Information Security Blog | Cyber Security Blog


The second of Battlefront’s 4 DLC packs is ready to play now for everyone, and includes 5 new maps and a Cloud Car.

Considering how costly the season pass is, the first DLC expansion for Star Wars: Battlefront didn’t exactly get things off to an exciting start. But the second one is out now and does at least include a new location: Bespin’s Cloud City from The Empire Strikes Back.

We’ve only had a quick go and it contains 5 new maps, a new game mode called Sabotage, and a new Twin-Pod Cloud Car to command in Fighter Squadron (it’s really tiny and comes with a sensor jammer, a bit like a Snowspeeder).

The two new characters are Lando Calrissian and the bounty hunter Dengar. You also get a new Hutt Contract, new weapons, and new Star Cards.

We don’t think it’s going to change anyone’s mind about the game, especially as it costs £12 when bought separately, though at least it’s more substantial than the first one.

Released at the same time is a free update that increases the level cap to 70, adds new outfit options for Rebels and Imperials, and a long list of tweaks and balancing changes.

The third DLC expansion is due this autumn and will be based around the Death Star(s). The fourth and final expansion is due in early 2017 and its contents are currently a secret.

It’s commonly thought that it will introduce elements from this Christmas’ Rogue One movie, though after the announcement of Battlefront 2 for next year that no longer seems so certain.


Facebook co-founder Mark Zuckerberg has been increasingly willing to share moments from his family and work life.

But a photo he posted on Tuesday, intended to promote Instagram’s user milestone numbers, might have ended up revealing a little more about Zuckerberg than he intended: Dude hasn’t lost any of his hacker caution when it comes to protecting his privacy.

A couple of eagle-eyed observers pointed out that the laptop on Zuckerberg’s desk not only has tape covering the webcam, but there’s also tape covering the Apple laptop’s dual microphones. That’s right, even one of the most elite (and richest) coders on the planet still takes simple measures to ensure that nobody is spying on him.

This unintentional reveal comes only weeks after Zuckerberg’s social media accounts were hacked, one of which reportedly had the not-so-complicated password “dadada.”

And if Zuckerberg’s hacker credentials and role as a major tech leader aren’t enough to convince you that he isn’t just being paranoid, consider the fact that earlier this year FBI Director James Comey admitted that he puts tape over his webcam.

This kind of thinking used to be the domain of conspiracy theorists and a certain breed of hacker, but Zuckerberg just took it mainstream. In fact, in the run-up to the second season of Mr. Robot, the show about a hacker conspiracy, USA Networks even went so far as to send out branded webcam covers (which this reporter happily uses).

No, government spies probably don’t care what you’re saying or doing in front of your computer.

But if it’s good enough for the creator of the largest social network on the planet, maybe it’s worth sticking some tape on your own webcam. You won’t look paranoid anymore; instead, you can call yourself a billionaire tech mogul in training.


There could be many reasons for hacking someone's Facebook account, and it is not as simple as it sounds. One should know that there is no software that can hack a Facebook account simply by entering the victim's user ID. But it is possible with some methods that really work, of which phishing, keylogging and packet sniffing are the most popular and widely used. Today, in this tutorial, you are going to learn how to perform a packet sniffing attack to hack a Facebook account using your Android smartphone.

What exactly is packet sniffing?

Let’s make this simple with an example. Consider two persons, A and B, using the same public WiFi network. The information sent and received between the device and the WiFi hotspot travels in the form of packets. These packets are not secured and can be accessed by any other device connected to the same network. If Person A is using Facebook, his log-in credentials are sent in the form of packets, which Person B can access and read. In fact, Person B can modify them. Not only log-in credentials: everything you use within your browser can be seen and modified by anyone else as long as you are connected to that network.

So, Why Android Phone?

Earlier, when this process was first developed, the only way to do packet sniffing was using a PC or laptop running the Windows or Linux operating system. But now it can be done using any Android phone with root access (we shall talk about this later). The main reason for using an Android phone is simplicity. It works the same as a PC in terms of speed and accuracy. It has the same number of tools as a PC. And when you are in a crowd, you can simply take out your mobile and do some hacking anonymously.

