Hacked
now browsing by tag
#cybersecurity | #infosec | Man who hacked National Lottery for just £5 is jailed for nine months – HOTforSecurity
Source: National Cyber Security – Produced By Gregory Evans
A 29-year-old British man has been jailed for nine months after admitting using hacking tools to break into UK National Lottery gambling accounts.
Anwar Batson, of Notting Hill, West London, downloaded the readily-available Sentry MBA hacking tool to launch a credential stuffing attack against the National Lottery website.
Credential stuffing takes lists of usernames and passwords exposed in data breaches and uses the same credentials to see if they will unlock other accounts online. As so many users make the mistake of reusing passwords on different websites, credential stuffing is a technique commonly deployed by attackers and tools such as Sentry MBA make the process even easier for the attacker.
Prosecutors told Southwark Crown Court that after Batson downloaded Sentry MBA he joined a WhatsApp group devoted to hacking under the alias of “Rosegold,” and provided to accomplices a configuration file specifically designed to launch Sentry MBA against the National Lottery website.
The attack, in late 2016, caused National Lottery operators Camelot to issue a warning to thousands of gamblers that their accounts may have been accessed, and forced a password reset on affected accounts.
Batson’s accomplices, Daniel Thompson and Idris Akinwunmi, were jailed in 2018 after admitting their involvement in the attack.
Batson was arrested in May 2017 by the National Crime Agency (NCA), and initially denied that he was involved in the attack – claiming that his devices had been cloned or hacked
by online trolls.
But when NCA officers examined his devices they uncovered the conversations between Rosegold and others on WhatsApp where they discussed hacking, the buying and selling of lists of usernames and password, and more.
In addition, officers found at Batson’s flat clothes which had been addressed to someone calling themself “Rosegold”.
Time and time again, people roll out the adage that “crime doesn’t pay.”
Well, it certainly doesn’t pay in the case of Batson.
As the NCA reports, Batson gave the username and password of one National Lottery player to Akinwunmi, who stole the entire contents of the account – a grand total of £13. Batson’s split of the ill-gotten gains? A mere £5.
Lottery operator Camelot says that responding to the attack cost it £230,000, and that 250 players had closed their accounts due to the negative publicity.
The post #cybersecurity | #infosec | Man who hacked National Lottery for just £5 is jailed for nine months – HOTforSecurity appeared first on National Cyber Security.
View full post on National Cyber Security
Chrome 79 includes anti-phishing and hacked password protection – Naked Security
Source: National Cyber Security – Produced By Gregory Evans
Version 79 of Chrome is out, and it promises to do a better job of protecting you against phishing sites and credential stuffing attacks.
Since 2017, Chrome has protected users against phishing by checking the sites you enter your Google credentials into against a list of known phishing sites. It keeps these as part of its Safe Browsing initiative. Google synchronises its list of bad sites with the browser every 30 minutes, but because sites change so quickly, that means users might fall victim to new sites that had come online just minutes earlier.
Chrome 79, released on Tuesday 10 December, now performs that phishing protection in real-time, even for users with the synchronisation feature turned off. The company says this will protect users in 30% more cases. The protection has also been extended to include all the passwords stored in the Chrome password manager rather than just Google accounts. You can turn it on by enabling the ‘Make searches and browsing better’ option in Chrome.
The browser also now includes some other protections. It will now show you more clearly which profile the browser is currently using, which is handy for those sharing a browser and using different profiles. There’s also a feature that Google has been testing out for months: a built-in check for hacked passwords during site logins.
The feature began as a Chrome extension called Password Checkup that warned users their login credentials had been breached. Released in February 2019, it found that 1.5% of all web logins were using breached credentials, according to a Google survey released in August this year. That fuelled Google’s next move, in which it folded the feature directly into Chrome’s password manager. The service still didn’t check your credentials against hacked logins whenever you logged into a website. Instead, it would run the passwords you’d stored in the password manager service periodically to see if it found a match.
The version of Password Checkup integrated into Chrome 79 goes a step further. Now, it runs the check whenever you log into a site. Google is at pains to avoid any suggestion of creepiness or spying as part of this move, so it’s been pretty clever about how it performs the check. It wants to be clear that it doesn’t get to see your login credentials.
