Indian rape victim sues Uber in US court

The Indian woman whose alleged rape by an Uber driver led to the service being shut down in New Delhi has now sued the car-hailing platform in San Francisco, according to Reuters. The woman, who asked the federal court to protect her identity, said Uber’s service was the “modern day equivalent of electronic hitchhiking”. Uber, which recently reopened its Delhi services after applying for a taxi license, has repeatedly promised to improve its driver-vetting procedures in India. The woman wants unspecified damages from Uber, as well as the installation of in-car cameras and the creation of local customer support centers. The driver, who denies the attack, is currently on trial for rape and kidnapping.

Gaming service hack attack whacks thousands of Swedish bystanders

On Thursday, Sweden’s biggest internet service provider, Telia, said that its network had suffered an attack earlier this week from hackers who were apparently trying to target a gaming company. Reports suggest the target was Electronic Arts (EA), which runs some Battlefield services out of the country.

According to Telia, the distributed denial of service (DDoS) attack occurred on Tuesday night and through much of Wednesday, forcing the ISP to toughen up its systems. While it was ongoing, the DDoS made it difficult for thousands of Telia’s customers to surf the web, watch digital TV and make VoIP calls.

Telia spokesman Marcus Haglund told me Thursday that the attack first hit around 10pm on Tuesday evening, running for around 45 minutes. “Then it calmed down overnight,” he said. “It continued from 10am and was running all through the day and escalated in the night. It ended at 8pm.”

“We have an internal investigation that will run to the bottom of what has happened and what we can do to prevent it in the future,” Haglund continued. “There was a configuration that was a bit lax yesterday that we have corrected. If the same attack was aimed at us or any of our customers, we can say we are not vulnerable in the way we were yesterday.”

Haglund said thousands of customers had been affected. In such attacks, the target’s systems are flooded with data, causing them to stop working. Recent years have seen such attacks grow in severity, with the culprits amplifying them by bouncing the traffic off open servers, notably domain name system (DNS) servers.

The ISP hasn’t named the gaming company that was the target, but the Swedish newspaper Dagens Nyheter reported that it was Electronic Arts (EA), which has offices in Stockholm that develop and run the Battlefield Heroes and Battlefield Play4Free services. The paper quoted F5 Networks security expert Joakim Sundberg as saying the attack used DNS servers for amplification, and that it was perpetrated by the “Lizard Squad” hacker group.

Lizard Squad claimed on Twitter that it had taken down EA’s servers, and has previously claimed responsibility for repeatedly knocking over Sony’s PlayStation Network, Microsoft’s Xbox Live and other online gaming services.

TeliaSonera chief Johan Dennelind told ZDNet that the ISP had not “seen an attack on that type of scale before”.

This article was updated at 7.40am PT to change “a few thousand customers” to “thousands of customers” — a correction made at Telia’s request, which may indicate that there were more than a few thousand victims.

Yik Yak shown no slack in intern hack attack

Getting hacked seems to be a rite of passage for social media companies. It’s a sign that they’ve grown big enough to attract the attention of the hacking community.

Right on schedule, anonymous local chatting app Yik Yak has been hit with a big security breach, a mere two weeks after closing its $62 million round led by Sequoia. An intern from a security firm figured out how to unearth people’s real-life identities and take control of their accounts.

I reached out to Yik Yak for comment and a spokesperson said, “Upon being informed of the issue, Yik Yak acted immediately to address and remedy the situation.” The company released an updated app last week that fixes the hole, before SilverSky Labs, a security firm, disclosed the flaw on Monday.

Yik Yak is huge in U.S. colleges, where people within a two-mile radius of each other can post anonymous, public messages to a feed.

A young intern at SilverSky Labs decided to test Yik Yak’s system given recent privacy controversies in the anonymous app space (see: Whisper). It didn’t take long to crack the app’s code — just a few days. “This attack is not particularly sophisticated,” Brandon Edwards, VP of SilverSky Labs, told me. “A lot of the tools [we used] are commonplace in network analysis.”

Intern Sanford Moskowitz figured out that although Yik Yak encrypted the messages sent over its network, it also communicated with third-party service providers that didn’t do so. Therein lay the weakness, allowing Moskowitz to find unique Yik Yak user ID numbers (different from the publicly facing username).

Since Yik Yak doesn’t require passwords, anyone with this person’s user ID number could tamper with the Yik Yak app to log into said user’s account, see their content, and post under their identity. They could also use the ID to figure out someone’s real-life identity, by running it through Wireshark and linking it to the person’s smartphone cues. For example, if you’re logged into other social networks that have your name, a hacker could trace that through your Yik Yak ID.
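As an added illustration (not code from the article, from Yik Yak or from SilverSky Labs), the following Python models the weakness described above: a constructed set of app requests, one of which sends the user ID in cleartext to a hypothetical third-party analytics host, and two server-side login models, the ID-only model the article describes beside one that requires a random per-device secret. All hosts, IDs and request bodies are constructed sample values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample of an app's outbound requests (hypothetical hosts and IDs).
# The app's own API is encrypted, but a third-party analytics call is not.
SAMPLE_TRAFFIC = [
    {"host": "api.example-app.invalid", "tls": True, "body": "user_id=u1001&msg=hello"},
    {"host": "analytics.third-party.invalid", "tls": False, "body": "event=open&user_id=u1001"},
    {"host": "cdn.example-app.invalid", "tls": False, "body": "asset=logo.png"},
]

def leaked_ids_from_cleartext(traffic):
    """Return user IDs visible to a passive observer on the path, i.e. those sent without TLS."""
    leaked = []
    for req in traffic:
        if req["tls"]:
            continue  # encrypted payloads are opaque to an observer on the network
        for uid in parse_qs(req["body"]).get("user_id", []):
            leaked.append(uid)
    return leaked

class IdOnlyAuth:
    """The weak model: knowing the user ID is enough to act as that user."""
    def __init__(self, user_ids):
        self.users = set(user_ids)
    def login(self, user_id):
        return user_id in self.users

class SecretTokenAuth:
    """Hardened model: a random per-device secret is required; the server keeps only its hash."""
    def __init__(self):
        self.hashes = {}
    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()
    def register(self, user_id):
        token = secrets.token_hex(32)  # issued once, over the encrypted API only
        self.hashes[user_id] = self._digest(token)
        return token
    def login(self, user_id, token):
        stored = self.hashes.get(user_id)
        if stored is None:
            return False
        # constant-time comparison so the check itself leaks nothing about the stored hash
        return hmac.compare_digest(stored, self._digest(token))
```

A leaked ID alone satisfies `IdOnlyAuth.login` but fails `SecretTokenAuth.login`, which is the property a defender wants: an identifier that travels over third-party channels must never double as the credential.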

Until recently, Yik Yak had been the bastard child of the Secret-Whisper triangle, largely forgotten by Silicon Valley. But with its star on the rise, its days of anonymity are over. Its systems are now under scrutiny, from investors, press, and hackers alike.

Feedly’s “extortion” attack continues with third DDoS wave

Feedly is suffering yet another distributed denial of service (DDoS) attack, the third since the news aggregation service was first targeted on Wednesday. The company, whose service was going up and down like a yoyo at the time of writing, tweeted on Friday that it was “working on it” — presumably with CloudFlare, as the CDN and security firm’s name appears on Feedly’s error page. When the first wave hit, Feedly said the attacks were part of an extortion attempt that apparently also targeted other unspecified firms.

Target confirms PIN data was stolen in mega-breach

The massive Black Friday data breach that caused Target to keep call centers open on Christmas to support the 40 million customers affected might not be over just yet. CNNMoney has announced via Twitter that debit card PIN data was also stolen in the attack. This means that customers who purchased items in Target stores between November 27 and December 15 could have their entire bank accounts compromised, not just debit/credit transactions. It’s not the news Target customers want to hear, but it does show how deep this breach really goes.