Security news

Hackers steal data of 100 million Quora users

Hackers steal data of 100 million Quora users

Quora hack exposes data of about 100 million users

Quora, the question-and-answer sharing website, announced yesterday that data of about 100 million of its users was compromised as a result of unauthorized access to one of their systems by a “malicious third party”.

“We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third party,” Quora CEO Adam D’Angelo said in a security update blog post. “We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing.  We have notified law enforcement officials. We are notifying affected Quora users. We have already taken steps to ensure the situation is contained, and we are working to prevent this type of event from happening in the future. Protecting our users’ information and fostering an environment built on trust remains our top priority so that together we can continue to share and grow the world’s knowledge.”

Quora discovered the breach on Friday, November 30, when they found that user’s data was accessed by an unauthorized third-party.

According to Quora, the following information may have been compromised:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

However, as a safety measure, the company is currently notifying users whose data was compromised and logging out all affected Quora users. It has also notified law enforcement officials and has retained a leading digital forensics and security firm to assist them.

The users who wrote questions and answers anonymously were not affected by this breach, as the website does store information of people who post anonymous content. Currently, it is unknown how the attacker gained access to Quora’s systems.

“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust,” Dylan added.

Quora has advised its users to not reuse the same password as Quora across multiple services, and suggested them to change it if they are doing so. Also, we would advise our readers to use unique passwords for every site that you visit to avoid being a victim of data breach.

read more announces potential cyber security breach announces potential cyber security breach resets all customer passwords after a network breach

Dell Inc., the U.S. based hardware giant, announced yesterday that the company had suffered a security breach earlier this month, on November 9, 2018. However, the company said that it managed to stop hackers who were looking to access data such as customer names, email addresses and hashed passwords.

“Dell is announcing that on November 9, 2018, it detected and disrupted unauthorized activity on its network attempting to extract customer information, which was limited to names, email addresses and hashed passwords,” the company said in its press release.

“Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation. Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement.”

According to reports, Dell did not inform its customers about the breach when it forced the password resets for all customer accounts on November 14, 2018. Also, the company did not mention how the hackers were able to breach its network.

“Our investigations found no conclusive evidence that any information was extracted,” Dell said in its press release. “Credit card and other sensitive customer information was not targeted. The incident did not impact any Dell products or services.”

Dell said that it is still investigating the incident, but said the breach wasn’t extensive one, as the company’s engineers were able to detect the intrusion on the same day it took place.

While a Dell spokesperson refused to provide the number of affected accounts, he said that “it would be imprudent to publish potential numbers when there may be none.”

Following the security breach, the company has encouraged its customers to change password for their account and also for other online services if they use the same or similar passwords.

read more

Hack Facebook or Instagram accounts and get paid up to $40,000

Hack Facebook or Instagram accounts and get paid up to $40,000

Facebook to pay up to $40,000 for finding ways to hack Facebook or Instagram accounts

Facebook has been going through a rough patch this year after suffering two severe security breaches that affected millions of its users.

While every year, Facebook pays millions of dollars to researchers and bug hunters to find security holes in its products and organization, it is still facing security breaches. Facebook has been running its Bug Bounty program since 2011.

Now, in order to step up its efforts to tighten the security of the platform, Facebook on Tuesday announced in a post that it has increased the average payout for account takeover vulnerabilities so as “to encourage security researchers to work on finding high-impact issues”.

The announcement further read, “The researchers who find vulnerabilities that can lead to a full account takeover, including access tokens leakage or the ability to access users’ valid sessions, will be rewarded an average bounty of:

* $40,000 if user interaction is not required at all, or
* $25,000 if minimum user interaction is required.

“This change applies to all products owned by Facebook, including Instagram, WhatsApp, and Oculus.

“Further, we will not require a full exploit chain in cases where leveraging the vulnerability requires bypassing our Linkshim mechanism.

“While monetary reward may not be the strongest incentive for why bug bounty researchers hack, we believe it remains a strong motivator for our white hat researchers to invest time in helping us identify and mitigate vulnerabilities. We encourage researchers to share their proof of concept reports with us without having to also discover bypasses for Facebook defense mechanisms.

“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high-quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.”

For those unaware, earlier this year, it was the Facebook–Cambridge Analytica data scandal where the personal information of 87 million Facebook users was harvested by Cambridge Analytica without their consent and used for political purposes.

Later, in September this year, Facebook discovered a major security issue that allowed hackers to access information, which could allow them to take over around 50 million accounts.

