A US court has sentenced a programmer to 30 months in a federal prison in connection with software that claimed to be a legitimate tool for Windows sysadmins to remotely manage computers, but was actually used by criminals to backdoor PCs and secretly spy on victims.
The post RAT author jailed for 30 months, ordered to hand over $725k worth of Bitcoin appeared first on The State of Security.
Yes, it’s the 100th edition of the “Smashing Security” podcast.
There’s a little celebration at both ends of this week’s podcast - but the meat of the sandwich is our normal look at the security stories of the last week - including an alarming IoT failure and a dating app disaster for Donald Trump devotees.
A former high school teacher is to plead guilty to hacking into the online accounts of celebrities and stealing naked photographs and other private information.
Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!
More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.
In today’s digital era, more and more organizations choose e-Signature technology as part of their digitization process.
OneSpan Sign is the white-labeled solution behind some of the most trusted brands and security-conscious organizations in the world. The last ten industry reports show that OneSpan Sign received the highest overall customer satisfaction score among e-signature products. 99% of users rated it four or five stars.
Try sending and e-signing documents now, free of charge, and discover how to:
Start e-signing in minutes on web and mobile, by signing-up for an Unlimited 30-Day Trial now!
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.
The Pentagon has admitted that up to 30,000 military workers and civilian personnel have had their personal information and credit card data exposed following a security breach.
The security breach occurred at a third-party vendor which provides travel management services to the Department of Defense.
The vendor, which has not as yet been publicly identified due to security concerns and ongoing contracts, was not however responsible for informing the Pentagon of the breach. Instead it appears that the DoD’s own computer security team which discovered a breach had occurred.
According to an Associated Press report, it it possible that the breach happened “some months ago,” and that further investigations may uncover that even more staffers were exposed.
The Department of Defense says that it has started notifying individuals affected by the security breach, and that those impacted will be offered prepaid identity theft monitoring services.
Pentagon spokesperson Lt. Col. Joseph Buccino issued a statement confirming the breach does not affect all staff who have used travel management services:
“The Department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information (PII) of DoD personnel maintained by a single commercial vendor that provided travel management services to the Department. This vendor was performing a small percentage of the overall travel management services of DoD.”
The one piece of good news is that it appears no classified material is likely to have been put at risk through the breach.
News of the breach does, however, come at an awkward time for the US Department of Defense which is currently smarting from a report issued last week by the US Government Accountability Office (GAO).
That report concluded that poor security has made next-generation weapons systems easy to hack.
In one case, it was reported that it was possible for unauthorised users to gain access to a weapons system within just one hour, and that the Pentagon was not following basic security practices such as changing default passwords.
“One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed.”
There have, of course, been US government data breaches that have affected a far larger number of individuals than the 30,000 estimated to be impacted in this latest incident.
But that doesn’t make it any less important for organisations like the Department of Defense to consider not only how they best protect their systems, but also how well their third-party service suppliers are securing sensitive DoD data.
The Pentagon has admitted that up to 30,000 military workers and civilian personnel have had their personal information and credit card data exposed following a security breach.
The security breach occurred at a third-party vendor which provides travel management services to the Department of Defense.
The vendor, which has not as yet been publicly identified due to security concerns and ongoing contracts, was not however responsible for informing the Pentagon of the breach. Instead it appears that the DoD’s own computer security team which discovered a breach had occurred.
According to an Associated Press report, it it possible that the breach happened “some months ago,” and that further investigations may uncover that even more staffers were exposed.
The Department of Defense says that it has started notifying individuals affected by the security breach, and that those impacted will be offered prepaid identity theft monitoring services.
Pentagon spokesperson Lt. Col. Joseph Buccino issued a statement confirming the breach does not affect all staff who have used travel management services:
“The Department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information (PII) of DoD personnel maintained by a single commercial vendor that provided travel management services to the Department. This vendor was performing a small percentage of the overall travel management services of DoD.”
The one piece of good news is that it appears no classified material is likely to have been put at risk through the breach.
