Hacked

now browsing by tag

 
 

Buggy #Verge #crypto-cash gets #hacked, #devs go fork #themselves, #hard

Alt-currency’s value tumbles amid malicious mining mishaps

The Verge cryptocurrency has seen its value drop by 25 per cent after hackers exploiting a bug in the alt-coin’s software forced its developers to hit the reset button and hard-fork the currency.

Programmers on Wednesday confirmed that the fun-bux had been on the receiving end of a “small hash attack” that caused its value to drop from $0.07 to $0.05 per XVG. The developers claimed they had cleared up what was portrayed as a minor hiccup.

According to netizens observing the attack from the Bitcointalk forums, however, the shenanigans were anything but minor. Rather, bugs were present in the XVG code that allowed miscreants to mine blocks with bogus timestamps, messing up the currency’s blockchain.

The programming blunders were leveraged by persons unknown to generate new blocks at a rate of roughly one per second. This, in turn, allowed the attackers to net an estimated $1m.

“Usually to successfully mine XVG blocks, every ‘next’ block must be of a different algorithm,” explained forum poster OCminer, of the Suprnova Mining Pools. “So, for example, scrypt, then x17, then lyra, etc.

“Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block, as a malicious miner or pool, you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algorithm was one hour ago. Your next block, the subsequent block, will then have the correct time. And since it’s already an hour ago – at least that is what the network thinks – it will allow this block to be added to the main chain as well.”

OCminer added it was a 51 per attack, in which miscreants seize control of the majority of miners on a cryptocurrency’s network.

We’ve asked the Verge currency team for comment on the matter, but have yet to hear back at the time of publication.

In addition to the attack, the handling of the aftermath is also drawing criticism. To remedy the issue, the developers hard forked XVG, effectively creating a new blockchain.

“The XVG team erroneously forked their entire network to ‘undo’ the exploited blocks, but this resulted in the entire network being unable to sync,” noted cryptocurrency news site The Merkle.

“When the team was made aware of their mistake, they were able to re-sync the network, but still have not completely defeated the issue.”

advertisement:

The post Buggy #Verge #crypto-cash gets #hacked, #devs go fork #themselves, #hard appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Facebook #secretly deleted #some of Mark Zuckerberg’s private #messages over fears the #company could be #hacked

Want to delete that embarrassing message you just sent? WhatsApp will let you, and so will Instagram — but if you’re using Facebook, then you’re out of luck.

Unless you’re Mark Zuckerberg, the CEO and cofounder of Facebook.

TechCrunch reported Thursday that some old messages sent by Zuckerberg and senior executives have disappeared from recipients’ Facebook Messenger inboxes, proven by the original email receipts sent at the time.

The company appeared to confirm the unique arrangement, telling TechCrunch the change was made in response to an uptick in hacking.

“After Sony Pictures’ emails were hacked in 2014 we made a number of changes to protect our executives’ communications. These included limiting the retention period for Mark’s messages in Messenger. We did so in full compliance with our legal obligations to preserve messages,” the company said.

The Sony hack targeted the emails of Sony film executives, which revealed a side of Hollywood rarely seen by outsiders, and the decision to name the event as a catalyst for Facebook’s message purge indicates how troubling the incident was in Silicon Valley — and that Facebook was concerned about being hacked.

The company also raised the idea of a “retention period,” though there is no such thing for normal users. If a user long presses a private message on Facebook a “Delete Message” pop up confirms that the function will “delete your copy of the message,” and the recipients’ copy will remain.

Facebook-owned Instagram has long had the option to “unsend” direct messages, while Facebook-owned WhatsApp recently launched a deletion function where unread messages can be deleted “for everyone.” A message is then displayed to all participants that content has been deleted.

But Zuckerberg’s deleted messages didn’t leave behind any such message, probably because they had already been read, many years ago.

The messages were originally sent to former employees and people outside of Facebook. According to TechCrunch, the recipients of the now-deleted messages were not informed at any stage that correspondence they received had been erased.

Zuckerberg may be the CEO of Facebook, but it’s unclear how the decision to remove senior executives’ messages would be allowed under the company’s terms of service. The terms only allow Facebook to remove content if the company believes “that it violates this Statement or our policies” or for infringing copyright.

Deleting messages quietly, and selectively, also appears to fly in the face of Facebook’s campaign to “make the world more open and transparent.” Its own policies say that the company “should publicly make available information about its purpose, plans, policies, and operations.”

Facebook appears to have not followed these policies in this instance, and it raises questions about the recipient’s right to privacy.

The news comes just weeks after the Cambridge Analytica scandal which has seen Zuckerberg admit that tens of millions of users probably had their data scraped.

advertisement:

The post Facebook #secretly deleted #some of Mark Zuckerberg’s private #messages over fears the #company could be #hacked appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

SEARCH #ENGINE WITH #MILLIONS OF #HACKED DUTCH #PASSWORDS #ONLINE

A search engine showing 1.4 billion of leaked or hacked passwords, including those of some 3.3 million Dutch, is officially online. On Gotcha.pw Dutch people can now check whether their password was stolen by searching for their email address. If there is a leaked password associated with that email address, the site shows the first two characters of the password, NU.nl reports.

