Hacking, Security & Privacy News - Page 18


200 million Yahoo accounts hit the digital black market for $1800

Anthony Garreffa | Aug 3, 2016 7:45 PM CDT

A hacker named Peace has their hands on the login credentials of 200 million Yahoo accounts, throwing them onto a dark web marketplace, 'The Real Deal', for just three Bitcoins, or around $1800 USD.

Yahoo said in a statement to Motherboard that they "are aware of a claim" that Yahoo login credentials were on The Real Deal, but while the company is aware of the hack, it hasn't confirmed or denied its legitimacy. Motherboard got its hands on a sampling of the data, which includes usernames, hashed passwords, birth dates and even some backup email addresses.

The data was reportedly stolen in 2012, with the hacker adding they have traded the data privately for a while, but only decided to put it on the market recently. Yahoo hasn't pushed out a mandatory password reset announcement, which is definitely strange.


US government requests for user data from Google reaches a new high

Anthony Garreffa | Jul 20, 2016 4:37 AM CDT

The US government requested a new record of user data from Google in the second half of 2016, with 40,677 requests impacting as many as 81,311 user accounts, reports ZDNet.

From July through to December 2015, the US government made the 40,677 requests, an 18% increase from the first half of the year. Most of the requests are coming from the US, with 12,523 data requests in the three-month period, impacting 27,157 users or accounts.

Google says it has been reporting the number of user data requests in a 6-month period going back to the second half of 2009, while it has been detailing the users and accounts it has impacted in the first half of 2011. Google notes: "Usage of our services have increased every year, and so have the user data request numbers".


Facebook rolls out 'Secret Conversations' feature

Sean Ridgeley | Jul 8, 2016 4:33 PM CDT

Privacy is a perpetual concern with Facebook and Facebook Messenger, but it gets a little less so today as the company rolls out its 'Secret Conversations' feature.

Secret Conversations means you can create a conversation with someone that can only be seen by you and on the device of the person you're talking to, as opposed to Facebook or any potential hackers. As well, you can set your messages to disappear within a set amount of time.

As for downsides, you have to take extra action to start such a conversation, you can't view the conversation on multiple devices like you can currently, and fancy features like GIFs, videos, and payments aren't supported.


Mark Zuckerberg's Twitter, Pinterest accounts hacked

Sean Ridgeley | Jun 6, 2016 12:42 PM CDT

Even social media CEOs are susceptible to being hacked, it seems. Over the weekend, a couple of Facebook founder Mark Zuckerberg's social media accounts were compromised by Saudi Arabian hacking group OurMine Team.

OurMine is said to have found Zuckerberg's information in a recent LinkedIn dump, which they then used to gain control of his Twitter and Pinterest accounts. The group claims his password for both accounts was the surprisingly simple 'dadada', but there's reason to be skeptical of this as it also claimed it had taken over his Instagram account, which Facebook has denied.

Both the Twitter and Pinterest accounts haven't been terribly active, at least not recently; Zuckerberg's Instagram account hasn't been too active either, although it has been used on a regular basis and multiple times in the last week.


Congress is finally investigating SS7 mobile network security flaw

Jeff Williams | Apr 19, 2016 1:05 PM CDT

Cellular networks are already pretty insecure as they are. Voice is sent unencrypted and in the clear despite having the necessary hardware to support even light encryption methods. Spoofing cellular towers, too, isn't exactly the most difficult thing to do either, but that's small potatoes compared to a vulnerability in the Signalling System No. 7 telephony protocol that can allow a potential malefactor to track you across the globe, with relative ease. Congress is now taking an interest and investigating these vulnerabilities.

The interest in the issue began with the airing of a 60 Minutes piece where Sharyn Alfonsi and a German computing enthusiast who specializes in nefarious programming techniques showed off just how easy it is to exploit the SS7 protocol to track cellphone users. To demonstrate their point, the pair recruited US Representative Ted Lieu and asked him to use a new, unmodified iPhone when conducting staff phone calls. With just the phone number, they were able to pinpoint the location of the US Representative wherever he had the phone, and they were even able to record conversations he was having as well. It apparently didn't take much effort on the part of the researchers, either.

Mr. Lieu, following the demonstration he took part in, called for an official full investigation into the matter so that the vulnerabilities can be addressed. The flaw is something that potentially affects quite a few different markets, within the US and abroad, which could pose serious privacy issues, not to mention what could happen if someone should use the flaw to target individuals as part of pre-meditated actions.


