Even more embarrassing than a student discovering your GPS tracking device on his car, as the FBI found out last year, is having to ask him to give the expensive piece of equipment back.

So security researcher Brendan O’Connor is trying a different approach to spy hardware: building a sensor-equipped surveillance-capable computer that’s so cheap it can be sacrificed after one use, with off-the-shelf parts that anyone can buy and assemble for less than fifty dollars.

At the Shmoocon security conference Friday in Washington D.C., O’Connor plans to present the F-BOMB, or Falling or Ballistically-launched Object that Makes Backdoors. Built from just the hardware in a commercially-available PogoPlug mini-computer, a few tiny antennae, eight gigabytes of flash memory and some 3D-printed plastic casing, the F-BOMB serves as 3.5 by 4 by 1 inch spy computer. And O’Connor has designed the cheap gadgets to dropped from a drone, plugged inconspicuously into a wall socket, thrown over a barrier, or otherwise put into irretrievable positions to quietly collect data and send it back to the owner over any available Wifi network. With PogoPlugs currently on sale at Amazon for $25, O’Connor built his prototypes with gear that added up to just $46 each.

“If some target is surrounded by bad men with guns, you don’t want to have to retrieve this, but you also don’t want to have to pay four or five hundred dollars for every use,” says O’Connor. “The idea is that it’s as close to free as possible. So you can throw a bunch of these sensors at a target and get away with losing a couple nodes in the process.”


read more

Carrier IQ has recently found itself swimming in controversy. The analytics company and its eponymous software have come under fire from security researchers, privacy advocates and legal critics not only for the data it gathers, but also for its lack of transparency regarding the use of said information. Carrier IQ claims its software is installed on over 140 million devices with partners including Sprint, HTC and allegedly, Apple and Samsung. Nokia, RIM and Verizon Wireless have been alleged as partners, too, although each company denies such claims. Ostensibly, the software’s meant to improve the customer experience, though in nearly every case, Carrier IQ users are unaware of the software’s existence, as it runs hidden in the background and doesn’t require authorized consent to function. From a permissions standpoint — with respect to Android — the software is capable of logging user keystrokes, recording telephone calls, storing text messages, tracking location and more. It is often difficult or impossible to disable.

How Carrier IQ uses your behaviour data remains unclear, and its lack of transparency brings us to where we are today. Like you, we want to know more. We’ll certainly continue to pursue this story, but until further developments are uncovered, here’s what you need to know.


read more

A new paper to be published in the upcoming issue of Marketing Science shows that removing DRM from music leads to a decrease in piracy. Or phrased differently, DRM appears to be an incentive for people to pirate music instead of buying it. The researchers from Rice and Duke University used analytical modelling to come to this seemingly common sense conclusion. DRM only hurts legitimate customers. The phrase above has been written a few dozen times, and it’s now supported by an academic report. Researchers from Rice and Duke University looked into the effect of digital restrictions on music piracy. In their paper “Music Downloads and the Flip Side of Digital Rights Management Protection” they conclude that DRM doesn’t prevent piracy at all. Quite the opposite.


read more

This is the full list of Android Malware in a very dangerous year, since August, the 9th 2011 up-to-today. One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS because before then, Android Malware was a little bit more than an exercise of Style, essentially focused on Spyware. After that, everything changed and mobile malware targeting the Android OS become more and more sophisticated.

This compilation shows the long malware trail which characterized the hard days for information security. Looking at the graph, the climax was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile mentioning because of its capability to root the phone and potentially install applications remotely without direct user intervention.


read more

Some hackers use software and hardware to express themselves creatively—either solving entirely novel technical challenges or finding new ways to skin the same old cats. Others are motivated by money, power, politics, or pure mischief. They steal identities, deface Web sites, and break into supposedly secure and certainly sensitive databases.

IEEE Spectrum has written dozens of stories about both—the Steampunkers and Arduino do-it-yourselfers, on the one hand, the Anonymous and Lulzsec ne’er-do-wells on the other. Inspired by New York Magazine’s Approval Matrix, they took 25 of the biggest and best stories and assessed them along two dimensions: innovation and impact.


read more

The Autistic Hacker

A few months after the World Trade Center attacks, a strange message appeared on a U.S. Army computer: “Your security system is crap,” it read. “I am Solo. I will continue to disrupt at the highest levels.”

Solo scanned thousands of U.S. government machines and discovered glaring security flaws in many of them. Between February 2001 and March 2002, Solo broke into almost a hundred PCs within the Army, Navy, Air Force, NASA, and the Department of Defense. He surfed around for months, copying files and passwords. At one point he brought down the U.S. Army’s entire Washington, D.C., network, taking about 2000 computers out of service for three days. U.S. attorney Paul McNulty called his campaign “the biggest military computer hack of all time.”


read more

Visidon’s Applock will prevent the privacy-adverse from messing with your personally curated app collection. Snap a pick with your front-facing cam, enable the face-lock in your settings, and those confidential emails are as good as blocked. It’s far from foolproof, however, as some comments indicate an extended bit of facial-wriggling tricks the app into unlock mode. But it is a great start.


read more

Followed by a numerous news count of hacker break-ins (link 1, link 2 and link 3), it looks as though hackers are inflaming a cyber war against major corporations and institutions. This time the International Monetary Fund, United States Senate and Central Intelligence Agency servers got hacked. Full coverage of these stories inside.


read more

Google has removed 26 malware infected apps from the Android Market that are believed to have compromised the personal data of thousands of users. Security firm Lookout said that the apps were likely created by the same developers who were responsible for a previous attack of Android malware called ‘Droiddream’ back in March. This affected 21 apps that were also suspended from the Android Market.

