Apparently all that it took to terrify many dutch iPhone users was a “trivial” port scanning technique and “a modicum of networking know-how”. After the hacker gained access to the jailbroken phones with unchanged root passwords, he sent the pictured message which led to a demand for a €5 ($8) PayPal payment and words of caution:

If you don’t pay, it’s fine by me, but remember, the way I got access to your iPhone can be used by thousands of others-they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It’s just my advice to secure your phone.

This particular gentleman was almost kind. He didn’t inflict any serious harm, only demanded a small optional payment and limited his activity to the Netherlands. Whoever learns from his approach might not be as nice. The lesson, my darlings? Change your root passwords if you’ve got a jailbroken iPhone. I finally did. [Ars Technica]

Yes, McKinnon should pay for his crime somehow, he did break the law after all, but to pay to close security gaps he exposed while omitting the crime is a bit unreasonable. I’m happy that the ridiculous damages bill is being challenged by experts, because as Peter Sommer, professor of security at the London School of Economics, put it:

Damage assessments of computer security breaches should consider “whether the victims have taken reasonable steps to limit the damage”.

According to what we’re seeing about this series of intrusions, they would’ve been preventable, had Uncle Sam’s security experts been on the ball. So really, they should be paying McKinnon a consultation fee for pointing out the security gaps in the first place. [Computer Weekly via Slashdot]

“They can’t seem to secure my account,” Mitnick told The Register. “And then instead of doing something about it, they try to kill the messenger and want to boot me off their network when all I want them to do is to secure my account so no one gets access to my phone records.”

Mitnick said the cellular account has been repeatedly breached over the years, despite a wide range of countermeasures he’s followed to prevent the attacks. In recent years, he’s committed the password to memory and has deliberately not shared it with anyone or kept it stored on a computer. …

“There are so many ways into these networks,” he said. “They have to take some responsibility, not just silence the people that are filing complaints.”

An AT&T spokeswoman didn’t immediately have a comment. She said she would have to check whether customer passwords are encrypted when stored on AT&T servers.

Oh, how comforting! Nice to know security is AT&T’s top priority.

Update: And here’s AT&T’s response:

We investigated Mr. Mitnick’s claims and determined they were without any foundation. We refused Mr. Mitnick’s demands for money, but did offer to let him out of his contractual obligations so that he could find a carrier that he would be comfortable with.

We require that any systems containing sensitive information regarding passwords encrypt the data. In addition, we send reminders to our customers explaining the importance of using complex, hard to guess passwords and changing them frequently.

Good to know about encrypted passwords, but what’s this about demands for money? They didn’t even really address the main issue here. [The Register via Boing Boing Gadgets]

The flaw involves invisible SMS bursts that allow hackers to gain total control over your phone. The two dudes who discovered it plan on unveiling it at the Black Hat conference on Thursday. They say they told Apple about it a month ago, but nothing’s been done.

So how do you prevent your phone from being hijacked? Well, if you get a text containing only a single square character, turn your phone off. Fast.

Hey Apple, wanna fix this please? That’d be great. Thanks. [Forbes]

The move isn’t so much about catching criminals as it is a pre-emptive strike, by trying to educate people that their networks are unsecure, they can potentially close up the network and make it harder for criminals to log on.

The big question here is that it’s easy for someone to find out if a network is unsecured, but if the Queensland police are testing to see if the network still has a default password enabled (which is just as easy for a hacker to bypass, obviously), then wouldn’t they need to connect to the network in question to find that out? And when they do that, aren’t they then breaking the very law they’re trying to protect?

Still, I guess we can only wait and see how well this whole thing plays out…

(UPDATE: It’s come to my attention that the story was originally broken by Brett Winterford at ITNews. Without going on a tirade as to how newspapers are dying because they refuse to adapt to the net and credit their news sources, I’ve updated the post to acknowledge the original article.)

[ITNews]

The technique is a form of keylogging, which is nothing new, but in an interesting twist hackers have figured out a non-traditional way to replicate the process using nothing but the electric signals created with each keystroke. Oh, and even if you aren’t plugged into a socket, they they can still log keystrokes remotely using a laser.

Called the “power-line exploit,” the two-part technique is outlined in a Network World article ominously headlined “How to use electrical outlets and cheap lasers to steal data,” and will be but one of several nefarious data-stealing methods on display at Black Hat USA 2009 in Las Vegas later this month.

Network World explains:

In the power-line exploit, the attacker grabs the keyboard signals that are generated by hitting keys. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical system feeding the computer. Bit streams generated by the keyboards that indicate what keys have been struck create voltage fluctuations in the grounds.

[If the laptop is unplugged], attackers point a cheap laser, slightly better than what is used in laser pointers, at a shiny part of a laptop or even an object on the table with the laptop. A receiver is aligned to capture the reflected light beam and the modulations that are caused by the vibrations resulting from striking the keys.

Which is precisely why I blog and work in a Faraday cage. In my underwear with stains on my shirt, naturally, as Best Buy revealed earlier. [Network World via CrunchGear]

Moss, also known as Dark Tangent, founded both the DefCon and Black Hat hacker conferences in addition to legit security work—most notably at Ernst and Young, one of those giant corporations that provides auditors, attorneys, brokers, designers, and lots more to other companies. He’s a sort of godfather of hackers, a pioneer who uses his underground skills in mostly above-ground ways.

As the Obama administration has been placing a heavier focus on cybersecurity, it’s an extremely smart move to ask one of the world’s foremost professional hackers to assist on the Department of Homeland Security Advisory Council. He’s got enough expertise to really be able to offer some help, but he’s also not a dangerous hacker—one analyst called him “as corporate as hiring someone out of Microsoft,” meaning that for the hacking world, Moss is hardly a loose cannon. But that’s exactly why it’s also a smart political choice. Picking a hacker seems like an edgy choice, but Moss is a guy who’s worked for Fortune 500 companies, not someone who’s working in his basement to bring down the power grid.

We’re looking forward to seeing cybersecurity finally advance, and this kind of guy is just what we need to get ourselves back on track. [CNET]

What happens when you put a hacker in camouflage? He only grows more deadly.

The NYT published an interesting piece categorising the new role of cadets from West Point as digital information sabotage—scenarios like mailbombs flooding email servers in hot zones —becomes a worrisome daily hurdle in a war.

During a senior elective class at West Point, the cadets competed with the Navy, Air Force, Coast Guard and Merchant Marine to thwart attacks from the N.S.A. The students went so far as to hang a sign reading “Information Warfare Live Fire Range” outside their class.

In other words, military dudes can now pwn your arse in analogue and digital. [NYT]