Hackers are exploiting a known — and patched — vulnerability in coding language Ruby on Rails, according to security researcher Jeff Jarmoc.

Ruby on Rails announced the security issue in versions 3.0.20 and 2.3.16 this past January. It released a patch for these issues, which were deemed “critical,” at the same time. But it seems that businesses did not all implement this fix, as the vulnerability is now being successfully exploited in the wild.

It turns servers running Ruby on Rails into botnets.

Using the vulnerability, hackers can direct servers to connect with Internet Relay Chat channels. Hackers within those IRC groups can download malicious code to the servers and push them on toward other IRC channels. This isn’t the most sophisticated way of controlling a botnet, Jarmoc notes. You do not need to authenticate to the IRC channel, and once there, you can control the bot by “issuing the appropriate commands.”

Jarmoc does explain that because the expertise level to run this kind of botnet is low, “functionality is limited.”

As Ars Technica notes, Ruby on Rails versions 3.2.11, 3.1.10, 3.0.19, 2.3.15, and later are all safe. Developers and admins should use these versions and patch any servers running the infected ones.

Jarmoc concluded, “This is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months.”

Ruby on Rails coffee image via yukop/Flickr

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

The iOS 6.1 lockscreen hack from earlier this month isn’t the only security vulnerability in Apple’s latest mobile OS.

Benjamin Kunz Mejri, the chief executive of the security firm Vulnerability Lab, detailed yet another iOS 6.1 hack last week in the Full Disclosure mailing list. The hack enables attackers bypass your iPhone’s lockscreen password, giving them access to your phone’s contacts, photos, voicemails, and more.

Judging from Mejri’s description, the new hack seems related to the earlier iOS 6.1 lockscreen exploit. Both involve using the iPhone’s emergency call function, cancelling it immediately, and then trying to make a screenshot. But the newer attack takes advantage of a slightly different method to make the iPhone vulnerable (basically, pressing the power, home, and emergency call buttons all at once).

Apple acknowledged the previous iOS 6.1 security flaw and quickly issued a fix to developers with the second iOS 6.1.3 beta. That update hasn’t yet trickled down to iPhone owners, and it’s unclear if it also fixes Mejri’s exploit.

Here’s how Mejri describes the exploit in his e-mail to Full Disclosure:

The vulnerability is located in the main login module of the mobile iOS device (iphone or ipad) when processing to use the screenshot function in combination with the emegerncy call and power (standby) button. The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs.

The vulnerability can be exploited by local attackers with physical device access without privileged iOS account or required user interaction. Successful exploitation of the vulnerability results in unauthorized device access and information disclosure.

Check out a video of the exploit below:

via Wired, ThreatPost; Photo: Devindra Hardawar/VentureBeat

Adobe has issued an emergency fix to its Flash software, yet another incident where Flash shows vulnerabilities to hacks and exploits.

Flash is one of the most notorious pieces of software for exploits, along with Java. Steve Jobs famously blasted Flash and blocked it from working on the iPhone and iPad over several issues including security concerns.

The latest Flash exploit targets people who use Flash in the Safari browser on Mac and the Mozilla Firefox browser on Macs and PCs. Adobe also warns that there are attacks happening in email as well — users are tricked into opening a Microsoft Word document attached to an email, but it actually hacks the computer using “malicious Flash content.”

Adobe recommends that all users of Flash immediately update to the latest version of the software to protect from these latest exploits. We think it’s a good idea too.

The latest fixes designed to block the exploits are specifically for Windows and Mac OS X. That said, Adobe also has issued new versions of Flash for Linux and Android as well.

Flash mob photo via JD Hancock/Flickr

Facebook recently fixed a bug that would have let criminals turn on a person’s webcam and record them without their knowledge, according to Bloomberg. The  Indian research firm XY Security found this vulnerability.

The hole that affected both Windows and Mac machines was reported to Facebook in July and shut down soon thereafter. Facebook spokesperson Fred Wolens confirmed to Bloomberg that the bug had not affected anyone in the billion-person social network.

Wolens explained that the bug only could have affected those who have previously gave Facebook permission to access that computer’s webcam. A criminal could then post a “malicious page” which would prompt the user to activate the webcam, which would start the recording process. The video could only be published if the user then went back to that page and deactivated the web cam, according to Wolens.

Seems like a farfetched attack process, but companies are right to be sensitive to any matters associated with the webcam. Stealing video of a person without their consent or knowledge brings concerns to a whole new level. It seems Facebook agrees and paid the researchers $2,500.

