Noted White Hat hacker and security expert Moxie Marlinspike (not his real name) was recently detained at New York's JFK airport as he returned from a trip to the Dominican Republic, Wired reports. Marlinspike says he was met at the plane's gate by agents with U.S. Customs and Border Protection. He was led to a detention room, where an investigator confiscated his computer and cell phones.
After an attempt to access the devices to copy the data, Marlinspike was instructed to give up his encryption keys. He refused and was eventually allowed to leave with his property about four and a half hours later. Marlinspike does not plan to use the devices again, saying, "They could have modified the hardware or installed new keyboard firmware."
Marlinspike gained notoriety in hacking circles last year when, at the Black Hat security conference, he disclosed a serious web vulnerability that allows attackers to fake security certificates. Marlinspike has been experiencing increased scrutiny for months. Ticketing agents can only issue him tickets after calling a Department of Homeland Security phone line. He has also been told by airline personnel that he is on a federal watchlist. Feel safer yet?
The now infamous Sarah Palin email hacker has been sentenced to just over one year at a halfway house, sparing him what many expected would be time behind bars for his attempts to derail her campaign during the 2008 presidential elections. According to the Associated Press, Federal Judge Thomas W. Phillips recommended that Kernell be spared a prison sentence because of his struggles with depression, which predate the incident.
Kernell apologized to Palin saying that the incident would undoubtedly affect him for the rest of his life, though it appears to have fallen on deaf ears. Palin’s official Facebook page was updated and compared the case to the 1972 Watergate scandal which led to Nixon’s resignation shortly thereafter. "As Watergate taught us, we rightfully reject illegally breaking into candidates' private communications for political intrigue in an attempt to derail an election."
Either way, it did uncover the fact that not only did Sarah Palin conduct official state business using her Yahoo account, but that it could be accessed by simply guessing what high school she went to. Hopefully politicians who actually have juicy gossip to hide learned their lessons on this one.
Adafruit Industries lit a fire under the hacking community's feet when it announced a $2,000 prize for the first person to deliver open-source software drivers for the Kinect, and it looks like a winner has emerged.
Nothing has yet been verified, but NUI Group forum member "AlexP" posted a couple of videos showing the Kinect merrily communicating with Windows. Microsoft, as you might imagine, probably isn't going to take the news well and was never in support of the contest to begin with.
"Microsoft does not condone the modification of its products," a company spokesperson told CNet. "With Kinect, Microsoft built in numerous hardware and software safeguards designed to reduce the chances of product tampering. Microsoft will continue to make advances in these types of safeguards and work closely with law enforcement and product safety groups to keep Kinect tamper-resistant."
AlexP has been down this road before. In addition to hacking the Kinect, he also modified Sony's PS3Eye Camera to run under Windows.
A recent hacker attack against hosting provider Reality Check Network resulted in a massive blackout for several popular torrent sites, TorrentFreak reports. The attack took place on Saturday morning, corrupting the Master Boot Records (MBRs) of several servers, RCN said.
"We are writing this letter to inform you that a very targeted malicious attack took place on our network this morning at 6AM EST. As a result, most of our server operating systems have been corrupted resulting in the current downtime," the company wrote to the affected customers.
"We have access to all backups and have already figured out a strategy for bringing your servers back up, and have all hands on deck working to restore service," Reality Check Network President Moisey Uretsky added.
Much to the dismay of conspiracy theorists, the hacker in question doesn't appear to be a hired goon of the RIAA. Instead, Reality Check Network said "it was the result of an ex-employee" who had worked for the company for three years and "had intimate knowledge" of the systems.
Chris Paget made a name for himself back in 2009 when he exposed security vulnerabilities in RFID that allowed him to wirelessly download the contents of US passports from a parked car, and he’s making headlines again by exposing serious problems in the GSM cellphone network. Using nothing more than an off-the-shelf laptop and a pair of RF antennas, he was able to successfully imitate an AT&T cellphone tower, which allowed him to intercept and record phone calls. “As far as your cell phones are concerned, I'm now indistinguishable from AT&T,” he told a crowd at this year’s DefCon security conference.
The demonstration was supposed to highlight a major flaw in the 2G GSM system, which automatically directs phones to the tower with the strongest signal, apparently without proper authentication. So far the system only works on outgoing calls, but it is a pretty critical flaw in the most commonly used wireless technology in the world. "GSM is broken," Paget said. "The primary solution is to turn it off altogether." I’m willing to bet carriers will take his recommendation “under advisement”, but hopefully a more reasonable fix is possible with the existing hardware.
It is unknown at this point if similar vulnerabilities exist in CDMA, but for the time being anyway, it will be the last refuge for tin foil hat wearing propeller heads who need to keep their calls private at any cost.
