Author Archives: Travis Taylor

Google Glitch Left Passwords Unprotected for 14 Years

Google announced a glitch that had stored some business customers' passwords without protection, a situation that had been exploitable since 2005.

In a blog post released this week, the company admitted the passwords of “some” of its G Suite customers had been stored on internal servers without cryptographic protection, that is, without being hashed.

“This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident,” announced the blog.

While the unhashed passwords were, according to Google, still held within its “secure encrypted infrastructure,” the length of time the issue went undetected is cause for concern for many security experts.

“[E]ven if it’s only internal it still creates a substantial privacy and security concern,” said TrustedSec CEO David Kennedy to Wired Magazine.

Google has begun contacting system administrators whose organizations would have been affected by the glitch to encourage them to change their passwords.

The post Google Glitch Left Passwords Unprotected for 14 Years appeared first on Adam Levin.

Data Leak Exposes Instagram Influencers

A leaked database has compromised the personal information of more than 49 million Instagram users, including celebrities and “influencers.”

The information was found on an unsecured database hosted on an Amazon cloud server and includes public-facing information from Instagram accounts as well as personal details, including email addresses and phone numbers. Techcrunch, the website that initially broke the story, traced the database back to Chtrbox, a social media marketing firm based in Mumbai.

The database appears to have been initially compiled to determine relative costs and overall influence of each Instagram account.

The chief executive of Chtrbox declined to comment on the story.

See the initial Techcrunch news article here.



Feds Break Up Major SIM-Hijacking Ring

The U.S. Department of Justice announced that it has arrested and charged members of a major cybercriminal ring in connection with $2.4 million worth of wire fraud and identity theft.

The hacking group, called “The Community,” primarily used social engineering (trickery) and SIM card hijacking to steal funds and cryptocurrency from its victims.

SIM swapping, or hijacking, is an attack in which personal information gleaned from other sources (often via social engineering) is used to authenticate a fraudster to a mobile phone company as the victim. Once authenticated, the criminal has the target’s phone number moved to a SIM card under his or her control. Possession of the target’s phone number lets the criminal receive calls and texts intended for the target, which makes it possible to bypass SMS-based two-factor authentication and gain access to the victim’s financial accounts.

Members of The Community face charges of wire fraud and aggravated identity theft. Three former mobile provider employees are also charged with accepting bribes to facilitate SIM-card hijacks for the group.

Read more about the story here.



WhatsApp Compromised by Spyware

WhatsApp disclosed a major security vulnerability that allowed hackers to remotely install spyware on mobile devices.

The vulnerability, discovered earlier this month, allowed third parties to see and intercept encrypted communications. The spyware deployed has been traced back to NSO Group, an Israeli cyber company alleged to have enabled Middle East governments to surveil their citizens.

“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp announced in a statement.

NSO Group has denied involvement.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said in a press release.

WhatsApp, which is owned by Facebook, has released a patch to fix the vulnerability and urges all users to update as soon as possible.

“Given the limited information we collect, it is hard for us to say with certainty the impact to specific users,” WhatsApp said in a statement. “Out of an abundance of caution we are encouraging all users to update WhatsApp as well as keep their mobile OS up to date.”


Access and Source Code to Samsung Apps Left Unprotected on Public Server

The source code and security keys associated with a number of Samsung apps and projects have been discovered on an unprotected server. Samsung’s SmartThings home automation platform was among the projects exposed in the compromise.

The exposed server contained a code repository that was misconfigured and publicly available. Alongside the underlying code of several major Samsung apps, the repository held a security token that allowed unfettered access to 135 projects and applications.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” said Mossab Hussein, the cybersecurity researcher who discovered the server.

Samsung is one of the world’s biggest technology manufacturers, and the ability to compromise its software would represent a cyber threat of monumental proportions. The company’s SmartThings app alone boasts 100 million installs worldwide. Hussein alerted the company to the data compromise on April 10th, and 20 days went by before it revoked access to the exposed security keys.

“[W]hile we have yet to find evidence that any external access occurred, we are currently investigating this further,” a spokesman for the company said.

Read more about the story here.


U.S. Energy Grid Experiences Possible Cyberattack

An apparent denial of service attack caused a disruption in a segment of the U.S. energy grid affecting Utah, Wyoming, and Southern California.

Little is currently known about the incident. It occurred March 5th, disabling several security devices. An unnamed utility company reported the incident to the Department of Energy.

