Tag: hackers

By Jack Morse for Mashable 

A million hacked Facebook accounts isn’t cool. You know what’s even less cool? Fifty million hacked Facebook accounts.

A Friday morning press release from our connect-people-at-any-cost friends in Menlo Park detailed a potentially horrifying situation for the billions of people who use the social media service: Their accounts might have been hacked. Well, at least 50 million of them were “directly affected,” anyway.

The so-called “security update” is light on specifics, but what it does include is extremely troubling.

“We did see this attack being used at a fairly large scale.”

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” reads the statement. “[It’s] clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”

That’s right, almost 50 million accounts were vulnerable to this attack. As for how many were actually exploited?

“Fifty million accounts were directly affected,” explained Facebook VP of product management Guy Rosen on a Friday morning press call, “and we know the vulnerability was used against them.”

“We did see this attack being used at a fairly large scale,” added Rosen. “The attackers could use the account as if they are the account holder.”

The statement itself didn’t provide much additional insight.

“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” continues the statement. “We also don’t know who’s behind these attacks or where they’re based.”

Facebook says it’s fixed the vulnerability, and that 90 million people may suddenly find themselves logged out of their accounts or various Facebooks apps as a result.

The disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.

So, yeah, this is big.

“Security is an arms race,” Facebook CEO Mark Zuckerberg dryly noted on the press call.

Facebook is working with law enforcement, and, at least for now, says you don’t need to change your password. But maybe go ahead and log out of your account, everywhere, just to be safe.

“[If] anyone wants to take the precautionary action of logging out of Facebook, they should visit the ‘Security and Login’ section in settings,” advises the warning. “It lists the places people are logged into Facebook with a one-click option to log out of them all.”

So yeah, click through that link and log out of your account on all webpages and apps at once. After that, maybe think long and hard about whether it’s even worth logging back in.

2018’s worst cyber-security breaches

By Lily Hay Newman for Wired 

Looking back at the first six months of 2018, there haven’t been as many government leaks and global ransomware attacks as there were by this time last year, but that’s pretty much where the good news ends. Corporate security isn’t getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated.

Here are the big digital security dramas that have played out so far this year—and it’s only half over.

Russian grid hacking
In 2017, security researchers sounded the alarm about Russian hackers infiltrating and probing United States power companies; there was even evidence that the actors had direct access to an American utility’s control systems. Combined with other high-profile Russian hacking from 2017, like the NotPetya ransomware attacks, the grid penetrations were a sobering revelation. It wasn’t until this year, though, that the US government began publicly acknowledging the Russian state’s involvement in these actions. Officials hinted at it for months, before the Trump Administration first publicly attributed the NotPetya malware to Russia in February and then blamed Russia in March for grid hacking. Though these attributions were already widely assumed, the White House’s public acknowledgement is a key step as both the government and private sector grapple with how to respond. And while the state-sponsored hacking field is getting scarier by the day, you can use WIRED’s grid-hacking guide to gauge when you should really freak out.

US universities
In March, the Department of Justice indicted nine Iranian hackers over an alleged spree of attacks on more than 300 universities in the United States and abroad. The suspects are charged with infiltrating 144 US universities, 176 universities in 21 other countries, 47 private companies, and other targets like the United Nations, the US Federal Energy Regulatory Commission, and the states of Hawaii and Indiana. The DOJ says the hackers stole 31 terabytes of data, estimated to be worth $3 billion in intellectual property. The attacks used carefully crafted spearphishing emails to trick professors and other university affiliates into clicking on malicious links and entering their network login credentials. Of 100,000 accounts hackers targeted, they were able to gain credentials for about 8,000, with 3,768 of those at US institutions. The DOJ says the campaign traces back to a Tehran-based hacker clearinghouse called the Mabna Institute, which was founded around 2013. The organization allegedly managed hackers and had ties to Iran’s Islamic Revolutionary Guard Corps. Tension between Iran and the US often spills into the digital sphere, and the situation has been in a particularly delicate phase recently.

Rampant data exposures
Data breaches have continued apace in 2018, but their quiet cousin, data exposure, has been prominent this year as well. A data exposure, as the name suggests, is when data is stored and defended improperly such that it is exposed on the open internet and could be easily accessed by anyone who comes across it. This often occurs when cloud users misconfigure a database or other storage mechanism so it requires minimal or no authentication to access. This was the case with the marketing and data aggregation firm Exactis, which left about 340 million records exposed on a publicly accessible server. The trove didn’t include Social Security numbers or credit card numbers, but it did comprise 2 terabytes of very personal information about hundreds of millions of US adults—not something you want hanging out for anyone to find. The problem was discovered by security researcher Vinny Troia and reported by WIRED in June. Exactis has since protected the data, but it is now facing a class action lawsuit over the incident.

