Hacking, Security & Privacy - Page 12

A recent announcement has come out from Capital One, who has admitted that there servers experienced a breach recently that has disclosed roughly 100 million American's personal information.

According to the announcement by Capital One, credit card information that they contained between the years of 2005 and 2019 has been disclosed. This potential of this information leak includes: "names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income, credit scores, credit limits, balances, payment history, contact information."

On top of that information leaking, the report also says that Capital One is also estimating that roughly 140,000 Social Security numbers were potentially compromised in the U.S, as well as 80,000 linked bank account numbers. The U.S Department of Justice has said that Seattle engineer, Paige A. Thompson has been arrested and indicted on accounts of having a connection to the breach.

A hacking group that goes by the nickname '0v1ru$' has disclosed some secret Russian spy projects, some of these projects were designed to store, monitor and decipher Tor users data.

The company that got hacked by 0v1ru$ is SyTech, a contracting company to the Federal Security Service of the Russian Federation. SyTech had its servers hijacked and 0v1ru$ managed to extract a whopping 7.5TB worth of data. Within the extracted data was several different security projects, the most notable one that was found was a project called 'Nautilus-S'.

The goal of the Nautilus-S project was to deanonymize Tor traffic while also creating a database of Tor users and their data. The disclosure revealed that this project begun way back in 2012, and was initialized in 2014 when Swedish researchers discovered Russian Tor nodes attempting to sift Tor users data. Since the hack has taken place, SyTech has taken down their website and has refused to contact the press regarding these disclosed projects.

A new report has been posted to the official United States Department of Justice website that has detailed a man who has pleaded guilty to the hacking of celebrities' Apple ID accounts.

According to the Department of Justice report, Kwamaine Jerell Ford has said he is guilty of hacking to the Apple accounts of certain professional athletes such as NBA players, NFL players musicians such as rappers. The report says that Jerell managed to gain access to these peoples accounts through tricking his victims into handing over their personal information by posing as a Apple customer support worker.

Once the account was compromised, Ford attempted to change the sign-in details of the account and scrape the credit card details that are attached to it. Ford then proceeded to pay "thousands of dollars" of travel and furniture for himself and was then indicted on six counts of computer fraud and aggravated identity theft. Ford has only pleaded guilty to one of these counts and his sentencing is scheduled to take place on June 24th. The high-profile people that were victims of Ford was not disclosed within the report.

NCIX is in some big effing trouble with a story breaking over the weekend that someone had access to their old servers that went for auction and were purchased, after the Canadian retailer went bankrupt in 2017.

The servers that were previously owned by NCIX somehow ended up on Craigslist, with Travis Doering from Privacy Fly access the servers and pretending to be someone called "Jeff" for privacy (fly) reasons. Doering was after the data on the NCIX server, making is clear he was after the contents of the HDD alone and not the juicy server hardware. Doering met with the seller multiple times, confirming that they were ex-NCIX servers and that they indeed had NXIC user and business data on it.

The used servers were sold because NCIX reportedly didn't pay their warehouse storage bills in late-2017 with over $115,000 owed, where the servers were given to the warehouse owner to sell to recoup costs. Yeah well, the NCIX servers weren't wiped and millions of customers private detailed were exposed, as well as business customers who used to buy many millions worth of goods.

This is a hard one to explain because people think that most security is done either on your PC (with software) or on your router (hardware protection). But, this is where Bitdefender steps in with their hardware offering in the Bitdefender BOX 2, the successor to the original BOX device.

The new BOX is the same hardware security appliance that the original one was, which works with your modem or router, but it can also function as the router if you don't already have one.

BOX can protect your various devices that are running Windows, Mac OS or Android... but it can also protect iOS devices, Kindle-based devices, smart TVs, consoles, smart thermostats, and any other internet-connected device. It's not just a simple solution, it's an all-round security solution.

Amazon have their evil tentacles in as many places as you can imagine, including a huge $10 billion deal with The Pentagon, so the news of a 1984-style facial recognition technology system shouldn't surprise you, at all.

The new surveillance system is reportedly called "Rekognition", with Amazon having a huge library of "tens of millions of faces" that will see it track up to 100 individuals in a given image, and then analyze their identity. Don't worry about your privacy as this is all for security and your personal safety.

Don't think that Amazon's super-secret Rekognition system is just a pipe dream, it is already deployed in some US cities. Washington County Sheriff's Office is already using Rekognition to reduce the time suspect identification takes, down from multiple days to a few minutes.

Intel is set to go through another battle with security holes in its CPUs with a revised version of Spectre found, with 8 new Spectre-like issues discovered.

Spectre Next Generation, or Spectre NG is what it's called, with Intel recently being notified of the security holes. 4 of them were rated high, while the remaining 4 were medium severity. The technical details behind Spectre NG haven't been announced, but we know that they will be similar or worse than the original Spectre, which was bad enough.

