iCloud users take note: Apple two-step protection won’t protect your data

Image: A diagram showing how Apple’s two-step verification works. (Credit: Apple)

If you think your pictures, contacts, and other data are protected by the two-step verification protection Apple added to its iCloud service in March, think again. According to security researchers in Moscow, the measure helps prevent fraudulent purchases made with your Apple ID but does nothing to augment the security of files you store.

To be clear, iCloud data is still secure so long as the password locking it down is strong and remains secret. But in the event that your account credentials are compromised—which is precisely the eventuality Apple’s two-factor verification is intended to protect against—there’s nothing stopping an adversary from accessing data stored in your iCloud account. Researchers at ElcomSoft—a developer of sophisticated software for cracking passwords—made this assessment in a blog post published Thursday.

“In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device,” ElcomSoft CEO Vladimir Katalov wrote. “In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information.”

Microsoft talks about Xbox One’s internals, while disclosing nothing

Image: Here’s the money shot: the back of the console has a power connector, HDMI in and out (for the purposes of hooking your cable box up to the console), optical audio out, two USB ports, the Kinect port, an IR Out port, and an Ethernet jack. (Credit: Kyle Orland)

The Xbox One is full of technology, and after its big reveal, Microsoft talked a little about what’s going into the console, giving some tidbits of info about what makes it tick.

Hardware

Microsoft says that the Xbox One has five custom-designed pieces of silicon spread between the console and its Kinect sensor. It didn’t elaborate on what these are. There’s a system-on-chip combining the CPU and GPU, which we presume to be a single piece of silicon, and there’s at least one sensor chip in the Kinect, perhaps replacing the PrimeSense processor used in the Xbox 360 Kinect, but what the others might be isn’t immediately clear. Possibilities include audio processors, on-chip memory, and USB controllers.

One of the key questions about the AMD-built, 64-bit, 8-core SoC is “how fast is it?” At the moment, that’s unknown. Microsoft claims that the new console has “eight times” the graphics power of the old one, though some aspects of the new system are even more improved; for example, it has 16 times the amount of RAM.

Mac malware signed with Apple ID infects activist’s laptop

Stealthy Mac OS X spyware that was digitally signed with a valid Apple Developer ID has been detected on the laptop of an Angolan activist attending a human rights conference, researchers said.

The backdoor, which is programmed to take screenshots and send them to remote servers under the control of the attackers, was spread using a spear phishing e-mail, according to privacy activist Jacob Appelbaum. Spear phishing is a term for highly targeted e-mails that address the receiver by name and usually appear to come from someone the receiver knows. The e-mails typically discuss topics the two people have talked about before. According to AV provider F-Secure, the malware was discovered during a workshop showing freedom of speech activists how to secure their devices against government monitoring.

The malware was signed with a valid Apple Developer ID allowing it to more easily bypass the Gatekeeper feature Apple introduced in the Mountain Lion version of OS X. If it’s not the first time Mac malware has carried such a digital assurance, it’s certainly among the first. Both F-Secure and Appelbaum said the backdoor, identified as OSX/KitM.A, is new and previously unknown. For its part, AV provider Intego said the malware is a variant of a previously seen trojan known as OSX/FileSteal. Intego continued:

“SpecialisRevelio!” Macs use Harry Potter spell to unlock secret “backdoor”

The Mac on your desk or on the cafe table next to you has a chip with secret functions that can be unlocked only by inputting a spell from the Harry Potter series.

The SMC, or system management controller, is a chip used to regulate a Mac’s current and voltage, manage its light sensor, and temporarily store FileVault keys. Turns out that the SMC contains undocumented code that is invoked by entering the word “SpecialisRevelio,” the same magic words used to reveal hidden charms, hexes, or properties used by wizards in the Harry Potter series written by author J. K. Rowling.

That fun fact was presented Wednesday at the NoSuchCon security conference by veteran reverse engineer Alex Ionescu. While most details are far too technical for this article, the gist of the research is that the SMC is a chip that very few people can read but just about anyone with rudimentary technical skills can “flash” update. Besides displaying the Apple engineers’ affinity for Harry Potter, Ionescu’s tinkerings also open the door to new types of hacks. But don’t worry because they’re mostly the fodder for a hacking scene in a James Bond or Mission Impossible screenplay.

“The attacks discussed in my presentation are attacks that likely only a nation-state adversary would have the sufficient technical knowledge to implement, and they require precise knowledge of the machine that is being targeted,” Ionescu, who is chief architect at security firm CrowdStrike, wrote in an e-mail to Ars. “They are perfect, for example, at a border crossing where a rogue country may need to ‘take a quick look at your laptop’ to ‘help prevent terrorism.’ I don’t suspect most Mac users (and certainly not those that read Ars or other similar publications) would be at a high-profile enough level to warrant such level of interest from another state.”

Feds seize money from Dwolla account belonging to top Bitcoin exchange Mt. Gox

The Department of Homeland Security has apparently shut down a key mobile payments account associated with Mt. Gox, the largest Bitcoin exchange. Chris Coyne, the co-founder of online dating service OKCupid, tweeted out an e-mail he received from Dwolla this afternoon. The e-mail states that neither Coyne, nor presumably any other Dwolla user, will be able to transfer funds to Mt. Gox. Dwolla confirmed the change to the New York Observer, which first reported the story. Dwolla received a seizure warrant from a federal court.

How hackers allegedly stole “unlimited” amounts of cash from banks in just hours

Federal authorities have accused eight men of participating in 21st-Century Bank heists that netted a whopping $45 million by hacking into payment systems and eliminating withdrawal limits placed on prepaid debit cards.

