
Apple has issued an emergency patch to fix a vulnerability that left iOS devices at risk of being attacked via Wi-Fi.

Just days after the release of iOS 10.3, Apple has pushed out an update to iOS 10.3.1 in order to fix a significant security issue that made iOS devices vulnerable to attacks sent via Wi-Fi.

The emergency patch addresses a flaw in the operating system that would allow an attacker within range of an at-risk device to execute arbitrary code on the device's Wi-Fi chip.

The issue appears to be the residual effect of a similar vulnerability that was supposedly patched with iOS 10.3. That version of the exploit allowed an attacker to execute arbitrary code with kernel privileges, meaning it could affect the entire operating system.

The vulnerability patched by the update to iOS 10.3.1 affected devices with a Wi-Fi chip. That includes the iPhone 5 and later, iPad 4th generation and later and iPod touch 6th generation and later.

In a support document for the update, Apple credited Google Project Zero, Google’s team of security researchers, for spotting the issue.

The patch to iOS 10.3.1 also fixes an apparent issue that kept old iOS devices from downloading iOS 10.3 as an over-the-air update. 32-bit devices including the iPhone 5, 5C and fourth-generation iPad were affected, but will now be able to download the update normally.

How To Update To iOS 10.3.1

iOS 10.3.1 can be downloaded directly to your iOS device if you are connected to a Wi-Fi connection. This can be done by going to the Settings app, tapping “General” and tapping “Software Update.” An option to download and install should appear.

However, given the primary issue iOS 10.3.1 fixes has to do with potential security threats for iOS devices connected to Wi-Fi, you may choose to install the update via iTunes. Make sure your iTunes is up to date, then connect your iOS device to your computer via USB.

In iTunes, select your device’s icon from the upper left bar. Click on the Summary tab and click “check for update.” Click “Download” and iTunes will begin downloading the update. A guide of on-screen prompts will lead you through the process to complete the update.

Source : Yahoo.com
 
Categorized in Others

Like computers, human brains may be vulnerable to hackers. Technology is already allowing scientists to read people's thoughts and even plant new ones in the brain.

The latest episode of the Science Channel's "Through the Wormhole," hosted by Morgan Freeman, explores the potential — and dangers — of hacking the mind. The episode premieres tonight (July 3) at 10 p.m. ET.

"We live in a world of data," Freeman says in the show. "One day soon, our innermost thoughts may no longer be our own."

Mind reading

Reading people's minds doesn't always require technology. New York psychologist Marc Salem can decipher a person's thoughts using the tiny physical cues in a person's body language. "A scratch of the nose can mean you're lying, or it can mean that your nose itches," Salem told LiveScience. When he's trying to read someone's mind, he looks for what he calls a "packet of signals" that tells him what a gesture means. The show follows Salem as he guesses the cards of professional poker players — a seemingly impossible feat. To do it, Salem relies on context. "I'm able to pick up their nonverbal inflections and cues," he said. "The more I have a context for them, the more I can pick them up."

Of course, technology can give scientists even more direct access to the human brain. Inventor and neurotechnologist Philip Low is developing a portable brain monitor called iBrain that can detect the brain's electrical activity from the surface of the scalp, Freeman explains. People with Lou Gehrig's disease (amyotrophic lateral sclerosis) or other forms of paralysis still have healthy brain activity. Using the iBrain, they could use thoughts to control a virtual hand on a computer screen.

Morgan Freeman hosts the Science Channel's "Through the Wormhole." The July 3 episode covers "Hacking the Brain."

Credit: Through The Wormhole- Science Channel

The show later delves into even more sophisticated forms of mind reading. "Some neuroscientists are already translating the language of the brain to plain English," Freeman says. Neuroscientist Jack Gallant at the University of California, Berkeley is compiling a "brain dictionary" to translate thoughts into pictures and words. Gallant and his colleagues showed people different images while measuring their brain activity via functional magnetic resonance imaging (fMRI). From the brain activity, Gallant's team can reconstruct the approximate images people saw. The scientists are also developing a dictionary of concepts that allows them to guess what people are thinking about the images they're seeing.

Mental modification

But these technologies are already raising ethical issues. "We don't know how fast the technology's going to progress," Gallant says. Freeman goes on to explore an even more startling possibility: If thoughts can be decoded, could they also be altered?