“There was a denial-of-service attack…and that basically led operators to not be able to see what was going on in the grid,” said journalist Blake Sobczak, who initially reported the story. “As long as nothing crazy happens, you should be fine, but it certainly constitutes a disruption and a reportable event here to the Department of Energy.”

While the potential cyberattack did not lead to any known outages or interruptions in service and used a relatively unsophisticated method, it is noteworthy for being the first known incident to successfully target the nation’s energy infrastructure. Attacks on the U.S. energy grid had been theoretical up to this point, but security experts have long maintained that the infrastructure is poorly secured and that many utility companies are unprepared when it comes to cyber defense.

Fears of an attack on utilities have increased in the wake of Russian infiltration of U.S. critical infrastructure announced in 2018 by the Department of Homeland Security.


Putin Signs Nationwide Internet Censorship Into Law

Russian President Vladimir Putin has signed a bill to create a separate Russian national internet.

The legislation is primarily focused on establishing an autonomous national system, separate from the internet used globally, which would have its own DNS and would require all traffic in the country to pass through government monitoring. Putin has justified the move as a way to mitigate the threat of foreign government interference in Russian politics.

The bill comes on the heels of several other measures passed by Putin’s government, largely aimed at curtailing internet freedom, including one passed in March that granted it the power to punish Russian citizens for insulting public officials, and another targeting “unreliable socially significant information.”

Civil libertarians and security experts alike say Putin’s project mirrors China’s massive censorship of the Internet, which is called the “Golden Shield Project” and the “Great Firewall.”

“It’s about being able to cut off certain types of traffic in certain areas during times of civil unrest,” said Russian author Andrei Soldatov.

The intended separation from the wider internet has also proven unpopular with Russians. A recent poll showed only 23% approve of the legislation, and thousands of protestors demonstrated in Moscow in opposition to it earlier this year.

Read more about the story here.


Adam Levin Discusses Mobile Banking and Security with TicToc

Adam Levin was featured on a short video on TicToc by Bloomberg, where he discussed the trade-offs between security and convenience for mobile banking and payment apps.

“As business tries in its technological innovation to make things more convenient, you end up with the conundrum between convenience and security,” Levin said.

The video is available on Bloomberg.com.


Facebook Braces for Multibillion Dollar Fine

Facebook announced that it was preparing for a massive fine from the Federal Trade Commission for its mishandling of user privacy. The fine could be as much as $5 billion.

The social media giant revealed the fine as a one-time expense in its annual earnings statement, explaining a 51% decline in income, “in connection with the inquiry of the FTC into our platform and user data practices.”

“We estimate that the range of loss in this matter is $3.0bn to $5.0bn,” the company’s statement explained. “The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”

Facebook has been the target of an FTC investigation to determine if it had violated a 2011 consent decree following the 2018 revelation that it improperly shared data with Cambridge Analytica.

Despite the size of the fine, the company showed continuous growth and an expansion of its ecosystem of apps.

Read more about the story here.


French Government App Shows Difficulties with Secure Communications

A messaging app released by the French government to secure internal communications has gotten off to a troubled start.

Tchap was released in beta earlier this month as a secure messaging app exclusively for government officials. It was developed and released to address security concerns and data vulnerabilities in more widely used apps, including WhatsApp and Telegram (a favorite of French Prime Minister Emmanuel Macron).

WhatsApp Meet “What Were You Thinking?”

Tchap was built with security in mind, and was initially touted as being “more secure than Telegram.” Man plans and God laughs. The app was hacked less than a day after its release. Elliot Alderson, the hacker who discovered the initial security vulnerability, subsequently found four more major flaws in its code, and confirmed with the app’s developer that no security audit had been performed on the app prior to release.

DINSIC, the government agency responsible for Tchap, issued a press release stating that the software “will be subject to continuous improvement, both in terms of usability and security,” and has since announced a bug bounty for further vulnerabilities.

The French government’s attempt at creating a secure messaging alternative highlights a cybersecurity conundrum. Recent incidents, including the allegations of Chinese government “backdoors” in telecom giant Huawei’s hardware and confirmed NSA backdoors in Windows software, have left governments and businesses increasingly wary of using software or hardware developed abroad, or of storing data abroad. At the same time, developing in-house or “proprietary” solutions is significantly more resource-intensive and not necessarily more secure than relying on their more widely used counterparts.