The social network participates in a bug bounty program, similar to its competitor, Google. The program allows anyone registered to poke around Facebook and find holes in the company’s code or code from external programs it may use that could lead to a security incident. The idea is to catch them with white hat hackers before the black hats take advantage of the situation.

Webcam photo via Shutterstock

The government wants more mobile know-how, and not just in protecting employees’ phones. The U.S. Defense Intelligence Agency put out a request for information to find those who can hack into a mobile phone both by using readily available tools, and creating tools where there are none.

The RFI was posted on December 12th and states that it is looking for a contractor that will need to receive Top Secret clearance with a “single scope background investigation.” On the mobile side, the contractor will need to provide both analytical and engineering support. That is, you must be able to find and harvest the data from phones, and perhaps even use the phone for information gathering.  You need to know how to operate “commercially available off-the-shelf” tools and “government available off-the-shelf tools.” You must also be able to provide training to others on the team about using these tools.

The engineering is where building tools on the fly comes in. A mobile phone’s data may not be accessible through conventional means, thus it would on you to figure out a way in.

This is just another example of how mobile is becoming a critical element of national safety. It’s the classic case of hiring (potential) hackers who know their way around anything and can help the government become just as limber.

If you think you’re the person they’re looking for, the RFI requests that you email Mr. Quentin McCoy, Contracting Officer at quentin.mccoy@dodiis.mil.

hat tip TechCrunch, via FierceMobile; Smartphone image via Shutterstock

As security takes the spotlight, hackers are often touted as being both smarter and faster than the average white hat. Google isn’t afraid to admit this and wants to pay up to $2 million in prizes for devastating exploits — no matter what hat you wear.

The company announced yesterday that it will award up to $2 million in prizes at the Hack in a Box conference in Kuala Lumpur to hackers who can deliver exploits and bugs associated with its Chrome Browser. The contest is called the Pwnium competition — a play on the words “pwn,” slang to take total control of something, and “Chromium,” a reference to the element Google’s Web browser is named after.

This is the second Pwnium competition Google has held. Last year, however, the company offered only $1 million in prizes.

Prizes are awarded in different levels. Those who find a “full Chrome exploit” get up to $60,000. A $50,000 prize is given to those who find a “partial exploit,” or have to use bugs in software Chrome may use but is not directly developed by the Chrome team.

A panel of judges will reward those who get part of the way but can’t make it to a full exploit. All exploits must be full documented, meaning you’ll need to record the steps you took to find the exploit. Google may also want you to demonstrate the way you found it as well.

The search giant recently changed its regular bug-reporting payment structure and is now offering $1,000 bonuses if an exploit or bug proves to be particularly valuable. That is, Google will shell out the extra cash after the fact if it turns out you poked a bigger hole than originally thought.

Forbes makes a good point in that, while Google and other companies such as social network Facebook offer cash incentives, there are much bigger entities with much deeper pockets. Governments and the police are willing to pay a lot more money for a bug that may be used to that entity’s benefit.

Def Con and Black Hat, while both security conferences held together in Las Vegas, are two very different beasts. One attracts the corporate security type, another the hacker underbelly.

Black Hat could almost be described as mellow in comparison to Def Con, one of the largest running hacker conferences in the world, often attracting up to 12,000 attendees. The con is held at the Rio in Las Vegas, compared to Black Hat, which is held at Caesar’s Palace on the strip.

The two conferences attract chief security officers, hackers, Feds, and press alike. Because of the that, the talks vary too, from those like former FBI executive assistant director Shawn Henry who spoke about finding and getting rid of “the adversary” to hacking planes in mid-air. Indeed, there is a nice mix of preaching to the choir coupled with vulnerabilities and exploits that may or may not have been found illegally.

But both conferences are important to a community of CSOs and hackers that generally are pretty segregated. Black Hat celebrated its 15th year running last week, and Def Con celebrated its 20th.

Check out our gallery below comparing tell which one you’d rather go to next year.

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

It’s been 10 days since Russian hacker Alexey Borodin unleashed hell for Apple with his iOS in-app purchasing exploit. But after successfully countering some of Apple’s attempts to shut him down, Borodin is calling it quits on his iOS hack. Instead, he’s going to focus more on his Mac OS X exploit, unveiled over the weekend.

“By examining Apple’s last statement about in-app purchases in iOS 6, I can say that currently game is over,” Borodin wrote in a blog post, referring to Apple’s fix for developers against his exploit. “Currently we have no way to bypass updated APIs. It’s good news for everyone, we have updated security in iOS, developers have their air-money.”