For example, imagine if you could turn an amateur into an expert in a single day. This is the mission of neuroscientist and entrepreneur Chris Berka. Athletes, performers or other experts can tap into a state of extreme mental focus, called being "in the zone." The zone state (which amateurs can achieve too) has a particular signature in the brain activity. The neurotech company Berka runs is developing technology to monitor people's brain activity during a task, such as archery, and notify them when they have reached their "peak performance state," aka, the zone. Essentially, the technology gives people the ability to hack into their own brains in order to improve their performance.

But what if other people could hack into a person's brain and plant thoughts there? Computer programmers break into secure systems using "cracks," Freeman says. In humans, sense of smell could be a crack for the brain. Ilana Hairston, a psychologist at The Academic College of Tel-Aviv Yaffo in Israel, uses smell to plant information in people's brains while they sleep. She trains snoozing people to associate certain pleasant or foul odors with particular sounds. The notion sounds like sci-fi, but it relies on a brain pathway that allows senses like smell to enter the brain without conscious awareness.

On the show, Freeman explores all of these mind-probing efforts with his characteristic gravitas. Many of the methods described aim to restore or improve human abilities. But some imply a future that is spooky indeed.

Author : Tanya Lewis

Source : livescience.com

Categorized in Others

In 2016, the number of hacked websites rose by 32%, according to a recent blog post from Google. And, unfortunately, the search giant said it believes that number will continue to rise as hackers become more sophisticated.

 

While 84% of webmasters who "apply for reconsideration" were able to clean up their sites, the post said, 61% were never alerted by Google that they had been hacked. The primary reason for this disconnect for more than half of hacked webmasters is that their sites weren't verified in Google's Search Console, which the company uses to communicate information about websites.

In the post, Google outlined some of the common hacks that are affecting websites today, such as the Gibberish Hack, the Japanese Keywords Hack, and the Cloaked Keywords Hack. Citing the old adage "a chain is only as strong as its weakest link," Google said that prevention is key in keeping these hacks at bay.

To improve prevention, it is important to know how these attacks are being carried out. In a separate post, Google outlined the following six ways that websites get hacked by spammers:

1. Compromised passwords

Whether an attacker is using guessing techniques to obtain a password, or simply trying out common variations of passwords, compromised account credentials are a serious issue. It's important to create a strong password, not use the same password across multiple web properties, and use additional security tools like two-factor authentication, the post said.

2. Missing security updates

Old software that hasn't been updated may be missing an essential patch to account for a serious vulnerability, the post said. Make sure your web server software, CMS, plugins, and other essential software are all set to update automatically. If that isn't an option, set up a cadence by which you'll manually check for updates.

3. Insecure themes and plugins

In addition to making sure your plugins and themes are patched, be sure to "remove themes or plugins that are no longer maintained by their developers," the post said. Also, be careful when using free plugins, or ones that may only be available through an unfamiliar website.

 


"It's a common tactic for attackers to add malicious code to free versions of paid plugins or themes," the post said. "When removing a plugin, make sure to remove all its files from your server rather than simply disabling it."

4. Social engineering

Social engineering attacks, like phishing, try to trick the user into thinking they are providing needed information to an actual webmaster or account manager, for example. Check to make sure the email address matches perfectly to a person you know, and never give out personal information to someone you aren't familiar with.

5. Security policy holes

Bad security policies, such as allowing users to create weak passwords, giving admin access too freely, and not enabling HTTPS on your site can have negative consequences, the post said. To better protect your site, Google recommends making sure you have the highest security controls configured, that user access and privileges are properly managed, that logs are checked, and that encryption is used.

6. Data leaks

When data is mishandled, or improperly uploaded, it can become available as part of a leak. One method, "dorking," can utilize common search engines to find the compromised data. Make sure only trusted employees have access to the data they need, and use URL removal tools to make sure that sensitive URLs don't display in Google search results, the post said.

Author : Conner Forrest

Source : http://www.techrepublic.com/article/here-are-the-top-6-ways-websites-get-hacked-according-to-google/

Categorized in Internet Privacy

It should come as no surprise to anyone in our field: when Google published its State of Website Security in 2016, it documented a 32% year-over-year increase (2016 over 2015) in sites that got hacked. Google said it doesn't expect this trend to slow; in fact, it believes there will be even more hacked sites next year.

