Archive for April, 2011

Three Foxconn employees charged over leaking of iPad 2 design

Thursday, April 28th, 2011

In the dark days before the iPad 2 announcement the rumour-mill was in full swing, with mockups doing the rounds of the usual tech blogs with even more frequency than usual. These mockups were unusually accurate this time around, thanks to various leaks of case specifications coming out of China and Taiwan. We even had photos of cases for an unreleased iPad 2, all but confirming the size and dimensions of Apple’s next wonder-tablet. Apple wasn’t happy, and now three Foxconn employees have been charged over the saga.

Several online shopping retailers in China were able to sell iPad 2's protective case products before the iPad 2 was even launched, leading Foxconn to suspect that there might have been some employees leaking the design of iPad 2 which it reported to the local police.

Foxconn is the main supplier of Apple hardware, especially iPhones and iPads – a leak of a new product more than likely originates from within the Foxconn walls. According to DigiTimes, three Foxconn employees were arrested way back on Boxing Day, 2010, and they were officially charged with ‘violating Foxconn’s trade secrets’ on March 23rd.

Ubuntu 11.04 Released

Thursday, April 28th, 2011

For those of you watching Ubuntu’s website recently, you may have noticed that a new version of the popular and easy-to-use variant of Linux has surfaced – Natty Narwhal. It can be downloaded from the previously linked site free of charge. Among the various new features, the Unity interface is set as the default UI, and includes the launcher (an OS X-like dock), the dash (a popup menu with user-defined shortcuts), and workspaces (a virtual desktop manager). According to the Ubuntu website, the OS can boot in as little as 7 seconds (following POST).

Driving all of this eye candy is Gnome 2.32.1 (according to Ubuntu Vibes). If your current equipment is not capable of running Unity, the classic desktop experience will kick in so as to keep you moving along with minimal lag. For those of you wanting to experiment with Gnome 3, it cannot be installed via the Ubuntu repositories, and there have been reports of system instabilities post installation, though there is a workaround. If you’re ready to install, there are 3 options for download: one for a CD/USB stick type installation, another to create a second boot partition alongside Windows, and another for a standard standalone installation. The downloads are a one-size-fits-all affair: there is no longer a separate Ubuntu Netbook edition or Desktop edition, just a single download for all platforms.

Nikon’s image authentication algorithm cracked

Thursday, April 28th, 2011

Researchers have discovered a flaw in the system used by Nikon professional digital cameras to ensure images have not been tampered with.

Normally, in high-end SLR digital cameras a unique and encrypted signing key is appended to an image when it is taken, which is verified in Nikon’s case by its proprietary Image Authentication System. If an image is edited this key will be overwritten, an action that will be picked up by the software.

Russian company Elcomsoft, however, said that it has found a way to extract the original verification key so that it can be attached to any image regardless of whether it has been edited or not. The security hole is said to affect all Nikon digital cameras supporting the verification system, specifically the D3X, D3, D700, D300S, D300, D2Xs, D2X, D2Hs, and D200 SLRs.

Geohot denies involvement in PlayStation Network attack

Thursday, April 28th, 2011

One potential suspect behind Sony’s massive PlayStation Network security breach was 21-year-old George Hotz, AKA Geohot, who recently settled a lawsuit with the company over hacking into the PlayStation 3’s hardware. But in a blog post today, Hotz denies that he had anything to do with the PSN attack.

Assuming he’s telling the truth (“I’m not crazy, and would prefer to not have the FBI knocking on my door,” he said), that leaves plenty of other suspects for Sony to consider, like the patchwork group of hackers calling themselves “Anonymous,” who have been known to cause distributed denial of service (DDoS) attacks.

Hotz clearly doesn’t have much sympathy for Sony. He says in the blog post that Sony invited the attack by making enemies of hackers: “The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.”

Visa exec: data thieves still hungry, active despite tighter security

Thursday, April 28th, 2011

The data breach of Sony’s PlayStation Network notwithstanding, the frequency of major data breaches of companies that store massive amounts of consumer data has been on a downward trend over the past couple of years.

Security experts say that’s largely due to stronger enforcement of the Payment Card Industry Data Security Standard (PCI DSS), a worldwide standard for secure data handling practices governing all organizations that conduct credit and debit card transactions.

