Daily deals company LivingSocial is sending out an email to 50 million of its members today saying that the company has been hacked. It assures the public that the hackers did not access any credit card information.

Living Social announced the hack through an email to the affected people today as well as in an internal email to employees that emphasized the systems that were affected. Currently, only names, birthdays, email addresses, and encrypted passwords were collected by the criminals. Encrypted, or hashed, passwords can be unencrypted by the hackers with the right tools, so you should be sure to change you passwords if you used your LivingSocial one for any other accounts.

When asked when this breach originally occurred and if it was connected to a Java exploit or a phishing attack, a company spokesperson said LivingSocial is not yet ready to discuss those details.

Tim O’Shaughnessy, LivingSocial’s chief executive, explained in the email to employees that the hack did not touch the servers that hold credit card information nor the servers that store merchant financial or banking information.

LivingSocial is reaching out to everyone except those who live in Thailand, Korea, Indonesia, and the Philippines. A spokesperson for the company explained that customer information for anyone in those countries is stored on a separate, untapped server, “so there was no impact on them from the attack.”

In the aftermath of attacks like these, hackers often attempt to using phishing attacks to gain even more information. LivingSocial assures customers that it will never ask for personal or account information in an email. If you see an email asking for anything of this nature, assume that’s it’s a fraud and don’t respond. If you’re concerned about your account, go directly to the website and check out your account from there.

Here is the email sent to LivingSocial employees, which the company supplied us with:

LivingSocial image via justgrimes/Flickr

Pro-Syria hackers who call themselves the Syrian Electronic Army attacked National Public Radio’s systems and changed several article headlines yesterday evening. The group also accessed and tweeted from NPR’s Twitter accounts.

The issue began last night around 11 p.m. Eastern, according to NPR. The Syrian Electronic Army hacked into NPR’s content management system and updated its posts to say, “Syrian Electronic Army was here.” It did the same for the NPR Twitter accounts. The publication says some of these articles belong to its member stations and that all parties have been notified and the situation seemingly cleaned up.

The hackers posted a message to their own Twitter account explaining that ”We will not say why we attacked @NPR … They know the reason and that enough #SEA #Syria.”

The group went on to claim responsibility for hacking five NPR Twitter accounts. When asked if the hacking had anything to do with a Peabody Award NPR recently received, the SEA said, “You can ask @DeborahAmos.”

The Peabody Award committee named Deborah Amos for her reporting on Syria, which contributed to the overall NPR award.

The Syrian Electronic Army often goes after publications that do extensive reporting on the civil war in Syria. In 2012, the SEA hacked Al Jazeera’s website after it launched its “Syria Live Blog,” which pulled  in pictures and various social media updates regarding Syria. It was an attempt to provide up-to-the-minute information for an area torn by violence.

The SEA defaced the liveblog with an image depicting Syrian President Bashar al-Assad and the Syrian flag. It read, “You got hacked again by the SEA. We want Bashar al-Assad.”

NPR says it will continue to closely monitor the situation.

hat tip Ars Techinca; NPR hacked image via Tom Cheredar/VentureBet; Google results image via Sophos

Evernote has this morning announced a rash of suspicious activity and is instituting a service-wide password reset.

In a post this morning on the company blog, team members called the activity “a coordinated attempt to access secure areas of the Evernote service.”

Evernote’s security team says it has found no evidence that user data, including stored content, was accessed. The company also confirmed that payment information for Evernote’s premium services was not compromised.

What the hackers were really after was usernames, email addresses, and passwords. Evernote says the information sought had been encrypted (hashed and salted). Even so, the service is asking its users to change their passwords.

To change yours, go directly to the Evernote site; don’t click on any links in any emails you may receive.

Also, your friendly neighborhood nerds at VentureBeat would encourage you to change your passwords for any accounts that shared the same login information as your Evernote account. Using duplicative login credentials across multiple sites is a big personal Internet security no-no, but we know enough of you do it.

These kinds of hacks are becoming more and more common. To thwart hackers and prevent online or financial identity theft, all us Internet folk should generally not be idiots about passwords, the first line of defense in online security. Get creative with your passwords, or better yet, use password management software such as 1Password.

A small number of Apple employees’ computers were hacked recently by the same crew that attacked Facebook, and which Facebook claimed it traced back to China. In that case, Facebook said, its employees’ machines were fully patched and up-to-date, and entry was gained via a previously unknown zero-day attack in the Java browser plugin.

In a statement released to AllThingsD, Apple said there was no evidence the attack succeeded in getting any corporate data:

Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.

Java is notoriously a source of security problems, and Apple says it will release a software tool later today to patch the problem. Oracle had provided a patch on February 1, 2013, according to Facebook, but Apple is not known for being quick to release new updates. That update is not yet available, at least according to my MacBook Air’s software update mechanism.

Worth noting: Apple has not shipped Java since Mac OS X Lion — which launched in July of 2011 — and also disables Java if it has not been used in 35 days.

Apple says it is assisting authorities in tracking down the hackers.

photo credit: alles-schlumpf via photopin cc

Hackers reportedly breached email accounts for former U.S. President George W. Bush and his family, according to The Smoking Gun. The Secret Service confirmed that it is investigating the incident.

“There’s a criminal investigation under way,” Jim McGrath, a spokesman for George H. W. Bush (George W’s father and himself a former president) told AFP. “I can’t get into the specifics.”

The hacker claiming responsibility is called “Guccifer” and has placed related watermarks on the photos he lifted from the Bush family accounts. According to The Smoking Gun, Guccifer was able to take not only photos — one of which includes Bush standing in front of a cardboard cutout of himself — but also personal information such as phone numbers, addresses, and emails for people in the Bush family. Guccifer was also able to unearth private information about the health of former Bush who was recently hospitalized for bronchitis.

