Source: National Cyber Security – Produced By Gregory Evans If you receive a phone call from anyone claiming to be an employee of an online shopping site or ‘buy first – pay later’ business advising you there are issues associated with your account – just hang up and contact the company using an independently verified […]
What Mr. Pierson describes is low-hanging fruit — the kind of security flaws that can quickly be fixed with a little knowledge and attention to detail. Even then, he said, it takes time for the true nature of clients’ vulnerability to sink in. “They’re shocked when we give them their password and tell them where we found it, but it doesn’t hit as hard as when we tell them their entire home automation system has been potentially online and viewable for three or five or eight years,” he said.
When it comes to a Bezos-style breach — potentially at the hands of a nation-state’s intelligence service — high-profile targets would likely be even less prepared. As Mr. Bezos’s lengthy investigation into the 2018 attack shows, it’s difficult to get straight answers even when you have the money and resources to run full forensics.
Of course, it’s not just wealth that turns somebody into a person of interest for hackers. Journalists, government employees, workers at energy companies and utilities could all be targets for someone. Those who work for financial firms, airlines, hospitals, universities, Hollywood studios and tech firms are all potentially at risk. To mitigate that risk, there are plenty of things you can do. You can take steps to secure yourself from corporate data collection using privacy settings on your phone. And to protect yourself from cyberattacks there are helpful guides you can use that have been vetted by security professionals.
For most of us, the attack against Mr. Bezos isn’t the death of privacy, but a reminder of the risks of living a connected life. It should be a moment to think as critically about what you do online as you might in the real world. Invest in a password manager. Turn on dual factor authentication. Be skeptical of any communication that looks out of place.
For the ultrarich and influential, the Bezos hack should be a terrifying revelation that, as the former State Department employee and whistle-blower John Napier Tye told me last autumn, “For someone who’s truly a high-value target, there is no way to safely use a digital device.” The stakes are astronomically high. Not just personally, as Mr. Bezos found, but professionally. Company secrets, matters of national security, access to critical infrastructure and the safety of employees could all be compromised by lax security at the top.
The internet has long been thought of as a truly democratic tool, flattening and democratizing the ability to publish and communicate. It’s also the great privacy equalizer. Money can buy a lot of things. But on a dangerous internet full of exploits, flawed code, shady actors and absent-minded humans, total, foolproof security is not one of them.
The post #deepweb | Opinion | Jeff Bezos’s Phone Hack Should Terrify Everyone appeared first on National Cyber Security.
Facebook in October reportedly derailed an investigation into an Islamic State terror suspect by European law enforcement and an Israeli intelligence firm by warning users that their phones had been hacked.
The company’s massively popular messaging platform, WhatsApp, notified some 1,400 users, including the suspect, that an “advanced cyber actor” had gained access to their devices. The suspect, who was believed to be planning a terror attack during the holiday season, disconnected shortly after.
The officials in the unnamed Western European country had hacked the suspect’s phone with software developed by Israel’s NSO Group, which they secured with a government contract and the approval of a judge, according to a Wall Street Journal report.
The WhatsApp warning message to users said: “An advanced cyber actor exploited our video calling to install malware on user devices. There’s a possibility this phone number was impacted.”
The company was reportedly unaware of the security investigations.
A Western intelligence official told Channel 12 that the notification had been sent to both Islamic State and Al Qaeda suspects, calling the intelligence breach “a disturbing and dangerous fact,” according to a Sunday report.
The alert foiled investigations into some 20 cases, including into suspected terrorists and pedophiles, the official said.
Investigators breached suspects’ phones “surgically” using a loophole in the app, had been monitoring the suspects for a long time, and following the alert had to start the investigations anew, he said.
The investigation into the Islamic State suspect planning a holiday season attack had relied on the suspect’s phone for information on his activities and communications, and had only had access to the device for a few days — not enough time to complete the probe.
One European intelligence official said that the NSO technology had given his team information on a violent bank-robbing outfit and weapons dealers, which led to arrests. He said that officials in other countries in Western Europe had told him that over 10 investigations may have been thwarted by the WhatsApp message to users.
On October 29, the same day as the alert, WhatsApp sued NSO Group, accusing it of using the platform to conduct cyber-espionage on journalists, human rights activists and others.
The suit, filed in a California federal court, contended that NSO Group tried to infect approximately 1,400 “target devices” with malicious software to steal valuable information from those using the messaging app.
WhatsApp said NSO Group’s hacking was illegal and that it was acting to protect its users.
NSO Group told The Wall Street Journal that its tools were “only licensed, as a lawful solution, to government intelligence and law-enforcement agencies for the sole purpose of preventing and investigating terror and serious crime.”
Most of its clients are democracies in Europe that use its technology to fight crime and terror, NSO Group said.
NSO Group came to prominence in 2016 when researchers accused it of helping to spy on an activist in the United Arab Emirates.
Its best-known product is Pegasus, a highly invasive tool that can reportedly switch on a target’s phone camera and microphone, and access data on it.