When you log into a website, Chrome will now send a hashed copy of your login credentials to Google. A hash creates a unique and reproducible string of text using whichever data you give to it, which identifies the data without revealing it. This data is encrypted in the browser using an encryption key to which only you have access.
Google already used its own key to encrypt the list of hacked login credentials that it sniffed from various sources online. It does the same thing with the credentials that Chrome sends it, encrypting them a second time.
This double encryption is part of a technique called private set intersection with blinding. It tries to match the login credentials you entered against Google’s database of hacked usernames and passwords.
For your privacy, Google doesn’t do this matching itself. Instead, it sends a small part of its encrypted hacked credentials database back to Chrome, along with your double-encrypted login credentials (which you’ll remember have now been encrypted twice). Chrome removes the encryption it applied to your login credentials using your own key, leaving only Google’s encryption in place. It then tries to match those hashed encrypted credentials against the small subset of the database that it received from Google. If it finds one, then your credentials have been hacked.
Google knows which small subset of the database to send back because your browser also creates a hash of the username you tried to enter into the website. It sends part of that hash to Google along with the other data. Google uses that snippet of your hashed username to select the part of its database including the same snippet in the index.
It’s an ingenious system, and as long as you feel you can trust the encryption (and Google), then it looks like a good way to automate hacked password detection. It will alert you that your credentials have been pwned at the point in time when you’re most likely to do something about it – when you’re trying to log into the site.
As with all password breaches, you should change your password if Chrome does discover a match, and turn on multi-factor authentication if the hacked site makes it available, to prevent a possible attack. You should also avoid reusing passwords across multiple sites so that attackers won’t be able to unlock your other accounts with a hacked password. You can make that easier by using a password manager with a built-in password generator.
The post Chrome 79 includes anti-phishing and hacked password protection – Naked Security appeared first on National Cyber Security.
View full post on National Cyber Security
Kids’ smartwatch security tracker can be hacked by anyone – Naked Security
Source: National Cyber Security – Produced By Gregory Evans
For researchers at testing outfit AV-Test, the SMA M2 kids’ smartwatch is just the tip of an iceberg of terrible security.
On sale for around three years, superficially it’s not hard to understand why the model M2 might appeal to anxious parents or carers.
Costing only $32, it pairs with a smartphone so that adults can track the real-time location of kids via GPS, GSM or Wi-Fi using a simple mapping app and online account. Add a SIM and it can be used to make voice calls and there’s even an SOS button children can press in the event of an emergency.
The colour screen, cartoon icons, and baby-blue or pink colour scheme is almost guaranteed to appeal to younger children.
The punchline?
AV-Test’s investigations reveal that the M2 also happens to be an unmitigated security disaster.
Naked Security has covered numerous security screw-ups over the years but it’s hard to imagine a more face-palming charge sheet than that levelled at the makers of the M2 by AV-Test.
To illustrate the point, the testers use the example of a girl called Anna who lives in Dortmund, Germany.
She vacations with her grandparents in a coastal town called Norderney, where she regularly visits the local harbour around 2 o’clock to spot seals for an hour.
The company knows all of this because Anna is wearing an M2 smartwatch which has been leaking this information along with that of another 5,000 children via a public system whose security would be non-existent for any competent hacker.
AV-Test was able to find the names and addresses of these children, their age, images of what they looked like, as well as voice messages transmitted from the watch.
In a development that would be ironic if it weren’t so serious, they were able to discover children’s current locations. Warns AV-Test’s Maik Morgenstern:
We picked out Anna as much as we could have picked Ahmet from London or Pawel from Lublin in Poland.
Authentication fail
The epic fail starts with the fact that communication with the online system is unencrypted and its authentication is weak.
Although an authentication token is generated and sent to requests to the Web API to prevent unauthorized access, this token is not checked on the server side and is therefore inoperative.
Perhaps worse, the smartphone app’s poorly secured web API makes it possible to borrow any user’s account ID and log into that account.
An attacker could not only track and contact a child but lock legitimate adults out of the account.
Remember, this is a device that is supposed to be a security tracker for carers that turns out to do the same job for anyone.
This is surely worse than no security trackers because at least using nothing wouldn’t lull its users into a false sense of security.
What to do
If you own one of these watches, our advice would be to stop using it immediately.
