hackers Archive

Hacker Claims He can Shut Down Apple MacBook Battery

How would you like to wake up one day to a fiery house all because some hacker decided he was going to hack into your MacBook’s battery and blow it up? That would not make for a good day to say the least.

A famous Apple hacker, Charlie Miller, has found a way to hack into Apple Macbooks battery and manipulate the software that controls the battery to basically shut it down. In other words, Miller is able to modify the battery power controller chip, the chip that monitors and controls all laptop battery functions and power management, and shut down the laptop having access to its own battery.

Miller explained how this is possible at a recent presentation at the Black Hat security conference Thursday in Las Vegas.

The exceedingly scary part about Millers discovery is he thinks it could be a way for a hacker with this know-how to actually make the Macbook explode.

CNN sat down the Miller in a Q and A session. The edited transcript is available below for your entertainment. Hopefully what Miller is explaining cannot be replicated by the average hacker or all of some Macbook users may be in for some serous trouble.

CNN: Tell me what you were able to do with Apple’s laptop batteries.
It’s sort of complicated, but the way batteries get charged in your laptop is there’s a little chip in your battery and the computer talks to that chip to figure out what’s going on. That chip will tell it how much charge it has, how much charge it needs, how much charge it should give it — that sort of thing. What I figured out was how to change the software that runs on that chip.
When it comes from the factory, they don’t want you messing with it, so they set up passwords and stuff to prevent you from doing that. There’s two passwords, actually, and Apple didn’t change those, so you can just find documents on the Internet that said what those were and then I could change the firmware on the chips to make it (the battery) do whatever I wanted.

So what does that allow you to do?
Well, you could make it not work anymore. You can make the battery to where the computer doesn’t even know it’s plugged in. …
My goal was to see if I could make one blow. I never did that. There’s lots of different protections to stop that from happening, and also I was a little scared to blow one up in my house, you know.

Why blow it up? Why was that the goal?
I approach it like, what can people do to me, right? So I don’t want to wake up one day and have my computer blow up. I want to be the one looking at that — not the bad guys.
So I found this thing where Apple didn’t change their passwords. Well, now they’re hopefully going to change their passwords, right? So then next time I buy a laptop from Apple I won’t have to worry quite so much that someone will do something (bad).
I released a tool that you could run, if you’re particularly paranoid, that would fix this problem.

Is this the first time a hack has targeted a battery?
No one that I know has ever looked at it — or no one has ever published anything about it. You carry this thing around with you, and it has a chemistry set in it.
Other people go into a store, and they think about what to buy. I think about how to steal stuff. I don’t (actually) do it — that’s just kind of how I think.

You target Apple products primarily. Tell me why you’ve chosen to do that?
That’s a good question. I started this gig four years ago — and so back then the Apple products were way easier to break into than, say, Windows.

Really?
Yeah, they were very far behind in security.
That goes against the common perception.
Yeah, I know. People thought they were secure when they weren’t. And when I told people that, no one would believe me.
So the reason I started is it was easy. But since then, with (OS X) Lion coming out, it’s caught up. Now it’s not any easier anymore. I either have to find something else that’s easier to work on — or whatever.

Do you like Apple products?
Yeah, I have an iPhone in my pocket right now. That’s another reason. If I use it, I want it to be secure. I don’t want Steve Jobs having a commercial saying it’s secure — I want it to actually be secure. That’s my job to figure out what’s secure and what’s not.

Currently, do you think Apple products are more secure than their counterparts?
(Apple) iOS is definitely more secure than Android. Lion is basically comparable to Windows 7. You can nitpick on those two, but they’re basically both really good.
Android is lacking a couple of features that iOS has, so it’s behind.

Do you have any security tips for iPhone users?
Make sure to set a passcode for it. Otherwise, if someone picks up the phone, there’s nothing there. So set a passcode. It’s not going to protect it forever, but at least it’s some barrier for some kid that picks it up.
Don’t jailbreak your phone if you care about the security of it — because that breaks all of the security. Make sure to configure for remote “locate and wipe,” so if you lose it you can either find it or blow away all of your data on it.

How long is your mobile password?
It’s four digits, which Dino (fellow Apple hacker Dino Dai Zovi) showed in his talk you can break in 18 minutes. So if I don’t get my phone back in 18 minutes I’m in trouble. I’ve tried longer ones, but it’s just impractical. I couldn’t stick with it.

