News Blog

Read all 'hacking' posts in News Blog
June 23, 2008 5:23 PM PDT

Hacker changes news releases on sheriff's Web site

by Elinor Mills

Someone hacked into the Web site for the San Bernardino County sheriff's office in California and changed the wording on several news releases, forcing the agency to shut down the site last week, according to the Daily Bulletin.

One news release warning motorists about a DUI checkpoint in the nearby town of Highland was changed to read that officials wanted to "stick our big government schnoz into your private business, check your papers, and be sure you are toeing the line."

Also modified was a news release earlier this month with information about the law that takes effect in July that forbids people from talking on their cell phones while driving.

"I don't think that it's a joke to them, but they certainly want to send a message to the readers that they don't always agree with laws being changed," says sheriff's spokeswoman Cindy Beavers.

May 29, 2008 8:48 AM PDT

Comcast home page hacked

by Marguerite Reardon

Comcast's Web portal has been hacked, leaving some subscribers unable to access their e-mail.

A company spokeswoman confirmed that the Comcast Web page had been hacked late on Wednesday. Subscribers who tried to access the site to check e-mail or access the company's official forums were greeted with this text instead:

The hackers apparently changed Comcast's registrar account at Network Solutions, which altered the DNS servers that were used to direct Comcast.net requests. In other words, the hackers essentially redirected traffic destined for the URL Comcast.net. Instead, the traffic went to IP addresses in Germany and elsewhere, reported the blog Broadband Reports.

Comcast has stopped the traffic from being redirected to bogus servers, but users were still having trouble accessing the page as of 11:30 a.m. EDT. The reason is that it could take hours for the redirected traffic to propagate through DNS servers throughout the Internet.

So far there is no indication that any of Comcast's customers' personal or private information has been jeopardized. But the incident serves as a reminder of how vulnerable users of Web e-mail can be. Security experts recommend that users change their passwords frequently. Ideally, people should change them once a week. If that seems too difficult, changing passwords once a month is still better than nothing. Experts also warn not to use birthdates, pet names or even family names as passwords. Instead, use mixed up letters and numbers.

March 14, 2008 8:14 AM PDT

Trend Micro's Web site hacked in massive attack

by Martin LaMonica

Security vendor Trend Micro's Web site was hacked earlier this week in an attack that spread to hundreds of other sites, according to an InfoWorld report.

The malicious code tries to embed software that steals passwords from users as they visit Web sites, according to the report.

Trend Micro discovered the attack on Wednesday and took steps to shut it down. It affected about 20,000 Web pages written with Microsoft's Active Server Pages Web development software. According to Trend Micro:

(A similar previous) attack seems to have started more than a week ago, and nearly 200,000 Web pages have been found to be compromised, most of which are running phpBB. This contrasts (Wednesday's) attack in that the vast majority of those were active server pages (.ASP). The ASP attacks are different than the phpBB ones in that the payload and method are quite different. Various exploits are used in the ASP attacks, where the phpBB ones rely on social engineering. phpBB mass hacks have occurred in the past, including those done by the Perl/Santy.worm back in 2004.

Trend Micro also provided a video demonstration of what the attack looks like from the end user's perspective.

March 7, 2008 4:26 PM PST

5,000 MTV Networks' employees potentially affected by breach

by Greg Sandoval

Someone apparently hacked into a computer belonging to an employee of MTV Networks and possibly gained access to names, birth dates, social security numbers and compensation data of 5,000 employees.

MTV Networks, a unit of media conglomerate Viacom, notified employees of the security compromise on Friday and said that while the computer files pertaining to employees' private information were password protected, the company can't be sure they haven't been opened.

"Once we learned of the incident, we immediately launched an internal investigation," the company said in a statement. "We ... contacted appropriate law enforcement authorities, who have begun a criminal investigation."

The company apologized to employees and provided phone numbers to credit-monitoring services to help protect them from identity theft.

March 3, 2008 9:02 AM PST

Security researchers to unveil pacemaker, medical implant hacks

by Chris Soghoian

A team of respected security researchers known for their work hacking RFID radio chips have turned their attention to pacemakers and implantable cardiac defibrillators.

The researchers will present their paper, "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," during the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy, one of the most prestigious conferences for the computer security field.

The authors of the paper are listed as: Shane S. Clark, Benessa Defend, Daniel Halperin, Thomas S. Heydt-Benjamin, Will Morgan, Benjamin Ransford, Kevin Fu, Tadayoshi Kohno, William H. Maisel.

Kevin Fu, an assistant professor at the University of Massachusetts Amherst, along with two graduate students who worked on the project, all gained significant attention for their past work in attacking RFID-based credit cards and RFID (radio frequency identification) transit payment tokens.

Kohno, a professor at the University of Washington, was the subject of worldwide media coverage for his work in exposing flaws in Diebold voting machines back in 2003, and then later for finding major privacy flaws in the RFID-based Nike+iPod Sport Kit.

Shocking stuff

When contacted by e-mail, Kohno told me that he and his colleagues could not currently comment on their latest project. Without the help of the authors, it is difficult to predict the contents of their research paper. However, it is possible to piece together other bits of information to try to learn more about the project.

A previous research paper published by the same team noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. An increasingly large percentage of these can be remotely controlled and monitored by specialized wireless devices in the patient's home. The devices can be accessed at ranges of up to 5 meters.