Cloud leaks pop up regularly, but data exposures can also occur when software bugs inadvertently store data in a different format or location than intended. For example, Twitter disclosed at the beginning of May that it had been unintentionally storing some user passwords unprotected in plaintext in an internal log. The company fixed the problem as soon as it found it, but wouldn’t say how long the passwords were hanging out there.

After the revelation of a data exposure, organizations often offer the classic reassurance that there is no evidence that the data was accessed improperly. And while companies can genuinely come to this conclusion based on reviewing access logs and other indicators, the most sinister thing about data exposures is that there’s no way to know for sure what exactly went down while no one was watching.

Under Armour
Hackers breached Under Armour’s MyFitnessPal app in late February, compromising usernames, email addresses, and passwords from the app’s roughly 150 million users. The company discovered the intrusion on March 25 and disclosed it in under a week—some welcome hustle from a large company. And it seems Under Armour had done a good enough job setting up its data protections that the hackers couldn’t access valuable user information like location, credit card numbers, or birth dates, even as they were swimming in login credentials. The company had even protected the passwords it was storing by hashing them, or converting them into unintelligible strings of characters. Pretty great, right? There was one crucial issue, though: Despite doing so many things well, Under Armour admitted that it had only hashed some of the passwords using the robust function called bcrypt; the rest were protected by a weaker hashing scheme called SHA-1, which has known flaws. This means that attackers likely cracked some portion of the stolen passwords without much trouble to sell or use in other online scams. The situation, while not an all-time-worst data breach, was a frustrating reminder of the unreliable state of security on corporate networks.

One to watch: VPNFilter
At the end of May, officials warned about a Russian hacking campaign that has impacted more than 500,000 routers worldwide. The attack spreads a type of malware, known as VPNFilter, which can be used to coordinate the infected devices to create a massive botnet. But it can also directly spy on and manipulate web activity on the compromised routers. These capabilities can be used for diverse purposes, from launching network manipulation or spam campaigns to stealing data and crafting targeted, localized attacks. VPNFilter can infect dozens of mainstream router models from companies like Netgear, TP-Link, Linksys, ASUS, D-Link, and Huawei. The FBI has been working to neutrallise the botnet, but researchers are still identifying the full scope and range of this attack.

57-million Uber users hacked

Hackers stole the personal data of 57 million customers and drivers and the ride-hailing company allegedly paid them $100,000 to delete the information and “go away”.

The data was compromised in October 2016, and Uber has managed to conceal the breach for more than a year, according to Bloomberg.

Uber claims they were involved in negotiations with US regulators about separate privacy violations at the time of the breach.

But the company now admits they were legally required to report the hack to regulators and to drivers whose license numbers were taken.

However, Uber reportedly paid the hackers $100,000 to delete the data instead.

Joe Sullivan, Uber’s chief security officer, was fired this week for his role in keeping the hack quiet. One of Sullivan’s deputies was also fired for helping.

Ex-CEO and co-founder, Travis Kalanick, reportedly found out about the hack in November 2016, but at the time Uber had just settled a lawsuit with the New York attorney general over the company’s privacy practices.

Dara Khosrowshahi took over as Uber’s new CEO in September.

‘None of this should have happened, and I will not make excuses for it,’ Khosrowshahi said in a press statement on Tuesday. ‘We are changing the way we do business.’

‘At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals.

‘We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,’ Khosrowshahi said.

The hackers stole names, email addresses, and phone numbers from 50 million Uber riders worldwide, said in the statement.

Personal information from 7 million drivers was also compromised. That figure includes about 600,000 US driver’s license numbers that were stolen.

Uber claims that no one’s Social Security numbers, credit card details, or trip location information was stolen.

The company said they don’t believe the information was ever used. Uber also declined to release the identities of the hackers.

‘While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,’ Khosrowshahi said.

