Showing posts with label hacking. Show all posts

Thursday, September 07, 2017

Samsung Invites You to Try to Hack Their Devices

In the world of technology, security is king! So much so that most of the major tech giants have already launched security programs aimed at rewarding would-be hackers if they share their exploits with the company before they become a major issue. Today Samsung has become the latest player in the game with the launch of their very own rewards program.

In an attempt at making sure that its smartphones, such as the Galaxy S8, S8 Plus and the Galaxy Note 8, are safe to use by the public, Samsung has officially launched the Samsung Mobile Security Rewards Program. The program invites members of the security community to assess the integrity of Samsung’s mobile devices and associated software to identify potential vulnerabilities in those products.

“As a leading provider of mobile devices and experiences, Samsung recognizes the importance of protecting users’ data and information, and prioritizes security in the development of each of its products and services,” said Injong Rhee, Executive Vice President and Head of R&D, Software and Services of the Mobile Communications Business at Samsung Electronics. “As part of our commitment to security, Samsung is proud to work in close partnership with the security research community to ensure that all of our products are monitored closely and continually for any potential vulnerabilities.”

The program will cover all of Samsung’s mobile devices currently receiving monthly and quarterly security updates, currently a total of 38 devices. In addition, the program will reward submissions for potential vulnerabilities in the latest Samsung Mobile Services, including Bixby, Samsung Account, Samsung Pay and Samsung Pass, among others. Dependent upon the severity of a given submission, as well as the researcher’s ability to provide proof of concept, Samsung will issue rewards of up to $200,000.

The Mobile Security Rewards Program is effective immediately. For additional information, including terms and conditions, visit the Samsung Mobile Security page.

Wednesday, October 05, 2016

Intel Wants to Help Keep Your Information Private During National Cyber Security Awareness Month

As we enter the first week in October we are reminded that this month is National Cyber Security Awareness Month. With that comes plenty of news, warnings and educational campaigns aimed at helping users at all levels to become more aware of the issues we all face with security and privacy.

Several major companies, including longtime geek favorite Intel, have announced their commitment to the National Cyber Security Alliance’s “Lock Down Your Login” Internet safety and security initiative. The campaign, which was first announced by the White House in February, calls for all Americans to move beyond traditional username and password protections to better secure the important information in their email, banking, and social media accounts.

“Lock Down Your Login” provides consumers with information ranging from what strong authentication is, to why it is important, to how it is implemented. FAQs provide details about the goals of the campaign, the limitations of traditional usernames and passwords, and what kinds of information are collected and used to support authentication.

For their part in the National Cyber Security Alliance, Intel is offering users more information on True Key, a free application developed by Intel Security that offers users a multifactor password manager that secures and encrypts all your passwords. Unlike most traditional password managers, True Key utilizes unique-to-you factors, like face and fingerprints, or devices you already own and have registered, to use two-factor authentication allowing you to safely store all your passwords and guarantee that you'll be the only one using them.  Consumers can download this free app at www.truekey.com  — an easy way to enhance safety online.

Wednesday, July 20, 2016

Hackers Use the 2016 Rio Olympics to Target Potential Victims


With the 2016 Rio Olympics just a couple weeks away, we are seeing new warnings of potential threats from hackers that include anything from malware and ransomware to full-blown interruptions of sites and services associated with the events. These potential threats mean that visitors to the Olympics and you viewers/followers at home should be extremely diligent and cautious when it comes to opening emails, viewing videos and visiting sites related to the 2016 Olympic Games.

It is fully expected that cyberthreats related to the games will escalate over the coming weeks, meaning you could see phishing emails pushed to your inbox or malicious attacks potentially affecting and infecting the websites you visit.

Malicious Apps and Sites

While we all like to think of our app stores and favorite sites as being secure, history shows us that is not always the case. Malicious apps can sneak past the gates and even our favorite sites can be hit with malicious ads or code that injects links for bad downloads. Add to that the warnings about phishing attempts above and users are likely to face the real threat of malicious downloads.

Again, this all comes down to a 'think before you click' mentality. When visiting sites related to the 2016 Olympics or installing applications to follow the games, be sure you are using official applications on your smartphone rather than low-rated ones with small user bases.

If you are visiting a site from your phone or computer and you see pop-up boxes for things like Flash Updates, app installs or anything else that might not seem right, be sure that you use caution. Back out of the page, if you can, and download any and all updates directly from the source. If you are on your smartphone and an app is asking to install from "Unknown Sources", stay away!

Beware Phishing Emails and Malicious Social Media Posts or Messages

Major sporting events have always attracted the attention of would-be scammers, targeting the public in just about any way imaginable. Over the years these worldwide events have become very lucrative targets for hacking groups using tools like phishing emails, social media posts and malicious downloads.

Phishing emails and social media posts are particularly popular ways for hackers to spread malware and other malicious software. They offer high reward and returns for little work and are seen as highly effective. A favorite among hackers is messages and links sending would-be victims to a site to view high-profile video of a favorite star, record-breaking event or something similar. Another favorite phishing scam is links to bargains on great seats to events, or fake confirmations for reservations, service or seating to events. In reality these emails and links contain things like malicious downloads of ransomware or fake sites that utilize realistic-looking log-in pages to steal your passwords and log-in information.

The old adage “Think before you click, especially if something looks too good to be true!” rings loud and clear when it comes to emails involving the 2016 Olympic Games and is one most security researchers are trying to reiterate to everyone!

Thomas Fischer, a security researcher at Digital Guardian, has already been noticing an increase in phishing scams trying to take advantage of the Olympics. Typically, a user will receive an email loaded with an attachment that invites them to an Olympics ticket lottery. Inside the attachment, however, is malicious code that will download the Locky ransomware and begin encrypting all the user’s files. Hackers are already blanketing email addresses with this kind of attack. They’ll also pretend to be an organization like an Olympics committee.

Banks and Banking Data Are A Popular Target

For those that are lucky enough to visit Rio for the games, you should use extreme caution when using banks and point-of-sale machines. We know that banks and banking data are always popular targets; however, we are seeing several warnings that Brazilian hackers are developing applications that install Trojans (back door access to your computer or phone) that pretend to be legitimate banking software, but in actuality can steal the victim’s payment information.

These apps tend to target local users more than anything, but they may evolve into something more and could be potential threats to travelers. 

Dmitry Bestuzhev, the head of global research for security firm Kaspersky Lab, has warned that visitors to the Rio Olympics should be wary of ATM and point-of-sale machines in the country. They often can be infected with malicious code that can secretly steal payment data once a banking card is swiped. “The attacker has the capability to intercept the data and then to clone the card,” he added.

Another danger Bestuzhev is warning users of is the use of public Wi-Fi spots in Brazil to access important personal, financial or business data. These access points are oftentimes insecure. A hacker can use them to eavesdrop on victims and steal their passwords, Bestuzhev said, adding the recommendation that users buy a VPN service to encrypt their Internet communications.

The Office of the Director of National Intelligence, in a recent awareness campaign, took an even more drastic step, stating that visitors should consider leaving all of their devices at home, instead suggesting that carrying a burner phone, which doesn't contain personal data or secure information, might be a good idea. It was also suggested that you change your passwords often while you are there.

In the end all of these warnings are meaningless unless the user actually implements a good plan. If you are traveling to Rio for the games you should make sure all your data is backed up, not only in case of a security breach but of loss or theft (another real threat). You should, as always, make sure your devices and security software are fully updated with the latest patches, virus definitions, etc. You should also run frequent scans just in case.

The most important thing though is to be DILIGENT! Don't open odd emails, click links without confirming them, use odd sites or download software from unknown places and you should be fine!

Wednesday, February 17, 2016

Privacy: Why Do We Fear The Government Yet Embrace Major Corporations?

The recent firestorm around Apple's refusal to help the FBI crack the iPhone belonging to San Bernardino terrorists has certainly raised several questions. Not only about personal privacy and our government's access to our private data, but also about a company's role in protecting that data. For me however, it has raised a different set of questions, mainly the question of why we would trust a multi-national, billion dollar company over our own government that is sworn to protect its citizens.

I've long followed the case and leaked information Edward Snowden has provided the public with. Especially the disclosure of several NSA projects and programs that have for years used several high profile tech companies to conduct surveillance on 'everyday citizens'.

While I do believe there are plenty of nefarious projects out there, and that the government has been increasingly guilty of over-reach the question in my mind that has always remained was how much is it the government and how much is it the tech companies themselves or even the citizens. After-all, we are so willing to give up this information. Why wouldn't they want to take it?

So we now fast forward to Apple's most recent defiance of a court order that is meant to compel them to help the FBI access data on a locked iPhone. The question that is raised, is should Apple work with the FBI to bypass the locks that are in place and if they do, should those tools then be given to law enforcement agencies to use. We won't talk about whether or not Apple can/can't actually achieve this!

This brings me to my question: When did the notion that our government has somehow become a great evil become so entrenched in our brains that we are so blindly willing to hand over all controls of our data to a company like Apple? Why are so many willing to believe that they are actually going to act in our best interests over their own?

How is it that we are so willing to allow major corporations with no accountability complete and unfettered access to every aspect of our daily lives and total control over our privacy yet we worry so much about our government, with a great deal of accountability and restriction, wanting to access even the most minor of details?

This is after-all a company that has the ability to act with an unfathomable level of impunity. They are shielded behind a TOS, which most users barely understand. We by all rights hand these companies that door, the lock and the key.  Yet we scoff at the government when they act within the full letter of the law to attempt to gain access to any portion of that data.

Why is it that we are so willing to allow major corporations with no accountability complete and unfettered access to every aspect of our daily lives and total control over our privacy yet we worry so much about our own government? A government that has to act within the scope of the law and has a great deal of accountability and restriction!

Have we come so far from the days of seeking government oversight, consumer protections, the break ups of monopolies and 'robber barons' that we are now fearing the very entity that we once embraced to save us from these 'Orwellian Giants'? Do we really truly want the keys to the kingdom to reside solely in the hands of corporations that only see the bottom line?

Personally I think not! I think we should really take a good hard look at these companies, especially the ones that want to proclaim themselves above the letter of the law and 'protectors' of overreach by the government. Now this shouldn't mean to say I think the government should have unfettered access to things like encryption keys, user data, or any sort of 'backdoor' programs. In fact the opposite is true! I think our government should be held to even higher scrutiny and standards than it is today. That doesn't mean we should not then scrutinize companies and their motives as well. 

Tuesday, November 03, 2015

Hackers Earn A Cool $1 Million With iOS 9 Remote Jailbreak

Just a few short months after security firm Zerodium offered a million dollar bounty for a working exploit that could remotely jailbreak an iPhone or iPad running the latest version of iOS, a team of hackers may have found the answer and successfully claimed one of the $1 million prizes.

A tweet sent out on Monday from Zerodium congratulated one winning team, though it didn't identify the researchers, nor did they offer any further details of the exploit. However, it would appear as though they have submitted the results and Zerodium has confirmed that the exploit "is still being extensively tested by Zerodium to verify and document each of the underlying vulnerabilities."

The challenge consisted of finding a way to remotely jailbreak a new iPhone or iPad running the latest version of Apple’s mobile operating system iOS (in this case iOS 9.1 and 9.2b), allowing the attacker to install any app he or she wants with full privileges. The initial exploit, according to the terms of the challenge, had to come through Safari, Chrome, or a text or multimedia message.

Zerodium founder Chaouki Bekrar explained to Motherboard that the winning team found a "number of vulnerabilities" in Chrome and iOS to bypass "almost all mitigations" and achieve "a remote and full browser-based (untethered) jailbreak."

If true, this would likely be the first such jailbreak since the days of iOS 7. Zerodium hasn’t revealed any details of the hack or provided any details of the team who is claiming the bounty, and isn’t likely to do so either. In the past Zerodium has been known to be an exploit accumulation service, gaining the information from security teams and then selling that exploit for a profit to the highest bidder. These bidders are more often than not intelligence agencies like NSA or FBI, who have often complained about how difficult it is to access an iPhone.

In this case Bekrar says he expects to sell the new iOS hack to a U.S. customer and has no intention of informing Apple of the security vulnerabilities that are used or how the exploit works.


Tuesday, September 22, 2015

Security Company Offers $1 Million Bounty For iOS 9 Bugs and Exploits

Security is big business these days and bug bounty programs are becoming more and more lucrative, with a large number of companies out there now offering some sort of reward to researchers and would-be hackers for finding and disclosing exploits. One company, however, that has notably been late to the fray is Apple.

While Apple has elected to keep themselves out of the 'pay for vulnerabilities' business, that hasn't stopped others from doling out loads of cash for exploits that impact Apple's software. Zerodium, an exploit acquisition company, stepped up where Apple has not with an impressive promise to pay up to $3 million to security researchers who can provide them with an “exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices.”

"Apple iOS, like all operating system[s], is often affected by critical security vulnerabilities," Zerodium said in an announcement. "However due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS.

"But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation," the company continued. "And here's where the Million Dollar iOS 9 Bug Bounty comes into play."

The Million Dollar iOS 9 Bug Bounty is tailored for experienced security researchers, reverse engineers, and jailbreak developers, and is an offer made by Zerodium to pay out a total of three million U.S. dollars ($3,000,000.00) in rewards for iOS exploits/jailbreaks.

The initial attack vector must be a Web page targeting the mobile browser or any application reachable through the browser, or a text message delivered via SMS or MMS. Plus, the exploitation process should be achievable "remotely, reliably, silently, and without requiring any user interaction" except visiting a website or reading a message, Zerodium said. The jailbreak must also work reliably on the iPhone 6s, 6s Plus, 6, 6 Plus, 5, 5c, and 5s, as well as iPad Air 2, iPad Air, fourth-gen iPad, third-gen iPad, iPad mini 4, and iPad mini 2.

Zerodium will pay out one million U.S. dollars ($1,000,000.00) to each individual or team who creates and submits to Zerodium an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices. The program is open until Oct. 31 at 6 p.m. Eastern. But keep an eye on Zerodium's website, as the bug bounty may end early, once the $3 million payout is depleted.

For those interested in taking a chance at the reward you can view the full details and terms of the program here.

We feel we should also mention there are at least a few concerns over what Zerodium's intentions with the vulnerability are. Our brethren of geeks over at Engadget have warned hackers to beware of Zerodium, as founder Chaouki Bekrar has a history of selling exploits to the highest bidder rather than disclosing issues to the manufacturer. In fact, Zerodium does not want these vulnerabilities patched—at least not until it can resell them for a profit, Engadget said.

Tuesday, February 24, 2015

Google Makes Changes to Pwnium Competition Offers Bigger Rewards Year Around

It is almost time for the CanSecWest security conference, which has played host to Google's Pwnium competition for the last few years. For those that don't know, Pwnium is the hacking competition that gives security researchers a chance to show off some of their latest exploits for the chance to win a share of a huge pile of cash that Google puts up for rewards each year (last year it was e million). This year Google has announced it will be making a few changes to the competition taking it to all new levels of extreme!

Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at CanSecWest to a year round, worldwide opportunity for security researchers to showcase their findings of the latest bugs and vulnerabilities.

Google says they are making these changes for several reasons. The biggest of course being delays in reporting of new finds. As it stands there is little incentive for researchers to come forward with vulnerabilities, because it literally doesn’t pay to do so. With the new, more lucrative rewards program Google hopes to eliminate those delays. Some other reasons for the changes given are:

  • Removing barriers to entry: At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot. Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.
  • Removing the incentive for bug hoarding: If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.
  • Our researchers want this: On top of all of these reasons, we asked our handful of participants if they wanted an option to report all year. They did, so we’re delivering.

Starting today, instead of going the traditional route and applying for Pwnium, researchers can now submit bug chains to the Chrome Vulnerability Reward Program for confirmation and possible payout. Here is a list of rules for submission:
  • Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.
  • Bugs disclosed publicly or to a third-party for purposes other than fixing the bug will typically not qualify for a reward. We encourage responsible disclosure, and believe responsible disclosure is a two-way street; it’s our duty to fix serious bugs within a reasonable time frame.
  • If you have a fuzzer running on ClusterFuzz as part of our Trusted Researcher program, you will not receive a reward if one of our fuzzers finds the same bug within 48 hours.

Google will be adding Pwnium-style bug chains on Chrome OS to the Chrome VRP. This will increase the top reward to $50,000, which will be on offer all year-round. There’s no limit on the number of bugs you can submit. Last year, Pwnium gave out awards ranging from $110,000 to $150,000 for various pre-determined exploits. Google says the reason Pwnium rewards were so much larger is because of the constraints on the types of bugs that could be submitted.

For security teams and researchers interested, Google invites you to check out their FAQ for more information. Good luck and happy bug hunting!

Monday, June 16, 2014

Easily Root Your Galaxy S5 and Other Android Devices Thanks to 'Towelroot'

Mobile device security is a priority for Android developers and device manufacturers. Google and OEMs like Samsung have been working to add as much protection as possible to their devices for years. While extra security is a good thing for all consumers, it has its downsides for us geeks that like to root and customize our devices to our liking.

Having root access to your Android device means you can make almost any changes you'd like, even system-level changes which include new custom ROMs (the OS that runs the phone). Back in the early days of Android it used to be trivial to root an Android device, but they’re much more locked down these days.

As a consequence of OEMs adding a new level of security and more security features like Samsung's KNOX, it has become harder to gain root access to many of the new Android devices such as the Galaxy Note 3 and Galaxy S5. Until recently the AT&T and Verizon versions of the Samsung Galaxy S5 were unable to be rooted, prompting XDA members to take up a collection for a bounty on a root method that topped over $18,000.

Enter famed developer and noted hacker George “Geohot” Hotz. Geohot has come forward with a working root method that not only roots the Galaxy S5, but it also roots almost every other Android phone currently on the market.


Dubbed Towelroot, the new tool comes in the form of a downloadable APK file that makes rooting your device as easy as allowing your device to install from 'unknown sources', sideloading an APK file and clicking “make it ra1n.” Because this method is easy it should be noted you should only download Towelroot from the official page. That’s also where Geohot is accepting donations for his work via PayPal and Bitcoin.

Since the tool differs from all the standard root methods in that it uses an exploit to root phones, it should work on almost all phones running Android 4.4.2 or earlier. That includes all of Samsung’s recent phones like the Note 3, Galaxy S5, and Galaxy S4. All of LG’s newer flagships (G2, G3, G2 Pro, etc.) are susceptible as well. And that’s just the start.

If you've ever wanted to try rooting your phone and using a custom ROM it certainly doesn't get any easier than this! Just be aware this tool will probably void your warranty, especially on Samsung devices where it will trip the Knox security flag.



Thursday, May 29, 2014

iPhones Being Held For Ransom, Possible iCloud "Hack" To Blame

Over the past several days reports of iOS devices being locked via 'Find My iPhone' and held for ransom have been mounting and as of yet no one can explain what is going on or how the hackers gained access to the iCloud accounts.

Reports initially began to trickle in earlier this week, when Australian newspaper The Age discovered Tweets and forum posts from owners of Apple devices from across Australia. Users were reporting receipt of a Find My iPhone message indicating their iPhones and other iOS devices had been remotely locked by "Oleg Pliss". The message, seen below, is demanding payment of a US$100 ransom via PayPal to unlock affected devices.


It now appears as though the issue is much more widespread and encompassing! The original Apple Support community page has grown to include 27 pages (at post time) of iOS device owners posting reports of similar problems.

Of course the first thing people assume when they see their locked device is that somehow, Apple is to blame. It must be a vulnerability in iCloud, right? When asked to comment Ben Grubb from the Sydney Morning Herald got this response from Apple.

The blanket generic "we take security seriously" statement doesn't mean much. Apple is denying any compromise of iCloud and implying that weak user credentials are to blame. This may in fact be the case! We know from numerous reports that people often make very bad password choices. However, their response is dismissive and does little to reassure a customer.

So how is this iCloud hack being propagated?

At this time no one really knows for sure, and Apple sure isn't saying. The only statement issued so far follows those Mr. Grubb received:

In full, Apple said: "Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store."

The ransom may just be the beginning!

Locking a user's iPhone or iPad and asking for $100 could just be the start of something far greater. If the hackers truly have full access to someone's iCloud account there is much, much more potential than just a small ransom.

For starters, most people use iCloud's automatic back-up feature to keep their device contents in Apple's cloud. An attacker with control over someone's iCloud has full access to those contents and the ability to restore one of these backups to their own device. This means they get the victim's photos, videos, documents, iMessages, email stored on the device and basically any conceivable digital asset the victim has on their iPhone or iPad. It's a very large collection of extremely personal data.


There is also the potential and very real threat of stalking victims or using their location data. Find My iPhone presents the location data of each device the hackers have on a map. Clearly that creates the potential for a serious invasion of privacy, particularly when you consider that families often have multiple devices under the one iCloud account.

In addition to the above threats we are hearing that it's not just iDevices connected to iCloud that have been breached. According to a few reports we've already seen Macs impacted as well. This opens the door to a whole new level of intrusions and data leaks.

The hard reality is that our digital lives are so intrinsically chained together across otherwise independent devices that a breach of a common service like iCloud can have very broad-reaching ramifications.

Monday, April 28, 2014

The Department of Homeland Security Issues Internet Explorer Warning

Amidst ongoing reports that a recently discovered zero-day exploit is being used to attack financial and defense organizations in the US via Internet Explorer 9, 10, and 11, the US Department of Homeland Security has issued a warning urging everyone to stop using IE until the exploit is patched!

US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system.

US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.

For more details, please see VU#222929.

The vulnerability, which was first discovered over the weekend, has been confirmed by numerous sources and an advisory issued by Microsoft to be currently active in 'limited attacks' in the wild. While all versions of the web browser, IE 6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm FireEye, which first reported the flaw Friday.

The attack leverages a previously unknown "use after free" vulnerability -- data corruption that occurs after memory has been released -- and bypasses both Windows DEP (data execution prevention) and ASLR (address space layout randomization) protections, according to FireEye.

While the Microsoft security advisory offers some suggested actions, there was no word as to when we'll see a patch for the flaw. Given that, we feel the best course of action would be to stop using Internet Explorer entirely and switch to Google's Chrome, Mozilla Firefox or another browser of choice (not one back-boned by IE of course).

In a separate set of attacks, security researchers have also warned of an active campaign that was targeting a critical vulnerability in fully patched versions of Adobe's ubiquitous Flash media player. These attacks threatened not only Windows-based PCs but OS X and Linux as well, causing Adobe to issue an emergency update.

The vulnerability was fixed in the newly released Flash Player 13.0.0.206 for Windows and Mac and Flash Player 11.2.202.350 for Linux. The Flash Player versions bundled with Google Chrome, Internet Explorer 10 on Windows 8 and Internet Explorer 11 on Windows 8.1, will get the fix automatically through the respective update mechanisms of those browsers.

Sunday, October 06, 2013

Adobe Confirms Data On 2.9 million Customers Stolen In Hack

Adobe Systems confirmed on Thursday that hackers had breached several servers and databases, accessing source code to the company's more popular software such as Adobe Acrobat. During the breach the hackers were also able to gain access to full user data, including credit card information on about 2.9 million customer accounts.

Adobe Chief Security Officer Brad Arkin said the company had been investigating the breach since its discovery two weeks ago and that it had no evidence of any attacks based on the theft. "Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident," Arkin wrote on an Adobe blog.

Arkin said hackers also took information on 2.9 million Adobe customers, including their names, user identification numbers and encrypted passwords and payment card numbers.

Adobe has said it will be taking the following steps to ensure customers are aware of the attack and to prevent any further intrusions:
  • As a precaution, Adobe will be resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. It is also recommended that you change your passwords on any website where you may have used the same user ID and password.
  • The company is in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter directly from Adobe with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.
  • The company has worked to notify the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.
  • Federal law enforcement has been contacted and the company is working closely with them assisting in their investigation.

What the Adobe Hack means to you!


Despite their steps to keep customers safe, this level of security breach should be a major concern for all those that may be impacted. We strongly suggest that anyone that has worked with Adobe's sites in the past immediately change their log-in information. Secondly, anyone that has a credit card that could be on file with the company, whether you are contacted directly by Adobe or not, should be diligently monitoring their statements and transactions for any possible misuse. Third, and this can't be stated enough, be on the lookout for fake Adobe emails with malicious links. Oftentimes hackers unassociated with the original breach will use news headlines to create phishing attacks, sending legitimate-looking emails to unsuspecting users to dupe them into visiting fake sites with malicious code. Always check those links, email sources, etc., and never share any personal information once you are there.

Friday, September 13, 2013

Mobile Pwn2Own Offering $300K In Prize Money

The second annual Mobile Pwn2Own contest will take place in Tokyo, Japan on Nov. 13-14, TippingPoint announced on its company blog today. This year's event will offer up to $300,000 in prize money to researchers who can successfully demonstrate attacks against mobile services and browsers.

This year’s Mobile Pwn2Own contest is offering the following prizes in the following categories: 
  • Short Distance/Physical Access ($50,000), either:
    • Bluetooth, or
    • Wi-Fi, or
    • Universal Serial Bus (USB), or
    • Near Field Communication (NFC)
  • Mobile Web Browser ($40,000)
  • Mobile Application/Operating System ($40,000)
  • Messaging Services ($70,000), either:
    • Short Message Service (SMS), or
    • Multimedia Messaging Service (MMS), or
    • Commercial Mobile Alert System (CMAS)
  • Baseband ($100,000)
Contestants are allowed to select the target they wish to compromise during the pre-registration process.  The exact OS version, firmware and model numbers will be coordinated with the pre-registered contestants. The following targets are available for selection:
  • Nokia Lumia 1020 running Windows Phone
  • Microsoft Surface RT running Windows RT
  • Samsung Galaxy S4 running Android
  • Apple iPhone 5 running iOS
  • Apple iPad Mini running iOS
  • Google Nexus 4 running Android
  • Google Nexus 7 running Android
  • Google Nexus 10 running Android
  • BlackBerry Z10 running BlackBerry 10
In addition, Google’s Chrome Security Team, in conjunction with the Chrome on Android team, is sponsoring a top-up reward for the Mobile Web Browser category. If a contestant successfully compromises Chrome on Android, either on Google Nexus 4 or Samsung Galaxy S4, the prize amount will be bumped by $10k to make it a total of $50,000. There may be additional winners in the Mobile Web Browser category if the contestant is specifically targeting Chrome on Android, either on the Google Nexus 4 or Samsung Galaxy S4.

For those looking to enter, the full contest rules are listed here. For those geeks that want to stay updated on the contest, ZDI will be tweeting regular updates and news on Mobile Pwn2Own up to and during the contest. You can follow them at @thezdi on Twitter or search for the hash tag #pwn2own.

Tuesday, January 29, 2013

Google Bets Big On Chrome OS Offers Pwnium Hackers $3.14M In Potential Prizes

Google has a long-standing history of betting big on its products. They were one of the first companies to offer the public bug bounties for their Chrome browser, and just last year took things to a new level with the $1 million sponsorship of "Pwnium". Now the search giant is taking things to new heights, tripling the maximum total prize money to $3.14 million.

Dubbed Pwnium 3, this new challenge will open the door for researchers to focus their sights on Chrome OS, Google's browser-based operating system that has been gaining a bit of traction thanks to the Chromebook. The contest will reward those who can hack the operating system with individual prizes of $110,000 and $150,000, with a max total up to $3.14159 million.

The attack must be demonstrated against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack.

Pwnium 3 will take place alongside Pwn2Own during the CanSecWest security conference held March 7th in Vancouver, British Columbia. Google will also partner with HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program to host Pwn2Own. That contest, with $560,000 in total cash prizes, will focus on Web browsers, including Chrome, Microsoft's Internet Explorer (IE) and Mozilla's Firefox, as well as plug-ins from Adobe and Oracle.

Google withdrew support for last year's event, citing differences over what information was going to be made available concerning the exploits used in achieving the hacks. Full exploit details have traditionally been handed over after the contest; however, last year was an exception, with disclosure an explicit non-requirement for the contest, which Google felt was unacceptable.

"This year, we've teamed up with ZDI by working together on the Pwn2Own rules and by underwriting a portion of the winnings for all targets," said Evans about the new understanding between Google and HP TippingPoint. "The new rules are designed to enable a contest that significantly improves Internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards."

Friday, January 18, 2013

Pwn2Own 2013 Going To Be Bigger Than Ever With Record $560K In Prize Money

This year's Pwn2Own hacking contest promises to be bigger and better than ever with HP TippingPoint, the long-time organizer of Pwn2Own, revamping the challenges and offering cash awards exceeding half a million dollars.

For the 2013 contest, HP’s DVLabs Zero Day Initiative (ZDI) is expanding the focus of the annual Pwn2Own competition beyond vulnerabilities in the web browser alone. This year it is focusing not just on the browser itself but also on browser-based plug-ins, which are often the target of malicious attacks. Hackers will be allowed to target and demonstrate exploits of previously unknown vulnerabilities in Chrome, Firefox, Internet Explorer (IE) or Safari as well as popular add-ons like the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins.

HP ZDI is offering more than half a million dollars (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques in the below categories. The first contestant to successfully compromise a selected target will win the prizes for the category.
  • Web Browser
    • Google Chrome on Windows 7 ($100,000)
    • Microsoft Internet Explorer, either
      • IE 10 on Windows 8 ($100,000), or
      • IE 9 on Windows 7 ($75,000)
    • Mozilla Firefox on Windows 7 ($60,000)
    • Apple Safari on OS X Mountain Lion ($65,000)
  • Web Browser Plug-ins using Internet Explorer 9 on Windows 7
    • Adobe Reader XI ($70,000)
    • Adobe Flash ($70,000)
    • Oracle Java ($20,000)
The targets will be running on the latest, fully patched versions of Windows 7, 8, and OS X Mountain Lion. All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.

The contest will take place the 6th, 7th, and 8th of March in Vancouver, British Columbia during the CanSecWest 2013 conference. You can follow along as the contest plays out and get real-time updates by following either @thezdi or @Pwn2Own_Contest on Twitter or search for the hash tag #pwn2own.

For more details check out: DVLabs Pwn2Own 2013

Thursday, September 20, 2012

iPhone 4S, Samsung Galaxy S3 Hacked At Mobile Pwn2Own

TippingPoint DVLabs and the Zero Day Initiative (ZDI), the major sponsors of the infamous Pwn2Own hacking contest, have created a new mobile-only version of the Pwn2Own competition. The primary goal of the new contest is to demonstrate the current security level of the most prevalent mobile technologies in use today, including attacks on mobile web browsers, mobile operating systems, Near Field Communication (NFC), Short Message Service (SMS), and the cellular baseband.

During this week's competition held alongside the 2012 EUSecWest conference in Amsterdam, Netherlands, hackers had the chance to try to exploit several of today's most popular phones running the latest operating systems on the market. Among the options were several Android based phones, an Apple iPhone 4S running iOS 5.1.1, a BlackBerry Bold 9900 and two phones running Windows Phone 7.5.

As of today only two phones had been exploited. The first was the iPhone 4S, which was exploited via a bug in WebKit. According to ZDNet, security researchers Joost Pol and Daan Keuper, of Certified Secure, exploited a WebKit vulnerability to launch a drive-by download to hijack the address book, photos, videos, and browsing history from a fully patched iPhone 4S.

The attack works on iOS 5.1.1 and the developer release of iOS 6, as well as on the iPad, iPhone 4, and previous versions of the iPod Touch, Pol told ZDNet.

The second phone to fall victim to hackers was the Samsung Galaxy S3, which was hacked via NFC, allowing the attackers to download all the data from the Android-based smartphone. Researchers from security company MWR Labs were able to beam a malicious file over an NFC (Near Field Communication) connection by holding two Galaxy S3s next to each other.

Using this technique, a file is loaded on the targeted S3. The file is then automatically opened and gets full permissions, meaning that the attacker has full control over the phone, explained Tyrone Erasmus, security researcher at MWR. The app runs in the background so the victim is unaware of the attack. The attacker can gain access to all SMS messages, pictures, emails, contact information and much more. The payload is very advanced, so attackers can "basically do anything on that phone," the researchers said.

The exploit is aimed at a document viewer application that comes as a default installed app on the Galaxy S2, S3 and some HTC phones, the researchers said. They wouldn't say which specific app is targeted because they did not want others to take advantage of the exploit. The vulnerability was tested on both the S2 and the S3, and worked on both phones, they said.

For their successful exploits both teams were rewarded $30,000 cash and other prizes, such as a BlackBerry Playbook tablet from sponsor Research in Motion. For more details on the Pwn2Own mobile contest you can follow either @thezdi on Twitter or search for the hash tag #pwn2own. For details on the phones used in the contest or contest rules, check out the TippingPoint Blog.


Wednesday, September 05, 2012

Apple, FBI Deny Claims That Hackers Stole Apple UDIDs

The web was abuzz yesterday as hacking group AntiSec claimed to have stolen more than 12 million UDIDs (Unique Device IDs) for Apple iPhones, iPads and iPod Touch devices while hacking an FBI agent's laptop. These claims have since been denied by both the FBI and Apple, with both stating that the FBI never had the information and that Apple had never released it.

AntiSec, a group of hacktivists, released a file of over one million Apple UDIDs on Tuesday, claiming that this is only a small part of a total haul of over 12 million records of both UDIDs and personal information taken from an FBI agent's laptop. The group announced the release on its @anonymousirc Twitter account.

Details of the information dump were placed on Pastebin where AntiSec says a number of the records in the original data contained zip codes, full names, addresses and cell numbers, while others contained none. However, they decided to trim the information down to the Apple Device's unique device identifier (UDID), APNS (Apple Push Notification Service) tokens for accessing the notification service, the device's name (e.g. "John Doe's iPhone") and device type (e.g. "iPad").

The group had released a million UDIDs, push notification tokens, device names and types as evidence that they had the information.

This prompted responses by both the FBI and Apple, who are claiming that Apple never released the data and that the FBI was never in possession of such information. The FBI tweeted: "We never had info in question" and said that the story was "TOTALLY FALSE". In a further statement, the agency said:
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
In a statement released this morning, Apple said it did not furnish a list of Unique Device Identifiers (UDIDs) to the FBI or anyone else, and that the feature was soon to be removed.

"The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization," Apple said in a statement provided to AllThingsD. "Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID."

The, now more active, @AnonymousIRC twitter account used by AntiSec responded to the FBI's statement: "So because you don't know of any data breach it never happened?"

At this time it remains unclear how the FBI would have obtained the UDIDs, what they were being used for, or even if they ever had them at all. AntiSec suspects that the FBI uses the list of devices for monitoring and tracking users. But it is still uncertain how the FBI came into possession of this UDID list to begin with.

Thursday, August 05, 2010

iOS4 Jailbreak Hole Could Mean Big Trouble For Users

Apple, along with several big-name security researchers, is warning that the recent exploit used in JailBreakMe to jailbreak iOS4 could mean bad news for iPhone and iPad users. Both exploits could potentially allow would-be hackers easy access to the devices' 'root' control privileges.

The JailBreakMe exploit utilizes a hole discovered in the way Safari reads and parses PDF files. This security vulnerability allows the JailBreakMe site to gain access to the 'protective sandbox'. The second security vulnerability allows the code to get out of the 'sandbox' and access root control privileges for the device -- potentially allowing hackers the ability to install rogue apps that could monitor user actions. The end result is that the program can then have unrestricted access to your iPhone or iPad or iPod Touch on virtually all versions of iPhone firmware.


On Wednesday an Apple spokeswoman told Cnet via a statement, "We're aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update."

Thursday, July 08, 2010

Pirate Bay User Database Hacked, Millions Of Email And IP Addresses Exposed

According to Brian Krebs, at KrebsonSecurity.com, an Argentinian hacker named Ch Russo reported that he and his group had discovered a SQL injection vulnerability in The Pirate Bay's website that allowed them to obtain and expose personal information of all the users registered at the site. This includes not only identifiable information like email addresses and usernames, but also more important information like users' IP addresses.

Russo maintains he and his group did not alter, copy or delete information in The Pirate Bay database. But he acknowledges that they did briefly consider how much this access and information would be worth to anti-piracy companies like the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA).

“Probably these groups would be very interested in this information, but we are not [trying] to sell it,” Russo told KrebsOnSecurity.com in a phone interview. “Instead we wanted to tell people that their information may not be so well protected.”

Russo's original post has since been removed and the site is now returning "403" errors, most likely due to some sort of retaliation attack. Before the site was taken down, Russo admitted that The Pirate Bay administrators had removed the Web site component that facilitated access to thepiratebay.org user database, although he added that he’s had no direct contact with the site administrators about his findings.

Other than the financial gains possible from selling the information to the RIAA or MPAA, the leak could potentially be threatening to the millions of users out there that use the Pirate Bay. Not only could spammers utilize the emails for a mass phishing scheme or spam attack, but hackers could utilize the IP information obtained for sniffing attacks to attempt to gain control of a Pirate Bay user's computer.

Wednesday, June 09, 2010

AT&T Confirms iPad User Info Exposed

According to Gawker, the emails of over 114,000 iPad 3G owners were accidentally exposed over AT&T's network. The hackers were able to gather emails of every AT&T customer who purchased an iPad 3G before Monday June 7, 2010.

The specific information exposed in the breach included subscribers' email addresses, coupled with an authentication ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.

AT&T was already aware of the breach and had since closed the security hole, but the victims were unaware until the news was leaked via Gawker. “The issue has escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses,” AT&T said in a statement.

AT&T spokesman Mark Siegel confirmed the breach to CNET stating "AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained," he said. "At this point, there is no evidence that any other customer information was shared."

The subscriber data was obtained by a group calling itself Goatse Security.

Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large section of ICC IDs by looking at known iPad 3G ICC IDs, either their own ICC-IDs or some of those unwittingly posted on the internet.
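The access pattern described above (one client requesting many different ICC-IDs from a lookup endpoint in a short time) is visible in server logs. The following is an added example, not code from AT&T or the original post; the log layout, the `/lookup` path, the `ICCID` parameter name and every log line are constructed assumptions. It flags clients whose count of distinct identifiers in a sliding window exceeds a threshold.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%d/%b/%Y:%H:%M:%S"
# Assumed log layout: client IP, [timestamp], "request line", status.
# The /lookup path and ICCID parameter name are hypothetical.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /lookup\?ICCID=(?P<iccid>\d{19,20}) [^"]*" (?P<status>\d{3})$'
)


def build_sample_log():
    """Constructed log: two ordinary subscribers and one client walking the ID space."""
    base = datetime(2010, 6, 7, 10, 0, 0)
    lines = []
    ordinary = [("192.0.2.10", "89014104200000000017"),
                ("192.0.2.44", "89014104200000731550")]
    for offset, (ip, iccid) in enumerate(ordinary):
        for k in range(3):  # each subscriber repeats a lookup of its own ID
            ts = base + timedelta(minutes=5 * k + offset)
            lines.append(f'{ip} [{ts.strftime(TS_FORMAT)}] '
                         f'"GET /lookup?ICCID={iccid} HTTP/1.1" 200')
    start = 89014104200000100000
    for k in range(40):  # one request per second, a new guessed ID each time
        ts = base + timedelta(seconds=k)
        status = 200 if k % 3 == 0 else 404
        lines.append(f'198.51.100.7 [{ts.strftime(TS_FORMAT)}] '
                     f'"GET /lookup?ICCID={start + 7 * k} HTTP/1.1" {status}')
    return lines


def find_enumeration(lines, window=timedelta(minutes=1), max_distinct=10):
    """Return {ip: stats} for clients exceeding max_distinct IDs in any window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            events[m["ip"]].append((ts, m["iccid"], m["status"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        in_window = Counter()  # ICC-ID -> occurrences inside the window
        left = 0
        peak = 0
        for ts, iccid, _ in evs:
            in_window[iccid] += 1
            # Slide the left edge until the window spans at most `window`.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            misses = sum(1 for _, _, status in evs if status == "404")
            flagged[ip] = {
                "peak_distinct_ids": peak,
                "requests": len(evs),
                # A high share of misses suggests guessing, not normal use.
                "miss_ratio": round(misses / len(evs), 2),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumeration(build_sample_log()).items():
        print(ip, stats)
```

Detection of this kind complements, and does not replace, requiring the caller to be authenticated as the subscriber whose record is returned.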

According to the Gawker article, there were some rather big names whose addresses were leaked and may now be vulnerable. Among those are several military email addresses from all branches of the military, NASA, the Department of Homeland Security and several devices registered to the domain of DARPA, the advanced research division of the Department of Defense. There are also several major names in the tech sector, finance and media.

While there may not be much information leaked, and hackers may not be able to do much with what little was leaked, the fact that the info and email addresses are out in the wild might be a reason for concern. I'm sure they all have security measures in place to avoid phishing scams, spam and/or other malicious emails, but that doesn't mean hackers won't be trying, and we all know it doesn't take much to slip something by.

Monday, March 22, 2010

What Does Hacker Charlie Miller Have Up His Sleeve For Pwn2Own 2010?

Charlie Miller quickly gained notoriety two years ago at the CanSecWest security conference when he and his team used an exploit in the Safari web browser to hack the brand new MacBook Air in just under 2 minutes, winning himself and his team not only the new MacBook Air but also $10,000 from security firm TippingPoint Technologies.

A year later he repeated the feat when he used yet another of his already known exploits to win his second MacBook Air and an additional $5,000.

This year looks like it will be a three-peat for Miller who took second slot and first draw for Safari yet again. The security expert claims to have found no less than 20 zero-day exploits within OS X. Miller via Twitter last week stated he will present details on how he found the exploits during the conference but he made it clear he will not reveal the exact details on how the exploits work.

While the full details will not be disclosed, Miller alluded to the approach he used in finding the zero-day flaws. According to his interview with Heise Security, Miller discovered the new vulnerabilities by fuzzing, a process which involves bombarding an application's input channels with as much corrupted data as possible. His presentation is subtitled: "An analysis of fuzzing 4 products with 5 lines of Python". The expert explained: "The talk is about what you really find when you fuzz and it tries to draw conclusions about what to expect in the future when you fuzz a mature product." Parts of the presentation apparently consist of statistics, for instance, about which percentage of flaws causes crashes, and which percentage can be exploited remotely.
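To make the fuzzing process described above concrete, here is an added example (not Miller's code and not from his presentation) that mutates a valid input for a small, constructed tag-length-value parser and tallies the outcomes. The record format, both parsers and the seed input are assumptions made up for this illustration; the second parser shows the bounds checks that turn crashes into controlled rejections.

```python
import random
import struct
from collections import Counter

# Constructed seed: three tag/length/value records (text, 4-byte int, text).
SEED = b"\x01\x05hello\x02\x04\x00\x00\x01\x00\x03\x02ok"


class ParseError(ValueError):
    """Controlled rejection of malformed input."""


def parse_naive(data):
    """Toy TLV parser that trusts the length byte (deliberately fragile)."""
    out, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]          # IndexError on a cut header
        value = data[i + 2:i + 2 + length]          # silently short if overlong
        if tag == 0x02:
            value = struct.unpack(">I", value)[0]   # struct.error unless 4 bytes
        out.append((tag, value))
        i += 2 + length
    return out


def parse_checked(data):
    """Same format, but every length is validated before it is used."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ParseError("truncated record header")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ParseError("declared length exceeds remaining input")
        if tag == 0x02:
            if length != 4:
                raise ParseError("integer field must be exactly 4 bytes")
            value = struct.unpack(">I", value)[0]
        out.append((tag, value))
        i += 2 + length
    return out


def mutate(seed, rng):
    """Overwrite one to three random bytes of the seed with random values."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(parser, seed=SEED, iterations=2000, rng_seed=1234):
    """Run the parser on mutated inputs and bucket each outcome."""
    rng = random.Random(rng_seed)   # fixed seed so a run can be reproduced
    outcomes = Counter()
    for _ in range(iterations):
        try:
            parser(mutate(seed, rng))
            outcomes["accepted"] += 1
        except ParseError:
            outcomes["rejected"] += 1
        except Exception as exc:    # anything else is an unhandled failure
            outcomes["crash:" + type(exc).__name__] += 1
    return outcomes


if __name__ == "__main__":
    for parser in (parse_naive, parse_checked):
        result = fuzz(parser)
        total = sum(result.values())
        print(parser.__name__)
        for kind, count in sorted(result.items()):
            print(f"  {kind:<20} {count:5d}  {100 * count / total:5.1f}%")
```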

Pwn2Own 2010 should be an interesting event this year, not only because of the flaws Miller found but because many, including Miller himself, are predicting the fall of the iPhone this year, this coming in spite of the fact that last year not a single smartphone was hacked.

If you want full details on the event, including a schedule, check out the TippingPoint Blog, and to follow along with real-time updates and real-time feedback follow the TippingPoint Zero Day Initiative via their Twitter account @theZDI.