Hackers break into Washington Post servers for third time in three years

The Washington Post's servers were penetrated by hackers who accessed employees' user names and password data in a breach that marked the third intrusion in as many years, the paper reported.

Security personnel still don't know the full extent of the loss, an article published Wednesday said. The intrusion was discovered by outside security consultant Mandiant, which reported it to Washington Post officials Wednesday. Compromised data includes employees' user names and passwords that were "stored in encrypted form," which typically means as a cryptographic hash. Post officials, working under the assumption that a fair percentage of hashed passwords can be cracked, planned to direct all employees to change their passwords.

There's no evidence yet that subscriber information such as credit card data or home addresses was accessed. There was also no immediate sign that hackers had accessed the paper's publishing system, employee e-mail databases, or sensitive personal information belonging to workers. Wednesday's article cited a Washington Post official as saying investigators believe the intrusion lasted at most a few days.
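The Post's reasoning above, that a leaked table of hashed passwords is still a credential leak, rests on how the hashes were computed. The following is an added example, not code from the Post or from Mandiant, showing how a defender would triage a leaked credential table (which entries were cheap to crack versus which used a slow, salted KDF) and how to store passwords so that the next leak is less damaging. The scheme name, iteration count and sample store are constructed for the example; PBKDF2-HMAC-SHA256 is used because it is in the standard library, not because the page says what the Post used.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: a self-describing record format and an
# iteration floor. Raise the floor over time; the record stores what was used.
SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a record of the form scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt/iterations; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def classify(record: str) -> str:
    """How much work a leaked record costs an attacker.

    legacy_fast_hash: bare MD5/SHA-1 style hex, no salt, no work factor; a
                      commodity GPU tests billions of guesses per second.
    kdf_below_floor:  salted PBKDF2 but fewer iterations than current policy.
    kdf_current:      salted PBKDF2 at or above the floor.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return "legacy_fast_hash"
    return "kdf_below_floor" if int(parts[1]) < PBKDF2_ITERATIONS else "kdf_current"


def triage(store: dict) -> dict:
    """Count accounts per class. After a leak every account is reset anyway (as the
    Post did); the counts tell you how fast the attacker gets working credentials."""
    counts = {"legacy_fast_hash": 0, "kdf_below_floor": 0, "kdf_current": 0}
    for record in store.values():
        counts[classify(record)] += 1
    return counts


def verify_and_upgrade(password: str, record: str):
    """Login path: accept the password, and if the record is below policy, return a
    fresh record so the caller can transparently re-store it."""
    ok = verify_password(password, record)
    if not ok:
        return False, None
    if classify(record) != "kdf_current":
        return True, hash_password(password)
    return True, None


# Constructed sample credential table (not real data): one legacy entry, one
# salted entry at an old work factor, one entry at the current floor.
CONSTRUCTED_STORE = {
    "alice": hashlib.sha1(b"winter2013").hexdigest(),
    "bob": hash_password("correct horse battery staple", salt=bytes(16), iterations=1_000),
    "carol": hash_password("a-much-longer-passphrase-here"),
}

if __name__ == "__main__":
    print(triage(CONSTRUCTED_STORE))
    ok, new_rec = verify_and_upgrade("correct horse battery staple", CONSTRUCTED_STORE["bob"])
    print(ok, classify(new_rec) if new_rec else None)
```

Note that `verify_password` refuses legacy records outright: a bare SHA-1 cannot be verified by the new scheme, which is the intended behaviour during a forced reset, and `verify_and_upgrade` re-hashes accounts that are still below policy the next time they log in.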


Secret Service investigating massive credit card breach at Target (Updated)

UPDATE Thursday 5:34am CT: In a statement posted to its website early Thursday morning, Target acknowledged that "approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013," adding that the company is "partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."

Original story follows:

According to the Wall Street Journal and independent journalist Brian Krebs, retail giant Target was hit with a major theft of customers’ credit-card and debit-card data captured in stores during the Black Friday weekend.


Perv Utopia: Light on MacBook webcams can be bypassed

The MacBook's LED indicator is off, but its webcam is very much turned on.

A common pastime among the residents of the Internet's seedy underbelly is spying on people through their webcams, then using the pictures to harass and blackmail the victims. This kind of hacking went mainstream when Miss Teen USA Cassidy Wolf was named as a victim of a blackmail attempt.

In addition to standard computer security advice given to combat this behavior—keep your computer patched, don't install malware, and so on—it's commonly suggested that you only use webcams where the activity LED is hardwired to light up whenever the camera is active. Among others, Apple's line of laptops has been identified as having such hardwired LEDs. However, researchers at Johns Hopkins University have published a paper, first reported on by the Washington Post, demonstrating that even this isn't good enough. Some hardwired LEDs turn out to be, well, software controlled after all.

As with just about every other piece of modern hardware, the webcams in the computers that the researchers looked at—an iMac G5 and 2008-vintage MacBooks, MacBook Pros, and Intel iMacs—are smart devices with their own integrated processors, running their own software. The webcams have three main components: the actual digital imaging sensor, a USB interface chip with both an integrated Intel 8051-compatible microcontroller and some RAM, as well as a little bit of EEPROM memory.


New attack steals e-mail decryption keys by capturing computer sounds

In this photograph, (A) is a Lenovo ThinkPad T61 target, (B) is a Brüel&Kjær 4190 microphone capsule mounted on a Brüel&Kjær 2669 preamplifier held by a flexible arm, (C) is a Brüel&Kjær 5935 microphone power supply and amplifier, (D) is a National Instruments MyDAQ device with a 10 kHz RC low-pass filter cascaded with a 150 kHz RC high-pass filter on its A2D input, and (E) is a laptop computer performing the attack. Full key extraction is possible in this configuration, from a distance of 1 meter.

Computer scientists have devised an attack that reliably extracts secret cryptographic keys by capturing the high-pitched sounds coming from a computer while it displays an encrypted message.

The technique, outlined in a research paper published Wednesday, has already been shown to successfully recover a 4096-bit RSA key used to decrypt e-mails by GNU Privacy Guard, a popular open source implementation of the OpenPGP standard. Publication of the new attack was coordinated with the release of a GnuPG update rated as "important" that contains countermeasures for preventing the attack. But the scientists warned that a variety of other applications are also susceptible to the same acoustic cryptanalysis attack. In many cases, the sound leaking the keys can be captured by a standard smartphone positioned close to a targeted computer as it decrypts an e-mail known to the attackers.

"We devise and demonstrate a key extraction attack that can reveal 4096-bit RSA secret keys when used by GnuPG running on a laptop computer within an hour by analyzing the sound generated by the computer during decryption of chosen ciphertexts," the researchers wrote. "We demonstrate the attack on various targets and by various methods, including the internal microphone of a plain mobile phone placed next to the computer and using a sensitive microphone from a distance of four meters [a little more than 13 feet]."
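The attack works because the private-key exponentiation runs directly on ciphertexts the attacker chose, so the attacker controls the values whose processing leaks through the acoustic channel. The page does not say what the GnuPG update contains; the added example below (not code from the researchers or from GnuPG) shows the standard countermeasure for this class of chosen-ciphertext side channel, RSA blinding: the decryptor multiplies the ciphertext by a fresh random factor before the secret-key operation and removes it afterwards, so the value the private key actually touches is unrelated to the attacker's input. The RSA parameters are a constructed toy key, far too small for real use.

```python
import secrets
from math import gcd

# Constructed toy RSA key (assumption for the demo; 20-bit primes are not secure).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt_unblinded(c: int) -> int:
    # The secret-key operation runs on c itself: if the attacker chose c, the
    # attacker chose every intermediate value the side channel can observe.
    return pow(c, D, N)


def blind(c: int) -> tuple:
    """Return (c * r^e mod n, r) for a fresh random r coprime to n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (c * pow(r, E, N)) % N, r


def decrypt_blinded(c: int) -> int:
    c_blind, r = blind(c)
    m_blind = pow(c_blind, D, N)        # only this value is touched by the private key
    return (m_blind * pow(r, -1, N)) % N  # (m * r)^1 * r^-1 = m


def private_key_inputs(c: int, trials: int) -> set:
    """The distinct values the private-key operation sees across repeated
    decryptions of the same ciphertext: one value without blinding, a fresh
    random value every time with it."""
    return {blind(c)[0] for _ in range(trials)}


if __name__ == "__main__":
    m = 123456789
    c = encrypt(m)
    print(decrypt_unblinded(c) == m, decrypt_blinded(c) == m)
    print(len(private_key_inputs(c, 5)))  # 5 distinct inputs for one ciphertext
```

The correctness argument is one line: (c · r^e)^d = c^d · r^(ed) = m · r (mod n), and multiplying by r^-1 recovers m. Blinding does not remove the leakage itself; it decorrelates the leaked signal from any ciphertext the attacker is able to choose, which is what this attack needs.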
