NEWS - December 30, 2014

Dec 29, 2014 11:15PM PST
Chaos Computer Club claims it can reproduce fingerprints from people's public photos

Chaos Computer Club, Europe's largest association of hackers, claims it can reproduce your fingerprints from a couple of photos that show your fingers. At the 31st annual Chaos Computer Club convention in Hamburg, Germany, Jan Krissler, also known by his alias "Starbug," explained how he copied the thumbprint of German Defense Minister Ursula von der Leyen.

We've seen before how fingerprints can be copied from a person who touched any object with a polished surface (like a glass or a smartphone). Krissler meanwhile showed how these biometrical attributes can be snatched without having to first obtain the physical objects.

Instead, he explained how fingerprints can be snatched from persons at public events by simply using a "standard photo camera." Because these fingerprints can be used for biometric authentication, Starbug believes that after his talk, "politicians will presumably wear gloves when talking in public."

Continued: http://venturebeat.com/2014/12/28/chaos-computer-club-claims-it-can-reproduce-fingerprints-from-peoples-public-photos/

Related:
Researcher Steals Fingerprints Using Only a Camera
German minister photo fingerprint 'theft' seemed far too EASY, wail securobods
Hacker claims you can steal fingerprints with only a camera
Politician's fingerprint 'cloned from photos' by hacker

Related to the CCC convention see "Invasive phone tracking: New SS7 research blows the lid off mobile security" below

Invasive phone tracking: New SS7 research blows the lid off mobile security
Dec 29, 2014 11:27PM PST

Hacker conference Chaos Communication Congress 31c3 is under way in Hamburg, Germany right now where a cluster of SS7 talks have revealed the ease of invasive cell phone surveillance.

Three groundbreaking research presentations and live demonstrations on SS7 have shown that the NSA -- or any government's ability or access -- isn't needed to track you completely (and terrifyingly) with your cell phone.

CCC is livestreaming all 31c3 talks and archiving them immediately, and you can see more of the conference's great presentations online now.

... "But in three of the conference's earliest presentations, onstage only a day ago, researchers show what's commercially available in the realm of phone spying, and it may scare you more than the Snowden documents."

Continued: http://www.zdnet.com/article/invasive-phone-tracking-new-ss7-research-blows-the-lid-off-personal-security/

Fake "The Interview" app is really an Android banking trojan
Dec 29, 2014 11:28PM PST

The must-see movie of the moment is surely not "The Hobbit: Battle of the Five Armies", "Unbroken" or even "Paddington". No, the one movie that everyone is talking about is "The Interview".

Following the devastating hack upon its computer systems by a hacking group which might (or might not) have the blessing and backing of North Korea, Sony Pictures flip-flopped as to whether the Seth Rogen comedy about the assassination of Kim Jong-un would have a Christmas Day release.

Eventually, the movie had a limited Christmas Day release in the States, much wider online availability for US internet users via sites like YouTube, and an even wider still copyright-infringing distribution via torrent sites.

But the computer security story surrounding "The Interview" doesn't end there.

Continued: http://grahamcluley.com/2014/12/the-interview-android-app-malware/

Related:
Beware: Fake "The Interview" movie download app is in the wild
Fake Android The Interview app actually banking Trojan

Cowards Attack Sony PlayStation, Microsoft xBox Networks
Dec 29, 2014 11:28PM PST

A gaggle of young misfits that has long tried to silence this Web site now is taking credit for preventing millions of users from playing Sony Playstation and Microsoft Xbox Live games this holiday season.

The group, which calls itself LizardSquad, started attacking the gaming networks on or around Christmas Day. Various statements posted by self-described LizardSquad members on their open online chat forum — chat.lizardpatrol.com — suggest that these misguided individuals launched the attack for no other reason than because they thought it would be amusing to annoy and disappoint people who received new Xbox and Playstation consoles as holiday gifts.

Such assaults, known as distributed denial-of-service (DDoS) attacks, harness the Internet connectivity of many hacked or misconfigured systems so that those systems are forced to simultaneously flood a target network with junk internet traffic. The goal, of course, is to prevent legitimate visitors from being able to load the site or use the service under attack.

Continued: http://krebsonsecurity.com/2014/12/cowards-attack-sony-playstation-microsoft-xbox-networks/

Related:
Grinches steal Christmas for Xbox Live, PlayStation Network users
Sony FINGERS DDoS attackers for ruining PlayStation's Xmas
With PSN, Xbox Live back online, focus shifts to hackers taking credit

Facebook Users Targeted Via Android Same Origin Policy Vulnerability
Dec 29, 2014 11:28PM PST

Researchers at Trend Micro say attackers are actively exploiting a vulnerability in Android's WebView browser in order to compromise Facebook accounts.

The flaw allows the attackers to bypass Android's Same Origin Policy (SOP), and impacts devices running versions of the operating system prior to 4.4. The vulnerability, CVE-2014-6041, was first disclosed in September by an independent researcher. But months later, the vulnerability continues to be exploited in the wild.

"The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser," according to the National Vulnerability Database.

Continued: http://www.securityweek.com/facebook-users-targeted-android-same-origin-policy-vulnerability

The Year's Biggest Winners and Losers in Privacy & Security
Dec 29, 2014 11:28PM PST

In most contests the winner isn't simultaneously the loser. But that wasn't the case this past year in the unofficial contest to determine computer security and privacy winners and losers.

The biggest winner in 2014 was you, the user. That's because a host of new products and services emerged to help protect the privacy and security of your data and communications. The rulings in two court cases also provided better protection against the warrantless seizure of your data.

