Bypassing TouchID was “no challenge at all,” hacker tells Ars

Ars expressed surprise on Monday that a hacker was able to bypass fingerprint protection less than 48 hours after its debut in Apple's newest iPhone, but not everyone felt the same way. The hack, carried out by well-known German hacker Starbug, required too much expertise and pricey equipment to make it practical, according to critics.

Marc Rogers, a security expert at smartphone security firm Lookout, was among the skeptics. After independently devising his own bypass of Apple's Touch ID, he concluded that it was anything but easy. "Hacking Touch ID relies upon a combination of skills, existing academic research, and the patience of a Crime Scene Technician," he wrote. Rogers went on to say that no one would know just how feasible Starbug's hack was until he released a step-by-step video and we learned more technical details.

We now have both. Heise Online has posted the video here, and it was enough to satisfy Rob Graham, a security expert who donated $500 to the first person to hack Touch ID. Ars has also heard directly from Starbug, who (like us and several security experts) was surprised by how little time and effort his bypass required.

Read 19 remaining paragraphs | Comments


Who rooted servers two years ago, how did it happen, and why?

More than two years after unknown hackers gained unfettered access over multiple computers used to maintain and distribute the Linux operating system kernel, officials still haven't released a promised autopsy about what happened.

The compromise, which began no later than August 12, 2011, wasn't detected for at least 16 days, a public e-mail and interviews immediately following the intrusion revealed. During that time, attackers were able to monitor the activities of anyone using the servers known as Hera and Odin1, as well as personal computers belonging to senior Linux developer H. Peter Anvin. The self-injecting rootkit known as Phalanx had access to a wealth of sensitive data, possibly including private keys used to sign and decrypt e-mails and remotely log in to servers. A follow-up advisory a few weeks later opened the possibility that still other developers may have fallen prey to the attackers.

For three weeks in September and early October, officials kept closed so the servers that run it could be rebuilt. When the site reopened on October 4, a message on the front page prominently warned of the breach and noted the steps taken to rebuild the site. "Thanks to all for your patience and understanding during our outage and please bear with us as we bring up the different systems over the next few weeks," the message concluded. "We will be writing up a report on the incident in the future."

Read 7 remaining paragraphs | Comments


Craigslist SMS Spam Scam, with a Twist

While Craigslist has always been a favorite social engineering theme for scammers, Symantec has identified another on-going SMS spam campaign abusing Craigslist’s popularity. The scam tricks users into installing free and legitimate open source software on their PC by leveraging phone numbers posted on Craigslist ads. The software comes bundled with additional software that will allow scammers to make money through affiliate programs. 


FigureHow the SMS spam redirects users to download open source software

The first stage of the scam involves the victim receiving an SMS text message on their device. Online research suggests that the scammers are harvesting phone numbers directly from online Craigslist postings for this scam campaign. The sale of spamming and harvesting tools, which automate the harvest of phone numbers, is common on underground forums.

When a user follows the link provided in the SMS sent to them they are informed: "Device not compatible. Please view from a desktop or laptop computer." If a user then navigates to the link from their PC, they are informed that they need to install the GIMP Viewer legitimate open source software). Attempting to install GIMP does not take the user to the official GIMP website, but instead to a different website offering to install GIMP with the option to install several other pieces of software. If the additional software is installed, the scammers make money from affiliate commissions.

In this scam users are being tricked into installing unwanted software onto their computers and affiliate programs are being abused by scammers. The scammers could also easily switch tactics and trick victims into installing malware on their computers.

To avoid being a victim of this and other scams, be cautious when receiving any unsolicited SMS text messages and avoid downloading and installing any type of software unless it comes from an official and reputable site. Symantec also recommends users everywhere install a mobile security app and desktop antivirus protection, such as Norton Mobile Security and Norton antivirus.