Does the Android Phone require any particular specs?

No particular specifications are needed for your Android device to do this. But your device needs to be rooted. For a brief explanation of what rooting is, read the tutorial on "How to Root Any Android Device".


GitHub has revealed a number of users’ accounts have been accessed by an attacker reusing email addresses and passwords obtained from other internet services that have been compromised.

The code-hosting platform, which claims millions of users around the world, revealed a series of “unauthorized attempts” to log in to many accounts on GitHub.com on Tuesday evening. “This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,” explained Shawn Davenport, VP of Security at GitHub, in a blog post.

While Davenport was quick to stress that GitHub itself had not been hacked, he did concede that the attacker was successful in gaining entry to “a number” of GitHub accounts, though didn’t specify how many.

There have been a number of high-profile “hacks” across the tech realm of late, perhaps the most notable one being LinkedIn. The professional social network, which was acquired by Microsoft for $26.2 billion this week, hit the headlines last month after it reset passwords on millions of accounts as new data-leak reports began to surface. The compromised account details reportedly stemmed from a leak dating all the way back to 2012 when 6.5 million passwords were pulled from the social network, with the account credentials put up for sale on the so-called “dark web” four years later. Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts were subsequently hacked, an event blamed on the LinkedIn password dump.

GitHub likely doesn’t know the origins of the passwords and email addresses used to compromise the accounts in question on GitHub.com, but it does serve as a stark reminder that reusing the same password across multiple online services is never a good idea.

GitHub says that it will be sending notifications to the individuals affected on how they can reset and restore access to their accounts. Davenport also has a dose of good advice to mete out: “We encourage all users to practice good password hygiene and enable two-factor authentication to protect your account,” he said.


A judge in Helsinki, Finland has ordered one of the founders of notorious file-sharing site The Pirate Bay to pay $395,000 to several record labels. The Finnish divisions of Sony Music, Universal Music, Warner Music and EMI had sued Peter Sunde, accusing Pirate Bay of illegally sharing the music of 60 of their artists.

Sunde, who left The Pirate Bay in 2009, said on Twitter that he didn’t even know about the court case. "The record companies know that I have not had any part of TPB for ages, still suing," he wrote. "Bullying is the new black."

Finland’s DigiToday reports that the labels hold Sunde responsible for the pirated material found on The Pirate Bay, even though he no longer works there, and the judgement includes a million-euro fine if the content is not taken down. He also must pay roughly $62,000 to the International Federation of the Phonographic Industry. (The IFPI did not immediately respond to a request for comment.)

Sunde called it "another frivolous court case" and is floating the idea of crowdfunding his legal fees. Asked what would happen if he fails to pay, he said flatly, "I can’t pay. I dunno. I get more debt. And also, I’ll just get more debt. Add debt to debt. Maybe prison, dunno?!"

The Pirate Bay is already being blocked by several ISPs in Finland, including Elisa and TeliaSonera.

Sunde doesn’t hide his disdain for the recording industry, and last December launched a symbolic project called kopimashin that continually copies a song, then tallies the damages that arise for each instance of copyright infringement. "The goal of the kopimashin is to make the audio track the most copied in the world and while doing so bankrupting the record industry," he said at the time.


Instant messaging is a blessing and a curse. It’s a convenient way to keep in touch with friends from all over the world but it also means whatever you say will stay online forever. You can’t exactly erase anything you regret sending, especially not from the receiver’s end. Or can you? Researchers from security vendor Check Point found a way to do so through a vulnerability on Facebook’s popular Messenger app.

How many times have you said something stupid, be it carelessly or in a fit of rage, over a message online that you regretted almost instantly after pressing the send button? You desperately want to retract it, but you can’t. Even if you delete it off your own chat log, the recipient still has it on their chat history. There’s really no way to erase a sent message on your own on most if not all online chatting apps and Facebook Messenger is no exception.