Hackers breach email accounts seemingly every day in recent years, so it comes as no surprise that another person’s information has been exposed. But because this information comes from U.S. presidents past, this becomes a much bigger issue. The Secret Service confirmed to Reuters that it is investigating who is behind the hack, though the email likely didn’t contain many state secrets.

According to The Smoking Gun, Guccifer broke into six different Bush family and friend accounts.

George W. Bush image via Official U.S. Navy Imagery/Flickr

Twitter announced in a blog post today that it recently detected “unusual access patterns” — meaning it was being hacked.

The company was able to shut down one attack while it was in progress, but discovered that up to 250,000 accounts had been compromised. Hackers got away with usernames as well as session tokens and hashed passwords. As a safety measure, Twitter says it shut down those affected session tokens and has reset the hacked accounts.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” said Bob Lord, Twitter director of information security in the blog post. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information.”

Companies tend not to discuss attacks as they happen so as to not tip off the hackers or disrupt an investigation. In the wake of both The New York Times and the Wall Street Journal admitting to hacks, it seems now is not the time to keep quiet. Lord went on to say that Twitter is “helping government and federal law enforcement in their effort to find and prosecute these attackers” and further urged people to turn off Java after a number of critical vulnerabilities were found in the Oracle product.

You will likely be notified soon if you haven’t already that your account was compromised. Twitter says you will need to reset your password as you will no longer have access to your account as it stands.

Twitter did, however, choose a funny title for its blog post: “Keeping our users secure.” Marco Arment, the founder of Instapaper, poked fun at Twitter’s attempt to hedge the hack tweeting, “Calling this ‘Keeping our users secure’ is like having just your garage burn down and announcing, ‘Preventing fires.’”

Twitter image via Jolie O’Dell/VentureBeat

Yesterday, ad analytics company Spider.io said that Internet Explorer is vulnerable to a simple hack that enables attackers to see what your mouse is doing onscreen – even when IE is minimized. Users don’t have to download, install, or even agree to any onscreen prompt — the attack vector is a simple banner ad on virtually any site on the web.

Today a Microsoft representative told VentureBeat that it’s investigating the issue:

We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected. We will provide additional information as it becomes available and will take the appropriate action to protect our customers.

The vulnerability affects new and old versions of Internet Explorer, from version 6 to the current 10, and Spider.io said that at least two display ad analytics companies were already using it across billions of webpage impressions each month.

Spider.io also said that it informed Microsoft of the vulnerability almost two months ago.

If you’re using Internet Explorer, a simple way to protect yourself online is to simply enter nothing at all in a virtual, onscreen keyboard. At least until Microsoft issues a fix or determines that this is not actually a security problem.

Nationwide might be on your side, but the hackers who broke into it aren’t. The company released an apology today, revealing the October breach that compromised social security information.

The hack on Nationwide came through servers it shared with Allied Insurance, and may have affected up to 1.1 million people, according to The Washington Post. Hackers tapped into quite a payload of personally identifiable information including name, birthday, social security number, and driver license ID number. Nationwide says hackers may also have gotten away with marital status, gender, and work information such as your title, company, and company address. The company said it stores this type of information in order to give people quotes on its insurance.

“At this time, we have no evidence that any medical information or credit card account information was stolen in the attack,” the company said in a statement.

Nationwide says it found the attack the same day it happened, October 3, and immediately reported it to the authorities. It is currently sending out notices to everyone whose information was accessed and, through a partnership with Equifax, is giving those people free identity theft protection and credit monitoring. Anyone who uses Nationwide, or recently sent in their information for a quote, should check their bank statements often — even if you don’t believe your information was part of the hack.

As for who was behind the attack, Nationwide and law enforcement do not yet know. However, the insurance company does suspect that they came from outside the United States. Law enforcement officials are still looking through the forensic evidence to see if they can trace the event back to a specific person or country.

Nationwide image via tlarrow/Flickr

Facebook says reports that its servers have been hacked by Anonymous are false, and that the company is actually experiencing outages on the European continent.

A hacker that goes by the Twitter handle @AnonymousOwn3r claimed to have taken down Facebook in Europe earlier today, siting a vulnerability called cross-site request forgery. @AnonymousOwn3r is otherwise known for hacking into GoDaddy in September. “Evidence” was posted on Pastebin, but Facebook called the hacker’s bluff, telling VentureBeat in an email:

There has not been a hack of Facebook, we have investigated these claims and they are not valid. The evidence cited was produced by an automated vulnerability scanner that alerts developers of potential vulnerability, and we have found these all to be false alerts.

We expect Anonymous just like we expect any other attack on any other day. Due to our size, we face the same threats as seen everywhere else on the web, but we have developed partnerships, backend systems, and protocols to confront the full range of security challenges we face. Facebook has always been committed to protecting our users’ information, and we will continue to innovate and work tirelessly to defend this data.

“Earlier today we made a change to DNS as part of a traffic optimization test, and that change resulted in some users being temporarily mis-routed. We detected and resolved the issue immediately, but a small number of users located primarily in Western Europe experienced issues accessing the site while the DNS addresses repopulated. We are now back to 100 percent, and we apologize for any inconvenience.”

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

DETROIT — Jack Dorsey confessed something on stage here at Techonomy Detroit today: He hacked into the world’s largest dispatch company’s email system in order to get a job.

“I was in college, and I really wanted to go into the dispatch industry,” Dorsey said.

Dorsey had grown up loving cities and loving maps. That translated into a fascination with dispatch software — in fact, some of his open source software for taxi companies is still in use today.

But when he wanted to get a job with a dispatch company in New York and checked its website, he found a problem: no contact information.

“So I found a hole in their web server and found their corporate emails. I emailed their chairman, told him there was a security hole, and said here’s how to fix it.”

The next week Dorsey was on an airplane. He got the job.

Dorsey says he is still fascinated with New York — in fact, he even harbors a not-so-secret dream to be the mayor of New York.

However, I’m not sure a similar strategy will get him that particular job.

