STE WILLIAMS

Hackers pwn PBS in Revenge for WikiLeaks Documentary

Hackers aligned with WikiLeaks broke into and defaced the website of US broadcaster PBS over the weekend shortly after it had aired a less than flattering documentary about the whistle-blowing site.

LulzSec took particular offence at the portrayal of presumed WikiLeaks source Bradley Manning during of an episode of PBS’s Frontline news magazine programme. In response, the hackers broke into PBS website before swiping passwords and other sensitive information.

The hacker pranksters uploaded usernames and hashed passwords for the PBS database administrators and users onto Pastebin.com. Even more embarrassingly, the prankster also posted the logins of PBS local affiliates, including plain-text passwords.

Just so everyone would know the hack had happened, LulzSec also defaced PBS’s website, posting a bogus story (cached here) that claimed dead rapper Tupac Shakur was alive and well in and living in the same New Zealand town as nemesis Biggie Smalls. PBS posted a statement on the hack but that was defaced as well with an abusive message posted against Frontline.

Hacks of this type are normally carried out using SQL injection attacks. Flaws in content management systems are also a popular target. However LulzSec said that it had used a zero day exploit in Movable Type 4 on Linux servers running outdated kernels. That in itself would only have allowed LulzSec to deface the PBS website, but the use of the same password across multiple systems within PBS allowed the hackers to pull off a far more deeply penetrative attack.

Since the hack, LulzSec has turned it attention towards patriot hacker Jester, the most prominent member of the anti-Wikileaks cyber-militia, who attacked WikiLeaks after the release of US diplomatic cables. Unsurprisingly, LulzSec claimed his hacks were “lame” before threatening an attack against long-running hacker magazine 2600

Source

Hack reveals passwords from locked iPhones and iPads

Researchers have devised a method for stealing passwords stored on locked iPhones and iPads that doesn’t require cracking of the device’s passcode.

The technique, disclosed on Thursday by members of the Fraunhofer Institute for Secure Information Technology, requires physical access to the targeted iPhone or iPad, so remote attacks aren’t possible. But it takes less than six minutes and carry out, and the after effects are easy to conceal, making it ideal to carry out on devices that are lost, stolen or temporarily unattended.

The hack exploits cryptography in the iOS password management system – known as keychain – that uses a secret key that is completely independent of the device’s passcode. That saves attackers who manage to access the file system the hassle of deducing a key that’s based on a passphrase set up by the user.

“After using a jailbreaking tool, to get access to a command shell, we run a small script to access and decrypt the passwords found in the keychain,” the researchers wrote in a paper (PDF). “The decryption is done with the help of functions provided by the operating system itself.”

The script also reveals always-encrypted account settings for things like user names and server addresses for all stored accounts, as well as the account clear-text secrets. The hack worked on a locked iPhone 4 running iOS 4.2.1, which was the most current firmware version at time of writing. A demo of the attack is available on YouTube – you can view it below.

“The accessibility of keychain secrets without requiring the passcode is considered a result of a trade-off between system security and usage convenience,” the researchers wrote. “The passwords for network related services should be available directly from device startup, without having to enter the passcode first.”

The technique doesn’t retrieve passwords stored in parts of the device that remain off limits until the passcode is entered.

Still, the hack can reveal a wealth of sensitive codes, including those used for virtual private networks, Wi-Fi networks, LDAP accounts, voicemail systems and Microsoft Exchange accounts. And that’s likely to spook large business customers with employees that use the devices to connect to sensitive company systems. ®

Source

Gawker makes a hash of non-ASCII characters in passwords

Gawker is phasing out the use of email-address-and-password login in favour of more modern OAuth authentication and the use of anonymous one-off accounts.

Tom Plunkett, CTO at Gawker Media, briefly explained the plans in responding to the discovery of another password-related security snafu involving the media news and gossip site. Computer scientists at Cambridge University discovered that, until a fortnight ago, it was failing to handle non-ASCII characters in passwords. Instead, all non-ASCII characters were mapped to the ASCII ‘?’ prior to generating a password hash.

As a result of the cock-up, the accounts of Native Korean speakers, to quote just one example, might be opened by hackers who simply guessed a string of question marks.

Joseph Bonneau, a computer scientist at Cambridge University, came across the security hole in researching the handling of non-ASCII characters in passwords. “Gawker was using a relatively little-known Java library with the known bug of converting all non-ASCII characters to ‘?’ prior to hashing,” Bonneau explained.

Bonneau credits Gawker with responding quickly to his discovery by applying a fix within three days, though the number of exposed accounts is small. Gawker’s blog is only available in English and checks by Bonneau suggested fewer than one in 50,000 users elected a password which was entirely non-Latin.

The latest glitch follows a far more serious breach last month, when security slip-ups by Gawker resulted in the exposure of millions of user passwords. A database dump containing user login credentials, chat logs, and other Gawker-site collateral was released as a Torrent by hacking group Gnosis. Gnosis extracted the material after gaining root access to Gawker’s servers. The attack was motivated in large part by an online feud between hackers affiliated with anarchic imageboard 4chan and Gawker.

Gawker responded to the breach by asking users to change their password, a similar response to its attitude to the much less significant non-ASCII hash snafu. Users affected by the non-ASCII bug are being prompted to change their password as soon as they login to the site with their old (vulnerable) credentials. Meanwhile, Gawker is making backend changes that will allow it to move to a more secure password system, Plunkett explained.

“Longer term (beginning early February), we will be migrating all of our users to our new commenting platform that will be described on the tech.gawker.com blog later this month,” Plunkett explained. “This will eliminate the need for email addresses or passwords on our platform. Once this change goes live, new commenters will not be able to register with a user/password – we will support only OAuth or anonymous accounts we are calling ‘burners’.”

Gawker earlier said it was going to introduce two-factor authentication logins for its employees, in response to the compromise of the site’s security last month.