It’s not clear how many children might be wearing one – AV-Test detected users in Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the UK, The Netherlands, and China – but it’s likely to be a lot more than the 5,000 the researchers identified.
The maker, SMA, has been told of the flaws while the product’s German distributor has removed it from sale.
The troubling part of this story is that AV-Test has been looking at this type of children’s smartwatch for some years, and this is only the latest and worst example in a sector that seems to have treated security as little more than a tick box – if it looks secure then it probably is.
Indeed, Naked Security has covered security problems with this class of device many times before. In 2017, Germany even reportedly banned the devices over spying worries. Then there’s this week’s case of the baby monitor hacked by a stranger.
Until IoT products like this can demonstrate better security, it’s wise to shop with great caution.
The post Kids’ smartwatch security tracker can be hacked by anyone – Naked Security appeared first on National Cyber Security.
View full post on National Cyber Security
#infosec | Hacked Disney+ Accounts on Sale for $1
Source: National Cyber Security – Produced By Gregory Evans Disney’s new video-on-demand streaming service has been compromised within a week of its being launched, with hacked Disney+ accounts offered for sale online for just $1. According to The Daily Dot, the hugely popular Disney+ service, which amassed over 10 million subscribers on its first day alone, was […] View full post on AmIHackerProof.com
#Cyber #Security Today: Jan. 7, 2019 — #iPhone call #scam, Germans #hacked and Android #spyware
Watch out for this iPhone call scam, prominent Germans hacked, Android spyware found and an Acrobat update.
Apple iPhone users should be on the lookout for a phone phishing scam. According to security writer Brian Krebs, it works like this: You get a call and when you look at the phone’s screen to see who it is, the Apple logo, real phone number and real address is displayed. The target in this case didn’t answer the call so a message was left asking her to call a 1-866 number. It probably led to a scammer who would have asked for personal information. So iPhone users, ignore calls purporting to be from Apple. Apple won’t phone you. And for those who use other phones, hang up on anyone who tries to get personal information or passwords.
Hackers somehow have gotten access to private emails, memos and financial information of hundreds of German politicians, reporters, comedians and artists. The information was then published through a Twitter account. At this point no one knows if this was the work of a mischievous activist or a foreign country, or exactly how it was done. But British security writer Graham Cluley suspects victims fell for a phishing lure and gave away a password to one of their email or social media accounts. The hacker then went from there. Victims may have also used the same password for different accounts, which also makes a hacker’s job easier. If so, it’s another example of why you shouldn’t use the same password on more than one site, and, where possible enable two-factor authentication to make sure someone else can’t log into your account. Two factor authentication usually sends a six-digit number to your smart phone that you have to enter in addition to your password. Check your applications’ settings to see if you have it.
UPDATE: According to the Associated Press, a popular German YouTube contributor who was victimized said the perpetrator somehow first gained access to his email account and then convinced Twitter to disable a second security check — presumably two-factor authentication — required to take control of his account on the social networking site.
Twitter didn’t immediately respond to a request for comment and it wasn’t clear how many of those affected by the leak had such “two-factor authentication” enabled for their email or social media accounts, and whether the hacker similarly managed to bypass it.
As hard as Google tries to keep malware out of the Google Play store, criminals manage to find ways to evade detection. Trend Micro reports it discovered spyware hidden in six seemingly legitimate Android applications including a game called Flappy Bird, a presumably copycat called Flappy Birr Dog, FlashLight, Win7Launcher and others. All have been removed from the app store. The spyware would have stolen information like user location, text messages, contact lists and device information as well as try to phish for passwords. Owners of any computing device have to be cautious when deciding what to download, advises Trend Micro.
Finally, Adobe usually issues security updates on the second Tuesday of the month, which is tomorrow. However, it has already issued an emergency patch for Acrobat and Acrobat Reader. So if you use either of these applications check you have the latest versions.
Source: https://www.itworldcanada.com/article/cyber-security-today-jan-7-2019-iphone-call-scam-germans-hacked-and-android-spyware/413736
View full post on National Cyber Security
Local #company’s #system #hacked; employee #info #stolen
Source: National Cyber Security – Produced By Gregory Evans
Green Bay Police say they are investigating the hacking of a local corporation’s computer network, resulting in the theft of “significant amounts of money” from victims in the organization.