Image credit: John Koetsier

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Last week Anonymous claimed it plucked 12 million unique identifiers associated with iPhones from an FBI laptop. Today, however, a Florida publishing company says it was actually its servers that were hacked, according to NBC News.

On September 4, Anonymous announced that it stole 12 million UDIDs after hacking into what seemed to be a poorly protected FBI agent’s laptop. The group released one million of those numbers as proof that it had actually obtained them. The incident raised questions of government surveillance and what the FBI would be doing with all those UDIDs (which on their own don’t provide give any personal information such as credit card numbers or passwords).

Quickly following the hack, both the FBI and Apple responded. The FBI said it had “no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.” The agency went on to call the claims “totally false.”

Apple later said it hadn’t given the FBI any of the UDIDs and that the FBI had not requested any of them.

According to NBC News, publishing company Blue Toad said it ran the publicly available UDIDs against its own database and found they matched up with 98 percent accuracy. That was enough to convince the small company that its own servers had been hacked, and it has called foul on Anonymous’ claims. The company says it has already reached out to law enforcement but does not plan on contacting those who may have been affected.

As per its website, Blue Toad lets people publish content such as a magazine to a catalog or brochure using its technology. It also works with app development.

“As an app developer, BlueToad would have access to a user’s device information such as UDID, device name, and type,” Apple spokeswoman Trudy Muller told NBC News. “Developers do not have access to users’ account information, passwords, or credit card information, unless a user specifically elects to provide that information to the developer.”

via NBC News; Anonymous image via skenmy/Flickr

They say the best offense is a good defense.

Tenable Network Security has taken $50 million in its first round of funding for its software that protects against cybercrime. The technology keeps its clients safe by identifying vulnerabilities with passive scanning, monitoring networks in real time, and configuration and compliance management.

TNS’s comprehensive platform identifies weaknesses in enterprise security networks before attackers can exploit them and manages these threats. Its flagship products are Nessus and SecurityCenter.

Nessus, dubbed “The Swiss Army Knife of vulnerability assessment,” continuously seeks out risks by scanning IT infrastructures for security flaws and compliance issues. SecurityCenter collects, analyzes, and communicates threats from a central hub to keep vulnerabilities under control.

Security is a major concern for any enterprise that wants to keep its data safe (all of them, I hope). Evolving technology means evolving threats. Mobile malware has exploded this year, and every company with an online presence needs to fight against hackers and other network hazards.

“Security is a mainstream issue – especially with the explosion of mobile, cloud, and virtual computing,” said CEO Ron Gula. “Serious network attacks are far more common than anyone wants to publicly admit.”

These products are used by 15,000 organizations worldwide, including the U.S. Department of Defense and 12 out of 14 federal civilian departments.

The rest of the client list reads like a Who’s Who of American industry, including large corporations and businesses of every persuasion. Customers include technology leaders Dell, Google, Intel, Microsoft, Skype, Apple, and Yahoo; financial services companies Barclays, Deloitte, and Visa; universities including Brown, Michigan, and Ohio State; healthcare organizations such as Johnson & Johnson, Merck, and Coventry; energy corporations Chevron, and ConocoPhillips; media conglomerates CBS, Comcast, Time Warners, and 20th Century Fox; telecom providers Verizon and British Telecom; and retailers ranging from Chipotle to Zappos. To name a few.

Revenue has grown by more than 5 times over the past four years. In the past year alone, the company has had to double its staff and expects to double it again to accommodate high demand for is products.

It was founded in 2002, but only now took institutional investment in order to continue researching evolving and increasingly dangerous cyber threats, translate this research into product development, and accelerate global growth. The investment came from Accel Partners.

It is headquartered in Columbia, Maryland, with offices around the U.S. and the U.K. Read the full press release.

For secrets, nowhere’s safer than the inside of your head, right? Wrong. Commercially sold electrode-headsets, often used in gaming, can be hacked to extract your ATM PIN, birthday month, location, and more, according to Wired.

It’s a whole new era of phishing attacks. Instead of tricking you into giving up sensitive information with convincing e-mails, hackers could tap into your gaming headsets and pull the information out of your brainwaves that are converted into data streams.

The headset in question is the Emotiv EPOC headset, which is used for a number of computer interaction purposes, including gaming. It taps into the player’s brain waves to control what’s happening on the screen via a set of electrodes that sit on the top of your forehead when in use. The software collects your thoughts and translates them into data that can be extracted using an application programming interface, or API.

A new paper called “On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces” shows how the attack is performed. The research team got a hold of the brainwave data stream using the API and performed five experiments to see if they could gather a PIN number, bank account information, location information, month of birth, and facial-recognition information.

Each experiment flashed a sequence of pictures on a computer screen. For example, when trying to extract bank account information, test subjects saw pictures of ATM machines and debit cards. In the PIN test, they were shown a series of numbers.

The researchers then studied the “event-related potential,” or the electrical change in the brain that, in this case, signals that the subject recognizes or has a connection to what they’ve just seen on the screen.

For the PIN test, debit cards, and ATM machines researchers correctly guessed the sensitive information for 20 percent of the victims on the first try. For the bank based on the ATM, as well as the location of their homes, researchers correctly guessed for 30 percent of the test subjects. The most successful test was the month of birth, which researcher pinned down correctly for 60 percent of the subjects.

The scariest part of this isn’t necessarily that the brainwaves give up this kind of information, but the fact that it’s available in an API form that is currently accessible by anyone. The Emotiv EPOC headset allows any developer to create apps based on that API, which researchers say could lead to “brain spyware.” Indeed, many of these apps include a bit of “calibration” or regular installation that could be used to show victims these kinds of pictures and steal the brainwave data.

Check out the research report below:

via Wired, Image via Emotiv

Over 500,000 credit card numbers in Australia were discovered compromised today, stolen through a hack on a business’ point of sale system.

Law enforcement suspects a group of Romanian hackers is behind the attack.

