Apple has issued a fix for a “critical security issue” in OS X following the discovery of a vulnerability in the Network Time Protocol which affects the Yosemite, Mavericks and Mountain Lion operating systems.
The bug, revealed earlier this month, could allow hackers to execute arbitrary code on systems not updated with the fix, and trigger buffer overflows while using OS X Network Time Protocol daemon (NTPD) privileges.
The exploit, named CVE-2014-9295, was uncovered by Stephen Roettger of the Google Security Team earlier this month, but Apple didn’t issue a fix straight away because the firm likes to be sure that the flaw is authentic.
“For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” said Apple on its support page.
The update is available now for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1.
Users can find the update via Software Update. It will have already downloaded if the ‘Install system data files and security updates’ option is checked in the App Store menu of System Preferences.
Those who want to verify their NTPD version can do so by opening Terminal and typing what /usr/sbin/ntpd. If the the update is already installed, users should see the following versions:
Mountain Lion: ntp-77.1.1
Apple hasn’t had the best luck with security in recent months, which is unusual as the firm is renowned for its tough defenses against the vulnerabilities that affect operating systems like Windows.
The company beefed up its iCloud security in October, adding per-application passwords for third-party apps that don’t support two-factor authentication following the high-profile celebrity iCloud hack in September.
The most recent addition is app-specific passwords to guard against exposure of a user’s iCloud details.
Apple’s security was once again made a laughing stock as a team of researchers demonstrated how it is possible to sneak apps past Apple’s test regime. A group of researchers presenting at Usenix were able to spreading malicious chunks of code through an apparently-innocuous app for activation later.
According to their paper the Georgia Tech team wanted to create code that could be rearranged after it had passed AppStore’s tests. The code would look innocuous running in the test environment, be approved and signed, and would later be turned into a malicious app.
They created an app that operated as a Georgia Tech “news” feed but had malicious code was distributed throughout the app as “code gadgets” that were idle until the app received the instruction to rearrange them. After the app passes the App Review and lands on the end user device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together.
The instructions for reassembly of the app arrive through a phone-home after the app is installed.
The app will run inside the iOS sandbox, but can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.
Anonymous has restarted its attack against North Korea and once again is using a North Korean Twitter account to announce website scalps.
The Twitter account @uriminzok was the scene of announcements about the hacked websites during the last stage of Op North Korea, and reports have tipped up there again.
The first wave of attacks saw a stream of websites defaced or altered with messages or images that were very much not in favour of the latest North Korean hereditary leader, Kim Jong-un.
They were supported by a Pastebin message signed by Anonymous that called for some calming of relations between North Korea and the US, and warned of cyber attacks in retaliation.
“Citizens of North Korea, South Korea, USA, and the world. Don’t allow your governments to separate you. We are all one. We are the people. Our enemies are the dictators and regimes, our goals are freedom and peace and democracy,” read the statement. “United as one, divided by zero, we can never be defeated!”
Before the attacks restarted, the last Twitter message promised that more was to come. It said, “OpNorthKorea is still to come. Another round of attack on N.Korea will begin soon.” Anonymous began delivering on that threat in the early hours this morning.
More of North Korean websites are in our hand. They will be brought down.
— uriminzokkiri (@uriminzok) April 15, 2013
We’ve counted nine websites downed, defacements and hacks, and judging by the stream of confirmations they happened over a two hour period. No new statement has been released other than the above.
— uriminzokkiri (@uriminzok) April 15, 2013
Downed websites include the glorious uriminzokkiri.com, a North Korean news destination. However, when we tried it we had intermittent access.
Last time around the Anonymous hackers had taken control of North Korea’s Flickr account. This week we found the message, “This member is no longer active on Flickr.”
A cyberattack campaign, dubbed #OpIsrael by hacking group Anonymous failed to bring down the Israeli government websites over the weekend.
Yitzhak Ben Yisrael, of the government’s National Cyber Bureau said that while the attack did take place, it did hardly any damage. Ben Yisrael said that Anonymous lacked the skills to damage the country’s vital infrastructure. And if that was its intention, then it wouldn’t have announced the attack before hand.
“It wants to create noise in the media about issues that are close to its heart,” he said, as quoted by the Associated Press news agency.
Posters using the name of the hacking group Anonymous had warned they would launch a massive attack on Israeli sites in a strike they called #OpIsrael starting April 7. Last week, a leading hacker going by the handle of “Anon Ghost” said that “the hacking teams have decided to unite against Israel as one entity…Israel should be getting prepared to be erased from the Internet,” according to Israeli media reports.
Israel’s Bureau of Statistics was down on Sunday morning but it was unclear if it was hacked. Defense and Education Ministry as well as banks had come under attack the night before but the security shrugged it off.
