New attack cracks iPhone autogenerated hotspot passwords in seconds

The top 10 most commonly used words contained in default iPhone hotspot passwords, ordered by relative frequency.

If you use your iPhone's mobile hotspot feature on a current device, make sure you override the automatic password it offers to secure your connection, because a team of researchers can crack it in less than half a minute by exploiting recently discovered weaknesses.

It turns out Apple's iOS versions 6 and earlier pick from such a small pool of passwords by default that the researchers—who are from the computer science department of the Friedrich-Alexander University in Erlangen, Germany—need just 24 seconds to run through all the possible combinations. The time required assumes they're using four AMD Radeon HD 7970 graphics cards to cycle through an optimized list of possible password candidates. It also doesn't include the amount of time it takes to capture the four-way handshake that's negotiated each time a wireless enabled device successfully connects to a WPA2, or Wi-Fi Protected Access 2, device. More often than not, though, the capture can be completed in under a minute. With possession of the underlying hash, an attacker is then free to perform an unlimited number of "offline" password guesses until the right one is tried.

The research has important security implications for anyone who uses their iPhone's hotspot feature to share the device's mobile Internet connectivity with other Wi-Fi-enabled gadgets. Adversaries who are within range of the network can exploit the weakness to quickly determine the default pre-shared key that's supposed to prevent unauthorized people from joining. From there, attackers can leach off the connection, or worse, monitor or even spoof e-mail and other network data as it passes between connected devices and the iPhone acting as the access point.

Read 8 remaining paragraphs | Comments

Prepare for #OpPetrol Targeting Gas and Oil

On June 20, Anonymous will launch the #OpPetrol campaign against international gas and oil companies. It was announced on May 11, shortly after the campaign called #OpUSA began.

These types of organized attacks are often similar, as we have seen in previous operations, and may include:

  • Distributed denial-of-service (DDoS) attacks
  • Hacking and defacing social media accounts or posting fake messages
  • Hacking and defacing organization websites or stealing information and posting it as "proof" of breach
  • Hacking organization servers and attempting sabotage, such as planting disk wiping malware

There are various ways attackers may target these organizations, including using tools like the LOIC (Low Orbit Ion Cannon) or phishing emails to trick recipients into revealing account login details.

Symantec advises organizations to be prepared for attacks in the coming days.

Organizations should monitor for unusual activities in their networks, particularly any attempts to breach the perimeters. Staff members should be specifically trained on social engineering mitigation tactics along with regular security awareness training. As always, we continue to stress the importance implementing a multi-layered approach to defense.

These recommendations apply to all organizations as best practices that should be carried out regularly as most attackers do not provide warnings in advance to targets.

Microsoft will pay up to $100K for new Windows exploit techniques

Some bugs aren't worth very much cash.

Microsoft has announced that it will give security researchers cash rewards for devising novel software exploitation techniques, creating new exploit mitigation systems, and finding bugs in the beta of Internet Explorer 11 when it's released later this month.

Bug bounty programs, where security researchers receive a cash reward from software vendors for disclosing exploitable flaws in those vendors' software, have become an important part of the computer security landscape. Finding flaws and working out ways to exploit them can be a difficult and time-consuming process. Moreover, exploitable flaws have a market value, especially to criminals, as they can be used to propagate malware and attack systems.

Bounty programs address both concerns. They provide a means for compensating researchers for their efforts, and they provide a market for flaws that won't lead to compromised machines and harm to third parties. Google, Mozilla, Facebook, PayPal, and AT&T, among others, all offer monetary rewards for bug disclosures.

Read 7 remaining paragraphs | Comments