TIME privacy

International Hacking Ring Charged With Theft of Xbox Software and Data

Hackers also allegedly stole software used by the U.S. Army to train military helicopter pilots

Four members of an international hacking ring were charged with the theft of over $100 million worth of software and data related to the Xbox One and Xbox Live consoles and other technologies, the Department of Justice announced Tuesday.

The hackers were also charged for stealing data from the unreleased video games Call of Duty: Modern Warfare 3 and Gears of War 3, as well as the U.S. Army’s proprietary software used to train military helicopter pilots, the statement said.

Between Jan. 2011 and March 2014, the four men allegedly hacked into the computer systems of video game makers Microsoft, Epic Games and Valve Corporation, according to court documents. They also allegedly stole software from the U.S. Army and Zombie Studios, which produced helicopter simulation software for the Army.

Two of the charged members, whose ages range from 18 to 28, have already pleaded guilty to charges of copyright infringement and conspiracy to commit computer fraud.

“As the indictment charges, the members of this international hacking ring stole trade secret data used in high-tech American products, ranging from software that trains U.S. soldiers to fly Apache helicopters to Xbox games that entertain millions around the world,” said Assistant Attorney General Caldwell.

Three of the hackers are Americans, while one of the hackers is Canadian, the Department of Justice said. Officials believe the Canadian’s guilty plea is the first time a foreign individual was convicted of hacking into U.S. firms to steal information.

“The American economy is driven by innovation. But American innovation is only valuable when it can be protected,” Caldwell said. “Today’s guilty pleas show that we will protect America’s intellectual property from hackers, whether they hack from here or from abroad.”

TIME Security

Experts Say ‘Bash’ Bug Is a Major Vulnerability But Not a Major Threat

computer virus
Getty Images

Cybersecurity experts explain why the Bash bug might actually not be as risky as the Heartbleed bug discovered earlier this year

When the Heartbleed software bug was disclosed in April, there was no shortage of publicizing its risks and defensive measures—and for good reason. And the Bash bug, discovered Wednesday, is prompting similar widespread fear. The security flaw is named after a vulnerable piece of software, Bash, that’s built into several ubiquitous operating systems, including Apple’s Mac OS X.

“People were taking Heartbleed very seriously,” said Jim Reavis, CEO of cybersecurity firm Cloud Security Alliance. “If people don’t take Bash seriously, it’ll become a self-fulfilling prophecy.”

Cybersecurity experts like Reavis don’t doubt that the Bash bug is dangerous: it is, and it needs urgent attention. The afflicted Bash software, released in 1989, is an open source software that was built-in to Linux and Mac OS operating systems and then widely integrated into many corporate and personal computer programs, experts said. Preliminary estimates say it could impact up to 50 percent of Internet-connected servers, according to Darien Kindlund, director of threat research at FireEye, a network security company.

“Bash is yet another type of open source software that has been reused, repurposed,” Kindlund said.

But the threat posed by the Bash bug—it could theoretically remotely command computers and extract private information—is overblown, cybersecurity experts told TIME. Average computer users aren’t likely to be directly targeted by hackers, experts said. And for the vulnerability to be triggered, the attacker would need to deliver content to the user, and then get the user to execute Bash with that content, according to Kindlund. Normal web browsing, emailing or other common activities do not involve calling Bash. What average users should be worried about are more traditional hacking techniques, like phishing emails and links to malicious websites, said John Gunn of VASCO Data Security.

“There are so many other methods that have a high degree of success that would take priority over [Bash as a hacking tool],” Gunn said. “The vulnerability really exists for large organizations that may have servers running Linux.”

Companies who have web servers that aren’t updated internally on a frequent basis may be most at risk because they continue to use old technology, according to Kindlund. Some companies who still store private data on Internet-facing servers—an outdated practice, as it makes sensitive information more vulnerable—or do not have strong security may vulnerable as well, but they can take precautions by inspecting each and every of their Linux-based servers, said Tanuj Gulati, CTO of Securonix, a security intelligence firm.

“The Apples or the Amazons or the Googles of the world aren’t the ones I’m worried about the most,” Reavis said. “But it could be some big companies that use this technology, but simply don’t have an awareness budget, or not taking this seriously.”

