Weekly Cybernote #10

For this edition of the Weekly Cybernote, first of all, we will touch on Project Zero, the elite crack team set up by Google to fight zero-day attacks. We will then discuss an attack identified in China that apparently targeted databases of state employees living in the US. Lastly, we will look at how the Gmail application on iOS could very well prove to be the ideal opportunity for hackers.

Google creates “Project Zero”, an elite team to fight 0-day attacks
Through this team, whose existence is expected to become official shortly, Google intends to test the security of not only their products, but the products of other software vendors as well. Once an exploit is discovered, it would be communicated to Google, who will have between 60 and 90 days to fix it before it becomes officially public on the Project Zero blog. These deadlines may shrink to only 7 days if hackers have already exploited the flaw. The aim is to encourage vendors to track the quality of the tools they provide to their clients to the best of their ability. Ben Hawkes, a New Zealand security researcher and member of this team, discovered a dozen bugs in Adobe Flash and the Microsoft Office software suite. Tavis Ormandy is one of the most prolific vulnerability hunters in the world. He took the antivirus industry by storm by revealing grave problems in certain Sophos products and discovered a zero-day vulnerability in Windows in June 2013, but the list doesn’t stop there. The team is also set to grow, since Google is hiring to add members to it.

An attack originating in China has targeted databases of American state employees
Chinese hackers have managed to penetrate federal administration files containing the personal details of all state employees, including those in the secret service and defense departments, according to the New York Times on Thursday. The Office of Personnel Management, the American ministry that manages federal state employees, and the Department of Internal Security attempted to remedy any possible intrusions as soon as they became aware of them. The hackers struck in March and snooped through the records of tens of thousands of persons who had applied for jobs in order to obtain security accreditations, affirmed the daily, quoting anonymous persons in charge.

Gmail on iOS: the new El Dorado for hackers?
Users of Apple mobile terminals who have installed Gmail on their iOS devices may have their data intercepted by hackers for a simple reason: Google has not yet set up any security technology to prevent hackers from reading and modifying encrypted communications exchanged with the web giant, wrote Avi Basan, CTO of Lacoon Mobile Security, a company based in Israel and the US. Legitimate websites use digital certificates to encrypt data traffic with the SSL/TLS (Secure Sockets Layer / Transport Layer Security) protocols. However, in certain cases, hackers can falsify these certificates in order to observe and decrypt such traffic. Fortunately, this threat can be kept at bay using certificate “pinning”, which hard-codes details of the legitimate digital certificate in an application.

Weekly Cybernote #9

For this 9th edition of our Weekly Cybernote, we will as usual cover three topics. The first concerns the new banking malware Dyreza, while the second will be about how YouTube is used by hackers to sell credit card numbers. Lastly, the third point revisits an old story about Nokia, who allegedly gave in to a hacker’s threats and paid millions of euros to regain control over its OS Symbian.

Dyreza: the new malware that targets users of banking websites
After Zeus, which has become famous for all the wrong reasons, researchers identified the Dyreza Trojan horse that was used to dupe the clients of banking websites with man-in-the-middle attacks that intercept internet users’ login credentials. The malware Zeus (or Zbot), already rampant since 2006 and targeting bank clients, gave way to Dyreza, also known as “Dyre”. As for this other Trojan, it also attacks bank clients. Recently identified by security researchers, it is used for launching MITM (Man in the middle) attacks, with the cybercriminal intercepting unencrypted traffic and misleading users into thinking they are on a secure connection with their bank. Even though Dyreza bears several similarities to Zeus, it is not a derivative but rather a new malware program. It uses an interception technique on the targeted browser to view unencrypted traffic in order to sneak in when a user attempts to set up a secure SSL connection with a website. During a Dyreza-led attack, the user will be under the impression that he is entering his authentication credentials on his bank’s website and establishing an SSL connection, but the malware is in fact redirecting traffic to its own servers.

YouTube, new platform for selling credit card data
You would think that to obtain stolen credit card numbers, you would need to arm yourself with all the latest complex cryptographic tools and plunge into the Darknet, as was the case for Silk Road, the underground Canadian supermarket shut down by the FBI in 2013. Today there is a much simpler way to do this: log on to YouTube. A report that the Digital Citizens Alliance (DCA) has just published shows that Google’s website is indeed used by a large number of hackers to promote their illegal services. Simply type in the right keywords, such as “CC info with CVV” or just “how to get credit card numbers”. YouTube will then return a whole list of film adverts, which sometimes run into tens of thousands. This is the opportunity for the hacker to show some samples, just to prove that he has what he claims to have. You will then see rows of a table listing credit card numbers, the type of card (Visa, Mastercard, etc.), the cardholder’s first name and last name and even the 3-digit security code (CVV).

Nokia paid millions of euros in ransom for Symbian
A Finnish television channel recently revealed that the telecoms manufacturer Nokia was blackmailed 6 years ago by hackers and paid a “ransom” of several million euros. The events have been partially confirmed by the police. Apparently, hackers had gotten their hands on the keys allowing the decryption of a central portion of the Symbian source code, the operating system on older Nokia terminals. They then threatened to go public with the code, which would have compromised its integrity. It would have been possible to insert malware programs without them being detected. This was obviously a risk that Nokia did not wish to take. Following the orders they received, Nokia left a suitcase of bills in a parking lot, which the hackers immediately took. Nokia had warned the police beforehand, but they were unable to keep track of the blackmailers. The investigation is still ongoing.

Weekly Cybernote #8

For this eighth edition of the Weekly Cybernote, we will concentrate on three very different subjects: the hack orchestrated by Iranian cyber-spies through a bogus news website, the music streaming service Spotify whose data had been hacked, and lastly a cybercriminal in Australia who hijacked Apple devices for ransom.

A group of Iranian cyber-spies targeted more than 2000 military officials using a bogus news website
In Iran, a group of cyber-spies managed to spy on more than 2000 people, including American and Israeli military officials using a fake news site called NewsOnAir.org. For three years, these spies used this site to target and establish contact with military personnel in the US and in Israel and hack their personal accounts on social networks. The operation was apparently orchestrated by Iranians but there is still insufficient information to trace back to the main mastermind. According to iSight, the site republished legitimate articles that were first published by actual press organizations, including BBC and press agencies Associated Press and Reuters, but with the bylines replaced by fake reporters’ names. The identities of some journalists were also stolen in this affair.

Spotify victim of a hacking
After eBay, it was Spotify’s turn to get hacked. The Swedish online music giant had in fact detected “unauthorized access” to its systems and internal data. As simple users of the service, there is not much to worry about, as only personal particulars may have been compromised. Anything more confidential, such as passwords or credit card PINs, was not involved in this operation. However, as a precaution, Spotify advises its users to log off and log on again to the service in order to update security measures. Users of the service are also urged to update their Android applications through Google Play, the Amazon Appstore or the official website. As for iOS or Windows Phone, nothing amiss has been reported.

An Australian cybercriminal demands a ransom for unlocking Apple devices
Oleg Pliss is a cybercriminal based in Australia who demanded a ransom for unlocking Apple devices. Pliss apparently “hijacked” several Australian iPhones, iPads and Macs, which he would unlock in exchange for sums ranging from 50 to 100 dollars. For almost a week, several owners of such devices in Australia were woken up by unpleasant messages indicating that their devices had been hacked and that they would need to pay a ransom in order for them to be unlocked. The hacker, who used the name of an engineer at Oracle, demanded payment from targeted users to his PayPal account before he would restore the devices to working order.

Weekly Cybernote #7

For this latest edition of the Weekly Cybernote, we will expand on three hot topics that have been widely debated on the internet over the past week: the notorious hack on eBay’s website and the theft of its users’ data, the zero-day flaw identified on Internet Explorer 8 that had still not been fixed by Microsoft even after 7 months, and lastly, new revelations from WikiLeaks about the NSA. 

eBay victim of hacking: personal data of millions of users exposed
eBay, the online auction giant, was last week the victim of a major online attack that aimed to retrieve its users’ private data. As such, this cyber-attack compromised the American giant’s databases, which contained among other things its users’ encrypted passwords. Following the detection of this attack, eBay decided to act in full transparency and reacted quickly by asking users to change their passwords as quickly as they could. Fortunately, only a tiny portion of eBay users were affected by this attack – those who accessed the site between late February and early March. Apparently, eBay discovered this attack about two weeks ago. eBay has indicated that it is currently working with a team of experts to identify the masterminds of this attack, who are still unknown. The only upside: PayPal data of users of the auctioning service was intact, as it is stored separately in encrypted formats.

Internet Explorer 8: a zero-day vulnerability of more than 7 months still unfixed
The Redmond-based firm dropped a bombshell last week – it was discovered that Microsoft had not fixed a security flaw affecting its web browser Internet Explorer 8, which dates back to October 2013. This is no small flaw, since it would allow users to install malicious code on workstations in order to take full control of them. It is currently estimated that more than 20% of Microsoft users surf the net using IE8, making it an even more dangerous vulnerability. For a hacker to exploit this flaw, he would need to trick his potential victim into visiting a website that has been specially crafted for this purpose, in IE8 of course. Conventional methods (phishing e-mails, instant messages containing fraudulent links etc) may help a hacker to launch his attack. This vulnerability was discovered in October 2013 by Peter Van Eeckhoutte, a Belgian researcher, during the Zero Day Initiative program. Despite this discovery, Microsoft has still not done anything ever since then to fix the flaw. Microsoft has communicated on the subject by asking its users to install the patch released urgently at the beginning of the month. Arkoon+Netasq’s ExtendedXP allows protecting workstations running on Windows XP and using Internet Explorer 8.

WikiLeaks: the NSA allegedly recorded all communications in Afghanistan
The famous whistle-blowing website WikiLeaks has just revealed that Afghanistan is the second country in which the NSA has recorded all cell phone communications. This is the country that the media such as The Washington Post and The Intercept had preferred not to name for security reasons. WikiLeaks has stated that it does not wish to name the source of this revelation in order to protect it. Julian Assange’s service therefore continues to stand up to state censorship, going as far as to claim that to date, no proof has been submitted by any government organization to show that any of the eight million publications revealed by WikiLeaks has prejudiced anyone in particular. For WikiLeaks, hiding such information would therefore condone and participate in this organized censorship.

Weekly Cybernote #6

For today’s Weekly Cybernote, we will focus on two security-related current events that have been highly discussed on the web for more than a month and a half now: the end of support for Windows XP and the Heartbleed flaw. We will also talk about Adobe, whose Creative Cloud experienced a huge outage last week.

Attacks on Windows XP and still no fix from Microsoft
The Redmond vendor remains firm on its decision to end support for Windows XP and refuses to fix a bug in Internet Explorer that has already been exploited by hackers. Microsoft and external security experts have indicated that hackers had been exploiting a vulnerability in Internet Explorer under Windows XP and on the last Patch Tuesday, no fix was provided to resolve the issue, in line with the decision to cease all support for the system. The bug, which has been identified with the reference CVE-2014-1815, is one of two critical vulnerabilities affecting IE6, IE7, IE8, IE9, IE10 and IE11 and patched by Microsoft last Tuesday. In the Security Advisory, the vendor pointed out that the vulnerability was already known and was already exploited by hackers even before this update. However, since Windows XP has stopped being supported since April, XP users did not receive a security patch for IE, unlike users of Windows Vista, Windows 7 and Windows 8. Arkoon+Netasq’s ExtendedXP allows keeping Windows XP workstations safe in the best security conditions.

Heartbleed: errors observed in the application of certificates and bug fixes
Despite the swift measures taken by certain sites to protect themselves from the Heartbleed attack, some of them realized that they were not better protected than before, and in some cases, found themselves even more exposed. After having fixed their version of OpenSSL following the Heartbleed attack on April 7th, many sites also went on to revoke their compromised SSL certificates by replacing them with new certificates. But according to a survey, 30 000 sites received replacement certificates based on the same compromised private key used in previous certificates. This means that anyone who managed to steal the private key of one of these servers before it was patched can still use the key to trick the server by launching a man-in-the-middle attack.
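A defender's check for the failure described above, as an added example that is not part of the original post: it compares the SHA-256 fingerprint of the public key in the old and the replacement certificate, which stays identical when a certificate is reissued without generating a new key pair. The file names, the www.example.test subject and the throwaway certificates are constructed for the demonstration, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: detect a replacement certificate that still uses the old key pair.

# Print the SHA-256 fingerprint of a certificate's SubjectPublicKeyInfo.
# It depends only on the public key, not on the serial number, dates or issuer.
spki_sha256() {
    _pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$_pub" \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# Exit status 0: the replacement was issued on the SAME key (not rekeyed).
# Exit status 1: the key changed. Exit status 2: a certificate could not be read.
reissued_on_same_key() {
    _old=$(spki_sha256 "$1") || return 2
    _new=$(spki_sha256 "$2") || return 2
    [ -n "$_old" ] && [ "$_old" = "$_new" ]
}

# Build constructed sample data: an original certificate, a replacement signed
# over the same key, and a replacement signed over a freshly generated key.
make_samples() {
    _dir=$1
    openssl ecparam -genkey -name prime256v1 -noout -out "$_dir/old.key" 2>/dev/null
    openssl ecparam -genkey -name prime256v1 -noout -out "$_dir/new.key" 2>/dev/null
    openssl req -x509 -new -key "$_dir/old.key" -subj "/CN=www.example.test" \
        -days 30 -out "$_dir/original.pem" 2>/dev/null
    openssl req -x509 -new -key "$_dir/old.key" -subj "/CN=www.example.test" \
        -days 365 -out "$_dir/reissued.pem" 2>/dev/null
    openssl req -x509 -new -key "$_dir/new.key" -subj "/CN=www.example.test" \
        -days 365 -out "$_dir/rekeyed.pem" 2>/dev/null
}

# Temporary directory holding the constructed certificates (left for inspection).
SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"

for candidate in reissued rekeyed; do
    if reissued_on_same_key "$SAMPLES/original.pem" "$SAMPLES/$candidate.pem"; then
        echo "$candidate.pem: same public key as the original, generate a new key and reissue"
    else
        echo "$candidate.pem: public key differs from the original"
    fi
done
```

Against a real deployment, the first argument would be the certificate that was in service before the patch and the second the one currently served.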

Adobe’s Creative Cloud hit by a huge outage
Almost all the services and solutions in Adobe’s Creative Cloud suite were inaccessible throughout several regions worldwide, including Europe. At the time of writing, the problem was still unresolved and Adobe’s teams are looking into the cause of the malfunction. Only the file synchronization service escaped unharmed from this giant outage. At the same time, new accounts (Adobe ID) still cannot be created, as is the case with all Creative Cloud subscriber services. This is Adobe’s first major breakdown since the launch of Creative Cloud in June 2013.

Weekly Cybernote #5

For this latest edition of the Weekly Cybernote, we will first of all look at the data theft that took place last week at Orange, then go on to how a German hacker was able to prove that even the website of a giant such as the NSA can present obvious security flaws. To conclude, we will return to the topic of data theft, the cost of which has gone up by 9% in the US in 2014.

New data theft incident at Orange
Within the space of three months, customer data was stolen twice from the telecoms operator Orange in France. In all, at least 1.3 million people are affected by this incident of theft, compared to 700,000 in January. This incident does not affect just subscribers, but prospective clients and other service providers as well. The operator therefore had to activate a crisis communication procedure and inform all parties involved of the risks of phishing attacks that they might encounter. The fact that Orange chose to communicate on the subject was not for the sake of transparency, but simply because operators have a legal duty to notify the CNIL – the French data protection authority – of such thefts and inform the persons involved of the risks they are exposed to when their data is no longer anonymous. New regulations that will soon be in force in France and in Europe are expected to push companies to report data thefts to their clients on a more regular basis and to play the transparency card. Even though Orange was well aware that data had been stolen, many French companies, even the big ones, are not as well-versed in cybersecurity and fall victim to major attacks and data theft without even realizing it.

German hacker detected two vulnerabilities on the NSA website
It is amazing how you can be a giant in electronic intelligence, invest billions in technology and still have a poorly secured website! Matthias Ungethüm, a German security researcher, found and exploited two security flaws on the NSA’s homepage. The first vulnerability allowed him to inject code directly into the page, using cross-site scripting. By clicking on a link specifically created for that purpose, an internet user will not access the actual NSA page but a modified copy that looks exactly the same. As for the second vulnerability, it is more problematic. According to the hacker, it allows injecting SQL code in order to access databases relating to the web server, with the obvious purpose of siphoning them. To avoid attracting legal trouble, the hacker did not go further than just discovering the vulnerabilities. He simply confirmed that they indeed existed, while explaining that it does not take much technical expertise to exploit them. He did nonetheless alert the NSA, but has yet to hear from them.

The cost of data violation went up by 9% in the US in 2014
According to the 9th Cost of a Data Breach report published by the Ponemon Institute, the average cost of each data breach has reached 200 dollars in 2014 in the United States, an increase from $188 in 2013. The report therefore revealed an overall increase of 9% in terms of the cost of data violation in the United States, representing a total of 5.4 million dollars in 2014. 61 American corporations, representing 12 different activity sectors, participated in this survey and were exposed to this type of attack. More than 500 people were interviewed directly in the corporations involved and in government organizations. The industries that were most severely affected were healthcare, transportation, power production, financial services, communications, pharmaceuticals and the manufacturing sector.

Weekly Cybernote #4

For this latest edition of the Weekly Cybernote, we have chosen three hot topics that have made waves this week in the cybersecurity ecosystem. First of all, we will talk about the notorious vulnerability on Internet Explorer that gave Windows XP users quite a scare. Then, we will continue on the subject of browsers with the flaw that targets Safari in Mac OSX. Lastly, we will discuss France’s place in the annual number of cyber-attacks. 

The zero-day vulnerability on Internet Explorer fixed in Windows XP
Microsoft seems to have hogged the headlines this week, with a zero-day flaw targeting Internet Explorer. Having announced the end of support for Windows XP on April 8th, Microsoft had decided not to provide any patches for this vulnerability under the OS. On May 1st, Microsoft obviously had a change of heart and provided a security patch (MS14-021) that is valid for all versions of Internet Explorer (IE6 to IE11), and for all versions of Windows (including XP). Adrienne Hall, General Manager at Microsoft, also explained that the buzz surrounding this vulnerability had been exaggerated, as very few attacks had been launched on this particular flaw. Whatever it is, people are starting to wonder what Microsoft’s position is with regard to Windows XP, which was supposed to no longer be patched since 8 April. 

A security flaw that went unfixed for three weeks on Safari iOS
Safari may not create as much buzz as Internet Explorer due to a smaller following, but security issues have clearly marred Apple’s signature browser. According to a former Apple security engineer, iOS users remained exposed to known security issues – previously patched in Safari for Mac OSX – for more than three weeks. In short, the vendor let three weeks go by between its patch for Safari Mac and the one for Safari iOS. Kristin Paget, the security researcher in question, left Apple in late January to join Tesla Motors. Incidentally, she was a vocal critic of the way Apple delivered fixes.

France one of the top 5 European nations exposed to advanced threats
According to a report published by FireEye, France was in the top 5 European countries most affected by targeted attacks. It even holds the record number of economic sectors hit by professional cybercriminals. From agriculture to finance, and technology and education, all sectors were recently treated to their dose of advanced and targeted attacks, commonly known as APTs. France came in fifth among the European nations with the highest number of APTs, behind Germany, the UK, Switzerland and Luxembourg. The sectors that were affected the most were the public sector (25%) and finance (22%).

Weekly Cybernote #3

For this third edition of the Weekly Cybernote, we shall first talk about a new malware program that has been rampant on the web, targeting jailbroken iPhone users. We will then touch on an Israeli start-up that may have developed a technology capable of detecting Stuxnet-like attacks. To conclude, we will go over the Interior Minister’s plan to create, among other things, an online portal to report potential wannabe cyber-terrorists.

Malware steals the Apple IDs of users of jailbroken iPhones
When someone tells you that jailbreaking an iPhone is bad, they’re not kidding! Indeed, some iOS users have recently come across an illicit library of unknown origin on their online devices, which has turned out to be a malware program that targets Cydia Substrate, a specially designed framework for jailbroken terminals that allows developers to build modifications for iOS. This platform makes it possible to extend the behavior and use of iOS in ways that Apple has formally prohibited, using key system functions. Called Unflod or Baby Panda, this new malware program takes the form of a dynamic library on the framework, intercepting the SSL Write function on iOS to read data even before it is encrypted and sent over a secure SSL connection. It monitors traffic in order to detect authentication requests to Apple services, and extracts logins and passwords before sending them to an IP address. Based on the earliest analyses, it would appear that everything points to the attack originating in China.

An Israeli start-up may have developed a system for detecting Stuxnet-like attacks
In Israel, the start-up ThetaRay has developed in conjunction with General Electric a security technology that detects attacks similar to the one launched by the infamous Stuxnet worm on critical infrastructure systems used for energy production. The system uses algorithms invented by two Israeli university professors. For the moment, this technology only monitors power-production installations and industrial SCADA systems. Expected to be generally available around September, the technology could also be applied to other industries, such as financial services. The Stuxnet worm, reputed for its sophistication and complexity, was initially developed by American and Israeli intelligence services. For a very long time, the worm managed to carry on its existence unnoticed by creating false data that did not arouse suspicions. Because the worm is also reputed to be uncontrollable, all power-production installations remain in a state of alert, even today, months after its discovery. ThetaRay’s solution would be able to identify this type of attack in industrial systems. It is currently being tested in a power plant in New York.

Toward the creation of a portal to inform on potential cyber-terrorists
Intervening before young adolescents fall prey to cyber-terrorism is one of the main objectives unveiled by the French Interior Minister Bernard Cazeneuve on April 23rd in his anti-radicalization and anti-terrorism plan. One of the plans underway is the creation of an internet portal. You might already be acquainted with the Pharos platform that allows reporting inappropriate or illegal content on the web. Now it is possible to directly report users who look up such content to the Interior Ministry. According to this plan and to the daily Libération, the possibility of gathering internet data remotely from terrorists should be extended.

Weekly Cybernote #2

For this second edition of the Weekly Cybernote, we will obviously be covering once again the notorious Heartbleed flaw, which has been extensively discussed online. We will then talk about a project developed by Google which aims to push up the appearance of encrypted websites in search results. Lastly, we will conclude on the topic of the exploitation of a flaw in casinos that has allowed its perpetrators to plunder 10 million euros.

First Heartbleed hack arrest
Heartbleed certainly has not stopped being a hot topic on the web. Indeed, this week saw the first arrest relating to the exploitation of the bug since it was discovered. A 19-year-old living in Canada was arrested under suspicion of being behind the leak of 900 social insurance numbers on the website of the Canada Revenue Agency. In Canada, a social insurance number allows making applications to public administrations, as well as banking organizations or medical and social service providers, or even applying for a job. Needless to say, the hacker turned the Heartbleed flaw to his advantage to accomplish his goals. Stephen Arthuro Solis-Reyes, a Western University student living in London, Ontario, was arrested on Tuesday by local authorities who seized his computer equipment as evidence. The Royal Canadian Mounted Police (RCMP), who had been keeping tabs on the hacker, took only four days to find him. The accused apparently was not a professional hacker, who would have been more adept at hiding his tracks and delaying his arrest.

Google wishes to boost encrypted websites in its search results
At the SMX West marketing conference, Google engineer Matt Cutts hinted at a potential tweak to Google’s search algorithm within the next few months with the aim of favoring encrypted websites in its search results in order to add a layer of security for its web users. The objective of the project is clear – to force companies to encrypt their websites’ data so as to offer internet users a more secure online experience. In the face of upsurges in cyberattacks and government spying, projects like these no longer come as a surprise in 2014. The latest vulnerabilities discovered in the OpenSSL library have shown that current security measures, established on a large majority of websites, were not the most reliable.

They exploited a flaw in slot machines and plundered 10 million euros
Slot machines are not spared from bugs, some of which are even critical and can cause heavy financial loss. The German company Paul Gauselmann, one of the largest suppliers of slot machines in Germany, learned that the hard way recently. A large group of people, in an organized operation, managed to con more than 100 000 such machines spread out in gaming areas throughout Germany. In total, the amount stolen from the “one-armed bandits” is estimated at 10 million euros. To pull off such a heist, the players exploited a software vulnerability on the roulette game offered on these machines. A simple combination of buttons allowed winning the jackpot, regardless of the results of the draw. This causes one to wonder if the thieves actually stumbled upon this bug by pure chance, or whether an employee of Paul Gauselmann was part of the scheme.

Weekly Cybernote #1

Today we are inaugurating a new section on the blog. Every week, the aim of the Weekly Cybernote will be to synthesize the top security news of the week in France and abroad, so we will choose 3 leading topics that are not to be missed. We will cover the notorious Heartbleed vulnerability that has sent waves of panic through the web this week, as well as the end of support for Windows XP, and lastly, the story of a 5-year-old boy who managed to find a flaw in the Xbox One’s system.

Heartbleed: critical security flaw on OpenSSL
The fear over the internet this week was almost palpable. Information security experts have advised administrators to fix a critical vulnerability that was identified on OpenSSL, an open source library of encryption protocols. This library is used mainly by some of the biggest names such as Google or Yahoo. This vulnerability has been named “Heartbleed”. For the average user, it affects web pages that are displayed in the browser with a padlock in the address bar. Initially, this vulnerability was discovered in December 2011, but was fixed only this week by version 1.0.1g of OpenSSL. Affected versions range from 1.0.1 to 1.0.1f (except the 1.0.0 branch and 0.9.8). Once it is exploited, this critical vulnerability will allow hackers to monitor all the information sent between a user and a web service, and to decrypt the information gathered in this manner. The hacker can then go on to spy on communications or directly steal private data from websites or from individual users. In terms of process, this vulnerability allows hackers to exploit only 64KB of memory data in a single attack, but attempts to obtain several sequences of 64KB may be successful by maintaining an active TLS link. Affecting even the biggest players on the web, this vulnerability was under the media spotlight, and fortunately, immediately set straight by the most critical infrastructures.

April 8th 2014: Microsoft officially put an end to Windows XP
The bell had been tolling for several months and has now become a reality: ever since April the 8th, Microsoft has stopped support for Windows XP. After 13 years of good and loyal service, the time has come for the Redmond firm to bid goodbye to its signature operating system. Even though Microsoft’s best recommendation was to migrate to later versions of Windows, certain critical infrastructures had no other choice but to stick with Windows XP. Nonetheless, Microsoft offers high-level support for certain privileged clients, although this remains a costly alternative even for large infrastructures. Moreover, about 30% of PCs online worldwide still run on Windows XP. Among all the alternatives to migration, we are proud to present ExtendedXP, which allows you to keep the security of your workstations in Windows XP intact even after the fateful date.

A young boy of 5 hacked his father’s Xbox One
It is said that wisdom does not come with age, and this case proves this proverb true once again. Kristoffer is a young boy of 5 living in San Diego, California. Behind this name hides what must be the youngest hacker in history. While trying to play games that his father prohibited him from playing, the young boy stumbled upon a security flaw that allowed him to break into his father’s Xbox account. By entering the wrong credentials once, and then filling the second password entry screen with spaces and pressing Enter, Kristoffer was able to gain full access to a prohibited zone in the system, thereby granting access to the Holy Grail. Microsoft acknowledged the young boy’s discovery of this flaw by rewarding him with a year-long subscription to the Xbox Live service. As for his dad, who happens to work in information security, he admitted to being proud of his son despite it all, and for a very good reason! This is one little boy whose future has already been mapped out in the field of security…