hack

Dropbox confirms it was hacked, offers users help

When a few hundred Dropbox users began receiving spam emails about online casinos and gambling sites two weeks ago, it seemed like something was up. And indeed there was.

The online file storage service confirmed today that hackers accessed usernames and passwords from third party sites and then used them to get into Dropbox users' accounts.

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," the company wrote in a blog …

Hacker delves into secret world of warranties

LAS VEGAS -- A young hacker here at Defcon 20 has pulled back the dense curtain of text and ambiguity surrounding warranties to show consumers how they can hack the warranty system -- and to tell companies how to improve their warranty management.

"Darkred," as he prefers to be called, explained to a standing-room only session that it's the way manufacturers manage serial numbers and warranties that allows the system to be hacked.

"The serial number makes you the owner of a product," said the 17-year-old, a high school senior from Texas. Darkred declined to …

iOS app hacking alive and well

LAS VEGAS -- While Apple was making its decidedly lackluster Black Hat debut just one floor up, security researcher Jonathan Zdziarski was explaining the dark art of iOS app hacking to a smaller but still crowded room.

A senior forensics scientist at viaForensics, he clearly didn't have much faith in the security of apps running on iOS. "iOS can be infected through a new zero-day, or you can take a phone and run real fast. Apparently, bars are a great way to pick up iPhones," he said as the audience chuckled, clearly remembering the two separate lost iPhone prototype incidents. …

Facebook aims 'bug bounty' at in-house network

Facebook is to widen its "bug bounty" program to reward researchers who spot holes in its corporate network.

According to a Bloomberg report today, the move will be announced at the Defcon hacking conference in Las Vegas.

Facebook already pays a bug bounty to outside hackers who report weaknesses in its products, but the move extends the program to its own infrastructure, too.

Rewarding "white hat" companies and individuals who unearth vulnerabilities in Web services and report them, rather than exploit them, is "not a new concept. The reasoning is thus: entice individuals with cash …

Hacking, the card game, debuts at Black Hat

LAS VEGAS -- There's much more to hacking than just the Hollywood portrayal of a speed typing contest, say the computer security professionals who've developed a new hacking-themed card game called Control-Alt-Hack.

Control-Alt-Hack is based on Steve Jackson Games' Ninja Burger, but from the characters to the mission cards to the entropy cards, the demystification of white hat computer security is the name of this game. Game co-designer, security researcher, and University of Washington Computer Security and Privacy Research Lab honorary member Adam Shostack said at the Black Hat 2012 confab here that when it comes to teaching …

Watching the crooks: Researcher monitors cyber-espionage ring

LAS VEGAS -- Researchers have uncovered a huge amount of malware and registered domains being used by criminals linked to China who are conducting cyber-espionage on a wide range of government, industry, and human rights activists.

The growing menace from these "Advanced Persistent Threats" is detailed in a report unveiled today called "Chasing APT." In an interview at the Black Hat security conference here, Joe Stewart, director of malware research at Dell Secureworks Counter Threat Unit, said that over the last 18 months he's been monitoring attacks designed to steal data from organizations around the …

Hotel cardkey locks said to be vulnerable to bypass hack

You may not be as safe in your locked hotel room as you think.

Keycard door locks from Onity -- used in more than 4 million hotel rooms around the world -- are susceptible to vulnerabilities that could lead to a security bypass, according to Cody Brocious, a 24-year-old Mozilla developer and security researcher. Brocious, who is expected to present his findings at the Black Hat security conference tomorrow, showed Forbes how he is able to open hotel doors with a gadget he built with materials costing less than $50.

Brocious' device spoofs a portable programming device used to control …

App Store hacker says the 'game is over'

The creator of an exploit that let users purchase digital goods inside of iOS apps without actually paying for them said today that Apple's fix puts the hack out of business.

"Currently we have no way to bypass [the] updated APIs," creator Alexei Borodin wrote in a post on his development blog. "It's a good news for everyone, we have updated security in iOS, developers have their air-money."

Borodin says that the exploit, which requires the use of third-party servers and specially-installed security certificates, will continue to be up and running until Apple releases …

In-app purchase hacker sets sights on Mac App Store

The exploit that allowed users to purchase digital goods inside iOS apps without actually paying has jumped platforms and now works on Apple's Mac platform.

The Next Web notes that programmer Alexei Borodin, who created the iOS in-app purchase exploit, now has a similar solution for apps purchased in Apple's Mac App Store. Like the exploit for iOS, this too requires that users install special security certificates on their machines, though it also requires the installation of an extra helper program.

Earlier today Apple said it had a fix coming in the next version of iOS, due out …

Apple to close in-app purchase hack in iOS 6, offers interim fix

Apple has outlined a way for iOS developers to protect themselves against an exploit that lets users gain free access to paid add-on content sold within their apps.

In a new support document posted today, the company provided detailed guidelines, urging developers to use its receipt validation system that cross-checks purchases made inside applications with the company's own records. It also said that it will be taking extra precautions to keep this from happening in the next version of iOS, due out later this year.

"We recommend developers follow best practices at developer.apple.com to help ensure …