Apple earlier today updated its Safari browser to version 5.0.4, plugging up 62 security holes in the process. Even so, it took French security firm Vupen just 5 seconds to exploit the browser and take home a $15,000 bounty from TippingPoint for doing so. This marks the first time in four years that Charlie Miller, an analyst with Security Evaluators, wasn't first to crack the Safari browser in the annual Pwn2Own contest. And what of Microsoft's IE8 browser? It didn't fare much better.
Online reports suggest Nintendo's upcoming 3DS console may be able to detect when users try to play an illegal flash cart on the device. In such a scenario, Nintendo could implement special firmware that would disable the console from working, basically bricking your $250 mobile gaming system. More than a theoretical possibility, at least one website is reporting that's exactly what Nintendo intends to do.
Microsoft is either supremely confident in its latest revision of Internet Explorer 8, or they've already come to terms with the reality that if you put enough hackers in one room, no amount of patching will save them. Either way, the software giant announced on March 4th that it wouldn't be issuing any security patches before the annual Pwn2Own hacking event, which runs from March 9th to 11th in Vancouver, Canada. If this holds true, they will be the only major browser contender to do so.
McAfee has published a new report that details a string of cyberattacks targeting global oil, energy and petrochemical companies. Dubbed "Night Dragon" by the security company, the attacks have been on its radar since November 2009. While the hackers have used a wide assortment of techniques to attack these companies in a very "targeted" fashion, McAfee's vice president of threat research Dmitri Alperovitch described the hackers themselves as sloppy, unsophisticated and mistake-prone.
Shhhh ... very quietly hit the jump to read more about the covert attacks that are still continuing.
Online dating site eHarmony revealed that a hacker made off with some user info, including user names, email addresses, and hashed passwords, but said the site itself was not hacked. Even with the information obtained, eHarmony said it has a number of safeguards in place -- like state-of-the-art firewalls, load balancers, SSL, and other sophisticated security approaches -- that make it difficult for hackers to actually break into the site. It's a point eHarmony seemed intent to drive home.
Sony is turning up the heat on the hacking community as they seek to eradicate the PS3 jailbreak from the Internet, reports Wired. Sony is now promising to sue anyone that posts or links to the code in question. To those ends, Sony is seeking to force Google to turn over the IP addresses of people that viewed or commented on the YouTube video made by George Hotz (often called Geohot) explaining the hack. It doesn't even stop there.
In the grand scheme of things, relatively few people ever claim $20,000 for a day's worth of work. You can be one of them, provided you put your hacker hat on and attend the Pwn2Own contest next month. Google's challenge is this: Be the first to "pop [the Cr-48's Chrome] browser and escape the sandbox using vulnerabilities purely present in Google-written code" and the bounty, as well as the laptop, are both yours to keep, TippingPoint said in a blog post.
"If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope," TippingPoint said.
TippingPoint has put up a total cash pool of $125,000 in this year's Pwn2Own contest, with only $20,000 coming from outside funding (Google). This is the first time Google has offered a cash prize as part of the event, though it's worth mentioning that Chrome was the only browser to remain unscathed during last year's contest.
In a bit of a reversal, the US District Court in the Northern District of California has granted Sony a temporary restraining order against George "Geohot" Hotz and the Failoverflow team. The case revolves around two unrelated hacks of the Sony PS3 that allow unsigned software to be run. Sony contends that this supports piracy, and that the DMCA expressly forbids it.
As a result of this ruling, Geohot and Failoverflow have to stop all activities related to hacking the PS3, and cannot provide so much as an encouraging word or a link to others attempting to do the same. Mr. Hotz is also required to turn over all computing equipment that was used in the creation of the PS3 jailbreak. This last bit may be contested by Geohot's lawyers, says Engadget.
Of course, this isn't stopping anyone from finding the code online. We have to assume Sony knows this genie isn't going to be magically put back in the bottle. It's out there and there are more industrious young modders out there that are likely to take up the banner even more readily in the face of legal action.
"Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries, or schools. The option will exist as part of our advanced security features, which you can find in the Account Security section of the Account Settings page," the company wrote in a blog post. Eventually, HTTPS will be made the default setting.
Social authentication is another new security feature introduced by the company: “Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are.”
These security updates come close on the heels of two high-profile hacks. FB founder Mark Zuckerberg and French President Nicolas Sarkozy have both had their official fan pages hacked in the last few days.
An odd message on Mark Zuckerberg's fan page racked up over 1,800 likes and over 400 comments before the hacked post was removed, TechCrunch reports. Here's what it said:
"Let the hacking begin: i facebook needs money, instead of going to the banks, why doesn't Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a 'social business' the way Nobel Price winner Muhammad Yunus described it? http://bit.ly/fs6rT3 What do you think? #hackercup2011"
Assuming Zuckerberg didn't fall down a flight of steps head first in a drunken stupor as he made his way to his PC, it's pretty evident his fan page was hacked and the above message came from someone else. The post has since been removed, though not before raising questions about Facebook's security if it can't even keep its founder's fan page free from intrusion.