The $90 WiFi Pineapple is now in its fourth iteration. The gadget does man-in-the-middle attacks on WiFi networks, allowing its owner to snoop on all the traffic, keylog password entries, and generally compromise the shit out of anyone using WiFi in the area. It’s a damned good reason to use a VPN, like The Pirate Bay’s IPREDator. Also: it has epic rickrolling potential.

The WiFi Pineapple Mark IV improves tremendously on previous models in both hardware capabilities and ease of use. Where the Mark III brought a completely redesigned web management interface, the Mark IV continues with plug & play 3G / 4G connectivity, automatic persistent reverse SSH tunnels and a simplistic status page, to name a few. The new control center shows at a glance connected clients’ hostnames, IP addresses and Karma’d SSID, as well as signal strength, idle time and network throughput. Hardware-wise the Mark IV is built on a powerful Atheros AR9331 SoC at 400 MHz–over double that of the previous generation–and sports two Ethernet ports, 802.11 b/g and N connectivity, as well as, most notably, a USB 2.0 port, allowing for expansions like mass storage and 3G / 4G modems. *modem sold separately.

Also it’s black, which adds at least 50 hacker points. WiFi Pineapple Mark IV (via JWZ)
Nimey writes “Adobe has posted a security bulletin for Photoshop CS5 for Windows and OS X. It seems there is a critical security hole that will allow attackers to execute arbitrary code in the context of the user running the affected application. Adobe’s fix? You need to pay to upgrade to Photoshop CS6. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.” Read more of this story at Slashdot.
mask.of.sanity writes “An online search portal has been launched that reveals the IP addresses of any Skype user. The portal needs only a Skype username entered in a search bar for it to produce the IP address of a target user. It then uses IP addresses to geo-locate users on a map and reveal their ISP information.”
This afternoon, the U.S. House of Representatives passed the controversial Cyber Intelligence Sharing and Protection Act (CISPA) by a vote of 248 to 168. Unlike SOPA, which focused on copyright violations, CISPA wants to give Internet companies and the U.S. government the tools to protect and defend themselves against cyber attacks by sharing information with each other. Critics, however, argued that this information sharing would be happening with very little oversight and would put Americans’ privacy rights at risk. Rep. Jared Polis (D-Colo.), an outspoken critic of the bill, argued that the bill would “waive every single privacy law ever enacted in the name of cybersecurity. Allowing the military and NSA to spy on Americans on American soil goes against every principle this country was founded on.” Even though this bill has now passed the House, chances are that it will not get through the Senate. On Tuesday, the White House issued a statement condemning the bill and on Wednesday, President Obama threatened to veto the legislation because it “fails to provide authorities to ensure that the nation’s core critical infrastructure is protected while repealing important provisions” of long-established privacy law. Critics, including the Electronic Frontier Foundation, argue that the current version of this bill is basically a major violation of established privacy rights and would allow companies to hand anything and everything you do and say online over to the government in the name of “cybersecurity.” Proponents of the bill, including House Intelligence Committee Chairman Mike Rogers (R-Mich.), argue that the bill is “needed to prepare for countries like Iran and North Korea so that they don’t do something catastrophic to our networks here in America.” An earlier provision in the bill that would have given Homeland Security more authority to monitor the Internet was dropped before the bill (PDF) passed.
In return, though, a number of last-minute amendments were added, including one that expands the list of reasons for which shared information can be used. While the bill still allows Internet companies to hand over confidential customer information to U.S. security and intelligence agencies, as well as local law enforcement services, it is worth noting that it does not require them to do so. You can read a full version of the bill here (PDF).
Computer scientists have devised an attack that logs phone numbers, Social Security IDs, and personal identification numbers entered into smartphones by monitoring the devices’ integrated motion sensors. TapLogger, as their proof-of-concept application for phones running Google’s Android operating system is called, masquerades as a benign game that challenges the end user to identify identical icons from a collection of similar-looking images. In the background, the trojan monitors readings returned by the phone’s built-in accelerometer, gyroscope, and orientation sensors to infer phone numbers and other digits entered into the device. The app then surreptitiously uploads them to a computer under the control of the attackers.
With more on the Flashback malware plaguing many Macs, beaverdownunder writes with some explanation of how the infection grew so quickly: “Alexander Gostev, head of the global research and analysis team at Kaspersky, says that ‘tens of thousands of sites powered by WordPress were compromised. How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in.’”
suraj.sun writes with these snippets from an article at Ars Technica: “Hacker group Anonymous and the People’s Liberation Front have created a data-sharing site called AnonPaste.tk, meant to host pastes of code and other messages without any moderation or censorship of the information posted. The new site, which uses a free .tk web address, allows users to set a time for the paste to expire. It claims that data is encrypted and decrypted in the browser using 256 bit AES, so the server doesn’t see any of the information included in the paste. The site says it’s taking donations in the form of WePay or BitCoins. … AnonPaste is built using open-source software called ZeroBin, created by French developer Sebastien Sauvage. According to Infoweek, Sauvage has experience in creating online authentication systems for French banks, suggesting the creator knows a thing or two about encryption of data. Still, on the software’s information page, Sauvage reminds potential users that ZeroBin software cannot protect against potential Javascript attacks. ‘Users still have to trust the server regarding the respect of their privacy,’ he says. ‘ZeroBin won’t protect the users against malicious servers.’”