Leading US audio equipment company Bose has been taken to court for allegedly using its smartphone app to collect personal information about its users. According to the complaint, the Bose Connect app records what listeners play through their headphones and the company passes that data on to third parties.
Most people won’t be too concerned about having their taste in music – however dubious – broadcast to all and sundry, though they may object to the general principle of personal data being sold on unbeknownst to them. However, the complainant makes the valid point that someone listening to Islamic prayers through their Bose headphones could be, correctly or incorrectly, identified as Muslim – which might have an impact on their right to privacy within the current political climate.
Ironically for a company that makes its living from audio, Bose is keeping schtum on this.
Read more at http://www.ibtimes.co.uk/your-premium-bose-headphones-may-be-spying-you-1617747
Gone are the days when it was adequate to use the name of your first pet or mother’s maiden name as a universal proof of identity. The need for increasingly complicated passwords is growing, as is the sheer number of them, as every app, online system and platform requires unique access credentials. But fear not, Facebook has come to our collective rescue with claims to have thought up a clever solution.
Its new Delegated Account Recovery system lets apps and websites store an account recovery 'token' on Facebook's servers. If a user forgets their password or loses the device they use for two-factor authentication, they can retrieve the token by proving their identity to Facebook and then present it to the locked-out service to regain access. Facebook, in turn, offers several methods of authentication, including a 'social CAPTCHA' that asks users to name friends shown in randomly selected photos from their account. (Yet another reason to unfriend your old high school buddy from 20 years ago, or could you still remember their name?)
While this looks like a valuable service available to everyone, there are inevitable questions about whether it is a stealthy way for Facebook to collect ever more detailed personal information on users. Or, shock horror, what happens to the poor sod who loses their two-factor authentication device and, with it, access to their Facebook account, not to mention those individuals who choose to delete their accounts altogether.
Read more at https://www.wired.com/2017/04/facebook-offers-better-way-get-back-locked-apps/
A security researcher has brought new attention to an old way for scammers to lure unsuspecting internet users onto bogus sites. The trick lies in how web addresses written in Unicode, the standard that covers most of the world's writing systems, are displayed.
The Domain Name System only permits ASCII letters, digits and hyphens in hostnames. To allow addresses in other scripts, Internationalised Domain Names (IDNs) encode each Unicode label into an ASCII form beginning with 'xn--' (Punycode), which browsers decode and display as the original characters. The catch is that many letters in other alphabets are visually identical to Latin ones: a label written entirely in Cyrillic can render exactly like a well-known Latin brand name while pointing to a completely different domain.
The leading browsers reacted differently to the researcher's proof-of-concept domain. Apple's Safari and Microsoft's Edge both showed the address in its raw 'xn--' form, which exposes the spoof, whereas Google's Chrome and Mozilla's Firefox displayed the lookalike characters and were fooled. The Chrome team is fixing it, but Mozilla has dismissed it as an Apple problem.
To guard against these so-called homograph attacks, the advice is to use a password manager (it will only offer saved credentials on the exact domain they were saved for, so a lookalike gets nothing) and to treat links in unsolicited messages as potential phishing before clicking. If in doubt, type the URL manually or navigate to the site via a search engine.
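As an added example, not code from the article or from the researcher it cites, here is a stdlib-only Python check of the kind a browser or mail gateway applies to a hostname: decode each Punycode label back to Unicode, classify the script of every character from its Unicode name, and flag labels that mix scripts or that are written in a single non-Latin script using only letters that look Latin (a "whole-script confusable"). The lookalike table is a constructed subset of Unicode's confusables data, and the sample hostnames are constructed, including an all-Cyrillic lookalike of a Latin brand name; a legitimate all-Cyrillic domain is included to show it is not flagged.

```python
import unicodedata

# Constructed subset of the Unicode confusables table (UTS #39): non-Latin
# letters that render almost identically to Latin letters in common fonts.
# Illustrative only; a production filter uses the full table.
LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03b1": "a", "\u03bf": "o",
}
COMMON = "COMMON"  # digits and hyphen: allowed alongside any script


def script_of(ch):
    """Crude script classifier: the first word of the character's Unicode name
    (LATIN, CYRILLIC, GREEK, ...). ASCII digits and punctuation are COMMON."""
    if ch.isascii() and not ch.isalpha():
        return COMMON
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def to_unicode_label(label):
    """Decode a Punycode A-label (xn--...) to its U-label; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def analyse_label(label):
    """Classify one hostname label. Returns (unicode_label, verdict, latin_skeleton)."""
    try:
        u = to_unicode_label(label)
    except UnicodeError:
        return label, "invalid-punycode", None
    if u.isascii():
        return u, "ascii", u
    scripts = {script_of(c) for c in u} - {COMMON}
    # Rule used by the fixed browsers: a label that mixes scripts, or that is
    # one non-Latin script made entirely of Latin lookalikes, is shown as xn--.
    if len(scripts) > 1:
        return u, "mixed-script", None
    if all(c in LATIN_LOOKALIKES or script_of(c) == COMMON for c in u):
        skeleton = "".join(LATIN_LOOKALIKES.get(c, c) for c in u)
        return u, "whole-script-confusable", skeleton
    return u, "single-script", None


def analyse_hostname(hostname):
    """Analyse every label of a hostname (A-label or U-label form)."""
    return [analyse_label(part) for part in hostname.rstrip(".").split(".")]


def is_suspicious(hostname):
    """True if any label is mixed-script or a whole-script confusable."""
    return any(verdict in ("mixed-script", "whole-script-confusable")
               for _, verdict, _ in analyse_hostname(hostname))


if __name__ == "__main__":
    # Constructed samples: a plain ASCII domain, a legitimate all-Cyrillic IDN,
    # a mixed-script lookalike (one Cyrillic 'a'), and an all-Cyrillic lookalike
    # of a Latin brand, given both as the U-label the user sees and as the
    # A-label the browser actually resolves.
    cyrillic_lookalike = "\u0430\u0440\u0440\u04cf\u0435.com"
    a_label_form = cyrillic_lookalike.encode("idna").decode("ascii")
    for host in ["apple.com",
                 "\u044f\u043d\u0434\u0435\u043a\u0441.\u0440\u0444",
                 "p\u0430ypal.com",
                 cyrillic_lookalike,
                 a_label_form]:
        flag = "SUSPICIOUS" if is_suspicious(host) else "ok"
        print(f"{host!r:36} {flag:10} {analyse_hostname(host)}")
```

The skeleton returned for a confusable label is what a defender compares against a list of protected brand names; the mixed-script rule alone would have missed the proof-of-concept, which is why the single-script check matters.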
Read more at https://www.theguardian.com/technology/2017/apr/19/phishing-url-trick-hackers
UK-based hotel group InterContinental (IHG), the world's second largest hospitality business, has discovered that the malware attack it suffered in autumn 2016 affected more than a fifth of its 5,000-plus properties, rather than the dozen or so it initially announced in February. The attack infected point-of-sale systems with malware designed to steal customers' debit and credit card data.
IHG was quick to claim that rapid rollout of its Secure Payment Solution (SPS) limited the damage and that the malware has been eradicated across its estate, which includes Holiday Inn, Crowne Plaza, Kimpton and Staybridge Suites. However, according to security journalist Brian Krebs, some of InterContinental's franchisees have so far declined the offer of a forensic investigation, meaning the true number of affected properties could be much higher. Customers have been advised to check their payment card statements for any rogue activity.
These types of hacks are by no means rare; in recent years many hotel chains have been targeted by malware designed to filch guests' credit card details. Interestingly, Trump Hotels is one of several other high-profile hospitality chains to attract unwelcome attention from hackers in recent times. We wonder why.
Read more at http://www.ibtimes.co.uk/over-1200-intercontinental-hotels-infected-payment-card-stealing-malware-1617851
An unpleasant new strain of malware capable of destroying unprotected devices linked to the Internet of Things is now in circulation.
Cyber security firm Radware reports that the malware, known as BrickerBot.1 and BrickerBot.2, gets in the same way Mirai does: by brute-forcing Telnet logins on devices still using factory-default credentials. Once in, it runs a series of Linux commands that overwrite the device's flash storage, alter kernel and network settings and delete files, leaving the device unable to connect and, in many cases, unable to boot. Because the damage survives a reboot, Radware classes this as a Permanent Denial of Service (PDoS) attack; a 'bricked' device typically needs reflashing or replacement. Changing the default password before exposing a device to the internet remains the single most effective defence.
Unlike most hacks, this appears to be pure vandalism, as the attacker gains no material or strategic benefit. It does, however, once again highlight the inherent fragility of IoT devices, and its destructive and arbitrary nature could herald far worse things to come.
Read more at http://www.ibtimes.co.uk/brickerbot-new-malware-permanently-damages-internet-things-devices-1616026
Cyber security firm Symantec has used the latest Vault 7 revelations from WikiLeaks, which reveal some of the CIA’s tools and modus operandi, to deduce that forty hacks in sixteen different countries are attributable to the US intelligence agency.
Symantec believes that a group they refer to as Longhorn is a covert CIA hacking team which has infiltrated targets in government, financial, telecoms, energy, aerospace, education, and natural resources sectors in countries across the Middle East, Europe, Asia and Africa. While the CIA is prohibited from any surveillance operations in the USA, it seems that one homeland computer was also briefly infected. Rather amusingly, the investigation has also uncovered Longhorn’s working patterns – which match the Monday to Friday office hours of any old company. You can just about imagine CIA hackers donning the obligatory black hoodie upon arriving at the office.
By linking real world attacks to the CIA tools, tactics and timelines revealed by WikiLeaks, Symantec has built up strong circumstantial evidence to support its claims – in answer to the question ‘who spies on the spies?’
Read more at https://motherboard.vice.com/en_us/article/cias-alleged-hacking-tools-now-linked-to-40-hacks-around-the-world
Alarm bells are ringing in Dallas over a recent hack, literally. Infrastructure hacks are becoming more common in the US and can take many forms, but in this case hackers, whose identity and motivation remain unknown, set off all 156 of the city's emergency sirens late one recent night, a sound normally reserved for tornadoes and other emergencies.
The sirens are activated by radio signals rather than over the internet, so the attackers either transmitted their own activation signals (for instance by recording legitimate ones and replaying them) or gained access to the control equipment. To forge the signals they would have needed the radio frequency, the signalling format and the specific five- to eight-digit activation codes, all of which can be recovered by anyone who captures the transmissions off the air if the signals are not authenticated.
While loss of sleep and a flood of calls to the city's 911 lines were the only consequences of this attack, the incident does highlight a growing trend in infrastructure hacks and the potential to compromise more serious targets such as water and sewage systems, power plants and traffic controls.
Read more at https://www.wired.com/2017/04/dallas-siren-hack-wasnt-novel-just-really-loud/
When it comes to robbing a bank, the days of stocking masks and sawn-off shotguns are long gone. Nowadays, it is possible to hijack a bank’s entire online operations from the comfort of your swivel chair.
On a Saturday afternoon in October 2016, a team of ingenious cyber bank robbers seized control of the entire online presence of a major, as yet unnamed, Brazilian bank. They did it not by breaching the bank's servers but by taking over its Domain Name System (DNS) registrations: with control of the records for all of the bank's domains, they repointed its desktop and mobile websites at phishing sites built to match the official ones exactly.
In other words, anyone visiting the bank's genuine web addresses was sent to a lookalike site, and those sites even had valid HTTPS certificates issued in the bank's name. That is no contradiction: a certificate authority's domain validation only checks that the applicant controls the domain, and whoever controls the DNS does. With the padlock showing on the bank's own URLs, the attackers could harvest login credentials at will, and it is possible that the account details of millions of customers were taken.
Half of the world's leading banks do not manage their own DNS, instead delegating it to third parties whose security they do not control. Putting a registry lock on the domains and requiring two-factor authentication on the registrar account would go a long way towards preventing this kind of heist, though even that may not be enough against such a well-prepared team.
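Because a registrar or DNS-provider account takeover is the failure described above, the check a domain owner most wants is whether a registry-level lock is actually in place (a registrar-level lock can be cleared with the same stolen login) and whether the delegation has drifted from the known baseline. The following is an added example, not code from the article, Kaspersky, or the bank; the two RDAP-style records are constructed, and the status names follow the EPP-to-RDAP mapping in RFC 8056, with the raw EPP spelling ("serverUpdateProhibited") accepted as well.

```python
# Registry lock: the three server* prohibitions. Only the registry can lift
# them, normally after out-of-band verification, so a phished or brute-forced
# registrar login alone cannot repoint the domain.
REGISTRY_LOCK = {"serverupdateprohibited", "servertransferprohibited",
                 "serverdeleteprohibited"}
# Either of these stops the domain being moved to another registrar.
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}


def normalise_status(status):
    """Map RDAP ('server update prohibited') and EPP ('serverUpdateProhibited')
    spellings onto one comparable form."""
    return "".join(status.split()).lower()


def normalise_ns(name):
    """Lower-case and strip the trailing dot so 'NS1.Example.' == 'ns1.example'."""
    return name.lower().rstrip(".")


def audit_domain(record, expected_ns):
    """Return a list of findings for one domain; an empty list means all clear.

    record: dict shaped like an RDAP domain response, with 'ldhName', a
            'status' list and a 'nameservers' list of {'ldhName': ...}.
    expected_ns: the name servers the owner knows the domain should delegate to.
    """
    findings = []
    statuses = {normalise_status(s) for s in record.get("status", [])}

    missing = REGISTRY_LOCK - statuses
    if missing:
        findings.append("no registry lock (missing %s)" % ", ".join(sorted(missing)))

    if not statuses & TRANSFER_LOCKS:
        findings.append("transfers not prohibited at registrar or registry level")

    observed = {normalise_ns(ns["ldhName"]) for ns in record.get("nameservers", [])}
    baseline = {normalise_ns(n) for n in expected_ns}
    if observed != baseline:
        # Delegation drift on an unlocked domain is the hijack pattern above:
        # every hostname under the domain now resolves wherever the new
        # name servers say, and the attacker can pass DV certificate checks.
        findings.append("delegation changed: unexpected %s, missing %s" % (
            sorted(observed - baseline), sorted(baseline - observed)))
    return findings


# Constructed records (not real domains). The first is how a well-run bank
# domain should look; the second is what the owner would see after a takeover.
LOCKED_RECORD = {
    "ldhName": "bank.example",
    "status": ["client transfer prohibited", "client update prohibited",
               "server transfer prohibited", "server update prohibited",
               "server delete prohibited"],
    "nameservers": [{"ldhName": "ns1.bank.example"}, {"ldhName": "NS2.bank.example."}],
}
HIJACKED_RECORD = {
    "ldhName": "bank.example",
    "status": ["active"],  # RFC 8056 name for EPP 'ok': nothing prevents changes
    "nameservers": [{"ldhName": "ns1.attacker-dns.example"},
                    {"ldhName": "ns2.attacker-dns.example"}],
}
EXPECTED_NS = {"ns1.bank.example", "ns2.bank.example"}

if __name__ == "__main__":
    for label, rec in [("locked", LOCKED_RECORD), ("hijacked", HIJACKED_RECORD)]:
        print(label, audit_domain(rec, EXPECTED_NS) or ["ok"])
```

In practice the record would come from the registry's RDAP service on a schedule, and any non-empty result for a domain that used to audit clean is an incident, not a ticket.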
Read more at https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/
It looks increasingly likely that the massive attack on Bangladesh Bank, the country's central bank, via the SWIFT interbank messaging system just over a year ago was the work of state-sponsored North Korean hackers, or 'information soldiers' as they are known in Pyongyang.
While in this instance they 'only' managed to scoop $81m of the roughly $951m they attempted to transfer, North Korea's cyber army is viewed as an increasingly sophisticated international threat, preying on banks, finance and trading companies, casinos and cryptocurrency firms. And whilst not all operations are quite as successful as the Bangladesh one, the group continues to steal millions of dollars across its numerous attacks.
The group, known to researchers as Lazarus, has also been linked to earlier attacks on Sony Pictures and on Polish banks. In the UK, BAE Systems estimates that Lazarus has targeted at least seven British banks, alongside many more in the US, Poland and Mexico. Its toolkit is believed to be extensive and varied, allowing it to deliver malware, exfiltrate data and launch destructive attacks. A hallmark of its operations is disk-wiping malware, which makes the attacks more damaging and, by destroying the evidence, makes tracing them harder.
Read more at http://www.ibtimes.co.uk/north-korean-worldwide-hacking-rampage-steals-millions-casinos-banks-1615271