Security

Twitter bug sent user direct messages to third-party developers for over a year

Twitter said that a “bug” sent users’ private direct messages to third-party developers “who were not authorized to receive them.” The social media giant began warning users Friday of the exposure with a message in the app. “The issue has persisted since May 2017, but we resolved it immediately upon discovering it,” said the message, which a Mashable reporter posted on Twitter. “Our investigation into this issue is ongoing, but presently we have no reason to believe that any data sent to unauthorized developers was misused.” Twitter said it discovered the exposure on September 10, but took almost two weeks to inform users. The company said that the bug affected less than 1 percent of users on Twitter. The company had 335 million users as of its latest earnings release. “If your account...

AdGuard resets all user passwords after account hacks

Popular ad-blocker AdGuard has forcibly reset all of its users’ passwords after it detected hackers trying to break into accounts. The company said it “detected continuous attempts to login to AdGuard accounts from suspicious IP addresses which belong to various servers across the globe,” in what appeared to be a credential stuffing attack. That’s when hackers take lists of usernames and passwords stolen from one site and try them on other sites, betting that people reuse passwords. AdGuard said that the hacking attempts were slowed thanks to rate limiting — preventing the attackers from trying too many passwords in one go. But rate limiting was “not enough” when the attackers already knew the passwords, a blog post said. “As a precautionary measure, we have reset passwords to all AdGuard accounts,” said Andrey Meshkov, AdGuard’s co-founder and chie...
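The reason rate limiting slows a stuffing run but cannot stop it is visible in the logs: a brute-force attacker hammers one account many times, which a per-account limit catches, while a stuffing attacker tries each account once with a password that may simply be correct. The following Python is an added illustration for this page, not AdGuard’s code (AdGuard’s post does not describe its detection logic); the log format, addresses, usernames and thresholds are constructed for the example. It runs a per-account limiter beside a per-source “many distinct accounts, mostly failing” check, lists the accounts a flagged source actually got into (the ones that need a reset), and computes a fleet-wide per-window view for the case where each source tries only one account.

```python
"""Three detection checks over an authentication log, showing why per-account
rate limiting slows credential stuffing but does not stop it.

Added example for this page, not AdGuard's code. The log format, addresses,
usernames and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, one attempt per line: "<UTC timestamp> <src ip> <user> <result>".
# 192.0.2.10: a real user mistypes a password twice, then succeeds.
# 198.51.100.7: brute force, one account hammered repeatedly.
# 203.0.113.0/24: stuffing, each source tries several accounts once each and mostly
# fails, but the leaked passwords for two accounts are still valid.
SAMPLE_LOG = """\
2018-09-20T10:00:01Z 192.0.2.10 alice FAIL
2018-09-20T10:00:09Z 192.0.2.10 alice FAIL
2018-09-20T10:00:20Z 192.0.2.10 alice SUCCESS
2018-09-20T10:01:00Z 198.51.100.7 bob FAIL
2018-09-20T10:01:03Z 198.51.100.7 bob FAIL
2018-09-20T10:01:06Z 198.51.100.7 bob FAIL
2018-09-20T10:01:09Z 198.51.100.7 bob FAIL
2018-09-20T10:01:12Z 198.51.100.7 bob FAIL
2018-09-20T10:01:15Z 198.51.100.7 bob FAIL
2018-09-20T10:01:18Z 198.51.100.7 bob FAIL
2018-09-20T10:02:00Z 203.0.113.1 carol FAIL
2018-09-20T10:02:01Z 203.0.113.1 dave FAIL
2018-09-20T10:02:02Z 203.0.113.1 erin FAIL
2018-09-20T10:02:03Z 203.0.113.1 frank SUCCESS
2018-09-20T10:02:10Z 203.0.113.2 grace FAIL
2018-09-20T10:02:11Z 203.0.113.2 heidi FAIL
2018-09-20T10:02:12Z 203.0.113.2 ivan FAIL
2018-09-20T10:02:20Z 203.0.113.3 judy FAIL
2018-09-20T10:02:21Z 203.0.113.3 mallory SUCCESS
2018-09-20T10:02:22Z 203.0.113.3 niaj FAIL
"""

WINDOW_SECONDS = 600  # fixed 10-minute buckets keep the example simple


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result == "SUCCESS"))
    return events


def _bucket(when, window_seconds=WINDOW_SECONDS):
    return int(when.timestamp() // window_seconds)


def per_account_lockout(events, max_attempts=5):
    """Per-account rate limiting: too many attempts on one account in a window.
    Catches brute force; a stuffing run touches each account only once."""
    counts = defaultdict(int)
    for when, _ip, user, _ok in events:
        counts[(user, _bucket(when))] += 1
    return sorted({user for (user, _), n in counts.items() if n > max_attempts})


def per_ip_stuffing(events, min_distinct_users=3, min_fail_ratio=0.6):
    """Stuffing signature: one source tries many different accounts and mostly fails."""
    users, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for when, ip, user, ok in events:
        key = (ip, _bucket(when))
        users[key].add(user)
        attempts[key] += 1
        fails[key] += 0 if ok else 1
    return sorted({ip for (ip, b) in users
                   if len(users[(ip, b)]) >= min_distinct_users
                   and fails[(ip, b)] / attempts[(ip, b)] >= min_fail_ratio})


def compromised_by_stuffing(events, stuffing_ips):
    """Accounts a flagged source logged into: the attacker already knew these
    passwords, so no rate limit would have helped. These need a forced reset."""
    bad = set(stuffing_ips)
    return sorted({user for _when, ip, user, ok in events if ok and ip in bad})


def window_stats(events):
    """Fleet-wide view per window, for the distributed case where each source tries
    a single account: attempts, distinct accounts, distinct sources, failure ratio."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ips": set()})
    for when, ip, user, ok in events:
        s = stats[_bucket(when)]
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
        s["users"].add(user)
        s["ips"].add(ip)
    return {b: {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                "distinct_ips": len(s["ips"]), "fail_ratio": s["fails"] / s["attempts"]}
            for b, s in stats.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    ips = per_ip_stuffing(evs)
    print("locked out:", per_account_lockout(evs), "| stuffing sources:", ips)
    print("accounts to reset:", compromised_by_stuffing(evs, ips), "|", window_stats(evs))
```

On the sample, the per-account limiter flags only the brute-forced account, every stuffing source slips under it with one attempt per user, and the per-source check is what identifies the three stuffing addresses and the two accounts they got into. In a real deployment the window would be sliding rather than bucketed and the thresholds tuned against a baseline, and a noticeably elevated failure ratio with attempts roughly equal to distinct accounts in window_stats is the signal to watch when the attacker spreads one account per source.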

This is what Americans think about the state of election security right now

A wide-ranging new poll yields some useful insight into how worried the average American feels about election threats as the country barrels toward midterms. The survey, conducted by NPR and researchers with Marist College, polled 949 adult US residents in early September across regions of the country, contacting participants through both landlines and mobile devices. The results are a significant glimpse into current attitudes around the likelihood of foreign election interference, election security measures and how well social media companies have rebounded in the public eye.

Attitudes toward Facebook and Twitter

As the most recent dust settles around revelations that Russia ran influence campaigns targeting Americans on social media platforms, just how much do US voters trust that Faceb...

Surveillance camera vulnerability could allow hackers to spy on and alter recordings

In newly published research, security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers to view, disable or otherwise tamper with video footage. The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks, and schools around the globe. The flaw is a stack buffer overflow: feeding the software more data than its fixed-size buffer expects lets an attacker corrupt memory and achieve remote code execution. That means an attacker could remotely take over the system without authorization, including networked cameras connected to the target device. “This is particularly devastating because not only is an att...

Facebook is hiring a director of human rights policy to work on “conflict prevention” and “peace-building”

Facebook is advertising for a human rights policy director to join its business, located either at its Menlo Park HQ or in Washington DC — with “conflict prevention” and “peace-building” among the listed responsibilities. In the job ad, Facebook writes that as the reach and impact of its various products continues to grow “so does the responsibility we have to respect the individual and human rights of the members of our diverse global community”, saying it’s: … looking for a Director of Human Rights Policy to coordinate our company-wide effort to address human rights abuses, including by both state and non-state actors. This role will be responsible for: (1) Working with product teams to ensure that Facebook is a positive force for human rights and apply the lessons we learn from our inve...

A new CSS-based web attack will crash and restart your iPhone

A security researcher has found a new way to crash and restart any iPhone, with just a few lines of code. Sabri Haddouche tweeted a proof-of-concept webpage of just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link. The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use, Haddouche told TechCrunch. He explained that by nesting a huge number of elements, such as <div> tags, inside an element styled with the CSS backdrop-filter property, you can use up all of the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage. “Anything that renders HTML on iOS is affected,” he said. That means anyone sending you a li...

FEMA to send its first ‘Presidential Alert’ in emergency messaging system test

The Federal Emergency Management Agency will this week test a new “presidential alert” system that will allow the president to send a message to every phone in the US. It is the first nationwide test of the presidential alert system, which allows the president to address the nation in the event of a national emergency, FEMA said in an advisory. Using the Wireless Emergency Alert (WEA) system, anyone with cell service should receive the message on their phone. “THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed,” the message will read, due to be sent out on Thursday at 2:18pm ET. Minutes later, the Emergency Alert System (EAS) will broadcast a similar test message over television, radio, and wireline video services. Emergency alerts aren’t new and warni...

Three years later, Let’s Encrypt has issued over 380 million HTTPS certificates

Bon anniversaire, Let’s Encrypt! The free-to-use nonprofit was founded in 2014 in part by the Electronic Frontier Foundation and is backed by Akamai, Google, Facebook, Mozilla and more. Three years ago Friday, it issued its first certificate. Since then, the numbers have exploded. To date, more than 380 million certificates have been issued on 129 million unique domains. That also makes it the largest certificate issuer in the world, by far. Now, 75 percent of all Firefox traffic is HTTPS, according to public Firefox data — in part thanks to Let’s Encrypt. That’s a massive increase from when it was founded, when only 38 percent of website page loads were served over an HTTPS encrypted connection. “Change at that speed and scale is incredible,” a spokesperson told TechCrunch. “Let’s Encryp...

North Korea skirts US sanctions by secretly selling software around the globe

Fake social media profiles are useful for more than just sowing political discord among foreign adversaries, as it turns out. A group linked to the North Korean government has been able to duck existing sanctions on the country by concealing its true identity and developing software for clients abroad. This week, the US Treasury issued sanctions against two tech companies accused of running cash-generating front operations for North Korea: Yanbian Silverstar Network Technology or “China Silver Star,” based near Shenyang, China, and a Russian sister company called Volasys Silver Star. The Treasury also sanctioned China Silver Star’s North Korean CEO Jong Song Hwa. “These actions are intended to stop the flow of illicit revenue to North Korea from overseas information technology workers disg...

UK warns of satellite and space program problems in case of Brexit ‘no deal’

The U.K. government says that access to satellites and space surveillance programs will suffer in the event of a “no deal” departure from the European Union. Britain has less than six months to go before the country leaves the 28-member bloc, after a little over half the country voted to withdraw from the European Union in a 2016 referendum. So far, the Brexit process has been a hot mess of political infighting and uncertainty, bureaucracy and backstabbing — amid threats of coups and leadership challenges. And the government isn’t even close to scoring a deal to keep trade ties open, immigration flowing and airplanes taking off. Now, the government has further said that services reliant on EU membership — like access to space programs — will be affected. The reassuring ne...

Cryptocurrency mining attacks using leaked NSA hacking tools are still highly active a year later

It’s been over a year since highly classified exploits built by the National Security Agency were stolen and published online. One of the tools, dubbed EternalBlue, can covertly break into almost any unpatched Windows machine around the world. It didn’t take long for hackers to start using the exploits to run ransomware on thousands of computers, grinding hospitals and businesses to a halt. Two separate attacks in as many months used WannaCry and NotPetya ransomware, which spread like wildfire: once a single computer in a network was infected, the malware would use the same exploit to reach other devices on the network. The recovery was slow and cost companies hundreds of millions in damages. Yet, more than a year since Microsoft released patches that closed the hole, almost a million computers and networks...

Alibaba’s Ant Financial denies stealing from Equifax

Ant Financial has denied claims that it covertly raided Equifax — the U.S. credit firm that was hit by a hack last year — to grab information, including code, confidential data and documents to help recruit staff for its own credit scoring service. The Alibaba affiliate, which is valued at over $100 billion, launched Sesame Credit in China in 2015, and a report this week from The Wall Street Journal suggests that it leaned heavily on Equifax to do so. Ant Financial hired China-born Canadian David Zou from Equifax and the Journal claims that Zou looked up employee information to gauge potential hires and squirreled away confidential documents via his personal email account. Ant was said to have offered Chinese staff at Equifax lucrative raises — reportedly tripling their salaries — with a f...