According to SC Magazine, law enforcement was alerted to the scheme when banks started noticing fraudulent activity on the credit cards. It is expected that the 500,000 credit cards will be sold on the black market. The banks have already shut down access to those credit card numbers.

The hack was allegedly executed by the same Romanian hacker ring that stole credit card information from point of sale terminals in Subway restaurants across the United States. Reports say the hackers were able to access the point of sale systems using Microsoft Remote Desktop Protocol, which was left open and unprotected so that the company could “monitor stocks.” From there they installed a program to grab credit card information when a card is swiped.

Australian law enforcement has otherwise not disclosed the name of the business due to the ongoing investigation.

In March, a similar hack occurred on Global Payments’ point of sale system. Over 1.5 million credit card numbers were stolen from systems installed in New York City parking garages. The attack was uncovered when Visa and Mastercard suddenly began warning banks about a large number of compromised credit cards. By the time the story surfaced in April, law enforcement said the issue was “contained.”

hat tip Wired, via SC Magazine; Photoshop via Meghan Kelly, Australian Flag and POS images via Shutterstock

Amazon no longer allows you to change account information over the phone, after Wired reporter Mat Honan shared his story of how weak security in Apple and Amazon led to a major hack on his digital life this week.

Wired discovered this after trying to recreate Honan’s hack.

Honan’s Amazon, Twitter, Gmail, and iCloud accounts were broken into over the weekend by a hacker who goes by the name of “Phobia.” It all started when Phobia was able to trick Amazon customer service into believing that he was Honan. The company has since seemingly told its customer service department that information can no longer be added to accounts over the phone.

Amazon allows you to add a credit card number or a new email address to an account if you are able to supply the account holder’s name, a billing address, and an email address on file. These three pieces of information are easily accessible, including the billing address, which Phobia discovered through a “Who Is” look-up of one of Honan’s websites.

Phobia was able to add a credit card to the account, which he then used as a piece of identification when he called Amazon back, pretending to have lost access to Honan’s account. After gaining access to the account, Phobia used information from Amazon to get into his iCloud account, wipe his devices, delete his Gmail account, and hijack his and Gizmodo’s Twitter accounts.

The power of linking your accounts.

via Wired; Photo credit: Mat Honan via photo pin

You don’t often hear about planes crashing in mid-air. The systems they have in place have done a fairly good job at keeping passengers safe. But safety and security are two different things, and while the systems may work, one researcher has found they are scarily easy to hack.

“This is like shooting fish in a barrel. If you’re not scared about this, you should be,” said researcher Nick Foster at the Def Con conference in Las Vegas. “Without encryption without any bottom security and protocol, it’s just not hard.”

The systems that keep planes from running into each other are called Automatic Dependent Surveillance Broadcast and there are two types ADS-B In (the transmissions sending information to the planes) and ADS-B out (the transmissions sending information to the tower). Both of these transmission types are unencrypted and unauthenticated — meaning  the transmissions between the plane and tower are not protected and there’s no way to prove it actually came from the plane or the tower. Anyone can listen to these transmissions and monitor where planes are going and how fast.

Renderman, or Brad Haines, discovered this blatant vulnerability after checking out Planefinder AR, an app that lets you hold your phone to the sky and see where the flights overhead are going. He wondered where the app got its data, and found a number of websites that aggregated data from users. These users set up ground stations, collect data from flights going over, and feed the data into the site’s database.

So, what can people do with that information? Hack it, of course.

If you have access to the transmissions being sent to the tower, who is to say you can’t fuzz the information, add a bit of your own data to the real data. For example, you could tell air traffic control that there was a plane headed straight for the tower, though no plane existed. You could also potentially jam the system by adding fifty more planes to the control tower’s systems, which could send the operators scrambling or overload the system. You could also duplicate a real flight headed through the area. This is dangerous if the tower operators decide to ignore the right flight data, thinking it was a glitch in the system.

Pilots in flight can be messed with as well. A hacker could alert pilots to a fake plane headed straight for it. They could also spoof the GPS, which pilots depend on to know where they are in the skies. We saw GPS spoofing recently when Iran landed a U.S. drone flying in the vicinity. The country’s engineers were allegedly able to hack into the drone’s systems, make it think it was in its landing location and landed the drone within its borders.

Haines stressed, “for the love of Spongebob do not try anything you’re about to see.” He wanted to make this public so that the airline industry can patch up its leaky ship — encrypt and protect this information.

Image via Dean Takahashi/VentureBeat

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Apple is continuing its fight against a Russian hacker who is supplying a way for iPhone users to download in-app purchases without paying. The company is now including a unique identifier in all in-app purchase receipts, according to MacRumors.

Last week Russian hacker Alexey V. Borodin developed a way for iPhone users to steal in-app purchases without having to jailbreak their phones. The method involved installing two security certificates and change the DNS settings on the phone to download in-app purchases over a special connection. Apple soon came after Borodin, shutting down his IP’s access to Apple servers and asking his Internet service provider to take down his website, In-App.com. Borodin, however, dodged Apple’s efforts by setting up his website outside of Russia and devising a way to steal in-app purchases without going through Apple’s App Store servers.

However, Apple isn’t giving up just yet. As MacRumors observes, the company is now tracking the UDID associated with each in-app purchase. That is, Apple is watching the unique identifier associated with each phone that performs this transaction. It is then sending that data on the receipts to the developers.

Apple recently decided to start rejecting applications using UDIDs, since gathering data from them is a slippery privacy slope. MacRumors notes that this could be a placeholder for a new type of identification that will be associated with each in-app purchase, or it could be that Apple wants to know which users specifically are stealing in-app purchases using Borodin’s system.

For now, Borodin continues to use his YouTube account, ZonD80, to promote his tactics, though Apple had his first video introducing the hack taken down.

via MacRumors; Angry apple image via Shutterstock

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Thanks to the hacker community, Google’s new media streamer, the Nexus Q, isn’t just an expensive Tron bowling ball with limited functionality.

