All posts in “hacking”

Safe-cracking robot proves nothing is secure

The safe doesn’t stand a chance.

Image: jack morse/mashable

If hackers want what’s on your computer, chances are they can find a way to get it. But what about your non-digital goods? Like, the ones you keep in a safe at home?

Turns out those aren’t that secure, either. 

This was made abundantly clear at the 25th annual DEF CON in Las Vegas, where professional tinkerer and founder of SparkFun Electronics Nathan Seidle could be found demonstrating an open source safe-cracking robot. Costing around $200 to build, the device uses magnets to attach to the exterior of a safe and is run by an Arduino microcontroller. 

Oh, and it’s very portable. Like, carry around in a backpack as you sneak into a house portable. What’s more, the robot basically runs itself. 

“We wanted to make this thing as autonomous as possible,” he told the gathered crowd. And autonomous it is: You just hit the red button, and off it goes. 

Checking out the details.

Image: jack morse/mashable

To demonstrate just how quickly the robot works (and it does work quickly), Seidle pulled a Sentry Safe that he bought from a Home Depot in Vegas — which he claimed is one of the more common personal combination lock safes — right out of the box at the start of his presentation. With just a few adjustments, his robot was off to the races.  

The safe was fully cracked by 12:31 p.m. The talk started at noon.

Importantly, this tool works for this specific type of safe, but that doesn’t mean your other options are much better. 

Toward the end of his talk, Seidle quickly ran through different methods for locking up your valuables. Say, for example, you want a safe with a key? Or maybe a fancy digital keypad? With a casual dismissal, he mentioned that many of those can be opened in minutes. 

“No matter how much money you spend on a safe, nothing is impervious,” noted Seidle. Which, well, was basically music to the crowd’s ears.  

Because, essentially, nothing can be kept out of reach from a dedicated hacker. Not your computer, not your cellphone, and definitely not whatever it is you keep in your safe at home. Consider yourself warned. 


Creepy spyware has infected Macs for years, and we’re only just realizing it now

Your Mac is not safe. Well, at least not as safe as you think it is. 

That’s the big takeaway following the detailed investigation of a particularly insidious strain of Apple-focused malware that has potentially been around for up to a decade — all the while broadcasting video and audio from victims’ computers back to an unknown attacker. 

The malware, dubbed Fruitfly, was first reported on in January by Malwarebytes. However, it was Synack Chief Security Researcher Patrick Wardle who blew the lid off Fruitfly’s true nature on July 21. 

“[A] hacker built this to spy on users for probably perverse reasons.”

In a conversation with Mashable, Wardle explained that he was sent the malicious software by a friend earlier this year, and that he found it interesting enough to investigate. That investigation led to some unexpected places. 

Wardle discovered that the malware directed infected computers to contact a command and control server for instructions — known as “tasking” — but that the primary server was offline. As such, he realized the computers would look for specific backup domains for their directions. It just so happened that “one or two” of those domains were available for registration.  

So he registered one, and created a server that could talk to the malware. What he found, well, is pretty damn creepy. 

First, Fruitfly gave him both the infected computers’ IP addresses — which can be used to determine their locations — and the computers’ names. With most Macs, the computer name is just the owner’s name. 

So, for starters, Wardle was sitting on the names and locations of many of the victims. But that’s not all. The malware gave him the power to remotely switch on webcams and microphones, take control of mice, change files, and would even notify him if the computer was in use by its owner. 

“Usually you see that in government or nation-state software,” Wardle, who used to work for the NSA, observed. 

But the victims weren’t nation-state actors — they were regular people. Strangely, however, the system didn’t seem designed for financial gain as is more typical of malware infecting the devices of everyday folks. Instead, it appeared to have a completely different objective. 

“[A] hacker built this to spy on users for probably perverse reasons,” explained Wardle, emphasizing that it was “designed to perform surveillance.” 

Approximately 90 percent of the infected computers are located in the U.S., with Wardle identifying around 400 compromised devices. He cautioned that those are just the infected systems he found, and that the total could be in the low thousands. Why so low? He speculated two reasons: to keep things manageable for the aforementioned creep, and to avoid detection. 

Speaking of detection, how did this thing go undiscovered for so long? Well, according to Wardle, a lot of that has to do with Macs.

