It seems we can't go a week without a major security breach at a huge company, with T-Mobile's website now reportedly hacked and the data of 76 million of its users possibly exposed.
Security researcher Karan Saini discovered the bug in the wsg.t-mobile.com API: querying someone else's phone number caused the API to return that user's account data in its response. The data in question included users' email addresses, IMSI network code, billing account data, and more. All an attacker had to do was know, or guess, a user's phone number, and they could have virtually all of that person's information, and more.
Saini spoke with Motherboard, where he said: "T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users".
VPNs are used in all different ways with all sorts of different people, but 4TFY has hit Kickstarter offering itself as an "easy-to-use, cost-effective VPN service".
The Kickstarter page for 4TFY continues, saying that their VPN service "allows you to hide your browsing activity from both your government and internet service provider, bypass government-imposed censorship, access geo-blocked content, mask your IP address, hide your physical location, and encrypt your internet traffic for greater browsing security".
The reason 4TFY caught my attention is that it is just $89 for a lifetime VPN service, blowing out of the water other VPN services that charge $89 per year on average. 4TFY is very aware that "mass government surveillance is now the norm", offering the lifetime VPN service so that "your activities are not recorded and that you are able to access any content, anywhere, anytime. We do this by masking your IP address, by encrypting your internet traffic, and by passing this traffic through one of our highly secure servers".
I'm sure that you've heard about the "WannaCry" ransomware that is attacking hundreds of thousands of computers across hundreds of countries, and now Microsoft is chiming in with some fighting words against the NSA, CIA, and other spy agencies.
Microsoft President Brad Smith said that the NSA, CIA, and other spy agencies have been collecting security vulnerabilities instead of telling Microsoft so it can fix them. Smith said there's an "emerging pattern" of these stockpiles leaking out, adding that some of them can cause "widespread damage" when that happens. Smith even likened it to physical weapons being leaked or stolen, comparing it to the US military having "some of its Tomahawk missiles stolen".
But before we get too deep into this, remember that Microsoft built a freakin' backdoor into Outlook.com for the NSA, with Microsoft working for months to provide the NSA with full access to encrypted chats on Outlook.com, something we reported about in July 2013. Microsoft also worked with the NSA on giving them a backdoor into SkyDrive, their cloud-based storage service. At the time, I reported: "Microsoft worked tightly with the NSA in order to give them access, with the NSA reporting on April 8 of this year that the Redmond-based slave of the NSA built PRISM access into SkyDrive that removes the need for the NSA analysts to request permission to search SkyDrive".
Oh, and Microsoft also gave the NSA access to Skype. In my article from July 2013, I reported: "Work on this began back in November of 2010 with data collection a few months later in February of 2011, with the NSA document stating that the planned systems worked well, with full metadata collection enabled. The NSA thanked Microsoft for their help, saying that 'collaborative teamwork was the key to the successful addition of another provider to the Prism system'".
Bose is one of the biggest high-end audio companies in the world, a brand that has trust associated with it - but were we foolish to think so? According to a new lawsuit filed by Kyle Zak in Chicago, Bose's current $350 wireless headphones are spying on you.
The headphones in question require an app to "get the most" out of them, but the app monitors everything you listen to - including the names of the podcasts, the music, videos, and more. It then sends all of that information back to Bose, according to Zak's claim and lawsuit. According to Christopher Dore, Zak's lawyer: "People should be uncomfortable with it. People put headphones on their head because they think it's private, but they can be giving out information they don't want to share".
According to Reuters: "Zak is seeking millions of dollars of damages for buyers of headphones and speakers, including QuietComfort 35, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, SoundLink Color II, SoundSport Wireless and SoundSport Pulse Wireless". Not just that, but Zak also "wants a halt to the data collection, which he said violates the federal Wiretap Act and Illinois laws against eavesdropping and consumer fraud", Reuters reports.
We all know the NSA has the tools to spy on virtually everyone, but now hacking group Shadow Brokers has released a data dump that has allegedly come from the NSA, which details that the US spy agency can hack international banks - and, more importantly, the SWIFT network, through the Windows PCs and servers that are used during global financial transfers.
What is SWIFT? It's used by banks as a security measure against fraud, as it's used to validate one's bank account - and vice versa. Trillions of dollars per day get transferred through SWIFT, with over 11,000 banks and securities organizations in over 200 countries using it. The NSA allegedly claimed in the now leaked document that the "box has been implanted and we are collecting", which Wired explains as the "jargon used by the NSA to indicate spyware has been successfully implanted on a computer".
