Tag Archives: hack

Animoto hack exposes personal information, geolocation data

Animoto, a cloud-based video maker service for social media sites, has revealed a data breach. The breach occurred on July 10 but was confirmed by the company in early August, and later reported to the California attorney general. Names, dates of birth and user email addresses were accessed by hackers, but the company said it wasn’t known if data had been exfiltrated. The company also said that users’ scrambled passwords were exposed in the breach, but it wasn’t clear if the hackers gained the private key, which could be used to reveal the passwords in plain text. The company also said in a security announcement that user geolocations were also exposed to hackers, but noted that it “does not keep geolocation information for all users.” Payment data is not thought to be affected as it’s stored in a separate system, the company said.

Animoto did not immediately return a request for comment. TechCrunch will update once we learn more. The New York City-based company did not say how many users were affected by the breach, but last August claimed more than 20 million users on its platform.

Animoto is the latest social media service to be breached. Last month, Timehop revealed a breach affecting 21 million users, exposing their names, email addresses, gender and dates of birth. Timehop’s breach was largely attributable to the company’s lack of two-factor authentication on its network, which helps prevent hackers from reusing already exposed credentials from breaches of other sites and services. Animoto didn’t say how its breach occurred but pointed to “suspicious activity” on its systems. The company also said it reset employee passwords and reduced employees’ access to critical systems.

Hackers on new ‘secure’ phone networks can bill your account for their roaming charges

I have good news! The infamous SS7 networks used by mobile operators to interoperate, e.g. when you’re roaming — which were built on trust, essentially devoid of security, and permitted rampant fraud, SMS hijacking, eavesdropping, password theft, etc. — are being replaced. Slowly. But I have bad news, too! Which is: the new systems still have gaping holes.

One such was described at the Def Con hacking convention today by Dr. Silke Holtmanns of Nokia Bell Labs. She gave a fascinating-to-geeks-like-me summary of how the IPX network, which connected five Scandinavian phone systems in 1991, using the SS7 protocol suite secured entirely by mutual trust, has grown into a massive global “private internet” connecting more than 2,000 companies and other entities. It is this private network-of-networks that lets you fly to another country and use your phone there, among many other services.

The quote which stood out most starkly from her slides regarding IPX was this: “Security awareness only recently started (2014).” That’s … awfully late to start thinking about security for a massive semi-secret global network with indirect access to essentially every phone, connected car, and other mobile/SIM-card-enabled device on the planet. He understated grimly.

Hack the planet: vulnerabilities unearthed in satellite systems used around the globe

So this is bad. Black Hat, the king of enterprise security conventions, kicked off today, and most noticeable amid the fusillade of security research was some impressive work from Ruben Santamarta of IOActive, whose team has unearthed worrying vulnerabilities in satellite communication systems, aka SATCOM, used by airplanes, ships and military units worldwide.

Now, it’s not catastrophically bad: in particular, while attackers could mess with or disable your in-flight Wi-Fi, conceivably try to hack into devices connected to it and/or disable all in-flight satellite comms, they couldn’t actually affect any systems that control the airplane. The bigger worries are in the military or maritime spheres, because these are remote vulnerabilities — anyone on the internet can hack into a connected vulnerable SATCOM device. Which is to say, presumably most of them, since communication is their whole reason for being. In the former case, in addition to the risk of attackers modifying or disabling satellite communications, devices with onboard GPS could leak the location of military units. And in both cases, this opens up the prospect of “cyber-physical attacks,” a brilliantly dystopic phrase if ever there was one; basically, if you crank enough power through a satellite antenna, it can radiate energy powerful enough that it affects biological tissue and electrical systems. Same general principle as a microwave oven.

But wait, it gets worse! These are embedded systems. In general there’s no easy way to beam a remote upgrade to them; in some cases the only upgrade is a wholesale replacement. And while there are mitigations (not fixes per se, but approaches that will reduce the severity and likelihood of attacks) for aviation and military SATCOM, maritime systems are … more problematic.

So. Don’t worry too much if you’re not a sailor or a soldier; your airplane won’t plunge or divert because of this … but someone sitting at a computer far away on the ground might be able to take over your in-flight Wi-Fi. Santamarta (who has a history of this kind of thing) and IOActive are working with vendors and unspecified “government agencies” to address these vulnerabilities, but it sounds like, at least on the high seas, this problem is going to be with us for a while. (The full technical talk regarding these vulnerabilities is tomorrow; today’s press conference was merely a teaser

FCC admits it was never actually hacked

The FCC has come clean on the fact that a purported hack of its comment system last year never actually took place, after a report from its inspector general found a lack of evidence supporting the idea. Chairman Ajit Pai blamed the former chief information officer and the Obama administration for providing “inaccurate information about this incident to me, my office, Congress, and the American people.”

The semi-apology and finger-pointing are a disappointing conclusion to the year-long web of obfuscation that the FCC has woven. Since the first moment it was reported that there was a hack of the system, there have been questions about the nature, scale and response to it that the FCC has studiously avoided even under direct Congressional questioning. It was so galling to everyone looking for answers that the GAO was officially asked to look into it. The letter requesting the office’s help at the time complained that the FCC had “not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems.”

