This should come as a surprise to absolutely no one, but underground merchants in China are cashing in on weak Wi-Fi encryption by selling network key cracking kits. What is a little surprising, however, is how brazen the sellers have become. Available both online and at China's electronics bazaars, the kits consist of a Wi-Fi USB adapter with a Linux OS, key-breaking software, and an easy-to-follow user manual. The whole shebang is being marketed as free Internet.
It doesn't take a whole lot of tech savvy to use one of these kits, nor do they require a hefty investment. Some merchants are selling Wi-Fi cracking kits for as little as US$24, and sellers offer free setup from an associate on the opposite end of the building.
Both WEP and WPA keys are vulnerable, the former by exploiting a long-known weakness in the protocol and the latter by way of a brute-force attack.
"Depending on many factors, WEP keys can be extracted in a matter of minutes," said one of the kit's developers who goes by the name Muts. "I believe the record is around 20 seconds."
A 9-year-old student attending a Fairfax County Public School in Falls Church, Virginia, created quite the scare for his school district. Faculty thought the district was the victim of a hacker attack after someone had been changing teacher passwords on the school district's Blackboard system.
Local police were called in to investigate, and they traced the incident to the home of a 9-year-old student. The kid didn't actually hack the system, but had simply swiped a teacher's password from a desk.
"This was a case where an individual...got hold of a teacher's password, and the passwords had administrative rights," said Paul Regnier, a school board spokesman.
The rebellious student used the administrative account to change enrollment lists and alter other teachers' passwords. Much to the student's chagrin, however, he wasn't able to alter grades or access other machines on the school's system.
"Nothing bad happened this time, but we have to make sure that...it doesn't happen again," said Regnier.
Not writing down high-level passwords and putting them in an unlocked desk might be a start.
The real victim here might be François Cousteix, an unemployed Frenchman who goes by the online handle "Hacker Croll." Sure, he's accused of hacking into Twitter and poking around the accounts of President Barack Obama and singers Britney Spears and Lily Allen, but he's a nice guy - just ask him.
"I'm a nice hacker," Cousteix told France 3 television on Thursday, a day after he was released from police questioning.
According to "Hacker Croll," there was no malicious intent, and in fact he wanted to warn Internet users about data security. By breaking into celebrity and high profile accounts. On Twitter.
"He says it's the challenge, the game, that made him do it," said Jean-Yves Coquillat, prosecutor in Clermont-Ferrand, where the suspect will go to trial in June for hacking.
Though he didn't profit from the hacked accounts, Cousteix stands to serve up to two years in prison and a fine of nearly $41,000 if convicted on the charge of breaking into a data system.
A handful of hackers will leave CanSecWest's security show a little richer than when they arrived after participating in the annual Pwn2Own contest. Charlie Miller, for example, won $10,000 for hacking Safari on a MacBook Pro without having physical access to the rig. You may recall that Miller, a principal security analyst at Independent Security Evaluators, walked away with $5,000 last year for exploiting a hole in Safari, and $10,000 for hacking a MacBook Air in 2008.
Safari wasn't the only software to fall. Peter Vreugdenhil won $10,000 for hacking Microsoft's Internet Explorer 8 browser, while Nils, head of research at UK-based MWR InfoSecurity, collected the same amount for exploiting Firefox on 64-bit Windows 7 (Nils declined to provide his last name).
Ralf Philip Weinmann and Vincenzo Iozzo will share a $15,000 prize for hacking Apple's iPhone. They did so with an exploit written two weeks ago designed to steal the contents of the SMS database.
"The payload executes and uploads the local SMS database of the phone to the server we control," Weinmann said.
The question isn't whether or not convicted computer hacker Albert Gonzalez will do any time, but how much time. Prosecutors in the case want Gonzalez to serve 25 years, while his lawyer will argue that he should do no more than 15.
Back in September, Gonzalez, 28, pleaded guilty to conspiracy to gain unauthorized access to computer servers at a number of supermarket chains and corner convenience stores. Three months later, Gonzalez admitted to hacking into the computers at TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, and the Dave & Buster's restaurant chain.