Police did not immediately identify the company that was attacked. Action 2 News will work to find that out.
Officers say the hackers stole human resources information.
“In this case, it appeared the cyber actors utilized a known vulnerability to access the company’s computer systems and human resources software to steal personal identifying information from employees,” reads a statement from Capt. Jeremy Muraski.
Police say the vulnerability was a known issue and a security patch had not been installed and updated.
“This incident demonstrates how vital it is to maintain public facing computer systems with the latest security patches from the server companies as cyber actors will attempt to use exploits as long as they are finding vulnerable systems,” reads the statement from Capt. Muraski.
The post Local #company's #system #hacked; employee #info #stolen appeared first on National Cyber Security .
View full post on National Cyber Security
When Spies Get Hacked… Hackers Steal Customer Data from Android Spyware Company
When hackers get hacked” should become the tagline of 2018. After several other similar incidents, it is now the turn of an Android spyware maker that advertises its spyware to be used against children and employees. A target of a vigilante hacker, the company known as SpyHuman offers surveillance software for Android devices that enables its users to intercept phone calls, text messages, track GPS locations, read messages on WhatsApp and Facebook, and use the target device’s microphone.
It now appears that a hacker has stolen customer text messages and call metadata from the spyware company. Call metadata includes phone numbers the target devices dialled or received calls from along with their duration and dates. Hackers managed to access over 440,000,000 call details through exploiting a basic security flaw in the website.
“These spy apps should be out of market, most people spy on girls and [their] data image […] always sensitive,” the hacker wrote in a message that was obtained by Motherboard. “No one have rights to do that and same these apps and provider making money by doing this.”
While SpyHuman sells its spyware as a tool to monitor children and employees, it’s mostly used to illegally spy on partners and spouses without their consent. “Several review websites and social media posts do push the app for such purposes, and archives of particular SpyHuman pages include phrases such as ‘know if your partner is cheating on you,’ and suggests monitoring your husband’s texts in case he is having an affair,” the publication reports.
The company gave the following (non)explanation when asked about how it makes sure its software isn’t being used for illegal surveillance:
“As a precaution, at an initial stage of our app installation, we always ask users that for what purposes they are installing this app in the target device. If they select child or employee monitoring then our app stays hidden and operate in stealth mode. Otherwise, it will create visible Icon so that one can know that such app is installed on his/her devices.”
As is apparent, since its users can always select a child or an employee – which in itself raises several questions – they don’t necessarily have to reveal if they are using the product for spying on people, mostly partners, without their consent.
– If you are a victim of spyware or technology-facilitated abuse, this is a very comprehensive resource list offering guidelines and help.
The post When Spies Get Hacked… Hackers Steal Customer Data from Android Spyware Company appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Man who #hacked #nude photos of #Jennifer Lawrence, #Kate Upton, pleads #guilty
A Connecticut man has pleaded guilty to hacking into the iCloud accounts of Hollywood stars and others so he could steal personal information, including private photographs and videos.
Federal prosecutors say 26-year-old George Garofano, of North Branford, pleaded guilty Wednesday to unauthorized access to a protected computer to obtain information.
The charge stemmed from the investigation into the 2014 scandal in which the private photos of Jennifer Lawrence, Kirsten Dunst, Kate Upton and others were made public.
Prosecutors say Garofano sent emails that appeared to be from Apple encouraging victims to disclose usernames and passwords. He then used the information to illegally access nearly 250 iCloud accounts.
Garofano, who remains free on $50,000 bond, faces up to five years in prison at sentencing at a date to be determined.
The post Man who #hacked #nude photos of #Jennifer Lawrence, #Kate Upton, pleads #guilty appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Buggy #Verge #crypto-cash gets #hacked, #devs go fork #themselves, #hard
Alt-currency’s value tumbles amid malicious mining mishaps
The Verge cryptocurrency has seen its value drop by 25 per cent after hackers exploiting a bug in the alt-coin’s software forced its developers to hit the reset button and hard-fork the currency.
Programmers on Wednesday confirmed that the fun-bux had been on the receiving end of a “small hash attack” that caused its value to drop from $0.07 to $0.05 per XVG. The developers claimed they had cleared up what was portrayed as a minor hiccup.