Intel is reportedly working on getting Spectre Next Generation problems fixed, with Microsoft and others working on OS level adjustments. There will reportedly be two new waves of updates, with the first coming soon and another reportedly in August, but these dates could vary depending on how bad Spectre NG really is.

Twitter has been hit in a big way today, with the social networking giant urging all of its 330 million users to change their passwords immediately after they were exposed in a bug in plain text.

The company wasn't hacked at all, with Twitter recommending people change their passwords out of an "abundance of caution". Twitter wants you to change your password on the site itself, and anywhere else that you've used that password, including third-party Twitter apps.

How did it happen? Well, Twitter says that the bug occurred through an issue in the hashing process, where it masks passwords by replacing them with a random string of characters that then get sorted on Twitter's system. An error in this process happened, so the passwords were then saved in plain text to an internal log. Twitter says they found the bug on their own, and removed the passwords and is working on it so it doesn't happen again.

It looks like hackers have breached the armor of Under Armour, the athletic apparel brand, with the data breach exposing details of over 150 million MyFitnessPal users.

The data breach exposes MyFitnessPal users' usernames, email addresses, and hashed passwords. Government-issued identifiers such as social security numbers and drivers licenses weren't exposed, as the app doesn't collect that sort of data, including credit cards.

The intrusion was detected in late-February, but Under Armour began working with authorities on March 25. Under Armour purchased MyFitnessPal in 2015 for $475 million.

As we get closer to the next Olympics, Japan is searching for new ways to beef up the security of their facilities but at the same time make sure that the increase of security doesn't hinder the process of getting inside of the Olympic venues.

The Japan Times has reported that sources close to the Olympic committee have said that there is speculation of facial recognition type technology to be used as security for the expected 300,000 to 400,000 attendees. If chosen as the select approach it has been said that it will not be used on spectators but instead could reduce the wait time of attendees such as officials and coaches.

There has been no official confirmation of if this technology will be implemented, so all concerns revolving around privacy have not been addressed yet. As we move closer to the beginning of the 2020 Olympics it is assumed that we will be updated with a confirmation announcement for if facial recognition is go or not.

TIO Networks is a telecom, wireless, cable and utility network operator in North America that also offers bill payment services, earlier this year PayPal purchased this company for $233 million and now it has come out that TIO network has had their data compromised. PayPal announced on November 10th that there was a potential breach in the TIO network but now has later confirmed that they "identified a potential compromise of personally identifiable information for approximately 1.6 million customers."

Thankfully PayPal's systems are not linked in anyway to that of TIO Networks as PayPal reassures customers that their data remains in secure hands.

"A review of TIO's network has identified a potential compromise of personally identifiable information for approximately 1.6 million customers. The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal's customers' data remains secure."

Nghia Pho, a former NSA employee has pleaded guilty to taking home classified information that was soon after linked to a hack from Russian intelligence. Pho will be sentenced on April 6th and has had his maximum penalty capped at 8 years, which would usually be 10 years.

According to sources of The New York Times, Pho stole the information both in physical and digital form between 2010 and 2015, then proceeded to intentionally use this information to then rewrite his resume. The hack came through exploited Kaspersky anti-virus software which the company was not aware of at the time. Kaspersky was aware that it has held NSA data but it is not clear whether it was that specific data or not.

Recently the NSA has had to deal with many leaks, scrambling to fix all these leaks could either motivate others to come forward and blow the whistle, or they could see Pho be made an example of, putting fear into others that were considering coming forward because of the penalty.

Back in 2014 Yahoo experienced a hack that exposed close to 500 million accounts, and now a Canadian citizen has just recently pleaded guilty to assisting a Russian intelligence officers in the hack. 22-year-old Karim Baratov has been arrested while another three individuals are facing charges back in Russia.

Prosecutors have stated that two of the Russian hackers are working for the Russian spy agency FSB, while the third is known Russian hacker Alexsey Belan. Dmitry Dokuchaev and Igor Sushchin are believed to have directed the attack and are also the ones that contacted Baratov when their targets were compromised with email accounts outside of Yahoos system. California's U.S Attorney's Office dives deeper into the details of the case, fleshing out the scope of abundant charges.

"According to his plea agreement, Baratov's role in the charged conspiracy was to hack webmail accounts of individuals of interest to the FSB and send those accounts' passwords to Dokuchaev in exchange for money. As alleged in the indictment, Dokuchaev, Sushchin, and Belan compromised Yahoo's network and gained the ability to access Yahoo accounts. When they desired access to individual webmail accounts at a number of other internet service providers, such as Google and Yandex (based in Russia), Dokuchaev tasked Baratov to compromise such accounts."

For a spy agency that has the word 'security' in its title, the National Security Agency seems to be worse than a teenager downloading MP3s from LimeWire. The NSA has been busted again exposing top secret data to people, this time on the cloud.

