Cosmo, the Hacker ‘God’ Who Fell to Earth

Mat Honan, at Wired's Gadget Lab:

“I called Netflix and it was so easy,” he chuckles. “They said, ‘What’s your name?’ and I said, ‘Todd [Redacted],’ gave them his e-mail, and they said, ‘Alright your password is 12345,’ and I was signed in. I saw the last four digits of his credit card. That’s when I filled out the Windows Live password-reset form, which just required the first name and last name of the credit card holder, the last four digits, and the expiration date.” After Mat fell victim to similar social engineering miscreants weeks ago, he has begun investigating how widespread this issue is. What he has found, through a goldmine source, is that this sort of thing is prevalent within the industry. This is a must read article. I applaud Mat for exposing these security issues and hope the MANY companies mentioned in this article will take action to close these vulnerabilities within their systems.

The NSA Is Building the Country’s Biggest Spy Center

James Bamford, at Wired's Threat Level:

Under construction by contractors with top-secret clearances, the blandly named Utah Data Center is being built for the National Security Agency. A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital “pocket litter.” It is, in some measure, the realization of the “total information awareness” program created during the first term of the Bush administration—an effort that was killed by Congress in 2003 after it caused an outcry over its potential for invading Americans’ privacy. But “this is more than just a data center,” says one senior intelligence official who until recently was involved with the program. The mammoth Bluffdale center will have another important and far more secret role that until now has gone unrevealed. It is also critical, he says, for breaking codes. And code-breaking is crucial, because much of the data that the center will handle—financial information, stock transactions, business deals, foreign military and diplomatic secrets, legal documents, confidential personal communications—will be heavily encrypted. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.” For the NSA, overflowing with tens of billions of dollars in post-9/11 budget awards, the cryptanalysis breakthrough came at a time of explosive growth, in size as well as in power. Established as an arm of the Department of Defense following Pearl Harbor, with the primary purpose of preventing another surprise assault, the NSA suffered a series of humiliations in the post-Cold War years. Caught offguard by an escalating series of terrorist attacks—the first World Trade Center bombing, the blowing up of US embassies in East Africa, the attack on the USS Cole in Yemen, and finally the devastation of 9/11—some began questioning the agency’s very reason for being. In response, the NSA has quietly been reborn. And while there is little indication that its actual effectiveness has improved—after all, despite numerous pieces of evidence and intelligence-gathering opportunities, it missed the near-disastrous attempted attacks by the underwear bomber on a flight to Detroit in 2009 and by the car bomber in Times Square in 2010—there is no doubt that it has transformed itself into the largest, most covert, and potentially most intrusive intelligence agency ever created. In the process—and for the first time since Watergate and the other scandals of the Nixon administration—the NSA has turned its surveillance apparatus on the US and its citizens. It has established listening posts throughout the nation to collect and sift through billions of email messages and phone calls, whether they originate within the country or overseas. It has created a supercomputer of almost unimaginable speed to look for patterns and unscramble codes. Finally, the agency has begun building a place to store all the trillions of words and thoughts and whispers captured in its electronic net. And, of course, it’s all being done in secret. To those on the inside, the old adage that NSA stands for Never Say Anything applies more than ever. It may look like I quoted a lot above, but, when you see the length of the article, you'll realize it is just a small section of a huge piece. Go read it. One piece of the above quote really stood out to me though:

According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US.

Does this not sound like something significant - like they're able to break standard SSL traffic, or some other common security tool that most believe is uncrackable? Perhaps they've done it?

Horrible, Almost Unforgivable Dropbox Authentication Bug Yesterday

Christopher Soghoian emailed Dropbox, posted over on Pastebin telling them how he had discovered a massive security vulnerability on Dropbox in the wee hours of yesterday morning. If you want to read the entire email thread of how he discovered it, do so, but the short of it is, for a period of 4 hours yesterday, anyone could log into any dropbox account without having to know their password. Any password worked for any account. Dropbox says they've fixed the issue, patching the bug just 5 minutes after they found out about it, however that doesn't change the fact that this happened. If you, like me, are worried about if anyone logged into your account during that period, check your Dropbox account event log.

Good Luck With That

John Gruber posted this over at Daring Fireball:

Stuart Sumner for Computing:

Apple cannot continue to lock down its iOS platform and restrict the types of software developed for it, says security firm Kaspersky’s CTO Nikolay Grebennikov. Speaking to Computing, he said: “Apple simply can’t continue with its current closed approach, and in my opinion, to remain competitive it should be looking to open up its platform within a year.” “The Android platform, which is growing its market share, is much more open than the Apple iOS and it’s easier to create new applications for Android, including security software,” said Grebennikov. MacDailyNews’s translation: “We wish Apple would make its platform insecure like Google, so that we can sell ‘security’ to hundreds of millions of iOS users.” The consumer software "security" industry have largely been leeches on the backs of consumers for the past 10 years. In the early 90's when they started out, they were mostly doing good - writing good software that solved a problem. When they stagnated in the mid-90s they began to peddle bloatware and drum up fear around every major virus/trojan that came out in order to scare customers into buying their software. They're new way of competing was to further bloat their products with crap that people didn't near or to 'out-scare' their competitors. Now that Apple is taking hold in the desktop and mobile markets, they're scared shitless because Apple customers simply do not need their crapware any longer. The emperor has no clothes. There are no words to describe how much I cannot wait to see them all go away. Although they'll probably go kicking and screaming on the way down with their cries growing increasingly frantic about how you're all going to die unless you are buy their Norton MacAfee Virus Checker 3000 Deluxe Edition Pro™. Fuck those guys.

Sony Hacked Again: 1 Million+ Accounts Compromised

The same group became infamous for hittin PBS earlier this week has just announced that they've now hit Sony with a SQL injection which allowed them full access to various Sony databases. LulzSec statement:

Our goal here is not to come across as master hackers, hence what we're about to reveal: was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it. Rob Beschizza, writing for BoingBoing: Sony traditionally is run as a set of 'silos', independent departments, divisions and joint ventures that have much autonomy from one another. This might be why there are so many different attacks: there is always another Sony silo which runs its own web infrastructure, where hundreds of dollars worth of web development can go down the drain, just like that. Ouch. As I said last week on Twitter, friends don't let friends create user accounts on Sony networks.

FaceNiff Android App Takes Firesheep Mobile, Hacks Facebook and Twitter Accounts In Seconds

Terrence O'Brien writing for Engadget:

Remember Firesheep? Well, the cookie snatching Firefox extension now has a more portable cousin called FaceNiff. This Android app listens in on WiFi networks (even ones encrypted with WEP, WPA, or WPA2) and lets you hop on to the accounts of anyone sharing the wireless connection with you. Right now it works with Facebook, Twitter, YouTube, and Nasza-Klasa (a Polish Facebook clone), but developer Bartosz Ponurkiewicz promises more are coming. You'll need to be rooted to run FaceNiff -- luckily, we had such a device laying around and gave the tap-to-hack app a try. Within 30 seconds it identified the Facebook account we had open on our laptop and had us posting updates from the phone. At least with Firesheep you had to sit down and open up a laptop, now you can hijack Twitter profiles as you stroll by Starbucks and it'll just look like you're sending a text message (but you wouldn't do that... would you?). Lovely