Dara Khosrowshahi took over as Uber’s new CEO in September. ‘None of this should have happened, and I will not make excuses for it,’ Khosrowshahi (pictured last month) said. ‘We are changing the way we do business’ +5
Dara Khosrowshahi took over as Uber’s new CEO in September. ‘None of this should have happened, and I will not make excuses for it,’ Khosrowshahi (pictured last month) said. ‘We are changing the way we do business’

Uber’s hack joins the ranks of other massive hacks such as Yahoo and Equifax. In September, Equifax reported that the hack compromised the sensitive information of 145.5 million people and the Yahoo hack affected three billion +5
Uber’s hack joins the ranks of other massive hacks such as Yahoo and Equifax. In September, Equifax reported that the hack compromised the sensitive information of 145.5 million people and the Yahoo hack affected three billion

According to Bloomberg, Sullivan, who joined Uber in 2015, was the guy who spearheaded the response to the hack last year.

Last month, an investigation was launched into the activities of Sullivan’s security team. During the investigation, the hack and cover-up were discovered.

Uber said two attackers gained access to private GitHub coding site used by Uber software engineers, according to Bloomberg.

From there, the hackers used login credentials they obtained from GitHub to access data stored on an Amazon Web Services account.

The hackers then found an archive of rider and driver information. Once the information was accessed, the attackers asked Uber for money.

Khosrowshahi said he’s bringing on board Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, for guidance on ‘how best to guide and structure our security teams and processes going forward’.

The company is currently in the process of ‘individually notifying the drivers whose driver’s license numbers were downloaded’. Uber will also provide these drivers with free credit monitoring and identity theft protection.

Uber’s hack joins the ranks of other massive hacks such as Yahoo and Equifax. In September, Equifax reported that the hack compromised the sensitive information of 145.5 million people.

And last month, Yahoo admitted that three billion Yahoo users were affected by the 2013 data theft that the company originally said had only affected 1 billion users.

By Valerie Edwards for Daily Mail

Hackers, trolls and other tech nightmares of 2017

Remember last year, when Samsung Galaxy Note 7 devices were blowing up in people’s pockets, on nightstands and even on a commercial airplane?

That seemed like a tech nightmare for the ages. Turns out that was nothing compared to what’s happened in 2017 — so far.

No, the terminators haven’t come for us yet, though Saudi Arabia did just grant citizenship to a robot named Sophia that literally said it would kill human beings. But it still feels like we’re in some weird alternate dimension filled with a steady stream of shocking revelations, from massive government hacking programs to troll armies ruining people’s lives to the Russian government using Facebook and Twitter to interfere in last year’s presidential election.

Don’t bother pinching yourself. It’s all real. Here’s a quick recap of the year’s most gruesome tech tales.

Nonstop hacking
You’d think mega-corporations with everything to lose from a massive hack would do anything they could to prevent attacks. Think again.

Equifax, the data collection company that has your financial information whether you want it to or not, announced in September that more than 140 million people’s information had been compromised. That includes names, addresses, Social Security numbers, bank info and so on.

Worse, it turned out that Equifax knew about the hack for weeks before telling us. And when it did, the company set up a terrible website, filled with security problems like poor passwords. And, ultimately, the site itself was also hacked.

If you think these were well-meaning mistakes and not selfish blundering, keep in mind that two high-level Equifax executives sold stock just before the announcement.

It’s no wonder Equifax CEO Richard Smith suddenly retired. But don’t worry, he made out with a pay package worth as much as $90 million.

Yahoo, already synonymous with embarrassing cybersecurity failures after revelations in 2016 that the accounts of 1 billion users had been compromised, saw Equifax’s screw-up and said: We can top that.

Yahoo’s new owner, Verizon, admitted earlier this month that the attack was even worse than we thought. It turns out every single one of the 3 billion accounts in Yahoo’s system had been compromised. All of them.

That cackling you hear? That’s former CEO Marissa Mayer, who still got her golden parachute worth more than $23 million.

Oh, and if that’s not enough to keep you up at night, we learned from a cache of documents leaked from the Central Intelligence Agency that, among other things, the government could be using our TVs to spy on us. That’s right out of the plot of George Orwell’s dystopian classic, “1984.”

Trolls taking over
Internet trolls have been having one of their best years, and politicians have finally taken notice.

Congress is summoning Google, Twitter and Facebook to Capitol Hill to talk about how their online services were used by the Russian government to interfere in the US presidential election. The meetup is starting on Halloween and continues Wednesday. Do you have your Thriller popcorn yet?

The specter of Russian interference in the 2016 presidential election has forced the once-high flying tech industry back to Earth. Facebook CEO Mark Zuckerberg has faced repeated questions after he initially dismissed concerns about Russian meddling. Twitter, meanwhile, last week began banning ads from Russian-linked sites.

Did we all dance a collective time warp back to the days of the cold war?

Unfortunately, Russia isn’t the tech industry’s only problem.