Google wrote:

First off, some unfortunate news. We’ve seen an increase in the number of hacked sites by approximately 32% in 2016 compared to 2015. We don’t expect this trend to slow down. As hackers get more aggressive and more sites become outdated, hackers will continue to capitalize by infecting more sites.

Google did, however, share two key points on why registering with Google Search Console helps when it comes to hacking:

(1) 84% webmasters who do apply for reconsideration are successful in cleaning their sites.

(2) 61% of webmasters who were hacked never received a notification from Google that their site was infected because their sites weren't verified in Search Console.

So even more of a reason to register with Google Search Console. Obviously, many of the sites that do not spend the time registering and verifying their site with Search Console are those who don't have time to care about if their site is hacked or not.

Here are the more common hacks according to Google:

Gibberish Hack: The gibberish hack automatically creates many pages with non-sensical sentences filled with keywords on the target site. Hackers do this so the hacked pages show up in Google Search. Then, when people try to visit these pages, they’ll be redirected to an unrelated page, like a porn site. Learn more on how to fix this type of hack.

Japanese Keywords Hack: The Japanese keywords hack typically creates new pages with Japanese text on the target site in randomly generated directory names. These pages are monetized using affiliate links to stores selling fake brand merchandise and then shown in Google search. Sometimes the accounts of the hackers get added in Search Console as site owners. Learn more on how to fix this type of hack.

Cloaked Keywords Hack: The cloaked keywords and link hack automatically creates many pages with non-sensical sentence, links, and images. These pages sometimes contain basic template elements from the original site, so at first glance, the pages might look like normal parts of the target site until you read the content. In this type of attack, hackers usually use cloaking techniques to hide the malicious content and make the injected page appear as part of the original site or a 404 error page. Learn more on how to fix this type of hack.

Please take care of your site.

Forum discussion at Google+ and Twitter.

Author : Barry Schwartz

Source : https://www.seroundtable.com/google-hacked-sites-up-23584.html

Categorized in Search Engine

WASHINGTON, United States — Google painted a bleak picture of cybersecurity trends Monday, saying the number of websites hacked rose 32 percent last year, with little relief in sight.

“We don’t expect this trend to slow down. As hackers get more aggressive and more sites become outdated, hackers will continue to capitalize by infecting more sites,” Google said in a post on its webmaster blog.

Google, which inserts security warnings when it detects hacked sites, said most of those warned can clean up their pages, but that 61 percent are not notified because their sites are not verified by the search engine.

“As always, it’s best to take a preventative approach and secure your site rather than dealing with the aftermath,” the blog said. “Remember a chain is only as strong as its weakest link.”

The news comes amid growing concerns over cybersecurity in the wake of massive hacks affecting Yahoo, the US government and major e-commerce firms.

Google said certain website hacks often follow similar patterns — some insert “gibberish” on a page, while others create Japanese text that links to fake brand merchandise sites.

“Hacking behavior is constantly evolving, and research allows us to stay up to date on and combat the latest trends,” Google said. CBB

Source : http://technology.inquirer.net/60132/hacked-websites-rise-google

Categorized in Internet Privacy

Amongst the many, many CIA exploits of Apple, Google and Microsoft consumer technology in today's Wikileaks massive info dump was a particularly novel project to spy on Samsung smart TVs.

According to the Wikileaks-hosted files, CIA agents named their TV malware Weeping Angel, and it appears to have been created during a joint workshop with the agency's British counterparts, MI5, in 2014. If the dumped data is legitimate, Weeping Angel runs just like a normal TV app, not unlike YouTube, but in the background, capturing audio but not video. It can, however, also recover the Wi-Fi keys the TV uses to later hack the target's Wi-Fi network, and access any usernames and passwords stored on the TV browser, explained Matthew Hickey, a security researcher and co-founder of Hacker House, a project to encourage youngsters to get into cybersecurity. There was also a feature dubbed "Fake Off" where the TV would continue recording even when shut down.

Hickey, who reviewed the CIA notes on the project, said it appeared the malware would infiltrate the TV via a USB key, as the notes on Wikileaks indicated USB install methods were disabled in a specific firmware. He said, however, that there's still a chance the CIA has remote infection techniques.