Source: Facebook 

read more

Instagram Bug Accidentally Exposed Passwords Of Many Users

A few months ago Instagram rolled out the “Download Your Data” feature to comply with the new European data privacy regulations, General Data Protection Regulation (GDPR). Well, this helpful feature had a major bug that accidentally exposed user’s password and made it vulnerable. So here’s everything you need to know about the issue.

Instagram Bug Exposed Passwords: The Issue

Instagram and Facebook are two of the most popular social media platforms with billions of users across the globe. Both Instagram and Facebook have been in news this year due to many major security flaws.

The “Download Your Data” feature on Instagram allowed users to download their activity like recent posts, likes, and comments. As a security measure, Instagram asked users to re-enter their passwords.

Due to the security bug, these re-entered passwords were visible and even saved as plaintext in URL and were also saved on Facebook’s server, Instagram’s parent company.

According to Instagram, these saved passwords were recently deleted from Facebook’s server. In addition to that, every affected user was notified about the security bug. That said, a very small number of people were affected by this issue.

Instagram Bug Exposed Passwords: The Solution

Well, if you are one among those affected users its a wise decision to change your Instagram password and even delete your browser’s history. Furthermore, turning on two-factor authentication (2FA) will further secure your account.

Lastly, if you didn’t receive any notification about the security bug then your passwords are completely safe. That said if you still experience any weird activity with your account, you should definitely follow the above-mentioned security measures and secure your account.

According to Instagram, this security bug has been completely fixed now. Furthermore, any sort of information or password was not exposed to anyone else.

Do share your thoughts and opinions on the above-mentioned issues in the comments section below.

read more

Unlock Any Smartphone With AI-generated ‘Master’ Fingerprints

Unlock Any Smartphone With AI-generated ‘Master’ Fingerprints

This AI-Generated ‘Master’ Fingerprint Can Unlock Any Smartphone

Like a master key that can open any lock, researchers from the University of Michigan and New York University have created an AI-generated ‘master’ fingerprint that is capable of unlocking most of the modern smartphones.

The research team presented their work in a paper titled DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution.

How Are Master Fingerprints Generated?

The fingerprints dubbed as “DeepMasterPrints” by the researchers can be artificially generated using machine learning algorithm.

These can be used to fool databases protected by fingerprint authentication without essentially requiring any information about the user’s fingerprints.

The artificially generated prints were able to accurately replicate more than one in five real fingerprints in a database, which should only have an error rate of one in a thousand.

DeepMasterPrints takes advantage of two flaws in fingerprint-based authentication systems. The first is that many fingerprint scanners do not read the entire finger at once.

Secondly, some different fingertip portions are more common than others, which means that scanners that only read partial prints are more likely to be tricked by common fingerprint characteristics.

The team trained a neural network to create artificial fingerprints and used evolutionary optimization methods to find their best DeepMasterPrints.

They used a common machine learning method, called “generative adversarial network” (GAN) to artificially create new fingerprints that matched as many certain portions of other fingerprints as possible.

The team points out that the attack using their AI-driven method can be distributed against random devices “with some probability of success.”

The researchers used a NIST public database with 54,000 fingerprints and 8640 finger scans as input for learning and improving their neural networks.

However, such attacks may not be able to break into your phone.

“A similar setup to ours could be used for nefarious purposes, but it would likely not have the success rate we reported unless they optimized it for a smartphone system,” lead researcher Philip Bontrager of the New York University engineering school told Gizmodo. “This would take a lot of work to try and reverse engineer a system like that.”

But, if a hacker is able to use such attacks against many fingerprint-accessible accounts, then the success rate of unlocking devices would be much more.

According to Bontrager, “the underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis.”

He and his team want their research to motivate companies to step up fingerprint-security efforts. “Without verifying that a biometric comes from a real person, a lot of these adversarial attacks become possible,” Bontrager said. “The real hope of work like this is to push toward liveness detection in biometric sensor.”

read more

Apple pulls watchOS 5.1 update after multiple reports of bricked devices

Apple pulls watchOS 5.1 update after multiple reports of bricked devices

Apple Watches bricks after users update to the latest watchOS 5.1, Apple halts the update

All those Apple Watch users who haven’t updated to the latest watchOS 5.1 should refrain from doing so, as Apple has pulled out this software update.

Few users took to Reddit and Twitter to report bricking of Apple Watches after updating to watchOS 5.1. Apparently, the issue seems to only be affecting the new Apple Watch Series 4 models.