By reading between the lines (millions of remotely implanted medical devices, able to administer electrical shocks to the heart, can be controlled remotely from distances up to 5 feet, designed by people who know nothing about security), it is easy to predict the gigantic media storm that this paper will cause when the full details (and a YouTube video of a demo, no doubt) are made public.

Just remember where you saw it first.

Originally posted at Surveillance State

January 17, 2008 9:56 AM PST

Hack iTunes to remove the movie-rental time limit

by Rick Broida

Update: It appears this may not work after all. And here I thought those Giz guys were crackerjacker hackers.

Renting movies from iTunes? Love it. Having to finish watching a movie within 24 hours of starting it? Not so much with the love. Fortunately, those crafty fellows over at Gizmodo figured out an easy way to turn the clock back, so to speak, thus extending your watchability window.

Basically, if you set your computer's clock ahead a few days (or weeks, or months) before starting the movie, then set it back to normal again, you'll have virtually unlimited time in which to finish watching. Already started the flick? Set the computer clock back a few days until you're able to reach the closing credits.

Apple will no doubt patch iTunes to prevent this little trick from working forever. But until then, at least you have a little more control over your rentals.

Originally posted at The Cheapskate

September 24, 2007 8:57 AM PDT

Cyberattacks at DHS prompt new finger-pointing

by Anne Broache

A congressional committee is once again questioning the U.S. Department of Homeland Security's ability to detect and fend off cyberattacks, as a recent investigation has turned up evidence of Chinese-linked hacking incidents on internal computers last year.

According to the results of a recent U.S. House of Representatives Homeland Security investigation described in a letter released Monday (PDF), "dozens" of computers on networks at the sprawling cabinet department's headquarters were "compromised by hackers" last year. The intrusions involved planting malicious code that cracked network administrator passwords, masked signs of intrusion and beamed back information to "a Web hosting service that connects to Chinese Web sites."

Excerpt from the House panel's letter to DHS Inspector General

That style of attack is reminiscent of those carried out on computers at the Commerce and State departments around the same time last year, the committee wrote.

The letter pinned at least some of the blame on an outside contractor that failed to deploy the necessary "network intrusion detection systems" and attempted to hide "security gaps in their capabilities."

That contractor, Unisys Corp., is now under investigation by the FBI for alleged criminal fraud, according to The Washington Post, which first reported the Friday letter in a story published Monday morning.

But the letter, signed by Rep. Bennie Thompson (D-Miss.), who leads the Homeland Security Committee, and Rep. James Langevin (D-R.I.), who leads a cybersecurity panel within that committee, also faulted Homeland Security officials. The committee leaders accused the department--and particularly its chief information officer--of downplaying the potential for serious cyberintrusions and providing "misleading" responses to the congressional panel's requests for information about reported incidents. They asked Homeland Security Inspector General Richard Skinner to conduct his own investigation into the matter.

Unisys, for its part, told the Post that it hadn't yet been informed of any criminal investigation against it. The company also denied failing to install the proper number of network intrusion tools and said it even continued deploying the monitoring services after Homeland Security, citing lack of funding, stopped paying for them.

Homeland Security representatives, meanwhile, told the Post that Unisys' version of the story was "entirely baseless and disingenuous" and suggested the firm may not be awarded contracts in the future. The agency also denied withholding any information from congressional investigators, with a spokesman saying department officials are "aware of, and have responded to, malicious cyberactivity directed at the U.S. government over the past few years."

August 31, 2007 11:18 AM PDT

Embassy e-mails hacked

by Robert Vamosi

Thursday, Swedish computer security consultant Dan Egerstad posted online the usernames, passwords and server addresses necessary to access up to 100 e-mail accounts worldwide. He says he used an unnamed vulnerability to obtain the usernames and passwords for up to 1,000 e-mail accounts of government employees around the world. Egerstad also said he's found information for accounts belonging to major U.S. and U.K. corporations. He has not used the information himself.

Egerstad told Computer Sweden: "I did an experiment and came across the information by accident." He said he tried contacting a few of the administrators responsible for the sites he posted, but so far they have all ignored him. He hopes that by posting the information the agencies will take corrective action.

Computer Sweden confirmed that the log-in details for at least one of the accounts are correct. Egerstad provided the publication with an e-mail sent by an employee at the Swedish royal court to the Russian embassy. The Russian embassy has since changed its password.

Computer Sweden has not been able to confirm the authenticity of any of the other information that has been posted.

August 4, 2007 3:37 PM PDT

Defcon drama: Undercover reporter bolts after outing

by Michelle Meyers

An NBC reporter learned the hard (and embarrassing) way that Defcon 15, a conference of underground hackers who also happen to be security experts, is not the place to go undercover with a hidden camera.

George Ou, who blogs for CNET News.com's sister site ZDNet, has written a detailed account of the drama that unfolded Friday at the Las Vegas conference when staff members announced the "spot the undercover reporter" game. Staffers had apparently learned that a Dateline NBC producer hoping to catch someone confessing to a hacking crime was there as a regular attendee after refusing repeatedly to seek a press pass.

Just as Defcon officials were about to put her photo up on the conference projector, the reporter bolted and a crowd followed her out to her car, taking video and shouting out questions and statements. (Check out the YouTube video embedded in Ou's blog). Our favorite comment, by far: "You must feel like Lindsay Lohan."

And we thought Black Hat was exciting.