News of the breach does, however, come at an awkward time for the US Department of Defense which is currently smarting from a report issued last week by the US Government Accountability Office (GAO).
That report concluded that poor security has made next-generation weapons systems easy to hack.
In one case, it was reported that it was possible for unauthorised users to gain access to a weapons system within just one hour, and that the Pentagon was not following basic security practices such as changing default passwords.
“One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed.”
There have, of course, been US government data breaches that have affected a far larger number of individuals than the 30,000 estimated to be impacted in this latest incident.
But that doesn’t make it any less important for organisations like the Department of Defense to consider not only how they best protect their systems, but also how well their third-party service suppliers are securing sensitive DoD data.
A Turkish newspaper claims that audio files of journalist’s death were recorded on his Apple Watch. Such a claim, if true, would be rather convenient for the intelligence services in Turkey - who might not want to reveal their methods.
Online criminals are planting cryptomining code on victims' Windows computers, using the camouflage of an update to Adobe Flash Player.
The post Fake Adobe update really *does* update Flash (while also installing cryptominer) appeared first on The State of Security.
Online criminals are planting cryptomining code on victims' Windows computers, using the camouflage of an update to Adobe Flash Player.
The post Fake Adobe update really *does* update Flash (while also installing cryptominer) appeared first on The State of Security.
You can bet mischievous hackers are right now trying to crack into Kanye West’s online accounts with equally diabolical passwords.
Passwords - everything you need to know about how to make them safer, and better secure your online accounts. In this replay of our podcast from February 2017, Graham Cluley, Carole Theriault and Vanja Švajcer discuss the perennial problem of passwords and offer some advice and tips for computer users.
Getting rid of hardcoded default passwords is not enough. There is a long way to go before we can feel confident that IoT devices have become significantly safer.
Read more in my article on the Bitdefender BOX blog.
The really big news today is not that Google is shutting down Google Plus (who cares?), but rather that Google knew months ago that user data had been exposed and kept the fact quiet.
Assassin’s Creed Odyssey, the action role-playing video game set in Ancient Greece, had its launch on Friday disrupted by crippling distributed denial-of-service attacks.
The US Department of Homeland Security and UK’s GCHQ have rallied behind the vigorous denials issued by Amazon and Apple, after Bloomberg BusinessWeek reported China had planted malicious computer chips on systems used by the tech giants.
New research has revealed that business email compromise is being made easier for any criminal to add to their arsenal. Is your company doing enough to protect itself?
Read more in my article on the Tripwire blog.
An extraordinary report released by Bloomberg BusinessWeek, which claims that China has been exploiting the supply-chain, planting a tiny microchip on servers which ended up in the server rooms of almost 30 companies, including the likes of Apple and Amazon.
Millions of Facebook user accounts put at risk after hack! The UK Conservative party’s conference app causes a privacy omnishambles! And Facebook (again) has been doing something naughty with the phone numbers you give it for security reasons! Oh, and Maria gets very excited about something to do with Star Trek.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Once again, a way of bypassing the iPhone’s passcode lock to expose users’ photos and contacts has been discovered.
Read more in my article on the Hot for Security blog.
It’s been a bad week for Facebook and its two billion-plus users.
Not only was it revealed that millions of users had their accounts exposed by a vulnerability, but the site has been up to dirty tricks with mobile phone numbers you gave them to supposedly enhance your security.
Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!
More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.
The fraud detection and prevention market offers a wide range of tools with a wide range of capabilities, but fraud is an ever-evolving threat. Not every tool can keep up with the new fraud schemes in play today.
Download this guide from OneSpan to gain expert insight on the essential capabilities you need in a fraud detection tool. From machine learning and an advanced rule engine to dynamic authentication flows, learn the nine key requirements to look for when comparing fraud solutions.
Inside, you’ll discover:
Download OneSpan’s “Buyer’s Guide to Evaluating Fraud Detection & Prevention Tools”.
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.
A Taiwanese bug hunter says that he will livestream his attempt to delete Mark Zuckerberg’s Facebook page this weekend.
