
Tag Archives: vulnerability

Tinder bolsters its security to ward off hacks and blackmail

This week, Tinder responded to a letter from Oregon Senator Ron Wyden calling for the company to seal up security loopholes in its app that could lead to blackmail and other privacy incursions. In a letter to Sen. Wyden, Match Group General Counsel Jared Sine describes recent changes to the app, noting that as of June 19, “swipe data has been padded such that all actions are now the same size.” Sine added that images on the mobile app are fully encrypted as of February 6, while images on the web version of Tinder were already encrypted.

The Tinder issues were first called out in a report by a research team at Checkmarx describing the app’s “disturbing vulnerabilities” and their propensity for blackmail:

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

In February, Wyden called for Tinder to address the vulnerability by encrypting all data that moves between its servers and the app and by padding data to obscure it from hackers. In a statement to TechCrunch at the time, Tinder indicated that it heard Sen. Wyden’s concerns and had recently implemented encryption for profile photos in the interest of moving toward deepening its privacy practices.

“Like every technology company, we are constantly working to improve our defenses in the battle against malicious hackers and cyber criminals,” Sine said in the letter. “… Our goal is to have protocols and systems that not only meet, but exceed industry best practices.”


Datally, Google’s Android app for monitoring and managing mobile data, updated with new features including daily limits, guest mode, unused apps, and a WiFi map

Sarah Perez / TechCrunch: In November, Google introduced Datally, a data-saving app largely aimed at emerging markets where users often rely on prepaid SIM cards …


Sources: Cyber Command’s elevation to independent command and Trump’s move to give commanders more authority has led to a more offensive policy for US cyber ops

David E. Sanger / New York Times: WASHINGTON — The Pentagon has quietly empowered the United States Cyber Command to take a far more aggressive approach …


Synack is the latest cybersecurity company to offer state elections its services for free

The cybersecurity firm Synack will offer its penetration testing services to states for free in an effort to secure election systems for the 2018 midterms. Synack, founded by two former NSA analysts, is best known for its bug bounty program that allows its carefully curated stable of researchers to probe a client’s systems for vulnerabilities. The researchers then disclose those soft spots through Synack’s platform. The company’s offerings are already tuned to the needs of sensitive government clients, and Synack has worked with the IRS and the Department of Defense through its “Hack the Pentagon” bug bounty program. States wary of bug bounties should have some peace of mind knowing that Synack emphasizes the intense vetting and low acceptance rate of its research team.

From now until November 6, Synack will offer free penetration testing for voter registration sites and voter databases through its “Secure the Election” initiative. The offer’s fine print:

Each eligible recipient will be limited to one (1) free 14-day Synack Crowdsourced Vulnerability Discovery Test of an online voter registration website or remotely-accessible database that is expected to be used in the November 2018 mid-term election.

It’s possible that states wary of the federal government’s involvement in state and local elections will be less skittish of help coming from the private sector. The Department of Homeland Security has stepped up its role in securing elections, but federal resources, including cybersecurity audits, remain opt-in.

Synack isn’t the only security company talking to states about securing elections. In late 2017, Cloudflare announced that it would extend its DDoS protection for free to states for their voter databases, voter registration sites and election result sites through what it calls “the Athenian Project.” In April, enterprise security firm Centrify offered states its services at a discount in a similar “Secure the Vote” program.

“Synack’s pro bono service looks for vulnerabilities in remotely-accessible voter registration databases and online voter registration websites from a hacker’s perspective,” the company said in a press release. “Synack’s crowd of researchers discovers vulnerabilities left undetected by other solutions and then helps to remediate them before an adversary can exploit them on election day.”


Ticketfly’s website is offline after a hacker got into its homepage and database

Following what it calls a “cyber incident,” the event ticket distributor Ticketfly took its homepage offline on Thursday morning. The company left this message on its website, which remains nonfunctional hours later:

Following a series of recent issues with Ticketfly properties, we’ve determined that Ticketfly has been the target of a cyber incident. Out of an abundance of caution, we have taken all Ticketfly systems temporarily offline as we continue to look into the issue. We are working to bring our systems back online as soon as possible. Please check back later. For information on specific events please check the social media accounts of the presenting venues/promoters to learn more about availability/status of upcoming shows. In many cases, shows are still happening and tickets may be available at the door.

Before Ticketfly regained control of its site, a hacker calling themselves IsHaKdZ hijacked it to display apparent database files along with a Guy Fawkes mask and an email contact.

I sent an email yesterday reporting that the ticketfly website was hacked. All of the user data and site is completely downloadable. They need to come clean on the fact that your data was compromised and still is downloadable at this very moment! #ticketfly #cybercrime #wordpress pic.twitter.com/Ur0AsZpDij — Michael Villado (@mvillado) May 31, 2018

According to correspondence with Motherboard, the hacker apparently demanded a single bitcoin (worth $7,502, at the time of writing) to divulge the vulnerability that left Ticketfly open to attack. Motherboard reports that it was able to verify the validity of at least six sets of user data listed in the hacked files, which included names, addresses, email addresses and phone numbers of Ticketfly customers, as well as some employees. We’ll update this story as we learn more.


To aid discovery of Alexa skills, Amazon says it’s testing an interface that lets developers say what kind of questions their skill can answer

Khari Johnson / VentureBeat: Amazon is introducing a feature that will allow Alexa to suggest voice apps without first being given a name. Instead, you will be able …


French startup Klaxoon, which builds SaaS tools to aid office efficiency and says it has 1M MAUs, raises $50M Series B led by Idinvest Partners

Chris O'Brien / VentureBeat: Klaxoon today announced a $50 million round of funding, which the French company hopes will allow it to capitalize on the rapid word-of-mouth growth it has seen over the past two years.


Researcher discovers a 10-year-old remote code execution bug within the Steam client library that left all 125M users vulnerable until Valve’s fix in March 2018

Lorenzo Franceschi-Bicchierai / Motherboard: A security researcher found a serious vulnerability that allowed hackers to take control of a Steam user's computer.


What to expect at Apple’s WWDC next week: focus on digital health, ARKit 2.0, small changes to iOS, deeper Mac-iOS integration, and no Mac or iPad hardware

Mark Gurman / Bloomberg: Company will outline software roadmap for the next year — Tech giant to more tightly integrate Mac, iPhone software


China-based imToken, which claims it’s the world’s largest Ethereum wallet, raises $10M Series A from IDG Capital to expand in Asia and the US

Catherine Shu / TechCrunch: imToken, which claims to be the world's largest Ethereum wallet, will focus on expanding in Asia and the United States after raising a $10 million Series …


Toronto-based smart thermostat maker Ecobee adds additional $36M to its Series C round, bringing total funding for the round to $98M

Matt Weinberger / Business Insider: Ecobee, a Toronto-based smart thermostat company, has raised $47 million CAD (about $36 million USD) in funding, bringing its Series C round to about $127 million CAD total.