You can also search domain names on the site. In this way organizations can see which of their employees’ email addresses and passwords are on the street. Passwords from the National Coordinator for Counter-terrorism and Security, among others, can be found on the site, according to the newspaper. It is not clear whether these are old or current passwords.

The Gotcha.pw site administrator collected these passwords from previous data leaks and bundled them into a search engine. Such search engines have existed for some time. The Dutch police offer a similar service, and people can also use Have I Been Pwned to find out if their password is not safe.

The arrival of the Gotcha.pw search engine was announced with great fanfare last week – in a front page story on AD. The search engine was online for a short time last week Friday, but was taken down again. It initially showed the full hacked password, which is illegal. The administrator therefore adjusted the site to only show the first two letters of the passwords, according to NU.nl.

advertisement:

The post SEARCH #ENGINE WITH #MILLIONS OF #HACKED DUTCH #PASSWORDS #ONLINE appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Under Armour #admits 150 #million #MyFitnessPal #accounts were #hacked

Under Armour said on Thursday that data from some 150 million MyFitnessPal diet and fitness app accounts was compromised in February, in one of the biggest hacks in history, sending shares of the athletic apparel maker down 3 percent in after-hours trade.

The stolen data includes account user names, email addresses and scrambled passwords for the popular MyFitnessPal mobile app and website, Under Armour said in a statement. Social Security numbers, driver license numbers and payment card data were not compromised, it said.

It is the largest data breach this year and one of the top five to date, based on the number of records compromised, according to SecurityScorecard.

Larger hacks include 3 billion Yahoo accounts compromised in a 2013 incident and credentials for more than 412 million users of adult websites run by California-based FriendFinder Networks Inc in 2016, according to breach notification website LeakedSource.com.

Under Armour said it is working with data security firms and law enforcement, but did not provide details on how the hackers got into its network or pulled out the data without getting caught in the act.

While the breach did not include financial data, large troves of stolen email addresses can be valuable to cyber criminals.

Email addresses retrieved in a 2014 attack that compromised data on some 83 million JPMorgan Chase customers was later used in pump-and-dump schemes to boost stock prices, according to U.S. federal indictments in the case in 2015.

Under Armor said in an alert on its website that it will require MyFitnessPal users to change their passwords, and it urged users to do so immediately.

“We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” the company said, adding that it was bolstering systems that detect and prevent unauthorized access to user information.

Under Armour said it started notifying users of the breach on Thursday, four days after it first learned of the incident.

Under Armour bought MyFitnessPal in 2015 for $475 million. It is part of the company’s connected fitness division, whose revenue last year accounted for 1.8 percent of Under Armour’s $5 billion in total sales.

advertisement:

The post Under Armour #admits 150 #million #MyFitnessPal #accounts were #hacked appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

A #15-year-old #hacked the #secure Ledger #crypto #wallet

A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a “supply chain attack” – meaning a hack that could compromise the device before it was shipped to the customer – and another attack that could allow a hacker to steal private keys after the device was initialized.

Rashid is not affiliated directly with any Ledger competitors although there was some suggestion that he did some work on Trezor and other competing hardware wallets. His response:

Former #Tennessee Gov. #Bredesen’s Senate #campaign fears it was #hacked

Source: National Cyber Security News

Former Tennessee Gov. Phil Bredesen’s Senate campaign told the FBI in a letter Thursday that it fears it was hacked.

The revelation comes as intelligence experts predict a widespread threat of cyberattacks on campaigns and election systems from both domestic and foreign hackers.
According to a copy of the letter obtained by CNN, Bredesen’s campaign “received multiple emails that appeared to be from the campaign’s media buyer” on February 28, which included specific details about a planned media buy and “urged the campaign to wire funds to an international bank account.”
    The letter, written by the campaign’s counsel Robert Cooper and sent to the FBI’s Memphis division, also detailed another email received on the same day which “purport(ed) to be from a principal in the media team that produced the TV commercial, urging transfer of the funds.”
    An FBI official confirmed that the Memphis field office received the letter but declined to comment further.
    Following the phishing attempt, the campaign hired a security firm “to determine the extent of any breaches and review security protocols,” according to the letter.

    Read More….

    advertisement:

    View full post on National Cyber Security Ventures

    Russian group #hacked German #government’s secure #computer #networks

    Source: National Cyber Security News

    A Russian-backed hacker group known for many high-level cyber attacks was able to infiltrate the German government’s secure computer networks, the dpa news agency reported Wednesday.

    Dpa cited unidentified security sources saying the group APT28 hacked into Germany’s foreign and defence ministries and managed to steal data.

    The attack was noticed in December and may have lasted a year, dpa reported.

    The Interior Ministry said in a statement that “within the federal administration the attack was isolated and brought under control.” The ministry said it was investigating.

