Hacking and Anonymous surfing

Facebook users can now have a more secure log-in to their accounts as Facebook tightened the log-in verification process, Via Facebook Blog.

By activating the new feature in the security section of the account settings page, the user will have a new security feature integrated into their login procedure called Log-in Approvals. The two-step process involves entering a username and password along with a numeric verification code sent to the user’s mobile phone.

Facebook sends the code as a SMS message when a log in attempt is made from a device that hasn’t been saved as an ‘approved one.’ Failure to enter the correct code results in the user being locked out, preventing hackers from gaining access to the account.

Verizon Wireless may be following rival AT&T in making it difficult for users who do not subscribe to an official tethering plan, valued at $20 per month for 2 GB of data, to unofficially connect their WiFi-enabled laptop to share their Android smartphone’s mobile broadband connection.

One user noted that his data connection was blocked after he had upgraded to the most recent built of Android–presumably Android 2.3 Gingerbread–on his Droid X and proceeded to install an unofficial tethering app that attempts to bypass Verizon’s tethering plan. That user says that soon after, all webpages that he attempted to connect o redirected him to a page asking him to subscribe to the official $20 per month tethering plan. However, a quick reboot resolved his data connection as usual, but he’ll be re-directed to the upsale landing page again should he try and unofficially repeat his tethering experience.

Carriers have restricted tethering in the past, and unofficial use of tethering without the appropriate mobile broadband data plan is in violation of your terms of service with the carrier. AT&T had begun to block tethering recently as the carrier had recently introduced its own tethering data plan.

RSA hackers might have been behind the recent information security incident at defense contractor Lockheed Martin, according to security experts.

Lockheed Martin said on May 27 that it detected a “significant and tenacious attack on its information systems network.” The firm stressed that “our systems remain secure; no customer, program or employee personal data has been compromised.” It added that “appropriate” US federal agencies had been notified of the incident. Lockheed Martin and other defense firms use RSA SecureID tokens to enable employees to gain access to corporate networks from outside the office.

In March RSA admitted that an “advanced persistent threat” attack had extracted information related to its Secure ID two-factor authentication products. “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”, Art Coviello, RSA executive chairman, said in an open letter to RSA customers.

A number of security experts think that RSA’s confidence was misplaced. Researchers at NSS Labs said that “there have been malware and phishing campaigns in the wild seeking specific data linking RSA tokens to the end-user, leading us to believe that this attack was carried out by the original RSA attackers.”

Unlike hactivists LulzSec‘s recent posting of a false news story on the PBS Newshour website, any hardware hacker could build a “hidden” Newstweek device to distort news on wireless networks. Plus there is a web interface to configure the man-in-the-middle (MITM) attack, making it easy to modify keywords or sentences, and thereby create fake news reports for people reading the news at Wi-Fi hotspots.

Yes there are many ways to intercept Internet traffic or pull off a MITM attack, but that does not mean “average” users knows how to do so. The Firefox browser addon Firesheep is one of the easiest “canned” tools for the clueless, so an attacker can sniff and capture a user’s unencrypted cookie information, HTTP session jacking, allowing anyone to become an Internet griefer. For a little bit different take on how to mess with people’s minds, there is Newstweek to manipulate the news people are reading at wireless hotspots. For those who like to tinker with hardware, break out the soldering iron because building a Newstweek device just got easier with a detailed how-to post – starting with hardware, software, firmware, installing, and remote controlling the Newstweek device.

Part of the amusing disclaimer states, “Installing network modifying devices on a LAN you don’t own, without permission, is probably illegal in most countries, unless you work for government.”

An executive at defense giant L-3 Communications warned employees this spring that hackers were targeting the company using inside information on the SecurID keyfob system freshly stolen from an acknowledged breach at RSA Security.

“L-3 Communications has been actively targeted with penetration attacks leveraging the compromised information,” read an April 6 e-mail from an executive at L-3’s Stratus Group to the group’s 5,000 workers, one of whom shared the contents with Wired.com on condition of anonymity.

It’s not clear from the e-mail whether the hackers were successful in their attack, or how L-3 determined SecurID was involved. L-3 spokeswomen Jennifer Barton declined comment at the time, except to say: “Protecting our network is a top priority and we have a robust set of protocols in place to ensure sensitive information is safeguarded. We have gotten to the bottom of the issue.” Barton declined further comment Tuesday. Based in New York, L-3 Communications ranks eighth on Washington Technology’s 2011 list of the largest federal government contractors. Among other things the company provides command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) technology to the Pentagon and intelligence agencies.

Just days after hacking the PBS servers, the hacker group that calls itself LulzSec says its is turning its attentions to Sony.

The group, which also claims responsibility for an attack on Sony’s BMG Website in Japan over a week ago, said via Twitter that it was “working on another Sony operation” – adding “this is the beginning of the end for Sony.” LulzSec caught the public eye with its attack on PBS, going so far as to insert a false news story on the NewsHour website that rapper Tupac Shakur was still alive and living in New Zealand.

The group says it has never hacked Sony’s gaming servers, choosing instead to focus on the company’s music services. Sony has been the target of several hacks since the theft of personal information from over 100 million PlayStation Network and Sony Online Entertainment user accounts in April. Earlier this month CNET reported a group of hackers was planning another wave of attacks against the company.