Still, many companies already have protection mechanisms in place that would prevent Bash from inflicting significant harm. Most servers can detect anomalous traffic and behavior, and many already take precautionary efforts by keeping records offline where they are inaccessible, Gunn said.

“What this Bash vulnerability depends on is a lot of other failures,” Gunn added. “This isn’t a single point of failure, whereas in Heartbleed, it was.”

Numerous patches for the Bash bug have already flooded the market. While security researchers have claimed the patches are incomplete, experts agree that fully fixing the vulnerability would take years. Additionally, that there have not been any known major breaches using Bash has also boosted security experts’ confidence that the bug may not pose a widespread threat.

“Most vulnerabilities of value are either shared or sold in the hacking community,” Gunn said. “If this had been a viable hacking method, it would’ve been exchanged in the hacking community, and it has not.”

But fact that Bash may not pose a major threat to individuals or companies doesn’t mean its danger should be understated, experts agreed.

“You saw a lot of worry about [Heartbleed], and there really wasn’t much that happened. The economy didn’t grind to a halt. Cities didn’t black out,” said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “It’s a vulnerability. A flaw.”

 

TIME privacy

What We Know About the Latest Nude Celebrity Photo Hack

Kim Kadashian Attends The Kardashian Kollection Spring Launch At Westfield Parramatta
Kim Kardashian attends the Kardashian Kollection Spring Launch at Westfield Parramatta on September 13, 2014 in Sydney. Lisa Maree Williams—Getty Images

And what we don't

More explicit photos were posted on the website 4chan Saturday, this time purportedly showing Kim Kardashian, Vanessa Hudgens, Mary-Kate Olsen, Hayden Panettiere, Kaley Cuoco, Hope Solo and an underage Disney star, among other female celebrities.

Previously unseen photos purportedly showing Jennifer Lawrence, who became the face of the last major celebrity photo hack, were posted, too. The photos quickly spread from 4chan to Reddit, following the same pattern as the previous hack, which leaked private photos of Lawrence, Kate Upton, Ariana Grande and almost 100 other female celebrities.

Here’s what we do and don’t know about the latest nude celebrity photo hack:

Are the photos real?

At least two of the hack’s victims have confirmed their leaked photos are, in fact, real.

Actress Gabrielle Union told TMZ on Saturday that her photos were intended for only her husband’s eyes, and slammed the hackers’ insensitivity. “It has come to our attention that our private moments, that were shared and deleted solely between my husband and myself, have been leaked by some vultures,” Union said.

On Sunday, Actress Meagan Good released a statement on Instagram, saying “I’m definitely in shock… Saddened for everyone who is experiencing this… But I ‘choose’ not to give the persons responsible my power.. At the end of the day—We all know these pictures were for my husband.”

In the last celebrity hack, many victims confirmed that the photos were indeed authentic. Cuoco, whose photos were also released in the previous hack, said Thursday on Jimmey Kimmel Live! that she was disturbed to realize the photos were real, but ended up making a “joke about it,” because “you have to make fun of yourself.” Other reactions were less lighthearted: Lawrence’s rep called it a “flagrant violation of privacy.”

What about the other celebrities?

Most have not released statements, or have declined to speak. A rep for Kardashian has declined to comment about the leaked photos to multiple publications. There’s also no word from Panettiere, Olsen, Solo or Hudgens.

But many are wondering about Hudgens, and what approach she’ll take now that she’s not the young Disney starlet of the High School Musical franchise. In 2007, after being shamed for a leaked nude photo, the 18-year-old actress apologized to fans, while Disney followed up and told People that “We hope she’s learned a valuable lesson.”

How did it happen?

No one knows yet, but experts told TIME they believe it’s similar to the last celebrity photo leak, when Apple confirmed that it was a “very targeted attack on user names, passwords and security questions,” and a not system-wide breach of iCloud or Find my iPhone, as was first widely believed. (TIME has reached out to Apple for comment regarding the most recent hack.)