Borodin went on to say that he will continue running his iOS exploit service until iOS 6 comes out. Apple has offered developers early access to some APIs to secure their in-app purchases, but it won’t be able to widely fix Borodin’s exploit until iOS 6 is released.

He hinted that he has something in store for Apple’s Mac OS X app store. That exploit is similar to the iOS in-app hack, but it also requires a separate app called “Grim Receiper” to function. Apple hasn’t yet responded to Borodin’s OS X hack, but I would imagine that it would be tougher to fix, since the desktop OS is more open than iOS.

As I’ve written previously, Borodin is taking advantage of Apple’s shortsightedness when it comes to in-app purchases. Instead of tying purchases directly to customer accounts or devices, Apple’s in-app purchase receipts can be easily reused with Borodin’s method, as ZDNet’s Emil Protalinski points out. On iOS, Apple also sent customers’ Apple IDs and passwords in plain text, which could allow the hacker to easily collect login credentials. It’s unclear if that’s the case for the Mac exploit.

Via The Next Web

While Apple was hard at work coming up with a fix for Russian hacker Alexey Borodin’s iOS in-app purchasing exploit, the wily hacker has unveiled a similar exploit for in-app purchases on Mac OS X.

The latest hack, which affects OS X 10.7 and above (earlier versions don’t support in-app purchases), also relies on tricking Apple’s very basic receipt system for in-app purchases.

Borodin’s latest exploit method doesn’t differ too much from his original iOS hack: You simply need to install two system certificates, change your DNS settings to point to his server, and use a new app call “Grim Receiper.” The app is the only unique element of the Mac OS X hack, and it serves to keep track of receipts for you to reuse, according to Borodin.

Basically, Borodin is taking advantage of Apple’s shortsightedness when it comes to in-app purchases. Instead of tying purchases directly to customer accounts or devices, Apple’s in-app purchase receipts can be easily reused with Borodin’s method, as ZDNet’s Emil Protalinski points out. On iOS, Apple also sent customers’ Apple IDs and passwords in plain text, which could allow the hacker to easily collect login credentials. It’s unclear if that’s the case for the Mac exploit.

Apple last night announced that iOS 6 will fix Borodin’s iOS hack, and earlier this week it started attaching unique device IDs (UDIDs) to in-app purchase receipts. For now, developers need to authenticate in-app purchase receipts before they get sent to Apple’s servers.

Apple initially tried to cut off Borodin from its servers using his IP address and urged his ISP to shut down his website. As VentureBeat’s security guru Meghan Kelly tells it, Borodin was eventually able to relaunch his website via an off-shore ISP and figured out another way to steal in-app purchases without using the App Store.

We’re interested in seeing where this game of cat and mouse goes. We’ve dropped a line to Apple for further comment on the news.

Borodin is now accepting donations via Bitcoin, after PayPal stopped accepting donations to him.

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Just one day after Apple announced and released an early version of iOS 5 to developers, hackers have proven that the mobile OS is just as susceptible to exploits as past versions.

One eager beaver has figured out a way to install iOS 5 without the need for an Apple developer account (which costs $99 a year). And a prominent iPhone hacker has confirmed that iOS 5 is easily jailbroken, allowing users to run apps unapproved by Apple and tweak their iPhones in a variety of ways.

The hacks show that security concerns will remain an ever-present problem for Apple in iOS 5, and likely all future versions of the platform.

Apple fan and amateur developer Mert Erdir discovered that he could install the new OS by tricking the operating system’s Voice Over feature, Gizmodo reports. The process (which we won’t replicate here) seems simple for users already familiar with hacking their iOS devices. As with any hack, though, you do run the risk of screwing up your device should something go wrong.

“My will is not to do something harmful to anyone,” Erdir wrote in a statement to Gizmodo. “I just wanted to get the attention of Apple, the company I’m in love with; and maybe one day have a chance to talk to/meet Steve Jobs himself.” He’s currently accepting donations on his blog so that he can get a legitimate developer account.

Meanwhile, “MuscleNerd“, a member of the rogue group of iOS developers known as the iPhone Dev Team, confirmed last night on Twitter that he was able to jailbreak iOS 5. The jailbreak took advantage of the existing limera1n exploit, ReadWriteWeb reports. The existing hack is only for serious iOS tweakers though — it’s a tethered jailbreak, meaning you’ll have to connect your iOS device to a computer every time you want to reboot.

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Researchers have developed a proof-of-concept Android program that can literally keep an ear out for credit card numbers.

