Free songs

Hacking

Prodigy/Telmex E-Mail Vulnerabilities Exposes Thousands of Accounts and Puts Millions At Risk

Over the past few weeks I have been working with  El Economista on the discovery and disclosure of a massive security hole in Prodigy’s  (Telmex) mobile email and web based mail systems in Mexico.

The hole has exposed at least several thousand email accounts, even enabling the indexing of email accounts and messages by Google and  putting all Telmex customers who have an email on the Prodigy.net.mx and several other domains at risk.

Read More»

ToorCamp 2012 – Tracking Technology, Forensics and Privacy

My presentation from this summer at ToorCamp, probably the most fun you can possibly have at a security conference. I learned tons.

Read More»

Mobile Penetration Testing: There’s An App For That

When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network from a remotely.

Companies focus most of the security spending and policies on keeping hackers from the outside in, from firewalls and other security hardening appliances, software and tools.

Read More»

Anonymous vs GoDaddy: Social Media As Social Engineering

When GoDaddy’s services went down last week there was instantly speculation that Anonymous had something to do with it. The fact that the group has been responsible for a number of high profile hacks leads many to think that any hack or data breach has something to do with the group. When GoDaddy’s services went down and an Anonymous member claimed responsibility many in the press didn’t even blink and accepted the claim as fact. Even journalists who should know better to check their facts were citing Anonymous claims as fact, or at least helping to distribute the claims to the masses.

Read More»

You down with UDID? Yeah, you know me… my location and app activities

It was announced this week by the hacker group AntiSec that they compromised a laptop belonging to Supervisor Special Agent Christopher K. Stangl from the FBI taking advantage of vulnerability in Java that allowed them to gain access files on his system. The data they claim to have downloaded allegedly holds more than 12 million UDIDs ( Uniqe Device Identifiers) from Apple iOS devices.

Read More»

Is That A Phone In Your Pocket Or Area You Scanning My Network?

I wrote an article for PenTest Magazine which was published today on how to attack networks from the inside using just a smartphone. When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network from a remotely. Companies focus most of the security spending and policies on keeping hackers from the outside in, from firewalls and other security hardening appliances, software and tools. However, given the proliferation of mobile devices in the workplace and use of Wi-Fi networks inside of an office, attacking from inside the network provides unique opportunities. Smartphones have become much more powerful over the past few years, with powerful processors and a plethora of hardware at your fingertips. Combine this power into a compact unit with the right apps you can scan a network from the inside in seconds along with several other new types of attacks and information gathering.

However, given the proliferation of mobile devices in the workplace and use of Wi-Fi networks inside of an office, attacking from inside the network provides unique opportunities. Smartphones have become much more powerful over the past few years, with powerful processors and a plethora of hardware at your fingertips. Combine this power into a compact unit with the right apps you can scan a network from the inside in seconds along with several other new types of attacks and information gathering.

Read the full article ( PDF )

Scarlet Johansson Leaked Photos EXIF Data

Recently Scarlet Johansson has been added to the list of celebrities who have had photos taken on their phone compromised. The media is stating this is an apparent ring of hackers that are stealing the data from celebrities phones and laptops, however this theory seems suspect.

More likely is that the images are being stolen from cloud and backup services, where data sits unencrypted, not directly from the devices themselves. I took a look at the recent alleged  images ( research! ) and scanned them for EXIF data to see what information I could find about the images. One of the images had quite a bit of data embedded, I was able to see that the photo was taken with Blackberry Bold 9000 taken on October, 12, 2010 at 8:02PM. It is interesting that these photos are over a year old. Unless the image data and EXIF tags were tampered with the image came directly from the phone and was not modified by any applications like Photoshop, or compressed by any service. The images could have been emailed to another party as an attachment, it is highly likely that an email account or backup service was compromised.

The second photo that shows Johansson’s backside was not taken with the same phone, very little EXIF data was embedded in the image, but it was taken at a much higher resolution of 300 px/inch, the image also uses Progressive DCT encoding vs Baseline DCT like we have on the Blackberry device.

Several celebrities have had images leaked lately Vanessa Hudgens reportedly had nude images leaked after someone hacked her Gmail account. Odds are something similar has happened here, particularly given the age of the images.

Celebrity security needs to be taken as seriously as government security, all data should be encrypted even personal images and data. If celebrities are using cloud services they need to make sure the data is encrypted before it is backed up.