WhatsApp enables end-to-end encryption

Sean Ridgeley | Apr 5, 2016 5:04 PM CDT

One month after publicly supporting Apple in its fight for encryption, chat app company WhatsApp now features end-to-end encryption in its client. In essence, whether you're calling someone, sending a file, messaging, hosting a group chat, or anything else, you can rest assured it's completely private from hackers, WhatsApp, and anyone else you might be paranoid about.

"We live in a world where more of our data is digitized than ever before," company CEO and founder Jan Koum says of the change. "Every day we see stories about sensitive records being improperly accessed or stolen. And if nothing is done, more of people's digital information and communication will be vulnerable to attack in the years to come. Fortunately, end-to-end encryption protects us from these vulnerabilities."

"Encryption is one of the most important tools governments, companies, and individuals have to promote safety and security in the new digital age," he continues. "Recently there has been a lot of discussion about encrypted services and the work of law enforcement. While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people's information to abuse from cybercriminals, hackers, and rogue states."


The FBI doesn't need to tell Apple how it broke into the iPhone 5C

Anthony Garreffa | Mar 30, 2016 6:29 AM CDT

We reported yesterday that the FBI had broken into the iPhone 5C used by the San Bernardino shooter, without Apple's help. It's now being reported that Apple can't force the FBI to disclose just how it broke into their smartphone.

The FBI reportedly tapped the help of an Israeli security firm, which broke into the iPhone 5C, and with Apple unable to force the FBI to show them how they did that, it could mean that other iPhones could be broken into. Why? Because Apple can't fix the security hole that the FBI went through - mainly for iPhone users, but it's obviously a hole that Apple doesn't know about, or at least they don't know which method the FBI used. It's quite scary that there's an easy hole that a company that's neither Apple nor the FBI can use to break into iPhones - quite easily, it seems.

Ars Technica talked with a law enforcement official, who, while explaining the Vulnerabilities Equities Process, said: "We cannot comment on the possibility of future disclosures to Apple. [There] are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences." So, there's no legal requirement for the FBI to disclose how it broke through Apple's much-touted security... well now.


Microsoft, Google, Yahoo, Comcast working on better email encryption

Jeff Williams | Mar 21, 2016 5:03 PM CDT

Encryption is a very pertinent issue in the modern age. We're at an impasse where certain individuals and groups would rather encryption be the stuff of history, perhaps even segregating encryption strengths like was common during the 80's and 90's. Email encryption isn't exactly the easiest thing to set up and requires a bit of preparation to do right. It can be cumbersome even to those that know what they're doing. A group of tech companies and independent researchers have gotten together to help make encryption of your emails easier, and much more seamless.

The new protocol that has been proposed is called SMTP STS, or Simple Mail Transfer Protocol Strict Transport Security, and is designed to ensure a secure, encrypted connection with email servers. It's not a method of encrypting your emails themselves, which would be best served by any free, or paid, PGP solution, but it adds a measure of security to email that helps to make sure that your messages are at least going through real, authentic mail servers to get to their destination.

What it does is talk to the email servers that a message is traveling through to determine whether or not the connection is secure and that they are who they say they are. If the server can be authenticated (through the use of certificates and a TLS encryption-based connection), then your message will pass along, knowing that at least that server is legit. If no encryption can be used, then there's the option that the message won't be sent.


Amazon will restore encryption to Fire OS 5 in future update

Sean Ridgeley | Mar 7, 2016 5:03 PM CST

Last week it became apparent Amazon had not included support for local encryption with Fire OS 5, which would seem to contradict its support of Apple's fight for encryption. Asked for comment on exactly that and why they would drop support when it seems all the work is done by Google anyway, an Amazon spokesperson simply told us, "We will return the option for full disk encryption with a Fire OS update coming this spring."

Amazon initially said its customers "weren't using" local encryption, so it decided not to include support for it, which appeared flimsy reasoning. Whatever the case, the company has wisely decided to change course, likely in light of how it looks currently.


The first OS X ransomware is here, holds your Mac hostage

Anthony Garreffa | Mar 6, 2016 7:23 PM CST

For what feels like forever, Windows users have been the butt of attacks from Mac users along the lines of "but Windows is open, and gets hit by viruses, malware, and ransomware all the time". Well, that might be something of the past now.

Palo Alto Networks is claiming it's discovered the first known OS X-based ransomware, known as "KeRanger". How do you get it? You download software infected with the nasty code, with BitTorrent client Transmission. It will encrypt your files after 72 hours, after which it'll demand that you hand over a digital currency ransom to get your files back. Nice.

The latest version of Transmission, alongside Apple revoking a security certificate from another developer that KeRanger used to get past OS X's built-in defenses, should keep you safe. But, this should act as a warning: OS X isn't as safe as most people think it is, and this could be the tip of the iceberg in the months, and years to come.