Nonstop vicious and all-encompassing online harassment was another theme this year, due in some part to the troll armies that supported Donald Trump during his rise to the presidency. Twitter has declined to have its CEO, Jack Dorsey, answer even basic questions to reporters about the service’s handling of harassment among its 330 million tweeters, leading to additional pressure for the company to meaningfully change its policies.

Fake news
What, you thought we were done talking about trolls?

Maybe the most depressing part of 2017 was how much of it we spent debating what facts even are. With some people calling real stories fake and fake conspiracies real, the tech industry has been under increasing pressure to solve the problem.

And right, these companies should. After nearly a year of nonstop drumbeat debate and promises to better weed out hoax stories, the computer programs that highlight “news” on Facebook, Twitter and Google failed during the October shootings in Las Vegas. Trolls published tweets purporting to be the shooter or missing persons even as hoax stories and irresponsibly reported pieces that misidentified the shooter were prominently displayed on Google and Facebook.

So far, Facebook and a few others have promised changes, like beefing up the teams of people who monitor bad behavior on their services. They’ve also vowed to more carefully monitor ads so they don’t give a platform to misleading info.

It’s all enough to keep me quaking in my boots until 2018.

It can’t get any worse. Right?

By Ian Sherr for CNet

The rapidly evolving story about Moscow-based Kaspersky Lab’s involvement in helping Russian government hackers steal sensitive National Security Agency materials has taken yet another turn, as The Wall Street Journal reports that the assistance could have come only with the company’s knowledge.

Wednesday’s report, citing unnamed current and former US officials, said the help came in the form of modifications made to the Kaspersky antivirus software that’s used by more than 400 million people around the world. Normally, the programs scan computer files for malware. “But in an adjustment to its normal operations that the officials say could only have been made with the company’s knowledge, the program searched for terms as broad as ‘top secret,’ which may be written on classified government documents, as well as the classified code names of US government programs, these people said.”

The report is the latest to detail a 2015 event in which an NSA worker—described as a contractor by the WSJ and an employee in articles from The Washington Post—sneaked classified materials out of the agency and onto an Internet-connected computer that had Kaspersky AV installed on it. The WSJ, WaPo, and The New York Times have all reported that hackers working for the Russian government were able to home in on the documents with the help of the Kaspersky software.

On Tuesday, the NYT was first in reporting that NSA officials first learned of the help provided by Kaspersky AV from Israeli intelligence officials who had hacked into Kaspersky’s corporate network and witnessed the assistance in real time.

Wednesday’s report is the first to explicitly say the assistance wasn’t the result of a covert hack or the exploitation of an inadvertent weakness but rather likely came with the knowledge of at least one Kaspersky official.

“There is no way, based on what the software was doing, that Kaspersky couldn’t have known about this,” the WSJ quoted a former US official with knowledge of the 2015 event saying. The official went on to explain that the Kaspersky software was designed in a way that it would have had to be programmed to look for specific keywords. Kaspersky employees, the official continued, “likely” would have known such a thing was happening. The evidence, Wednesday’s report said, has now caused many US officials to believe the company was a “witting partner” in locating the materials on the home computer.

In a statement issued Wednesday, Kaspersky officials wrote:

Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question, and the company reiterates its willingness to work alongside US authorities to address any concerns they may have about its products as well as its systems.
The company has long maintained it has no inappropriate ties to any government, including Russia’s, and vigorously defends against all malware threats.

Meanwhile, Reuters reported that German officials had no evidence to back the reports Kaspersky AV played a role in the theft of the NSA materials and had no plans to warn against the use of the software. Last month, the US Department of Homeland Security took the unprecedented step of banning all federal government agencies and departments from using any Kaspersky goods or services.

The WSJ went on to report that US intelligence agencies spent months studying and experimenting with Kaspersky software to see if they could trigger it into behaving as if it had discovered classified materials on a computer being monitored by US spies. “Those experiments persuaded officials that Kaspersky was being used to detect classified information,” Wednesday’s report said.

By Dan Goodin for ARS Technica 

In an age of superfast computers and interconnected everything, the only sure way to protect the integrity of sensitive data, such as election results, is to return to paper and pen.

That is the view of Sijmen Ruwhof, an ethical or “white hat” hacker, who last month revealed that the Dutch election’s commission computer software was riddled with vulnerabilities.

Continue reading

Follow us on social media: 

               

View our magazine archives: 

                       


My Office News Ⓒ 2017 - Designed by A Collective


SUBSCRIBE TO OUR NEWSLETTER
Top