Anonymous did have a crakc at the stock market website and the Finance Ministry website but no one there noticed.
Where Anonymous was successful was when it targeted small business. Some homepage messages were replaced with anti-Israel slogans, media said. Israeli hackers hit sites of radical Islamist groups and splashed them with pro-Israel messages.
Anonymous apparently has declared war on Finland after the country began blocking access to the filesharing web site Pirate Bay.
Yesterday we reported that the large Finnish ISP Elisa, had begun blocking the web site at the order of Finland’s High Court. This news was not taken well by Anonymous, which responded by hacking its ‘enemy’.
“TANGO DOWN http://www.antipiracy.fi Copyright Information & Anti-Piracy Centre In Finland | And We’ll keep it down as long as We want \o/,” wrote the Anon_Finland account on Twitter.
The cause caught the attention of the wider Anonymous hacktivist collective, and the Anonymous Finns got its support.
“Finland is apparently just begging for some sweet, sweet Anonymous action. We shall oblige them. #Elisagate ^_^” wrote Youanonnews.
Anonymous Sabu, one of the more vocal members of the group also took an interest. “Ladies and gents: today we will focus on Finland. and every country like it who has begun a campaign of censorship. First steps to Cyberwar,” he tweeted, adding, “To the Finnish government: Stop censorship or deal with the consequences.”
Elisa is appealing the decision and is calling its block a temporary one. It also said that it installed the block to avoid a fine. It added that it did not make the decision, but the High Court.
Anonymous has said it will respond if the controversial Stop Online Piracy Act (SOPA) is passed into law in the US.
The group has posted a statement in which it reiterated its attitude towards SOPA and its plans to create an internet police state.
“The goal of the so-called ‘Stop Online Piracy Act’ SOPA is to empower litigious U.S. corporations to police the internet, with the ability to act as judge, jury and executioner,” it says.
“SOPA tramples civil rights laws, fair use, freedom of press and freedom of speech. Under SOPA an average person could be arrested, fined, sued and spend time in a federal prison for so little as uploading a video to YouTube or even linking to one. This law further proves the reality of corporate rule and totalitarianism.”
The vote on SOPA has been delayed due to opposition, according to the post, and is not likely to happen until next year. However, the hacktivists suggest that it will be delayed only as long as it takes for the media to lose interest.
“In a democracy this should be enough to defeat the bill, however, in the U.S. it only means that the vote will get delayed until the media loses interest and the backing corporate lobbyists have enough time to ‘influence’ [read: bribe] the vote to their favour,” they warn.
“However, it has been clandestinely moved forward in an attempt to fast track the law under the radar of a culture drunk on materialistic obsession – as such The House Judiciary Committee is reconvening on the 21st of December. In short, we were lied to.”
The hacktivist group said that it would react to this, and react strongly. “Our reaction will not be little,” it warns.
Anonymous wants to spread awareness and increase opposition to SOPA while it is still up for debate, and called on fellow Anons are asked to carry out points of action, the first being to hack into and replace the front page of “every website we can” with a protest page.
“Encourage friends, businesses, organizations, social media to take a stand along side us in the same way,” it says. “Use/distribute the OpBlackOut material we’ve provided for this purpose, or make your own (but please try to be concise and indict SOPA specifically so the message is clear, unanimous and omnipresent). Get this image and message everywhere online. Plant the seeds of dissent where ever they can grow.”
As well as acting online, Anonymous said that supporters should physically protest through stickering and tagging billboards, signs and advertising.
“Get people talking. Put the truth not only where it can be seen, but where it cannot be avoided,” it adds. “This is something everyone can do. We are legion, this is our voice, people are listening, we will be heard.”
Sony’s corporate credit rating has been downgraded by finance company Standard and Poor’s, with the group citing the lack of a likely recovery for the company’s core business in the near future.
The company is now rated A- for long term borrowing and A-2 for short term loans.
“The CreditWatch listing is based on our view that the likelihood of Sony’s weak earnings persisting has increased as there are no signs of a halt to the deterioration in the earnings of the company’s core flat panel TV business,” read a statement from the company.
“In addition, Sony’s financial burden is likely to increase in tandem with the company’s making Sony Ericsson a wholly owned subsidiary. Taking these factors into consideration, we have concluded that we need to review the prospects for Sony’s operating and financial performance and verify the effects on the rating.”
The area of Sony’s business which includes both flat-panel TVs and the PlayStation business registered a loss of $449 million during a recent financial report marking a third consecutive year in the red for the company as a whole. That period of losses is expected to continue next year.
“Standard & Poor’s will resolve the CreditWatch listing after meeting with Sony management and verifying the prospects for an earnings recovery in the company’s mainstay electronics business and improvement in its financial soundness for the next few years,” continued the company’s statement.
