Security
Hacker group says Apple developer site susceptible to phishing hacks
Written by Akuma Tuesday, 28 June 2011 12:11
A group that calls itself YGN Ethical Hacker Group has identified potential security holes in Apple's website for Mac and iOS developers. Those security holes could allow malicious hackers to use the Apple Developer Connection in phishing attacks to gain access to users' login and password information.
According to information supplied to Networkworld, the group identified three potential security issues on the site, including arbitrary URL redirects, cross-site scripting, and HTTP response splitting. In particular, the ability to arbitrarily redirect to other URLs could make phishing attacks against developers' login credentials more likely to succeed.
"By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials," the group said. "Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance." In other words, even though the redirect will cause users to end up at a malicious site, the original link would appear to come from developer.apple.com.
Since developers use their Apple ID to access password-protected areas of Apple's developer website, such as forums, beta OS releases, and SDKs, a successful phishing attack could give hackers access to a user's iTunes Connect account, iTunes Store purchases, and more. If the e-mail address is valid, hackers could also try using password cracks to get into a user's e-mail as well.
YGN said that it alerted Apple to the problem in late April, and that the company quickly acknowledged getting the report. "We take the report of a potential security issue very seriously," Apple told YGN. However, it doesn't appear Apple has closed the security holes.
To encourage Apple to act, the group says that it will release its discoveries to the security mailing list Full Disclosure "in a few days."
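The arbitrary-redirect weakness described above comes down to a server copying a request parameter into its `Location` header. The sketch below is an added defensive example, not code from the article, YGN, or Apple: it puts that pattern beside a validator that only allows same-site targets and rejects the CR/LF characters behind HTTP response splitting. The host `developer.example.com`, the function names, and the sample parameters are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed values for this sketch; the article does not show the site's code.
ALLOWED_HOSTS = {"developer.example.com"}
DEFAULT_TARGET = "/"


def naive_redirect_target(url_param: str) -> str:
    """Vulnerable pattern: the request parameter is used as the Location value."""
    return url_param


def safe_redirect_target(url_param: str) -> str:
    """Return url_param only if it stays on an allowed host, else DEFAULT_TARGET."""
    # CR/LF in the value is the response-splitting vector; tabs and backslashes
    # are rewritten by some browsers, so "/\\host" can become "//host".
    if not url_param or any(c in url_param for c in "\r\n\t\\"):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(url_param)
        host = parts.hostname
    except ValueError:
        return DEFAULT_TARGET
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: require https and an exact host match.
        # .hostname ignores any "user@" prefix, so "allowed@evil" is judged by "evil".
        if parts.scheme == "https" and host in ALLOWED_HOSTS:
            return url_param
        return DEFAULT_TARGET
    # Relative URL: accept only a path rooted at a single "/" ("///host" is
    # treated as scheme-relative by browsers, so any "//" prefix is refused).
    if url_param.startswith("/") and not url_param.startswith("//"):
        return url_param
    return DEFAULT_TARGET


def check_samples() -> dict:
    """Run constructed sample parameters through both functions."""
    samples = [
        "/forums/thread?id=42",
        "https://developer.example.com/sdk",
        "https://phish.example.net/login",
        "//phish.example.net/login",
        "https://developer.example.com@phish.example.net/",
        "/ok\r\nSet-Cookie: session=attacker",
    ]
    return {s: (naive_redirect_target(s), safe_redirect_target(s)) for s in samples}
```
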
LulzSec calls it quits, claims 50 days of mayhem was all it wanted
Written by Akuma Sunday, 26 June 2011 17:00
Lulz Security, the group of hackers that have made a name for themselves with hacks of Sony, Nintendo, PBS, and more, claimed yesterday that it was calling it quits, with no more hacking or releases of stolen documents under the LulzSec name planned for the future. To celebrate the end of LulzSec, the group released a final torrent of pilfered material: more documents and user credentials from a range of sources including AOL and AT&T.
The press release claims that LulzSec only planned to operate for fifty days, and hence that this decision to ditch the LulzSec name was not being made in response to the continued pressure the group is coming under from both law enforcement and other hacking groups. This claim is a little hard to reconcile with the release of documents stolen from the Arizona DPS that the group made on Friday. That publication was claimed to be the first of many, with more documents due to arrive on Monday, and subsequent documents on a weekly basis. If such releases are made, they won't be under the LulzSec brand.
The documents released on Friday were collected as part of "Operation Anti-Security", the name LulzSec has given to a bunch of attacks made on law enforcement and private security companies. In the press release announcing the retirement of the LulzSec name, the group expressed the hope that AntiSec would continue, and that security organizations would continue to come under attack. AntiSec was itself somewhat contradictory: LulzSec always maintained that it was motivated by amusement rather than political principles, and yet the decision to specifically make law enforcement agencies the target was an apparently political one.
These political motivations are also hard to reconcile with many of the releases the group has made; even the last torrent of information contained usernames and password hashes for gaming forums and the game Battlefield Heroes. As a result of that security breach, EA has taken Battlefield Heroes offline until the problem can be remedied. The torrent itself has been pulled by The Pirate Bay after it was found that the files taken from AT&T included malware.
One factor that may have encouraged LulzSec to retire its name and perhaps keep a lower profile is the continued efforts by the group's opponents to uncover the identities of those behind the LulzSec name and publish as much personal information about them as possible. A group calling itself The A-Team posted a substantial amount of data about members of LulzSec yesterday, and this release may have been the straw that broke the camel's back, forcing LulzSec to drop out of the public eye.
Though the LulzSec name may now be dead, former members are promising that its AntiSec mission will continue, albeit in a less centralized way.
LulzSec's first Operation Anti-Security release: Arizona DPS
Written by Akuma Friday, 24 June 2011 06:57
Hacking group Lulz Security has released a torrent of documents stolen from the Arizona Department of Public Safety in what it says will be the first release of information accumulated as part of "Operation Anti-Security," a campaign to hack, disrupt, and embarrass law enforcement agencies and private security contractors. LulzSec claims that it targeted Arizona law enforcement in response to Arizona's controversial anti-immigration law, saying that it opposes the law itself, and "the racial profiling anti-immigrant police state that is Arizona."
The torrent, entitled "Chinga La Migra!"—which translates as "f**k the police" or "f**k the border patrol"—contains documents pertaining to "border patrol and counter-terrorism operations and describe the use of informants to infiltrate various gangs, cartels, motorcycle clubs, Nazi groups, and protest movements." The documents themselves are variously marked "law enforcement sensitive", "not for public distribution", and "for official use only."
Many of the documents appear to be mundane. There are bulletins describing suspects with outstanding warrants, court documents, and interdepartmental e-mail correspondence. The presumed source of the files is the e-mail accounts of seven police officers listed in LulzSec's press release. The officers' e-mail passwords are also included, and demonstrate a very low level of awareness of computer security; passwords include "12345", "rosebud", and officers' badge numbers.
The Arizona DPS has confirmed that it has been hacked, and has disabled its Web-based e-mail and Web site in response. DPS spokesman Steve Harrison confirmed that the documents seemed to be authentic, and said that the agency's IT people were investigating the attack. He also claimed that the agency had heard rumors or a tip that its systems were going to be attacked.
The group promised that it would make new Operation Anti-Security releases each week that will reveal private law enforcement and military documents, with the intent being to "purposefully sabotage their efforts to terrorize communities fighting an unjust 'war on drugs'." The next set of documents can be expected on Monday.
Dox everywhere: LulzSec under attack from hackers, law enforcement
Written by Akuma Wednesday, 22 June 2011 19:30
Hacking group Lulz Security has found itself coming under attack from all angles, drawing unwanted attention from both law enforcement and other hacker groups. Though the group's antics have won it many fans who appreciate LulzSec's anti-establishment leanings, they've also earned plenty of enemies, and those enemies have started to fight back. So far, they've posted LulzSec's "dox"—the names, pictures, and addresses of the people claimed to be the ringleaders of the group.
Since LulzSec first gained prominence, pro-US hacker th3j35t3r ("The Jester") has worked to uncover their identities and embarrass them. th3j35t3r, who has made a name for himself by knocking pro-jihad Web sites offline, has butted heads with Anonymous in the past, opposing the faceless collective's support for WikiLeaks. He worked to disrupt the activities of the AnonOps faction—taking servers offline and revealing names of the participants. Since many of AnonOps' key players moved on to form LulzSec, th3j35t3r's focus has shifted accordingly.
LulzSec blamed for UK census theft, hacker arrest; LulzSec denies everything
Written by Akuma Tuesday, 21 June 2011 09:41
A 19-year-old alleged member of the Anonymous and LulzSec hacking groups has been arrested in the UK. The Metropolitan Police Central e-Crime Unit announced that Ryan Cleary, of Wickford, Essex, was arrested last night on suspicion of offenses under the Computer Misuse Act and Fraud Act. He's currently being held in a central London police station.
Cleary was responsible for running one of the IRC servers used by AnonOps, a faction of the Anonymous group that co-ordinated attacks on both perceived "enemies" of WikiLeaks and various Middle Eastern governments, until an acrimonious split last month. Subsequently, he is believed to have been a member of Lulz Security, responsible for running that group's IRC server.
The police, working in co-ordination with the FBI, have seized a "significant amount" of material from Cleary's address which is now undergoing forensic examination.
LulzSec, for its part, is denying that any member of their group has been arrested, wondering which "poor bastard" had been taken in. However, their IRC server is offline, which would be consistent with claims that it was operated by Cleary.
Concurrent with this, a post made to Pastebin that purports to be a LulzSec press release claims that the group has stolen the data collected in the UK's recent census. The post claims that the data will be published once it has been suitably formatted. Collecting the data was outsourced to defense contractor Lockheed Martin—itself the victim of recent attacks. Speaking to Channel 4 News, a spokesperson for the census claimed that there was "no evidence" to suggest that the data had been compromised.
LulzSec this morning sought to distance itself from the census claims. The group pointed out that anyone can paste the Lulz Boat ASCII art into Pastebin, and said that only releases that were promoted via Twitter should be trusted. There was no tweet publicizing the census post.
LulzSec rampage continues: 62k e-mails and passwords, CIA attacked
Written by Akuma Thursday, 16 June 2011 10:50
Hacking group Lulz Security is continuing to amuse itself at the expense of others, with the release today of 62,000 e-mail addresses and associated passwords. The group didn't say where it got the information, or how it got it; instead, it exhorted its Twitter followers to create lulz of their own, and use the information to break into Facebook, Twitter, World of Warcraft, and much more—a task often made easy by the use of shared passwords.
The tweets that followed suggest that their followers have risen to the challenge, with numerous tales of multiple e-mail break-ins and account compromises, vandalism of Facebook and dating site profiles, and more.
This comes after another day of distributed denial of service attacks. Following on from Titanic Takeover Tuesday, LulzSec yesterday continued to DDoS various game login servers. In a more daring move, the group brought down cia.gov under a flood of traffic. If its past actions haven't got the attention of law enforcement, the CIA attack is sure to have done so.
The group also embarked on a rather more old-school denial of service attack, flooding not just Web servers but phone switchboards too. They set up a phone number and redirected it to various targets of their choosing—apparently including an FBI office in Detroit—and then asked their Twitter followers to call it. The result? Switchboards swamped with thousands of calls.
The CIA attack, along with a bunch of tweets today mocking HBGary, and the earlier PBS hack, shows that perhaps the group is a little more politically motivated than it lets on. Though ostensibly motivated merely by lulz, seeking amusement from the trouble caused for others, LulzSec's members do seem to retain political leanings similar to their Anonymous forbears. Indiscriminate as they may be—it doesn't matter what line of business you're in, if your systems suffer from basic security flaws, they're happy to exploit you and publish the results—being part of the establishment and acting against the interests of WikiLeaks are both grounds for extra attention from the LulzSec crew.
LulzSec's escapades have also been immortalized in a video from NMA. Never before has the true spirit of 4chan, Anonymous, and LulzSec been captured on film.
NMA's "LulzSec goes on hacking rampage for Lolz"