With $3.14159 million in prize money at stake, Google’s Chrome OS has withstood attempts to hack it in the company’s semi-annual Pwnium contest in Vancouver, a Google spokeswoman told The Security Ledger. In a statement Thursday, Google spokeswoman Jessica Kositz said that the company did not receive any winning entries during the day-long contest, but that the company is evaluating work that may qualify for a partial prize: a potentially infinite series of Google Wallet transfers in the amounts: $1 followed by $.50 followed by $.25 followed by $.125 and so on. OK – We made that last part up. Pwnium runs alongside the better known pwn2own contest at CanSecWest. This year, Google is providing funding for both contests. However, in 2012 the company pulled its support for pwn2own, objecting to the lack of a requirement of “responsible disclosure” – in which entrants must disclose the details of their exploits to the […]
Web
Evernote Denies Java Exploit Used In Hack
The online storage and productivity service Evernote said that it does not believe that the hack of its network that exposed information on 50 million users relied on an exploit of a Java vulnerability, as did recent attacks on Twitter and Facebook. In an e-mail response to questions from The Security Ledger about the hack, Ronda Scott, an Evernote spokeswoman, said that the firm does not believe that the hack used the Java exploit attributed to the other attacks, but said it was still investigating the incident. “It’s premature for us to comment on the methods used, the specific systems affected and/or origin and motivation,” she wrote. She said the company first became aware of the “unusual and potentially malicious” activity within its online service on February 28 and began notifying Evernote users of the need to reset their password the next day, March 1st. Scott maintained that Evernote hasn’t […]
EverNote Latest Site Hacked In Coordinated Attack
The online personal and business productivity service Evernote.com said on Saturday that it is the victim of a hack that exposed encrypted user password information, forcing password resets across a broad swath of the service’s 50 million registered users. The Redwood City, California-based firm revealed in a blog post that its internal security team discovered “suspicious activity on the Evernote network” that “appears to have been a coordinated attempt to access secure areas of the Evernote Service.” The company said it sent password reset messages to its users as a “precaution” but didn’t believe that stored information in users’ accounts or payment information had been exposed. The hack is just the latest of a prominent online firm. In recent weeks, Twitter, Facebook, Apple and Microsoft have all reported compromises of their internal networks. Those intrusions were linked to attacks aimed at developers and relied on exploits of previously unknown “zero day” […]
Report Exposes Links Between Chinese Govt., Hacking Group
If you read one story today (besides this one, of course!) it should be The New York Times’ write-up of a just-released, 60-page report (PDF) on a Chinese hacking group known as APT1 by the security firm Mandiant. At a one level, the report doesn’t tell us anything we didn’t already know: APT1 is a professional, hacking crew that operates from within China and with the full knowledge and support of the Chinese Government. Most of us already suspected that. The report is worth reading for the depths of Mandiant’s research into APT \1 and the revelations of just how close the ties are to the Chinese government and, particularly, the People’s Liberation Army (PLA). Specifically: Mandiant is able to parse the findings of around 150 intrusions it has analyzed that are attributable to APT 1 – which is probably some small fraction of all the attacks the group has carried out. […]
Are Mobile App Developers Prey In A Massive Watering Hole Attack?
Say you’re a “bad guy” and what you really want to do is compromise the systems of some high value targets – like software developers working a prominent, Silicon Valley firms like Facebook and Twitter. Breaking through the front door isn’t easy – these companies mostly have the technology chops to protect their networks and employees. Phishing e-mails are also a tough sell: the developer community is heavy on Apple Mac systems and – besides – application developers might be harder to phish than your average Fortune 500 executive. A better approach might be to let your prey come to you – attacking them passively by gaining control of a trusted third party web site – a so-called “watering hole.” That’s a scenario that has played out in a number of recent, high profile attacks, such as the so-called “VoHo” attacks documented by Symantec and RSA. It may also be […]
