What has been reported as hacked/ Tech Thread

Discussion in 'General Discussion' started by ravenanon, Jul 22, 2015.

  1. ravenanon Member

    This is not a how to hack! WWP is not about how to hack and break the law and go to jail, but it would be ridiculous not to have some sort of thread listing out what has been compromised. This is for safety reasons.

    Please do not turn this thread into the standard mac vs windows vs Linux argument thread. If we want to have something like that go start one.

    This grabbed my attention today. Mainly because I do not use apps and so I can mock everyone else who does when this sort of thing happens.

    • Like Like x 6
  2. Disambiguation Global Moderator

    • Like Like x 3
  3. Hedorah Global Moderator

    Several people have said this is a good resource. I have not decided yet

    I would not trust the fb anything
    • Like Like x 3
  4. Bad old Admins

  5. ravenanon Member (The State of Security | Tripwire, Inc.)

    • Like Like x 2
  6. Hedorah Global Moderator

    a bit off topic, but still computer/net related. Most importantly it is hysterical

    • Like Like x 3
  7. ravenanon Member

    I could read tripwire all day

    Why does Link always suck (The State of Security | Tripwire, Inc.)

    • Like Like x 1
  8. ravenanon Member

    So much bad code is being written.

    • Like Like x 1
  9. ravenanon Member

    Antivirus is for mortals.

    • Like Like x 1
  10. Disambiguation Global Moderator

    • Like Like x 2
  11. A.O.T.F Member

    How to Configure Windows 10 to Protect Your Privacy


    When you first get a new Windows computer (or set up an old one), you might be focused on downloading your favorite apps and transferring your files. This is also a good time to configure your machine to protect your privacy.

    We all need to protect our private data. Whether you’re carrying sensitive work files, sensitive pictures, or just your passwords, there’s certain information you don’t want other people to have. When you’re first setting up a computer, you’re establishing the habits you’re going to use the entire time you have that machine. Rather than wait to care about your privacy later, it’s better to get started on the right foot.

    First, a disclaimer: with Windows 10 coming out at the end of the month, we decided it’s best to write this guide as it pertains to Windows 10. Many of these settings, where applicable, still exist in Windows 8, but they may be in a different location or have slightly different names. In fact, even in the newest versions, settings are often duplicated in multiple places within the OS, but we’ll cover it the best we can.

    It’s also worth mentioning that Windows still allows you to install any app you want. Once they’re installed, those apps can do pretty much anything. Locking down your privacy in Windows won’t do much if you install other apps that can still read your data.

    Start with a Clean Install, Even If You Bought Your Computer New

    Continued -
    • Like Like x 1
  12. The Wrong Guy Member

    Hacker-friendly Chrysler hauled into court for class-action showdown | The Register


    Chrysler released a firmware update to address the remote-control vulnerability, which triggered today's class-action lawsuit. It was brought to court by Brian Flynn, and husband and wife duo George and Kelly Brown. Flynn, of Belleville, Illinois, owns a 2014 Jeep Grand Cherokee, as do the Browns, of Pacific, Missouri. The Cherokee is included in the mass recall.

    The trio's legal eagles claim the distribution of the security software update was flawed. Car owners download the patch via HTTP, and not secure HTTPS, which leaves the code vulnerable to tampering by man-in-the-middle attackers, the filing claims.

    The key to a civil damages case is proving harm, and since no one has been hacked, such a claim should be hard to prove. So the lawyers are working on the idea that the affected vehicles are now worth less than they should be because of the flaw, and are seeking recompense – at least $50,000 per affected owner.

    The only problem with this is that the hack demonstrated by Miller and Valasek is now impossible to exploit. At their Black Hat presentation on Wednesday (which was standing room only), the dynamic duo explained that the hack was possible thanks to an open IP port on the uConnect equipment in the cars.

    Port 6667 was reachable from the public internet via the car's uConnect cellular system, which piggybacks on Sprint's network: accessing that port would allow you to control the car's systems without authentication. You'd just need to know the vehicle's public IP address.

    The telco has now locked down its network, firewalling off access to that port, so drivers needn't worry about it – but should still install the patch anyway.
    • Like Like x 2
  13. A.O.T.F Member


    It certainly does now give credibility to the way in which Michael Hastings exited this world.
  14. A.O.T.F Member

    Hactivists aren’t terrorists – but US prosecutors make little distinction

    Activists who use technology to conduct political dissent – hacktivists – are increasingly threatened with investigation, prosecution and often disproportionately severe criminal sentences.

    For example, in January 2015 self-proclaimed Anonymous spokesman Barrett Brown was sentenced to 63 months in prison for hacking-related activities including linking to leaked material online. Edward Snowden is currently exiled in Russia after leaking the global surveillance operations of the NSA and GCHQ.

    Prosecutions of hacktivists intensified in 2013, when Andrew “weev” Auernheimer was sentenced to 41 months after exposing a vulnerability that affected 114,000 iPad users on AT&T’s service.

    Jeremy Hammond was sentenced to 10 years in federal prison after hacking and releasing documents about military subcontractor Stratfor. Aaron Swartz, who was facing a prison sentence of 25 years after hacking into JSTOR – a database of academic articles – committed suicide in January of that year. Chelsea Manning leaked secret military documents to Wikileaks and was sentenced to 35 years imprisonment in August.

    Long arm of the law is getting longer

    While these are US citizens subject to US laws and punishments, the Obama administration has recently indicated that it will also aggressively pursue hackers located overseas for alleged criminal activities.

    So in July 2015, British hacktivist Lauri Love was re-arrested under a US warrant for violating the Computer Misuse Act. His case, like those mentioned above, illustrates the remarkable steps the US government will undertake in the pursuit and prosecution of hackers.

    In 2013 the US District Court for New Jersey issued an indictment against Love, charging him with hacking into the US Missile Defense Agency, NASA, the Environmental Protection Agency and other government departments. The US Attorney’s Office for the Southern District of New York claims Love stole the sensitive personal information including emails of Federal Reserve employees.

    The leaked Federal Reserve emails may have been part of Operation Last Resort, an Anonymous project to avenge the death of Swartz, which they linked to prosecutorial harassment and the over-zealous enforcement of outdated computer crime laws.

    Like all major Anonymous operations, Operation Last Resort was a visual spectacle, including hijacking an MIT website to put up a Swartz tribute, releasing the names and contact information of 4,000 banking executives, and hacking the US Sentencing Commission website.

    Continued -
    • Like Like x 1
  15. A.O.T.F Member

  16. A.O.T.F Member

  17. A.O.T.F Member

    Windows 10 sends data to Microsoft, despite of privacy setting set not to


    Windows 10 snooping and reporting back to Microsoft servers even if privacy settings are enabled

    Seems like Windows 10 users have huge privacy headache on their hands. We had earlier reported that Microsoft EULA has some serious and ambiguous privacy related clauses but this one takes the cake. It seems that even after the user disable information sharing, Windows 10 continues to snoop and report back to Redmond.

    Continued -
    • Like Like x 2
  18. A.O.T.F Member

    The Lifecycle of a Revolution (Keynote)

    Published on Aug 10, 2015
    by Jennifer Granick

    In the early days of the public internet, we believed that we were helping build something totally new, a world that would leave behind the shackles of age, of race, of gender, of class, even of law.

    Twenty years on, "cyberspace" looks a lot less revolutionary than it once did. Hackers have become information security professionals. Racism and sexism have proven resilient enough to thrive in the digital world.

    Big companies are getting even bigger, and the decisions corporations -- not just governments -- make about security, privacy, and free speech affect hundreds of thousands, or millions, of people. The Four Horsemen of the Infocalypse -- terrorists, pedophiles, drug dealers, and money launderers -- are driving online policy as governments around the world are getting more deeply involved in the business of regulating the network.

    Meanwhile, the Next Billion Internet Users are going to connect from Asia and developing countries without a Bill of Rights. Centralization, Regulation, and Globalization are the key words, and over the next twenty years, we'll see these forces change digital networks and information security as we know it today. So where does that leave security, openness, innovation, and freedom?

    The Digital Millennium Copyright Act is being used to weld the hood of cars shut to keep engine software safe from mechanics. Will we still have the Freedom to Tinker even in the oldest of technologies?

    What does it mean that the U.S. is a big player in the zero-day market even as international agreements seek to regulate exploit code and surveillance tools? Will we see liability for insecure software and what does that mean for open source?

    With advances in artificial intelligence that will decide who gets run over, who gets a loan, who gets a job, how far off can legal liability regimes for robots, drones, and even algorithms be? Is the global Internet headed for history's dustbin, and what does a balkanized network mean for security, for civil rights?

    • Like Like x 1
  19. A.O.T.F Member

    The End of the Internet Dream: the speech that won Black Hat (and Defcon)

    By Cory Doctorow at 8:08 am Tue, Aug 18, 2015


    "The End of the Internet Dream," cyberlawyer Jennifer Granick's keynote at Black Hat, was all anyone could talk about at this year's Defcon -- Black Hat being the grown-up, buttoned-down, military-industrial cousin to Defcon's wild and exuberant anarchy.

    The text of Granick's speech is now online, and I can see what they were all raving about. Granick tells the true story of "Internet Utopians" -- not people who believed the Internet would deliver a better, freer world; rather, people who believed that it could, if the rest of us fought for it.

    She also tells the tale of how that dream was dashed by giving in to cybersecurity scaremongering, copyright bullying, easy answers to difficult speech, unexamined racism and sexism, and the global war on terror. How governments, companies and our complacency all but killed the dream of the Internet as a force for improving the world.

    But she also provides a prescription for changing that -- hope that we can avert that future, and that therefore, we must.

    If you wondered why I went back to EFF after a decade of sitting on the sidelines, this is why.

    Continued -
    • Like Like x 2
  20. The Wrong Guy Member

    How Hacktivists Will Break Corporate Control of Information Within a Decade

    Sci-fi author and information rights activist Cory Doctorow appeared out of the dusty heat of the 2015 Burning Man in a gray jumpsuit and a pair of Adbusters Black Spot sneakers. In his hand he held a small black moleskin, which he glanced at intermittently while delivering an electrifying, albeit head-spinning talk on the future of the Internet of Things.

    Doctorow, who recently re-joined the Electronic Frontier Foundation (EFF), contextualized the Internet of Things as an information rights struggle that requires an end to patent laws that forbid jailbreaking digital locks. Concordantly, he and the EFF have an ambitious plan: To dismantle the draconian Digital Rights Management (DRM) laws currently protected by the DMCA Section 1201. Doctorow and the EFF seek to counter this oppressive legislation with the Apollo 1201 initiative, by which they will strategically pick cases that can clearly demonstrate Congress violated the Constitution when it passed the Digital Millennium Copyright Act (DMCA) in 1998.

    Continued here:
    • Like Like x 2
  21. The Wrong Guy Member

    Ker-Ching: One Group of Hackers Was Apparently Making $30 Million a Year | Motherboard

    Even the biggest fish in cybercrime have to raise their eyebrows at this one: Security researchers say they’ve found proof that a hacker or group of hackers is making $30 million a year from their operation.

    Cybersecurity company Cisco announced today that it had traced use of the Angler exploit kit, a notoriously effective and popular tool for hacking into computers, to servers belonging to hosting provider Limestone Networks. After some more digging, joined by researchers from Level 3 Threat Research Labs and OpenDNS, Cisco's researchers estimated that one hacker or group of hackers using these servers is targeting up to 90,000 victims a day.

    Cisco got to the $30 million figure by building on a few other estimates:
    • The average life of an Angler server is 24 hours.
    • They worked out that there were likely around 3600 compromised users per day.
    • Most users are targeted by ransomware, and on average have to pay $300 to the hackers.
    In all, they tally up this particular actor's winnings to an annual revenue of more than $34 million. Again, it's worth remembering that these figures are only Cisco's estimates, and there is no way to immediately independently verify their results. Indeed, Cisco note that “It is difficult to be 100% accurate with these numbers.”

    They also claim that this hacker or group likely makes up 50 percent of all Angler activity, meaning that, supposedly, the Angler exploit kit might be bringing in around $60 million a year for hackers around the world.

    Limestone Networks have apparently shut down the offending servers.

    Continued here:
    • Like Like x 2
  22. Hedorah Global Moderator

    • Like Like x 1
  23. A.O.T.F Member

    Chaos Communication Congress: A Very German Hacking Conference

    Written by Joseph Cox
    January 25, 2016 // 09:30 AM EST


    Mime artists lounge on the carpeted staircases, hundreds of tables littered with laptops stretch throughout various halls, and one man lies fully dressed and face down in a squatter's mattress, burnt out from the previous night of ferociously hitting keyboards.

    Members of dozens of Chaos Computer Club (CCC) chapters spread around Germany, along with attendees from all over the world, have descended on Hamburg for four days of hacking, debating, lectures, and drinking Club Mate.

    This is the Chaos Communication Congress, the CCC's annual arts, politics, and security conference, built by an over-thousand strong volunteer army.

    “Nobody gets a cent for anything,” Linus Neumann, a CCC spokesperson, told me in a Berlin cafe before the Congress. Whether that's the people filming the talks, the guides making sure that broadcast media don't point cameras at people without their permission, the trained first-aiders who can respond to accidents, or the guys running the cloakroom and checking people's wristbands as they enter the conference, nobody gets paid, and they often buy a ticket for the event themselves to support it.

    Tim Pritlove, a long time CCC member and former Congress organiser, doesn't think of it as simply working without pay though.

    “It's not really for free. I really think you can't look at this like that: because it's not work,” he said over coffee at the most recent Congress. “It's their event: they own it. It's built into their DNA and they can't really live without it.”

    Continued -
    • Like Like x 1
  24. ravenanon Member

  25. A.O.T.F Member

    Oh the sneaky motherfuckers!

    UCOP (University of California, Office of the President ) Ordered Spyware Installed on UC Data Networks

    The San Francisco Chronicle has coverage of an issue that has been circulating on faculty email networks at UC Berkeley for a few days. The piece, "Cal professors fear UC bosses will snoop on them," is behind a paywall.

    The first sentence reads, "UC Berkeley faculty members are buzzing over news that University of California President Janet Napolitano ordered the installation of computer hardware capable of monitoring all e-mails going in and out of the UC system." UC's Chief Operating Officer says that UC policy “forbids the university from using such data for nonsecurity purposes.”

    UC Berkeley's Senate chair replies, "What has upset a lot of the faculty was that the surveillance was put in place without consulting the faculty.

    In fact, the people installing the system were under strict instructions not to reveal it was taking place." On the blog's Facebook page, we've had some debate about how new this capability is, with some faculty from various universities saying they've always assumed their university email could be monitored at any time, and others saying this is a new level of intrusion.
    Here are two communications from UC Berkeley faculty, one about how faculty there came to know about the program, and the other a timeline of events.
    EMAIL 1: January 28, 2016:
    In recent weeks The Senate-Administration Joint Committee on Campus Information Technology (JCCIT) has learned that UCOP installed hardware on the campus network designed to monitor and possibly record all network traffic coming or going to the campus.

    This secret monitoring is on-going.

    UCOP would like these facts to remain secret. However, the tenured faculty on the JCCIT are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.

    Some salient facts:

    - The UCOP had this hardware installed last summer.

    - They did so over the objections of our campus IT and security experts.

    Continued -
    • Like Like x 1
  26. The Internet Member

    That UC Berkeley story is very interesting. Seems like a lot of effort having to defend against "Advanced Persistent Threat" agents constantly.

    I wonder, if we had reliable strong encryption combined with distributed storage so that no single hard drive would be of use to anyone, would we save a lot of what we spend on security right now?

    At least, I would think, we could escape the fear that our boss is reading our emails, provided we aren't saving a local unencrypted copy.
    • Like Like x 1
  27. Hedorah Global Moderator

    The majority of my computer news feed has been full of ransomware bs

    However, this looked of interest

    "A Decade of Exploit Database Data
    May 2, 2016 | Offensive Security
    Managing the Exploit Database is one of those ongoing tasks that ends up taking a significant amount of time and often, we don’t take the time to step back and look at the trends as they occur over time. Have there been more exploits over the years? Perhaps fewer? Is there a shift in platforms being targeted? Has the bar for exploits indeed been raised with the increase in more secure operating system protections?
    Recently, one of our users reached out to us and showed us a great dashboard he created with Tableau using the publicly available CSV file we publish in our Exploit Database GitHub repository. We really liked this idea a lot and decided to run with it and see what kind of questions we could ask and answer with the available data. What makes these dashboards particularly useful is that they are not simply static displays; you can interact with them like the one below."

    Graph and more on the site

  28. The Wrong Guy Member

    Ransomware creep accidentally hijacks San Francisco Muni, won't give it back | Boing Boing

    A ransomware criminal's self-reproducing malicious software spread through a critical network used by the San Francisco light rail system, AKA the Muni, and shut it down; the anonymous criminal -- -- says they won't give it back until they get paid.

    Alleged Muni ‘hacker’ demands $73,000 ransom, some computers in stations restored | San Francisco Examiner

    Hackers Breached San Francisco’s Transit System and Demanded a Ransom | Slate

    San Francisco Metro System Hacked with Ransomware; Resulting in Free Rides | The Hacker News

    Hackers are holding San Francisco’s light-rail system for ransom | The Verge
  29. The Wrong Guy Member

    Destructive Hacks Strike Saudi Arabia, Posing Challenge to Trump | Bloomberg

    • Multiple attacks emanated from Iran, digital evidence suggests
    • Mid-November breaches wipe data at Saudi air authority, others

    State-sponsored hackers have conducted a series of destructive attacks on Saudi Arabia over the last two weeks, erasing data and wreaking havoc in the computer banks of the agency running the country’s airports and hitting five additional targets, according to two people familiar with an investigation into the breach.

    Saudi Arabia said after inquiries from Bloomberg News that “several” government agencies were targeted in attacks that came from outside the kingdom, according to state media. No further details were provided.

    Although a probe by Saudi authorities is still in its early stages, the people said digital evidence suggests the attacks emanated from Iran. That could present President-elect Donald Trump with a major national security challenge as he steps into the Oval Office.

    The use of offensive cyber weapons by a nation is relatively rare and the scale of the latest attacks could trigger a tit-for-tat cyber war in a region where capabilities have mushroomed ever since an attack on Saudi Aramco in 2012.

    Unlike the Aramco attack or the one by North Korea against Sony Pictures in 2014, the latest was perpetrated by detonating a cyber weapon inside the networks of several targets at once, the people said. Concerns over a broader campaign set off a search in computer networks throughout the Gulf for more traces of the digital bomb.

    No one was available to comment at the Iranian foreign ministry or at the Iranian presidency’s media relations department. Wednesday was a public holiday and Thursday is the start of the Iranian week-end.

    Continued at
  30. DeathHamster Member

    • Like Like x 1
  31. facebomb
  32. The Wrong Guy Member

    Yahoo: Did We Say 500 Million? Actually It Was 1 Billion Pwned | Motherboard


    2016 is definitely not the year of Yahoo. After admitting in September that hackers had stolen at least 500 million users' passwords and personal data, the company now says they found evidence of what might be a separate attack affecting 1 billion victims.

    “We believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft,” Yahoo’s head of security Bob Lord wrote in a blog post.

    Continued at
  33. The Wrong Guy Member

    Private details of 2.5 MILLION PlayStation and Xbox users are leaked in major hack
    • Two popular gaming forums 'XBOX360 ISO' and 'PSP ISO' were hacked
    • Account passwords, email addresses and IP addresses were all exposed
    • Forum users are advised to change all of their accounts' passwords
    • It remains unclear who was behind the original attacks

    Two popular gaming forums have been hacked, leaking the details of 2.5 million accounts globally. The hack breached forums 'XBOX360 ISO' and 'PSP ISO' in 2015 but details of the leak are only just coming to light.

    Gamers who have used the forum are being advised to change the password for all of their accounts. Email addresses, account passwords and IP addresses were all exposed by the hack. It is unclear who is behind the attacks but both forums were breached around the same time in September 2015.

    Continued at
  34. I'm waiting for the list of election and government sites that are hacked in Trump's campaign and government. The Cyber *shudder*
  35. The Wrong Guy Member

    Hackers are selling Yahoo data on the dark web | CNN


    The most recently revealed Yahoo hack is considered the largest data breach in history, and the saga just got worse.

    In 2013, more than one billion Yahoo (YHOO, Tech30) accounts were breached, and personal information like phone numbers, passwords, security questions and backup email addresses was stolen.

    All of that data is for sale on the dark web, according to cybersecurity firm InfoArmor, which discovered the compromised information in August. At the time, it was sold to three parties for $300,000 each. Data is still for sale, but now that the breach is public, the price is expected to drop.

    Continued at

    DOJ: 2 Russian spies indicted in Yahoo hack | CNN


    The Department of Justice announced Wednesday that four people -- including two officers of the Russian Federal Security Service (FSB) -- have been indicted in connection to a massive hack of Yahoo information.

    The hack, which the DOJ said was initiated in January 2014, affected at least 500 million Yahoo accounts. Some of the stolen information was used to "obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, US and Russian government officials and private-sector employees of financial, transportation and other companies," the DOJ said in a statement.

    Hackers stole data that included names, email addresses and passwords -- but not financial information, according to Yahoo's announcement regarding the breaches.

    The officers of the FSB -- Russia's successor to the Soviet Union's KGB -- were identified as Igor Anatolyevich Sushchin, 43, and Dmitry Aleksandrovich Dokuchaev, 33. The two allegedly conspired with Russian national Alexsey Alexseyevich Belan, aka "Magg," 29, and Karim Baratov, aka "Kay," "Karim Taloverov" and "Karim Akehmet Tokbergenov," 22, who is a resident of Canada.

    Dokuchaev was arrested in a Russian sweep in December and accused of spying for the US, a lawyer for one of the men charged with Dokuchaev said. A Justice Department official said the agency has not confirmed it is the same person and declined further comment to CNN.

    Baratov was arrested Tuesday morning "without incident" in Ancaster, Ontario, Toronto police spokesman Mark Pugash told CNN.

    "The criminal conduct at issue -- carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI's point of contact in Moscow on cybercrime matters -- is beyond the pale," acting Assistant Attorney General Mary McCord said at a news conference in Washington.

    Continued at
  36. DeathHamster Member

    A billion fossil accounts. There's no way Yahoo has that many users.
  37. The Wrong Guy Member

    Ex-Marriott Employee Busted Playing Robin Hood, Allegedly Hacked to Slash Room Rates | TMZ


    Marriott hotels got nailed by a disgruntled ex-employee who allegedly hacked into the reservation system and cut room rates to as little as $12 a night, costing the company big money.

    According to court docs, Marriott fired Juan Rodriguez last August, and must have had a hint he wouldn't go quietly because he was ordered to stay away from the company computer system.

    Several weeks later, he allegedly hacked Marriott's booking network to practically give rooms away. Prosecutors say he slashed rates on about 3,000 rooms from $159 - $499 per night to $12 - $59.

    Rodriguez got nabbed because the IP address he used for his remote access matched an IP address used at his NYC home, according to docs.

    Tons of people made out on the Robin Hood-esque maneuver. It ended up costing Marriott more than $50,000! Rodriguez was busted last week and hit with 3 felonies, including computer tampering and computer trespass.

  38. The Wrong Guy Member

    All Android Phones Vulnerable to Extremely Dangerous Full Device Takeover Attack


    Researchers have discovered a new attack, dubbed 'Cloak and Dagger', that works against all versions of Android, up to version 7.1.2.

    Cloak and Dagger attack allows hackers to silently take full control of your device and steal private data, including keystrokes, chats, device PIN, online account passwords, OTP passcode, and contacts.

    What's interesting about Cloak and Dagger attack?

    The attack doesn't exploit any vulnerability in Android ecosystem; instead, it abuses a pair of legitimate app permissions that is being widely used in popular applications to access certain features on an Android device.

    Researchers at Georgia Institute of Technology have discovered this attack, who successfully performed it on 20 people and none of them were able to detect any malicious activity.

    Continued at

    Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop


    Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.

    TL;DR — Main Takeaways
    • We uncover a series of vulnerabilities and design shortcomings affecting the Android UI.
    • These attacks abuse one or both of the SYSTEM_ALERT_WINDOW ("draw on top") and BIND_ACCESSIBILITY_SERVICE ("a11y").
    • If the malicious app is installed from the Play Store, the user is not notified about the permissions and she does not need to explicitly grant them for the attacks to succeed. In fact, in this scenario, "draw on top" is automatically granted, and this permission is enough to lure the user into unknowingly enabling a11y (through clickjacking).
    • The possible attacks include advanced clickjacking, unconstrained keystroke recording, stealthy phishing, the silent installation of a God-mode app (with all permissions enabled), and silent phone unlocking + arbitrary actions (while keeping the screen off). See the full list below.
    • These attacks are practical: we performed a user study (with 20 human subjects), and no user understood what happened.
    • Most of these attacks are due to design issues, and they are thus challenging to prevent. In fact, one may say that some of this functionality works "as intended"; nonetheless, this work shows that this functionality can be abused.
    • To date, all these attacks are still practical (see "Which versions of Android are affected" and "Responsible Disclosure" below).
    Continued at
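
An added example, not part of the post above or of the quoted Cloak & Dagger write-up: a defender-side audit that reads a decoded AndroidManifest.xml and reports whether an app combines the two permissions the write-up names, SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE. The function name, verdict labels and the three sample manifests (package names included) are constructed for illustration; the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

# Attributes in a decoded AndroidManifest.xml live in the android: namespace.
ANDROID = "{http://schemas.android.com/apk/res/android}"
DRAW_ON_TOP = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Intent action an accessibility service declares in its intent-filter.
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def audit_manifest(xml_text):
    """Report use of the 'draw on top' and a11y capabilities in one manifest.

    Hypothetical helper. For manifests taken from untrusted APKs, swap in a
    hardened XML parser (for example defusedxml) before parsing.
    """
    root = ET.fromstring(xml_text)

    # Permissions the app requests, including the API 23+ variant of the tag.
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID + "name")
            if name:
                requested.add(name)

    # An accessibility service is a <service> guarded by the a11y bind
    # permission and/or answering the accessibility intent action.
    a11y_services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if svc.get(ANDROID + "permission") == A11Y_BIND or A11Y_ACTION in actions:
            a11y_services.append(svc.get(ANDDROID_NAME := ANDROID + "name", "<unnamed>"))

    draw = DRAW_ON_TOP in requested
    if draw and a11y_services:
        verdict = "both"      # the combination the write-up is about
    elif draw or a11y_services:
        verdict = "one"       # a single capability; lower priority for review
    else:
        verdict = "none"
    return {
        "package": root.get("package"),
        "draw_on_top": draw,
        "a11y_services": a11y_services,
        "verdict": verdict,
    }


# Constructed sample manifests (not taken from any real app).
SAMPLE_BOTH = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

SAMPLE_A11Y_ONLY = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.screenreader">
  <application>
    <service android:name=".ReaderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

SAMPLE_NEITHER = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BOTH, SAMPLE_A11Y_ONLY, SAMPLE_NEITHER):
        print(audit_manifest(sample))
```

A "both" verdict is a prompt for manual review, not proof of abuse: legitimate apps also use each of these capabilities.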
  39. The Wrong Guy Member

    At least one US nuclear plant's computer system was hacked | ABC News


    Federal authorities were investigating a breach into computer systems of at least one U.S. nuclear power plant, sources familiar with the matter told ABC News.

    There was no evidence that any particularly sensitive or operational systems were breached. Instead, authorities believe only a less sensitive, business-associated side of systems was compromised in at least one breach detected over recent months.

    The breach was first reported by E&E News, which covers the energy and environment sectors.

    E&E noted the hack did not garner the attention of the public safety alert systems at the Nuclear Regulatory Commission or the International Atomic Energy Agency, which could be further evidence of a low-risk level associated with the breach.

    One U.S. official called this an "ongoing matter" that was still being investigated. No public word has been given on who may be responsible, but authorities were looking at the possibility that a nation-state may be behind the hack.

    It was unclear if the case is related in any way to other known cyberattacks.