After bricking reports, Apple has temporarily removed the watchOS 5.1 software update. In a statement to CNET, Apple said it was aware of the problem and was working on a fix.

“Due to a small number of Apple Watch customers experiencing an issue while installing watchOS 5.1 today, we’ve pulled back the software update as a precaution,” it explained.

“Any customers impacted should contact AppleCare, but no action is required if the update installed successfully. We are working on a fix for an upcoming software update.”

Earlier this week, Apple had released watchOS 5.1 update alongside iOS 12.1. watchOS 5.1 brings support for fall detection, Group FaceTime audio, new emoji, and a new color full-screen watch face. Besides these, the watchOS 5.1 update also included 14 security fixes.

For those who have downloaded the latest watchOS 5.1 update before it was pulled but have not installed it, it is advisable to not do so and wait for Apple to re-release the update.

read more

Hacker discovers iPhone Passcode Bypass in iOS 12.1 just hours after its release

Hacker discovers iPhone Passcode Bypass in iOS 12.1 just hours after its release

New iOS Passcode Bypass Found Hours After Apple Releases iOS 12.1

Apple considered as the highly secured device was bypassed shortly after the Cupertino giant released the latest version of its mobile operating system, iOS 12.1 on Tuesday.

Jose Rodriguez, a Spanish security researcher, and an iPhone enthusiast has managed to find a passcode bypass bug that allows attackers to access the contacts list on a locked iPhone.

Rodriguez shared a video (see below) with The Hacker News to show how the bug works.

As detailed in the video, the passcode bypass bug is present in a new feature introduced in iOS 12.1 called Group FaceTime. This bug can be exploited by either receiving a phone call or asking Siri to make a phone, and by changing the call to FaceTime.

Once switched to a FaceTime call, go to the bottom right menu and select “Add Person.” This will give access to the complete contact list of the targeted iPhone in spite of the device being locked. Further, by using the 3D Touch feature, you can see additional information of every contact in the contact list.

According to Rodriguez, the new passcode bypass bug would work on only those iPhone models that support Apple’s Group FaceTime added in the iOS 12.1 release, as the attack utilizes Apple’s Facetime.

The researcher also found that the hack works even without having Siri or VoiceOver screen reader feature enabled on a target iPhone.

Last month, a similar passcode bypass bug was discovered by Rodriguez in iOS 12 that takes advantage of Siri and VoiceOver screen reader and allows an attacker to access photos and contact details on a locked iPhone XS as well as other Apple devices.

read more

Apple’s iOS 12 update blocks GrayKey iPhone cracking tool

Apple’s iOS 12 update blocks GrayKey iPhone cracking tool

GrayKey password cracking tool can no longer break into by Apple’s iOS 12 update

Apple has finally managed to stop GrayKey devices from working on iPhones running last month’s release of iOS 12, according to a report from Forbes.

For those unaware, GrayKey is an iPhone unlocking device created by Atlanta-based firm Grayshift. This tool helps law enforcement agencies around the world to break passwords on iPhones involved in criminal investigations. The tool attracted widespread concern from security experts as well as the public when the device was unveiled in March.

Apple for the past six months has been continuously setting up hurdles to block GrayKey’s ability to access user data without permission. However, Grayshift managed to jump each barrier and continued to grow.

With iOS 12, however, GrayKey can no longer break a password of any iPhone. “On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said, reports Forbes. “That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.”

However, it is unclear as to how Apple managed to restrict GrayKey. Vladimir Katalov, chief of forensic tech provider Elcomsoft, said “it could be everything from better kernel protection to stronger configuration-profile installation restrictions.”

Captain John Sherwin, Police officer of the Rochester Police Department in Minnesota confirmed that iOS 12 was blocking GrayKey from unlocking iPhones: “That’s a fairly accurate assessment as to what we have experienced.

“Give it time and I am sure a ‘workaround’ will be developed … and then the cycle will repeat. Someone is always building a better mousetrap, whether it’s Apple or someone trying to defeat device security.”

Neither Apple nor Grayshift has commented on the report.

Source: Forbes

read more

Windows 10 October 2018 Update’s ZIP Data-Loss Bug Could Delete Your Files

Windows 10 October 2018 Update's ZIP Data-Loss Bug Could Delete Your Files

Windows 10 October update ZIP files overwrite confirmation bug spotted months before release

Microsoft has started the month of October on a rocky note, to say the least. First, it was the file deletion bug in the Windows 10 October 2018 update (version 1809) that forced Microsoft to pause the rollout until it could fix the issue after users started complaining of data loss. The Redmond giant received a lot of flak for not being able to fix the bug that was already spotted in its preview stages.