That investigation is still going on, but one conducted by the FCC’s own OIG resulted in the report Pai cites. The former CIO, David Bray, was the origin of the theory, but emails obtained by American Oversight in June show that evidence for it and a similar claim from 2014 were worryingly thin. Nevertheless, the FCC has continuously upheld the idea that it was under attack and has never publicly walked it back.

Pai’s statement was issued before the OIG publicized its report, as one does when a report is imminent that essentially says your agency has been clueless at best or deliberately untruthful at worst, and for more than a year. To be clear, the report is still unpublished, though its broader conclusions are clear from Pai’s statement. In it he slathers Bray with the partisan brush and asserts that the report exonerates his office:

“I am deeply disappointed that the FCC’s former CIO, who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office. On the other hand, I’m pleased that this report debunks the conspiracy theory that my office or I had any knowledge that the information provided by the former CIO was inaccurate and was allowing that inaccurate information to be disseminated for political purposes.”

Although an evaluation of Pai’s “conspiracy theory” idea must wait until the report is public, it’s hard to square this pleasure of the chairman’s with the record. At any time in the last year, especially after Bray had departed, it would have been, if not simple, then at least more simple than maintaining its complex act of knowledgelessness, to say that the CIO had made an error and there was no attack.

Virus shuts down factories of major iPhone component manufacturer TSMC

Apple touts the cybersecurity of its iPhone, but less can be said for the exclusive manufacturer who makes the processor for the iPhone. Semiconductor foundry TSMC, or Taiwan Semiconductor Manufacturing Company, was hit by a virus late Friday night, which forced it to shut down several factories, according to Debbie Wu at Bloomberg. The virus and the shutdown were confirmed by TSMC representatives. It is not clear at this time which factories were hit, or whether those factories were producing the iPhone’s main processor.

Apple is expected to unveil new iPhones this fall, and supply chain disruptions in the critical month of August could have significant adverse consequences for the rapid availability of the new phone before the key Christmas holiday. TSMC has grown to become the largest independent semiconductor foundry in the world, with profits last year of $11.6 billion. The company has benefitted from partnerships with smartphone companies like Apple, which produces the designs for its own A-series chips and then contracts out their manufacturing to foundries. TSMC is a critical partner for the launch of the new iPhone. It announced earlier this year that it had begun volume production of 7mm chips, which will drive performance while limiting energy usage.

The origins of the virus are not known, although a statement by the company to Bloomberg said that it wasn’t introduced by a hacker. Cyberattacks are nothing new to the island nation, which has increasingly faced sophisticated cyberattacks, mostly originating from China, which holds deep antipathy for Taiwan’s president Tsai Ing-wen

Last day for Disrupt SF Virtual Hackathon submissions

If you’re still working on your submission to the first Virtual Hackathon at TechCrunch Disrupt San Francisco 2018 on September 5-7, then you’d best start praying to the caffeine gods and chug another Red Bull. The deadline you need to hit rolls in tonight, August 2 at midnight PST — no second chances on this one, folks. Give your coded creation a final round of tweaks and tests and then submit your hack right here.

Previous TechCrunch Hackathons lasted 24 hours, took place on-site, showcased incredible talent and generated some amazing winners, including:

- Quick Insurance — the easiest way to purchase an insurance product for all your valuable stuff (Disrupt Berlin 2017)
- Alexa Shop Assist — lets you ask Alexa where to find products in a store (Disrupt SF 2017)
- reVIVE — a VR solution that provides both a diagnostic and treatment mechanism for ADHD (Disrupt NY 2017)

In this, our first, Virtual Hackathon, literally thousands of talented developers, programmers, hackers and tech makers from around the world have been hard at work since June to show how they’d creatively produce and apply technology to solve various challenges. We cannot wait to see what comes from their efforts.

Here’s how the judging works. We’ve recruited a top-notch panel of experts to review all eligible submitted hacks and rate them on a scale of 1-5. The 100 top-scoring teams each receive up to five Innovator Passes to TechCrunch Disrupt SF 2018. Out of that group, the top 30 teams will enter the semi-finals and get to demo their hack at Disrupt SF next month. The judges then select the best 10 teams, and they will present and demo their product on The Next Stage. One team will be crowned the first TC Disrupt Virtual Hackathon champion and take home the $10,000 grand prize. In a classic, “but wait, there’s more” moment, our sponsors have created some incredible challenge hacks, and they’ve put plenty of cash and prizes on the table.

Reddit breach exposes non-critical user data

Reddit announced today that it suffered a security breach in June that exposed some of its internal systems to the attackers, although what was accessed was not particularly sensitive. Notably, the hack was accomplished by circumventing the two-factor authentication Reddit had in place via SMS interception — which should be a wake-up call to any who haven’t moved on from that method.

A post by Reddit CTO Chris Slowe (as KeyserSosa, naturally) explained that they discovered the hack on June 19, and estimated it to have taken place between June 14 and 18. The attack “compromised a few of our employees’ accounts with our cloud and source code hosting providers,” he wrote, gaining “read-only access to some systems that contained backup data, source code and other logs.”