How did you get into hacking in the very beginning?
I’ve been into computers and thought hacking was cool. I got my Ph.D. in math from Notre Dame and I got hired by the NSA (National Security Agency) to be a cryptographer. But when I got there, I didn’t really like that, so they had a training program in computer security, so I learned the basics of my training there in an internship.

Where do you do your work?
At my house. I work out of my house. I’m a consultant. I spend half my time doing consultant work and the rest of my time doing research — like this kind of stuff.

Where do you live?
St. Louis.

How long did it take you to do the battery hack?
It took about seven months — it took a really long time. Most of my research projects are like two weeks, or a month or something. But this one was so far from my comfort zone, and there had been so little written about it that it really took a long time.
So basically you’re giving away information about how to break things in an effort to make it more secure. Some people might be confused by that.
I mean, people think that — like with my battery thing — that if people didn’t talk about this, no one would have ever found out about it. And that’s just not the case.
No matter what we talk about here, there’s always bad guys — or guys who are trying to do this to make money — that are just as smart as us. And there are way more of them.
All we can do is present to everyone what we know. You can’t defend against something you don’t know.

Do you feel paranoid using Apple products knowing how many flaws you’ve been able to find in them?
A little bit. But they’ve gotten so much better. Like the iPhone. For the first year, when the iPhone came out, it was horrible. It was awful. It had no security in it, basically — at all. And then when the second iPhone came out it was much better. And since March it’s had basically every feature a security guy would want.
It’s not just me. I think it’s everyone saying they want more secure devices.

Do you work with Apple?
Not exactly. I have a cordial relationship with them. I shared with them my paper on the battery stuff like three weeks before the talk. But then again, if they would have told me not to do it I would have said, “Go to hell.” I don’t want to be their adversary. I want to have them fix stuff — and I want them to get better. I try to share with them.

Are they working on this battery thing?
Unfortunately, there’s not a lot they can do except start again and get it right.

Have hackers ever targeted you?
If they have, I haven’t caught ‘em.
I’d be pretty easy to hack, I think. I don’t practice the best security myself. I’m impatient. So anytime security is going to add a lot of hassle I’m not going to do it.
I’m the cobbler whose kids have no shoes or whatever. And everyone knows exactly the software I use, the hardware I have, so it probably wouldn’t be that hard.
I just try to be a really nice guy so no one wants to go after me.

So, are you anymore scared than you were before reading the transcript above?

Popularity: 10%

The Top 5 Facebook Hacks, Attacks and Scams You Need to Know About

facebook-security-hacks-scams-attacksLately myself, along with upwards of over 500 million people, have used Facebook and spent a bit too much time on it attempting to tweak settings so we do not become the next victim of a new Facebook scam. Little did we know, all we had to do was know about the top 5 Facebook hacks, attacks and scams so we could avoid them.

Recently I have noticed that it seems to be an abundance of scam links on Facebook not only from bogus accounts, but from my very own Facebook friends. In looking into some of these scams I have found out that the majority of them are composed of some type of enticing link or one that appears to offer a video of a woman in a bikini. Sure, I don’t mind perusing a nice looking female specimen every once in a while but not at the expense of sharing the same link with every friend I have on Facebook and compromising my personal information. Unfortunately, that is exactly what is happening in one of my top 5 Facebook hacks, attacks and scams that you need to know about.

Facebook is a great place and the only social network that connects so many people from around the world. Facebook over the course of 2 years has done wonders in improving privacy and basically giving the user more settings than the space shuttle. Every Facebook user must, however, learn about some of the most common scams and attacks usually rendered by hackers over the internet. These attacks can range from a simple link to a rogue Facebook application designed to steal personal data.

Here are the Top 5 Facebook Hacks, Attacks and Scams You Need to Know About

#1 Clickjacking: This is a process that has become very popular on Facebook where an enticing, eye-catching, too-good to be true link is posted on someone’s profile asking that you copy and paste it to your web browser or click on it to view. After doing so, the user’s Facebook wall is then populated with the same link which essentially spreads it to all of their Friends luring them to click on the same link. Ultimately, clickjacking could allow a hacker to gain access to a user’s Facebook account.