In a developer forum, hacker kornyone revealed today that he was able to unlock the Nexus Q, install an Android app library launcher tool, and control the device with an external keyboard and mouse. Basically, anyone who uses this method will be able to access services like Netflix on their television sets, much in the same way a set-top box does. Kornyone specifically noted that he was able to stream 1080p-quality video to his TV using Netflix.

Directly out of the packaging, the Nexus Q seems like a rather limited device for the $299 price, as both VentureBeat’s Jolie O’Dell and I stated when Google debuted the product a few weeks ago. You can only use it in conjunction with mobile devices running Android 4.1 (Jelly Bean), and it only streams music, movies, and YouTube videos stored or accessed on your phone or tablet. The Nexus Q’s media sharing features are nice, but they pale in comparison to Google TV set-top boxes that have access to third-party applications. In short, it’s a huge disappointment.

However, the company did state at the Google I/O developer’s conference that it’s very interested to see how developers use the Nexus Q’s USB port to hack the device. Barely a day after the Nexus Q launched, a developer managed to hack the device to run (but not play) video games like Angry Birds, as VentureBeat previously reported. It’s nice to see Google taking this prohacking stance, especially when competitors like Apple unofficially frown on the practice.

For anyone that wishes to hack their Nexus Q, Kornyone has kindly produced a step-by-step how-to video, which we’ve embedded below.

Via The Verge

Cyber-criminals have stolen Visa and Mastercard credit-card data by hacking into payment processors in New York City parking garages. Visa confirmed that the data — enough to create counterfeit cards — was stolen, and both companies are doing damage control by alerting banks and credit unions for the 56,455 cards.

According to security researcher, Brian Krebs, a group of individuals have compromised the a payments processor, rumored to be Global Payments Inc. The group is believed to be New York-based, targeting the payment systems in New York garages. The criminals gained access through the processor to “Track 1 and Track 2 data,” which gives them enough information to make fraudulent purchases on the compromised cards.

Visa and Mastercard have alerted a number of banks and credit unions associated with the cards, warning that they should be on the lookout for fraud.

“Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards,” the company said in a statement, “As always, Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity.”

The company takes a small jab at the individual business (potentially the NY garages themselves). It explains that each business accepting credit payments is responsible for updating its systems and putting in place the most recent security measures.

According to Krebs, the PSCU is saying 56,455 cards have been compromised, with only around 1.5 percent of those cards actually showing fraudulent charges. Joe Levy, chief technology officer of Solera Networks, believes there may be more to the hacks, which have occurred in the past in cases like Heartland Payment Systems.

“It would not be surprising if the investigation slowly reveals that the breach involved techniques such as web application exploitation, maneuvering from a compromised public system into the internal systems, and that the presence on the network was a longer-term than estimated,” said Levy in an e-mail. “These tend to be common characteristics of these kinds of events. And it underscores the fact that perimeter defenses are imperfect and will almost always be breached by a sufficiently motivated adversary.”

The hack has seemingly been isolated at the third-party payments processor, according to Visa. Visa’s own systems have not been compromised.

Credit card image via Shutterstock

I didn’t know it could be someone’s job to attend hackathons. I hadn’t heard of a developer evangelist before, so a year ago when I stumbled across an opportunity to become one, I was drawn by its novelty.

The mission was to build a developer community from the bottom up by saturating the hackathon scene, gaining allegiance from the early-adopters, the enthusiasts, the hackers. The kind of people who geek out over a new JavaScript library, smother their MacBook Airs with stickers, and maintain wardrobes consisting primarily of startup t-shirts.

If the goal is to build a business on an API, were hackathons the place to start? I wasn’t sure. The tactic seemed so niche. But hey, if someone wanted to pay me to travel and build weekend hacks, that sounded fun to me.

My first hackathon surprised me. I expected it to be quiet and secluded, consisting of the most die-hard geeks, an exclusive community disconnected from the outside world.

But it wasn’t. It was inviting. It was cool. It was a spot for anyone with an entrepreneurial itch to try something new, from bankers to artists to lawyers, all sprinkled amongst designers and developers of all skill levels.

I expected it to feel underground, but it didn’t. Microsoft and Amazon, among other high-profile sponsors, pitched their tools, platforms, and APIs to an eclectic group of would-be world-changers.

I realized after that first event that my weekend calendar was not going to be free for a while. There was no shortage of events to attend or companies wanting to throw sponsorship dollars at those events.

I travelled to hackathons in Dallas, Portland, Boulder, Chicago, Las Vegas, Seattle, DC, and Boston, among others. Every city I went, I asked them the same question: what’s the tech scene like here?

Every time I got the same response: It’s growing.

Everywhere I went, people told me that their tech community was thriving, that their city was going to be the next big tech hub. A year ago there was nothing. Now there were incubators, investors, meetups, and new hackathons popping up every month.

It quickly became clear to me that hackathons are not an outlandish trend, popular only among techies in Silicon Valley and NYC. They are a national phenomenon.

So I asked 150 hackathon attendees, hosts, and sponsors from across the country what they thought about the rise in hackathons. I found some interesting things:

• Why they go: Learning (85 percent) and networking (81 percent) were the top two reasons, followed by changing the world (38 percent) and winning prizes (28 percent). More people are interested in the tech scene and want to learn to code but this community has many people who really have big, ofter altruistic visions. Hackathons offer newbies an environment to learn from experienced coders while building something tangible. Some of those hacks have turned into real businesses, like GroupMe, Launchrock, Zaarly, and Foodspotting.
• APIs are a core strategy: 78 percent of event attendees said APIs are becoming an increasingly integral part of their business strategy. They attend hackathons to increase awareness (56 percent), partner with other cool brands with APIs (75 percent), and build a showcase of apps using their API (56 percent). Since hackers are driven to go to these events, hackathons are a good place to get in front of early adopters, get feedback, and gain enthusiasts for a new API.
• Women are underrepresented: While this is true in many areas of the technology and startup worlds, it was interesting to note that only one in 10 attendees at hackathons are women.
• So many hackathons: The combination of more people wanting to hack on new projects, and more companies wanting to get their APIs consumed has stimulated a surge in hackathons. The top three reasons why attendees believed there are more and more hackathons going on were: an increased awareness of APIs (46 percent); an increased general interest in tech (40 percent); and an increase in the number of hackers (39 percent).