"The tool appears to be under active development. The capabilities it boasts cannot currently capture video, according to the leaked docs. But that is a goal of the project. It can record audio but it does not stream it in real-time to the CIA. Instead it copies it off the TV as files," Hickey added.

He noted that the attacks would likely be limited, in that the CIA would have to be nearby to harvest the stolen data. "Effectively they install an application onto your TV through USB, they go away on their spying business and come back with a Wi-Fi hotspot later on. When the TV sees the CIA Wi-Fi, it uploads all of the captured audio it has recorded of people around the TV, even when they thought it was off."

Protection from the CIA

Samsung hadn't responded to a request for comment at the time of publication, and Forbes has not been able to independently verify the veracity of the claims made on Wikileaks, which released a huge batch of alleged CIA files today under the name Vault 7.

But there's a simple way users can protect themselves, according to Hickey. He said simply updating the TV could well kill the CIA tool, as there's no indication the CIA is able to use the Weeping Angel malware on Samsung TVs running the latest firmware above that specified, namely 1118. As noted in one leaked file: "Updating firmware over internet may remove implant (not tested) or portions of the implant... Firmware version 1118+ eliminated the current USB installation method."

However, in those same engineering notes is a feature to "prevent updates." This could mean the CIA had found a way to prevent the Samsung device from updating automatically, or at all. Where users find they can't update, there's a handy factory reset code in that same Wikileaks file, which should allow updates again.

As shown in recent cases, Samsung Smart TVs have been the subject of both privacy and security concerns. Last month, Forbes revealed the FBI had successfully searched the Samsung TV of a suspect as part of an investigation into child sexual abuse material. In 2015, there was a mini furore about Samsung sharing the conversations recorded by the TV with third parties.

The Shodan search engine for connected devices has also been able to harvest information on some Samsung TVs that are exposed on the web, possibly leaving them open to hackers anywhere on the planet.

There remains the possibility that MI5 had the TV hacking capability before the CIA. "The source code came sanitized from 'the UK' minus comms and encryption," said Pen Test Partners researcher David Lodge. "This is more important to me - it implies that MI5 already had this as a solution."


Author : Thomas Fox-Brewster

Source : https://www.forbes.com/sites/thomasbrewster/2017/03/07/cia-wikileaks-samsung-smart-tv-hack-security/#28f826f34bcd

Categorized in Science & Tech

The malware, developed during a hackathon between British and American spies, turns ordinary smart TVs into listening devices.

Buried in a trove of classified and secret CIA documents leaked earlier on Tuesday are files that show British and American spies worked closely together to hack into smart TVs.

The documents, which can't be independently verified, are part of a trove of files provided by WikiLeaks, which dropped thousands of documents said to be from the CIA's elite hacking unit, dubbed the Center for Cyber Intelligence.

Although the CIA has yet to comment, former NSA contractor turned whistleblower Edward Snowden said that the cache "looks authentic," because program and office descriptions named in the documents could only be known by a "cleared insider."

One such program, dubbed "Weeping Angel," allowed spies to turn a regular Samsung smart TV into a listening device.

The "secret" classified program, developed during a hackathon between spies at the CIA and British domestic security service MI5 in mid-2014, is said to act like a regular smart TV app, but it can record audio from its surrounding areas, such as a living room or a busy office.

According to Shodan, the search engine for internet-connected devices, there are at least 11,300 Samsung smart TVs connected to the internet.

In case you didn't know, many Samsung and other smart TVs come with an embedded microphone and camera to power their voice-recognition systems and other features.

A review of a number of documents shows how crafty the malware is: One file said the malware can suppress the TV's power functionality to make it look like the smart TV is turned off.

The so-called "Fake-Off" mode would trigger when the user uses the remote control to turn the TV off, because the malware "already hooks key presses from the remote (or TV goes to sleep) to cause the system to enter Fake-Off rather than Off," said one document.

The malware also suppresses the TV's power light to make it look as though the TV was powered down, but it allowed spies to keep recording.

According to another document, the malware can also extract Wi-Fi passwords and install a root certificate to carry out man-in-the-middle attacks.

That could allow further exploitation of the network that the smart TV is connected to.

A future version of the malware appears to look into recording images and video from the smart TV (if it comes with an embedded camera) as well as live streaming of audio.

