Hacked
now browsing by tag
#Cyber #Security Today: Jan. 7, 2019 — #iPhone call #scam, Germans #hacked and Android #spyware
Watch out for this iPhone call scam, prominent Germans hacked, Android spyware found and an Acrobat update.
Apple iPhone users should be on the lookout for a phone phishing scam. According to security writer Brian Krebs, it works like this: You get a call and when you look at the phone’s screen to see who it is, the Apple logo, real phone number and real address is displayed. The target in this case didn’t answer the call so a message was left asking her to call a 1-866 number. It probably led to a scammer who would have asked for personal information. So iPhone users, ignore calls purporting to be from Apple. Apple won’t phone you. And for those who use other phones, hang up on anyone who tries to get personal information or passwords.
Hackers somehow have gotten access to private emails, memos and financial information of hundreds of German politicians, reporters, comedians and artists. The information was then published through a Twitter account. At this point no one knows if this was the work of a mischievous activist or a foreign country, or exactly how it was done. But British security writer Graham Cluley suspects victims fell for a phishing lure and gave away a password to one of their email or social media accounts. The hacker then went from there. Victims may have also used the same password for different accounts, which also makes a hacker’s job easier. If so, it’s another example of why you shouldn’t use the same password on more than one site, and, where possible enable two-factor authentication to make sure someone else can’t log into your account. Two factor authentication usually sends a six-digit number to your smart phone that you have to enter in addition to your password. Check your applications’ settings to see if you have it.
UPDATE: According to the Associated Press, a popular German YouTube contributor who was victimized said the perpetrator somehow first gained access to his email account and then convinced Twitter to disable a second security check — presumably two-factor authentication — required to take control of his account on the social networking site.
Twitter didn’t immediately respond to a request for comment and it wasn’t clear how many of those affected by the leak had such “two-factor authentication” enabled for their email or social media accounts, and whether the hacker similarly managed to bypass it.
As hard as Google tries to keep malware out of the Google Play store, criminals manage to find ways to evade detection. Trend Micro reports it discovered spyware hidden in six seemingly legitimate Android applications including a game called Flappy Bird, a presumably copycat called Flappy Birr Dog, FlashLight, Win7Launcher and others. All have been removed from the app store. The spyware would have stolen information like user location, text messages, contact lists and device information as well as try to phish for passwords. Owners of any computing device have to be cautious when deciding what to download, advises Trend Micro.
Finally, Adobe usually issues security updates on the second Tuesday of the month, which is tomorrow. However, it has already issued an emergency patch for Acrobat and Acrobat Reader. So if you use either of these applications check you have the latest versions.
Source: https://www.itworldcanada.com/article/cyber-security-today-jan-7-2019-iphone-call-scam-germans-hacked-and-android-spyware/413736
View full post on National Cyber Security
Local #company’s #system #hacked; employee #info #stolen
Source: National Cyber Security – Produced By Gregory Evans
Green Bay Police say they are investigating the hacking of a local corporation’s computer network, resulting in the theft of “significant amounts of money” from victims in the organization.
Police did not immediately identify the company that was attacked. Action 2 News will work to find that out.
Officers say the hackers stole human resources information.
“In this case, it appeared the cyber actors utilized a known vulnerability to access the company’s computer systems and human resources software to steal personal identifying information from employees,” reads a statement from Capt. Jeremy Muraski.
Police say the vulnerability was a known issue and a security patch had not been installed and updated.
“This incident demonstrates how vital it is to maintain public facing computer systems with the latest security patches from the server companies as cyber actors will attempt to use exploits as long as they are finding vulnerable systems,” reads the statement from Capt. Muraski.
The post Local #company's #system #hacked; employee #info #stolen appeared first on National Cyber Security .
View full post on National Cyber Security
When Spies Get Hacked… Hackers Steal Customer Data from Android Spyware Company
When hackers get hacked” should become the tagline of 2018. After several other similar incidents, it is now the turn of an Android spyware maker that advertises its spyware to be used against children and employees. A target of a vigilante hacker, the company known as SpyHuman offers surveillance software for Android devices that enables its users to intercept phone calls, text messages, track GPS locations, read messages on WhatsApp and Facebook, and use the target device’s microphone.
It now appears that a hacker has stolen customer text messages and call metadata from the spyware company. Call metadata includes phone numbers the target devices dialled or received calls from along with their duration and dates. Hackers managed to access over 440,000,000 call details through exploiting a basic security flaw in the website.
“These spy apps should be out of market, most people spy on girls and [their] data image […] always sensitive,” the hacker wrote in a message that was obtained by Motherboard. “No one have rights to do that and same these apps and provider making money by doing this.”
While SpyHuman sells its spyware as a tool to monitor children and employees, it’s mostly used to illegally spy on partners and spouses without their consent. “Several review websites and social media posts do push the app for such purposes, and archives of particular SpyHuman pages include phrases such as ‘know if your partner is cheating on you,’ and suggests monitoring your husband’s texts in case he is having an affair,” the publication reports.