It will be interesting to see if these findings change over time. Perhaps my company will run the survey again next year. But for now, we compiled our findings into a nice infographic to provide a bit of a peek into what really goes on at those hackathon events.

Jon Mumm is a developer evangelist for TokBox, a San Francisco-based startup that provides an API for live video chat. Follow his hackathon adventures on Twitter @jonmumm.

Top image courtesy of lenetstan, Shutterstock

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Proving that anticipation was exceptionally high for a full iPhone 4S jailbreak, the folks behind the Absinthe jailbreaking tool report that it received over 1 million downloads within its first 24 hours.

Even more impressive, the number only includes downloads for the Mac version of Absinthe, as the Windows client debuted a day later, Cult of Mac reports.

The figure shows that jailbreaking — or hacking your iPhone to run unauthorized apps and services — is on the cusp of becoming mainstream. MuscleNerd, a member of the hacker group iPhone Dev Team, points out that there were over 250,000 new installs of the Cydia jailbreak app repository over the first weekend, which implies that a considerable number of Absinthe users were jailbreaking their phones for the first time.

Absinthe, developed by the hacker collective Chronic Dev Team, was the first untethered jailbreak tool available for the iPhone 4S and iPad 2, meaning it can retain the jailbreak after you reboot the phone. Typically, untethered jailbreaks appear fairly quickly with the arrival of new Apple hardware, but the combination of the iPhone 4S and iPad 2′s A5 processor, together with complications from iOS 5, made it difficult for hackers to achieve the untethered hack sooner.

As Cult of Mac points out, the last time we saw such a widely adopted jailbreak was with the release of the JailbreakMe website last year, which let you jailbreak your iPhone simply by visiting a website. Absinthe isn’t as easy to use as JailbreakMe, but it’s certainly a step up over complicated jailbreaking methods of yore.

Stratfor, a highly trusted source of international intelligence, provides reports on international security and related threats to government and military personnel as well as to the private sector.

It is unknown whether Anonymous gained access to other, more sensitive information during the Stratfor hacks, which occurred on December 24.

“The time for talk is over,” Anonymous wrote last night on Pastebin.

“It’s time to dump the full 75,000 names, addresses, CCs and md5 hashed passwords to every customer that has ever paid Stratfor. But that’s not all: we’re also dumping ~860,000 usernames, email addresses, and md5 hashed passwords for everyone who’s ever registered on Stratfor’s site… Did you notice 50,000 of these email addresses are .mil and .gov?”

Anonymous’ motives for the attack are also somewhat hazy. In last night’s statement, representatives of the movement wrote, “All our lives we have been robbed blindly and brutalized by corrupted politicians, establishmentarians and government agencies sex shops, and now it’s time to take it back.”

In addition to the Stratfor attack and exposure, Anonymous is threatening a new action on New Year’s Eve, December 31.

In addition to “noise demonstrations” outside of jails and prisons, ostensibly to show solidarity and support for the incarcerated, Anonymous says it will unveil “our contributions to project mayhem by attacking multiple law enforcement targets from coast to coast.”

Project Mayhem, a name nabbed from the book and film Fight Club, alludes to the group’s desire to topple (or at least shake up) systems of capitalistic and political power by exposing certain types of information by or on December 12, 2012.

Stratfor’s site has been offline since December 24, and the firm has delayed its website relaunch in order to review its security.

“As part of our ongoing investigation, we have also decided to delay the launching of our website until a thorough review and adjustment by outside experts can be completed,” the company said in an email to VentureBeat earlier this week.

For a detailed account of what happened during the Stratfor hack and what it means, see our 10-part FAQ on Anonymous and Stratfor.

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Thanks to Apple’s mobile operating system update,iOS 5.0.1, anyone with a little technical knowledge and desire can now put Apple’s voice assistant Siri feature to use on their iPhone 4.

The update leaves the phone’s RAM disks unencrypted, which allows you to write a script to extract the files needed to enable Siri on the iPhone 4, according to iPhone hacker MuscleNerd. To implement this hack, iPhone 4 owners must download the iOS update, if they haven’t already done so. If you currently have the update, you must download the revised update from Apple’s site.

The new Siri hack is much less painful than previous methods, which required an iPhone 4S unique identifier and validation tokens to fool Apple’s server running Siri. The new method is arguably superior, since “borrowing” someone else’s unique identifier raises security and legal questions.

While hacking the iOS files is (mostly) legal, Apple probably won’t like it. Until the company rolls out another update, however, you can enjoy Siri on your iPhone 4 without having to purchase a new device.

[Via Cult of Mac]

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Apple’s iOS 5 has enough new features that I haven’t really missed jailbreaking my iPhone, but for those who miss tweaking their phone or downloading jailbroken apps, it looks like a completely untethered iOS 5 jailbreak is on the horizon.

The above video, released by iPhone hacker pod2g, demonstrates the untethered jailbreak — so-called because the jailbreak hack is retained even after you reboot your phone. A tethered iOS 5 jailbreak has been out since June, but that’s far more inconvenient than an untethered jailbreak since it requires hacking your phone upon every reboot. A jailbreak for the iPhone 4S was demonstrated in October, but it’s also tethered.

Casual iPhone tweakers, like this reporter, typically wait for untethered jailbreaks because the tethered alternative is far more trouble than it’s worth. This time around I’ve been less anxious to jailbreak my phone since iOS 5 includes many features formerly only available to jailbreakers, like its drop-down notifications interface. One jailbreak developer has even taken issue with how closely Apple’s notifications resemble his own design.

