Google Pixel Hacked in Under 60 Seconds*:
- Google’s new flagship just got hacked by a Chinese team at in less than 60 seconds.
- At PwnFest, a hacking competition in Seoul, South Korea, a team of white-hat hackers known as Qihoo 360 demonstrated an exploit that allowed for remote code execution on the Pixel.
- In less than 60 seconds, the team used a zero-day vulnerability to remotely install code on Google’s sought after device.
- The exploit launched Google Play Store and then Google’s mobile version of Chrome before displaying a messaged that read “Pwned by 360 Alpha Team.”
- The team walked away with $520,000 in cash prizes after demonstrating additional vulnerabilities in Microsoft Edge on Windows 10, and a decade-old exploit that inexplicably still works on Adobe Flash.
*Source: The Next Web, November 12, 2016
UK Parliament Rubberstamps Mass Surveillance Law*:
- A controversial shoring up and expansion of state surveillance powers in the U.K. has been agreed upon by both houses of parliament, clearing the way for the formality of Royal Assent and the passing of the Investigatory Powers bill into law before the end of the year.
- The legislation creates a legal framework authorizing state actors to hack into devices, networks and services; maintain large databases of personal information on U.K. citizens, including individuals suspected of no crime; and force companies to decrypt data on request – effectively placing limits on the use of end-to-end encryption.
- The government argues the incoming law provides intelligence and law enforcement agencies with the powers necessary to fight terrorism and investigate crime.
- Critics disagree, dubbing it the most extreme law ever passed in a democracy because it cements the legality of mass surveillance.
- Others have warned of the hacking risk created by generating and maintaining such a honeypot of sensitive data.
- The risks to the reputation of U.K. companies whose services might be backdoored by state agencies are another concern.
- Widespread concerns are also being voiced about the links between U.K. intelligence agencies and U.S. agencies, especially in the wake of the election of Donald Trump as the next U.S. president.
*Source: Tech Crunch, November 17, 2016
Protecting Your Digital Life in 7 Easy Steps*:
- Major hacks seem ever more frequent; investigators believe that a set of top-secret National Security Agency hacking tools were offered to online bidders this summer.
- In a recent Medium post, Quincy Larson, the founder of Free Code Camp, an open-source community for learning to code, detailed the reasons it might be useful for people to make their personal data more difficult for attackers to access.
- Here are some recommendations for better protecting your data from Mr. Larson and others:
- Download Signal or WhatsApp for text messages so messages are encrypted.
- Protect your computer’s hard drive with File Vault or Bit Locker
- Change passwords regularly and use random words with letters and numbers sprinkled in.
- Protect your email and other accounts with two-factor authentication.
- Use a browser plug-in called HTTPS Everywhere.
- Remember the incognito mode isn’t always private.
- Do sensitive searches in DuckDuckGo.
- Cover your webcam with tape.
*Source: New York Times, November 16, 2016
Websites of 7 Indian Missions Hacked*:
- The websites and databases of seven Indian missions in Europe and Africa were hacked and data from their servers were allegedly dumped online.
- Hackers going by the name Kapustkiy and Kasimierz L on Twitter claimed to have breached the security of the official websites of the Indian missions in South Africa, Libya, Malawi, Mali, Italy, Switzerland and Romania.
- The leaked databases containing admin and login details, names, email IDs, phone numbers and, in some cases, passport numbers of mission staffers were published on pastebin.com (and later removed by pastebin administrators).
- The websites of several other Indian missions are also not secure, the hacker claimed.
- SQL vulnerability is a security flaw in a database and a hacker inserts malicious content into the database using forms on the website, accessing the website code or via email.
- The hackers claimed to be under the age of 18 and from the Netherlands.
- “It’s very odd that multiple websites of embassies can be exploited with an SQL injection,” the second hacker who identifies himself as Kasimierz told HT.
*Source: Hindustan Times, November 07, 2016
Secret Back Door in Some U.S. Phones Sent Data to China*:
- Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages and sends the information to China every 72 hours.
- American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
- International customers and users of disposable or prepaid phones are the people most affected by the software.
- The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices.
- Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server.
- Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable.
- Adups also provides what it calls “big data” services to help companies study their customers, “to know better about them, about what they like and what they use and there they come from and what they prefer to provide better service.”
- A researcher at Kryptowire discovered the problem after he bought an inexpensive phone for a trip overseas and noticed unusual network activity.
*Source: New York Times, November 15, 2016
AdultFriendFinder Network Hack Exposes 412 Million Accounts*:
- A massive data breach targeting adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts.
- The attack happened at around the same time as one security researcher, known as Revolver, disclosed a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on the web server.
- The attack on Friend Finder Networks is the second in as many years; it was also hacked last year, exposing almost 4 million accounts.
- Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources.
- FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.
*Source: ZDnet, November 13, 2016