A leaked database has compromised the personal information of more than 49 million Instagram users, including celebrities and “influencers.”
The information was found on an unsecured database hosted on an Amazon cloud server and includes public-facing information from Instagram accounts as well as personal details, including email addresses and phone numbers. TechCrunch, the website that initially broke the story, traced the database back to Chtrbox, a social media marketing firm based in Mumbai.
The database appears to have been initially compiled to determine relative costs and overall influence of each Instagram account.
The chief executive of Chtrbox declined to comment on the story.
See the initial TechCrunch news article here.
Elastic, the company developing enterprise search engine Elasticsearch and the Elastic Stack, has decided to make core Elastic Stack security features accessible to all users (and not just those who have a Gold subscription).
What is the Elastic Stack?
Elasticsearch is the most widely used enterprise search engine in the world. It is usually used for log, business, operational and security intelligence analytics. It is part of the Elastic Stack, an integrated solution that also …
The post Core Elastic Stack security features now available to all users appeared first on Help Net Security.
The U.S. Department of Justice announced that it has arrested and charged members of a major cybercriminal ring in connection with $2.4 million worth of wire fraud and identity theft.
The hacking group, called “The Community,” primarily used social engineering (trickery) and SIM card hijacking to steal funds and cryptocurrency from its victims.
SIM swapping, or SIM hijacking, is an attack that often uses personal information gleaned from other sources (such as social engineering) to authenticate a fraudster to a mobile phone company. Once the fraudster is authenticated, the target’s mobile phone number is moved to the criminal’s phone. Possession of the target’s phone number allows the criminal to access calls and texts intended for the target, making it possible to bypass the target’s two-factor authentication and gain access to the victim’s financial accounts.
Members of The Community face charges of wire fraud and aggravated identity theft. Three former mobile provider employees are also charged with accepting bribes to facilitate SIM-card hijacks for the group.
WhatsApp disclosed a major security vulnerability that allowed hackers to remotely install spyware on mobile devices.
The vulnerability, discovered earlier this month, allowed third parties to see and intercept encrypted communications. The spyware deployed has been traced back to NSO Group, an Israeli cyber company alleged to have enabled Middle East governments to surveil their citizens.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp announced in a statement.
NSO Group has denied involvement.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said in a press release.
WhatsApp, which is owned by Facebook, has released a patch to fix the vulnerability and urges all users to update as soon as possible.
“Given the limited information we collect, it is hard for us to say with certainty the impact to specific users,” WhatsApp said in a statement. “Out of an abundance of caution we are encouraging all users to update WhatsApp as well as keep their mobile OS up to date.”
Microsoft’s Outlook.com service suffered a major breach earlier this year. The compromise allowed hackers to potentially access user email accounts, and that was the case for more than six months. This news was no shocker. Outlook has always been, and continues to be, a perennial target.
Saying that email is a major service of the Internet is a bit like saying Donald Trump doesn’t like CNN. Email is foundational. In fact, it pre-dates the Internet by decades. (Lest we forget, the first email was sent in 1971).
It’s this familiarity and this reliance on email that has made it the target of choice for hackers, and with that a major liability for businesses and consumers alike. If you think social media networks and data mining organizations have juicy digital assets, consider for a moment the El Dorado of information transmitted daily via email, ranging from intimate correspondences to tax information, travel plans, financial transactions, photos, and shopping lists to real-time data on a user’s emotional state and how their important relationships are going.
Because email isn’t deleted from most servers by default, this target-rich digital information environment is often accessible to anyone with a login and password–something that is regularly served up to hackers by the billions.
The cybersecurity threat posed by email isn’t limited to sensitive data sitting passively on account servers. Email is the preferred tool hackers use to access their targets’ networks: 83% of organizations reported phishing attacks in 2018, up from 76% in 2017. Fully two-thirds of malware is installed by clicking on an email attachment.
“Just Because” Isn’t a Good Answer
It’s not an original thought to say that email is problematic, or that a replacement of some sort would be welcome. Its obsolescence, if not demise, has been predicted repeatedly over the years. A murderers’ row of newer technologies like SharePoint, Slack, Skype, Messenger, and many, many others have seemed like contenders, but email still dominates in the realm of communication.