For an in-depth view on the current financial and business position which Sony occupies, read our Sony Stock Ticker piece from GamesIndustry.biz contributor Rob Fahey, published yesterday.
Dubbed “Operation Fox Hunt”, Anonymous announced the plans on YouTube to attack the Fox News website on the anniversary of Guy Fawkes Day. Anonymous is also planning to target former Fox News personality Glenn Beck as well as current Fox News representative Sean Hannity and Bill O’Reilly during “Operation Fox Hunt”.
Anonymous said that it has had a gutsful of “right wing conservative propaganda” and “belittling the occupiers” of the Occupy Wall Street demonstrations. Anonymous recently a distributed denial-of-service attack against the Oakland police department’s website after a 24-year-old wounded Marine home from serving two tours in Iraq was critically injured in the Occupy Oakland protest. Police allegedly threw an object that fractured the marine’s skull landing him in the hospital.
Inspiration for Anonymous members, Guy Fawkes is most commonly known as the only person to enter Parliament with an honest intention. He wanted to blow up the House of Lords on November 5 in the year 1605 as part of a Catholic uprising.
Anonymous is launching a second round of protests against online payment service Paypal, which could see thousands of people closing their Paypal accounts.
Anonymous member and spokesperson Sabu told some 25,000 supporters on his Twitter page, “If you haven’t already – close out your paypal accounts. Transfer your money to a credit union. Small steps we need to take for big picture.”
Another tweet that is making the rounds on Twitter is, “Today is #OpPayPal round two. Close out your paypal accounts. Inform your family//peers. Email companies that rely on PP to use alts. RT!”
For those who want to continue making online payments without using Paypal, Sabu suggested using an “anonymous prepaid visa card”, which can bought from many local shops.
However, users might encounter problems with online payments, as many online retailers use Paypal for everything, even normal credit card purchases. This means that those who do buy a prepaid credit card could be forced to use it through Paypal anyway.
In response to this concern Sabu said, “Might have to start emailing companies to use alternative payment systems. If enough people communicate this point: win.”
There are no recent tweets about Paypal on the Anonymous Twitter page, but it’s likely only a matter of time before the news starts appearing on multiple accounts associated with the group.
This latest round of Paypal protests appears to be in response to Paypal’s decision to freeze donations to the independent social networking project Diaspora. Paypal refused Diaspora’s appeal and has failed to provide an explanation of what it alleges Diaspora did wrong. It can hold Diaspora’s money, which is around $45,000, for up to six months. Diaspora is now using Stripe in place of Paypal.
Anonymous has said that it is joining in the anti-Wall Street Protests in New York.
Despite low press coverage the Occupy Wall Street protests gaining traction around the US and now the hacking collective known as Anonymous issued a statement about a planned attack for the financial district. It said that it would specifically target the New York Stock Exchange on October 10 and claims to “erase” the NYSE from the Internet on that day.
Operation Invade Wall Street is likely to be a Distributed Denial of Service (DDoS) attack on the New York Stock Exchange website. The message was included in a video uploaded to YouTube that’s designed to recruit more hackers to the Operation Invade Wall Street cause.
A one-day DDoS attack would be a nuisance for the officials of the NYSE, it’s unlikely to cause any significant damage. However, there are fears that Anonymous will attack to disrupt the exchange and attempt to harm trading on October 10.
So far Anonymous targets the New York City police department which has been doing its best to kill off any good will it might have gained during September 11, by battering harmless protesters and innocent bystanders. Anonymous has released personal information in regards to the officer using the pepper spray such including his phone number, home address and names of relatives.
The group has joined an existing campaign that is being promoted by Adbusters and Culture Jammers under the S17 banner, and has asked its followers to attend with tents and portable kitchens so that it can set up a barricade.
The date for the occupation is 17 September, and on its poster Anonymous said that it had one simple demand, which is “Bring Tent”. We expect it will have others to make of Wall Street itself however.
Adbusters was pleased by the groups joining and welcomed it on its own web site. The flood of attention could also help it carry out other ‘occupations’ in other major cities.
“Simultaneous occupations of financial districts are now being planned in New York City, Madrid, Milan, London, Paris and San Francisco. With a bit of luck, this list of participating cities will grow,” it wrote.
“If we can pull together just the right mix of nonviolence, tenacity and strategic smarts, S17 could be the beginning of the global revolution we’ve all been dreaming about for so long … wouldn’t that be lovely.”
Anonymous announced its support earlier this week with a video, but has increased the campaign with a poster as the event draws closer.
