Security news

Instagram Bug Accidentally Exposed Passwords Of Many Users

A few months ago Instagram rolled out the “Download Your Data” feature to comply with the new European data privacy regulation, the General Data Protection Regulation (GDPR). This helpful feature, however, had a major bug that accidentally exposed some users’ passwords. Here is everything you need to know about the issue.

Instagram Bug Exposed Passwords: The Issue

Instagram and Facebook are two of the most popular social media platforms, with billions of users across the globe. Both have been in the news this year because of several major security flaws.

The “Download Your Data” feature on Instagram allowed users to download their activity like recent posts, likes, and comments. As a security measure, Instagram asked users to re-enter their passwords.

Due to the bug, these re-entered passwords appeared in plaintext in the page URL and were consequently also stored on the servers of Facebook, Instagram’s parent company.
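The defect described above, a password carried in a URL query string and therefore copied into server logs, belongs to a class of mistake that a logging layer can catch as a second line of defence (the first being never to put a credential in a GET parameter at all). The following is an added example and not Instagram’s or Facebook’s code; the parameter names, the `scrub_access_log` helper and the sample log lines are all constructed here.

```python
"""Detect and redact credential-like query parameters before request lines are logged.

Added example (not Instagram's or Facebook's code). The sensitive-key list and the
access-log lines below are constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that must never reach a log in the clear (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "access_token", "secret"}
REDACTED = "REDACTED"


def has_sensitive_params(url: str) -> bool:
    """Detection side: does this URL carry a credential in its query string?"""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(k.lower() in SENSITIVE_KEYS for k, _ in pairs)


def redact_url(url: str) -> str:
    """Return `url` with the values of sensitive query parameters replaced."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def scrub_access_log(lines):
    """Scrub the request-path field of common-log-format lines.

    Returns (scrubbed_lines, number_of_lines_that_carried_a_credential).
    """
    out, hits = [], 0
    for line in lines:
        fields = line.split(" ")
        for i, field in enumerate(fields):
            # The request path is the only field that starts with "/" and has a query.
            if field.startswith("/") and "?" in field:
                absolute = "http://x" + field  # dummy origin so urlsplit sees a path
                if has_sensitive_params(absolute):
                    hits += 1
                    fields[i] = redact_url(absolute)[len("http://x"):]
        out.append(" ".join(fields))
    return out, hits


# Constructed sample lines, not real traffic: one leaks a password, one is clean.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Nov/2018:10:00:01 +0000] "GET /download_data?password=hunter2&fmt=json HTTP/1.1" 200 512',
    '203.0.113.6 - - [14/Nov/2018:10:00:02 +0000] "GET /feed?page=2 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    cleaned, count = scrub_access_log(SAMPLE_LOG)
    print(f"{count} line(s) carried a credential")
    for entry in cleaned:
        print(entry)
```

A non-zero hit count from such a scrubber is itself a signal worth alerting on, since it means some client-side flow is still sending credentials in the URL.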

According to Instagram, these saved passwords were recently deleted from Facebook’s server. In addition to that, every affected user was notified about the security bug. That said, a very small number of people were affected by this issue.

Instagram Bug Exposed Passwords: The Solution

If you are one of the affected users, it is wise to change your Instagram password and to clear your browser history, since the password may be present in a stored URL. Furthermore, turning on two-factor authentication (2FA) will further secure your account.

Lastly, if you did not receive any notification about the security bug, then your password is completely safe. That said, if you still notice any unusual activity on your account, you should follow the security measures above and secure it.

According to Instagram, the security bug has now been completely fixed, and no passwords or other information were exposed to anyone else.

Unlock Any Smartphone With AI-generated ‘Master’ Fingerprints

This AI-Generated ‘Master’ Fingerprint Can Unlock Any Smartphone

Like a master key that can open any lock, researchers from the University of Michigan and New York University have created an AI-generated ‘master’ fingerprint that is capable of unlocking most modern smartphones.

The research team presented their work in a paper titled DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution.

How Are Master Fingerprints Generated?

The fingerprints, dubbed “DeepMasterPrints” by the researchers, can be artificially generated using a machine learning algorithm.

They can be used to fool systems protected by fingerprint authentication without requiring any information about the victim’s actual fingerprints.

The artificially generated prints were able to match more than one in five real fingerprints in a database whose matcher was set to an error rate of only one in a thousand.

DeepMasterPrints takes advantage of two flaws in fingerprint-based authentication systems. The first is that many fingerprint scanners do not read the entire finger at once.

Secondly, some fingertip features are more common than others, which means that scanners that only read partial prints are more likely to be tricked by common fingerprint characteristics.

The team trained a neural network to create artificial fingerprints and used evolutionary optimization methods to find their best DeepMasterPrints.

They used a common machine learning method, the “generative adversarial network” (GAN), to artificially create new fingerprints that matched as many partial prints of other fingers as possible.

The team points out that the attack using their AI-driven method can be distributed against random devices “with some probability of success.”

The researchers used a NIST public database with 54,000 fingerprints and 8640 finger scans as input for learning and improving their neural networks.

However, such attacks may not be able to break into your phone.

“A similar setup to ours could be used for nefarious purposes, but it would likely not have the success rate we reported unless they optimized it for a smartphone system,” lead researcher Philip Bontrager of the New York University engineering school told Gizmodo. “This would take a lot of work to try and reverse engineer a system like that.”

But if an attacker is able to use such attacks against many fingerprint-protected accounts, the success rate of unlocking devices would be much higher.

According to Bontrager, “the underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis.”

He and his team want their research to motivate companies to step up fingerprint-security efforts. “Without verifying that a biometric comes from a real person, a lot of these adversarial attacks become possible,” Bontrager said. “The real hope of work like this is to push toward liveness detection in biometric sensor.”

Apple pulls watchOS 5.1 update after multiple reports of bricked devices

Apple Watches brick after users update to the latest watchOS 5.1; Apple halts the update

All Apple Watch users who haven’t updated to the latest watchOS 5.1 should refrain from doing so, as Apple has pulled this software update.

A few users took to Reddit and Twitter to report that their Apple Watches were bricked after updating to watchOS 5.1. The issue apparently affects only the new Apple Watch Series 4 models.

After bricking reports, Apple has temporarily removed the watchOS 5.1 software update. In a statement to CNET, Apple said it was aware of the problem and was working on a fix.

“Due to a small number of Apple Watch customers experiencing an issue while installing watchOS 5.1 today, we’ve pulled back the software update as a precaution,” it explained.

“Any customers impacted should contact AppleCare, but no action is required if the update installed successfully. We are working on a fix for an upcoming software update.”

Earlier this week, Apple had released the watchOS 5.1 update alongside iOS 12.1. watchOS 5.1 brings support for fall detection, Group FaceTime audio, new emoji, and a new full-color full-screen watch face. Besides these, the watchOS 5.1 update also included 14 security fixes.

Those who downloaded the watchOS 5.1 update before it was pulled but have not yet installed it are advised not to do so and to wait for Apple to re-release the update.

Hacker discovers iPhone Passcode Bypass in iOS 12.1 just hours after its release

New iOS Passcode Bypass Found Hours After Apple Releases iOS 12.1

The iPhone, widely considered a highly secure device, had its passcode bypassed shortly after the Cupertino giant released the latest version of its mobile operating system, iOS 12.1, on Tuesday.

Jose Rodriguez, a Spanish security researcher and iPhone enthusiast, has found a passcode bypass bug that allows attackers to access the contacts list on a locked iPhone.

Rodriguez shared a video with The Hacker News demonstrating how the bug works.

As detailed in the video, the passcode bypass bug is present in a new feature introduced in iOS 12.1 called Group FaceTime. The bug can be triggered either by receiving a phone call or by asking Siri to make a phone call, and then switching the call to FaceTime.

Once switched to a FaceTime call, the bottom-right menu offers an “Add Person” option. This gives access to the complete contact list of the targeted iPhone even though the device is locked. Further, using the 3D Touch feature shows additional information for every contact in the list.

According to Rodriguez, the new passcode bypass bug works only on those iPhone models that support Apple’s Group FaceTime, added in the iOS 12.1 release, since the attack relies on FaceTime.

The researcher also found that the bypass works even without Siri or the VoiceOver screen reader enabled on the target iPhone.

Last month, a similar passcode bypass bug was discovered by Rodriguez in iOS 12 that takes advantage of Siri and VoiceOver screen reader and allows an attacker to access photos and contact details on a locked iPhone XS as well as other Apple devices.

Apple’s iOS 12 update blocks GrayKey iPhone cracking tool

GrayKey passcode-cracking tool can no longer break into iPhones after Apple’s iOS 12 update

Apple has finally managed to stop GrayKey devices from working on iPhones running last month’s release of iOS 12, according to a report from Forbes.

For those unaware, GrayKey is an iPhone unlocking device created by Atlanta-based firm Grayshift. This tool helps law enforcement agencies around the world to break passwords on iPhones involved in criminal investigations. The tool attracted widespread concern from security experts as well as the public when the device was unveiled in March.

For the past six months Apple has been continually adding hurdles to block GrayKey’s ability to access user data without permission. However, Grayshift managed to clear each barrier and continued to grow.

With iOS 12, however, GrayKey can no longer break the passcode of any iPhone. “On those devices, GrayKey can only do what’s called a ‘partial extraction,’” sources from the forensic community said, reports Forbes. “That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.”

However, it is unclear as to how Apple managed to restrict GrayKey. Vladimir Katalov, chief of forensic tech provider Elcomsoft, said “it could be everything from better kernel protection to stronger configuration-profile installation restrictions.”

Captain John Sherwin of the Rochester Police Department in Minnesota confirmed that iOS 12 was blocking GrayKey from unlocking iPhones: “That’s a fairly accurate assessment as to what we have experienced.

“Give it time and I am sure a ‘workaround’ will be developed … and then the cycle will repeat. Someone is always building a better mousetrap, whether it’s Apple or someone trying to defeat device security.”

Neither Apple nor Grayshift has commented on the report.

Source: Forbes

Windows 10 October 2018 Update’s ZIP Data-Loss Bug Could Delete Your Files

Windows 10 October Update ZIP file overwrite-confirmation bug was spotted months before release

Microsoft has started the month of October on a rocky note, to say the least. First, it was the file deletion bug in the Windows 10 October 2018 update (version 1809) that forced Microsoft to pause the rollout until it could fix the issue after users started complaining of data loss. The Redmond giant received a lot of flak for not being able to fix the bug that was already spotted in its preview stages.

Some users who did receive the Windows 10 October 2018 Update have now found another bug: the system fails to display the overwrite confirmation popup when copying files out of ZIP archives.

One 1809 user reported on Reddit that this version of Windows 10 is missing the “Do you want to replace these files” dialog box when copying from a ZIP archive into a folder that already contains a file with the same name. The file is not replaced; instead, the modification date of the existing file in the destination folder is updated. This bug affects only the built-in ZIP tool in Windows File Explorer and has no impact on third-party programs.

Another Reddit user added that Windows File Explorer also shows a file-transfer progress bar when copying from the ZIP, as if the files were actually being copied.

A thread dedicated to the issue has been created on the Feedback Hub, where Microsoft employees normally respond to complaints and other bugs.

While the ZIP bug is in no way as severe as the file deletion bug, it can still lead users to inadvertently remove or delete files. It also misleads users into believing that the destination folder contained no file with the same name as those in the ZIP archive.

Apparently, a Windows Insider Preview tester had spotted the ZIP file bug three months ago and reported it to the Feedback Hub. However, the report attracted only a few upvotes and was overlooked by Microsoft when it finalized the Windows 10 October 2018 (version 1809) Update.

BleepingComputer points out that this bug was fixed in Windows 10 Insider Preview Build 18234 (19H1), released on September 6, a month before the public rollout of the October 2018 Update, as confirmed by an engineer for Microsoft’s Windows Insider Program.

This means that the next patch for Windows 10 October 2018 Update will probably have a fix for the new bug. However, there is no word yet from Microsoft on when the update will be publicly rolled out.

Following Microsoft’s 1809 data-loss bug, the company has updated its Feedback Hub to let bug reporters add a severity rating, so that severe issues get the attention of Microsoft’s Windows engineers.

“We believe this will allow us to better monitor the most impactful issues even when feedback volume is low,” Brandon LeBlanc, Senior Program Manager on the Windows Insider Program Team said in a blog post.

This Tor Enabled Sim Card Will Keep Your Communication Anonymous

This SIM Card Directs Your Mobile Data Through Tor

Although technology has overall made life easier, it has made things a lot less private. As a result, you need to be extra careful when browsing online, as it is very difficult to maintain privacy there. It is even possible that your ISP or VPN provider is keeping a log of everything you do online.

So, how do we protect our online privacy? Brass Horns Communications, a UK-based non-profit internet service provider that focuses on privacy and anti-surveillance services, has an answer for this. The company is currently beta-testing a SIM card that will automatically route your data through Tor, thereby securing online privacy and evading surveillance.

For those unaware, Tor (originally known as The Onion Router) is free software for enabling anonymous communication. Tor directs Internet traffic through a free, volunteer-operated network of computers around the world to hide a user’s location and usage from anyone conducting network surveillance or traffic analysis. While Tor protects a user’s privacy, it does not hide the fact that someone is using Tor. The most common ways people access Tor are the Tor Browser Bundle on desktop and the Orbot app on Android.

Brass Horn’s founder, Gareth Llewelyn, told Motherboard that his venture is “about sticking a middle finger up to mobile filtering, mass surveillance.”

Brass Horn’s Onion3G service site claims that “The Onion3G design is a closed network between your 3G device/MiFi/modem and the Brass Horn Comms Tor bridges, this may make the collection of Internet Connection Records (and by extension other forms of bulk surveillance) less effective.”

It also claims that it’s a safer mobile provider because it only issues “private IP addresses to remote endpoints which if ‘leaked’ won’t identify you or Brass Horn Communications as your ISP.”

The Brass Horn Onion3G SIM card only has 3G connectivity. To use this Tor-dedicated SIM card, the Orbot app must be installed on the device. Further, only apps that have a proxy feature, like Twitter, are compatible, and the service is available only to Android users.

The Tor SIM card will cost £2.00 per month for a prepaid account, and £0.025 will be charged per megabyte (MB) transferred over the network. Pre-payment can be topped up at any time using a credit card such as Visa or Mastercard, or cryptocurrencies such as Bitcoin, ZCash or Monero.

Currently, the service is offered in the UK only and is likely to be made available to the public in 2019. Those interested in joining the beta phase can find more information on Brass Horn’s Onion3G service site.

Facebook fined £500,000 for Cambridge Analytica data breach scandal

UK watchdog fines Facebook £500,000 over Cambridge Analytica data scandal

Britain’s privacy watchdog has fined Facebook £500,000 ($645,000) over the Cambridge Analytica data scandal. This is the maximum possible fine that the UK’s Information Commissioner’s Office (ICO) can impose for breaching data protection rules.

The ICO had issued a Notice of Intent to Fine to Facebook in July, following an investigation into the company’s data-sharing practices, which allowed the data of 87 million users to be exploited.

“The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had,” the ICO said confirming the fine.

“Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organizations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US.

“Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.”

During its investigation, the ICO found that the personal information of at least one million UK users was among the harvested data and was subsequently put at risk of further misuse. The information was used to help Donald Trump during his 2016 presidential election campaign.

“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data,” ICO said. “A company of its size and expertise should have known better and it should have done better.”

The penalty of £500,000 is the maximum allowed under the Data Protection Act 1998 at the time of the breach. This fine represents 0.00001 percent of Facebook’s CEO Mark Zuckerberg’s £43 billion ($61.5 billion) fortune. However, it could have been a lot worse had the data breach taken place under the General Data Protection Regulation (GDPR) law passed in May.

Under the EU’s new data protection laws, Facebook could have faced a maximum fine of £17m or 4% of global turnover – whichever is higher.

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organizations handle people’s personal data,” ICO said.

“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”

In response to the ICO announcement, Facebook commented that it is “reviewing” the decision.

“While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015,” a Facebook spokesperson said in a statement.

“We are grateful that the ICO has acknowledged our full cooperation throughout their investigation, and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica.”

Google makes it easier to delete your search history

Google now lets users delete search history more easily

Google announced that it is making it easier for users to understand and control their data from directly within its products, starting with Search.

“Today, we’re making it easier for you to make decisions about your data directly within the Google products you use every day, starting with Search. Without ever leaving Search, you can now review and delete your recent Search activity, get quick access to the most relevant privacy controls in your Google Account, and learn more about how Search works with your data,” said Google’s Eric Miraglia, Director of Product Management, Privacy and Data Protection Office in a blog post.

In other words, Google has made it easy for you to review and delete your most recent Search activity, access privacy controls in the Google Account, and learn more about how Search works with the data you provide. You can access all this information without having to leave Search.

Previously, the only way you could access your data and see how it is used was via your Google Account. This new change allows you quick access to the privacy controls in your Google Account that are most relevant as you use Search.

“For example, to control the ads you see when you search, we give you access to your Ad Settings. Additionally, you can access your Activity Controls to decide what information Google saves to your account and uses to make Search and other Google services faster, smarter and more useful,” Miraglia added.

This new improvement is now rolling out in Google Search on desktop and mobile web and is expected to be available in the Google app for iOS and Android in the coming weeks. This feature will be expanded to Google Maps next year followed by many other Google services.

Source: Google

Yahoo agrees to pay $50M to users hit by biggest ever data breach

Yahoo agrees to pay $50 million in data-breach settlement and give affected users free credit monitoring services

Yahoo has agreed to pay $50 million in data-breach settlement to 200 million victims of what is believed to be the biggest data breach ever. The company will also provide two years of free credit-monitoring services to these affected users in the U.S. and Israel.

The security breaches, which took place on two separate occasions in 2013 and 2014, were not disclosed by Yahoo until 2016. The breaches exposed usernames, email addresses, phone numbers, birth dates, security questions and answers, and backup email addresses and phone numbers.

“We are pleased that we were able to reach a settlement with Yahoo, which would provide relief to impacted users and ensure that Yahoo improves its security practices going forward,” said John Yanchunis, lead counsel of Morgan & Morgan in Tampa, Florida, in a statement on Tuesday.

The settlement, filed late on Monday in a two-year-old lawsuit that holds Yahoo accountable, will see $50 million go to Yahoo users whose accounts were affected by the digital burglaries in 2013 and 2014. The company will also pay $35 million in legal fees.

Yahoo accountholders who paid $20 to $50 annually for a premium email account will be able to claim a 25% refund. According to the proposed settlement, the fund will compensate Yahoo accountholders at a rate of $25 per hour for time spent handling issues related to the breach. However, the amount of compensation for those who have documented losses will be capped at 15 hours of lost time, or $375, while those without such information can ask for up to 5 hours, or $125.

Also, those who choose to receive credit monitoring could have it for at least two years. The free credit monitoring service’s value was pegged at about $359 for two years, although the settlement didn’t disclose how much Yahoo said it would pay to provide the coverage.

The lawyers representing Yahoo accountholders have a big incentive to get the settlement approved. If the settlement goes through, Yahoo will pay them up to $37.5 million in fees and expenses.

Verizon, which acquired Yahoo in 2017, will pay half the settlement cost, while Altaba, the company formed from the remainder of the Yahoo business, will pay $35 million imposed by the US Securities and Exchange Commission (SEC) for Yahoo’s failure in disclosing the breach in 2014 to the investors.

It wasn’t until last year that Yahoo admitted that the 2013 hack actually affected all 3 billion user accounts. The data breach is still under investigation, and the U.S. Department of Justice has charged Russian hackers with the 2014 breach that affected 500 million accounts.

A hearing on the proposed settlement is scheduled on Nov. 29 in U.S. District Court before U.S. District Judge Lucy Koh in San Jose, California. If the settlement gets approved, notices will be emailed to affected accountholders and published in People and National Geographic magazines.

Oath, the Verizon subsidiary that now oversees Yahoo, said through a spokesman Tuesday that it does not comment on lawsuits.
