Cody Brocious, a software developer at Mozilla, showed off his latest hack at the Black Hat Security Conference in Las Vegas. He has found a way to hack over four million hotel rooms that are locked by Onity programmable key cards. What’s even worse is that the hack only costs a little under $50 in supplies.

So how does this particular hack work? Brocious has identified a 32-bit key that identifies the hotel’s “sitecode.” The worst part is that every Onity lock has this key. By reading the key back to the lock, the lock opens. The hack is so simple that he’s surprised more people haven’t found out about it yet.

Like most hackers, Brocious doesn’t intend people to use this information maliciously. He exposed the security flaw to make Onity change the locks. When an electronic lock can be opened so easily, it’s only a matter of time before something bad happens.

Brocious has created a hypothetical scenario that we hope never happens:

Given the ability to read the complete memory of the lock, it is possible to gain access to the master key card codes. With these — in combination with the sitecode for encryption — it is possible to create master cards which will gain access to locks at the property.

Let’s look at a hypothetical situation:

An attacker uses the beforementioned vulnerabilities to read the memory of the lock

Attacker uses the sitecode and master key card codes to generate one or more master cards

Attacker uses a master card to enter a room

Attacker murders the victim in the room

Attacker escapes

During the course of investigation, it’s quite possible that the criminal investigators may look at the audit report for the lock, to see who entered the door at what time. Upon doing so, they will see a specific member of the staff (as the key cards are uniquely identified in the ident field) using a master key card to gain access to the room near the time of death.

Such circumstantial evidence, placing a staff member in the room at the time of death, could be damning in a murder trial, and at least would make that staff member a prime suspect. While other factors (e.g. closed circuit cameras, eyewitnesses, etc) could be used to support the staff member’s case, there’s no way we can know whether or not the audit report is false.

Will this happen? Probably not. It’s all just a hypothetical scenario to get security experts to replace these locks with better ones. If it’s electronic, it can be hacked. I think I’ll stick with my old fashioned keys for now. At least I can protect against lock pickers.

[h/t: ExtremeTech]

He then released the information minus several critical aspects including card number, security code, and expiration date. The message was posted via Pastebin on the 18th of June.

Reckz comments in his Pastebin post about the bank hacks and the release of information:

“Today’s target is VISA & Mastercard, I will be only leaking a portion of the credit card information, as I cannot leak the entire data, it’s too large, and this is the certain proof that i’ve hacked into VISA & Mastercard….”

“I’m also censoring the credit card information such as CC Number, Secret Code, Expiry date for security measures, I also edited the way the information will look, the original one looked bullshit.”

He further explains that his purpose for hacking the banks involves good old fashioned curiosity rather than some malicious intent. He also claims to have no special talents, just passionate curiosity.

He mentions Chase Bank as one of the institutions he infiltrated, but suggests there are several more involved. ZD Net speculates the hacks could be related to a credit card security breach that occurred in late March where big banks sent out letter to customers that a security leak may have compromised their information.

According to another message on Pastebin from Reckz posted on the 12th of June, he is retiring from the hacking business, realizing he has no real purpose for his unusual skill. He says he will use his talents for only good purposes from here on out.

Reckz comments on his retired status:

“I’ve realized that I am doing this shit for nothing.”

“I am officially..a whitehat.”

“I will use my intelligence for good.”

“I’ve done over 50 large hacks, and leaked many essential information, I am sorry if I harmed you, or affected your families.”

“This is my departure from the hacking scene.”

In his post from yesterday, he reminds us that of the purpose for his hacks; all in the name of curiosity and challenge. What I have to wonder is whether his latest hack falls in line with his new mission to use his hacking prowess for only good. Perhaps he hopes to reveal to the general public just how antiquated bank security really is.

If he doesn’t have any overarching goal or message, and his hacks are just for curiosity sake, he probably should retire. He really doesn’t, “fulfill your (our) ‘lulz’ attention with some excitement & entertainment!”, as he suggests.

Visa and Mastercard are most likely very interested (and probably Chase Bank as well), the general public however, doesn’t really care. Find something more exciting to do, you bore me Reckz.

Hynek Blinka, on the AVG blog, detailed his recent run-in with a Chinese hacker as he was investigating a Diablo III key logger. It’s common practice to intentionally infect your machine with a virus so that you can take it apart and find out how it works. It was pretty standard procedure until a dialog window opened up.

According to Blinka, the person who had constructed the Trojan was talking to him through a backdoor in the malware. The first thing the hacker says, “What are you doing? Why are you researching my Trojan?” If your mind isn’t blown by that, I don’t know what it will take to impress you.

Blinka continues on with the hacker pretending to be interesting in purchasing Trojans from him. The hacker knows that Blinka is debugging his Trojan and even knows that Blinka doesn’t currently have a Web cam plugged into his machine. If he had, the hacker would have been able to take remote control of the camera and get a good view of what was on the other side.