#2 Fake Questionnaires or Polls: Facebook has recently implemented a polling system that allows users to post a poll full of questions that they choose and share it with their friends. Unfortunatly there has been an onslaught of fake polls and questionnaires circulating Facebook. These fake polls sometimes redirect users to pages outside of Facebook were they can act as a Phishing site designed to steal personal information. Furthermore, these fake polls could lead to malware laden sites that offer quizzes and online games that could prove to be harmful to a PC.

#3 Fake Friend requests: Let’s face it; some people on Facebook do not have much of a life outside of their computer screen. For those who fall into this virtual trap, hackers are seeking them out by sending friend requests for the purpose of extracting data from the Facebook user. If a Facebook user’s privacy settings are set to block non-friends, then by requesting to be a friend will bypass that feature provided the user on the other end accepts the friend request. It is best to only accept friend requests from people that you actually know instead of a stranger.

#4 Fake Facebook Pages Spam: There is an abundance of fake page profiles setup on Facebook that are usually headlined with some type of feature that is not offered by Facebook such as a ‘Dislike button’ feature. These fake pages are usually created by hackers who look to steal personal information from users after they either LIKE the page or choose to ‘attend’ a page’s newly created event. .

#5 Rogue Applications: Fake Facebook apps have been a growing problem since the conception of apps on Facebook. It is already bad enough that Facebook apps have access to obtain personal information from your Facebook profile. Rogue apps takes it a step further by potentially posting bogus links to your wall or even reposting something personal about you. Anytime that a user chooses to use a Facebook app, they have to click Allow when the app requests initial permission to access information about you thus opening it up to pilfer your personal data.

What do you do to avoid Facebook attacks, scam and hacks? Will you continue to use Facebook in knowing that so much ‘bad stuff’ can happen?

The video below on how Facebook beefed up security in response to all of the daily scams circulating the largest social network in the world.

Popularity: 14%

Facebook Faces Privacy Failures and Backfires

facebook-privacy-issuesI use to think that Twitter had all lot of privacy issues but lately it seems Facebook has become king of privacy backfires.

If you use Facebook’s chat feature then you may have noticed that today it was down due to maintenance. Well, I had to find out what was going on because I like to chat with my geeky partners via facebook chat from time-to-time and low-and-behold, Facebook was fixing a security hole that allowed others to view pending friend requests and chat history of friends.

A few sources including TechCrunch posted this issue today along with a demonstration video below. Among other security issues that Facebook has had blow up in their face lately, are issues that lets people view others events that they are attending via Facebook’s Graph API. That’s right, any old Joe Schmo could go to http://zesty.ca/facebook/ and search for anyone and view upcoming events that a specific person has accepted to attend.

As more and more people join Facebook, currently over 400 million members, they will start to find other security holes. Remember, nothing online is full-proof. There is always a way for a hacker, or your friend, to get a-hold of personal information. If you post it online, then you better be sure that you do not mind sharing it with the world.

Popularity: 7%

Targeting Hackers via Google Earth: Mapping Spam and Malware Hackers

SophosLabs, a security company that gets all types of malware and spyware information from around the world, has used Google Earth to map out where the latest spam and malware campaigns have initiated. I have to say, this is quite an unusual way of putting Google Earth to use. I can never recall a time that I actually used Google Earth for something other than my own personal enjoyment.

The map below, although it may look rather gross or like a bunch of red ants crawling over European countries, is an actual representation of locations of zombie computers according to SophosLabs.

google-earth-mapping-malware-spam
photo credit: SophosLabs click for full-size image

I thought that this was worth sharing because SophosLabs took the effort to compile all of this data from other a years’ time to actually pinpoint the areas of zombie computers or those that have been taken over as a result from a malware or spyware infection. Usually these types of parasites are used to steal information from a computer arming hackers with enough data to log into computer user’s online banking accounts or even steal their personal identities. Crazy isn’t it?

SophosLabs even went as far as to create a video and upload it on YouTube demonstrating where spam comes from, mainly home machines located in UK and Europe. They even show examples of zooming into areas on the Google Earth map of where they suspect a piece of malware has originated from and then redirected to a website.

What do they do with all of this data? Who knows! Hopefully security companies can use this type of data to actually catch the perpetrators instead of notifying the public on where these hackers are located. Unless they plan on doing some house raids to confiscate the hackers’ computers, I really do not know how we will greatly benefit from this data right now. Nonetheless, this is pretty darn interesting.

Popularity: 10%