The eight men formed the New York-based cell of an international crime ring that organized and executed the hacks and then used fraudulent payment cards in dozens of countries to withdraw the loot from automated teller machines, federal prosecutors alleged in court papers unsealed Thursday. In a matter of hours on two separate occasions, the eight defendants and their confederates withdrew about $2.8 million from New York City ATMs alone. At the same times, “cashing crews” in cities in at least 26 countries withdrew more than $40 million in a similar fashion.

Prosecutors have labeled this type of heist an “unlimited operation” because it systematically removes the withdrawal limits normally placed on debit card accounts. These restrictions work as a safety mechanism that caps the amount of loss that banks normally face when something goes wrong. The operation removed the limits by hacking into two companies that process online payments for prepaid MasterCard debit card accounts issued by two banks—the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates and the Bank of Muscat in Oman—according to an indictment filed in federal court in the Eastern District of New York. Prosecutors didn’t identify the payment processors except to say one was in India and the other in the United States.

Network Solutions seizes over 700 domains registered to Syrians

While Syria’s Internet connection is back up, many of the sites hosted in Damascus have lost their domain names. As Brian Krebs of Krebs on Security reports, the domain registrar Network Solutions LLC has taken control of 708 domain names in the .com, .org, and .net top-level domains registered to Syrian organizations. The organizations affected by the seizure include the state-supported hacker group Syrian Electronic Army.

Usually when there’s a domain name seizure, it’s the work of government agencies like Immigrations and Customs Enforcement or the FBI, or domains are shut down with the help of US Marshals as part of a court-sanctioned seizure related to malware. But in this case, Network Solutions appears to have seized the domains in question without coordinating with federal authorities, though its action was guided by federal regulations—domain name registration is one of the services explicitly banned in US trade sanctions enacted against Syria last year. Network Solutions has marked the seized domains with the notation “OFAC Holding,” indicating they were taken over in accordance with regulations propagated by the Department of the Treasury’s Office of Foreign Assets Control, a unit of Treasury’s Office of Terrorism and Financial Intelligence.

The vast majority of the seized domains were pointed at IP addresses assigned to the Syrian Computer Society. As we’ve reported previously, Syrian President Bashar al-Assad, who was an Army doctor and ophthalmologist before being groomed to take over for his father, was head of the Syrian Computer Society in the 1990s. He became president in 2000. The Syrian Computer Society acts as Syria’s domain registration authority and regulates the Internet within Syria, and is also believed to be connected to Syria’s state security apparatus. The Syrian Computer Society registered .sy domain names for the Syrian Electronic Army’s servers, giving the hacker group a national-level domain name (sea.sy) rather than a .com or other non-government address, signifying its status as at least a state-supervised operation.

Cray brings top supercomputer tech to businesses for a mere $500,000

Image: A Cray XC30-AC server rack. (Credit: Cray)

Cray, the company that built the world’s fastest supercomputer, is bringing its next generation of supercomputer technology to regular ol’ business customers with systems starting at just $500,000.

The new XC30-AC systems announced today range in price from $500,000 to roughly $3 million, providing speeds of 22 to 176 teraflops. That’s just a fraction of the speed of the aforementioned world’s fastest supercomputer, the $60 million Titan, which clocks in at 17.59 petaflops. (A teraflop represents a thousand billion floating point operations per second, while a petaflop is a million billion operations per second.)

But in fact, the processors and interconnect used in XC30-AC are a step up from those used to build Titan. The technology Cray is selling to smaller customers today could someday be used to build supercomputers even faster than Titan.

German court convicts, sentences BitTorrent site operator to nearly 4 years

A German district court in the western city of Aachen has handed down one of the harshest sentences for abetting copyright infringement: three years and 10 months in prison. The 33-year-old alleged operator of the Russian-hosted torrent.to, who was named only as “Jens R.” in court documents, remains under investigation for fraudulent bankruptcy filings and embezzlement. Other than pleading not guilty, Jens R. did not offer a defense in the case and is expected to appeal. Like similar sites, such as the Pirate Bay, the defendant was accused of selling ads against links to torrent files.

Defense contractor pwned for years by Chinese hackers

QinetiQ, a UK-based defense contractor, has its fingers all over some of the US Defense Department’s most sensitive systems. The company’s subsidiaries provide robots, diagnostic systems, intelligence systems for satellites, drones, and even “cyber-security” to the US Department of Defense. The parent company, which was created as a privatized spinoff of the British Defense Evaluation and Research Agency—what was the UK’s equivalent of the US Defense Advanced Research Projects Agency—is often cited as the inspiration for James Bond’s “Q.”

But for at least three years, QinetiQ was apparently unintentionally supplying its expertise to another customer: China. In multiple operations, hackers tied to the People’s Liberation Army have had the run of QinetiQ’s networks, stealing sensitive data from them and even using them to launch attacks on the systems of government agencies and other defense contractors. E-mails uncovered by the hack of security firm HBGary revealed that Chinese hackers had the run of the company’s networks starting in 2007.

Bloomberg’s Michael Riley and Ben Elgin report that in one effort that lasted for over three years, “Comment Crew”—the group tied to the recent hacking of the New York Times and other news organizations, plus a host of attacks on other defense contractors and technology businesses—managed to gain access to “most if not all of the company’s research.” The company was notified on multiple occasions by government agencies of ongoing breaches, starting with a report from the Naval Criminal Investigative Service in December of 2007 that “a large quantity of sensitive information” was being stolen from two computers at the company’s US subsidiary, QinetiQ North America (QNA). A month later, NASA informed QNA that one of the company’s computers was being used in a cyberattack on its network.