The firm has been adamant that it only licenses its software to governments for “fighting crime and terror,” and that it investigates credible allegations of misuse, but activists say the technology has been instead used for human rights abuses.
The post #hacking | Facebook reportedly derailed Europe terror probe by alerting users of phone hack appeared first on National Cyber Security.
“Please don’t go!” Jared’s mother, Kathy Bowling, begged him. “This is why I don’t want you to go!”
“This is why I have to go,” he told her.
Two months after he graduated, in May 2012, Jared packed his bags to join the Army. In his spare time during training, he recorded videos of himself in his camouflage uniform, singing pop songs and Christian hymns, which he uploaded to his YouTube channel. He was deployed to Afghanistan less than a year later, manning a .50-caliber gun atop a Buffalo, a moving-truck-sized armored vehicle.
Jared had wanted to see combat, but the reality of it hit him harder than he’d imagined. He was terrified one night when his base came under rocket fire. Two of his buddies were blown up in a truck. But that wasn’t the worst of it. Jared told his brother about one particular firefight where he was blasting away with the .50-caliber gun. “I don’t know for sure, but I might have killed a child,” he told Jacob. He didn’t want to say much more about it.
After a patrol in Kandahar Province one day, Jared injured his back while getting off the Buffalo. He was flown to a hospital on a base in Germany. There, the doctors put him on painkillers and told him he couldn’t go back into combat. After barely six months in the field, he was done as a war-fighter.
Stuck on base, his ambitions crushed, Jared started coming unglued. He hit the bars every night, drinking heavily. He got a local woman pregnant. He was caught driving drunk and confined to barracks. He made a clumsy suicide attempt with pills, which got him placed in psychiatric care for a few days. By October 2015 he was discharged and back home in Greenville.
Though his parents, sister, and two brothers gave him a hero’s welcome, Jared was lost. “All my life I wanted to be a soldier, and now I can’t do that,” he told Jacob. “I just feel worthless.” He bounced from job to job and between his divorced parents’ houses. As the months went by, his once muscular physique turned soft. Jared had nightmares and occasional panic attacks and got into bar fights. He was diagnosed with PTSD and prescribed antidepressants. Stuck for a job, he bought a Jeep and started driving for Uber. Over Kathy’s objections, he also bought a stubby black 9-mm pistol to keep in the car, for protection.
By mid-2018, though, things were looking up. He was dating a local girl. He had a dog, a lively German shepherd he called Tex. He’d landed a great job for a chatterbox like him, selling phones and internet service plans at the local AT&T store, and he and Jacob had moved into an apartment with a balcony overlooking the complex’s pool. The brothers would cook, watch football games, stream Netflix with their girlfriends. Once a week they’d have dinner with their mom and then go into town to drink tequila and sing at DT’s, their favorite karaoke bar. Just about every time, Jared would wail through his three signature songs—“Drops of Jupiter,” “Bohemian Rhapsody,” and “No Diggity.”
The caller said he was a police detective. He’d been contacted by Caroline’s parents, who were outraged that Jared had sexually propositioned their daughter.
Though he and his girlfriend didn’t mean to get pregnant, Jared was overjoyed when his son Jaxon was born. He stopped taking the antidepressants; he wanted to keep his head clear to be a good dad to the baby.
Before long, however, Jared split with Jaxon’s mom. Suddenly he was a part-time single dad, fighting regularly with his ex. He turned to Tinder and soon started seeing a young woman whom I’ll call Lisa—she doesn’t want her real name published. But from time to time, he still cruised dating sites, and in early September he came across the pretty blonde who said her name was Caroline Harris. The two chatted on the dating app. When she said, “I’ll be 18 in a few weeks,” he replied, “Oh that’s cool when will you be 18?”
The post The War Vet, the Dating Site, and the Phone Call From Hell appeared first on National Cyber Security.
#cybersecurity | #hackerspace | Apple Confirms iPhone Regularly Gathers Location Data, But Says It Doesn’t Leave the Phone
Apple confirmed that its latest iPhone 11 phones come with a feature that requires regular geolocation checks, but the company said that information doesn’t leave the phone. Security researcher Brian Krebs noticed that the latest iPhone 11 was making geolocation checks even when all apps that […]
Email addresses and phone numbers might have been misused
No personal data was shared externally by Twitter
No reports on the number of people impacted have come out yet
In a recent incident of a data breach, Twitter has confirmed that user data like email addresses and phone numbers provided by users for security purposes may have been unintentionally used for advertising purposes.
According to a news report, Twitter is currently unable to say with certainty how many people were impacted by the breach. However, the US-based company also asserted that no personal data was ever shared externally with its partners or any other third parties.
In a statement, Twitter highlighted that the personal data, which were provided for safety or security purposes (for example, two-factor authentication) may have been inadvertently used for advertising purposes, specifically in their Tailored Audiences and Partner Audiences advertising system, which helps in creating relevant remarketing campaigns.