The company gave the following (non)explanation when asked about how it makes sure its software isn’t being used for illegal surveillance:
“As a precaution, at an initial stage of our app installation, we always ask users that for what purposes they are installing this app in the target device. If they select child or employee monitoring then our app stays hidden and operate in stealth mode. Otherwise, it will create visible Icon so that one can know that such app is installed on his/her devices.”
As is apparent, since its users can always select a child or an employee – which in itself raises several questions – they don’t necessarily have to reveal if they are using the product for spying on people, mostly partners, without their consent.
– If you are a victim of spyware or technology-facilitated abuse, this is a very comprehensive resource list offering guidelines and help.
The post When Spies Get Hacked… Hackers Steal Customer Data from Android Spyware Company appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Man who #hacked #nude photos of #Jennifer Lawrence, #Kate Upton, pleads #guilty
A Connecticut man has pleaded guilty to hacking into the iCloud accounts of Hollywood stars and others so he could steal personal information, including private photographs and videos.
Federal prosecutors say 26-year-old George Garofano, of North Branford, pleaded guilty Wednesday to unauthorized access to a protected computer to obtain information.
The charge stemmed from the investigation into the 2014 scandal in which the private photos of Jennifer Lawrence, Kirsten Dunst, Kate Upton and others were made public.
Prosecutors say Garofano sent emails that appeared to be from Apple encouraging victims to disclose usernames and passwords. He then used the information to illegally access nearly 250 iCloud accounts.
Garofano, who remains free on $50,000 bond, faces up to five years in prison at sentencing at a date to be determined.
The post Man who #hacked #nude photos of #Jennifer Lawrence, #Kate Upton, pleads #guilty appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Buggy #Verge #crypto-cash gets #hacked, #devs go fork #themselves, #hard
Alt-currency’s value tumbles amid malicious mining mishaps
The Verge cryptocurrency has seen its value drop by 25 per cent after hackers exploiting a bug in the alt-coin’s software forced its developers to hit the reset button and hard-fork the currency.
Programmers on Wednesday confirmed that the fun-bux had been on the receiving end of a “small hash attack” that caused its value to drop from $0.07 to $0.05 per XVG. The developers claimed they had cleared up what was portrayed as a minor hiccup.
According to netizens observing the attack from the Bitcointalk forums, however, the shenanigans were anything but minor. Rather, bugs were present in the XVG code that allowed miscreants to mine blocks with bogus timestamps, messing up the currency’s blockchain.
The programming blunders were leveraged by persons unknown to generate new blocks at a rate of roughly one per second. This, in turn, allowed the attackers to net an estimated $1m.
“Usually to successfully mine XVG blocks, every ‘next’ block must be of a different algorithm,” explained forum poster OCminer, of the Suprnova Mining Pools. “So, for example, scrypt, then x17, then lyra, etc.
“Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block, as a malicious miner or pool, you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algorithm was one hour ago. Your next block, the subsequent block, will then have the correct time. And since it’s already an hour ago – at least that is what the network thinks – it will allow this block to be added to the main chain as well.”
OCminer added it was a 51 per attack, in which miscreants seize control of the majority of miners on a cryptocurrency’s network.
We’ve asked the Verge currency team for comment on the matter, but have yet to hear back at the time of publication.
In addition to the attack, the handling of the aftermath is also drawing criticism. To remedy the issue, the developers hard forked XVG, effectively creating a new blockchain.
“The XVG team erroneously forked their entire network to ‘undo’ the exploited blocks, but this resulted in the entire network being unable to sync,” noted cryptocurrency news site The Merkle.
“When the team was made aware of their mistake, they were able to re-sync the network, but still have not completely defeated the issue.”
The post Buggy #Verge #crypto-cash gets #hacked, #devs go fork #themselves, #hard appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Facebook #secretly deleted #some of Mark Zuckerberg’s private #messages over fears the #company could be #hacked
Want to delete that embarrassing message you just sent? WhatsApp will let you, and so will Instagram — but if you’re using Facebook, then you’re out of luck.
Unless you’re Mark Zuckerberg, the CEO and cofounder of Facebook.
TechCrunch reported Thursday that some old messages sent by Zuckerberg and senior executives have disappeared from recipients’ Facebook Messenger inboxes, proven by the original email receipts sent at the time.
The company appeared to confirm the unique arrangement, telling TechCrunch the change was made in response to an uptick in hacking.
“After Sony Pictures’ emails were hacked in 2014 we made a number of changes to protect our executives’ communications. These included limiting the retention period for Mark’s messages in Messenger. We did so in full compliance with our legal obligations to preserve messages,” the company said.
The Sony hack targeted the emails of Sony film executives, which revealed a side of Hollywood rarely seen by outsiders, and the decision to name the event as a catalyst for Facebook’s message purge indicates how troubling the incident was in Silicon Valley — and that Facebook was concerned about being hacked.
The company also raised the idea of a “retention period,” though there is no such thing for normal users. If a user long presses a private message on Facebook a “Delete Message” pop up confirms that the function will “delete your copy of the message,” and the recipients’ copy will remain.
Facebook-owned Instagram has long had the option to “unsend” direct messages, while Facebook-owned WhatsApp recently launched a deletion function where unread messages can be deleted “for everyone.” A message is then displayed to all participants that content has been deleted.