Funny enough, it turns out that the Diablo III key logger wasn’t a key logger at all. It was actually more interesting as it was hoping to steal usernames and passwords of those who are still on dial up connections. It seems almost a waste to have this advanced of a virus and wasting it on finding passwords to outdated technology.

Besides the impressive use of technology here, it’s important to note that this virus is still out there. It’s been spotted on the battle.net forums in China with users linking to an executable disguised as a video guide. It could very well migrate to the forums here in the U.S. so be on your guard. Blizzard may say that there have not been many cases of account theft, but it is still happening.

By the way, if you happen to stumble across this talkative hacker, send him my way. I would love to conduct an interview within a virus. I’d be willing to infect my worthless laptop for the chance.

Since he was going after Americans, New Yorker Petr Murmylyuk, 31, likely would’ve had an easier time eluding authorities if he’d conducted the hack while living in Russia – it would appear that the unspoken rules of the hacking trade in that country generally state that if one were to hack, don’t hack a fellow Russian, try to hack an American, and don’t practice Scientology. In all seriousness, Russia is cracking down on cybercrime, with the country-wide auditing of ISPs to slow down rampant media piracy, and the recent SWAT team arrest of a teen who was trying to extort millions from an oligarch.

Petr Murmylyuk, 31, who lives in New York, hacked into several brokerage accounts, resulting in losses in the millions. He is charged with conspiracy to commit wire fraud, unauthorized access to computers and securities fraud, and could face up to 5 years, along with a $250,000 fine. The U.S. District Attorney’s Office of New Jersey alleges that Murmylyuk would break into the accounts, and then change the user info to keep his victims from ever noticing the trades he was making. Murmylyuk and his ring would then sell options from the hacked accounts to their own fraudulent accounts, and then turn around and sell them back for up to nine times the price, minutes later.

The U.S. Securities and Exchange Commission is also filing a civil suit against Murmylyuk, who was also running a similar scam to where he’d sell securities at inflated prices from his fake accounts to the accounts he’d hacked. Murmylyuk is also accused of tapping foreign nationals to open up bank accounts so he’d have a place to move his “winnings,” which cost Fidelity, Scottrade, E*Trade, and Schwab about $1 million each. Murmylyuk is presently in custody in Manhattan.

Presented by: Background Check Guide

Notable mentions are the Epsilon hack, to where millions of user names and emails held by by marketing firm were accessed by hackers in 2011, causing a loss of $4 billion, as well as the massive compromise of the Playstation Network’s user data by hacker group Lulzsec.

In related news, it has been recently reported by Mike Tuttle that companies who are conducting background checks are not governed by any sort of regulations, meaning that anyone with a computer and Google can charge a client for running whatever sort of background history query they’d like. Background check agencies likewise run into a lot of errors, with the top 5 being:

Mismatch people (i.e. a person with no criminal background with someone who has a record, which is especially problematic for people with common names)
Omit crucial information about a case, (i.e. a person is arrested but then found innocent)
Reveal sealed or expunged information (i.e. a juvenile offense)
Provide misleading information, (i.e. a single charge listed multiple times)
Misclassify offenses (i.e. reporting a misdemeanor as a felony)

It is evident that when searching for a job in the United States, it might be best to not have a common first and surname, or a Facebook account for that matter, which an employer might ask for access to.

The Google Chrome security team posted on Google+Chrome+Blog%29″>Chrome blog that the total payout in the last week for Pwnium is now up to $120,000. They were paid out to two submissions, one of which came from Sergey Glazunov. Google was able to roll out updates to patch these security flaws within 24 hours of being exploited.

Exploits are normally patched by a security team that has limited information in regards to how the hacker exploited their software. They are usually forced to guess how the exploit was implemented by the trail left behind by the hacker. The Pwnium contest is akin to a controlled environment where the Chrome team can see the exploit in its entirety and have time to study it before rolling out an update.

The Chrome security team also detailed a third exploit that was discovered at a different event last week. The exploit in question used a vulnerability in the Flash Player plug-in that could affect all browsers. The exploit was detailed to Adobe and their team is working on a patch that will be implemented in the near future.

Speaking of Flash Player, Google announced that they are working with Adobe to provide a version of Flash Player that will run natively inside the Chrome sandbox. The Chromebook already has this functionality.

All of this just goes to show you that there are good hackers out there. Hackers are usually painted in a bad light due to the actions of rogue agents, but the majority of them are just making the Web a safer and better place.

Password1 is so common because it satisfies the Microsoft Active Directory setting, meaning it has a capital letter, a number, and the right amount of characters to meet the requirements for basic password security. This isn’t good news in the progressively hostile web environment.