“Mac security software is not that good,” he noted before elaborating that while Macs are good at detecting known threats, they are not that good at identifying new threats. Which, well, is a not-so-gentle reminder that even Mac users should get webcam covers. What’s more, Wardle added that Macs are actually easier to hack than recent versions of Windows — a statement which is sure to not win him any love in the Apple community. 

Wardle contacted law enforcement with his findings, and he says the entire Fruitfly malware net appears to be shut down at this time. And while that is good news for the 400 victims he identified, the findings suggest that a host of Mac-focused malware may already be out there under all of our noses. All someone needs to do is look for it. 


These hackers stole $85 million in Ether to save it from *the real crooks* (or so they say)

One for you, 85 million for me…

Image: Backyard Production/Getty Images

The clock was ticking. Thieves stole $32 million worth of Ether out of a popular Ethereum wallet, and with every passing minute the potential for additional losses grew. 

And so the White Hat Group stepped in. 

Like something out of a weird cryptocurrency reboot of National Treasure, the unidentified WHG hackers decided to steal the remaining Ether before the crooks could. All $85 million of it. 

Or so they say. 

The claim was posted to Reddit on July 19, and details a plan to return the funds to their rightful owners. Here’s how the poster, jbaylina, says it went down:

“The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract,” explained the post, referring to a vulnerability in the popular Ethereum wallet Parity that was successfully exploited by unknown thieves. “This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts.”

Essentially, the White Hat Group says they came across the vulnerability — likely because hackers were exploiting it to steal the aforementioned loads of Ether — and went ahead and boosted every last bit they could. But for a good cause.  

“If you hold a multisig contract that was drained, please be patient,” the post continued. “We will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and we will return your funds to you there.”

In other words, the WHG says it saw your money sitting in a busted safe, removed it before thieves could, and now promises to return it to you in a new safe that works. Unsurprisingly, people flocked to Reddit to thank them.

“You guys are literal fucking heros [sic],” wrote one person who may or may not have had Ether stolen. “Good fucking job.”

“They’re like ‘The Avengers’, but for buggy smart contracts instead of aliens,” noted another.

And so, just like we would with a real-life caped crusader, we are left wondering about the identity of the White Hat Group’s members. We reached out to the Reddit user who posted the WHG message, curious as to the group’s motivation and future plans, but perhaps unsurprisingly didn’t receive a response. 

Notably, however, this isn’t the first time WHG members have swooped in to save the day. As ETHNews notes, the WHG previously made waves when it hacked a hacker that had ripped off The DAO, “an investor-directed venture capital fund on Ethereum.” Just like in the recent case, WHG announced it would return the stolen funds that it had recovered. 

Even so, skeptics remain. After all, this unknown person or persons now controls around $85 million worth of Ether. Are they really going to just give it all back?

It’s the $85 million question, and one that an untold number of people in the cryptocurrency community are waiting with bated breath to see answered. 


A security researcher just revealed a huge Myspace security flaw. (And yes you should care.)

Tom, u up? Myspace — you know, that game-changing social media platform that you created and sold — appears to have some serious security issues, dude. 

Security researcher Leigh-Anne Galloway shared a blog post on Monday detailing a huge security flaw she spotted on Myspace’s account recovery page back in April. 

“In April this year whilst roaming the plains of the wild world web, I stumbled across an old Myspace account of mine,” Galloway explains in the post. “Attempting to gain access and delete the account I discovered a business process so flawed it deserves its own place in history.”

Essentially, Galloway discovered that an attacker could use public information — info as basic as name, email address, username, and date of birth — to gain access to any Myspace account by simply using the “Do Not Have Access To Old Email Address” form.

Galloway shared the issue with the company … and, according to Galloway, she “received almost no response from Myspace, except an automated one.”

Why is this so troubling?

In 2016 you may recall that Myspace suffered a massive security breach involving 427 million passwords belonging to approximately 360 million users who created accounts before 2013. The database of passwords was then put online for all to see.

This is a bigger deal than it seems. In addition to the breach allowing hackers to access a trove of personal user information and direct messages from Myspace, basically everyone reuses their passwords (which for the record, is not something you should do). So the 2016 Myspace breach may have put a lot more people and accounts at risk than expected.

This, coupled with the fact that it’s been about three months since Galloway reported the most recent security flaw and she’s only received an automated response, begs one very serious question: What are you doing, Myspace?