During his online crime spree, Gonzalez racked up monetary damages worth almost $200 million.
"The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled," Assistant U.S. Attorney Stephen Heymann said in a sentencing memorandum.
For his illicit efforts, authorities say Gonzalez amassed $2.8 million in cash and assets, though as part of the plea deals, he was forced to forfeit more than $2.7 million, his Miami condo, a car, Rolex watches, and a Tiffany ring he gave to his girlfriend.
A report by China Business News today indicates that Google may have set a hard date of April 10th to shut down its Chinese operation. CBN also reports that an official announcement may come on March 22nd. Google is still remaining tight-lipped on the matter.
The Google/China dispute started in January when Google disclosed that it had been the target of a hacking attack from within China. Combined with the state-imposed censorship, Google said the market was perhaps more trouble than it was worth. We’ve been hearing reports of ongoing talks, but in recent days more rumors have emerged pointing to a Google exit.
Former Google Asia employee Peter Lui says if Google leaves, they might not be able to get back in. “[Google] burnt bridges and they’ve burnt the Google brand in China,” said Lui. This is all still rumor, but come Monday if there is a Google press conference scheduled, we’ll know we’re on to something.
After our USB 3.0 coverage last week, we figured it would be a good time to turn our attention back to USB 2.0 (aka High Speed), and one of the classic nerd hobbies: USB hacking. Because of its highly-accessible wiring, USB can be easily modified for all sorts of purposes, even by neophyte hardware hackers. In the past, we've shown you how to perform some simple hacks, but now we want to highlight some of our favorite hacks created by members of the DIY community.
Some are of questionable utility, some of them are downright dangerous, but all of them are good, old-fashioned fun. Read on for our picks for the 10 most amazing USB hacks!
When Google announced that it might be pulling out of China as a result of recent cyberattacks, everyone assumed the Chinese government was involved in the breach. After all, pulling the plug on the largest customer base of Internet users in the world couldn't have been an easy decision to make, and would have been a bit of an overreaction if the evidence was pointing to a private individual or company. With this in mind, however, it's important to note that Google hasn't officially implicated the Chinese government in the attacks, and that rumor now stands in stark contrast to a statement issued today by Chinese officials.
The "accusation that the Chinese government participated in (any) cyberattack, either in an explicit or inexplicit way, is groundless and aims to denigrate China," an unidentified ministry spokesman told Xinhua, according to an Agence France Presse report. "The U.S. has criticized China's policies to administer the Internet and insinuated that China restricts Internet freedom...This runs contrary to the facts and is harmful to China-U.S. relations," a Chinese Foreign Ministry spokesman said.
The harsh words quoted above out of Beijing are one of the first public reactions to Hillary Clinton's recent lecture on Internet freedom. In her speech, Clinton criticized China's efforts to censor the country's 384 million web users, who she claims are trapped behind "The Great Firewall of China." Clearly the Chinese government was not amused. Google hasn't stopped censoring the results on Google.cn just yet, but CEO Eric Schmidt said on Thursday that it would happen soon.
So is China's blanket denial of any wrongdoing good enough for you? Keep this link bookmarked for ongoing coverage of the situation as it unfolds.
Sorry Baidu users, your search engine is down for the count (in parts of the world, anyway), at least for the time being. No, a late-night watchman didn't trip over the power cord in a data center; instead, the outage appears to be the work of Iranian hackers.
Baidu, China's most popular search engine with a market share exceeding 77 percent, now shows a page saying "This site has been hacked by Iranian Cyber Army." These are the same dudes who also attacked and defaced Twitter just a few weeks ago using the same method: DNS cache poisoning.
Sounds toxic, but rest assured, no chemicals were used. DNS cache poisoning involves corrupting a DNS table so that a site's legitimate IP address is replaced with a malicious one, which in this case points to the Iranian Cyber Army page.
The DataTraveler BlackBox, DataTraveler Secure — Privacy Edition, and DataTraveler Elite — Privacy Edition are the only flash drives being recalled. Kingston has advised those affected to contact tech support before returning their flash drives. Its site contains a country-wise list of all its tech support phone numbers.