Read more in my article on the Hot for Security blog.
An Australian teenager who hacked into Apple's network on multiple occasions over several months, and stole sensitive files, has been told that he will not be imprisoned.
The post Australian teen who hacked into Apple and stole 90 GB of files avoids jail appeared first on The State of Security.
Graham Cluley will be chairing the 19th National Information Security Conference (NISC) in Glasgow, Scotland, between 10th-12th October. Register for your ticket now.
Why was Zoho’s website taken offline by its own domain registrar? How are dash cams making you less secure? And why are robocalls on the rise in the United States?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
Women’s fashion retailer SHEIN has suffered a major security breach that has exposed the personal information and passwords of over six million customers.
Read more in my article on the Hot for Security blog.
Women’s fashion retailer SHEIN has suffered a major security breach that has exposed the personal information and passwords of over six million customers.
In a press statement, SHEIN reveals that it discovered on August 22 2018 that malicious hackers had compromised its computer network, and that between June and early August 2018 customer email addresses and “encrypted password credentials” had been stolen.
According to the company, malware had opened backdoors on corporate servers through which the attackers had stolen data associated with approximately 6.42 million customers.
What hasn’t been disclosed is how the malware came to be planted on SHEIN’s servers, and says it is against its policy to discuss the specific details, but SHEIN does say that the security holes exploited by the hackers have now been closed.
From the description, the attack against SHEIN does not appear to bear the hallmarks of the Magecart attacks which have impacted a number of sites in recent months, including Ticketmaster.
Fortunately, SHEIN says that it does not typically store payment card information on its systems, and there is no evidence to suggest that customers’ credit card details might have been stolen.
SHEIN says that it is reaching out to customers advising that passwords are changed, and is offering one year’s worth identity threat monitor for “affected customers in certain markets.”
In an FAQ, SHEIN tells users that they can reset their password by clicking on a link in an email they are sending users, or by manually visiting the SHEIN website, and after logging in, clicking the “Edit Password” link under the “Account Setting” page.
My advice is that you should visit the website to change your password, and *not* click on a link in an email. After all, now the breach is public knowledge it wouldn’t be too surprising if a criminal attempted to cause even more mayhem by spamming customers with a bogus email that *pretends* to come from SHEIN but really points to a site under the control of the hackers.
Furthermore, if you are concerned that your SHEIN password may have been compromised, please please do make sure that you are not using that same password on any other website.
Password reuse is one of the most common errors made by internet users. Every time you use the same password on different websites, you are increasing the chances that a hacker will be able to successfully exploit credentials stolen during an attack on one site to break into other accounts you may own online.
A US court has sentenced the creator of a notorious service that helped malware authors avoid detection by anti-virus software to 14 years in prison.
Read more in my article on the Hot for Security blog.
Online news aggregation service NewsNow has admitted that it has suffered a security breach, potentially exposing users’ passwords.
Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!
Recorded Future believes that every security team can benefit from threat intelligence. That’s why it has launched its new Threat Intelligence Grader — so you can quickly assess your organization’s threat intelligence maturity and get best practices for improving it.
Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. It empowers organizations to reveal unknown threats before they impact business, and enables teams to respond to alerts 10 times faster.
To supercharge the efforts of security teams, Recorded Future’s technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies.
91 percent of the Fortune 100 use Recorded Future.
Try out Recorded Future’s Threat Intelligence Grader for yourself now!
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.
Amazon staff are being bribed to delete negative reviews and leak data, deepfakes are getting more dangerous, an update on John McAfee’s bitcoin bet, and our guest gets a shock…
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week (for a while at least) by David Bisson.
Hundreds of thousands of security cameras are believed to be vulnerable to a zero-day vulnerability that could allow hackers to spy on feeds and even tamper with video surveillance recordings.
Read more in my article on the Bitdefender BOX blog.
Three men who operated and controlled the notorious Mirai botnet in October 2016 have been sentenced to five years of probation.
The post The makers of the Mirai IoT-hijacking botnet are sentenced appeared first on The State of Security.