According to some users who did get the Windows 10 October 2018 Update have now found another bug that does not allow the system to display the ZIP files overwrite confirmation popup when copying files.

One 1809 user reported on Reddit, that the version of Windows 10 is missing the “Do you want to replace these files” dialog box while copying from a ZIP archive to another folder containing another file with the same file name. Although the file is not replaced, it instead modifies the date of the destination folder file. This bug just affects the built-in ZIP tool in Windows File Explorer, it has no impact on third-party programs.

Another Reddit user added that the bug also has Windows File Explorer show file transfer progress when copying from ZIP to show as if files are being copied.

A thread dedicated to the issue has been created on the Feedback Hub, where Microsoft employees normally respond to complaints and other bugs.

While the ZIP bug is in no way as severe as the file deletion bug, it can cause users to inadvertently remove or delete files. It also misinforms users into believing there was no file in the destination folder that was identical to the files in the ZIP archive.

Apparently, a Windows Insider Preview tester had spotted the presence of ZIP file bug three months ago and reported it to the Feedback Hub. However, this report failed to attract more than a few upvotes and was overlooked by Microsoft when collecting the Windows 10 October 2018 (version 1809) Update.

BleepingComputer points out this bug was fixed in the Windows 10 Insider Preview Build 18234 (19H1) that was released on September 6, a month before the public rollout of the October 2018 Update, confirms an engineer for Microsoft’s Windows Insider Program.

This means that the next patch for Windows 10 October 2018 Update will probably have a fix for the new bug. However, there is no word yet from Microsoft on when the update will be publicly rolled out.

Also Read-

Following Microsoft’s 1809 data-loss bug, the company has updated its Feedback Hub that will allow bug reporters to add a severity rating to grab the attention of Microsoft’s Windows engineers over severe issues.

“We believe this will allow us to better monitor the most impactful issues even when feedback volume is low,” Brandon LeBlanc, Senior Program Manager on the Windows Insider Program Team said in a blog post.

read more

This Tor Enabled Sim Card Will Keep Your Communication Anonymous

This Tor Enabled Sim Card Will Keep Your Communication Anonymous

This SIM Card Directs Your Mobile Data Through Tor

Although technology has overall made life easier, it has made things a lot less private. As a result, you need to be extra careful when you are browsing online, as it very difficult to maintain privacy out there. It is even possible that your ISP or VPN provider is maintaining a log of everything that you do online.

So, how do we protect our online privacy? Brass Horns Communications, a UK-based non-profit internet service provider that focuses on privacy and anti-surveillance services, has an answer for this. The company is currently beta-testing a SIM card that will automatically route your data through Tor, thereby securing online privacy and evading surveillance.

For those unaware, Tor (originally known as The Onion Router) is a free piece of software for enabling anonymous communication. Tor directs Internet traffic through a free, volunteer-operated network of computers around the world to hide a user’s location and usage from anyone conducting network surveillance or traffic analysis. While Tor protects a user’s privacy, it does not hide the fact that someone is using Tor. The most common method through which people access Tor is the Tor Browser Bundle on desktop, or with the Orbot app on Android.

Brass Horn’s founder, Gareth Llewelyn, told Motherboard that his venture is “about sticking a middle finger up to mobile filtering, mass surveillance.”

According to Brass Horn’s Onion3G service site, it claims that the “The Onion3G design is a closed network between your 3G device/MiFi/modem and the Brass Horn Comms Tor bridges, this may make the collection of Internet Connection Records (and by extension other forms of bulk surveillance) less effective.”

It also claims that it’s a safer mobile provider because it only issues “private IP addresses to remote endpoints which if ‘leaked’ won’t identify you or Brass Horn Communications as your ISP.”

Brass Horn Onion3G SIM card only has 3G connectivity. In order to use this Tor-dedicated SIM card, it is necessary to install Orbot app on the device. Further, only apps that have a proxy feature, like Twitter, are compatible. Also, it is available only for Android users.

The Tor-SIM card will cost £2.00 per month for a prepaid account. Further, £0.025 will be charged for per Megabyte (MB) transferred over the network. Pre-payment can be topped up at any time using a credit card like Visa, Mastercard, or cryptocurrencies like Bitcoin, ZCash or Monero.

Currently, the service is offered in the UK only and is likely to be made available to the public in 2019. Those interested in joining the beta phase can find more information here.

read more