It's not the first time smart TVs have been targeted for surveillance.

Samsung's smart TVs were known to be streaming back continuous recordings as early as 2015 after security researchers found the devices were transmitting outbound data. Samsung since updated its privacy policy to warn that personal and other sensitive information can be picked up by the TV's microphone.

Kenneth White, a security researcher and cryptographer, told The Intercept that smart TVs are a "historically pretty easy target," and that there is "zero chance" that the CIA targeted only Samsung.

Author : Zack Whittaker

Source : http://www.zdnet.com/article/how-cia-mi5-hacked-your-smart-tv-to-spy-on-you/

Categorized in Internet Privacy

2016 was the banner year for cyber security – and not in a good way. But what does 2017 have in store?

There is no denying that 2016 was a big year for cybercrime. From the Bank of Bangladesh/SWIFT heist in February to the Dyn DDoS attack a few weeks ago, there was plenty of proof that hackers are getting smarter and their innovation is on a growth trajectory.

If there is one good thing derived from these hacks, it is that they have made alarm bells ring loud and true for consumers and organisations alike. This is the starting point for five cyber security predictions for the year ahead.

1. Consumers will prioritise security when deciding which companies to do business with

Following high-profile data breaches in 2016, including Yahoo and Three Mobile, consumers are more anxious than ever about the downstream financial crime that follows a cyber attack.

As the realisation of what a criminal can achieve once they have taken our data sinks in, consumers are beginning to demand guarantees that their services providers are safe.

In 2017, a trend will emerge around customers wanting to understand more about the security of the organisations they do business with.

Just as companies promote ‘seals of approval’ for accomplishments like being ‘green’, promoting gender equality or having accident-free workplaces, customers will look for some sort of seal of assurance that the companies they do business with have a strong cybersecurity posture.

In fact, Ofcom has recently highlighted that broadband providers such as BT are worse at customer service than financial services providers and must do more to deliver a reliable internet connection.

2. Consumers will take ownership of their own cybersecurity

The great doorbell hack of 2016 kicked off the year with a loud ding-dong. Hackers have figured out that smart home devices, such as doorbells and refrigerators, are gateways to home Wi-Fi networks and email logins.

Much as criminals developed new and more inventive scams to get hold of consumers’ data in the ‘90s, this is just the beginning of consumer-targeted cybercrime.

As people add more Internet of Things (IoT) devices to their smart homes and take more of their daily affairs online, the security of their online environment will become even more important.

In 2017, new services will emerge that allow consumers to evaluate their own cyber security as they work to protect their data and savings from criminals, and strive to take ownership of their cybersecurity.

3. Consumers and businesses will acknowledge the threat potential of IoT devices

Beyond hacked doorbells and refrigerators, certain IoT devices, like self-driving cars, can present serious security threats. Expect more attacks to follow, especially as it is currently easier for a hacker to create an IoT botnet to compromise a device than it is to phish for data in traditional ways. There is a serious lack of security features in the code developed for IoT devices which needs to be addressed.

Due to the risk some of these devices pose to human life, it should be no surprise to hear that the security of IoT coding will come under stricter scrutiny than ever before.

As IoT devices become widely used by businesses and individuals alike, people and organisations will make security considerations a priority in their decisions to use smart devices, not an afterthought.

4. Businesses will assess the cyber security of their own and partners’ networks

Led by the Office of the Comptroller of the Currency (OCC) directive requiring banks to manage risks – including cybersecurity risk – in their third-party relationships, companies in all industries will start paying a lot more attention to their business partners’ cybersecurity posture in 2017.

 

Most businesses have large and complex networks of partners, suppliers, vendors and other stakeholders with whom they exchange information on a regular basis. This means that the web of risk is incredibly wide, and a security breach in any link of the chain can expose the entire network.

Boardrooms across all industries have brought concerns about partner network security to the top of their agenda, so in 2017 we will see growth in the adoption of tools that assess risk across the entire network and bring a company’s security status to the forefront for partners, enterprises, and insurers.

5. Biometric security data may become the biggest security vulnerability of all

It started with the innovative Apple TouchID, developed to make it easier for consumers to unlock their phones. But, in 2016, we have seen biometric identification go mainstream – even three-year-old kids’ fingerprints are being captured when they visit Disney World.

