Like Voldemort, Ransomware Is Too Scary to Be Named — ProPublica

Source: National Cyber Security – Produced By Gregory Evans


On Aug. 21, Lumber Liquidators’ corporate and store-level computer systems began to shut down. Without them, the flooring company’s retail employees couldn’t check product prices or inventories. They had to send in orders to distribution centers by phone or from their personal email accounts and write down customers’ credit card information on paper. Each transaction took up to half an hour. Amid the chaos, sales took a hit. So did morale, since sales factored into employee bonuses.

“You couldn’t really sell or haggle anything,” said Trevor Sinner, then a store manager in Los Angeles. “You couldn’t see inventory, you couldn’t see cost, you couldn’t see anything.”

Once most of the computer systems were back online six days later, the Virginia-based retailer reported what it called a “network security incident” showing “symptoms of malware” to the Securities and Exchange Commission. But Sinner got a different explanation from a divisional vice president, who confided that the real culprit was ransomware — malicious software that encrypts computer files and demands payment for the key needed to decrypt them.

“We knew it was ransomware a long time ago,” Sinner said. “I don’t think the company disclosed it was ransomware to anybody, even now.”

Each year, millions of ransomware attacks paralyze computer systems of businesses, medical offices, government agencies and individuals. But they pose a particular dilemma for publicly traded companies, which are regulated by the SEC. Because attacks cost money, affect operations and expose cybersecurity vulnerabilities, they sometimes meet the definition used by the SEC of a “material” event — one that a “reasonable person” would consider important to an investment decision. Material events must be reported in public filings, and failure to do so could spur SEC action or a shareholder lawsuit.

Yet some companies worry that acknowledging a ransomware attack could land them on the front page, alarm investors and drive down their share price. As a result, although many companies cite ransomware in filings as a risk, they often don’t report attacks or describe them in vague terms, according to experts in securities law and cybersecurity.

Weak or no disclosure to the SEC is one of several omissions that hamper federal monitoring of ransomware assaults on U.S. businesses. Companies seldom choose to alert the FBI, fearing that the attacks would become public, that agents might investigate unrelated problems or that the bureau would discourage them from paying ransoms. And at least two data recovery firms that some victimized businesses hire to pay the hackers have not registered with a bureau of the U.S. Department of the Treasury that tracks financial transactions involving suspected criminals.

These gaps become more glaring as the ransomware danger grows. In an October announcement, the FBI warned that attacks “are becoming more targeted, sophisticated, and costly,” and that losses from them “have increased significantly.” Some recent ransomware attacks have resulted in the theft of victims’ sensitive data and threats to sell or publish it — a breach of security that could undermine one of the most common corporate rationales for lack of disclosure. John Reed Stark, a former SEC enforcement attorney, said companies have leaned on the notion that ransomware attacks aren’t material because there’s little evidence that personally identifiable information — the release of which may trigger reporting requirements in various states — is stolen.

“The general consensus is that data was not exfiltrated, so we don’t have to say anything,” said Stark, now a consultant for businesses dealing with ransomware and other cyber issues. He added later, “Ransomware attacks have now evolved into data breaches, and it is terrifying.”

Even when companies do allude to an attack in SEC filings, they typically resort to euphemisms rather than the very word that best describes what paralyzed their business and caused millions of dollars in losses. Just as wizards in the Harry Potter books speak of evil Lord Voldemort as “He Who Must Not Be Named,” so companies are loath to refer to dreaded ransomware.

“They specifically avoid saying it,” said Bill Siegel, chief executive of Coveware, a Connecticut-based firm that analyzes ransomware victims’ options and often pays the ransom on their behalf. “They generally don’t use the word ‘ransomware’ for obvious reasons. It’s an ugly term. It scares people.” By using more generic terms, “You can put it out there, and you’ve officially said something, but you’ve also said nothing that can get you in any sort of trouble any which way.”

Siegel said Coveware works with as many as six publicly traded companies a month, which he declined to identify. “Any company that uses a phrase like ‘malware that encrypted’ or ‘malware that caused system disruption or downtime’ is likely referring to ransomware. Because malware is everywhere, it’s constant, and you don’t stop doing business because of malware,” he said. “I think you can feel very, very confident that … anybody that phrases it as a malware or IT security incident that causes a disruption is likely referring to ransomware.”

Less than half of Siegel’s publicly traded clients pay a ransom, while the rest usually restore data from backups, he said. “Some of these [situations] are pretty messy and sometimes take weeks or longer to fully recover from,” he said. “We’ve had public companies that have literally rebuilt every computer from scratch.”

In a November filing, Lumber Liquidators said that its computer freeze was “caused by malware,” and that it “implemented our business continuity plan and undertook actions to recover the affected systems.” It estimated a $6 million to $8 million revenue loss. In an accompanying earnings call, the company’s chief executive said that a “network attack” had “encrypted certain IT systems.” Encrypted files are characteristic of ransomware.

Asked whether the company was attacked by ransomware, and if so why the company hadn’t used the term, Lumber Liquidators spokesman Nathan Bowie didn’t respond.

A ProPublica review of SEC filings found that companies typically attribute computer mishaps to malware. For example, Illinois-based trucking company Roadrunner Transportation Systems blamed a “malware attack” in September for quarantined servers and invoice delays that reduced revenue by more than $7 million. Another Illinois company, Ingredion, a maker of sweeteners and starches, said “suspicious activity” and a “malware incident” took servers offline in October, with an expected delay in transactions with customers and suppliers. Indiana-based Patrick Industries, which makes components for recreational vehicles, spent $1.5 million to repair damage from a “highly-sophisticated third-party malware cyberattack” this year that disrupted operations for two business days. Spokeswomen for the companies declined to respond to questions.

Companies sometimes cite ransomware in filings as a potential risk. Last February, Massachusetts-based beverage company Keurig Dr Pepper warned in an SEC filing that a ransomware attack could breach its cybersecurity. In that same filing, it said that an “organized malware attack” had disrupted its coffee systems division, and that it had “taken actions to address this attack,” but offered no other details. A company spokeswoman declined to comment.

ProPublica could not determine if Roadrunner, Ingredion, Patrick Industries or Keurig Dr Pepper were hit by ransomware.

Steven Chabinsky, a Washington, D.C., attorney who focuses on privacy and cybersecurity matters, said that such disclosures satisfy the materiality rule. There is “no reason to think the SEC would look for magic words like ransomware as long as the incident was described accurately,” he said.

SEC spokesman Christopher Carofine declined to comment on companies’ avoidance in filings of the word “ransomware.” However, in cyber disclosure guidance last year, the SEC appealed for more candor. Companies “should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors,” it said.

In a speech last year at the Tulane Corporate Law Institute, SEC Commissioner Robert Jackson expressed concern that companies aren’t reporting cyberattacks, though he didn’t single out ransomware. The commission “relies heavily on the judgments of corporate counsel to make sure investors get the information they need” on cyber incidents, he said. “I worry that these judgments have, too often, erred on the side of nondisclosure, leaving investors in the dark and putting companies at risk.”

Without knowing about the existence or extent of ransomware attacks and any subsequent payments, investors cannot make informed decisions about stock ownership or proposals that could boost a company’s cybersecurity, Rhode Island Congressman Jim Langevin said in an interview. Companies need to “err on the side of reporting,” and the SEC must be “more proactive” in enforcing regulations, he said.

“Investors certainly have a right to know if a ransomware attack happened, how it was handled and whether or not the ransom was actually paid,” said Langevin, a Democrat who is co-chair of the Congressional Cybersecurity Caucus and has called on the SEC to require companies to disclose their cybersecurity practices.

“We don’t know what we don’t know,” he continued. “When breaches have occurred, if companies are silent about it, investors don’t know, policyholders don’t know, regulators don’t know. It sends the message that everything is fine here, there’s nothing to worry about, and they just go on with business as usual. That’s wrong.”

Internal debates within corporations over whether to disclose a ransomware attack typically involve discussions about two groups that might challenge a material omission in the filings, Stark said. “You worry about the Division of Enforcement at the SEC, and you worry about the plaintiff’s bar,” he said.

Failing to disclose material events to investors and the SEC can spur backlash from both directions. After Yahoo failed to promptly report a data breach (not ransomware) affecting hundreds of millions of accounts, it settled a shareholder lawsuit in 2018 for $80 million and SEC charges for an additional $35 million. Yahoo, now called Altaba, denied the shareholder allegations and neither admitted nor denied the SEC charges.

Whether a ransomware attack that doesn’t expose troves of personal data must be deemed material and reported to the SEC is a closer call. While the ransom demand generally isn’t high enough to be considered material by itself, companies often incur other costs related to the attack — from hiring outside consultants and replacing damaged equipment to paying higher cyber insurance premiums and coping with lost revenues from interrupted operations. There are qualitative considerations as well, from customer dissatisfaction to loss of corporate data. Corporations should weigh “the importance of any compromised information and of the impact of the incident on the company’s operations,” the SEC has said.

The test for materiality is subjective, and companies “absolutely take advantage of the leeway,” said consultant Stephanie Tsacoumis, who teaches a class called Disclosure Under the Federal Securities Laws at Georgetown University’s law school. “I could argue from an investor’s perspective that a ransomware event is significant because it demonstrates that there are flaws in the company’s cybersecurity protections and that’s a threat to their business, and it could be a huge failure of internal controls,” she said. “And therefore it qualitatively is material enough to be disclosed.”

Corporations sometimes warn in filings that they may be affected by ransomware in the future. Tsacoumis said companies may use this generic “risk factor” disclaimer to justify not reporting a specific attack, taking the position that the market already has been alerted about the potential for it, she said. Reporting only a hypothetical risk in the face of real harm, however, can get companies in trouble. In July, Facebook agreed to pay $100 million to settle SEC charges that it disclosed only a hypothetical risk of misuse of user data when actual misuse, not involving ransomware, had already occurred. Facebook neither admitted nor denied the allegations.

From corporate IT employees and senior management to outside auditors, “everybody’s interest is to downplay” an attack, Tsacoumis said. “It’s self-interest. My personal annual evaluation, my bonus, my salary, my promotion. It’s how management looks to the board, and then it’s how the company looks to the public. And they all have an interest in maintaining the stock price. It goes from the individual level to the more macro level and impact on the market.”

John Olson, an attorney who has represented companies before the SEC, said he would advise disclosure when ransomware affects vital business information, finances or customers. “The financial impact could be significant and is certainly embarrassing and does raise questions about how good their cybersecurity is,” he said.

When Beth George was an attorney in the U.S. Justice Department, she worked with the FBI to persuade public companies to cooperate with law enforcement investigations into cyberattacks. Now in private practice in California, she’s one of several former DOJ and FBI officials who don’t recommend to clients that they report ransomware attacks to the bureau.

“I do think the FBI truly believes that they can be helpful to companies when these ransomware attacks happen, but I don’t know in actuality how true that is,” she said. The bureau “lacks the resources to be the cybersecurity responder for every company, and I don’t think they understand their resource constraints. … And as someone who is a former government official, it makes me sad. It’s completely opposite of what we thought our mission was to do in the government, which is to help companies. But the FBI spends a lot of time saying, come to us and we’ll help you, and no time saying, ‘How can we help you?’”

Reporting a crime to the FBI is voluntary. Since 2016, more than 4,000 ransomware attacks have taken place daily, according to statistics posted by the U.S. Department of Homeland Security. Nevertheless, only 1,493 were reported to the FBI in 2018. The bureau said in October that it does not advocate paying ransoms since doing so encourages continued criminal activity, but it added that it “understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” Regardless of whether victims decided to pay ransoms, the FBI urged them to report ransomware incidents. “Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”

Fear that an attack will become public knowledge is one of the biggest deterrents to reporting, said Thomas DiBiagio, a former U.S. attorney in Maryland, who now handles internal investigations for corporations. Other corporate concerns include the FBI’s historical opposition to paying ransoms and its reluctance to share intelligence with victims about who might be behind the attack — information that is often considered classified. Companies can turn instead to private cybersecurity firms, largely staffed by former FBI agents, which have no compunctions about paying ransoms, and typically share findings with clients, George said. Working with a consultant rather than the government may also reduce the chance that the news will leak.

Moreover, many attacks originate in countries that do not cooperate with U.S. law enforcement. Last year, the DOJ delivered its first indictment of alleged cyberattackers for deploying a ransomware scheme. The two Iranian hackers were wanted in connection with SamSam ransomware, which paralyzed computer networks across North America and the U.K. between 2015 and 2018. This month, the DOJ indicted two Russians in connection with deploying financial malware that cost victims tens of millions of dollars. Later versions of the malware were designed to facilitate ransomware installation, the DOJ said. Neither the Iranians nor the Russians have been arrested.

Chabinsky, a former deputy assistant director of the FBI’s cyber division, said some businesses report ransomware attacks to the bureau because their cyber insurance policies require them to or because they believe cooperating with law enforcement protects their reputation. But many don’t, feeling the FBI can’t offer much assistance and could create a distraction as “one more party asking you for information during a time of crisis management,” he said. Chabinsky has never advised a client hit by ransomware to contact the bureau, he said.

DiBiagio cited another downside of dealing with the FBI. “Not that I’m saying corporate America is dishonest, but the last thing you want is a bunch of FBI agents crawling around your company,” he said. “There is no benefit whatsoever of you reporting. There’s no incentive. And there’s clearly identifiable cost. It’s the cost, the disruption, the risk they talk to some employee and now you’re under investigation. There’s no upside.”

In an emailed response to questions, the FBI said it “protects the confidentiality of sensitive information it receives.” It said it “works closely” with victimized corporations to protect their interests and make sure they “have all the information needed to reconstitute systems, patch vulnerabilities, and prevent additional attacks.”

“Over the course of many responses to ransomware incidents, the FBI has refined its response protocols to ensure that it is able to conduct investigative activity in the least intrusive way possible,” the bureau said. “When a victim decides to voluntarily work with the FBI, we strive to do only the work required to thoroughly investigate the incident and to do so quickly and with minimal impact on the operations of the company we are working with.”

Langevin, the Rhode Island congressman, said the government needs stronger reporting requirements on cyberattacks so officials can compile more accurate incident data. That data could improve cyberdefenses by helping policymakers and companies decide where to focus their resources. One possibility, he said, is requiring insurers to report incidents to the FBI as they process cyber policy claims.

“All too often these ransomware attacks are being swept under the rug, but we don’t know how broad the problem is until we have real data to look at,” he said.

Theoretically, the federal government has another way of tracking ransomware attacks. Corporations hit by ransomware sometimes hire private firms to pay the cryptocurrency ransom on their behalf, taking a fee for the service. These companies should qualify as “money transmitters” regulated by the Financial Crimes Enforcement Network, or FinCEN, a bureau of the U.S. Treasury Department, said Matt Klecka, a former trial attorney in the DOJ’s Bank Integrity Unit, which works with FinCEN. As such, they should file “Suspicious Activity Reports” to FinCEN on ransomware payments since a criminal is known to receive the money, Klecka said.

Once they register, “they’re known quantities,” Klecka said. “They’re on FinCEN’s radar. Then FinCEN will be looking” at the suspicious activity reports.

Sentinel Crypto Holdings, a Florida firm that pays ransoms on behalf of victims, has registered with FinCEN, and its founder told ProPublica that it has regularly submitted suspicious activity reports. Florida-based MonsterCloud and New York-based Proven Data are not registered. ProPublica reported in May that both firms purported to use their own technology to disable ransomware but often just paid the ransom. Through a spokesman, MonsterCloud CEO Zohar Pinhasi declined to comment.

FinCEN spokesman Stephen Hudak declined comment on whether these companies should be considered money transmitters. If they are registered, he said, they should report ransomware transactions as suspicious activities. “Businesses should contact FinCEN if they are unsure of their registration requirements,” he said.

Proven Data did just that in 2016, when it asked FinCEN if its work facilitating ransom payments on behalf of clients required it to register with the agency as a money transmitter, according to correspondence provided by the company. Proven Data argued that registration was not required because its core business was “a suite of data recovery services,” and that it only paid ransoms when no other solution was available. Proven Data also assured FinCEN that, “in all cases, the company encourages the victim to report the incident to the FBI.” FinCEN agreed with Proven Data’s assessment.

Middlemen transacting ransoms is “troubling” and “unseemly,” Langevin said. “This is an area where law enforcement should be looking because it does facilitate the ongoing practice. These firms need to be looked at and regulated,” he said.

On Columbus Day weekend, ransomware struck Connecticut-based Pitney Bowes. Its clients — which include most Fortune 500 companies — realized something was wrong when they had trouble using the company’s postage meters and some of its e-commerce shipping services. As the Pitney Bowes technical team and outside consultants scrambled to restore operations, chief communications officer Bill Hughes spent the holiday weekend combing through SEC filings to see how other publicly traded companies disclosed ransomware attacks. He didn’t find much.

“I knew there were way more incidences than what was being reflected in the news and in SEC filings,” said Hughes, adding, “In the two or three examples that I found on Saturday or Sunday morning when I researched, it was always ‘malware.’ It was never ‘ransomware.’”

Following precedent, Pitney Bowes first told investors in an Oct. 15 filing that it had been “affected by a malware attack.” But company executives soon decided to be more forthcoming. In an Oct. 17 webinar, the company’s chief data protection officer referred to the attack as ransomware. Posted updates cited the “Ryuk virus.” Ryuk is a notorious ransomware strain that hackers use to encrypt files and command six- or seven-figure ransoms. Pitney Bowes said in a November filing that the “ransomware attack” could reduce annual revenue by half a percent.

A few companies besides Pitney Bowes have dared to invoke the R word. California-based Fluidigm, a maker of biotechnology tools, said in an SEC filing that it had “experienced a ransomware attack” in March that encrypted some systems “containing critical business data.” Agnes Lee, who handles investor relations for Fluidigm, said the company tried “to be accurate and transparent to the extent that we can be.”

Maryland-based media company Urban One said in an earnings call this year that it was “hit by a ransomware attack” costing more than $1 million in recovery expenses and lost revenue. The company’s general counsel, Kris Simpson, told ProPublica that the company was penetrated by the Ryuk strain and did not pay the ransom.

“It really is going on every day, and I think part of the thought process is that everyone is getting hit so it’s kind of ordinary course,” Simpson said. “But I think that we tend to be conservative in our disclosure, so we tend to over-disclose. We just think it’s the right thing to do.”


#nationalcybersecuritymonth | Don’t let these scary cyber safety risks creep up on you | Features/Entertainment

THE CONCERN: October is National Cybersecurity Awareness Month, and the Better Business Bureau is scaring up the latest on cyber security risks and ways to avoid them. Watch out for these spooky dangers lurking in the corners of our everyday digital lives. HOW THE SCAM WORKS: […]

#deepweb | What it is and why it’s not so scary


What you don’t know about the dark web might be exploited by a ‘dark web intelligence’ vendor. Forrester’s Josh Zelonis offers a simple explanation and some helpful pointers.

The dark web is nothing fancy. It’s really just a different series of protocols.

Commonly, when surfing the web, transport layer security (TLS) is the cryptographic protocol that provides confidentiality for your communication with the server. The padlock in your browser’s address bar means the server presented a certificate that chains to an authority your browser trusts; that is an assurance, but not a guarantee, that you’re communicating confidentially with who you think you are.

While TLS is designed to provide confidentiality and to authenticate the server’s identity, dark web protocols are designed to provide confidentiality and anonymity. There are many of these dark net protocols, but Tor is by far the most common, likely because of its use of exit nodes, which let a user reach the public internet anonymously by routing traffic across the Tor network.

Don’t trust anything

The quality of your collection strategy dictates how confident you can be in your analysis – garbage in, garbage out. This is an often-ignored part of dark web marketing.

Anonymous networks help segment your actual identity from the persona (or avatar) you develop on these dark nets. Because of this, the reputation of your developed persona is the only currency you truly have. On anonymous networks, reputation is everything.

Also, remember that there’s no guarantee the person behind the persona you are interacting with isn’t a criminal, a threat intelligence company or possibly even law enforcement. The story of the Besa Mafia is a great example of criminals scamming criminals, getting hacked themselves, and then law enforcement arresting people who were trying to hire these fake hitmen. It’s also not uncommon for law enforcement to take control of a hidden site and continue hosting it in the hope of de-anonymising users.

Basically, trust nothing on the dark web.

‘There is some really bad stuff on dark nets, but they also are a critical resource’

Developing personas to obtain and, more importantly, maintain access is time-consuming and most of the work involved with good tradecraft on the dark web. Be wary that some ‘dark web intelligence’ offerings skip the hard part and are just using technical collection to scrape information from essentially public markets and forums.

To say this is a commodity capability would be a major understatement as the ability to automate the scraping of websites is as old as the internet and, as we’ve established, dark networks really just reflect a difference in protocol selection.

The use of the iceberg metaphor is a clever bit of psychological warfare – I mean, ‘marketing’ – to remind you that they have access to all this stuff under the surface that you don’t. As someone who evaluates these vendors, I can tell you many of them don’t either. You might find yourself saying, ‘I registered for access and all I got was this low-confidence assessment’.

Intelligence v collection

Any company selling you on dark web intelligence is only talking about its collection strategy, and there are big problems with that.

After collection, the next challenge would be processing and exploitation. Processing is frequently discussed as stripping out things such as HTML tags from the raw data that has been collected. If you think that is a big deal, I have a regular expression (regex) to sell you.

Where things get interesting is trying to exploit this data to get something useful on an analyst’s desk. For example, very few, if any, public sector vendors have swathes of analysts translating everything on the dark web on a daily basis from languages such as Arabic, Farsi, Spanish, Russian and Mandarin. How is this being done at the same scale as collection?

Furthermore, how does your translation software handle slang? Without specific knowledge of a particular group, you would have no idea if they are using the code name ‘Iowa’ when describing a target in Iran.

Then there’s something I call ‘the Target problem’. Target is a retail chain with stores in the US, Canada and India – many of you may be familiar with the brand. Now, imagine the data problem created in attempting to parse out relevant chatter about the Target brand from the rest of the noise on the internet. Incidentally, the string ‘target’ appears five times in this article and only three times in the context of the retailer.
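The two steps described above, processing and exploitation, side by side as an added example (this code is not Forrester’s or the author’s): the “processing” step strips HTML from scraped forum posts with a real parser rather than a regex, and the “exploitation” step tries to decide which mentions of the string ‘target’ are actually about the retailer. The sample posts, the cue-word lists and the heuristic itself are constructed for this illustration; a real analyst would derive cue words from knowledge of the specific forum and group.

```python
"""Added example: dark-web 'processing' (HTML stripping) next to the harder
'exploitation' step (disambiguating the word 'target'). Sample posts and cue
words are constructed for illustration, not taken from any real forum."""
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect text nodes, skipping the bodies of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def strip_html(raw):
    """The 'processing' step: raw scraped HTML -> whitespace-normalised text."""
    parser = _TextExtractor()
    parser.feed(raw)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.parts)).strip()


# Cue words chosen for this illustration only (assumption, not a real list).
RETAIL_CUES = {"gift card", "giftcard", "redcard", "store", "retail",
               "cashier", "receipt"}


def mentions_target_retailer(text):
    """Heuristic 'exploitation' step: does this post concern the retailer
    Target? Requires the whole word 'target' plus at least one retail cue."""
    low = text.lower()
    if not re.search(r"\btarget\b", low):
        return False
    return any(cue in low for cue in RETAIL_CUES)


def triage(raw_posts):
    """Return (naive_hits, filtered_hits) as lists of cleaned post texts.
    naive_hits is what keyword-only collection would flag; filtered_hits is
    what survives the disambiguation heuristic."""
    texts = [strip_html(p) for p in raw_posts]
    naive = [t for t in texts if re.search(r"\btarget\b", t.lower())]
    filtered = [t for t in texts if mentions_target_retailer(t)]
    return naive, filtered


def precision(hits, relevant):
    """Fraction of hits that are in the analyst-labelled relevant set."""
    if not hits:
        return 0.0
    return sum(1 for h in hits if h in relevant) / len(hits)


# Constructed sample posts. Only the first and third are about the retailer.
SAMPLE_POSTS = [
    "<p>selling <b>Target</b> gift cards, 60% face, escrow ok</p>",
    "<div>new target for the phish kit is a regional bank, payload attached</div>",
    "<p>Target store cashier giving receipts for returns, ask me how</p>",
    "<script>var x=1;</script><p>scanning the target /24 range tonight</p>",
    "<p>my target is 10k followers by friday</p>",
]

if __name__ == "__main__":
    naive_hits, filtered_hits = triage(SAMPLE_POSTS)
    relevant = {strip_html(SAMPLE_POSTS[0]), strip_html(SAMPLE_POSTS[2])}
    print(f"keyword collection flagged {len(naive_hits)} posts, "
          f"precision {precision(naive_hits, relevant):.2f}")
    print(f"after disambiguation {len(filtered_hits)} posts, "
          f"precision {precision(filtered_hits, relevant):.2f}")
```

On the constructed posts, keyword-only collection flags all five with a precision of 0.40, while the cue-word heuristic keeps two with a precision of 1.00. The heuristic is deliberately crude; the point is that this step, not the scraping or the tag stripping, is where a vendor’s value lies, and it is the step that needs language, slang and group-specific knowledge.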

A vendor cannot have an appreciation of these problems and not talk about their solution to them. If they are just trying to sell you on their ability to collect data from the dark web and then show you their platform, you don’t need to see the platform.

The bright side of the dark web

There is some really bad stuff on dark nets, but they also are a critical resource. Anonymous networks are critical to journalists, whistleblowers, survivors of domestic abuse, people with sensitive medical conditions, the politically oppressed and more.

I’m going to wrap this piece with a bit of a personal appeal. Please consider supporting projects such as the Tor Project or Tails. And, if you’re in a decision-making position at an organisation where people might assemble or seek to obtain information, please ensure that your site is usable when coming from a Tor exit node with JavaScript turned off.

Unlike so much that we do in the cyberdomain, this can actually save lives.

By Josh Zelonis

Josh Zelonis is a principal analyst at Forrester serving security and risk professionals by helping them continuously adapt their architecture, policies and processes to evolving threats. His research focuses on threat intelligence, vulnerability assessment and management, malware analysis and incident response.

A version of this article originally appeared on the Forrester blog.


Tinder hacked? #Scary #security #flaws discovered in #raft of popular #dating apps


A bevy of mobile dating apps, including the infamous Tinder, have vulnerabilities that could reveal a user’s messages and the people they have viewed in the apps.

Researchers from security firm Kaspersky Lab found that it was very easy to stalk Tinder, Bumble and Happn users online, because of the amount of information the apps display about their users, such as jobs and education, and because they link to easily accessed Instagram accounts.

With this data, the researchers found that in 60% of cases they were able to find a user’s social media profile on sites such as Facebook and LinkedIn, which reveal the person’s full or real name.

Furthermore, stalkers with a bit of technical nous and plenty of time on their hands can use location-based apps like Tinder and Happn to work out a user’s exact location, because the apps report the distance to another user even though they never show that user’s coordinates.

“Even though the application doesn’t show in which direction, the location can be learned by moving around the victim and recording data about the distance to them,” the researchers explained.

“This method is quite laborious, though the services themselves simplify the task: an attacker can remain in one place, while feeding fake coordinates to a service, each time receiving data about the distance to the profile owner.”

But more alarming still is that, in a clutch of dating apps, the data flowing between them and the social media sites they connect to in order to authenticate users, mainly Facebook, is vulnerable to interception.

Authentication tokens from Facebook can be stolen by hackers and used to gain access to the victim’s dating app account. From there, the hackers can access messages and other user-specific content and activities.

“In addition, almost all the apps store photos of other users in the smartphone’s memory. This is because apps use standard methods to open web pages: the system caches photos that can be opened. With access to the cache folder, you can find out which profiles the user has viewed,” the researchers added.

This situation isn’t helped by some of the apps transmitting sensitive data unencrypted; Mamba, for example, transmits message data in an unencrypted format.

Kaspersky Lab has alerted the app makers, who should move to fix the vulnerabilities, but in the meantime the researchers suggest users of dating apps don’t put their job or place of work on their profiles and avoid unsecured public Wi-Fi networks.
The post Tinder hacked? #Scary #security #flaws discovered in #raft of popular #dating apps appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Why Online Dating Will ONLY Work If You Also Do THIS (Sorta Scary) Thing, Too

Are you willing to take the risk? Dating is hard. Even in today’s modern age with so many options for online dating — from simple apps where you swipe to online matchmaking services that use complex algorithms — finding the right person can still be a serious challenge. Some people spend years typing their info into apps and dating sites only to ask, “Does online dating even work?!” In the latest In-Depth video from YourTango Experts, neuroscientist Lucy Brown and biological anthropologist Helen Fisher talk about whether online dating is enough to find love.

View full post on Dating Scams 101

Streaming Scary Movies for Halloween

View full post on Common Sense Blog – Parenting, media, and everything in between

The post Streaming Scary Movies for Halloween appeared first on Parent Security Online.

View full post on Parent Security Online

How to Deal with Scary News About Social Media

View full post on Common Sense Blog – Parenting, media, and everything in between

The post How to Deal with Scary News About Social Media appeared first on Parent Security Online.

View full post on Parent Security Online

Wanted teen hacker says it’s ‘scary’ how easily he was able to leave Australia

Source: National Cyber Security – Produced By Gregory Evans

At a time of heightened security fears, a teenage hacker has left authorities red-faced and raised serious questions about border security. Dylan Wheeler was just 17 when police charged him with being part of a group that allegedly hacked into the computers of Microsoft and the US Army. He ended up fleeing the country, facing a possible 10-year jail sentence, even though he’d been ordered to surrender his passport. Now he’s told Lauren Day he has no regrets and no plans to return.

DYLAN WHEELER, HACKER: To be honest, I don’t see it as on the run. I mean, what’s coming out of Australia now, I don’t really want to be associated with the politics. All these draconian laws, I don’t feel comfortable calling myself Australian. Really, I feel a lot better being free.

LAUREN DAY, REPORTER: Dylan Wheeler’s not your average opinionated 19-year-old on a gap year. He’s wanted by police and his name is on a Europol list. If found guilty, he faces up to 10 years in jail.

DYLAN WHEELER: At this point in time, I don’t plan to return to Australia. This is on the advice of human rights lawyers I’ve spoken to. Basically because I am not guaranteed a […]

For more information go to http://www.NationalCyberSecurity.com, http://www.GregoryDEvans.com, http://www.LocatePC.net or http://AmIHackerProof.com

The post Wanted teen hacker says it’s ‘scary’ how easily he was able to leave Australia appeared first on National Cyber Security.

View full post on National Cyber Security

We Spoke To A North Korean Defector Who Trained With Its Hackers — What He Said Is Pretty Scary

Read more: http://www.businessinsider.com/north-korean-defector-jang-se-yul-trained-with-hackers-2014-12#ixzz3Mw6LRx8J

Whether North Korea was responsible for the Sony hack or not, the consensus is that North Korea has some of the best hackers in the world. There have been some reports recently about North Korea’s special cyber warfare unit, known […]

View full post on National Cyber Security

Israeli hackers ‘scary talented,’ says security expert – National Cyber Security

nationalcybersecurity.com – Israeli hackers are young and scary — scary talented, that is. That’s the observation of a man who knows what hacking is all about: Antonio Forzieri, EMEA Cyber Security head for security firm Syma…

View full post on Hi-Tech Crime Solutions Weekly