China Eastern Airlines passenger uses first class ticket for free meals

The man used his first-class ticket to score free meals and drinks at a VIP airport lounge nearly every day for a year, the Kwong Wah Yit Poh reported.

He changed his flight itinerary more than 300 times within the year so he could enjoy the facilities at the Xi’an Airport in Shaanxi, China.

What’s more, he cancelled his ticket for a refund when its validity was about to expire.

via China Eastern Airlines passenger uses first class ticket for free meals | News.com.au.

Insecure healthcare.gov allowed hacker to access 70,000 records in 4 minutes

70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I’m sure it’s hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it’s just wide open. You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself.

via Insecure healthcare.gov allowed hacker to access 70,000 records in 4 minutes | Computerworld Blogs.

Many top-notch hackers blasted the site and its lack of any basic security. An audit originally found 17(!) vulnerabilities, and after the ‘fixes’ an extra 20+.

On Hacking MicroSD Cards

Turns out that to correct errors, each SD card comes with a 100 MHz microcontroller which reports the size of the device and runs algorithms to work around certain errors. On at least one brand, the firmware loader is not secured. This opens up a host of possibilities, from a very cheap source of Arduino alternatives to an SMTP server that sends copies of your files to an external source, or something more complex, as SD cards tend to be trusted once inserted.

http://www.bunniestudios.com/blog/?p=3554

Our Government Has Weaponized the Internet. Here’s How They Did It | Wired Opinion | Wired.com

According to revelations about the QUANTUM program, the NSA can “shoot” (their words) an exploit at any target it desires as his or her traffic passes across the backbone. It appears that the NSA and GCHQ were the first to turn the internet backbone into a weapon; absent Snowdens of their own, other countries may do the same and then say, “It wasn’t us. And even if it was, you started it.”

via Our Government Has Weaponized the Internet. Here's How They Did It | Wired Opinion | Wired.com.

This includes a fairly detailed list of the methodologies employed.

SkyJack – autonomous drone hacking

SkyJack (available from github) is primarily a perl application which runs off of a Linux machine, runs aircrack-ng in order to get its wifi card into monitor mode, detects all wireless networks and clients around, deactivates any clients connected to Parrot AR.drones, connects to the now free Parrot AR.Drone as its owner, then uses node.js with node-ar-drone to control zombie drones.

http://samy.pl/skyjack/

Hackers steal ‘FULL credit card details’ of 376,000 people from Irish loyalty programme firm

A hack attack against an Irish loyalty programme firm, Loyaltybuild, has led to the theft of the full credit card details of at least 376,000 consumers, says the country’s data protection watchdog. According to the results of a preliminary investigation by the Office of the Data Protection Commissioner (ODPC), credit card and – contrary to all payment storage rules – CVV details were held unencrypted on Loyaltybuild’s systems in the run-up to attacks in the middle of October.

http://www.theregister.co.uk/2013/11/14/irish_loyalty_card_breach/

Hacker uses bots to top music charts, earn royalties without being able to make music

A Melbourne security professional has sent ear-piercing ‘garbage’ tunes to the top of online music charts by spoofing track plays.

Despite that Peter Filimore (@typhoonfilsy) has never played an instrument, in a month he accrued hundreds of thousands of plays for his tunes hosted in online music charts, trumping artists like P!nk, Nicki Minaj, Flume and chart topper album The Heist and making $1000 in royalties in the process.

via Hacker uses bots to top music charts, bumps P!nk, Nicki Minaj – Networks – SC Magazine Australia – Secure Business Intelligence.

Not only that, but he’s thought of a way to use his technique to bump rival artists off the services entirely as a DDoS.

Software Update to $20 Phones Could Topple 2G Cell Networks

In normal situations, when a call or SMS is sent over the network, a cellular tower “pages” nearby devices to find the one that should receive it. Normally, only the proper phone will answer—by, in effect, saying “It’s me,” as Seifert puts it. Then the actual call or SMS goes through.

The rewritten firmware can block calls because it can respond to paging faster than a victim’s phone can. When the network sends out a page, the modified phone says “It’s me” first, and the victim’s phone never receives it.

“If you respond faster to the network, the network tries to establish a service with you as an attacker,”

via Software Update to $20 Phones Could Topple 2G Cell Networks | MIT Technology Review.

The “Red October” Campaign – An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies – Securelist

During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.

Kaspersky Lab’s researchers have spent several months analyzing this malware, which targets specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but also in Western Europe and North America.

It doesn’t seem to be a governmental attack, although the base code seems to be written by Chinese people and the plugins by Russians. Someone out there has an awesome intelligence gathering capability!

via The "Red October" Campaign – An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies – Securelist.

Use the Magic SysRq Key on Linux to Fix Frozen X Servers, Cleanly Reboot, and Run Other Low-Level Commands – How-To Geek

A useful summary:

Cleanly Restarting Your System

Used in sequence, some of these actions can be used to cleanly end processes, flush data to disk, unmount all file systems, and restart your computer. To perform this process, press and hold the Alt + SysRq key combination and – while holding the Alt and SysRq keys down – type the following keys in order, pausing for several seconds in between each key:

reisub

The mnemonic “Raising Elephants Is So Utterly Boring” is often used to remember this sequence. Here’s what each key does:

r – Puts the keyboard into raw mode, taking control of it away from the X server.
e – Sends the terminate signal to all processes, asking them to end gracefully.
i – Sends the kill signal to all processes, forcing them to end immediately.
s – Flushes data from your cache to disk.
u – Remounts all file systems read-only.
b – Reboots your computer.

More Commands

Here are some other actions you can perform with the magic SysRq key. To perform an action, press and hold the Alt + SysRq keys while typing the letter:

n – Resets the nice level (priority) of all high and realtime priority processes.
f – Calls oom_kill, which will kill a memory-hogging process.
o – Shuts off the computer.

via Use the Magic SysRq Key on Linux to Fix Frozen X Servers, Cleanly Reboot, and Run Other Low-Level Commands – How-To Geek.
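Whether the sequence above actually works depends on the kernel.sysrq sysctl, which the article does not cover: 0 disables the key entirely, 1 allows everything, and any other value is a bitmask of allowed functions (the bit values come from the kernel's Documentation/admin-guide/sysrq.rst). The following shell script is an added example, not code from the How-To Geek article, that decodes a given kernel.sysrq value into which of the listed keys the kernel will honour and checks whether a full REISUB would complete.

```shell
#!/bin/sh
# Added example: map each magic SysRq key to the kernel.sysrq bit it needs.
# Bit values are from the kernel's sysrq documentation; 1 = all, 0 = none.

sysrq_mask_for_key() {
    case "$1" in
        r)     echo 4 ;;     # keyboard control (unraw, SAK)
        e|i|f) echo 64 ;;    # signalling processes (term, kill, oom-kill)
        s)     echo 16 ;;    # sync
        u)     echo 32 ;;    # remount read-only
        b|o)   echo 128 ;;   # reboot / poweroff
        n)     echo 256 ;;   # renice realtime tasks
        *)     echo 0 ;;     # a key this script does not know about
    esac
}

# Print allowed/blocked/unknown for key $2 under kernel.sysrq value $1.
sysrq_key_status() {
    value=$1; key=$2
    mask=$(sysrq_mask_for_key "$key")
    if [ "$mask" -eq 0 ]; then echo unknown; return; fi
    if [ "$value" -eq 1 ]; then echo allowed; return; fi
    if [ $((value & mask)) -ne 0 ]; then echo allowed; else echo blocked; fi
}

# Report on every key of the REISUB sequence; return 0 only if all are
# allowed, i.e. the clean-restart sequence from the article would work.
check_reisub() {
    value=$1; ok=0
    for key in r e i s u b; do
        status=$(sysrq_key_status "$value" "$key")
        echo "kernel.sysrq=$value key=$key $status"
        [ "$status" = allowed ] || ok=1
    done
    return $ok
}

# Read the live value on this host; fall back to 0 when the file is not
# readable (e.g. inside an unprivileged container).
current=$(cat /proc/sys/kernel/sysrq 2>/dev/null || echo 0)
check_reisub "$current" || echo "REISUB would not complete on this host"
```

Many distributions ship a restricted bitmask (for example 176 = sync + remount + reboot), so the r, e and i steps are silently ignored there; hardening guides that set kernel.sysrq to 0 disable the whole sequence for anyone with a keyboard.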