Clearview AI’s Massive Client List Got Hacked

Source: National Cyber Security – Produced By Gregory Evans

It was the RSA security conference in San Francisco this week, and the security industry descended on Moscone Center for days of handing out free stickers, demoing products, and presenting research. And the week was punctuated by fewer handshakes and more elbow bumps thanks to Covid-19. WIRED looked at research that North Korea is recycling Mac malware, and how it’s indicative of booming malware reuse. Google researchers presented progress using deep learning to catch more malicious document attachments in Gmail.

Longtime vulnerability disclosure advocates Katie Moussouris and Chris Wysopal looked back on progress—as well as frustrating limitations—of disclosure today. And one hacker shared a story of sending his mother to break into a South Dakota prison. For research!

Outside of RSA, Nintendo has been cracking down on game leaks in recent months. A new tool called Dangerzone quarantines new PDFs you receive, combs them for anything sketchy, scrubs them, and spits out a safe version. And we looked at strategies for sharing online accounts like streaming accounts safely.

Plus, there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

Soon after the Daily Beast reported that controversial facial recognition company Clearview AI’s client list had been compromised in a breach, Buzzfeed shared details of who exactly was on that list. Among the thousands of listed organizations were law enforcement agencies, as you might expect, but also commercial entities like Best Buy and Macy’s. Some of these groups only took a 30-day trial rather than having an ongoing relationship. But Clearview’s apparent pervasiveness troubles privacy advocates, who find both the company’s opacity and its apparent willingness to share its technology far beyond the confines of law enforcement acutely troubling.

Cerberus malware has been around since last summer, but it’s already picking up new tricks. Researchers at security firm ThreatFabric have observed that recent Cerberus samples appear capable of stealing two-factor authentication codes from Google Authenticator. The upgrade hasn’t hit the version of Cerberus currently in use, but if it works it’ll make it even easier for hackers to crack your bank account. If you’re truly skittish, you’ve got plenty of 2FA options beyond Authenticator, a venerable but rarely updated app.

The NSA’s vast phone metadata collection, authorized under Section 215 of the Patriot Act, has been one of the most controversial practices in the intelligence agency’s history since it was exposed in 2013 by the leaks of Edward Snowden. But only now, a year after the program was officially ended, has the public learned not only the sweeping scope of that surveillance but also how ineffective it was—and how expensive. A declassified study by the intelligence community’s Privacy and Civil Liberties Oversight Board shared with Congress this week revealed that the metadata program cost $100 million, and only on two occasions produced information that the FBI didn’t already possess. On one of those occasions, the investigation was dropped after the FBI looked into the lead. In another case, the NSA’s findings led to an actual foreign intelligence investigation. For that one case, the report doesn’t reveal the nature of the investigation or what may have resulted. Hopefully whatever happened, it was worth $100 million of taxpayer funds—and an enormous controversy that has tarnished the NSA’s reputation for years.

CNET took a close look this week at Inpixon, a company that provides technology that allows schools to keep track of students’ locations accurate down to a meter. The company touts its safety benefit, but raises obvious surveillance concerns, especially given that the affected group is definitionally minors. Its scanners pick up Wi-Fi, Bluetooth, and cellular signals from student smartphones, smartwatches, tablets, and more. And while it technically anonymizes data, it’s easy enough to pair it with ubiquitous in-school camera systems to tie the individual to the activity.

The Justice Department this week announced the arrest of John Cameron Denton, an alleged former leader of the white supremacist group Atomwaffen Division, in connection with a series of swatting events between November 2018 and April 2019. (Swatting is the practice of calling 911 to report a serious crime at an address where none is occurring to get a heavily armed SWAT team to show up; it has gotten people killed, though not in the instances Denton is alleged to have participated in.) If convicted, Denton faces up to five years in prison.


Twitter says Olympics, IOC accounts hacked | News


(Reuters) – Twitter said on Saturday that an official Twitter account of the Olympics and the International Olympic Committee’s (IOC) media Twitter account had been hacked and temporarily locked.

The accounts were hacked through a third-party platform, a spokesperson for the social media platform said in an emailed statement, without giving further details.

“As soon as we were made aware of the issue, we locked the compromised accounts and are working closely with our partners to restore them,” the Twitter spokesperson said.

A spokesperson for the IOC separately said that the IOC was investigating the potential breach.

Twitter also said Spanish soccer club FC Barcelona’s account faced a similar incident on Saturday.

“FC Barcelona will conduct a cybersecurity audit and will review all protocols and links with third party tools, in order to avoid such incidents,” the soccer club said in a tweet after the hack.

Last month, the official Twitter accounts of several U.S. National Football League (NFL) teams, including the San Francisco 49ers and Kansas City Chiefs, were hacked a few days ahead of the Super Bowl.

Earlier this month, some of Facebook’s official Twitter accounts were briefly compromised.

(Reporting by Akshay Balan in Bengaluru, Editing by Rosalba O’Brien)


What happens when satellites get hacked?


Last month, SpaceX became the operator of the world’s largest active satellite constellation. As of the end of January, the company had 242 satellites orbiting the planet, with plans to launch 42,000 over the next decade. This is part of its ambitious project to provide internet access across the globe. The race to put satellites in space is on, with Amazon, U.K.-based OneWeb, and other companies chomping at the bit to place thousands of satellites in orbit in the coming months.

These new satellites have the potential to revolutionize many aspects of everyday life—from bringing internet access to remote corners of the globe to monitoring the environment and improving global navigation systems. Amid all the fanfare, a critical danger has flown under the radar: the lack of cybersecurity standards and regulations for commercial satellites, in the U.S. and internationally. As a scholar who studies cyberconflict, I’m keenly aware that this, coupled with satellites’ complex supply chains and layers of stakeholders, leaves them highly vulnerable to cyberattacks.

If hackers were to take control of these satellites, the consequences could be dire. On the mundane end of the scale, hackers could simply shut satellites down, denying access to their services. Hackers could also jam or spoof the signals from satellites, creating havoc for critical infrastructure. This includes electric grids, water networks, and transportation systems.

Some of these new satellites have thrusters that allow them to speed up, slow down, and change direction in space. If hackers took control of these steerable satellites, the consequences could be catastrophic. Hackers could alter the satellites’ orbits and crash them into other satellites or even the International Space Station.

Commodity parts open a door

Makers of these satellites, particularly small CubeSats, use off-the-shelf technology to keep costs low. The wide availability of these components means hackers can analyze them for vulnerabilities. In addition, many of the components draw on open-source technology. The danger here is that hackers could insert backdoors and other vulnerabilities into satellites’ software.


The highly technical nature of these satellites also means multiple manufacturers are involved in building the various components. The process of getting these satellites into space is also complicated, involving multiple companies. Even once they are in space, the organizations that own the satellites often outsource their day-to-day management to other companies. With each additional vendor, the vulnerabilities increase as hackers have multiple opportunities to infiltrate the system.

Hacking some of these CubeSats may be as simple as waiting for one of them to pass overhead and then sending malicious commands using specialized ground antennas. Hacking more sophisticated satellites might not be that hard either.

Satellites are typically controlled from ground stations. These stations run computers with software vulnerabilities that can be exploited by hackers. If hackers were to infiltrate these computers, they could send malicious commands to the satellites.

A history of hacks

This scenario played out in 1998 when hackers took control of the U.S.-German ROSAT X-ray satellite. They did it by hacking into computers at the Goddard Space Flight Center in Maryland. The hackers then instructed the satellite to aim its solar panels directly at the sun. This effectively fried its batteries and rendered the satellite useless. The defunct satellite eventually crashed back to earth in 2011. Hackers could also hold satellites for ransom, as happened in 1999 when hackers took control of the U.K.’s SkyNet satellites.

Over the years, the threat of cyberattacks on satellites has gotten more dire. In 2008, hackers, possibly from China, reportedly took full control of two NASA satellites, one for about two minutes and the other for about nine minutes. In 2018, another group of Chinese state-backed hackers reportedly launched a sophisticated hacking campaign aimed at satellite operators and defense contractors. Iranian hacking groups have also attempted similar attacks.

Although the U.S. Department of Defense and the National Security Agency have made some efforts to address space cybersecurity, the pace has been slow. There are currently no cybersecurity standards for satellites, and there is no governing body to regulate and ensure their cybersecurity. Even if common standards could be developed, there are no mechanisms in place to enforce them. This means responsibility for satellite cybersecurity falls to the individual companies that build and operate them.

Market forces work against space cybersecurity

As they compete to be the dominant satellite operator, SpaceX and rival companies are under increasing pressure to cut costs. There is also pressure to speed up development and production. This makes it tempting for the companies to cut corners in areas such as cybersecurity that are secondary to actually getting these satellites in space.

On December 16, 2019, a SpaceX rocket carries JCSAT-18 into orbit. [Photo: SpaceX]

Even for companies that make a high priority of cybersecurity, the costs associated with guaranteeing the security of each component could be prohibitive. This problem is even more acute for low-cost space missions, where the cost of ensuring cybersecurity could exceed the cost of the satellite itself.

To compound matters, the complex supply chain of these satellites and the multiple parties involved in their management mean it’s often not clear who bears responsibility and liability for cyberbreaches. This lack of clarity has bred complacency and hindered efforts to secure these important systems.

Regulation is required

Some analysts have begun to advocate for strong government involvement in the development and regulation of cybersecurity standards for satellites and other space assets. Congress could work to adopt a comprehensive regulatory framework for the commercial space sector. For instance, they could pass legislation that requires satellite manufacturers to develop a common cybersecurity architecture.

They could also mandate the reporting of all cyberbreaches involving satellites. There also needs to be clarity on which space-based assets are deemed critical, in order to prioritize cybersecurity efforts. Clear legal guidance on who bears responsibility for cyberattacks on satellites will also go a long way to ensuring that the responsible parties take the necessary measures to secure these systems.

Given the traditionally slow pace of congressional action, a multistakeholder approach involving public-private cooperation may be warranted to ensure cybersecurity standards. Whatever steps government and industry take, it is imperative to act now. It would be a profound mistake to wait for hackers to gain control of a commercial satellite and use it to threaten life, limb, and property—here on earth or in space—before we address this issue.

William Akoto is a postdoctoral research fellow at the University of Denver. This article is republished from The Conversation under a Creative Commons license. Read the original article.


Man who hacked National Lottery for just £5 is jailed for nine months – HOTforSecurity


A 29-year-old British man has been jailed for nine months after admitting using hacking tools to break into UK National Lottery gambling accounts.

Anwar Batson, of Notting Hill, West London, downloaded the readily-available Sentry MBA hacking tool to launch a credential stuffing attack against the National Lottery website.

Credential stuffing takes lists of usernames and passwords exposed in data breaches and uses the same credentials to see if they will unlock other accounts online. As so many users make the mistake of reusing passwords on different websites, credential stuffing is a technique commonly deployed by attackers and tools such as Sentry MBA make the process even easier for the attacker.
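As an added defender-side illustration (not from the article or the NCA), the following Python flags the pattern that separates a credential-stuffing run from a brute-force attempt or a mistyped password: many distinct usernames from one source in a short window, mostly failing. The log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 walks a leaked list across many accounts (one reused password hits),
# 198.51.100.5 is one user mistyping, and 192.0.2.9 brute-forces a single account.
SAMPLE_LOG = """\
2016-11-20T10:00:01 203.0.113.7 user01 FAIL
2016-11-20T10:00:02 203.0.113.7 user02 FAIL
2016-11-20T10:00:03 203.0.113.7 user03 FAIL
2016-11-20T10:00:04 203.0.113.7 user04 OK
2016-11-20T10:00:05 203.0.113.7 user05 FAIL
2016-11-20T10:00:06 203.0.113.7 user06 FAIL
2016-11-20T10:01:00 198.51.100.5 alice FAIL
2016-11-20T10:01:10 198.51.100.5 alice OK
2016-11-20T10:02:00 192.0.2.9 bob FAIL
2016-11-20T10:02:01 192.0.2.9 bob FAIL
2016-11-20T10:02:02 192.0.2.9 bob FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_line(line):
    """Return (timestamp, ip, user, success) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines, window_seconds=60, min_users=5, min_fail_ratio=0.8):
    """Flag sources that, within any window_seconds span, try at least min_users
    distinct accounts with a failure ratio >= min_fail_ratio.
    Returns {ip: (attempts, distinct_users, failures)} for the largest such window."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event[1]].append(event)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()                      # sliding window of this source's events
        for event in events:
            recent.append(event)
            while event[0] - recent[0][0] > window:
                recent.popleft()
            users = {e[2] for e in recent}
            failures = sum(1 for e in recent if not e[3])
            if len(users) >= min_users and failures / len(recent) >= min_fail_ratio:
                stats = (len(recent), len(users), failures)
                flagged[ip] = max(flagged.get(ip, stats), stats)
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG.splitlines()))   # {'203.0.113.7': (6, 6, 5)}
```

The single-account sources are not flagged even though they fail repeatedly, which is the point: stuffing spreads failures across accounts, so per-account lockouts alone miss it.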

Prosecutors told Southwark Crown Court that after Batson downloaded Sentry MBA he joined a WhatsApp group devoted to hacking under the alias of “Rosegold,” and provided to accomplices a configuration file specifically designed to launch Sentry MBA against the National Lottery website.

The attack, in late 2016, caused National Lottery operators Camelot to issue a warning to thousands of gamblers that their accounts may have been accessed, and forced a password reset on affected accounts.

Batson’s accomplices, Daniel Thompson and Idris Akinwunmi, were jailed in 2018 after admitting their involvement in the attack.

Batson was arrested in May 2017 by the National Crime Agency (NCA), and initially denied that he was involved in the attack – claiming that his devices had been cloned or hacked by online trolls.

But when NCA officers examined his devices they uncovered the conversations between Rosegold and others on WhatsApp where they discussed hacking, the buying and selling of lists of usernames and passwords, and more.

In addition, officers found at Batson’s flat clothes which had been addressed to someone calling themself “Rosegold”.

Time and time again, people roll out the adage that “crime doesn’t pay.”

Well, it certainly doesn’t pay in the case of Batson.

As the NCA reports, Batson gave the username and password of one National Lottery player to Akinwunmi, who stole the entire contents of the account – a grand total of £13. Batson’s split of the ill-gotten gains? A mere £5.

Lottery operator Camelot says that responding to the attack cost it £230,000, and that 250 players had closed their accounts due to the negative publicity.


Chrome 79 includes anti-phishing and hacked password protection – Naked Security


Version 79 of Chrome is out, and it promises to do a better job of protecting you against phishing sites and credential stuffing attacks.

Since 2017, Chrome has protected users against phishing by checking the sites you enter your Google credentials into against a list of known phishing sites. It keeps these as part of its Safe Browsing initiative. Google synchronises its list of bad sites with the browser every 30 minutes, but because sites change so quickly, that means users might fall victim to new sites that had come online just minutes earlier.

Chrome 79, released on Tuesday 10 December, now performs that phishing protection in real-time, even for users with the synchronisation feature turned off. The company says this will protect users in 30% more cases. The protection has also been extended to include all the passwords stored in the Chrome password manager rather than just Google accounts. You can turn it on by enabling the ‘Make searches and browsing better’ option in Chrome.

The browser also now includes some other protections. It will now show you more clearly which profile the browser is currently using, which is handy for those sharing a browser and using different profiles. There’s also a feature that Google has been testing out for months: a built-in check for hacked passwords during site logins.

The feature began as a Chrome extension called Password Checkup that warned users when their login credentials had been breached. Released in February 2019, it found that 1.5% of all web logins were using breached credentials, according to a Google survey released in August this year. That fuelled Google’s next move, in which it folded the feature directly into Chrome’s password manager. The service still didn’t check your credentials against hacked logins whenever you logged into a website. Instead, it would periodically run the passwords you’d stored in the password manager through the service to see if it found a match.

The version of Password Checkup integrated into Chrome 79 goes a step further. Now, it runs the check whenever you log into a site. Google is at pains to avoid any suggestion of creepiness or spying as part of this move, so it’s been pretty clever about how it performs the check. It wants to be clear that it doesn’t get to see your login credentials.

When you log into a website, Chrome will now send a hashed copy of your login credentials to Google. A hash is a fixed-length, reproducible fingerprint of whatever data you feed it, which identifies the data without revealing it. This hash is then encrypted in the browser using an encryption key to which only you have access.

Google already used its own key to encrypt the list of hacked login credentials that it sniffed from various sources online. It does the same thing with the credentials that Chrome sends it, encrypting them a second time.
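To make the double-encryption idea concrete, here is an added toy model of the check described above, not Google’s code: the client blinds the hashed credential with a key only it holds, the server applies its own key both to that value and to its breach list, and the client strips only its own blinding before comparing. Modular exponentiation over the Mersenne prime 2^521 - 1 stands in for the elliptic-curve blinding of the real service, and the hash-prefix bucketing the real service uses is omitted; both are assumptions made for clarity.

```python
import hashlib
import math
import secrets

# Toy group: the multiplicative group mod the Mersenne prime M521 (assumption;
# the real service blinds points on an elliptic curve instead).
P = 2**521 - 1

def hash_credential(username: str, password: str) -> int:
    """Hash a username:password pair to a non-zero element mod P."""
    digest = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

def blinding_key() -> int:
    """Random exponent that is invertible modulo the group order P-1."""
    while True:
        k = secrets.randbelow(P - 1)
        if k > 1 and math.gcd(k, P - 1) == 1:
            return k

class BreachServer:
    """Holds the breach list encrypted once under the server's own key.
    The raw hashes are discarded, so this object only ever holds h^b."""
    def __init__(self, breached_pairs):
        self.key = blinding_key()
        self.encrypted_list = {pow(hash_credential(u, p), self.key, P)
                               for u, p in breached_pairs}

    def respond(self, client_blinded: int):
        """Encrypt the client's already-blinded hash a second time and return
        it with the encrypted list. The server sees only h^a, never h."""
        return pow(client_blinded, self.key, P), self.encrypted_list

def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: True if the pair is in the breach list. The server never
    sees the credential hash and the client never learns the server key."""
    a = blinding_key()
    blinded = pow(hash_credential(username, password), a, P)    # h^a
    double_blinded, encrypted_list = server.respond(blinded)    # h^(a*b)
    a_inv = pow(a, -1, P - 1)                   # a * a_inv == 1 (mod P-1)
    server_only = pow(double_blinded, a_inv, P)  # == h^b by Fermat's little theorem
    return server_only in encrypted_list

if __name__ == "__main__":
    # Constructed sample breach list.
    server = BreachServer([("alice", "hunter2"), ("bob", "Password1")])
    print(check_credential(server, "alice", "hunter2"))        # True
    print(check_credential(server, "alice", "correct horse"))  # False
```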