Archive for September 30, 2016

After two years of hack, Yahoo admits

It seems that things are not going well for Yahoo. After Recode broke the news last Thursday that the private data of 500 million Yahoo users had been stolen, The New York Times has now reported that top executives, including CEO Marissa Mayer, knew about the security lapse and chose to ignore the vulnerabilities.

According to the reports, Yahoo's security team, known as the “Paranoids,” knew that in 2014 Google and many other technology companies had been hit by the attack. Google chose to disclose the hack and investigated the security lapse, investing “hundreds of millions of dollars in security infrastructure” to remedy the vulnerabilities.

By contrast, the top security officials at Yahoo turned down the Paranoids' requests to disclose the hack, force users to change their passwords, and push for end-to-end encryption for all emails.

Instead of confronting the issue and taking the requisite steps to fix it, the executives decided to bury the news, fearing that disclosure would drive users to other email providers.

Nearly two years after the hack, Yahoo finally broke the news: “names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions” were compromised.

Israeli Firm ‘Cellebrite’ Claims To Hack Any Smartphone

For any company, the security of its customers' data is the highest concern. A breach will not only tarnish the company's reputation but also damage customers' faith in it.

Israeli security firm Cellebrite made headlines earlier this year when its services were employed by the FBI to help break into the phone of the San Bernardino shooter. The firm now claims that it can hack any smartphone.

The company said that it has the biggest research and development team in the sector and that the team is up to date with the latest technology, which can decrypt and extract data from any phone in the world.

A BBC report details how the firm works with top-notch software systems to disable the security of devices. The firm even supplies these units to authorities for data extraction in the field.

Yuval Ben-Moshe, senior technical director, didn't hesitate to take a dig at the iPhone 7 as well. "We can definitely extract data from an iPhone 7 as well - the question is what data," said Ben-Moshe.

Ben-Moshe claimed that his firm can access data on "the largest number of devices that are out there in the industry".

Facebook Gets A Thumbs Down In Germany Over WhatsApp Data Collection

The German data protection agency has ordered Facebook to stop collecting and storing user data from its WhatsApp messenger app and delete any data it has already received.

Hamburg’s Commissioner for Data Protection and Freedom of Information Johannes Caspar ruled on Tuesday that Facebook “neither has obtained an effective approval from the WhatsApp users, nor does a legal basis for the data reception exist”.

“It has to be [the users’] decision whether they want to connect their account with Facebook. Facebook has to ask for their permission in advance.”

Caspar ordered Facebook to delete any data already received from WhatsApp in Germany, saying that he was acting to protect the privacy of the nation’s 35 million WhatsApp users.

Facebook is to appeal against the order of the German agency. A Facebook spokesperson said: “Facebook complies with EU data protection law. We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns.”

Facebook's data protection practices have previously been called into question by regulators in several other European countries, including Belgium, France, and the Netherlands.

Is Reliance Jio selling user data in the US and Singapore?

Hacktivist group Anonymous has claimed that Reliance Jio could be making money by selling user call data to targeted ad networks in the US and Singapore without the users' knowledge.

The group, which claims to hack companies and governments, said two Jio apps, My Jio and Jio Dialer, are sending user information to an ad network called Mad-Me.

Anonymous has also explained in a blog post how anyone could test what data Jio is sharing with international servers and recreate the hack themselves.

A Reliance Jio Infocomm spokesperson has denied it: "Jio takes its customers' security and privacy very seriously. In keeping with its highest standards of governance, Jio does not share its customers' data with any other entity. Any information captured by Jio is only for internal analysis to deliver better quality of service and recommend offerings from Jio's product portfolio."

Anonymous said that the Jio app is now relatively more secure than it was last year. The hacktivist group said it tested apps from all other operators as well, but only the My Jio app and Jio Dialer were found to be sharing information with an ad network outside the country.

Google to the rescue of journalist whose website was hacked

Journalist Brian Krebs is being helped by Google's massive server infrastructure after his website fell victim to a cyberattack.

Last week there was a massive distributed denial-of-service (DDoS) attack on Krebs's site, Krebs Security, which was hugely compromised. The traffic was nearly double what his host Akamai had seen in previous cyberattacks, almost a record in its own right.

Two men were arrested following Krebs's reporting, and the site was taken offline.

"Why do I speak of DDoS attacks as a form of censorship?" Krebs asks in a post on Sunday. "Quite simply because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists."

Krebs didn't blame Akamai for pulling the plug on his site. The company had been hosting the website for free, and the massive DDoS attack was affecting its paying customers as well.

Google offers Project Shield to independent news organizations, along with human rights and election monitoring sites that are frequently targeted in cyberattacks, the idea being that small websites don't have the money or technology to counter such an influx of traffic. So instead of letting them be taken offline and silenced, Project Shield keeps them online.

Since last Tuesday, Krebs's site had been under a sustained distributed denial-of-service (DDoS) attack, a crude method of flooding a website with traffic so that legitimate users cannot access it. The assault hit Krebs's site with more than 620 gigabits per second of traffic.

To put it more plainly: it's the digital equivalent of jamming gunk into a drain pipe. Eventually, water can't get through.
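To make the "flooding" described above concrete from the defender's side, here is an added example (not from the article, Krebs, Akamai or Google) of the simplest detection a site operator can run over web-server access logs: count requests per source address in a sliding time window and flag sources whose peak rate exceeds a threshold. The log lines, IP addresses (from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24), the window width and the threshold are all constructed for illustration.

```python
"""Added example: per-source request-rate detector over access-log lines.
Everything here (log lines, addresses, window, threshold) is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format prefix: client ip, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def peak_rate_per_source(lines, window_seconds):
    """Map each source ip to the most requests it made in any window_seconds span."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, ts = parsed
            stamps_by_ip[ip].append(ts.timestamp())

    peaks = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        best = left = 0
        # Two-pointer sliding window: shrink from the left until it fits.
        for right, t in enumerate(stamps):
            while t - stamps[left] > window_seconds:
                left += 1
            best = max(best, right - left + 1)
        peaks[ip] = best
    return peaks


def flag_flooders(lines, window_seconds=10, threshold=50):
    """Sorted list of sources whose peak rate reached the (constructed) threshold."""
    peaks = peak_rate_per_source(lines, window_seconds)
    return sorted(ip for ip, peak in peaks.items() if peak >= threshold)


def build_sample_log():
    """Constructed access-log lines: one noisy source and one normal visitor."""
    lines = []
    # 60 requests in 5 seconds (12 per second) from a single address.
    for i in range(60):
        lines.append(
            f'198.51.100.7 - - [20/Sep/2016:20:00:{i // 12:02d} +0000] '
            f'"GET / HTTP/1.1" 200 512'
        )
    # 4 requests spread over 45 seconds from a normal visitor.
    for s in (0, 15, 30, 45):
        lines.append(
            f'203.0.113.5 - - [20/Sep/2016:20:00:{s:02d} +0000] '
            f'"GET /about HTTP/1.1" 200 2048'
        )
    lines.append("not a log line at all")  # exercises the parser's rejection path
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    print("peak requests per 10 s:", peak_rate_per_source(sample, 10))
    print("flagged sources:", flag_flooders(sample))
```

This catches a single noisy source and is useful for tuning rate limits on the server itself. It is not a defence against a flood of the size described above: a 620 Gbps attack is spread over a great many sources and saturates the network long before the web server writes a log line, which is why mitigation has to happen upstream, at a provider such as Akamai or a service like Project Shield, rather than on the origin host.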

Now he's back online, though it's unclear whether the site is still under assault behind Google.

"I sincerely hope we can address this problem before it's too late," Krebs wrote. "And I'm deeply grateful for the overwhelming outpouring of support and solidarity that I've seen and heard from so many readers over the past few days. Thank you."