A young Argentinian hacker, known only by his sobriquet Ch Russo, claims to have successfully slipped past The Pirate Bay's defenses, gaining access to the torrent site's administrative control panel. An SQL injection vulnerability discovered by Ch Russo and a couple of his chums exposed the site's user database, which is said to contain account information belonging to around 4 million users. However, the hacker denies altering or deleting information.
The trio also resisted the temptation of selling the data to the companies assisting the entertainment industry in its fight against piracy. “Probably these groups would be very interested in this information, but we are not [trying] to sell it,” Russo told security blog KrebsOnSecurity in a phone interview. “Instead we wanted to tell people that their information may not be so well protected.”
Had 45-year-old Barry Ardolf, an accused hacker living in Minnesota, been on an episode of "Deal or No Deal," the audience would have been screaming for him to take the deal. Only in this case, Howie Mandel was nowhere to be seen and the stakes were decidedly higher.
The deal was for 2 years in prison in connection to charges accusing him of hacking into a neighbor's computer and using it to send Vice President Joe Biden a threatening email. His lawyer said the decision to reject the plea "was a difficult one," and those words may come back to haunt Ardolf.
According to authorities, Ardolf now faces up to 20 years in prison after additional charges were tacked on. He's looking at up to 10 years for two child-porn accusations, and five years each for two hacking charges.
Ardolf is currently out on $25,000 bail with the conditions that he be denied Internet access and must surrender his electronic devices, including his iPhone.
Andrew Auernheimer, a 24-year-old authorities believe is one of the hackers who participated in Goatse Security's shenanigans in which some 114,000 iPad owners' emails were obtained through a security flaw and then posted online for all to see, has been arrested. Want to venture a guess as to why?
If you said "drugs," then you cheated, but you're also correct. By way of an FBI search warrant, Auernheimer, who goes by the name "Escher" and the hacker handle "Weev," had his home raided earlier this week. It's unclear what prompted the warrant, but during the search, authorities claimed to have found drugs.
Auernheimer faces four felony charges of possession of a controlled substance and one misdemeanor possession charge. According to Lt. Anthony Foster of the Washington County Detention Center in Fayetteville, Arkansas, the drugs included cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals.
What's interesting about all this is there doesn't seem to be any indication that Auernheimer faces charges for the hacking incident, even though he's believed to be a key member of the Goatse Security group that discovered the security flaw in an AT&T website for iPad users. In a letter sent out last week to iPad owners, AT&T said it would assist in the investigation of any illegal activities related to the security breach.
The life of a white hat hacker isn't one I envy. They do an amazing job of uncovering security exploits that threaten us all, but whistleblowers who come forward too often seem to get the cold shoulder, or worse yet, labeled as criminals. This is the situation allegedly facing Goatse Security, the firm that first reported on the iPad data leak that exposed over 114,000 iPad email accounts last week.
According to a Goatse spokesman known only as "Weev", "We did this as niceguy as we could. The Wall Street Journal wrote an article that implies pretty strongly that we are criminals. We did not publicly release the dataset, we waited until we confirmed the system was secured before we went public with technical details. I hope they don't try to get charges pressed but if charges are pressed we will fight it and win".
A similar situation is facing a Google employee who recently exposed a vulnerability in Windows XP and was labeled by Microsoft as "irresponsible". It can sometimes be difficult to gauge the intention of those who bring these exploits to light, and at least in this case, Google insists the employee in question was acting alone. Regardless of how you feel about each of the individual cases listed above, it raises interesting concerns about how to deal with situations like this in the future.
Are these guys criminals or heroes?
Here's something that will help you sleep a little less soundly at night. According to the cybersecurity intelligence division of VeriSign, hourly botnet rentals can be had for less than $9. The average price of a 24-hour rental runs $67.20.
VeriSign said it launched an online investigation into 25 botnet operators back in February, zeroing in on botnet services advertised on three web forums. The services offered a range of attack vectors, including ICMP, SYN, UDP, HTTP, HTTPS, and Data. What's more, these services came advertised through forums and banner ads, just like a legitimate business would.
"While these attacks are becoming increasingly sophisticated, the criminals targeting your business may not be," said VeriSign iDefense director of intelligence Rick Howard in a statement.
Howard's chilling scenario has already played out, and at these prices, there's no reason to believe this won't be a common theme for a long time to come. For example, it was just two months ago that three men were arrested and accused of operating the Mariposa botnet. None of these men had any significant programming background, yet the Mariposa botnet was comprised of some 12.7 million PCs and stole credit card and bank log-in data from about half of the Fortune 1000 companies and over 40 banks.