Facebook secretly deleted some of Mark Zuckerberg’s private messages over fears the company could be hacked

Want to delete that embarrassing message you just sent? WhatsApp will let you, and so will Instagram — but if you’re using Facebook, then you’re out of luck.

Unless you’re Mark Zuckerberg, the CEO and cofounder of Facebook.

TechCrunch reported Thursday that some old messages sent by Zuckerberg and senior executives have disappeared from recipients’ Facebook Messenger inboxes, proven by the original email receipts sent at the time.

The company appeared to confirm the unique arrangement, telling TechCrunch the change was made in response to an uptick in hacking.

“After Sony Pictures’ emails were hacked in 2014 we made a number of changes to protect our executives’ communications. These included limiting the retention period for Mark’s messages in Messenger. We did so in full compliance with our legal obligations to preserve messages,” the company said.

The Sony hack targeted the emails of Sony film executives, which revealed a side of Hollywood rarely seen by outsiders, and the decision to name the event as a catalyst for Facebook’s message purge indicates how troubling the incident was in Silicon Valley — and that Facebook was concerned about being hacked.

The company also raised the idea of a “retention period,” though there is no such thing for normal users. If a user long-presses a private message on Facebook, a “Delete Message” pop-up confirms that the function will “delete your copy of the message,” and the recipients’ copy will remain.

Facebook-owned Instagram has long had the option to “unsend” direct messages, while Facebook-owned WhatsApp recently launched a deletion function where unread messages can be deleted “for everyone.” A message is then displayed to all participants that content has been deleted.

But Zuckerberg’s deleted messages didn’t leave behind any such message, probably because they had already been read, many years ago.

The messages were originally sent to former employees and people outside of Facebook. According to TechCrunch, the recipients of the now-deleted messages were not informed at any stage that correspondence they received had been erased.

Zuckerberg may be the CEO of Facebook, but it’s unclear how the decision to remove senior executives’ messages would be allowed under the company’s terms of service. The terms only allow Facebook to remove content if the company believes “that it violates this Statement or our policies” or for infringing copyright.

Deleting messages quietly, and selectively, also appears to fly in the face of Facebook’s campaign to “make the world more open and transparent.” Its own policies say that the company “should publicly make available information about its purpose, plans, policies, and operations.”

Facebook appears to have not followed these policies in this instance, and it raises questions about the recipient’s right to privacy.

The news comes just weeks after the Cambridge Analytica scandal which has seen Zuckerberg admit that tens of millions of users probably had their data scraped.

The post Facebook secretly deleted some of Mark Zuckerberg’s private messages over fears the company could be hacked appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Tinder vulnerability allows hackers to take over accounts with just one phone number

Source: National Cyber Security News

After it was reported last month that online dating app Tinder had a security flaw that allowed strangers to see users’ photos and matches, security firm Appsecure has now uncovered a new flaw that is potentially more damaging.

Infiltrators who exploit the vulnerability would be able to get access to a user’s account with the help of the user’s login phone number. The issue has, however, been fixed after Tinder was alerted by Appsecure.

Appsecure says the hackers could have taken advantage of two vulnerabilities to attack accounts, one in Tinder’s own API and the other in Facebook’s Account Kit system, which Tinder uses to manage logins.

In a statement sent to The Verge, a Tinder spokesperson said, “Security is a top priority at Tinder. However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers.”

The vulnerability exposed the access tokens of the users. If a hacker is able to obtain a user’s valid access token then he/she can easily take over a user account.

“We quickly addressed this issue and we’re grateful to the researcher who brought it to our attention,” The Verge quoted a Facebook representative as saying.

Man, 30, held over hacking attacks on two Hong Kong travel agencies

Source: National Cyber Security – Produced By Gregory Evans

Officers raid IT worker’s flat on Cheung Chau and also seize two desktop computers, two laptops, one tablet, three hard disks and five mobile phones

A 30-year-old Hong Kong man was arrested in connection with cyberattacks in which the computers of two travel agencies in the city were hacked and their clients’ sensitive personal information held for ransom, with payouts in bitcoin sought last week.

The two travel agencies reported the incidents to police on January 1 and 2.

One bitcoin (HK$123,735 or US$15,819) was demanded as a ransom in each hacking case, according to police.

Officers from the force’s Cyber Security and Technology Crime Bureau raided a flat in the outlying island of Cheung Chau and arrested the man on Saturday.

During the operation, police seized two desktop computers, two laptops, one tablet, three hard disks and five mobile phones in the flat.

At lunchtime on Monday, police escorted the suspect to his workplace on Hoi Yuen Road in the Kwun Tong district of Kowloon to gather evidence.

The Post understands the suspect, a computer technician, hacked into the computers of the agencies on New Year’s Day through security loopholes on their websites hours before the companies were hit with demands for a ransom to be paid in bitcoin.

“An email was sent to the persons in charge of the companies after the personal information of more than 20,000 customers was stolen from the computer servers of the agencies,” a police source said.

“The companies were told to pay in bitcoin in a newly opened account with threats that their customers’ data would be posted on the internet if the firms failed to pay on Saturday.”

The stolen information included customers’ names, identity card numbers and contact numbers but no credit card information was involved.

Officers from the Cyber Security and Technology Crime Bureau were understood to have worked around the clock and checked tens of thousands of log records to the servers to gather information.

“Investigations showed circuitous routes were used to hack into the computer servers, but officers eventually identified the suspect through his IP address,” another source said.

He said the man was nabbed at home on Cheung Chau hours before the payment deadline.

Officers would carry out a forensic examination of the victims’ computers and hard disks to gather information, he said.

At about 5pm on Monday, the suspect was still being held for questioning and had not been charged.

“We believe his motive was to look for money,” bureau superintendent Swalikh Mohammed said.

Investigations were continuing and he did not rule out the possibility of further arrests.

“The cyber world is not a lawless place where criminals can hide. A majority of the laws applicable to the real world can also be applied to the internet,” he warned.

He said blackmail was a serious offence that carries a maximum penalty of 14 years in prison.

Travel agency Goldjoy Holidays revealed on Thursday that unauthorised parties accessed its customer database containing personal information such as names and identity card numbers, passport details and phone numbers.

The company apologised to customers and promised it was taking steps to tighten cybersecurity.

The other agency, Big Line Holiday, said on Wednesday night that hackers might have broken into its database a day earlier and gained possession of some of its customers’ personal information.

The data was believed to include ID card numbers, home return permit numbers and phone numbers.

In a statement, Big Line said: “Our company attaches great importance to this incident and deeply apologises to the affected clients.”

Big Line, which has 13 branches and organises tours to mainland China and Asia, said it received a letter from perpetrators demanding a sum of money for the release of the information.

In November, one of the city’s largest travel agencies, Hong Kong-listed WWPKG Holdings, revealed that its customer database had also been hacked, putting at risk personal data such as ID card numbers and credit card information of some 200,000 customers.

The culprits had asked for a seven-figure ransom, to be paid in bitcoin, but the firm did not pay and instead called the police, who later managed to decrypt the data. Because of the hacking incident, all four of the agency’s branches – in Tsim Sha Tsui, Mong Kok, Causeway Bay and Sha Tin – were closed for a day.

The force recorded 653 cases of cybercrimes in 2005, the first year it began tracking such offences, and saw the number reach 5,939 in 2016, with financial losses hitting HK$2.3 billion.

Restaurant-goer has Bitcoins stolen over unsecured public wireless network

Source: National Cyber Security – Produced By Gregory Evans

AFTER logging on to the public Wi-Fi at a restaurant, a man unwittingly had $155,000 stolen from his digital wallet. This is the real problem with Bitcoin.

AN UNSUSPECTING diner has had $155,000 worth of the digital currency Bitcoin stolen from him while logged on to a restaurant’s unsecured public Wi-Fi network.

The incident reportedly took place in an Austrian restaurant this week with the cyber thieves moving the digital currency to an “unknown, non-traceable account,” police said in a statement.

The 36-year-old victim reportedly logged on to the unsecured network to check the value of his Bitcoin holdings. He later realised that 100,000 euros’ worth had been stolen.

It remains unclear whether the victim’s account was already hacked before he logged on to the unsecured network, police said.

The incident, while small in nature, highlights the issue of hackers targeting personal Bitcoin accounts as the digital currency has exploded in value in recent years.

While Bitcoin is arguably becoming mainstream, it has had to endure a string of controversies along the way.

In January 2014, a Japanese-based Bitcoin exchange known as Mt Gox was hacked. It was once the largest bitcoin intermediary and the world’s leading bitcoin exchange before thieves made off with 850,000 BTC. At today’s value, that’s worth a staggering $A 9,147,700,000.

In June this year, South Korea’s largest Ethereum (another popular cryptocurrency) and Bitcoin exchange was breached by hackers who stole customers’ data and targeted their accounts in an effort to drain their digital wallets. According to local media reports, one person claimed to have lost 1.2 billion won, or about $A1.4 million.

And this week, a cryptocurrency start-up specialising in Initial Coin Offerings (ICOs) called Confido raised about $500,000 before the company’s website and founders vanished, along with the cash.

These are just a few examples of the potential dangers posed by operating in the still emerging crypto market. That being said, the threat of hackers certainly isn’t a problem confined to cryptocurrencies as hackers have also targeted central banks, recently fleecing more than $US100 million from the Bangladesh central bank’s account at the US Federal Reserve.

But if you’re going to check how much your Bitcoin wallet is worth, maybe be careful about where you log on.

How to give your parents the cyber-security talk over the holidays

Source: National Cyber Security – Produced By Gregory Evans

Times have changed. Talk around the Thanksgiving table is a lot different in this tech age than it used to be.

I can picture kids gathered with their electronic devices and adults talking about the latest technology at work or their latest game console. All of this is going on while parents and grandparents are trying to keep up and learn this new language and terminology.

While kids are used to parents talking to them about things in their best interest, the tide has turned. It’s now time for us to have that security talk with mom and dad about protecting them in the cyber world.

The talk

You might not want to bring it up while mom or dad takes a bite of turkey and mashed potatoes, but at some point during Thanksgiving Day, you should talk to them about keeping their personal information safe online.

Unfortunately, we’ve seen too many high-profile hacks over the last year. With just the Equifax breach alone, half of Americans were impacted.

So, look at Thanksgiving as a chance to provide security tips to all of your family members. But you might have to explain it in a way they understand. Many don’t know that a virus also infects a computer and you might get a cold stare when you mention the word “phishing.”

Ransomware and varying types of encryption are also words you might want to stay away from, at least in the beginning.

Phishing

Explain to them that phishing is when someone pretends to be someone else in order to steal information such as a credit card number, password or anything else that could be used in another attack. This is usually done through email and often contains a link to a website designed to trick you. Verizon’s data breach investigations report says 91 percent of data breaches happen this way. It’s also the most common way to get hit with viruses.

In simple terms, let your loved ones know that by avoiding phishing emails now they won’t have to deal with a stolen credit card months or even a year down the road.

There are three main ways to spot a phishing email: bad grammar, a thinly-veiled email disguise such as facebookk.com instead of facebook.com and weird links. You can hover your mouse over photos and links to see where they’ll lead you before clicking on them. If an email claiming to be from a legitimate site is actually going to a suspicious website, that’s a good sign it’s a scam.

Password managers

Let your parents know there are password managers that can help you in remembering different passwords for all of your accounts. It’s not necessary for them to keep track of all of them.

You only have to remember one password when you use a password manager. You just simply log onto that and it’ll sync your browsers and devices, creating security and convenience.

Other misc advice

Some of this might be a little complicated to those who are in the beginning stages of learning technology. Instead of going into too much detail, here are simple ways to explain these terms.

HTTPS and SSL: If you see a green lock next to the URL on a website, you’re on an HTTPS page, which means the website uses a Secure Sockets Layer (SSL).

Ransomware: This is a virus that locks up your files and sometimes your entire computer unless you pay the ransom. The best solution is to back up your files regularly.

Patching: If you get sent an update from a company like Microsoft and Apple, go ahead and update your device. This can prevent hackers from accessing your computer.

Two-factor authentication: Think of this as the equivalent of having two locks on your door. It’s an extra layer of security on top of your computer password. The most common version is a code texted to your phone after entering your password. This makes it tougher for hackers to gain access to your accounts.

The best way of explaining computer security to your loved ones is to compare it to things they’d do at home like locking windows and doors. Showing them statistics of all the millions who’ve been impacted by these security breaches is another good method. Statistically, you’re more likely to be robbed online than you are in person.

IS militants hack into Swedish radio station in Malmo, take over broadcast

Source: National Cyber Security – Produced By Gregory Evans

The attack occurred Friday morning in the southern city of Malmo, but went unnoticed until listeners began calling in. Experts say it is unlikely the perpetrators will be caught.

Islamic State militants hacked into a Swedish radio station Friday, taking over its transmission and broadcasting an English language propaganda song aimed at recruiting more militants.

The song entitled, “For the Sake of Allah” played for about 30 minutes on the Mix Megapol station in Malmo. Mix Megapol is an FM and internet-based radio station that is part of a private radio network.

Jakob Gravestam, a Marketing Director for the Bauer Media Group, which operates the Malmo-based station, issued a statement that said “Somebody interfered with our frequency using a pirate transmitter.”

Mix Megapol is one of Sweden’s biggest radio stations, and has about 1.4 million listeners daily. But the pirated transmission was only heard in parts of the southern city of Malmo, Sweden’s third largest metropolis, with a population of about 350,000.

The song features male voices singing, in English, such lyrics as: “For the sake of Allah we will march to gates of the paradise where our maidens await. We are men who love death just as you love your life, we are soldiers who fight in the day and the night.”

Preventing such attacks

The hack occurred during a popular morning show ‘Anders & Gry with Friends’ but the hosts didn’t notice anything was askew until listeners called in and asked what was going on.

“A lot of people have called us about this,” Gravestam told the 24Malmo website. “We are very happy that people are vigilant and we treat this very seriously.”

Gravestam said the attack highlights the need for broadcasters to discuss how to “prevent” such incidents. He added that Bauer Media will organize such a discussion and invite other broadcasters, as well as the Swedish Post and Telecom Authority (PTS), which monitors the electronic communications and postal sectors, to the meeting.

Florida man gets 16 months over bitcoin bank hacker scheme

Source: National Cyber Security – Produced By Gregory Evans

NEW YORK – A Florida software engineer was sentenced to 16 months in prison for helping run an illegal Bitcoin exchange suspected of laundering money for a group of hackers who targeted financial and publishing firms including JPMorgan Chase & Co. and Dow Jones & Co.

Yuri Lebedev, 39, helped operate Coin.mx, which tricked banks into processing bitcoin transactions by disguising them as restaurant-delivery charges and online purchases of collectible items. He was convicted in March of conspiracy and fraud following a month-long trial in Manhattan.

Lebedev, wearing a black suit, stood before sentencing to tell the judge he regretted his actions. He said he joined Coin.mx to create “cutting edge technology” and build something “that would make me exceptional.”

“I got carried away,” he said, adding he realizes now “there are no shortcuts.”

U.S. District Judge Alison J. Nathan in New York said Lebedev used his “impressive technology skills” to trick banks, making them “unwilling participants in the scheme.”

Prosecutors said the unregistered exchange sold bitcoins that were used in illegal online transactions and as payment in ransomware attacks. To help dodge regulators, Lebedev also conspired with his boss to bribe a New Jersey pastor to let them take over a credit union that was run out of a church and use it to help legitimize the exchange’s corrupt operations.

The operator of Coin.mx, Anthony Murgio, was sentenced to 5½ years in June. He admitted in January that he ran Coin.mx for the hacking scheme’s main Israeli architect, Gery Shalon, the self-described founder of a sprawling criminal enterprise that hacked at least nine companies.

Lebedev was born in Russia and raised in Ukraine before moving in with a host family in the U.S. state of Georgia. His attorney, Eric Creizman, cited the wide-ranging nature of the scheme to portray his client as a husband and doting father of three who had been caught up in something too big for him to recognize. In court papers, he described Lebedev as an “unlikely criminal defendant.”

“This case in which Lebedev was tried and convicted as a defendant involved a far broader scope of criminality than the conduct that Lebedev purposefully involved himself in or even knew about,” Creizman said in a court filing.

Lebedev wasn’t accused of money laundering and wasn’t involved in the hacking scheme. Creizman emphasized his technology role and said he wasn’t involved in the three-way calls with banks in which customers lied about the nature of their transactions.

Family and friends sent letters to the court supporting Lebedev, all of which described him as a man devoted to hard work and to giving his children the kind of opportunities he didn’t have in Ukraine. His host family described how Lebedev tutored their child in math, while a college friend relayed how Lebedev washed dishes to avoid using a credit card for living expenses like others did.

Shalon’s global network allegedly stole information on more than 100 million customers of banks and publishing firms and generated hundreds of millions of dollars in illicit proceeds from pump-and-dump stock scams and online gambling.

Murgio operated the exchange with Lebedev from about 2013 to 2015 through a front company, the Collectables Club Private Member Association, which lists Murgio’s West Palm Beach address, court papers show. At Murgio’s sentencing hearing, he wept and said he’d “screwed up badly.”

The men “knowingly exchanged cash for people whom they believed may be engaging in criminal activity,” the government said in court filings.

As part of the scheme, Lebedev was installed on the board of New Jersey-based HOPE Federal Credit Union to bribe Trevon Gross, a pastor who was convicted in the same case, to gain control of the credit union and use it to process corrupt bank transactions that would appear legitimate, court filings show. Gross hasn’t been sentenced.

“Lebedev was one of the handful of co-conspirators involved in the credit union’s processing of over $60 million in risky” transactions, prosecutors said in court papers.

Lebedev’s role was to set up an array of servers that Coin.mx used to process its transactions, a critical element of the scheme that required constant attention to avoid detection by the banks, the U.S. said.

“One of those critical issues that Lebedev handled was the use of separate servers to mislead banks and payment processors into thinking that Coin.mx bitcoin transactions were actually Collectables Club memorabilia and MyXtremeDelivery food transactions,” the U.S. said in court papers.

Lebedev also attempted to obstruct the case by deleting files from a computer, prosecutors said.

Shalon and his alleged top lieutenant, Ziv Orenstein, were arrested in Israel in July 2015 and extradited to the U.S. last year. They have pleaded not guilty. An American who allegedly conspired with them, Joshua Aaron, who attended Florida State University with Anthony Murgio, was detained by Russian authorities in 2015 and returned to the U.S. to face charges. He denies wrongdoing.

Ethereum heist: New phishing scam sees hackers rake in over $15,000 in just two hours

Source: National Cyber Security – Produced By Gregory Evans

A new Ethereum phishing campaign, targeting users of the online Ethereum wallet website Myethereumwallet.com, has been uncovered. The scam saw hackers make away with over $15,000 (£11,308) in just two hours.

According to security researcher Wesley Neelen, who identified the campaign when he received a phishing email from the cybercriminals, the scam involved hackers sending out phishing emails purporting to be from the Myetherwallet.com website. The email was designed to trick victims into clicking on malicious links that would redirect them to a fake version of the website. The victims would then be prompted into divulging their account passwords, which the hackers would later use to transfer out all the coins in the victims’ wallet.

Although the fake Myetherwallet.com site was designed to look similar to the legitimate site, keen observers would likely notice that the fake site contained a small comma beneath the “t” in the site’s address. According to Neelen, the cybercriminals used a Unicode trick that allowed them to register domains that looked like Latin characters. This ploy, in turn, allowed the hackers to create fake sites that can convincingly look like legitimate sites to unsuspecting users.
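A defender-side check for the lookalike addresses described here and in the earlier phishing advice (facebookk.com instead of facebook.com), written as an added example that is not from the article or from Neelen’s research. The allowlist `KNOWN_GOOD`, the partial Cyrillic map and the function names are assumptions made for illustration.

```python
import unicodedata

# Assumption: the defender keeps an allowlist of domains users really mean to visit.
KNOWN_GOOD = ("myetherwallet.com", "facebook.com")

# Constructed, deliberately partial map of Cyrillic letters that render like Latin
# ones. A production check would use the full Unicode confusables data instead.
CYRILLIC_LOOKALIKES = {"а": "a", "е": "e", "о": "o", "р": "p",
                       "с": "c", "у": "y", "х": "x", "і": "i"}


def skeleton(domain: str) -> str:
    """Fold a domain to the ASCII string a reader would perceive."""
    folded = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):  # drop marks such as a comma below a 't'
            continue
        folded.append(CYRILLIC_LOOKALIKES.get(ch, ch))
    return "".join(folded)


def to_punycode(domain: str) -> str:
    """ASCII (xn--) form of the name, which exposes labels with non-ASCII letters."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return "<not encodable>"


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch one added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> str:
    """Compare a domain taken from a link against the allowlist."""
    name = domain.lower().rstrip(".")
    if name in KNOWN_GOOD:
        return "known-good"
    skel = skeleton(name)
    if skel in KNOWN_GOOD:  # looks identical after folding, but the bytes differ
        return "homograph of " + skel
    for good in KNOWN_GOOD:
        if edit_distance(skel, good) <= 1:
            return "typo-lookalike of " + good
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs: the real name, a 't' with comma below, a doubled 'k'.
    for d in ("myetherwallet.com", "myetherwalle\u021b.com", "facebookk.com"):
        print(to_punycode(d), "->", classify(d))
```

Showing the `xn--` form of a link target is often enough for a user or mail filter to see that the address is not the plain Latin name it appears to be.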

According to Neelen, some people have unfortunately already fallen victim to the scam. Neelen and his colleague Rik van Duijn discovered a log file that contained a list of all the wallets stolen by the hackers. The security experts determined that the cybercriminals had stolen a total of $15,875.65 in Ethereum and had then proceeded to transfer the stolen coins to three different wallets operated by the hackers.

Ethereum’s growing popularity has made it an attractive target for cybercriminals. So far, there have been around four incidents involving hackers stealing millions of dollars worth of ether from various wallets. Oddly, in one such Ethereum heist, a hacker who stole nearly $7m of Ethereum from CoinDash later returned around $3m in stolen funds, sparking further mystery about the heist.