True story: The Internet was not made with security in mind. It was made to communicate fast. While the underlying structures seem naïve, none of it was designed for the general public. Domain names were initially intended as a means of identifying remote academic, military, and government locations. Their corresponding numerical (IP) addresses were limited to roughly 4 billion possible variations. That was more than enough for every single person on the planet at the time of its creation. That this structure didn’t anticipate the rise of Internet-enabled telephones, vacuum cleaners, nuclear reactors, or personal assistants is as much a part of the problem as the fact that they didn’t anticipate every small-time crook switching from convenience store stick-ups and smash and dash crimes to the much less risky practice of email phishing campaigns with the cornucopia of identity-related crimes made possible by them.
Email has none of the strings-attached vibe that the Mark Zuckerbergs of the world have attached to our information, no terms and conditions or privacy policies subject to change, and it doesn’t rely on any specific hardware or software to be able to access it as a service. Looking at its liabilities without understanding its appeal is one of the key factors that has made it a communication mainstay, seemingly against all odds and to the consternation of IT departments around the world.
In this way, email is an object lesson in the cybersecurity quagmire: We’re over-reliant on the idea of technology providing a silver bullet instead of changing our behavior. No Slack or Messenger or any other killer app is going to solve the email problem (although traffic may continue to migrate from email to other modes of communication). The only thing that will change the situation, Yogi Berra might have said, is to change the situation. Meanwhile, he did say this: “If the world were perfect, it wouldn’t be.”
This article originally appeared on Inc.com.
The post Email Is the Biggest Threat to Business, So Why Is Everyone Using It? appeared first on Adam Levin.
The source code and security keys associated with a number of Samsung apps and projects have been discovered on an unprotected server. Samsung’s SmartThings home automation platform was among the projects exposed in the compromise.
The exposed server contained a code repository that was misconfigured and publicly available. In addition to the underlying code of several major Samsung apps was a security token that allowed unfettered access to 135 projects and applications.
“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” said Mossab Hussein, the cybersecurity researcher who discovered the server.
Samsung is one of the world’s biggest technology manufacturers, and the ability to compromise its software would represent a cyber threat of monumental proportions. The company’s SmartThings app alone boasts 100 million installs worldwide. Hussein alerted the company to the data compromise on April 10th, and 20 days went by before the company revoked access to its security keys.
“[W]hile we have yet to find evidence that any external access occurred, we are currently investigating this further,” a spokesman for the company said.
The post Access and Source Code to Samsung Apps Left Unprotected on Public Server appeared first on Adam Levin.
Adam Levin was featured on a short video on TicToc by Bloomberg, where he discussed the trade-offs between security and convenience for mobile banking and payment apps.
“As business tries in its technological innovation to make things more convenient, you end up with the conundrum between convenience and security,” Levin said.
The post Adam Levin Discusses Mobile Banking and Security with TicToc appeared first on Adam Levin.
A messaging app released by the French government to secure internal communications has gotten off to a troubled start.
Tchap was released in beta earlier this month as a secure messaging app exclusively for government officials. It was developed and released to address security concerns and data vulnerabilities in more widely used apps including WhatsApp and Telegram (a favorite of French Prime Minister Emmanuel Macron).
WhatsApp Meet “What Were You Thinking?”
Tchap was built with security in mind, and was initially touted as being “more secure than Telegram.” Man plans and God laughs. The app was hacked within less than a day of its release. Elliot Alderson, the hacker who discovered the initial security vulnerability, subsequently found four more major flaws in its code, and confirmed with the app’s developer that no security audit was performed on the app prior to release.
DINSIC, the government agency responsible for Tchap, issued a press release stating that the software “will be subject to continuous improvement, both in terms of usability and security,” and has since announced a bug bounty for further vulnerabilities.
The French government’s attempt at creating a secure messaging alternative highlights a cybersecurity conundrum. Recent incidents, including the allegations of Chinese government “backdoors” in telecom giant Huawei’s hardware and confirmed NSA backdoors in Windows software, have left governments and businesses increasingly wary of using software or hardware developed internationally or data stored internationally. At the same time, development of in-house or “proprietary” solutions is significantly more resource-intensive and not necessarily more secure than their more widely used counterparts.
The post French Government App Shows Difficulties with Secure Communications appeared first on Adam Levin.