Pinboard (guardiantech)

Snapchat can't stop the parasite apps that screw its users >> WIRED

guardiantech — 2014-10-12T20:47:15+00:00

Andy Greenberg:

even if Snapchat users’ data was accessed via someone else’s servers, that doesn’t make the breach any less of Snapchat’s problem, says security researcher Adam Caudill. He’s been reverse engineering Snapchat’s API to demonstrate exactly the problem of rogue third party apps for years. “Your average developer can build something in a day’s time that interacts with Snapchat’s API and saves everything that comes through it,” Caudill says. “Quite honestly, I’m surprised this hasn’t happened sooner.” Caudill first warned Snapchat in 2012 that he had analyzed its API and could build a pirate app that stripped out its time-deletion features. “Given the nature of the application, I suspect unofficial clients are unavoidable…especially as the service grows in popularity,” he wrote at the time.

How do you prevent, in perpetuity, a third-party app with the correct login details from accessing your server?

#Floodhack and opening up Environment Agency flood data >> mapgubbins

guardiantech — 2014-02-17T18:23:08+00:00

Owen Boswarva isn't impressed by the data made available by the Environment Agency for the floodhack day:

this very limited release of open data does not represent a significant “opening up” of government resources. The arrangements for river-level data are slightly more flexible than release of the data under a three-month developer licence would have been, but the effect is broadly similar and presents no erosion of the Environment Agency’s strongly commercial stance on licensing of flood data.
There has been a good effort to pull together existing open datasets that might be useful to #floodhack developers. However most of the EA’s flood-related datasets remain subject to restrictive licensing.

Microsoft Office blog hacked after redesign | Security | News | PC Pro

guardiantech — 2014-01-21T14:56:58+00:00

Microsoft fell victim to hackers for the third time in a month, after attackers defaced the newly redesigned Office blog.
The group known as the Syrian Electronic Army posted several articles on the Microsoft Office site, including one titled "hacked by the Syrian Electronic Army".
The group crowed that it had managed to hack into the blog's CMS [content management system] despite Microsoft's best efforts - and suggested it had access to employee login details.

This could continue for quite a while. Two-factor authentication isn't any use if the intruder is inside the system and the system is big enough.

Security researchers claim Apple technically capable of intercepting iMessages >> TechCrunch

guardiantech — 2013-09-19T21:10:14+00:00

Techcrunch: Is this attack something you feel can be widely distributed or leveraged, or is it so difficult that this is not likely?
Cyril Cattiaux: The iMessage protocol is strong. Only Apple or a powerful institution (NSA is randomly chosen as an example) could tamper with it.
TC: Does it require physical access to a user’s device? If not, then can you give some details on what info you need to make it happen?
CC: Basically, if you are Apple or the NSA, it doesn’t require any prerequisites.

Await the demonstration: next October 17-18 at the HITB Security Conference in Asia.

Bug In Apple’s CoreText allows specific string of characters to crash iOS 6, OS X 10.8 apps >> TechCrunch

guardiantech — 2013-08-29T21:13:18+00:00

Matthew Panzarino:

A bug in Apple’s CoreText rendering engine in iOS 6 and OS X 10.8 causes any apps that try to render a string of Arabic characters to crash on sight. The string of characters which can trigger the bug — which was discovered yesterday and has spread around the hacking and coding community — has made its way to Twitter, where even looking at it in your timeline will crash the app.

The Russian hacker who seems to have discovered it says Apple was told of this six months ago. (Thanks #imaginarynumber for the link.)

Apple credits security researcher Balic, but not for vulnerability related to Developer Center >> TechCrunch

guardiantech — 2013-08-20T21:06:55+00:00

Matthew Panzarino:

The vulnerability reported directly below [Ibrahim] Balic’s entry [which related to iAd] was credited to 7dscan.com and SCANV and is annotated with Apple’s Developer Center address. It seems far more likely that these two researchers are the ones who discovered the remote code execution vulnerability in the Developer Center which caused the outage. For researchers who are in this game, the credit from a company is the reward, so they most likely reported it to Apple. Once it had been confirmed, Apple was worried enough to take the Dev Center down to fix the problem.

Fits with what we reported previously: Balic's claims didn't fit with his claim to have hacked developer details.