But researchers at Check Point found a vulnerability that could let someone do this. According to the company, the security flaw gives attackers a way to change conversation threads on Facebook Online Chat and Messenger App. You can modify or remove any sent messages, photos and files from somebody’s chat history.

Having said that, if you’ve had foot-in-mouth and really hurt someone with your words, it’s probably not wise to hack their account to wipe away the evidence.

From a more practical perspective, considering Facebook wants to turn Messenger into a serious business tool, this could give attackers incentive to exploit these types of security flaws. According to Check Point, here are some potential scenarios:

  • Malicious users can manipulate message history as part of fraud campaigns. A malicious actor can change the history of a conversation to claim he had reached a falsified agreement with the victim, or simply change its terms.
  • Hackers can tamper with, alter or hide important information in Facebook chat communications which can have legal repercussions. These chats can be admitted as evidence in legal investigations and this vulnerability opened the door for an attacker to hide evidence of a crime or even incriminate an innocent person.
  • The vulnerability can be used as a malware distribution vehicle. An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest C&C address, and keep the phishing scheme up to date.

Ever wonder how to hack Instagram or how to hack a Facebook account? Well, someone just did it!

But remember, even responsibly reporting a security vulnerability could end in legal action being taken against you.

An independent security researcher claims he was threatened by Facebook after he responsibly revealed a series of security vulnerabilities and configuration flaws that allowed him to successfully gain access to sensitive data stored on Instagram servers, including:

  • Source Code of Instagram website
  • SSL Certificates and Private Keys for Instagram
  • Keys used to sign authentication cookies
  • Personal details of Instagram Users and Employees
  • Email server credentials
  • Keys for over a half-dozen other critical functions

However, instead of paying him a reward, Facebook has threatened to sue the researcher for intentionally withholding flaws and information from its team.

Wesley Weinberg, a senior security researcher at Synack, participated in Facebook's bug bounty program and started analyzing Instagram systems after one of his friends tipped him off to a potentially vulnerable server located at sensu.instagram.com.

The researcher found an RCE (Remote Code Execution) bug in the way it processed users’ session cookies, which are generally used to remember users' log-in details.

The remote code execution bug was possible due to two weaknesses:

  • The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token
  • The host was running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie

Exploiting the vulnerability, Weinberg was able to force the server to vomit up a database containing login details, including credentials, of Instagram and Facebook employees.

Although the passwords were encrypted with ‘bcrypt’, Weinberg was able to crack a dozen passwords that had been very weak (like change me, instagram, password) in just a few minutes.


Social media giant Facebook has paid a $10,000 reward to a 10-year-old Finnish boy for finding a glitch in its picture sharing app Instagram.

Jani, whose last name was not released for privacy reasons, is the youngest ever recipient of Facebook's "bug bounty", paid to users who find bugs or weaknesses in its platforms.

"I wanted to see if Instagram's comment field could stand malicious code. Turns out it couldn't," Jani told Finland's Iltalehti newspaper.

Facebook said the glitch was fixed in February and the reward was paid in March.

Jani, who is still too young to have a Facebook or Instagram account of his own, said he learned coding from YouTube videos and found a way to delete user comments from Instagram accounts.

"I could have deleted anyone's comments from there. Even Justin Bieber's," he told Iltalehti.

He said he was thinking about a career in data security, but for now his plans include buying a new bike and a football with his reward money.


Facebook is in trouble once again regarding its users' privacy.

Facebook is facing a class-action lawsuit in Northern California over allegations that the company systematically scans its users' private messages on the social network without their consent and makes a profit by sharing the data with advertisers and marketers.

According to the lawsuit filing, Facebook might have violated federal privacy laws by scanning users' private messages.

Facebook routinely scans the URLs within users' private messages for several purposes like anti-malware protection and industry-standard searches for child pornography, but it has been claimed that the company is also using this data for advertising and other user-targeting services.

The plaintiffs, Matthew Campbell and Michael Hurley, argue that Facebook is scanning and collecting URL-related data in a searchable form, violating both the Electronic Communications Privacy Act and the California Invasion of Privacy Act, reported The Verge.