    A spokesman wouldn’t give further details, citing the ongoing analysis and security measures being taken.

    “This case is being worked on with the highest priority and considerable resources,” the ministry statement said.

    APT28, which has been linked to Russian military intelligence, has previously been identified as the likely source of an attack on the German Parliament in 2015, as well as on NATO and governments in eastern Europe.

    Also known by other names including “Fancy Bear,” APT28 has also been blamed for hacks of the U.S. election campaign, anti-doping agencies and other targets.

    Read More….

    advertisement:

    View full post on National Cyber Security Ventures

    The #Trick To #Winning At #Cybersecurity? Expect To Get #Hacked

    Source: National Cyber Security News

    When the ATM started spewing cash at the Citizens Bank in Cromwell, Conn. on Jan. 27, it was no freak mechanical accident.

    Instead, this is one of the first instances in the U.S. of so-called “jackpotting,” where thieves attempt to hack into ATMs by installing malware, causing money to fly out spontaneously. That day, Cromwell Police officers arrested two men who were found near an ATM as it was dispensing $20 bills — the suspects allegedly possessed more than $9,000 in $20 bills, according to the U.S. Attorney’s Office in the District of Connecticut. And while it may sound like a scene lifted from a Hollywood caper, it is no anomaly: the U.S. Secret Service reportedly warned about this new technological capacity in the U.S. last month, previously seen overseas. Other instances have been reported in Hamden and Guilford, Conn. as well as Providence, Rhode Island.

    These are some of the latest examples of one of the growing worries of our increasingly interconnected and wired world. Just ask Dr. Eric Cole. Cole is a former member of the Commission on Cyber Security and chief technology officer of McAfee, whose mounting concerns about risks to consumers prompted him to write his new book Online Danger:

    Read More….

    advertisement:

    View full post on National Cyber Security Ventures

    1.4 #billion #hacked #passwords leaked #online, now you’re at #risk

    Source: National Cyber Security – Produced By Gregory Evans

    Staying protected from cybercriminals is something everyone needs to stay on top of now that we’re living in a digital world. New data breaches, malware and phishing scams are popping up constantly.

    Having sensitive information fall into the hands of criminals is the last thing that we need. You definitely don’t want your identity stolen or hackers having access to your bank accounts.

    Unfortunately, a massive archive of stolen credentials was recently discovered online that could put you at risk.

    Have your credentials been exposed?

    Security researchers at 4iQ recently discovered a 41GB archive that contains more than 1.4 billion stolen user credentials. The credentials, including passwords, are unencrypted on the Dark Web.

    The database includes email addresses, passwords and usernames. This isn’t actually a new data breach, it’s a collection of information that had been stolen in previous data breaches.

    Researchers who discovered the file said, “While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials–the largest aggregate database found in the dark web to date.”

    More than 250 previous data breaches contributed to this collection of stolen credentials. The stolen information was well organized, even indexed alphabetically by the criminal who put it together.

    Anytime there is a massive data breach, there are steps that you need to take to make sure your information is secure. Keep reading for suggestions.

    Change your password

    Whenever you hear news of a data breach, it’s a good idea to change your account passwords. This is especially true if you use the same credentials for multiple websites, which is a bad idea.

    If your credentials are stolen from a breach, criminals can test them on other sites to log into those accounts as well.

    Keep an eye on your bank accounts 

    You should already be frequently checking your bank statements, looking for suspicious activity. It’s even more critical when sensitive information has been exposed through a data breach.

    If you see anything that seems strange, report it immediately. It’s the best way to keep your financial accounts safe.

    Set up two-factor authentication 

    Two-factor authentication, also known as two-step verification, means that to log into your account, you need two ways to prove you are who you say you are. This is an extra layer of security that will help keep your accounts safe.

    Investigate your email address 

    This is a critical step and it will only take a few seconds of your time. You need to find out if your credentials are part of any recent data breach. The best way to find out if you’re impacted is with the Have I Been Pwned website. 

    It’s an easy-to-use site with a database of information that hackers and malicious programs have released publicly. It monitors hacker sites and collects new data every five to 10 minutes about the latest breaches. You can even set up alerts to be notified if your email address is impacted in the future.

    Beware of phishing scams 

    Scammers will try and piggyback on data breaches like this. They will create phishing emails, hoping to get victims to click on malicious links that could lead to more problems. You need to familiarize yourself with what phishing scams look like so you can avoid falling victim to one.

    FROM WEBCAMS, SIGN-INS, TO ALEXA, DON’T MAKE THESE MISTAKES

    When our PCs work normally, we sometimes take them for granted. We recklessly fill up our hard drives with data, download files, install applications and browse the web as we please. But of course, all it takes is one installation of a malicious application to ruin your PC and worse, have all your information stolen.

    The post 1.4 #billion #hacked #passwords leaked #online, now you’re at #risk appeared first on National Cyber Security Ventures.

    View full post on National Cyber Security Ventures