UpGuard Director of Cyber Risk Research Chris Vickery discovered back on September 27 an Amazon Web Services S3 cloud storage bucket that was configured for totally open public access. This means that anyone can enter the URL and see what's inside of trhe bucket, which was located on the AWS subdomain "inscom". This folder had 47 viewable files and other folders inside, three of which could be downloaded.

INSCOM is the intelligence command that is controlled by both the US Army, and the NSA. The worst part of this news is that the folder wasn't password protected, which seems awfully stupid (there are worse words) of the NSA.

Imgur has fallen victim to a data breach attack, following the recent hack and cover up from Uber, usernames and passwords have been compromised, totaling to 1.7 million user accounts.

This breach on Imgur has been reported to of happened in 2014 and only has just come to company's attention now. Responding quickly, Roy Sehgal, Chief Operating Officer released a statement on behalf of Imgur, saying that the company is investigating the origin of the hack and that it is possible that the hack occurred due to an "old algorithm that was used at the time."

"We are still investigating how the account information was compromised. We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year. We recommend that you use a different combination of email and password for every site and application. Please always use strong passwords and update them frequently."

It seems we can't go a week without a major breach in security at a huge company, with T-Mobile's website now reportedly hacked and the data from 76 million of its users could be exposed.

Security researcher Karak Saini discovered the bug in the wsg.t-mobile.com API, where if someone searched for someone else's number, the API sending back the data would include that users' data. The data in question included users' email addresses, IMSI network code, billing account data, and more. All hackers had to do was know, or guess a user's phone number, and they could have virtually all of that person's information, and more.

Saini spoke with Motherboard, where he said: "T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users".

The massive breach of Yahoo looks like it was worse than the original stories, which were already bad, but now Yahoo has said that all 3 billion users had their accounts breached.

Yahoo first reported 1.5 billion accounts had been breached in 2013, something that was announced just days before Verizon acquired the search giant. Verizon, which now owns Yahoo, has said that the attack had breached every Yahoo account... which means 3 billion accounts were attacked.

Verizon disclosed the new findings after an internal investigation into the 3 billion account breach, working with the SEC. The filing reads: "Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft".

VPNs are used in all different ways with all sorts of different people, but 4TFY has hit Kickstarter offering itself as an "easy-to-use, cost-effective VPN service".

The Kickstarter page for 4TFY continues, saying that their VPN service "allows you to hide your browsing activity from both your government and internet service provider, bypass government-imposed censorship, access geo-blocked content, mask your IP address, hide your physical location, and encrypt your internet traffic for greater browsing security".

The reason 4TFY caught my attention is that it is just $89 for a lifetime VPN service, blowing other VPN services out of the water that charge $89 per year on average. 4TFY is very aware of the "mass government surveillance is now the norm", offering the lifetime VPN service so that "your activities are not recorded and that you are able to access any content, anywhere, anytime. We do this by masking your IP address, by encrypting your internet traffic, and by passing this traffic through one on our highly secure servers".

Jio, a mobile network operator in India, is currently experiencing what could be the biggest data breach in India.

Jio is one of the fastest growing carriers in India and the whole world and was made famous by their launch of a nationwide LTE network for a very low price. They launched their network in September of last year, and have over 120 million users in less than a year. However, it appears that their speedy launch may have come at a cost.

Jio's customer's data has been leaked revealing many sensitive details, including customer's names, last names, phone numbers, emails, SIM Activation Date and even their Aadhaar Number. Aadhaar is a 12 digit unique identification number issued to all Indian residents based on their biometric and demographic data, and the world's largest biometric ID system, with over 1.154 billion enrolled members as of 11 June 2017.

I'm sure that you've heard about the "WannaCry" ransomware that is attacking hundreds of thousands of computers across hundreds of countries, and now Microsoft is chiming in with some fighting words against the NSA, CIA, and other spy agencies.

Microsoft President Brad Smith said that the NSA, CIA, and other spy agencies have been collecting security vulnerabilities, instead of telling Microsoft so they can fix them. Smith said there's an "emerging pattern" of these stockpiles leaking out, adding that some of themt can cause "widespread damage" when that happens. Smith even likened it to a physical weapons being leaked or stolen, comparing it to if the US military had "some of its Tomahawk missiles stolen".

But before we get too deep into this, remember that Microsoft built a freakin' backdoor into Outlook.com for the NSA, with Microsoft working for months to provide the NSA with full access to encrypted chats on Outlook.com, something we reported about in July 2013. Microsoft also worked with the NSA on giving them a backdoor into SkyDrive, their cloud-based storage service. At the time, I reported: "Microsoft worked tightly with the NSA in order to give them access, with the NSA reporting on April 8 of this year that the Redmond-based slave of the NSA built PRISM access into SkyDrive that removes the need for the NSA analysts to request permission to search SkyDrive".