Big merchants, like TJX, and credit card processors, like Heartland Payment Systems, clearly have tightened down in the wake of major, costly breaches. PCI DSS demands, for instance, that companies scan their infrastructure and applications for vulnerabilities at least once per quarter.

Treacherous metadata in company documents

Thursday, April 28th, 2011

Office documents can contain metadata such as names, storage locations and version information about the software used to create them. An attacker can exploit this information for targeted attacks. The free tool Foca shows how talkative a company’s downloadable documents are.

In recent weeks, reports of hacking attacks on companies have been mounting up. HBGary, RSA, Epsilon and Barracuda Networks are among the companies from which hackers have stolen highly sensitive data. The attack on RSA was a highly focused attack which targeted individual employees. The hackers appear to have collected information on target personnel on the web; social networks such as Facebook and Xing offer ideal forums for doing so.

Often unintentionally, files available to download from a company can also be a rich source of interesting information: Office documents, presentations, images and other files contain metadata such as the author, date and software used which can provide useful tips for carrying out targeted technical or social engineering attacks.

Hackers cash in on Royal Wedding with spam and malware

Thursday, April 28th, 2011

In wearily predictable fashion, security vendors have been quick to warn about increasing volumes of Royal Wedding-related spam, scams and malicious software.

Symantec outlined in a blog post various spam campaigns hoping to cash in on the big day by advertising items including a replica of Princess Diana’s engagement ring, a ‘limited edition Buckingham Mint Royal Wedding Commemorative Coin’ and limited edition customisable mugs and t-shirts.

Blackhat SEO attackers have also predictably used the event to attract news-hungry surfers to malicious sites. Symantec said it has seen over 500 compromised sites used in this campaign over the past few days. “Attackers create multiple fake pages on each site and use unethical SEO techniques – such as keyword stuffing, cloaking, and link farming – to ‘game’ the search engine algorithms to achieve high search engine rankings,” the firm said.

FBI May Hunt Down and Destroy Botnets in Zombie PCs

Thursday, April 28th, 2011

The FBI has requested and received a preliminary injunction from a U.S. district judge to continue issuing “stop” commands to the zombie machines infected with the Coreflood botnet. It is an essential step that is part of the agency’s dramatic takedown of the botnet’s command-and-control system earlier this month, an agent said in written testimony.

In mid-April, the FBI seized five command-and-control servers and 29 domain names registered in the United States and then obtained a temporary restraining order to intercept signals — that is, issue stop commands — from any other C&C servers handling the botnet. It was the first time the agency took such steps against a botnet.

That was only meant to be a temporary measure to keep Coreflood from reconstituting itself elsewhere. Toward that end, the FBI proposed another radical move in its court plea: tracking down the individual owners of the zombie PCs that have been hijacked by Coreflood and uninstalling the malware, with their permission.

Yankees accidentally leak 20,000 season-ticket holders’ personal information

Thursday, April 28th, 2011

The New York Yankees have made a serious error.

According to an email sent by Yankees Chief Operations Officer Lonn Trost, an employee accidentally emailed a spreadsheet file that listed season-ticket holders’ personal information: account numbers, names, home addresses, phone numbers, seat numbers and email addresses. The document was sent to thousands of current Yankees clients.

Deadspin reports 21,466 season-ticket holders’ details were listed, representing the “non-premium” seats at Yankee Stadium, excluding only high-roller suites and the more expensive seats in the first few rows of the infield. So no celebrities have been compromised, just regular Yankees fans. “This is totally flooring me,” Robert Groder, a Yankees season-ticket holder since 1993, told The Star-Ledger. “This is totally getting me off guard. I’m shocked.”

Tomtom admits navigation data was used by police for speed traps

Thursday, April 28th, 2011

NAVIGATION DEVICE MAKER Tomtom has admitted that it has been inadvertently giving Dutch police data collected from its devices in order to set speed traps. Dutch newspaper Algemeen Dagblad revealed that the police were using the information to catch racing drivers, but Tomtom claims it never intended or foresaw this use.

The police gained access to the data after Tomtom gave it to the Dutch government, apparently oblivious that it might be used in ways that would anger customers. The company claims that it handed the data over to help make roads safer and less congested.

Tomtom’s CEO, Harold Goddijn, posted an apology to customers, saying that it won’t happen again. He said the company is looking at whether or not it should allow the police to use the data it collected, suggesting that a decision has not yet been finalised.