Bob Stasio, Vice President of Threat Intelligence at CyberIQ Services, said the most probable cause is that hackers obtained access to photos by answering security questions to recover or reset passwords—a common tactic and the one apparently used last time. Last year, Michelle Obama’s and other celebrities’ financial records were accessed by hackers who knew enough personal identifying information to impersonate them, according to CNBC.

“The problem with celebrities is that a lot of their information is publicly available,” Stasio said.

Once the passwords have been reset, the hackers can access the celebrities’ e-mail accounts to obtain the passwords to enter iCloud. Hackers will have previously gained access to the stars’ computer servers, thus their e-mails, either physically or remotely through backdoors planted in their systems, Stasio said. These backdoors may have been planted through targeted emails that tempt the users to click on a link or download an attachment.

“That’s really how hacking works,” Stasio said. “It’s all very iterative. You get to one spot, and you have to get to the next spot.”

Can the hackers be found?

They haven’t been found yet, and security experts believe it will be difficult, but not impossible, to track down the hackers. If iCloud accounts were accessed, then Apple can use a record of logins to determine the IP address, Stasio said. But hackers would likely hide their IP address by routing through a different one in another country, which complicates the process. Another method would be to track who had originally posted the pictures on 4chan.

In fact, experts say photo-leaking culprits are often caught, and the fact that both Apple and law enforcement are already involved make the investigation even more likely to turn up results. In 2011, for example, a hacker used the “forgot my password” function to access and leak nude photos and other personal information of Scarlett Johansson, Mila Kunis and Christina Aguilera. An FBI investigation resulted months later in a Florida man being sentenced to 10 years in federal prison, according to CNN.

“The success rate is very high. People doing this are very foolish, thinking they’re going to get away with it,” said Phil Lieberman, President of Lieberman Software Corporation. “For a period of time, they’re the hero. Once they’re caught, they’ll become the zero.”

So why haven’t we found the hackers yet?

In short, it takes time.

“If someone’s life is in danger, law enforcement moves very quickly,” Lieberman said. “But pictures of celebrities don’t rise to the level of kidnapping, murders or serious violent crimes. They’re seen more as economic crimes or invasions of privacy, which are serious, but go on a little slower track.”

Moreover, the fact that Apple’s weak iCloud security was patched only recently means that several intruders may have been in the system for quite a while, experts said, which would add additional layers to the investigation.

Will it happen again?

Experts say yes: This is the second major celebrity photo hack in one month, and it’s part of a rising trend. When Target was hacked last year, Stasio said, a group of hackers sent e-mails to other companies saying they’d detected a similar vulnerability, offering help through a clickable link, which, if opened, would’ve infected the company’s system.

“Not only have the trends of the actual hacks spread, but people use the awareness of the hack itself to try to use it as an infection,” Stasio said.

And there’s likely more photos that have been accessed but not yet shared. Lieberman said that for hackings in the commercial world, the average time the hacker or hackers have spent in the system is 200 days. This suggests the intruders could’ve had months to amass a large collection of explicit photos.

“This may not even be different than the first one,” Lieberman said. “This may in fact be the same group of people with the same set of data, just simply taking another bite of the apple.”

TIME Security

Home Depot Breach Exposed 56 Million Credit Cards

US-ECONOMY-HOUSING
A Home Depot store is seen in Silver Spring, Maryland, on March 28. 2013. Jewel Samad—AFP/Getty Images

Cyber thieves pulled off a massive attack

Hackers had access to 56 million credit and debit cards when they breached Home Depot’s security system this year, the company said Thursday. The breach was even larger than the attack on Target last year, when 40 million cards were compromised.

The company said that thieves had placed malware software on cash registers in Home Depots throughout the U.S. and Canada from April to September. The malware has since been eliminated. The breach will cost the company at least $62 million.

“We apologize to our customers for the inconvenience and anxiety this has caused and want to reassure them that they will not be liable for fraudulent charges,” Chief Executive Frank Blake said in a statement.

TIME Security

Apple: We Can’t Give Your iPhone Data to the Government

Apple Unveils iPhone 6
Apple CEO Tim Cook shows off the new iPhone 6 and the Apple Watch during an Apple special event at the Flint Center for the Performing Arts on September 9, 2014 in Cupertino, California. Justin Sullivan—Getty Images

"We don’t build a profile based on your email content or web browsing habits to sell to advertisers."