Dubbed Soundminer, the software uses the phone’s microphone to listen for credit card numbers spoken aloud, or typed into the phone, Forbes reports. It was developed by six researchers at Indiana University and the City University of Hong Kong, who plan to demonstrate it next month at a security symposium in San Diego.

The team set out to show how even a smart user — one who doesn’t give unknown programs access to their keyboard or web browsing — can be tricked. If a strange application asks for access to their phone’s microphone instead, they may be less inclined to think it could steal their data. As they speak or type credit card numbers, Soundminer then records their information.

The software also doesn’t require access to a network connection to transmit data. It instead relies on a sneaky “covert channel” — one that allows apps to send small bits of data to other apps — to forward the stolen information to an app called Deliverer, which in turn sends the data to a hacker. According to the researchers, the Deliver app could be installed automatically upon Soundminer’s installation.

“The covert channels that the researchers identify include the phone’s vibration, volume, and screen wake-up settings, all of which are shared with other applications when they’re changed,” writes Forbes’ Andy Greenberg. “By tweaking those settings in a certain pattern, Soundminer sends a simple secret code to Deliverer, which in turn passes it on to the hacker. And because Soundminer extracts the credit card number from the audio track rather than transmit the entire file, it only has to share 16 digits with Deliverer, easily small enough for its subtle communications to the other malicious app.”

Being the product of researchers, and not malicious hackers, Soundminer’s real purpose is to expose the security flaw in Android. In their paper on Soundminer (PDF link), the researchers propose that users can disable audio feedback noises, and Google could implement better app permissions, to plug the security exploit.

Check out a video of Soundminer in action below:

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

The first iPhone operating system (iOS) 4.1 jailbreak has hit the streets. Hacker Geohot’s “Limera1n” exploit lets users hack their phones to install a variety of unofficial apps and tweaks.

The exploit currently supports the iPhone 4, iPhone 3G S, iPod Touch 3rd gen and 4th gen, and the iPad. It only works on official iOS releases at the moment, so don’t expect it to jailbreak any early beta software. Limera1n is Windows-only at the moment, but Geohot says that a Mac version is on the way. He stresses that the exploit is still a beta release, which means rough edges may get smoothed over with future releases.

We reported in September that the iPhone Dev Team, a rival hacker group, had come across an exploit for iOS 4.1 (dubbed “Shatter”) that targets a low-level portion of the OS, which makes it impossible for Apple to patch the exploit with a simple software upgrade. That means all existing iOS devices will be able to rely on their exploit forever, and Apple won’t be able to fix the security hole until it rolls out new hardware. But that group hasn’t released its exploit to the general public, making Geohot the first to make a jailbreak publicly available.

It’s unclear if Limera1n is taking advantage of the same security hole as the iPhone Dev Team, although Geohot says that his exploit is similarly “unpatchable” by Apple. (It can also technically jailbreak the Apple TV, like the iPhone Dev Team’s exploit.)  By releasing his exploit first, Geohot has thrown down the gauntlet to the iPhone hacking community — potentially forcing other groups to finalize their own exploits soon. The iPhone Dev team is currently recommending that users wait for its Shatter exploit to be released, Engadget reports.

Getting content noticed is a challenge for everyone making apps. Join us at DiscoveryBeat 2010 and hear secrets from top industry executives about how to break through and profit in the new cross-platform app ecosystem. From metrics to monetization, we’ll take an in depth look at the best discovery strategies and why they’re working. See the full agenda here. The conference takes place on October 18 at the Mission Bay Conference Center in San Francisco. To register, click here. Hurry though. Tickets are limited, and going fast.

Twitter’s Safety account mentioned that it was aware of the exploit earlier this morning, and it announced that it was fixed shortly after.

According to Sophos Senior Technology Consultant Graham Cluely, thousands of Twitter accounts featured the exploit. Those include Sarah Brown, wife of the former British Prime Minister, who has over one million Twitter followers. Her account was apparently hacked Cluely created a short video (below) demonstrating the various ways the exploit was used.

To be clear, the exploit only affected Tweets on Twitter.com. Users of third-party Twitter clients like TweetDeck were in the clear. The news comes only a week after Twitter began rolling out a new version of Twitter.com.

As Twitter co-founder Evan Williams mentioned last week, when he unveiled the company’s new website design, most people experience the service through Twitter.com. 78 percent of active Twitter users have used the website in the past month — more than other clients combined.

It’s good that Twitter resolved the issue quickly, but it will need to be extra vigilant about issues on Twitter.com in the future. With its improvements, even more users are going to rely on the website instead of using a third-party client.