Facebook argues that the company scans users' private messages in bulk, and maintains the URL records in an anonymized way, which is only used in aggregate form.

However, according to a technical analysis done on behalf of the plaintiffs, each URL-related message is stored in "Titan," a private message database that displays the date and time the message was sent, along with the user IDs of both the sender and the recipient.

However, it turns out that Facebook used this practice in the past, but the company claimed to have stopped such practices a long time ago.

"We agree with the court's finding that the alleged conduct did not result in any actual harm and that it would be inappropriate to allow plaintiffs to seek damages on a class-wide basis," a Facebook spokesperson told CNET.

"The remaining claims relate to historical practices that are entirely lawful, and we look forward to resolving those claims on the merits."

However, according to the plaintiffs, Facebook is still continuing to collect links from users' private messages.

"Facebook's source code not only reveals that Facebook continues to acquire URL content from private messages, but that it also continues to make use of the content it acquires."

Meanwhile, you can check out the lawsuit here. The lawsuit was originally filed in 2012 and for now, the case is expected to proceed.

Plaintiffs have until June 8 to file an amended complaint, following a scheduled conference toward the end of the month.


SWIFT has issued its first-ever information security guidance to banks, telling them to get their act together.

The guidance was issued as finger-pointing has intensified over who's responsible for the failures that led to the theft of $81 million from the Bangladesh central bank's New York Federal Reserve account in February.

Bangladeshi police have publicly blamed Brussels-based SWIFT, a bank-owned cooperative founded in 1973, for introducing vulnerabilities into its IT infrastructure that attackers later exploited. But SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, says in a statement that those are "baseless allegations" and that the bank is responsible for the security of all systems that interface with its network, "starting with basic password protection practices."

As part of the audacious online heist - one of the largest in history - hackers attempted to transfer $1 billion out of Bangladesh Bank's account at the Federal Reserve Bank of New York and successfully transferred about $100 million. Most of that money was then laundered via casinos in the Philippines and disappeared, investigators say, although about $20 million has since been recovered.

SWIFT Guidance

In the wake of the theft, SWIFT acknowledged that Bangladesh Bank wasn't the first user to be targeted with malware that was designed to subvert the cooperative's messaging platform (see SWIFT Confirms Repeat Hack Attacks).

And for the first time in the cooperative's history, earlier this month SWIFT issued information security guidance to all of its users, urging them to review their security policies and procedures, Reuters reports. "SWIFT is not, and cannot, be responsible for your decision to select, implement (and maintain) firewalls, nor the proper segregation of your internal networks," according to a copy of the letter, dated May 3, and shared by a bank with Reuters for review on May 10.

"As a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environments," the letter says. "We urge you to take all precautions."

SWIFT confirmed the authenticity of that report but declined to share a copy of the letter.

Greater Cooperation Pledged

Bangladesh officials had previously stated that they believe that the New York Fed and SWIFT share at least some responsibility for the February attacks. Of 35 transfer orders created by the hackers and submitted to the New York Fed, the Fed stopped most for being suspicious, but did let five through.

But on May 10, representatives from SWIFT met with the Bangladesh Bank, including its governor, and the New York Fed, including its president, to discuss the February attack, and they agreed to work more closely together. "The parties also agreed to pursue jointly certain common goals: to recover the entire proceeds of the fraud and bring the perpetrators to justice, and protect the global financial system from these types of attacks," the three parties said in a jointly issued statement.

FBI investigators now suspect that at least one bank employee acted as an accomplice, but Bangladesh Bank officials say they have received no related intelligence from the bureau.

Meanwhile, an investigation by digital forensic investigation firm FireEye, which was hired by the bank to investigate the breach, found evidence that three different hacking groups had penetrated the bank's system, Bloomberg reports. Two of those groups have suspected ties to nation states - one to North Korea, the other to Pakistan - but FireEye said it suspects that a third, as yet unidentified group of hackers committed the heist.

FireEye didn't immediately respond to a request for comment about that report.