But Zuckerberg’s deleted messages didn’t leave behind any such message, probably because they had already been read, many years ago.
The messages were originally sent to former employees and people outside of Facebook. According to TechCrunch, the recipients of the now-deleted messages were not informed at any stage that correspondence they received had been erased.
Zuckerberg may be the CEO of Facebook, but it’s unclear how the decision to remove senior executives’ messages would be allowed under the company’s terms of service. The terms only allow Facebook to remove content if the company believes “that it violates this Statement or our policies” or for infringing copyright.
Deleting messages quietly, and selectively, also appears to fly in the face of Facebook’s campaign to “make the world more open and transparent.” Its own policies say that the company “should publicly make available information about its purpose, plans, policies, and operations.”
Facebook appears to have not followed these policies in this instance, and it raises questions about the recipient’s right to privacy.
The news comes just weeks after the Cambridge Analytica scandal which has seen Zuckerberg admit that tens of millions of users probably had their data scraped.
The post Facebook #secretly deleted #some of Mark Zuckerberg’s private #messages over fears the #company could be #hacked appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
SEARCH #ENGINE WITH #MILLIONS OF #HACKED DUTCH #PASSWORDS #ONLINE
A search engine showing 1.4 billion of leaked or hacked passwords, including those of some 3.3 million Dutch, is officially online. On Gotcha.pw Dutch people can now check whether their password was stolen by searching for their email address. If there is a leaked password associated with that email address, the site shows the first two characters of the password, NU.nl reports.
You can also search domain names on the site. In this way organizations can see which of their employees’ email addresses and passwords are on the street. Passwords from the National Coordinator for Counter-terrorism and Security, among others, can be found on the site, according to the newspaper. It is not clear whether these are old or current passwords.
The Gotcha.pw site administrator collected these passwords from previous data leaks and bundled them into a search engine. Such search engines have existed for some time. The Dutch police offer a similar service, and people can also use Have I Been Pwned to find out if their password is not safe.
The arrival of the Gotcha.pw search engine was announced with great fanfare last week – in a front page story on AD. The search engine was online for a short time last week Friday, but was taken down again. It initially showed the full hacked password, which is illegal. The administrator therefore adjusted the site to only show the first two letters of the passwords, according to NU.nl.
The post SEARCH #ENGINE WITH #MILLIONS OF #HACKED DUTCH #PASSWORDS #ONLINE appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Under Armour #admits 150 #million #MyFitnessPal #accounts were #hacked
Under Armour said on Thursday that data from some 150 million MyFitnessPal diet and fitness app accounts was compromised in February, in one of the biggest hacks in history, sending shares of the athletic apparel maker down 3 percent in after-hours trade.
The stolen data includes account user names, email addresses and scrambled passwords for the popular MyFitnessPal mobile app and website, Under Armour said in a statement. Social Security numbers, driver license numbers and payment card data were not compromised, it said.
It is the largest data breach this year and one of the top five to date, based on the number of records compromised, according to SecurityScorecard.
Larger hacks include 3 billion Yahoo accounts compromised in a 2013 incident and credentials for more than 412 million users of adult websites run by California-based FriendFinder Networks Inc in 2016, according to breach notification website LeakedSource.com.
Under Armour said it is working with data security firms and law enforcement, but did not provide details on how the hackers got into its network or pulled out the data without getting caught in the act.
While the breach did not include financial data, large troves of stolen email addresses can be valuable to cyber criminals.
Email addresses retrieved in a 2014 attack that compromised data on some 83 million JPMorgan Chase customers was later used in pump-and-dump schemes to boost stock prices, according to U.S. federal indictments in the case in 2015.
Under Armor said in an alert on its website that it will require MyFitnessPal users to change their passwords, and it urged users to do so immediately.
“We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” the company said, adding that it was bolstering systems that detect and prevent unauthorized access to user information.
Under Armour said it started notifying users of the breach on Thursday, four days after it first learned of the incident.
Under Armour bought MyFitnessPal in 2015 for $475 million. It is part of the company’s connected fitness division, whose revenue last year accounted for 1.8 percent of Under Armour’s $5 billion in total sales.
The post Under Armour #admits 150 #million #MyFitnessPal #accounts were #hacked appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
A #15-year-old #hacked the #secure Ledger #crypto #wallet
A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a “supply chain attack” – meaning a hack that could compromise the device before it was shipped to the customer – and another attack that could allow a hacker to steal private keys after the device was initialized.
Rashid is not affiliated directly with any Ledger competitors although there was some suggestion that he did some work on Trezor and other competing hardware wallets. His response:
advertisement:The post A #15-year-old #hacked the #secure Ledger #crypto #wallet appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Former #Tennessee Gov. #Bredesen’s Senate #campaign fears it was #hacked
Source: National Cyber Security News
Former Tennessee Gov. Phil Bredesen’s Senate campaign told the FBI in a letter Thursday that it fears it was hacked.
View full post on National Cyber Security Ventures
D5 Creation | Powered by: WordPressPowered by Yahoo! Answers