Over the weekend, researchers at Defcon highlighted how easy it is for would-be ‘hackers’ to get employees of large companies to divulge information that could be used in attacks. The technique, known as social engineering, essentially results in sensitive information being acquired through subterfuge rather than stolen.
Reuters reports that in one case, a contestant taking part in a Defcon competition pretended to work for a company’s IT department and got an employee to hand over information on what PC she was using. Chris Hadnagy, one of the Defcon organisers told Reuters, “A lot of this could facilitate serious attacks if used by the right people.”
Hadnagy said that Oracle’s employees handed over more data than those of any other company targeted in the competition. Other targets included Apple, AT&T, Symantec, United Airlines and Verizon.
Social engineering is a well known tactic of acquiring information from people. The application of social engineering in computer hacking became widely known following the 2002 publication of The Art of Deception by legendary hacker Kevin Mitnick following his release from prison.
What the security researchers have highlighted is that firms need to spend a great deal more time and money on training front line staff to be aware of such tactics. Although information given out through social engineering might on its own seem inconsequential, in some cases it can provide the ‘in’ that hackers are looking for.
The accused ‘Topiary’, whose name is Jake Davis, was charged on Sunday and bailed by the courts yesterday. He was charged with five offences: Unauthorised access to a computer system, Encouraging or assisting offences, Conspiracy with others to carry out a Distributed Denial of Service Attack on the website of the Serious and Organised Crime Agency, Conspiracy to commit offences of Section 3 Computer Misuse Act 1990, and Conspiracy with others to commit offences of Section 3 Computer Misuse Act 1990 contrary to Section 1 of the Criminal Law Act 1977.
According to a report at the Guardian, his bail conditions are that Davis must wear an electronic tag, not access the internet, and not leave his house between 10pm and 7am.
Davis, who appeared outside court wearing sunglasses and holding a copy of “Free Radicals: The Secret Anarchy of Science” by Micheal Brooks and who allegedly authored the Rupert Murdoch is dead story that appeared on the hacked web site of the Sun newspaper, has already gained support on the internet in general and especially on Twitter.
“After a life full of efforts and diligence, courage and patience, incitement and cyber victory, generosity and charity, expatriation and travels, advice and good planning, wisdom and sophistication, the life of the Garden Hedge came to an end during this specific era. His blood, words, attitudes, and his ending are to remain a longcat running within the junctions of Anonymous generation after generation,” reads a message posted to Pastebin and described as being to and about the teenage hacker.
“His message was this poetic verse: ‘You cannot arrest an idea.’ Topiary – may you fly always over the horizon.”
A list of 27 user names and encrypted passwords allegedly for an Apple website was posted to the Internet over this past weekend along with a warning from hacker group Anonymous that the Cupertino-based computer maker could be a target of its attacks.
The list was posted to the Pastebin website, a hosting site for text files, by an unknown user under the title “Not Yet Serious.” It wasn’t immediately clear if the user is a member of the Anonymous hacking group, but the existence of the file became widely known after Anonymous linked to it in a Twitter message.
“Not being so serious, but well,” the message read before linking to the PasteBin page. “Apple could be target, too. But don’t worry, we are busy elsewhere,” the message said.
The data appears to be a set of user names and encrypted passwords from an SQL database for an online survey at the Apple Business Intelligence website. The site is currently offline.
Apple did not immediately respond to a request for comment.
In an apparently unrelated posting, a Lebanese grey-hat hacker called idahc_hacker said he had found vulnerabilities on another Apple website. The SQL injection and iFrame code attacks can be used by hackers to gain unauthorized access to data.
Grey hat hackers do not normally hack for malicious purposes and the Lebanese hacker did not post and data obtained from the site.
In pointing out the hacks, he said he was not part of Anonymous or LulzSec, an allied group that disbanded recently.
Nintendo is the latest company to be targeted by cyber crooks in a hacking attack. In April, cyber criminals breached Sony Corp’s servers and exposed the personal information of more than 100 million of its customers. No group has taken responsibility for that attack.
Nintendo’s break-in did not affect consumers’ information, the company said.
“The server contained no consumer information. The protection of our customer information is our utmost priority,” Nintendo of America, the company’s U.S. unit, said in an e-mailed statement.
“We constantly monitor our security,” Nintendo said.
On Sunday, the hacker group Lulzsec said it had attacked Nintendo in a statement posted on its Twitter feed. Lulzsec is the same group that broke into the servers that run Sony Pictures Entertainment websites last week, and claimed attacks on U.S. PBS television and Fox.com.
Lulzsec tweeted it had taken one file but “we didn’t mean any harm. Nintendo had already fixed it anyway.”
Nintendo is expected to debut its new gaming console and successor to its hit product, the Wii, on Tuesday. It will be the first home console to enter the market in five years.