Privacy & Rights News - Page 3
Twitter has been hit in a big way today, with the social networking giant urging all of its 330 million users to change their passwords immediately after a bug exposed them in plain text.
The company wasn't hacked at all, with Twitter recommending people change their passwords out of an "abundance of caution". Twitter wants you to change your password on the site itself, and anywhere else that you've used that password, including third-party Twitter apps.
How did it happen? Well, Twitter says that the bug occurred in the hashing process, which masks passwords by replacing them with a random string of characters that is then stored on Twitter's system. An error in this process meant the passwords were written in plain text to an internal log. Twitter says it found the bug on its own, has removed the passwords, and is working to make sure it doesn't happen again.
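The defender's fix for the class of bug Twitter describes, as an added example that is not Twitter's code: the password is hashed before anything is logged, and a logging filter redacts secret-looking fields so that even a careless debug line cannot write plaintext to an internal log. PBKDF2 stands in for Twitter's bcrypt here; the form fields, logger name and sample request are assumptions.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Matches password=<v>, 'password': '<v>', token=<v> and so on; group 2 is the value.
_SECRET = re.compile(
    r"""((?:password|passwd|secret|token)["']?\s*[:=]\s*["']?)([^"',&\s}]+)""", re.I)

class RedactSecrets(logging.Filter):
    """Logging filter: blank out the value of any secret-looking key before it is written."""
    def filter(self, record):
        record.msg = _SECRET.sub(r"\1[REDACTED]", record.getMessage())
        record.args = ()  # already formatted above; stop a second %-formatting pass
        return True

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Slow, salted digest (PBKDF2-HMAC-SHA256); only this should reach storage or logs."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

def handle_login(form: dict, logger: logging.Logger) -> tuple:
    """Hash first, then log; the raw form is never handed to the logger."""
    salt, digest = hash_password(form["password"])
    logger.info("login user=%s pw_digest=%s", form["username"], digest.hex()[:12])
    return salt, digest

def demo() -> str:
    """Run one login through a filtered logger and return exactly what hit the log."""
    buf = StringIO()
    logger = logging.getLogger("auth-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    form = {"username": "alice", "password": "hunter2"}  # constructed sample request
    handle_login(form, logger)
    # The kind of careless debug line that dumps a whole request: the filter catches it.
    logger.debug("raw form: %s", form)
    return buf.getvalue()
```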
It looks like hackers have breached the armor of Under Armour, the athletic apparel brand, with the data breach exposing details of over 150 million MyFitnessPal users.
The data breach exposes MyFitnessPal users' usernames, email addresses, and hashed passwords. Government-issued identifiers such as social security numbers and driver's licenses weren't exposed, nor were credit card numbers, as the app doesn't collect that sort of data.
The intrusion was detected in late February, but Under Armour began working with authorities on March 25. Under Armour purchased MyFitnessPal in 2015 for $475 million.
Back in 2014 Yahoo experienced a hack that exposed close to 500 million accounts, and now a Canadian citizen has pleaded guilty to assisting Russian intelligence officers in the hack. 22-year-old Karim Baratov has been arrested, while another three individuals are facing charges back in Russia.
Prosecutors have stated that two of the Russian hackers work for the Russian spy agency FSB, while the third is known Russian hacker Alexsey Belan. Dmitry Dokuchaev and Igor Sushchin are believed to have directed the attack and are also the ones who contacted Baratov when their targets used email accounts outside of Yahoo's system. The U.S. Attorney's Office in California dives deeper into the details of the case, laying out the full scope of the charges.
"According to his plea agreement, Baratov's role in the charged conspiracy was to hack webmail accounts of individuals of interest to the FSB and send those accounts' passwords to Dokuchaev in exchange for money. As alleged in the indictment, Dokuchaev, Sushchin, and Belan compromised Yahoo's network and gained the ability to access Yahoo accounts. When they desired access to individual webmail accounts at a number of other internet service providers, such as Google and Yandex (based in Russia), Dokuchaev tasked Baratov to compromise such accounts."
For a spy agency that has the word 'security' in its title, the National Security Agency seems to be worse than a teenager downloading MP3s from LimeWire. The NSA has been busted again exposing top secret data to people, this time on the cloud.
UpGuard Director of Cyber Risk Research Chris Vickery discovered back on September 27 an Amazon Web Services S3 cloud storage bucket that was configured for completely open public access. This means that anyone could enter the URL and see what was inside the bucket, which was located on the AWS subdomain "inscom". This folder had 47 viewable files and folders inside, three of which could be downloaded.
INSCOM is the intelligence command that is controlled by both the US Army and the NSA. The worst part of this news is that the folder wasn't password protected, which seems awfully stupid (there are worse words) of the NSA.
Inside the folder are some super-secret NSA contents, including an Oracle Virtual Appliance (.ova) titled "ssdev". Vickery loaded this file in VirtualBox and discovered that it contained a virtual HDD with a Linux-based OS that he reports was "likely used for receiving Defense Department data from a remote location. While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems - an intrusion that malicious actors could have attempted, had they found this bucket".
Imgur has fallen victim to a data breach, following on the heels of the recent hack and cover-up at Uber, with usernames and passwords compromised for a total of 1.7 million user accounts.
This breach of Imgur is reported to have happened in 2014 and has only just come to the company's attention. Responding quickly, Chief Operating Officer Roy Sehgal released a statement on behalf of Imgur, saying that the company is investigating the origin of the hack and that it is possible that the hack occurred due to an "old algorithm that was used at the time."
"We are still investigating how the account information was compromised. We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year. We recommend that you use a different combination of email and password for every site and application. Please always use strong passwords and update them frequently."
It seems we can't go a week without a major security breach at a huge company, with T-Mobile's website now reportedly hacked and the data of 76 million of its users potentially exposed.
Security researcher Karan Saini discovered the bug in the wsg.t-mobile.com API: if someone searched for another person's phone number, the API would send back that user's data. The data in question included users' email addresses, IMSI network code, billing account data, and more. All an attacker had to do was know, or guess, a user's phone number, and they could have virtually all of that person's information.
Saini spoke with Motherboard, where he said: "T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users".
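The bug Saini describes and the authorization check that closes it, as an added example that is not T-Mobile's code: the vulnerable lookup keys only on the phone number, the hardened one also requires the number to belong to the caller's own authenticated account, and a small log check flags callers asking about far more numbers than one household owns. The subscriber records, account ids and access log are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Subscriber:
    phone: str
    account_id: str
    email: str
    imsi: str

# Constructed sample directory; two numbers share a family account, as in Saini's description.
SUBSCRIBERS = {
    "5550001": Subscriber("5550001", "acct-1", "alice@example.com", "310260000000001"),
    "5550002": Subscriber("5550002", "acct-1", "alice-kid@example.com", "310260000000002"),
    "5550003": Subscriber("5550003", "acct-2", "bob@example.com", "310260000000003"),
}

class Forbidden(Exception):
    pass

def lookup_vulnerable(phone: str) -> dict:
    """The flaw described above: the only input is the number, so any caller gets any record."""
    sub = SUBSCRIBERS[phone]
    return {"email": sub.email, "imsi": sub.imsi, "account": sub.account_id}

def lookup_hardened(phone: str, caller_account: str) -> dict:
    """Object-level authorization: the number must belong to the authenticated caller's account."""
    sub = SUBSCRIBERS.get(phone)
    # One error for both "unknown number" and "not your number", so guessing callers learn nothing.
    if sub is None or sub.account_id != caller_account:
        raise Forbidden("number not accessible from this account")
    return {"email": sub.email, "imsi": sub.imsi, "account": sub.account_id}

def is_denied(phone: str, caller_account: str) -> bool:
    try:
        lookup_hardened(phone, caller_account)
        return False
    except Forbidden:
        return True

def enumeration_suspects(requests, threshold: int = 3) -> list:
    """Detection over (caller_account, phone) log pairs: more distinct numbers than a household owns."""
    seen = defaultdict(set)
    for caller, phone in requests:
        seen[caller].add(phone)
    return sorted(c for c, numbers in seen.items() if len(numbers) > threshold)

# Constructed access log: acct-1 checks its own two lines, acct-2 walks a number range.
SAMPLE_LOG = [("acct-1", "5550001"), ("acct-1", "5550002")] + [("acct-2", f"555{n:04d}") for n in range(1, 8)]
```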
VPNs are used in all sorts of ways by all sorts of people, and now 4TFY has hit Kickstarter offering itself as an "easy-to-use, cost-effective VPN service".
The Kickstarter page for 4TFY continues, saying that their VPN service "allows you to hide your browsing activity from both your government and internet service provider, bypass government-imposed censorship, access geo-blocked content, mask your IP address, hide your physical location, and encrypt your internet traffic for greater browsing security".
The reason 4TFY caught my attention is that it is just $89 for a lifetime VPN service, blowing out of the water other VPN services that charge $89 per year on average. 4TFY is very aware that "mass government surveillance is now the norm", offering the lifetime VPN service so that "your activities are not recorded and that you are able to access any content, anywhere, anytime. We do this by masking your IP address, by encrypting your internet traffic, and by passing this traffic through one of our highly secure servers".
I'm sure that you've heard about the "WannaCry" ransomware that is attacking hundreds of thousands of computers across hundreds of countries, and now Microsoft is chiming in with some fighting words against the NSA, CIA, and other spy agencies.
Microsoft President Brad Smith said that the NSA, CIA, and other spy agencies have been collecting security vulnerabilities instead of telling Microsoft so it can fix them. Smith said there's an "emerging pattern" of these stockpiles leaking out, adding that some of them can cause "widespread damage" when that happens. Smith even likened it to physical weapons being leaked or stolen, comparing it to the US military having "some of its Tomahawk missiles stolen".
But before we get too deep into this, remember that Microsoft built a freakin' backdoor into Outlook.com for the NSA, with Microsoft working for months to provide the NSA with full access to encrypted chats on Outlook.com, something we reported about in July 2013. Microsoft also worked with the NSA on giving them a backdoor into SkyDrive, their cloud-based storage service. At the time, I reported: "Microsoft worked tightly with the NSA in order to give them access, with the NSA reporting on April 8 of this year that the Redmond-based slave of the NSA built PRISM access into SkyDrive that removes the need for the NSA analysts to request permission to search SkyDrive".
Oh, and Microsoft also gave the NSA access to Skype. In my article from July 2013, I reported: "Work on this began back in November of 2010 with data collection a few months later in February of 2011, with the NSA document stating that the planned systems worked well, with full metadata collection enabled. The NSA thanked Microsoft for their help, saying that "collaborative teamwork was the key to the successful addition of another provider to the Prism system"."
Bose is one of the biggest high-end audio companies in the world, a brand that has trust associated with it - but were we foolish to think so? According to a new lawsuit filed by Kyle Zak in Chicago, Bose's current $350 wireless headphones are spying on you.
The headphones in question require an app to "get the most" out of them, but the app monitors everything you listen to - including the names of the podcasts, the music, videos, and more. It then sends all of that information back to Bose, according to Zak's claim and lawsuit. According to Christopher Dore, Zak's lawyer: "People should be uncomfortable with it. People put headphones on their head because they think it's private, but they can be giving out information they don't want to share".
According to Reuters: "Zak is seeking millions of dollars of damages for buyers of headphones and speakers, including QuietComfort 35, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, SoundLink Color II, SoundSport Wireless and SoundSport Pulse Wireless". Not just that, but Zak also "wants a halt to the data collection, which he said violates the federal Wiretap Act and Illinois laws against eavesdropping and consumer fraud", Reuters reports.
We all know the NSA has the tools to spy on virtually everyone, but now hacking group Shadow Brokers has released a data dump that has allegedly come from the NSA, which details that the US spy agency can hack international banks - and more importantly, the SWIFT network - through Windows PCs and servers that are used during global financial transfers.
What is SWIFT? It's used by banks as a security measure against fraud, as it's used to validate one's bank account - and vice versa. Trillions of dollars per day get transferred through SWIFT, with over 11,000 banks and securities organizations in over 200 countries using it. The NSA allegedly claimed in its now hacked and released article that the "box has been implanted and we are collecting", which Wired explains as the "jargon used by the NSA to indicate spyware has been successfully implanted on a computer".
Security researcher Matt Suiche said that the IP addresses listed next to the financial institutions in the documents do not line up with the real IP addresses of the machines at those institutions. The IP addresses listed were for machines at EastNets, the largest SWIFT branch in the Middle East, which manages payments for its financial clients. Suiche explains: "This is the equivalent of hacking all the banks in the region without having to hack them individually".