Said access was gated behind two-factor authentication systems, but unfortunately they were of the type that occasionally or optionally allow SMS to be used instead of an authenticator app or token. SMS has some major inherent security flaws, and this method was declared unacceptable by NIST back in 2016. But it is far from eliminated, and many services still use it as a main or backup 2FA method. Reddit itself, it is worth noting, only provides 2FA via token. But at least one provider of theirs didn’t, it turns out, and the attackers took advantage of that. (Slowe said they know no phones were hacked, which suggests the SMS authentication codes were intercepted otherwise, possibly via spoofing a phone or scamming the provider.)

Although a complete inventory of what was accessed by the hackers isn’t made available, Slowe said that there were two main areas of concern as far as users were concerned:

- A complete copy of Reddit data from 2007, comprising the first two years of the site’s operations. This includes usernames, salted/hashed passwords, emails, public posts and private messages.
- June’s email digests, with usernames and associated emails.

Reddit is a different and much, much bigger place today than it was in 2007; anyone who remembers the big migration from Digg in those days will also remember how small and limited it was. Still, these data together could still be useful to malicious actors looking to scam people on this list — if I were them, I’d be sending fake email digests asking them to log in, or building a list of username-email pairs and matching those to other sites. And of course you might want to, as Slowe put it, “think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.”

If you’re one of the people affected, you should be receiving an email or PM that should inform you of your risk — for example, if your password hasn’t been changed since 2007, which would be its own security risk. I joined in July 2007 and haven’t received either, as a data point

What can we learn from the Dixons data breach that blew up after disclosure

European consumer electronics retailer Dixons Carphone’s apologetic admission yesterday that a 2017 data breach was in fact considerably worse than it first reported suggests disclosures of major breaches could get a bit more messy — at least under the early reign of the region’s tough new data protection framework, GDPR — as organizations scramble to comply with requirements to communicate serious breaches “without undue delay”. Although, to be clear, it’s not the regulation that’s the problem. Dixons’ handling of this particular security incident has come in for sharp criticism — and is most certainly not a textbook example of how to proceed.

Dixons Carphone disclosed a breach of 5.9M payment cards and 1.2M customer records in mid June, saying it had discovered the unauthorized access to its systems during a security review. However, this week the company revised upwards the number of customer records affected — to around 10M. The breach itself occurred sometime last year.

“They are clearly concerned about regulatory enforcement but they seem completely unprepared to handle customer reactions. With privacy and security awareness increasing exponentially, it will not be long before we see customer churn, reputational damage, and further decrease in the value of the business as a result of such a poor response to a very large breach,” says Enza Iannopollo, a security expert at the analyst Forrester, responding to Dixons’ revised report of the security incident in a statement yesterday.

The ballooning size of the Dixons breach is interesting in light of Europe’s strict new data protection regulation, which puts the onus on data controllers to disclose breaches rapidly. Rather than — as has all-too-often been the case — sitting like broody hens waiting for the most opportune corporate moment to hatch a confession, yet leaving their users in the dark in the meanwhile, unwittingly shouldering all the risk.

In the case of this Dixons 2017 breach (NB: it’s not the only breach the Group has suffered), it’s not yet clear whether the EU’s new regulation will apply (given the incident was publicly disclosed after GDPR had come into force); or whether it will fall under the UK’s prior data protection regime — given the hack itself occurred prior to May 25, when GDPR came into force. A spokesperson for the UK’s Information Commissioner’s Office (ICO) told us: “Our investigation has not yet concluded which data protection law applies in this case — DPA98 or the GDPR.”

While the UK’s Data Protection Act 1998 encouraged data controllers to disclose serious data breaches, the EU’s General Data Protection Regulation (transposed into national law in the UK via the DPA 2018) goes much further, putting in place a universal obligation to report serious breaches of personal data within 72 hours of becoming aware of an incident. And of course this means not just personal data that’s been actually confirmed as lost or stolen but also when a security incident entails the risk of unauthorized access to customer data.

The exception to ‘undue delay within 72 hours’ is where a personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Which, while it’s clear that not every breach will require disclosure (say for example if personal data was robustly encrypted a company may deem it unnecessary to disclose a breach), is a caveat that still sets a pretty low disclosure bar. At least where a breach entails a risk of personal information being extracted from compromised data. (Which is yet another reason why strong encryption is good for everyone.)

Certainly, any companies discovering a breach that puts their customers at risk, and which took place on or after May 25, 2018, but which then decide to ‘do an Uber’ — i.e. sit on it for the best part of a year before ‘fessing up — will put themselves squarely in EU regulators’ crosshairs for an equally major penalty.

Idaho Inmates Hacked Prison Tablets & Stole $225000 – Ubergizmo

In a report from the Associated Press, it appears that 364 prison inmates from Idaho were recently caught in a scheme discovered earlier this month which involved hacking the prison tablets and stealing nearly a quarter of a million dollars by ...