Three men who operated and controlled the notorious Mirai botnet in October 2016 have been sentenced to five years of probation.
The post The makers of the Mirai IoT-hijacking botnet are sentenced appeared first on The State of Security.
If you were to make a list of the most common causes of security breaches, it is phishing attacks that would surely dominate.
Read more in my article on the Bitdefender Business Insights blog.
The US Department of State has confirmed that it has suffered a data breach which exposed the personally identifiable information of some employees.
During the last few months, many of us will have received emails that try to extract a ransom via an anonymous cryptocurrency.
But as email blackmailers make big winnings, others are trying to cash in on the craze.
Officials at Bristol Airport in the UK declined to pay a ransom demand from extortionists who attacked its computer systems late last week, forcing them to resort to whiteboards and public address systems to communicate with travellers.
Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!
More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.
And you can now download OneSpan’s free eBook: “8 Industry Best Practices for a Successful Mobile First Strategy”.
Financial institutions strategically aim for customers to do more with mobile while minimizing fraud exposure tied to untrusted, high-risk devices. To enable growth in the mobile channel, financial institutions need to provide fast, convenient and frictionless high-value services delivered as securely and fraud-proof as possible. Building trust between the bank and the customer is priority one in achieving this goal.
Inside OneSpan’s eBook, you’ll discover how to:
Download now: “8 Industry Best Practices for a Successful Mobile First Strategy”.
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.
A security researcher has revealed a method of crashing and restarting iPhones and iPads, with just a few lines of code that could be added to any webpage.
Read more in my article on the Hot for Security blog.
A security researcher has revealed a method of crashing and restarting iPhones and iPads, with just a few lines of code that could be added to any webpage.
Sabri Haddouche tweeted a link to webpage containing his 15-line proof-of-concept attack, which exploits a vulnerability in the WebKit web rendering engine used by Apple’s Safari browser.
Haddouche, who for a day job works as part of Wire’s security team, demonstrated that the Safari browser could be easily overloaded by applying a CSS background-filter property to over nested 3,000 <div> tags.
As the WebKit’s rendering engine consumes resources, iOS eventually freezes and devices can crash and restart.
The good news is that the weakness can not be exploited to steal information from iPhone and iPad users. However, it could be used by a mischief-maker or malicious attacker in a “denial-of-service” type of attack, effectively stopping a device from working.
Many users would certainly find it a more than trivial inconvenience to have their smartphones power cycle off, and take a few seconds to restart again (requiring a passcode to be entered).
— Sabri (@pwnsdx) September 16, 2018
According to reports, the attack works on a variety of versions of iOS, including the latest iOS 12 beta.
But it’s not just iOS users that are potentially at risk.
For instance, Some have even produced videos which appear to demonstrate that Apple Watches are also vulnerable.
Furthermore, Haddouche told ZDNet that he had found that (although not as dramatic) the weakness could be targeted on the macOS version of Safari:
“With the current attack (CSS/HTML only), it will just freeze Safari for a minute then slow it down. You will be able to close the tab afterward.”
“To make it work on macOS, it requires a modified version containing Javascript. The reason why I did not publish it is that it seems that Safari persists after a forced reboot and the browser is launched again, therefore bricking the user’s session as the malicious page is executed once again.”
And if WebKit itself is vulnerable then it’s likely that there are many apps besides Safari that are at risk if they user WebKit for rendering webpages.
Haddouche has informed Apple about the vulnerability, which is believed to be investigating.
For now, without a patch available, there’s not much that users can do to prevent themselves from becoming the unwitting victims of the attack.
As always, be suspicious of links sent to you in unsolicited emails, and at least feel some consolation that this particular vulnerability is not going to lead to your private data being stolen.
Often the biggest problem is not the threat of external hackers, but rather internal staff to whom you have granted access to sensitive data and who might be tempted to exploit it for financial gain.
A man wanted for his part in a lucrative criminal operation that spread scareware via the Minnesota Star Tribune website, who spent years on the run from the FBI, has finally been sent to prison.
Read more in my article on the Tripwire State of Security blog.