After dozens of celebrities had their most intimate photos stored on Apple’s iCloud service stolen by hackers and released online, the company used Wednesday’s iOS 8 update launch to defend its concern for privacy and introduce new security measures.

In an open letter posted on Apple’s website, CEO Tim Cook stressed the company’s efforts to keep consumers’ information private and sought to distinguish Apple from how its competitors use personal data.

“A few years ago, users of Internet services began to realize that when an online service is free, you’re not the customer. You’re the product,” Cook wrote, referring to how major websites, such as Google and Facebook, use personal information and personal activity online to tailor advertisements to their users. “But at Apple, we believe a great customer experience shouldn’t come at the expense of your privacy.”

The statement is particularly pertinent after the Sept. 8 announcement of a smartwatch and new apps on the upcoming iPhone 6 and iPhone 6 Plus that represent Apple’s most significant foray into health tracking and mobile payments.

“Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers.”

Apple does have a service that tailors ads based on some of what Apple knows about users, but Cook wrote that the service doesn’t pull data from products like Apple’s health apps or the Mail app.

Cook also addressed allegations that the U.S. government has collaborated with major Internet firms to gather data on users, saying Apple has not allowed access to its servers and has “never worked with any government agency from any country” to allow exclusive access to personal information retained by Apple.

Apple also said that iOS 8, the newest iPhone operating system, would automatically encrypt data stored on iPhones and protected by your passcode, making it impossible for even Apple to share that information with the government or law enforcement. That encryption rule, however, doesn’t apply to data stored on Apple’s iCloud storage service.

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” said Apple. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

 

TIME How-To

How to Double Check Your Google Account Security Settings

Google Account Settings
Google's account settings page shows which sites, services and devices have access to your account Google

The unofficial Google Operating System site writes about a little gem found under the security section of everyone’s Google account settings page.

Head over to your account’s security section, and click the “Get started” button located under the “Secure your Account” heading.

It’ll step you through the various lock-downs available for your Google account, including setting a recovery phone number, a recovery email address and the ability to revoke access for apps, websites and gadgets you no longer use. You’ll also be able to check out your recent activity to make sure nobody’s been using your account without your knowledge.

It’s a good idea to run through a security audit such as this every once in a while, especially after a high-profile data breach.

[Google Operating System]

TIME privacy

U.S. Threatened Yahoo With Massive Fines Over User Data

Yahoo's Headquarters In Sunnyvale, California
A sign is posted in front of the Yahoo! headquarters on May 23, 2014 in Sunnyvale, Calif. Justin Sullivan—Getty Images

Yahoo tried to fight the government's requests for user information

The U.S. government threatened Yahoo with a $250,000-a-day fine in 2008 if the tech company did not comply with requests for user information, according to roughly 1,500 pages of newly released legal documents.

“We refused to comply with what we viewed as unconstitutional and overbroad surveillance and challenged the U.S. Government’s authority,” Yahoo’s General Counsel Ron Bell wrote in a Tumblr post published on Thursday. “The released documents underscore how we had to fight every step of the way to challenge the U.S. Government’s surveillance efforts.”

Yahoo’s multiple challenges against the government were unsuccessful however, and the company started providing user data to PRISM, the controversial National Security Agency program that was shut down in 2011 and revealed to the public by Edward Snowden in 2013, the Washington Post reports.

Yahoo felt these government requests, which asked for data about whom and when users outside of the U.S. emailed (though not email content itself), bypassed required court reviews of each surveillance target.

Federal Judge William C. Bryson of the Foreign Intelligence Surveillance Court of Review ordered the unsealing of the documents as part of a move to declassify cases and documents that established the legal basis for the PRISM program.

TIME cybersecurity

Nearly 5 Million Google Passwords Leaked on Russian Site

Google Reports Quarterly Earnings
A sign is posted outside of Google headquarters on Jan. 30, 2014, in Mountain View, Calif. Justin Sullivan—Getty Images

The usernames and passwords of 4.93 million users were posted in a Russian Bitcoin security forum

Almost 5 million usernames and passwords purportedly for Google accounts were uploaded to a Russian online forum by hackers late Tuesday.