Security researcher Matt Suiche said that the IP addresses listed next to the financial institutions in the documents do not line up with the real IP addresses of the machines at those institutions. The IP addresses that were listed belonged to machines at EastNets, the largest SWIFT branch in the Middle East, which manages all of the payments for its financial clients. Suiche explains: "This is the equivalent of hacking all the banks in the region without having to hack them individually".
So, it looks like most of Apple's products are bugged by the CIA - if the latest claims from WikiLeaks are to be believed. The new "Dark Matter" release from "Vault 7" has documentation for "several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware".
WikiLeaks has exposed the interestingly named "Sonic Screwdriver" project, something the CIA calls a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting". This hack allows its attacker, in this case the CIA, to deploy its attack software from a USB flash drive - and, scarily, "even when a firmware password is enabled".
The CIA's "Sonic Screwdriver" infector is reportedly stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter, says WikiLeaks.
WikiLeaks' report continues, with "DarkSeaSkies" also detailed as "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consisting of "'DarkMatter', 'SeaPea' and 'NightSkies', respectively EFI, kernel-space and user-space implants".
The full report is available on WikiLeaks' website, with the final paragraph stating: "While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise".
Yahoo has confirmed that over 1 billion user accounts have been compromised, with the breach dating back to August 2013.
The stolen user data includes names, email addresses, phone numbers, dates of birth, hashed passwords, and even unencrypted security questions. Thankfully, financial information such as bank account and credit card data is held on a different server, with Yahoo saying that server was not affected - hopefully.
The company is now in the process of notifying all affected users, asking them to change their passwords - but as for the unencrypted security questions, Yahoo has invalidated them. It was only back in September that we reported over 500 million Yahoo account details were leaked in a breach in 2014, with forensic experts stating that the two hacks aren't related.
However, Yahoo knew about the hacks in 2014 - and didn't say anything. The bigger question is the $4.8 billion acquisition of Yahoo by Verizon, but I'm sure with this recent data breach of 1 billion user accounts, Yahoo will have to drop that price considerably. Also, if I were Verizon, I'd rename Yahoo to FFS.
The US Navy has waited until Thanksgiving to announce news that one of their employees had their laptop "compromised", with personal data of 130,000 sailors being stolen, back on October 27.
Chief of Naval Personnel Vice Admiral Robert Burke said in the US Navy's press release: "The Navy takes this incident extremely seriously - this is a matter of trust for our Sailors. We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach".
The Navy continued in its press release: "For those affected by this incident, the Navy is working to provide further details on what happened, and is reviewing credit monitoring service options for affected Sailors".
The personal data of 134,386 current and former sailors and service members was leaked - and the news of it arriving on Thanksgiving doesn't sit well with me either, with Motherboard reporting: "It's pretty bad to lose the personal information of 134,386 current and former sailors and service members, but letting them-and the rest of the world-know this happened the night before Thanksgiving, in what could easily be construed as an attempt to bury the bad news, certainly doesn't make the Navy look good".
The Belgian Big Brother Awards 2016 yesterday unanimously granted the title of 'ultimate privacy villain of the year' to Facebook, as decided by the public and a professional jury.
"We nominated Facebook for the award because their default settings are noxious for privacy," explained Joe McNamee, Executive Director of European Digital Rights. He later remarked, "Facebook is a multi-billion dollar company that has one commodity - you!"
Digital rights and freedoms association EDRi describes Facebook as having "access to a wide range of personal data, and it tracks your movements across the web, whether you are logged in or not."
It shouldn't be surprising - but it really is - that Yahoo secretly built a custom software program to search through all of its users' incoming emails for information, all on behalf of the US intelligence sector. Yeah... Yahoo spied on your emails, before you had even read them, for the NSA, according to Reuters' sources.
Yahoo complied with a classified US government demand, scanning hundreds of millions of Yahoo Mail accounts "at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events", reports Reuters. The site continues: "Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency's request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real-time".
Yahoo boss Marissa Mayer gave the order, which pissed some senior executives off to the point that in June 2015, Chief Information Security Officer Alex Stamos left the company, joining Facebook. Yahoo said to Reuters: "Yahoo is a law abiding company, and complies with the laws of the United States". Yeah Yahoo, you sure are - a snitching little traitor (my words).