Reported today by infosecurity-us and others, the two men (Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, California) who had fleeting fame after publishing insecurities in the AT&T iPad website in June 2010 have been arrested and charged with one count of conspiracy to access a computer without authorization, and one count of fraud in connection with personal information. Each count carries a maximum penalty of five years in prison and a fine of $250,000.
You can find the formal press release on the Justice.gov site.
The original hack involved farming the subscriber details off AT&Ts site by presenting it with random ID codes. Unfortunately, while demonstrating a weakness in a site is often not prosecuted, the pair went on to retrieve 120,000 subscriber details and then passed them on Gawker, who published a redacted list amongst much fanfare. This distribution of personal data will probably get them into a lot of hot water. Read more…
Following on from my post “10 Things You Don’t Want To Know About Bitlocker”, “TPM Undressed” and “Firewire Attacks Revisited” it recently came to my attention that Passware, Inc. A feisty California company has released a version of their forensic software which will decrypt Bitlocker and TrueCrypt protected hard disks via the classic Firewire vulnerabilities.
A full write-up can be found on the Passware site, but simply, given a machine that’s running, but has encrypted drives (for example one using Bitlocker in TPM-only mode, or a machine which is suspended, not hibernated). As to how to do it, well they have implemented the exploit in a very neat and usable way:
Recently Jordan Robertson reported that serious flaws had been found in so-called “Smart” power meters which are being rolled out slowly by the utilities companies.
These meters, designed to help individuals and companies more effectively manage their electricity usage were found to have serious security flaws which could allow hackers not only to tamper with your supply, a new twist on the “Denial of Service” attack, but could also be used to fool the utility provider into thinking you’re using more power than you actually are.
Recently it was announced with much fanfare that the now-ubiquitous “TPM” chip found in most modern computers had been hacked. This obviously unnerved a lot of people, especially those hanging the safety of their secrets on free solutions like Microsoft Bitlocker which use the TPM to provide convenience to their users.
The attack, invented about 60 years ago, but elegantly implemented by Christopher Tarnovsky of Flylogic involved attacking the hardware of the chip itself by uncasing it and probing its signal pathways – something that seems difficult until you read their blog and realize they do it every day.
Chris used a combination of off-the-shelf acids and rust-remover solutions to dissolve first the outer casing of the chip, then the wire grid tamper-proofing shields inside.
Once “undressed” he was able to probe and monitor what was going on inside anonymously. Read more…
Recently a whole slew of news sites announced a newly discovered vulnerability (care of the German Security firm SySS) on a range of “supposedly” secure consumer USB sticks.
These models from SanDisk, Kingston and Verbatim were apparently easy to defeat and retrieve the data from without knowing the users password or having any prior knowledge or touch on the stick.
The exploit was simple – it seems the software tool shipped with the sticks validates the password, not the stick itself, and the sticks use a fixed authentication key. Yes, ALL sticks use the same auth key. By simply sending this known ack key to the stick, you can unlock it, or any other stick.
Interestingly, some of these insecure devices had been through FIPS 140-2 Level 2 security certification, so should really have been immune to this kind of attack.