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

A demonstration by researchers at the Black Hat security conference Thursday revealed that Square‘s mobile payment system, which turns smartphones and tablets into physical point-of-sale credit card processing terminals, can be used for credit card fraud, reports CNET.

The researchers, U.K.-based Aperture Labs directors Adam Laurie and Zac Franken,  revealed two different methods for committing credit card fraud using Square. The first method transfers money from a stolen card into a bank account associated with Square without having to swipe it through Square’s card reader accessory.

It’s done using code written by Laurie that allows a person to feed magnetic stripe data from a credit card into a microphone and convert it into a sound file. Using a stereo cable, the audio file is played through the Square device, which transmits the credit card data directly into Square’s application.

The hack means that thieves can obtain credit card data and make transactions without having to clone the card, use a PIN number or go to a physical location.

The second method uses the Square card reader dongle to clone credit cards by grabbing the magnetic strip data and converting it into audio. Then, using the same code written by Aperture’s Laurie, the audio is translated into credit card information. This is possible because Square’s card reader dongle doesn’t use encryption or authentication.

“The (Square) dongle is a skimmer. It turns any iPhone into a skimmer. Now you need less technical hardware to (commit credit card fraud) and no technical skills at all,” Laurie said during a press conference where he and Franken demonstrated the hack using Visa gift cards. “This lowers the bar” for credit card fraud, he added.

Square could not immediately be reached for comment about the potential credit card fraud risks associated with its card reader dongle.

Update: A Square spokesperson responded with the following statement:

This was not a vulnerability, but rather a simulated attempt to commit fraud. Like all credit card processors, we aggressively guard against fraud (such as the use of stolen credit cards)–and we use traffic analysis and other patented methods to detect and prevent malicious activity.

July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Drink up your free AT&T tethering while you can, jailbreakers. AT&T has got you in its sights.

The carrier confirmed today that it will soon begin killing unlimited-data plans for users who hack their iPhones and use unauthorized tethering or hotspot apps. The new rules also apply to users of Android and other smartphones who hack their way to free tethering access.

“Earlier this year, we began sending letters, emails, and text messages to a small number of smartphone customers who use their devices for tethering but aren’t on our required tethering plan,” the company wrote in its statement to the press. “Our goal here is fairness for all of our customers.”

We reported back in March that AT&T had begun warning unauthorized tethering users that their unlimited plans would be revoked, but today marks the first time the company has declared it’s moving in that direction.

AT&T offered three choices to users in its statement:

1. Stop tethering and keep the current plan (including grandfathered unlimited plans),
2. Contact AT&T and move to the required tethering plan, or
3. Do nothing and AT&T will go ahead and add the tethering plan.

Users who continue to use unauthorized tethering apps will be moved over to AT&T’s DataPro 4 gigabyte tethering plan, which costs $45 a month.

Basically, if you’re a jailbroken-iPhone user and cherish your unlimited AT&T plan — and you should, as truly unlimited plans are a rare thing in the mobile world these days — you should consider giving up on free tethering apps. The company also confirmed last week that it would begin throttling data speeds for heavy unlimited users.

Just after Sony suffered a long and embarrassing outage for its 77-million member PlayStation Network, a Sony site has been hacked again.

This time, hackers compromised a Sony website for users in Thailand. F-Secure, a web security company, found the live phishing site at the Sony Thailand address. That means hackers had broken into the site’s security and were redirecting users to a fake website where it could steal their credit card numbers.

While it’s not that significant, it’s another black eye for Sony at a time when it is trying to lure back angry and frustrated users to its online services, which were down for almost a month. Sony has been notified of the hack.

Update: A second attack on Sony’s systems was more malicious. About 100,000 yen ($1,225) was stolen from Sony accounts in Japan. Users lost virtual points in their accounts. That shows that Sony’s troubles aren’t over yet.

The Kinect for Windows software development kit (SDK) will be released this spring when Microsoft Research and its game division finish work on it. The goal is to support a growing community of academic researchers and enthusiasts who want to take Kinect to the PC to launch creative new motion-sensing applications. If the SDK takes off, Microsoft can benefit from an experimental and innovative community growing up around the Kinect technology.

Microsoft announced the details of the SDK today at its Mix11 developer conference in Las Vegas. When Microsoft launched the Kinect system in November, it had no idea that users would want to come up with their own apps. But users quickly circumvented the Kinect’s security system and came up with a bunch of hacks to enable things like a Kinect piano and use Kinect to control a flying drone.

The SDK’s features include the ability to track body movements in a skeletal outline for one or two people moving within Kinect’s camera view. It also has advanced audio capabilities, allowing developers to take advantage of the four-microphone array with acoustic noise and echo cancellation for clear audio. It also has “beam formation” technology to identify a sound source and recognize what is being said. And it has an XYZ depth camera for detecting motion in a 3D space, measuring the distance of the object from the Kinect camera.

---

GamesBeat 2013 is our fifth annual conference on disruption in the video game market. You'll get 360-degree perspectives from top gaming executives, developers, and analysts on what’s to come in the industry. Our theme this year is “The Battle Royal.” Check out full event details here, and grab your early-bird tickets here!

---

Users first started noticing the bug sometime around midnight (PST), using Twitter as a platform to share their annoyance. “My facebook account was disabled for reasons unclear. Liking a story on CNN? Sharing a link about Nicolas Cage? Serious crimes!,” wrote user raeracquel, characteristic of many others who were puzzled as to what behavior led to the incident.

After his wife’s account was affected by the bug, Kansas-based designer Brian Ford noticed that all users who were complaining seemed to be females or those associated with females. “Most of the accounts have been disabled for being “inauthentic”, and several people are reporting that they can only get it back by uploading a “government issued” photo ID. Sketchy,” Ford added.