According to netizens observing the attack from the Bitcointalk forums, however, the shenanigans were anything but minor. Rather, bugs were present in the XVG code that allowed miscreants to mine blocks with bogus timestamps, messing up the currency’s blockchain.
The programming blunders were leveraged by persons unknown to generate new blocks at a rate of roughly one per second. This, in turn, allowed the attackers to net an estimated $1m.
“Usually to successfully mine XVG blocks, every ‘next’ block must be of a different algorithm,” explained forum poster OCminer, of the Suprnova Mining Pools. “So, for example, scrypt, then x17, then lyra, etc.
“Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block, as a malicious miner or pool, you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algorithm was one hour ago. Your next block, the subsequent block, will then have the correct time. And since it’s already an hour ago – at least that is what the network thinks – it will allow this block to be added to the main chain as well.”
OCminer added it was a 51 per attack, in which miscreants seize control of the majority of miners on a cryptocurrency’s network.
We’ve asked the Verge currency team for comment on the matter, but have yet to hear back at the time of publication.
In addition to the attack, the handling of the aftermath is also drawing criticism. To remedy the issue, the developers hard forked XVG, effectively creating a new blockchain.
“The XVG team erroneously forked their entire network to ‘undo’ the exploited blocks, but this resulted in the entire network being unable to sync,” noted cryptocurrency news site The Merkle.
“When the team was made aware of their mistake, they were able to re-sync the network, but still have not completely defeated the issue.”
The post Buggy #Verge #crypto-cash gets #hacked, #devs go fork #themselves, #hard appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Facebook #secretly deleted #some of Mark Zuckerberg’s private #messages over fears the #company could be #hacked
Want to delete that embarrassing message you just sent? WhatsApp will let you, and so will Instagram — but if you’re using Facebook, then you’re out of luck.
Unless you’re Mark Zuckerberg, the CEO and cofounder of Facebook.
TechCrunch reported Thursday that some old messages sent by Zuckerberg and senior executives have disappeared from recipients’ Facebook Messenger inboxes, proven by the original email receipts sent at the time.
The company appeared to confirm the unique arrangement, telling TechCrunch the change was made in response to an uptick in hacking.
“After Sony Pictures’ emails were hacked in 2014 we made a number of changes to protect our executives’ communications. These included limiting the retention period for Mark’s messages in Messenger. We did so in full compliance with our legal obligations to preserve messages,” the company said.
The Sony hack targeted the emails of Sony film executives, which revealed a side of Hollywood rarely seen by outsiders, and the decision to name the event as a catalyst for Facebook’s message purge indicates how troubling the incident was in Silicon Valley — and that Facebook was concerned about being hacked.
The company also raised the idea of a “retention period,” though there is no such thing for normal users. If a user long presses a private message on Facebook a “Delete Message” pop up confirms that the function will “delete your copy of the message,” and the recipients’ copy will remain.
Facebook-owned Instagram has long had the option to “unsend” direct messages, while Facebook-owned WhatsApp recently launched a deletion function where unread messages can be deleted “for everyone.” A message is then displayed to all participants that content has been deleted.
But Zuckerberg’s deleted messages didn’t leave behind any such message, probably because they had already been read, many years ago.
The messages were originally sent to former employees and people outside of Facebook. According to TechCrunch, the recipients of the now-deleted messages were not informed at any stage that correspondence they received had been erased.
Zuckerberg may be the CEO of Facebook, but it’s unclear how the decision to remove senior executives’ messages would be allowed under the company’s terms of service. The terms only allow Facebook to remove content if the company believes “that it violates this Statement or our policies” or for infringing copyright.
Deleting messages quietly, and selectively, also appears to fly in the face of Facebook’s campaign to “make the world more open and transparent.” Its own policies say that the company “should publicly make available information about its purpose, plans, policies, and operations.”
Facebook appears to have not followed these policies in this instance, and it raises questions about the recipient’s right to privacy.
The news comes just weeks after the Cambridge Analytica scandal which has seen Zuckerberg admit that tens of millions of users probably had their data scraped.
The post Facebook #secretly deleted #some of Mark Zuckerberg’s private #messages over fears the #company could be #hacked appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
D5 Creation