The International Business Times reports that data for 4.93 million Google accounts of English-, Spanish- and Russian-speaking users was leaked and published on a Russian-language Bitcoin security online forum. The posters said about 60% of the accounts were active.

In a statement sent to TIME, Google said it had “no evidence that our systems have been compromised.”

“The security of our users’ information is a top priority for us,” the statement reads. The company said that whenever it is alerted that accounts may have been compromised, “we take steps to help those users secure their accounts.” Email users are encouraged to utilize two-step verification when logging into accounts, as well as to create strong passwords.

According to Russian news service RIA Novosti, this leak followed another large hack of Russian email accounts. Several million accounts of Russia-based email services were also posted in a Bitcoin security forum.

TIME Security

Home Depot Confirms Credit-Card Data Hack

Home Depot credit card breach
The Home Depot home improvement store in Portland, ME on Thursday, September 4, 2014. Home Depot is currently investigating a potential credit card breach, and determining whether customers' card numbers were collected and sold by hackers. Portland Press Herald—Press Herald via Getty Images

The construction-equipment retailer says anyone who shopped there since April could be a victim

Hackers infiltrated Home Depot’s payment system and stole an untold amount of shopper information, perhaps including credit-card numbers, the construction-equipment retail giant confirmed in a statement Monday.

The hack “could potentially impact any customer that has used their payment card at our U.S. and Canadian stores, from April forward,” Home Depot said in a statement, adding that shoppers online or at stores locations in Mexico do not appear to have been affected.

The firm joins the ranks of other major stores, like Target and others, that have been the victims of successful, large-scale cyberattacks.

Home Depot disclosed it was looking into reports of “unusual activity” on Sept. 2 and has offered free identity-theft protection and credit-monitoring services to anyone who shopped at a Home Depot store during the months in question.

“We apologize for the frustration and anxiety this causes our customers,” Home Depot said.

TIME Social Media

Reddit Bans Groups Where Users Have Been Sharing Celebrity Nudes

Actress Jennifer Lawrence attends the Christian Dior show as part of Paris Fashion Week — Haute Couture Fall/Winter 2014-2015
Actress Jennifer Lawrence attends the Christian Dior show as part of Paris Fashion Week — Haute Couture Fall/Winter 2014-2015 Rindoff/Dufour—2014 Rindoff/Dufour

Reddit says the groups were not removed in response to outside pressure to prohibit the sharing of links to leaked celebrity nudes

Reddit has banned controversial groups that have been a hub for leaked celebrity nudes over the past week, though the site says the move wasn’t a result of it buckling to outside pressure.

Reddit says “subreddits” like “r/TheFappening” and others were banned for violating the typically freewheeling site’s community rules after they were covered in links to nude photos that were released following a massive hack of celebrities’ iCloud accounts. The move is unusual for the site, whose small management team typically embraces a hands-off approach to community moderation, leaving it up to the thousands of subcommunities to self-police themselves. Some Reddit users were angered by the move, though Reddit’s team said the situation became particularly untenable when it was realized that some of the links pointed to lewd photos of underage celebrities.

“We put up a blog post explaining why we don’t ban things for reason X (which some people want us to, but we will not), but at the same time behavior in a subreddit started violating reason Y (a pre-existing and valid rule for which we do ban things) and we banned it, resulting in much confusion,” Reddit’s explanation of the ban reads.

Reddit has complied with legal requests under copyright law to not allow the posting of the stolen images, but the site did not initially obstruct the dissemination of links to the photos. Reddit said in a blog post it has no plans to change existing policy in response to the recent events.

“Reddit’s platform is structurally based on the ability for people to distribute, promote, and highlight textual materials as well as links to images and other media,” Reddit’s blog post reads. “We understand the harm that misusing our site does to the victims of this theft, and we deeply sympathize.”

Your browser, Internet Explorer 8 or below, is out of date. It has known security flaws and may not display all features of this and other websites.

Learn how to update your browser