DIY Headphone Implant >> H+ Magazine

guardiantech — 2013-07-03T20:54:09+00:00

Rich Lee:

First, the idea is based on this. The project is set up like this: 1. implant magnets; 2. test implants with coil to make sure audio is picked up; 3. implant coil/other parts w/transdermal jack & power charger.
Having stuff like this done isn’t really the realm of doctors. Most Grinders rely on body modification artists to install their implants. I’ve had work done by the body modification master Steve Haworth in the past and have relied on him for advice on several project ideas. Steve instinctively knew the best way to go about the implantation in a way that would minimize chances for infection and would leave no scarring. The implant procedure itself went very smoothly and the pain was surprisingly minimal.
The first thing everyone asks is “why would you do this?” Honestly, I don’t feel the need to answer this question. People either get it or they don’t. I’m a Grinder, and we are notorious for getting it.

Yes, he really had magnets implanted in his head so that he would have invisible headphones. Apart from the coil around his neck, obviously. (But as he points out, that can go under a shirt.)

Important message from Facebook's white hat program >> Facebook

guardiantech — 2013-06-21T22:32:35+00:00

Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.
Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.

It really is the world's phone directory.

When Twitter rogues move markets: a timeline >> Businessweek

guardiantech — 2013-04-25T16:56:51+00:00

Four occasions in the past couple of years:

The AP hack highlights the potential pitfalls of relying on social networks for tradable information, but false tweets have been affecting markets and companies for the past few years. In some cases the impact of false tweets can be immediate.

Like LinkedIn, eHarmony is hacked; 1.5 million passwords stolen >> latimes.com

guardiantech — 2012-06-07T06:16:35+00:00

LA Times reports that the eHarmony culprit is suspected of being the LinkedIn hacker.

The Towson Hack: The mystery of vanishing iTunes credit >> Macworld

guardiantech — 2012-03-18T21:45:18+00:00

September 2011, but possibly still going on:

Many customers whose store credit was stolen noted that the purchases centered on a handful of apps from specific developers. One of those developers was “gao jing,” the name behind apps like Expert Guide for Black Ops, Cheats Guide for Black Ops, Weapons Guide for Black Ops, and Game Guide for New Vegas. Notably, none of those apps remain in the App Store as of this writing; however, Apple declined to comment on the reason for their removal from the store. Other customers noted that the purchased apps on their accounts were all from other developers, including “Hongbin Suo,” “lane ma,” “Yang Yun,” “KAMAGAMES,” and “Lakoo.” Many of the purchased apps, or the companies behind them, appeared to be Chinese in origin.

YouPorn hacked user database >> Is It Hack Day

guardiantech — 2012-02-24T06:40:28+00:00

YouPorn got hacked and the user names and passwords leaked onto the web. The information is interesting, with passwords being very simple and most emails having been created for the purpose of consuming adult material.

The common passwords contain the usual suspects… well, slightly more sexual, actually, than usual.

Love online: 100,000 Grindr users exposed in hack attack >>> Sydney Morning Herald

guardiantech — 2012-01-22T19:26:19+00:00

This is big.

The hacker discovered a way to log in as another user, impersonate that user, chat and send photos on their behalf. The vulnerabilities are also present in Blendr, the straight version of the app, according to a security expert who said both apps had "no real security" and were "poorly designed".

USA Today Twitter account hacked by “The Script Kiddies” >> TechCrunch

guardiantech — 2011-09-26T20:37:02+00:00

"A group calling itself “The Script Kiddies” hacked USA Today’s Twitter account this weekend and used it to solicit requests for future targets and even to promote its own Facebook page. Although this recent hack seems like more of a childish prank, this group is being taken seriously by the FBI due to its earlier hacks involving false terrorism claims posted to NBC’s Twitter account."

They're a British group. Hope they're using more than one VPN.

Sony BMG Greece the latest hacked Sony site >> Naked Security

guardiantech — 2011-05-23T05:58:34+00:00

"An anonymous poster has uploaded a user database to pastebin.com, including the usernames, real names and email addresses of users registered on SonyMusic.gr.

"The data posted appears to be incomplete as it claims to include passwords, telephone numbers and other data that is either missing or bogus."