Given the moniker Droiddream Light, the malware had code associated with previous Droiddream samples and is believed to have affected between 30,000 and 120,000 users. Magic Photo Studio, Mango Studio, ET Team, BeeGoo, Droidplus and Glumobi were the six developers named as publishing malicious apps with names like Sexy Legs, Volume Manager, Quick SMS Backup and Tetris. None of the apps actually needed you to launch them on your device for the malicious bits to work, instead relying on an incoming voice call.


read more

Poor Sony — not again. Lulz Security has broken into SonyPictures.com, where it claims to have stolen the personal information of over 1,000,000 users — all stored (disgracefully) in plain text format. Lulz claims the heist was performed with a simple SQL injection — just like we saw the last time around. A portion of the group’s exploit is posted online in a RAR file, which contains over 50,000 email / password combos of unfortunate users. In addition to user information, the group has blurted out over 20,000 Sony music coupons, and the admin database (including email addresses and passwords) for BMG Belgium employees. Fresh off the heels of the PlayStation Network restoration, the fine folks in Sony’s IT department are now surviving solely on adrenaline shots.

Update 1: On the topic of clear-text passwords, Neflix, Foursquare, LinkedIn and Square are also spotted to expose your data. Therefore as a developer, please be careful developing apps with sensitive information; and as a user be even more careful sharing your sensitive information over the internet.

Update 2: 3rd of June 2011, Codemasters (UK game developer that brought us Dirt, GRID, Operation Flashpoint, etc) website got also hacked. The say tens of thousands accounts have been compromised exposing the names, addresses (both physical and email), birthdays, phone numbers, Xbox gamer tags, biographies, and passwords of its registered users. Payment information wasn’t compromised, but when you consider that almost everything else was, that feels like hollow consolation.


read more

It didn’t manage to do it during the most recent Pwn2Own challenge, but VUPEN Security is now claiming that it has finally managed to hack Google’s Chrome browser and crack its so-called “sandbox.” According to the firm, the exploit relies on some newly discovered zero day vulnerabilities, works on all Windows operating systems (and only Windows, apparently), and could give malicious websites the ability to download code from a remote source and execute it on a user’s computer — the video below shows an example, in which the Windows Calculator application is downloaded and run automatically. For its part, Google says it has been unable to confirm the hack since VUPEN hasn’t shared any details with it — something the firm apparently doesn’t plan to do, as it says it only shares its vulnerability research with its “government customers for defensive and offensive security.”


read more

We knew that well-trained bees were capable of sniffing out dynamite and other explosives, but researchers at MIT have now come up with a slightly less militant way to use our winged friends as bomb detectors. A team of chemical engineers at the school recently developed a new, ultra-sensitive sensor that’s sharp enough to detect even one molecule of TNT. Their special ingredient? Bee venom. Turns out, a bee’s poison contains protein fragments called bombolitins, that react to explosive compounds. To create the detector, researchers applied these bombolitins to naturally fluorescent carbon nanotubes. Whenever an explosive molecule binds with the protein fragments, the interaction will alter the wavelength of the carbon cylinder’s fluorescent light. The shift is too small for the naked eye to pick up on, but can be detected using specially designed microscopes. If it’s ever developed for commercial use, the sensor could provide a more acute alternative to the spectrometry-based detectors used at most airport security checkpoints. At the moment, however, the technology isn’t quite ready to be deployed on a widespread basis, so feel free to keep on living in fear.


read more

The outage of Sony Corp.’s PlayStation Network ran into its sixth day Monday as the company said it has no timeframe for restoring the Internet-based system that links users in live game play worldwide.

In a blog post Monday, Sony spokesman Patrick Seybold said he couldn’t predict when rebuilding work would be completed, but that it’s a “time intensive process.” The company said on Thursday that it would take a “full day or two” to restore service after it first shut down the system that serves both PlayStations and its Qriocity entertainment services the previous day. It subsequently blamed the outage on an “external intrusion” and said it would have to rebuild its system to add security measures and strengthen its infrastructure.


read more

In technology that is lifted straight from Robocop, Brazilian cops will be outfitted with glasses that can scan faces in a crowd and automatically pick out criminals.

Facial profiling! The camera analyzes 46,000 biometric points on up to 400 faces per second – data that then gets compared with a database of up to 13 million people. If a mug happens to match a wanted person or known troublemaker, a red light will appear on a small screen connected to the glasses. And, in a twist particularly befitting Robocop, the glasses can be calibrated to zoom in from 12 miles away, though they’ll typically be used to manage crowds at a much more personal 50 meters (164 feet).


read more

The names and e-mails of customers of Citigroup Inc and other large U.S. companies, as well as college students, were exposed in a massive and growing data breach after a computer hacker penetrated online marketer Epsilon.
A diverse swath of companies that did business with Epsilon stepped forward over the weekend to warn customers some of their electronic information could have been exposed.

Drugstore Walgreen, Video recorder TiVo Inc, credit card lender Capital One Financial Corp and teleshopping company HSN Inc all added their names to a list of targets that also includes some of the nation’s largest banks. The names and electronic contacts of some students affiliated with the U.S.-based College Board — which represents some 5,900 colleges, universities and schools — were also potentially compromised in what could be one of the biggest breaches in U.S. history.

No personal financial information such as credit cards or social security numbers appeared to be exposed, according to the company statements and e-mails to customers. Epsilon, an online marketing unit of Alliance Data Systems Corp, said on Friday that a person outside the company hacked into some of its clients’ customer files. The vendor sends more than 40 billion e-mail ads and offers annually, usually to people who register for a company’s website or who give their e-mail addresses while shopping.


read more