Some other findings in regards to the hacking incidents Trustwave has investigated include:

• Customer records remained a valuable target for attackers, making up 89 percent of breached data investigated.
• For the second year, the food and beverage industry made up the highest percentage of investigations at nearly 44 percent.
• Industries with franchise models are the new cyber targets: more than a third of 2011 investigations occurred in a franchise business.
• In 76 percent of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies.
• Law enforcement detected more breaches in 2011—up from 7 percent in 2010 to 33 percent in 2011.
• Data harvesting techniques continued to target data “intransit” within victim environments showing up in 62.5 percent of 2011 investigations.
• Anti-virus detected less than 12 percent of the targeted malware samples collected during 2011 investigations.
• For Web-based attacks, SQL injection remains the number one attack method for the fourth year in a row.

Trustwave goes on to say that business employees are “finding creative ways to override” corporate IT policies on passwords. Examples are setting usernames as passwords, adding numerically predictable changes to passwords, ie – 1234, or merely capitalizing the first letter of a password, and then adding an exclamation point to the end. Another problem relates to IT policies requiring passwords to be changed frequently, with greater complexity, and also in the necessity of multiple passwords. Employees tend to write down passwords and leave them in places where they can be seen, mainly sitting on the computer they are set to protect.

Trustwave also warns against keylogger software used by hackers and social engineering techniques employed to get users to inadvertantly give up their passwords.

Jeffrey admitted to gaining unauthorized access to data and a computer with the intention of compromising its operation.

James Jeffrey stole over 9,000 personal records on on March 8th from BPAS and compromised the confidentiality of people who contacted BPAS to inquire about information and services regarding STDs, testing, sterilization, abortion, and other women’s health services.

The 27 year old was brought before Westminster Magistrates court in London after he attempted to break into BPAS’s site 26,000 times within a six hour period. He plead guilty to the offense and accepted responsibility for defacing the website with an image of Anonymous.

On Friday we covered the details of Jeffrey’s arrest in an article that I posted on Friday. Jeffrey was arrested by the Metropolitan police at his home in Wednesbury, West Midlands last week after “he boasted of breaking into the BPAS by tweeting details of the exploit, including the login for the BPAS sysadmin, under the name Pablo Escobar.”

According to The Inquirer, BPAS stated that the incident was an extreme example of how anti-abortion activity has been becoming more agressive in its efforts to target abortion providers. Prosecutors told the court Jeffery targeted the BPAS website after two women he knew had terminations.

Judge Daphne Wickham described him as a “zealot with an anti-abortion campaign” and refused to grant Jeffrey bail, saying that he was an “able hacker” who could target other organizations.

Jeffery remains in custody and will be sentenced at Southwark Crown Court at a later date.

Bond, who was among hand-picked delegates at the Apple conference last year, has been permanently expelled from King Edward VI College in Totnes, after getting caught accessing confidential information on the school’s computer system. The information included the financial records of the school’s vice principal, and Bond also went ahead and edited the school’s newsletter, and made changes to its IT room booking system.

Police were called in and took fingerprints and DNA samples (?) from the teen as evidence. School principal Kate Mason, located in Devon in southwest England, deemed the expulsion to be appropriate, stating “we excluded him in accordance with the serious nature of the offense and the college’s behavior policy and acceptable user policy, which he had signed.” Aaron’s comment on the matter was “I am very sorry and if I had known the consequences I never would have done it.”

Aaron’s mother chimed in, wondering how a 14-year-old can hack a computer system – “the security of the school computer system should be a lot better. A 14-year-old should not be able to hack in. I don’t see why they can’t give him a second chance.” Apparently, she is not aware that Aaron is atypical of an average middle school computer user.

So far, Bond has designed 6 iPhone apps, the first being the game “Spud Run,” released last year. he began designing websites at 6, and is looking to enter college early to further develop his skills. Perhaps the school should’ve just asked him to point out the flaws in its computer security system after the hacking, and given him a warning.

The culprit is accused of trying to break into the British Pregnancy Advisory Service’s (BPAS) website, extract information about women who had received abortions, and possibly release the names of the women.

According to BPAS, there were approximately 26,000 attempts to break into its website over a six hour period on Thursday. At this point BPAS has not confirmed that any medical or personal information of the women who had received treatment was accessed.

Police have stated that data on the website was compromised but explained that the stolen data did not contain any medical details of women who had received treatment.

The data that was stolen did contain personal information (names, addresses and phone numbers) from people who had inquired about resources and services from BPAS relating to contraception, pregnancy, abortion, STI testing and sterilisation.

Detective Inspector Mark Raymond from the Met’s e-crime unit said: “We have taken rapid action to identify and arrest a suspect involved in hacking. This was done to prevent personal details of people who had requested information from the BPAS website being made public. It should be stressed that the stolen data did not contain the medical details of women who had received treatment or why individuals had contacted the British Pregnancy Advisory Service.”

To prevent the publication of such data BPAS has been granted a court injunction and all proper legal channels are being employed to protect all potential and current patients’ information.

The suspect is currently in custody at a West Midlands police station.