Not every security story has to involve a potentially catastrophic piece of malware out to steal your identity and destroy your computer. Sometimes, exploits are ineffective, trivial or just plain silly. In today's selection of news items, two Polish researchers uncover harmless tricks to embed messages in dance music and get free beer from restaurants. Meanwhile, a Mr. Robot-themed piece of ransomware is making the rounds, but fear not: It doesn't actually work.
You can dance if you want to
Ibiza isn't just the name of a Spanish resort island; it's also a style of dance music. Krzysztof Szczypiorski, a security researcher from the Warsaw University of Technology, took advantage of the music's unique stylings to encode secret messages inside songs. A Morse-code-like algorithm encoded the message "steganography is a dancer!" in five different popular songs remixed in the Ibiza style.
These messages are inaudible to human ears, but by listening carefully to faster or slower tempos, someone who knew the code could translate a rhythm into a message. The potential security applications here are obvious, but the real treat would be imagining high-ranking government officials blasting "Dancing Queen" with straight faces.
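To make the tempo idea concrete, here is an added Python sketch (not the researcher's own algorithm or code) that hides text as per-beat tempo shifts, recovers it, and counts beat-to-beat tempo jumps the way an analyst checking a track might. The 128 BPM base tempo, the 1% shift, "faster beat = dot, slower beat = dash" and on-tempo beats as gaps are all assumptions made for the illustration.

```python
import string

# International Morse code for a-z, plus "!" so the article's message round-trips.
CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
         "--.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
MORSE = dict(zip(string.ascii_lowercase, CODES))
MORSE["!"] = "-.-.--"

BASE_BPM = 128.0  # assumed tempo of the cover track
DELTA = 0.01      # assumed 1% tempo shift per hidden symbol


def encode(message, base=BASE_BPM, delta=DELTA):
    """Return one tempo value per beat: faster = dot, slower = dash."""
    beats = []
    for word in message.lower().split():
        for ch in word:
            for sym in MORSE[ch]:
                beats.append(base * (1 + delta) if sym == "." else base * (1 - delta))
            beats.append(base)  # one on-tempo beat closes a letter
        beats.append(base)      # a second on-tempo beat closes a word
    return beats


def decode(beats, base=BASE_BPM, tol=0.002):
    """Recover the text by classifying each beat's deviation from the base tempo."""
    reverse = {code: ch for ch, code in MORSE.items()}
    out, sym, gaps = [], "", 0
    for bpm in beats:
        dev = (bpm - base) / base
        if abs(dev) <= tol:  # on-tempo beat: letter or word gap
            if sym:
                out.append(reverse.get(sym, "?"))
                sym = ""
            gaps += 1
            if gaps == 2:
                out.append(" ")
        else:
            gaps = 0
            sym += "." if dev > 0 else "-"
    return "".join(out).strip()


def tempo_changes(beats, tol=0.002):
    """Detection side: count beat-to-beat tempo jumps larger than tol."""
    return sum(abs(b - a) / a > tol for a, b in zip(beats, beats[1:]))
```

A track rendered at one fixed tempo yields zero jumps from `tempo_changes`, while a carrier built by `encode` yields many, which is the statistical fingerprint a reviewer would look for.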
Restaurant-reward apps are great, but there's just one tiny catch: You have to actually spend money to get points. Wouldn't it be great if you could just get food and drinks for free? Kuba Gretzky, a Polish software developer, thought so. He embarked on a quest to see how secure his favorite rewards app might be, and found that while hacking it was complicated, it definitely wasn't impossible.
The process was complicated, but basically, the rewards app (he didn't name it, for fear of others replicating his success) uses a location beacon technology from Estimote. Using the Estimote software-development kit, he was able to reverse-engineer how the beacons collected PINs from legitimate users. Using an Android phone and a Windows machine running a fake virtual private network, Gretzky could enter a fake PIN and add points to his account without actually buying anything. Bottoms up!
Fans of the Mr. Robot TV show know of FSociety, an Anonymous-like hacking collective that drives the program's plot. The show's second season involves ransomware created by FSociety, and some enterprising hacker took that as license to make his or her own program inspired by the show. FSociety ransomware is now making the rounds, but the good news is that it doesn't actually work.
Security researcher Michael Gillespie discovered the FSociety ransomware while trawling the Internet, but didn't find it to be much of a threat. It will indeed encrypt a user's files, but it uses a known algorithm and doesn't actually demand anything. It just displays an FSociety logo, meaning it's probably a work in progress. If you do encounter it, follow the instructions to use a decryption key.