Attention Jailbreakers: BigBoss repo is allegedly hacked!

BigBoss, one of the default repositories for jailbreak tweaks in Cydia, has allegedly been hacked by an individual or a group of individuals whose identity is still unknown.

The attackers were apparently able to gain access to all packages (paid and free) that are available in the BigBoss repo, and made the deb index and database available for download. The assailants went as far as creating a new repo which can be added to Cydia to download all BigBoss-hosted tweaks.

As is always the case when this type of security breach happens, jailbreak users should be cautious and stay away from this.

Dubbed ripBigBoss, the website and companion repo are using Saurik’s recent “Competition vs Community” as a motivation for their acts, pushing the use of the #WhichSideAreYouOn and #SupportTheCompetition hashtags. It’s important to note that this verbiage could certainly be used as some sort of disguise in order to blur their tracks and put the blame on different groups of people.

We strongly advise jailbreak users not to install or download any tweaks from this new repo. Besides the obvious moral concern over downloading pirated tweaks, users could put themselves at risk of installing malware on their devices without their knowledge.

BigBoss repo manager 0ptimo has yet to comment on this security breach, but it is safe to assume he’s probably hard at work on securing his assets to prevent a future breach.

As a safety measure, and until more light is shed by official parties on this, we suggest not installing or updating tweaks that are hosted in the BigBoss repo. While the potentiality of malware being injected in the official repo is very unlikely, you’re better safe than sorry.

Note that we purposely did not link to the ripBigBoss website, which you may visit at your own risk.

“HeartBleed” Bug: What You Need to Know and How To Protect Yourself, Including for Yahoo, Gmail and Facebook!

heartbleed1

It’s been a while since there was a computer security bug we all had to worry about. 

Unfortunately, it seems like we may all have been facing one for two years and not even realized it.

Yesterday, security researchers announced a security flaw in OpenSSL, a popular data encryption standard, that gives hackers who know about it the ability to extract massive amounts of data from the services that we use every day and assume are mostly secure.

This isn’t simply a bug in some app that can quickly be updated. The vulnerability is in the machines that power services that transmit secure information, such as Facebook and Gmail.

We’ve put together the following guide to the so-called Heartbleed bug for those who want to understand what all the fuss is about, and how they can protect themselves.

What is the Heartbleed bug?

security

Heartbleed is a flaw in OpenSSL, the open-source encryption standard used by the majority of websites that need to transmit the data that users want to keep secure. It basically gives you a secure line when you’re sending an email or chatting on IM.

Encryption works by making it so that data being sent looks like nonsense to anyone but the intended recipient.

Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, and it will send out what’s known as a heartbeat, a small packet of data that asks for a response.

Because of a programming error in the implementation of OpenSSL, the researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end into sending data stored in its memory.

The flaw was first reported to the team behind OpenSSL by Google security researcher Neel Mehta, and independently found by security firm Codenomicon. According to the researchers who discovered the flaw, the code has been in OpenSSL for about two years, and using it doesn’t leave a trace.

How bad is that?

0

It’s really bad. Web servers can keep a lot of information in their active memory, including usernames, passwords, and even the content that users have uploaded to a service. According to Vox.com’s Timothy Lee, even credit-card numbers could be pulled out of the data sitting in memory on the servers that power some services.

But worse than that, the flaw has made it possible for hackers to steal encryption keys — the codes used to turn gibberish-encrypted data into readable information.

With encryption keys, hackers can intercept encrypted data moving to and from a site’s servers and read it without establishing a secure connection. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible.

Am I affected?

Probably, though again, this isn’t simply an issue on your personal computer or your phone — it’s in the software that powers the services you use. Security firm Codenomicon reports:

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.

According to a recent Netcraft web server survey that looked at nearly 959,000,000 websites, 66% of sites are powered by technology built around SSL, and that doesn’t include email services, chat services, and a wide variety of apps available on every platform.

So what can I do to protect myself?

Since the vulnerability has been in OpenSSL for about two years and using it leaves no trace, assume that your accounts may be compromised. You should change your online passwords, especially for services where privacy and security are major concerns. However, many sites likely haven’t upgraded to software without the bug, so immediately changing them still might not help.

The researchers who discovered the flaw let the developers behind OpenSSL know several days before announcing the vulnerability, so it was fixed before word got out yesterday. Most major service providers should already be updating their sites, so the bug will be less prevalent over coming weeks.