Malicious script is being blamed for the British Airways hack, Trend Micro’s apps are booted out of the Mac App Store for snaffling private data, and Paul Manafort’s daughter wants Twitter to remove a link.
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by David Emm of Kaspersky Lab.
The official UK TV licensing website was allowing licence purchasers to submit their personal identifiable information and bank details in unsafe, unencrypted plaintext.
Trend Micro has confirmed reports that some of its Mac consumer products were silently sending users’ browser history to its servers, and apologised to customers for any “concern they might have felt.”
But apparently it’s the users’ fault anyway for not reading the EULA.
Within hours of British Airways admitting that it had suffered a serious security breach, with hackers accessing customer data and the full details of 380,000 payment cards, a British law firm announced that it was launching a £500m group action against the airline.
Apple has removed “Adware Doctor” from the macOS App Store amid claims that the program was uploading browser histories to China. And it turns out that wasn’t the only popular app stealing users’ private information.
Read more in my article on the Tripwire State of Security blog.
Graham Cluley Security News is sponsored this week by the folks at Nehemiah Security. Thanks to the great team there for their support!
Coming this fall, Nehemiah is releasing their newest ebook, “Cyber as a Business Enabler: Operationalizing Cyber Risk Analytics”. This introductory guide arms the modern day cybersecurity leader to put cyber risk into motion and transform cybersecurity operations into a business enabler.
Topics covered in this book include:
Follow this link for a sneak peek into the content and to reserve your copy when the full book is released!
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.
British police have announced that they have arrested a 19-year-old man in connection with a series of hoax bomb threats and distributed denial-of-service (DDoS) attacks.
Read more in my article on the Hot for Security blog.
Hackers have stolen the personal and payment card information of hundreds of thousands of British Airways passengers from its website.
Unpopular podcasts are manipulating Apple Podcasts to artificially inflate their ranking, and get themselves a coveted place towards the top of the charts.
What’s the danger when browser extensions go bad? Is Twitter sharing your online status a boon for stalkers? And which of the show’s hosts is going to admit to cheating in their exams?
All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist David McClelland.
Ran Levi of “Malicious Life” interviewed me about the early days of the anti-virus industry, how my career started, how cybercrime has changed, and why I’ve got a very good personal reason to abhor Facebook.
The official Chrome browser extension for Mega.nz was compromised with a malicious update, stealing passwords and private keys.
Keep your browser extensions to a minimum, and always be wary if they ask for elevated permissions.
A class-action lawsuit against a hacked health insurer is claiming that a crucial computer was wilfully destroyed, erasing critical evidence that could prove the severity of the security breach.
Read more in my article on the Hot for Security blog.
30 years may have passed since the advent of the computer virus problem, but there is still malware fighting malware for control of your PC.
Good news for stalkers! Bad news for privacy. Twitter is working on a feature which will reveal when a user is currently online.
Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!
More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.
OneSpan has produced a free report on the top six e‑signature use cases in banking. With it you can learn the most common starting points for e‑signatures, plus the top targets for expanding across the enterprise.
E-signatures are being used in all areas of the bank, from customer-facing transactions to B2B and internal processes.
Some banks start by introducing e-signatures as part of a branch transformation initiative. Others begin in the online channel with high volume, self-serve transactions.
As digitalization efforts mature, it is becoming common for organizations such as U.S. Bank, BMO (Bank of Montreal), RBC (Royal Bank of Canada) and even non-bank lenders like OneMain Financial to expand e-signature capability across all channels, lines of business, mobile apps and more.
OneSpan’s free paper offers guidance to banks of all sizes seeking to answer questions like:
Download the OneSpan White Paper “Top e-Signature Use Cases in Banking” now.
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.
All 1.7 million users of Air Canada’s mobile app have had their passwords reset by the company following a security breach which saw hackers compromise up to 20,000 accounts last week.
Read more in my article on the Hot for Security blog.
How do fraudsters exploit abandoned domains to steal your company’s secrets? How can you better protect your privacy when looking for love online? And who has the longest arms in the animal kingdom?