But you were also the biggest loser this year in terms of privacy and security. Ongoing revelations about the NSA's widespread surveillance have made it clear that the intelligence agency, and its spy partners in the UK and elsewhere, will not rest until they've seized or deciphered every bit of your data.

Continued: http://www.wired.com/2014/12/biggest-privacy-security-winners-losers-2014/

Happy 5th Birthday, KrebsOnSecurity!
Dec 29, 2014 11:34PM PST

It's hard to believe, but KrebsOnSecurity turns five years old today! How time flies!

Probably the most rewarding part about being an independent reporter (for my part, anyway) is watching your readership grow and mature into a community that not only adds perspective and balance but also helps educate other readers.

"....Leaving aside the pieces in my All About Skimmers series, here are some of the most-read, exclusive posts from the past 365 days:

Antivirus is Dead: Long Live Antivirus
Lorem Ipsum: Of Good & Evil, Google & China
Are Credit Monitoring Services Worth it?
The Scrap Value of a Hacked PC, Revisited (oldie but a goodie) ...

Continued: http://krebsonsecurity.com/2014/12/happy-5th-birthday-krebsonsecurity/

The Slow Death of 'Do Not Track'
Dec 29, 2014 11:34PM PST

FOUR years ago, the Federal Trade Commission announced, with fanfare, a plan to let American consumers decide whether to let companies track their online browsing and buying habits. The plan would let users opt out of the collection of data about their habits through a setting in their web browsers, without having to decide on a site-by-site basis.

The idea, known as "Do Not Track," and modeled on the popular "Do Not Call" rule that protects consumers from unwanted telemarketing calls, is simple. But the details are anything but.

"..Now, finally, an industry working group is expected to propose detailed rules governing how the privacy switch should work. The group includes experts but is dominated by Internet giants like Adobe, Apple, Facebook, Google and Yahoo. It is poised to recommend a carve-out that would effectively free them from honoring "Do Not Track" requests. .."

Continued: http://www.nytimes.com/2014/12/27/opinion/the-slow-death-of-do-not-track.html

WTF? Malware spreads via Steam chat
Dec 29, 2014 11:34PM PST

If you are one of the many people enjoying playing games via Steam this holiday season, be wary of chat messages inviting you to click on a link.

Messages have spread between Steam users saying "WTF?????" linking to what appears to be a JPEG image file.

However, if you click on the link you will actually find yourself downloading a .SCR Windows executable file, containing malicious code.

Below you can see a screenshot of a malicious Steam conversation (details have been censored to protect the innocent), where a user eventually realises they had been compromised: [Screenshot]

Continued: http://grahamcluley.com/2014/12/wtf-malware-spreads-via-steam-chat/

Target Hackers Hit OneStopParking.com
Dec 29, 2014 11:36PM PST

Parking services have taken a beating this year at the hands of hackers bent on stealing credit and debit card data. This week's victim — onestopparking.com — comes compliments of the same organized crime gang thought to be responsible for stealing tens of millions of card numbers from shoppers at Target and Home Depot.

Late last week, the cybercrime shop best known for being the first to sell cards stolen in the Target and Home Depot breach moved a new batch of cards taken from an unknown online merchant. Several banks contacted by KrebsOnSecurity acquired cards from this batch, and determined that all had one thing in common: They'd all been used at onestopparking.com, a Florence, Ky. based company that provides low-cost parking services at airport hotels and seaports throughout the United States.

Continued: http://krebsonsecurity.com/2014/12/target-hackers-hit-onestopparking-com/

Internet Systems Consortium Site Redirects to Angler Exploit
Dec 30, 2014 1:22AM PST

The Internet Systems Consortium website is offline today after the non-profit domain name service maintainer announced its website had possibly become infected with malware.

The ISC, as it is commonly known, is perhaps best known as the developers of BIND, the most widely used DNS software on the Internet. However, the group also maintains the F-root server, one of the Internet's 13 root name servers.

The security firm Cyphort says it notified ISC.org of the infection on December 22. Sometime thereafter, the ISC replaced its homepage with a static notice informing users of the infection.

"We believe the web site may have become infected with malware," the ISC announced. "Please scan any machine that has accessed this site recently for malware. This is a WordPress issue, ftp.isc.org, kb.isc.org and our other network resources are unaffected."

Continued: http://threatpost.com/internet-systems-consortium-site-redirects-to-angler-exploit/110131

Lizard Squad launches DDoS tool that lets anyone take down online services, starting at $5.99 per month
Dec 30, 2014 1:22AM PST

Lizard Squad, the "hacker" group best known for multiple attacks on Microsoft's Xbox Live and Sony's PlayStation Network, has now launched a distributed denial-of-service (DDoS) attack tool. In other words, anyone can now take down the website or online service of their choice thanks to "Lizard Stresser," which we're not linking to for obvious reasons.

A DDoS attack is a common method for taking down a server by overloading it with requests. The end goal is to make a machine or network resource unavailable to its intended users.

"Welcome to LizardStresser, brought to you by Lizard Squad," reads the tool's introduction page. "This booter is famous for taking down some of the world's largest gaming networks such as XBOX Live, Playstation Network, Jagex, BattleNet, League of Legends and many more! With this stresser, you wield the power to launch some of the World's largest denial of service attacks."

Continued: http://venturebeat.com/2014/12/30/lizard-squad-launches-ddos-tool-that-lets-anyone-take-down-online-services-starting-at-5-99-per-month/