iPad. And each year, a small but dogged community of hackers sets out to break it - or, in the words of the hackers, "jailbreak" it.

The liberation imagery long seemed apt. Apple puts strict limits on how its devices can be used, requiring, for example, that all apps be bought through the company's lucrative iTunes store. By comparison, the hackers styled themselves as plucky hobbyists seeking freedom from what they derided as Apple's "walled garden" and into a promised land of virtually limitless new software.

That image has taken a beating in recent days as prominent hackers have battled allegations that they've been working not for ideals but for money. The supposed payoffs would have come from Chinese investors eager to cash in on the spread of Apple products in that country.

Although there's no evidence money changed hands, the controversy has highlighted how Apple's restrictions on its mobile devices have fuelled the creation of alternative marketplaces, where the thrill of trying to outsmart one of the world's richest companies mixes with at least the possibility of fat profits for those who succeed.

"Anything that can open up a whole new line of sales on [Apple devices] is certainly worth a lot to somebody," said Brian Krebs, who covers internet security issues on his blog, KrebsOnSecurity. "If you jailbreak it, it means there are millions of more apps to sell."

Apps for mobile devices earned nearly $US27 billion in 2013 and are projected to earn more than $US76 billion in 2017, with Google's Android operating system and Apple's iOS platform the dominant players, according to Gartner, a research firm. Apple reported $US9.3 billion in revenue last year from its iTunes store, which sells apps along with music, movies and electronic books.

Among the key growth markets is China, where lower-priced Android devices have a large lead and Apple is working to make inroads. It announced a deal in December to offer the iPhone through China Mobile, the world's largest cellular carrier.

Apple's tightly controlled ecosystem has long been part of its appeal. Company founder Steve Jobs, who died in October 2011, obsessed over every detail of the user experience, with the goal of having hardware, software and online services working together seamlessly.

The tradeoff came in control for consumers. While Google's Android devices are made by many different manufacturers and can load apps from any store a user chooses, Apple makes it own products and rigorously oversees the apps available on iTunes, typically taking a 30 per cent cut from every sale and barring developers who do not comply with the company's many rules.

"Apple products are like beautiful crystal prisons," said Peter Eckersley, director of technology projects at the Electronic Frontier Foundation, a civil liberties group. "Deviation from that is not allowed."

Jailbreaking can allow users of Apple mobile devices substantial new powers - for example, to fake their locations to defeat location tracking and service blackouts. It can allow free "tethering" so users can direct data streams from their iPhones to other devices without paying for a separate connection. And it can allow the use of alternative browsers that have privacy settings not available on Apple's Safari.

Advocates for the disabled, meanwhile, have sponsored a campaign to raise money in support of jailbreaking Apple's latest mobile device operating system, iOS 7, because iTunes does not offer some apps they find helpful.

Jailbreaking devices removes key security features. One of the few successful iPhone attacks - a prank virus that changed the background screen to an image of British pop star Rick Astley - spread on jailbroken devices.

"Apple's goal has always been to ensure that our customers have a great experience with their iPhone, and we know that jailbreaking can severely degrade the experience," Apple spokeswoman Trudy Muller said in a statement. "As we've said before, the vast majority of customers do not jailbreak their iPhones as this can violate the warranty and can cause the iPhone to become unstable and not work reliably."

Jailbreaks and other types of hacks once were widely available for free, but the security vulnerabilities they rely on have become valuable commodities, in part because of the demand from government intelligence services, such as the National Security Agency.

The recent controversy flared when, a few days before Christmas, a hacker group called the "evad3rs" released the first publicly available jailbreaking tools for iOS 7. The tools also loaded a Chinese app store, called Taig, for devices that were set to use the Chinese language.

Read more: http://www.smh.com.au/technology/technology-news/jailbreaking-apple-devices-creates-business-for-hackers-20140101-305p9.html#ixzz2pCo7sb9U