Many believe that biometric security data is safer than digit-based passwords and, if used correctly, it may be so. However, in the wrong hands, biometric security data also has explosive potential.

In the aftermath of the compromise of 5.6 million US government military, civilian and contractor personnel fingerprints, Eva Velasquez, CEO of the Identity Theft Resource Center, explained that stolen fingerprints may be a big problem in the future.

This is especially the case if biometric technology is used to verify bank accounts, home security systems and even travel verifications.

Author:  Ben Rossi

Source:  http://www.information-age.com/5-cyber-security-predictions-2017-123463528

Categorized in Internet Privacy

By now it’s hard to keep track of which companies have been hacked and which haven’t. Remember the FourSquare hack? What about Adobe? Even breaches that were high-profile at the time are fading into obscurity as bigger and scarier ones crop up. (Ahem, Yahoo.) And if you can’t remember what’s been hacked, you’re probably struggling to keep track of which leaks have included your personal data. That’s where “the Google of data breaches” comes in.

LeakedSource is a service that sends email notifications about new breaches and offers a database of information stolen in hacks. Its basic services—the ability to sign up for email notifications and search the database—are free, but users can pay to access more advanced search functionality. LeakedSource also provides a paid tool for businesses, so that they can notify users who have been affected by a breach. The project started in late 2015, and with just days to go in 2016, the group that runs LeakedSource is planning to release roughly 100 million more records from a “Chinese mega site” that hasn’t yet announced the hack, according to a LeakedSource representative. That will bring LeakedSource’s total for the year to a whopping three billion. It plans to publish 105 million more in early 2017, a combined total from 20-30 hacked sites.

Its mission is as much to tell users that their information is at risk as it is to pressure companies to disclose when they’ve been compromised—something that often happens far too slowly, if at all. Logging the data in breaches also allows users (individuals or large entities) to keep track of which of their accounts have been compromised and which pieces of their data are permanently out in the open. At the very least, it helps you keep track of which passwords you have to change. But it also allows people to see whether data points like their phone numbers are bouncing around in the wild connected to their name. You give so much information to the services you interact with, sometimes without even really consciously registering what you’re putting out there. It’s necessary to take back whatever control you can.

“It can admittedly get tiring to be ignored by breached companies 95 percent of the time and staring at database after database,” says a LeakedSource spokesperson. “We originally started this because people were asking where they could see if they are affected by XYZ breach, but they had no good answer since companies just don’t tell users about hacks.”

Team Effort

A small group of anonymous international members operates LeakedSource from an undisclosed location—the group says that “if nobody knows who we are or where our site is located, bad people can’t attack us.” Contributors use their varied skills to help run the site, administer the database, and analyze data. A spokesperson for LeakedSource said in a separate interview that some group members “have other sources of income and others are still in school.”

Some of the site’s biggest troves this year include over 360 million aging Myspace accounts, and more than 339 million users affected in the Adult Friend Finder hack. It’s like a more comprehensive, and more secretive, version of researcher Troy Hunt’s Have I Been Pwned, which has collected just under two billion records since 2013.

“While this project began as a hobby it has also turned into a very crucial public service and we believe we’ve educated much of the general public on the poor state of internet security,” the group explains in a FAQ published on Monday. “As an added bonus, we force the hands of breached companies to actually notify their users instead of sweeping it under the rug which [we] accomplish by notifying media outlets.”

Importantly, LeakedSource says that it only publishes information that is already publicly available online, and doesn’t publish data that hasn’t been posted anywhere else. A spokesperson also said that LeakedSource doesn’t pay for data dumps. “Over two billion of ‘our’ records are literally a Google search away. Go ahead and Google ‘download myspace database’ and it’ll be in the top five results, for example,” the representative says. “All we do is combine it in one easy to use location.” Records that aren’t obtained from the mainstream web come from “underground groups.” The service has operated for a little more than a year at this point, and LeakedSource says that it has had no interactions of any kind with law enforcement thus far.

Public Service (For Some Profit)

Its business model is not without controversy, though. The group doesn’t just maintain the databases; it also decrypts passwords and other data that comes out of hacks when possible. In one sense, that makes LeakedSource’s offerings more useful to companies and users alike, since it lets both search for specific data. LeakedSource says it offers this mechanism to “satiate [user] curiosity which is a natural human tendency. For example if it’s not enough that we tell you your username was leaked from MySpace, for a couple dollars we’ll tell you WHICH username was leaked or which email, etc.”