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.
Instagram has entered the 21st century, and finally added support for third-party 2FA apps like Google Authenticator, Duo Mobile, and Authy.
Please turn it on.
Facebook has withdrawn its Onavo Protect VPN app from the iOS App Store after Apple determined that it was breaking data-collection policies.
The app, which was free to download, promoted itself as helping users keep themselves and their data safe when you go online, “blocking potentially harmful websites and securing your personal information.”
What users of Onavo may not have realised was that the app was also being used by Facebook to collect information about other apps installed on a user’s iPhone.
Under Apple developer guidelines, such information is not allowed to be collected by apps for analysis or marketing. However, data collected by Onavo is used to provide valuable market intelligence about marketshare and usage of apps.
In the words of the app’s own store description:
“Onavo may collect your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps, and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.”
According to a report in the Wall Street Journal, Apple and Facebook met last week to discuss concerns about the behaviour of the app, where the iPhone maker suggested that it be withdrawn from the App Store. Facebook, seemingly recognising that it would look better to choose to withdraw the app than be kicked out of the store, agreed.
A Facebook spokesperson claimed that the company has been upfront about how Onavo works:
“We’ve always been clear when people download Onavo about the information that is collected and how it is used. As a developer on Apple’s platform we follow the rules they’ve put in place.”
In the past, Facebook chief Mark Zuckerberg and Apple boss Tim Cook have publicly disagreed over their respective companies’ different approaches to user privacy.
Although the Onavo Protect app has now been withdrawn from the App Store, it’s possible that there are still plenty of users still relying on the service. In light of the accusations of data-harvesting, users would be wise to uninstall it from their devices.
Even if you aren’t concerned about the data collection, the app will no longer be receiving updates including, if they were made available, security updates. So the only sensible step is to remove the app and find an alternative VPN service which respects your privacy.
One other thing. Facebook has only pulled its controversial Onavo Protect VPN app from Apple’s app store. It is still available from the Google Play Android marketplace, where it has been downloaded over 10 million times.
Unlike Apple, Google may not be kicking up a stink about Facebook’s Onavo app but that’s not a reason for Android users to be any less concerned. Think carefully about what apps you install on your smartphone, and always consider how app developers might be planning to monetise your private data.
An Australian teenager has admitted hacking into Apple’s internal network and stealing 90 GB worth of files.
The 16-year-old, who cannot be named for legal reasons, has pleaded guilty to breaking into Apple’s systems on multiple occasions over the course of a year, from his parent’s home in Melbourne’s suburbs.
According to a report in The Age, the young hacker claimed to be a “fan” of the company, who “dreamed” of working for Apple one day.
The teen is thought to have attempted to hide his identity using a variety of tools, such as VPN software. But after Apple eventually spotted the unauthorised access of their internal systems they informed the FBI, who in turn worked with the Australian Federal Police to track down the intruder.
A search of the teenager’s home last year saw law enforcement officers seize two Apple laptops with serial numbers that “matched the serial numbers of devices which accessed the internal systems”, according to a prosecutor.
In addition, a mobile phone and hard drive was also seized.
According to the report, the boy is thought to have successfully accessed authorised login keys, and stored files in a folder labelled “hacky hack hack”.
In what is perhaps an indication of his immaturity, the teenage hacker is alleged to have bragged about his actions to others via WhatsApp.
An official statement from Apple, provided to the BBC, attempts to reassure Apple customers that their personal data was not at risk:
“We vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats.
“In this case, our teams discovered the unauthorised access, contained it, and reported the incident to law enforcement.
“We regard the data security of our users as one of our greatest responsibilities and want to assure our customers that at no point during this incident was their personal data compromised.”
Apple is understandably very sensitive to headlines that its systems may have been hacked, and there will no doubt be even greater embarrassment that it may have been successfully compromised for over a year by a boy aged just sixteen.
The boy is due to be sentenced on 20 September, and might serve as a warning to others: if you want to work for a company, it’s generally not a good idea to hack into it first.