In response to a request for comment, a Myspace spokesperson told Mashable, “In response to some recent concerns raised regarding Myspace user account reactivation, we have enhanced our process by adding an additional verification step to avoid improper access.”

“We take data security very seriously at Myspace,” the spokesperson went on. “We will continue to monitor the security of these accounts and make appropriate modifications.”

Okay, Myspace. But why did it take so long to even address the issue?

What even is Myspace nowadays?

The Myspace that today’s users know is far from the Myspace you left behind to join Facebook back in the day, and maybe that’s part of the problem.

After co-founder Tom Anderson sold the social media platform to NewsCorp in 2005, it was acquired in 2011 by Tim and Chris Vanderhook and Justin Timberlake. A year later, Timberlake attempted to bring sexy back to the site with a swanky new redesign and then the world basically never heard another peep about Myspace ever again.

Cut to today where the site appears to be a somewhat confusing, music-centered hub where people can stay informed on the music world but also chat with one another and maintain a personal profile.

The website’s stats page proudly displays the number of songs on the site, and a search bar at the bottom of the homepage gives you access to articles, songs, videos, and artists on what vaguely resembles iTunes.

Image: screengrab/myspace

According to the site, Myspace is currently comprised of 150 engineers, designers, writers, and strategists. For comparison, as of March 31, 2017 Facebook reported a whopping 18,770 employees. And back in 2016 Myspace received a reported 15 million monthly unique global visitors, whereas Facebook currently has around 2 billion monthly active users.

In other words: Myspace is not top dog. But you still have to care.

Do I really have to?

Yes.

You may not use Myspace anymore but if you have an old dormant account, you either have to keep tabs on it or delete it completely. Breaches have happened before and they can happen again. That said, there’s no denying that the months-long delay in Myspace addressing the issue is concerning.

Myspace may be struggling to stay relevant in the modern era of social media, but there is one easy way to get people to take your site seriously: address your security flaws.


It only took hackers 3 minutes to steal $7 million worth of Ether

Oops.

Image: Shutterstock / Lightboxx

All it took was three minutes. 

Shortly after going live, CoinDash’s July 17 Initial Coin Offering (ICO) was in serious trouble. The company, which allows for the trading of the popular cryptocurrency Ether (the “money unit” of the Ethereum platform), was all set for a big fundraising round with investors given the chance to invest in CoinDash with Ether. It’s a well-established practice similar to an IPO: Buy into a company now in exchange for tokens, which are in some sense analogous to stock, and hope to reap the rewards later. 

It didn’t exactly work out as planned. 

As explained after the fact on the company’s website, hackers managed to change one tiny but important detail on the CoinDash website just as the ICO was scheduled to begin: The Ethereum wallet address. That little change was all it took to redirect cryptocurrency slated for CoinDash into the wallet of the attacker. 

“It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event,” the company explained. “During the attack $7 million were stolen by a currently unknown perpetrator.”

According to a screenshot of the CoinDash Slack channel, posted to Reddit and confirmed as authentic by Motherboard, CoinDash realized what was happening within three minutes — but the damage was done. 

Well this is bad.

Image: Coindash/reddit

Angry online commenters, who may or may not have fallen prey to the scam, quickly took to Reddit to vent their frustration — with some hinting at the possibility of an inside job. 

“Is there any proof that this was a hack,” wondered one Redditor. “What if Coindash put an address in and then cried hacker to get away with free ETH?”

“This propably [sic] was a set up from the beginning,” speculated another.

However, those that sent their Ether to the wrong address may not be entirely out of luck. CoinDash says it will still issue tokens to anyone who was swindled (as long as it happened before company employees shut their site down upon discovery of the hack). 

“CoinDash is responsible to all of its contributors and will send CDTs [CoinDash Tokens] reflective of each contribution,” the company further noted on its site. “Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly.”

CoinDash, for its part, did manage to raise $6.4 million from its “early contributors and whitelist participants” before things went south. 

As for the stolen Ether? Well, that’s just chilling in a wallet, waiting until the crook comes to collect. And, unless the perp left some clues behind during the hack itself, he or she will soon be sitting pretty with their ill-gotten gains. Following laundered cryptocurrency, after all, is a notoriously difficult task. 