It also enables queries for other people’s information as well as your own. For people who rotate between a few passwords it’s useful to be able to look up which one was compromised in a breach; that way you know which other accounts you need to adjust and monitor, and which can stand pat. But offering such a service does create another public channel for would-be attackers to access the information, and some in the security community argue that LeakedSource is profiting off of breaches while possibly making security problems worse by doing all the work to groom leaked data.

“They’re basically trying to make some money off public information in a way that aids and abets crime in my opinion,” says John Michener, chief scientist at the security consulting firm Casaba Security. “There’s a lot of value to people knowing they’ve been popped, so if [LeakedSource] were serious about the public benefit part of it they could just send emails to every compromised email saying ‘hey, we picked you up in a compromised database.’ ”

The LeakedSource spokesperson says that the service’s operating costs “exceed the salary of most normal jobs so there has to be some sort of revenue or it just couldn’t function.”

The anonymity, too, has spawned concerns over accountability.

“There are other services like this that I would say are a little more reputable, because you know who’s running them and you know they’re making their money doing something else,” says Jared DeMott, the chief technical officer of the managed security company Binary Defense Systems. “With this one I’m hesitant to even punch my email into it because I don’t know who’s running it and what they do with that data. I think that’s probably why they want to hide because they understand that the data they’re holding is in a very foggy area ethically even though there is a big need for it and there’s a market for it.”

LeakedSource says that “under no circumstances” does it sell data about what people search for on its site. “Unlike free websites we don’t pay our bills with your information, you aren’t the product here,” the group says. It’s also adamant that its motives are completely apolitical. “It is demonstrably hazardous to one’s health to have a political agenda these days,” the spokesperson said, adding that when people try to leak sensitive data, such as government information, to LeakedSource, the group redirects would-be leakers “to more suited organizations such as Wikileaks.”

A Net Good

Despite unease from some corners, LeakedSource has its backers as well. The group says it has collaborated with reporters in the past to unearth breaches, rather than log into or probe services on its own. And it even has an advertiser in Netsparker, a UK-based company that develops a web application security scanner. “Quite frankly, even we don’t know their names,” says Robert Abela, marketing manager at Netsparker. “But they’re not doing anything illegal, and if they want to remain anonymous that’s their own business question… As long as they’re providing a good service to the community and raising awareness, we’re behind them.”

It’s also far from the only service providing information about the data in big breaches. Instead, it’s part of what is hopefully a movement to create more tools that help consumers understand the status of their personal data and feel more empowered to defend it. The recent Yahoo breach, which included one billion user records stolen in 2013, is a reminder that the scale of individual breaches is firmly in the billions.

Without services like LeakedSource it would be incredibly difficult, if not impossible, to make any sense of it at all.

Author : LILY HAY NEWMAN

Source : https://www.wired.com/2016/12/inside-leakedsource-database-3-billion-hacked-accounts/

Categorized in Internet Privacy

Netflix’s U.S. Twitter account was hacked Wednesday, with notorious hackers OurMine claiming credit for the attack.

OurMine hacked some high-profile accounts earlier this year, including those of Facebook CEO Mark Zuckerberg — password “dadada” — former Twitter CEOs Dick Costolo and Ev Williams, Google CEO Sundar Pichai and others. Oh, and pop star Katy Perry, too.

According to multiple reports and screenshots, OurMine was in control of the Netflix account this morning for less than an hour, and among other things tweeted that “world security is [expletive].”

While the tweets posted by the hackers have since been taken down, the Netflix customer service account shows traces of what transpired.

OurMine is a group of hackers supposedly from Saudi Arabia, and now calls itself a “security group.” It told Mic earlier this year that it is now hacking people for the purpose of promoting its security services.

A check of Netflix’s U.S. Twitter account, which has 2.48 million followers, shows it’s back to normal. Trailers for “The OA,” “Barry” and other Netflix originals are among the recent tweets.

Author : Levi Sumagaysay

Source : http://www.siliconbeat.com/2016/12/21/netflixs-twitter-account-hacked/

Categorized in Social