While explaining how the breach occurred, Twitter, in a statement, said, “When an advertiser uploaded their marketing list, it may have matched people on our platform to that list based on the email or phone number that the user had provided for safety and security purposes.”
As of September 17, Twitter has acknowledged the problem and claimed that it has stopped using numbers or email addresses collected for safety or security purposes, for advertising.
Although Twitter apologised for this error, it also shared that they have no idea how many people were impacted by this. “We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,” the microblogging site added in the statement.
Twitter’s average monetisable daily active usage (mDAU) has grown from 122 million in the June 2018 quarter to 139 million (29 Mn in the US and 110 Mn from international markets) in the June 2019 quarter. Even in the previous quarter, it had an mDAU of 134 million.
Data Breach On Rise: How Is India Protecting Itself?
Indian Prime Minister Narendra Modi has touted data as the new oil and new gold and rightly so as it has become very lucrative for hackers to steal and sell the same. Earlier, online food delivery startups Zomato, and FreshMenu, fintech startup EarlySalary, McDonald’s India, Oyo, Ashley Madison, Sony, and many others have been the victims of data breaches.
Social media sites like Instagram and Facebook have also been affected by data breaches involving advertisers. Recently, an Instagram ad partner was banned for scraping user data without consent. Even Facebook-linked phone numbers of over 419 Mn users were found on unsecured servers.
Whatsapp, which was planning to introduce its payments feature WhatsApp Payments by the end of this year, is also facing difficulties because of the government’s concerns over the messaging platform’s data localisation compliance. In September, National Payments Corporation of India (NPCI) had asked WhatsApp to make changes in its policy to get the final approval for the launch of payments in India. NPCI had asked the instant messaging app to make changes in its data-compliance framework that prohibits storing payment data outside of India.
In May, India was reported as the second most cyberattack-affected country between 2016 and 2018. With the average cost of a data breach in India having risen 7.9% since 2017, the average cost per breached record has mounted to INR 4,552 ($64).
The Reserve Bank of India too recorded a total of 2,059 cases of cyber fraud in 2017-18 as compared to 1,372 cyber fraud cases in 2016-17.
The post #cyberfraud | #cybercriminals | Twitter Admits User Phone Numbers, Email Data Used For Ads appeared first on National Cyber Security.
Source: National Cyber Security News
After it was reported last month that online dating app Tinder had a security flaw which allowed strangers to see users’ photos and matches, security firm Appsecure has now uncovered a new flaw which is potentially more damaging.
Attackers who exploited the vulnerability would have been able to gain access to a user’s account with nothing more than the phone number used to log in. The issue has, however, been fixed after Tinder was alerted by Appsecure.
Appsecure says attackers could have chained two vulnerabilities to take over accounts: one in Tinder’s own API and the other in Facebook’s Account Kit system, which Tinder uses to manage logins.
In a statement sent to The Verge, a Tinder spokesperson said, “Security is a top priority at Tinder. However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers.”
The vulnerability exposed the access tokens of the users. If a hacker is able to obtain a user’s valid access token then he/she can easily take over a user account.
“We quickly addressed this issue and we’re grateful to the researcher who brought it to our attention,” The Verge quoted a Facebook representative as saying.
The cyber security community is still reeling after the revelation of the KRACK security vulnerability that breaks down Wi-Fi encryption. Now it seems another Wi-Fi-based bug has also been discovered.
At the global Pwn2Own hacking contest in Tokyo, a team of researchers demonstrated how a separate Wi-Fi bug could be exploited to gain entry to iPhones and install malicious apps on them without the owner’s knowledge.
The details of the threat haven’t been made public yet, as Apple hasn’t had time to patch the flaw. Its discovery was enough to net the Tencent Keen Security Lab the top prize of $110,000.
The hacking contest is set up and run by the Zero Day Initiative, which seeks to find vulnerabilities in popular products and services and alert the manufacturers in time.
According to the official event page, the Tencent Keen Security Lab team used “code execution through a WiFi bug” to escalate “privileges to persist through a reboot,” effectively breaking through an iPhone’s lock screen over a Wi-Fi network.
The flaw will be relayed to Apple which could offer a software patch to close the gap.
“Once we verify the research presented is a true 0-day exploit, we immediately disclose the vulnerability to the vendor, who then has 90 days to release a fix,” explains the Zero Day Initiative.
“Representatives from Apple, Google, and Huawei are all here and able to ask questions of the researchers if needed.
“At the end of the disclosure deadline, if a vendor is unresponsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation in an effort to enable the defensive community to protect users.”
As ever, from a security standpoint it is always advisable to make sure your phone is running the latest OS version and you closely vet the permissions you give to certain apps.
Hackers have proven just how urgently a gaping flaw in the global telecoms network, affecting what’s known as Signalling System No. 7 (SS7), needs to be fixed. In a video demonstration, shown to Forbes ahead of publication today, benevolent hackers from Positive Technologies were able to […]