A little later in the evening, Boy Genius Report received an acknowledgement of the bug from Facebook, with the following statement:

Earlier today, we discovered a bug in a system designed to detect and disable likely fake accounts. The bug, which was live for a short period of time, caused a very small percentage of Facebook accounts to be mistakenly disabled. Upon discovering the bug, we immediately worked to resolve it. It’s now been fixed, and we’re in the process of reactivating and notifying the people who were affected.

The company seems to have followed up on its promise, and users are beginning to see their accounts reactivated. Additionally, a scan through Twitter’s search for “facebook disabled” finds no new users complaining.

While the incident only affected a very small minority of users, it’s not a good sign that a social network most users rely on so heavily in their lives could be so easily affected by a trivial bug. If the incident wasn’t so widespread, it’s unclear how Facebook would have dealt with it. As Ford noted, “Facebook provides no way (to) actually contact someone, or submit a report about the issue.”

The incident raised questions about Twitter’s security. The site has swiftly grown to more than 140 million users. It recently raised $100 million in venture capital and is valued by its investors at more than $1 billion. It has gone on a hiring spree, even as many question its plans to make money. And the fact that two teens were so easily able to take it over raises the concern that it’s neglecting security amid its torrid growth.

The hack first spread through an account named @Matsta, who resides in Auckland, New Zealand, the city where I live. I got in touch with Matt, the 17-year-old behind that Twitter handle, to find out the real story.

Matt and his friend Harrison, both high school students, admited that they were involved in spreading the exploitative code. (Both are 17, so VentureBeat is not publishing their last names.) Drawing from our exclusive interview with the pair, who have both blogged about the incident, we now have the story behind the Great Twitter Exploit of 2010.

The hack used well-known security flaws in JavaScript, a simple programming language used extensively in websites, to take over the accounts of Twitter users when they visited the service’s website. Users rolling their mouse over certain pages and links automatically retransmitted malicious code, messages, and links to their followers — the mechanism by which the Twitter worm swiftly spread. Twitter fixed the exploit later Tuesday morning.

The story began when a developer in Japan, known as @kinugawamasato on Twitter, found a vulunerability in Twitter’s code. The exploit, a version of a commonly known hacking technique called cross-site scripting (XSS), enabled custom JavaScript code to be executed whenever a user’s cursor paused over a link. The developer reportedly made Twitter aware about the issue a month ago. Company representatives reportedly responded by telling him they’d fixed it. (According to a Twitter corporate blog post, they had addressed the issue, but subsequently rolled out code that restored the vulnerability.) The Japanese hacker, noticing that the vulnerability remained, went on to create a harmless Twitter profile that changed the background colors of his tweets to different colors as a proof of concept.

The exploit was seen by a 17-year old Australian teenager named Pearce, who goes by @zzap on Twitter. Pearce modified the exploit to enable it to insert JavaScript in a tweet. This version of the exploit, which he posted on Twitter, displayed the words “uh oh” whenever a user rolled their mouse over a link.

One of Pearce’ followers on Twitter was Harrison, a friend of Matt’s, who goes by @Peppery on Twitter. Harrison noticed the code in the hack was too long for it to run any “meaningful” JavaScript code, given Twitter’s 140-character limit on posts. He went on to shorten the code to a fourth of its original size, and found a way to make it automatically retweet a message by having the entire page — not just a single link — react on the movement of the cursor. That improvement proved key to spreading the hostile code.

“When you can make something retweet itself, you have what is essentially the same thing as the Samy XSS worm that propagated on MySpace some years ago — a virally spreading exploit,” Harrison pointed out.

Having laid the groundwork for a successful exploit, Harrison then instant-messaged the code to his friend, Matt (@Matsta), as a joke. ”Go to Twitter and copy and paste this into the box,” he said in a message, pointing to the code he had just come up with.

“When I sent it his way, I was mostly curious as to what would happen when the code was posted,” Harrison says.

Matt, who said he was unaware of what the code would do, tweeted it out to his 800 people who subscribed to him on Twitter, and thus was born the infamous Twitter exploit.

Now it’s no secret what took place afterwards. In just over two minutes, the exploit had been retweeted thousands of times, spreading from user to user as they opened their Twitter homepages and saw someone’s tweet.

Jonathan George, the developer of Boxcar, a popular iPhone application which sends Twitter notifications to a phone, noted that one of Matt’s tweets had been retweeted 61,516 times. Needless to say, within minutes, the word “Matsta” was trending on Twitter.

Soon after, spammers and other miscreants took notice and modified the code for their own use, spreading links to pornographic sites and opening up malicious popup windows. What started as some idle fun to see how Twitter would handle self-propagating JavaScript code turned into a viral spam heaven, with links being spread by the the mere opening of the Twitter homepage.

“We had no idea that it would take off in that way,” said Matt. “I only gave it two seconds of thought before I posted the code.”

Around 7 a.m. Pacific Time, Twitter suspended Matt’s Twitter account, apparently in response to the hacking incident.

However, the code was still out and being retweeted until Twitter developers finally fixed the underlying vulnerability at around 9 a.m. Pacific Time. Meanwhile, back in New Zealand, where it was already night, Matt and Harrison headed to bed to get ready for class the next morning.

The news caught fire as they slept. The story was covered by nearly every major outlet around the world. To date, there are over 1,800 news stories containing the word “Matsta”, according to Google News. Back at home, the New Zealand Herald reported the involvement of two fellow Kiwis in the attack, as did a national TV news channel.

As a result, Matt and Harrison’s Facebook pages have since been littered with links to coverage of the incident, with friends and acquaintances congratulating the two for making world news with an idle prank.

Matt has since made a new Twitter profile and hopes the company will let this one slide. “No, I will not hack your Twitter,” he promises in his bio. (Update: it appears Matt’s new account has also been suspended by Twitter. Update 2: Twitter is working with Matt to restore his account, on the promise that he will “report this kind of stuff responsibly before letting it spread.”)

Carolyn Penner, a Twitter spokesperson, said the company would not pursue legal action against either Matt or Harrison.

[Homepage photo: bixentro]