Hack

Auto Added by WPeMatico

More than 1 million T-Mobile customers exposed by breach

T-Mobile has confirmed a data breach affecting more than a million of its customers, whose personal data (but no financial or password data) was exposed to a malicious actor. The company alerted the affected customers but did not provide many details in its official account of the hack.

The company said in its disclosure to affected users that its security team had shut down “malicious, unauthorized access” to prepaid data customers. The data exposed appears to have been:

  • Name
  • Billing address
  • Phone number
  • Account number
  • Rate, plan and calling features (such as paying for international calls)

That last item counts as “customer proprietary network information” (CPNI), and telecoms regulations require carriers to notify customers when it is leaked. The implication is that T-Mobile might not have disclosed the incident otherwise. Some hacks, even hacks of historic magnitude, go undisclosed for years.

In this case, however, it seems that T-Mobile has disclosed the hack in a fairly prompt manner, though it provided very few details. When I asked, a T-Mobile representative indicated that “less than 1.5 percent” of customers were affected, which of the company’s approximately 75 million users adds up to somewhat over a million.

The company reports that “we take the security of your information very seriously,” a canard we’ve asked companies to stop saying in these situations.

The T-Mobile representative stated that the attack was discovered in early November and shut down “immediately.” They did not answer other questions I asked, such as whether it was on a public-facing or internal website or database, how long the data was exposed and what specifically the company had done to rectify the problem.

The data listed above is not necessarily highly damaging on its own, but it’s the kind of data with which someone might attempt to steal your identity or take over your account. Account hijacking is a fairly common tactic among cyber-ne’er-do-wells these days and it helps to have details like the target’s plan, home address and so on at one’s fingertips.

If you’re a T-Mobile customer, it may be a good idea to change your password there and check up on your account details.

Malicious websites were used to secretly hack into iPhones for years, says Google

Security researchers at Google say they’ve found a number of malicious websites which, when visited, could quietly hack into a victim’s iPhone by exploiting a set of previously undisclosed software flaws.

Google’s Project Zero said in a deep-dive blog post published late on Thursday that the websites were visited thousands of times per week by unsuspecting victims, in what they described as an “indiscriminate” attack.

“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a security researcher at Project Zero.

He said the websites had been hacking iPhones over a “period of at least two years.”

The researchers found five distinct exploit chains built from 14 separate security flaws: seven in Safari, the built-in web browser on iPhones, five in the iOS kernel and two sandbox escapes. Each chain allowed an attacker to gain “root” access to the device, the highest level of access and privilege on an iPhone, and with it the device’s full range of features normally off-limits to the user. That means an attacker could quietly install malicious apps to spy on an iPhone owner without their knowledge or consent.

Google said based off their analysis, the vulnerabilities were used to steal a user’s photos and messages as well as track their location in near-realtime. The “implant” could also access the user’s on-device bank of saved passwords.

The vulnerabilities affect iOS 10 through to the current iOS 12 software version.

Google privately disclosed the vulnerabilities in February, giving Apple only a week to fix the flaws and roll out updates to its users. That’s a fraction of the 90 days typically given to software developers, giving an indication of the severity of the vulnerabilities.

Apple issued a fix six days later with iOS 12.1.4 for iPhone 5s and iPad Air and later.

Beer said it’s possible other hacking campaigns are currently in action.

The iPhone and iPad maker generally has a good reputation on security and privacy matters. Recently the company increased its maximum bug bounty payout to $1 million for security researchers who find flaws that can silently target an iPhone and gain root-level privileges without any user interaction. Under Apple’s new bounty rules, set to go into effect later this year, Google would have been eligible for several million dollars in bounties.

When reached, a spokesperson for Apple declined to comment.

Capital One’s breach was inevitable, because we did nothing after Equifax

Another day, another massive data breach.

This time it’s the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Consumers and small businesses affected are those who obtained one of the company’s credit cards dating back to 2005.

That includes names, addresses, phone numbers, dates of birth, self-reported income and more credit card application data, including over 140,000 Social Security numbers in the U.S. and more than a million Social Insurance Numbers in Canada.

The FBI already has a suspect in custody. Seattle resident and software developer Paige A. Thompson, 33, was arrested and detained pending trial. She is accused of stealing the data by exploiting a misconfigured web application firewall that was supposed to protect it.

Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a data breach it had two years prior, and hid from the public for several months.

Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action.

Equifax’s chief executive Richard Smith “retired” before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened. An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine — which amounted to about 20% of the company’s annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly.

Legislatively, nothing has changed. Equifax remains as much of a “victim” in the eyes of the law as it was before — technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

Mark Warner, a Democratic senator serving Virginia, along with his colleague and since-turned presidential candidate Elizabeth Warren, was tough on the company, calling for it to do more to protect consumer data. With his colleagues, he called for penalties against the credit agencies’ top brass and steep fines to hold the companies accountable, and to send a message to others that they can’t play fast and loose with our data again.

But Congress didn’t bite. Warner told TechCrunch at the time that there was “a failure of the company, but also of lawmakers” for not taking action.

Lo and behold, it happened again. Without a congressional intervention, Capital One is likely to face largely the same rigmarole as Equifax did.

Blame the lawmakers all you want. They had their part to play in this. But fool us twice, shame on the credit companies for not properly taking action in the first place.

The Equifax incident should have sparked a fire under the credit giants. The breach was the canary in the coal mine. We watched and waited to see what would happen as the canary’s lifeless body emerged — but, much to the American public’s chagrin, no action came of it. The companies continued on with the mentality that “it could happen to us, but probably won’t.” It was always going to happen again unless there was something to force the companies to act.

Companies continue to vacuum up our data — knowingly and otherwise — and don’t do enough to protect it. As much as we can have laws to protect consumers from this happening again, these breaches will continue so long as the companies continue to collect our data and not take their data security responsibilities seriously.

We had an opportunity to stop these kinds of breaches from happening again, yet in the two years since we’ve barely grappled with the basic concepts of internet security. All we have to show for it is a meager fine.

Thompson faces up to five years in prison and a fine of up to $250,000.

Everyone else faces just another major intrusion into their personal lives. Not at the hands of the hacker per se, but the companies that collect our data — with our consent and often without — and take far too many liberties with it.

Korean crypto exchange Bithumb says it lost over $30M following a hack

Just weeks after Korean crypto exchange Coinrail lost $40 million through an alleged hack, another in the crypto-mad country — Bithumb — has claimed hackers made off with over $30 million in cryptocurrency.

Coinrail may be one of Korea’s smaller exchanges, but Bithumb is far larger. The exchange is one of the world’s top ten ranked based on trading of Ethereum and Bitcoin Cash, and top for newly-launched EOS, according to data from Coinmarketcap.com.

In a now-deleted tweet, Bithumb said today that 35 billion won of tokens — around $31 million — were snatched. It didn’t provide details of the attack, but it did say it will cover any losses for its users. The company has temporarily frozen deposits and trading while it is in the process of “changing our wallet system” following the incident.

Days prior to the hack, Bithumb said on Twitter that it was “transferring all of asset to the cold wallet to build up the security system and upgrade” its database. It isn’t clear whether that move was triggered by the attack — in which case it happened days ago — or whether it might have been a factor that enabled it.

[Notice for the restart of service]
We are transferring all of asset to the cold wallet to build up the security system and upgrade DB. Starting from 15:00 pm(KST), we will restart our services and notice again as soon as possible. Appreciate for your support.

— Bithumb (@BithumbOfficial) June 16, 2018

A tweet sent days before Bithumb said it had been hacked

There’s often uncertainty around alleged hacks, with some in the crypto community claiming an inside job for most incidents. In this case, reports from earlier this month that Bithumb was hit by a 30 billion won tax bill from the Korean government will certainly raise suspicions. Without an independent audit or third-party report into the incident, however, it is hard to know exactly what happened.

That said, one strong takeaway, once again, is that people who buy crypto should store their tokens in a wallet they control (ideally a hardware wallet), not on an exchange where they could be pinched by an attacker. In this case, Bithumb is big enough to cover the losses, but that isn’t always so, and holding tokens yourself removes that risk.

Certain Sonos and Bose models can be accessed by hackers to play sound remotely

Researchers at Trend Micro have discovered a potential hack opening key speakers from Sonos and Bose to remote access. As first reported by Wired, the Sonos Play:1, Sonos One, and Bose SoundTouch systems can be located and taken over through an online scan, letting hackers play music through the system. For now, the access appears to be largely prank-based. The researchers, naturally, used…

Equifax may have been hacked again and it’s not even funny anymore


Equifax, the credit reporting agency that exposed personal data of nearly 150 million people, appears to have been hacked — again.

The (probable) hack was noticed by security researcher Randy Abrams and first covered by Ars Technica. While visiting Equifax’s website, Abrams noticed that some pages redirect to a site offering a fake, malware-bearing Flash update. 

Hijacking some pages on a hacked site to target visitors is a common tactic amongst malicious hackers. Often, you won’t see the malware-infested links on every page, and nothing else on the site will indicate that something’s wrong. But click on the link, and boom — your computer is infected.
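The page-hijacking tactic described above can be checked for on your own site. The following Python script is an added example, not code from the article or from any party it names: it walks a set of constructed sample pages (standing in for fetched HTML and response headers) and flags automatic redirects, whether via a Location header, a meta refresh or inline JavaScript, that lead off the site’s own domain, escalating those whose target looks like a software-update lure. The hostnames, sample markup and lure word list are all assumptions made for the example.

```python
"""Flag injected off-domain redirects on a site's pages (added example).

SAMPLE_PAGES is a constructed stand-in for crawled content; in practice you
would feed each fetched body and its response headers to check_page().
"""
import re
from urllib.parse import urljoin, urlparse

# Patterns that move the visitor elsewhere without a click.
META_REFRESH = re.compile(
    r'''<meta[^>]+http-equiv=["']?refresh["']?[^>]+content=["'][^"']*url=([^"'>\s]+)''',
    re.IGNORECASE,
)
JS_LOCATION = re.compile(
    r'''(?:window\.|document\.)?\blocation(?:\.href)?\s*=\s*["']([^"']+)["']''',
    re.IGNORECASE,
)
# Assumed vocabulary of fake-update lures; a hit raises a finding's severity.
LURE_WORDS = ("flash", "update", "player", "install")


def extract_redirects(page_url, html, headers=None):
    """Return every automatic redirect target in the page, made absolute."""
    targets = []
    if headers and headers.get("Location"):
        targets.append(urljoin(page_url, headers["Location"]))
    for match in META_REFRESH.finditer(html):
        targets.append(urljoin(page_url, match.group(1)))
    for match in JS_LOCATION.finditer(html):
        targets.append(urljoin(page_url, match.group(1)))
    return targets


def check_page(page_url, html, headers=None, allowed_hosts=()):
    """Return (target, reason) findings for redirects leaving the site."""
    own_host = urlparse(page_url).hostname
    allowed = {own_host, *allowed_hosts}
    findings = []
    for target in extract_redirects(page_url, html, headers):
        if urlparse(target).hostname in allowed:
            continue  # same-site redirects are normal
        if any(word in target.lower() for word in LURE_WORDS):
            findings.append((target, "off-domain redirect to update-style lure"))
        else:
            findings.append((target, "off-domain redirect"))
    return findings


def scan_site(pages, allowed_hosts=()):
    """Run check_page over {url: (html, headers)}; return findings keyed by URL."""
    report = {}
    for url, (html, headers) in pages.items():
        findings = check_page(url, html, headers, allowed_hosts)
        if findings:
            report[url] = findings
    return report


# Constructed sample site: one clean page, one page carrying an injected
# meta refresh to an off-domain "Flash update", one ordinary internal redirect.
SAMPLE_PAGES = {
    "https://www.example.com/": (
        "<html><body><a href='/login'>Sign in</a></body></html>",
        {},
    ),
    "https://www.example.com/help/faq": (
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://cdn-updates.invalid/flash/player_update.exe">'
        "</head><body>Loading...</body></html>",
        {},
    ),
    "https://www.example.com/old": (
        "",
        {"Location": "/help/faq"},
    ),
}

if __name__ == "__main__":
    for url, findings in scan_site(SAMPLE_PAGES).items():
        for target, reason in findings:
            print(f"{url}: {reason} -> {target}")
```

Because injected redirects are often served only to some visitors or some pages, run such a scan from an outside network, with a browser-like User-Agent, and against every page rather than a sample.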


Powered by WPeMatico

It's official: Your old password is totally worthless


Old habits die hard, and old passwords die harder. 

But if you ever needed extra motivation to forget that ancient password you’ve been reusing for years, you’ll find it in Yahoo’s recent admission that a 2013 security breach affected all 3 billion user accounts on the site.

Think about that number: 3 billion passwords. There weren’t 3 billion people on the internet in 2013, but there were that many Yahoo accounts because some people had several. And because Yahoo was so huge, basically everyone had a Yahoo account at some point (just as basically everyone has had a Google account at some point). Somewhere, there’s a database with all those usernames and passwords.
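A practitioner who wants to know whether an old password has already surfaced in a dump can check without handing the password to anyone. The Python below is an added example, not from the article or from Yahoo: it models the range-query (“k-anonymity”) pattern used by public breached-password services, with a constructed toy corpus standing in for the real dump and both sides of the exchange simulated locally. The client reveals only the first five hex characters of the password’s SHA-1 and finishes the match itself; the corpus, prefix length and function names are assumptions of the example.

```python
"""Check a password against a breach corpus without revealing it (added example).

Server side: index hashes by a short prefix and answer range queries.
Client side: send only the prefix, match the remaining suffix locally.
BREACHED_PASSWORDS is a constructed stand-in for a leaked database.
"""
import hashlib
from collections import defaultdict

# Constructed toy corpus of passwords that would sit in a leaked dump.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "yahoo2013", "password"]

PREFIX_LEN = 5  # assumed; enough to keep each bucket large and the password hidden


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the hash the corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: map hash prefix -> {hash suffix: number of occurrences}."""
    index = defaultdict(lambda: defaultdict(int))
    for password in passwords:
        digest = sha1_hex(password)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] += 1
    return index


def range_query(index, prefix):
    """Server side: everything in the bucket for this prefix, nothing else."""
    return dict(index.get(prefix, {}))


def password_breach_count(password, index):
    """Client side: only `prefix` leaves the client; the suffix match is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    bucket = range_query(index, prefix)
    return bucket.get(suffix, 0)


if __name__ == "__main__":
    corpus = build_range_index(BREACHED_PASSWORDS)
    for candidate in ("password", "yahoo2013", "correct horse battery staple"):
        seen = password_breach_count(candidate, corpus)
        verdict = f"seen {seen} time(s) in the dump" if seen else "not in the dump"
        print(f"{candidate!r}: {verdict}")
```

The count matters as much as the hit: a password seen many times is on every credential-stuffing list, so a reused one should be treated as public regardless of how strong it looks.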



Russia targeted election systems in 21 states, successfully hacking some

On Friday, the Department of Homeland Security notified nearly half of the U.S. states that their election systems were targeted by Russia-affiliated hackers in an attempt to influence the 2016 election. In most of the states targeted, the hackers were engaged in preliminary activities like scanning. In other states hackers attempted to infiltrate systems and failed, but in a small selection…


Prominent Twitter accounts compromised after third-party app Twitter Counter hacked

A number of prominent Twitter accounts were hacked to tweet Nazi messages after Twitter Counter, a popular tool for analyzing Twitter followers, was hacked. Official Twitter accounts belonging to Amnesty International, Forbes and other prominent organizations, not to mention many regular users, were accessed to post swastikas and other Nazi-related messages in a move thought to be…


How hackers turned a Cape Cod fishing guide’s site into a host for e-commerce fraud

Cape Cod fishing guide Eric Stapelfeld trusted me to look after his website the same way that I trust him to find fish. Until a few weeks ago, I believed I had the easier part of the bargain. After all, what’s hard about maintaining a simple WordPress site with a phone number and lots of striped bass pictures? As it turns out, everything is hard, really hard, when hackers go to work on…


Why a cybersecurity solution for driverless cars may be found under the hood

Autonomous vehicles were one of the most talked about technologies in 2016. Ever since Tesla, Google and Uber put these vehicles on the consumer trend map, I’ve been daydreaming of the day I might own one. Unfortunately for me, and the auto industry, that day might not be coming too soon — if they can’t keep the cars and their drivers safe, I’ll never have one sitting in…


Crunch Report | Judge Rules CRISPR-Cas9 Belongs to Broad Institute

Verizon is reportedly getting a $250 million discount on its Yahoo deal, a judge rules CRISPR-Cas9 belongs to the Broad Institute and not UC Berkeley, Pixar teaches the art of storytelling on Khan Academy and MakerBot cuts 30% of its workforce. All this on Crunch Report.


This airline took to Facebook to announce its Twitter account has been hacked



Twitter has a security problem — and businesses are paying the price for it.

The official Twitter account of Indian airline IndiGo has been hit with a breach. The verified account, which previously had over 100,000 followers and several hundred thousand tweets, now appears to be in the possession of a user who goes by the handle @activevibezzz1.

Image: screengrab/twitter

Earlier Tuesday morning, IndiGo’s Twitter handle was changed to “activevibezzz1”. Twitter allows users — including businesses — to change their username. As part of the transition, all existing followers of IndiGo airline are now unwittingly also following the compromised account. The compromised account posted a few mysterious tweets Tuesday.



Netflix engineers hacked a brain-controlled interface

This is pretty much the definition of unnecessary, but then, that’s part of the fun of hack days. A quartet of Netflix designers have given the world “MindFlix,” by way of a short video, highlighting the hack’s use of the Muse headband to control the movie streaming site’s familiar interface. “Instead of implanting chips in our brain for Hack Day,”…


This sneaky 'Super Mario World' hack has been in hiding for 26 years



For anyone who grew up playing the Super NES, there are few things more nostalgic than the sight of Mario’s adorably pixelated little face bobbing along beneath that charming red cap of his.

There are also few sights more frustration-invoking than that of Big Boo — the highly irritating, seemingly impossible-to-kill baddie who’d follow you around the ghost house whenever your back was turned.

Well, according to the clip below, it looks like there was an easy way to get rid of Boo the whole time:

You…can kill Big Boos with a slide…wha…all this time…
(Credit to Supper Mario Broth) pic.twitter.com/uCi0GsT66x

— SomecallmeJohnny (@Somecallmejon) January 10, 2017

