Hacker’s List: Personalizing the Enterprise of Hacking

In a recent article, the New York Times cast a spotlight on a new website called Hacker’s List, possibly a reference to the popular classified advertising site Craigslist. The website allows its clients to “Find professional hackers for hire.” Despite the use of the word “professional,” the types of jobs clients desire seem to be limited to relatively mundane, if illegal, activities. ZDNet gives several examples of job offers that were posted on the site, including the following:

$10-$350: Need some info and messages from a Facebook account. Other jobs to come if successful

$300-$600: I need a hacker to change my final grade, it should be done in a week.

$200-$300: Hack into a company email account. Copy all emails in that account. Give copies of the emails employer. Send spam emails confessing to lying and defamation of character to everyone in the email list.


An Update on Verizon’s UIDH Injection

In October last year, I posted a summary of phone carriers injecting unique identifiers into outgoing HTTP requests made by customers. From a privacy perspective, the main problem with this scheme is that it gives third parties such as advertising networks a way to uniquely identify their users without using cookies.

Recent developments show that this threat is not merely theoretical. John Mayer recently discovered

KeySweeper Claims the Ability to Eavesdrop on Microsoft Wireless Keyboards

Have you ever wondered whether you can trust the security of wireless keyboards? Samy Kamkar has released the schematic and source code for KeySweeper, a device that looks like a USB wall charger but claims the ability to intercept and decrypt all keystrokes from any Microsoft wireless keyboard in the area. If true, it would mean no Microsoft wireless keyboard is safe at the moment. The code is posted on GitHub, and according to Samy, a basic version of the device could be built for as little as $10. The device even features an internal battery, which means it could sniff keystrokes without even being plugged in.

French Law Enforcement Officers Told to “Erase Social Media Presence”

In the aftermath of the terrorist attacks in France, CNN is reporting that French law enforcement officers have been told to erase their social media presence and to carry weapons at all times. The article says that these instructions were given because “terror sleeper cells” have been activated, thus implying that the suggested actions are related to a threat to law enforcement.

Gogo Issues Fake HTTPS Certificates

A number of publications, including Ars Technica, have reported that Gogo is issuing fake HTTPS certificates to users visiting YouTube. HTTPS, when properly used, assures users that:

1. They are actually visiting the real site, YouTube in this case.

2. The communications between the visitor and the site, including passwords and cookies, are encrypted.

Ars Technica shows a screenshot of the fake certificate. It clearly shows that the issuer is Gogo rather than a Certificate Authority (CA) that the browser trusts; hence, the pop-up warning. Unfortunately,