
Data Breach with millions of email addresses and passwords surfaced on the internet

Professionally organized groups use automated systems to try leaked credentials against all kinds of portals, from email providers to music services. The problem: many users reuse the same password across services and rarely change it, so some of the credentials Hunt encountered will probably still be valid.
The case shows that users need to act to protect their digital identity. They should regularly check whether their email address has turned up in a data leak. The Hasso Plattner Institute offers the Identity Leak Checker for this purpose; it uses data that hackers have published, as in the current case.

Troy Hunt has also developed such a service: He operates the portal haveibeenpwned.com. He has already integrated the data from the most recent case into the database. If users enter their email address there, they will receive a message as to whether this was affected by one of the known incidents or not.

At the latest when your own e-mail address appears there, you should think about a new password and, if possible, two-factor authentication, Linus Neumann from the Chaos Computer Club told the German Press Agency. A password manager that manages the access data is also helpful.


"The year is just two weeks old and it is the second time that we have alarming news," said Neumann in view of the online attack on nearly 1,000 politicians and celebrities, which had become public in early January. "There are no more excuses. Anyone who does not do anything for his safety acts negligently and takes a risk."

Top 20 Passwords You Should Avoid Using Now | Secure Your Online Account

20 Passwords You Should Avoid
Passwords are the codes that shield access to a huge amount of private information in our personal accounts. Choosing a good password is vital to protecting all this data, so think more than twice before setting one. Always choose your own password; don't use password generator tools.

The reality is that not all users do this, which is why passwords such as "1234" or dates of birth are more common than they should be. Now a cybersecurity company, SplashData, has compiled the least secure passwords to confirm which ones we should not choose.

The 20 Worst Passwords of 2018 

After analyzing more than 5 million passwords leaked online, SplashData has confirmed that bad habits die slowly. Although choosing such a simple password is a serious risk to your phone, your computer or your Instagram account, many users keep using this kind of code, either for fear of forgetting a more complicated one or out of laziness to think one up.

This is how we arrived at the 20 worst passwords of 2018, as compiled by SplashData. The top entries do not disappoint and contain passwords like "123456" or "password". The top 20 also holds some surprises we did not expect, such as "monkey" or "football".

1) 123456
2) password
3) 123456789
4) 12345678
5) 12345
6) 111111
7) 1234567
8) sunshine
9) qwerty
10) iloveyou
11) princess
12) admin
13) welcome
14) 66666
15) abc123
16) football
17) 123123
18) monkey
19) 654321
20) !@#$%^&*

Although it is not among the 20 worst passwords, "Donald", the name of the president of the United States, appears as number 23 on the list. "I'm sorry, Mr. President, but this is not a false story: using your name or any common name as a password is a dangerous decision," said Morgan Slain, CEO of SplashData.

Knowing which passwords to avoid at all costs is vital to keeping every account you use on the Internet, and the information behind it, safe. Beyond that, we can only trust that the technology companies we deal with also protect our privacy.
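As an added example (not code from this article or from SplashData), here is a registration-time screener of the kind a service would run to reject passwords like those above: it checks the 20 entries from the list plus the pattern classes they belong to (keyboard walks, digit or letter sequences, a single repeated character, digits only, too short). The keyboard rows assume a US layout; the 8-character minimum follows NIST SP 800-63B.

```python
# Constructed from the 20 entries quoted above; the comparison is case-insensitive.
WORST_20_2018 = [
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "66666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*",
]
_WORST = {p.lower() for p in WORST_20_2018}

# Keyboard rows used to spot walks such as "qwerty" or "!@#$%^&*" (assumed US layout).
KEYBOARD_ROWS = ["1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen passwords


def _has_run(s: str, step: int, length: int = 4) -> bool:
    """True if s has `length` consecutive chars whose code points differ by `step`."""
    run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if ord(b) - ord(a) == step else 1
        if run >= length:
            return True
    return False


def _keyboard_walk(s: str, length: int = 4) -> bool:
    """True if s contains `length` adjacent keys of one row, in either direction."""
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + length] in s for i in range(len(r) - length + 1)):
                return True
    return False


def weakness_reasons(password: str) -> list:
    """Return the reasons a password should be rejected (empty list = passes)."""
    p = password.lower()
    reasons = []
    if p in _WORST:
        reasons.append("worst-list")
    if len(password) < MIN_LENGTH:
        reasons.append("too-short")
    if len(set(password)) == 1:
        reasons.append("repeated-char")
    if password.isdigit():
        reasons.append("digits-only")
    if _keyboard_walk(p):
        reasons.append("keyboard-walk")
    if _has_run(p, 1) or _has_run(p, -1):
        reasons.append("sequential")
    return reasons
```

In production the denylist would be the full breached-password corpus rather than 20 entries, but the pattern checks catch the variants ("qwerty1", "1234567a") that a fixed list misses.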

Facebook Bug Exposed Private Photos Of Millions users

A bug in Facebook made the photographs of up to 6.8 million users available to software developers without their prior consent, the social network reported on its blog on Friday.

The bug, which has already been fixed by the company's security staff, exposed the images for 12 days, between September 13 and 25, 2018, said Facebook's engineering director Tomer Bar.

When a user allows an application to access their photos on the social network, that access is normally limited to the images published on their timeline, but the bug also gave the developers of those applications access to images from Stories and Marketplace.

Snapshots that users had uploaded to the social network but had not yet published were also affected; that is, they were stored on Facebook's servers but were not visible to the public.

"We feel that this has happened. At the beginning of next week, we will release tools so that developers can determine which users could have been affected by this Bug. We will work with them to eliminate the affected photographs," the engineer wrote.

The bug affected up to 1,500 applications built by 876 different developers, and Facebook said that all affected users will be notified by means of a notice within the social network.

Facebook Fails Again, Exposing Over 50 Million Users In Security Breach


Facebook Fails Again, Exposing Over 50 Million Users In Security Breach

Facebook can’t seem to get out of its own way when it comes to security. The biggest security issue for the social network was the Cambridge Analytica fiasco that gave the company access to information on 87 million users. In June, Facebook had another security failure when private posts of 14 million users were shared publicly. Today we learn of yet another security breach that resulted in the theft of personal details on 50 million users.
Facebook became aware of the breach on the afternoon of Tuesday, September 25 and said that the attack took advantage of the Facebook code for "View As". The feature lets people see their profile as other users would see it, but an exploit that the attackers used allowed them to steal Facebook access tokens that could be used to take over accounts. Access tokens are likened to digital keys that keep people logged into Facebook to prevent them from having to enter a password each time they come to the site.

Facebook notes that it has already acted on the breach by fixing the vulnerability and has informed law enforcement about the attack. Tokens on the almost 50 million accounts known to have been affected were reset, and Facebook reset tokens for another 40 million accounts that had been used with "View As" in the last year. This means that about 90 million Facebook users will have to log in again the next time they visit the website.

The accounts that must log back in will have a notification at the top of the screen that explains what happened. Facebook is turning off the "View As" feature while a security review is performed. The social giant has also given insight into what exactly happened, saying that the attack exploited a "complex interaction of multiple issues in our code." The issues stemmed from a change the social giant made in July 2017 to video uploading that happened to affect "View As."

The investigation into the breach is underway now, and Facebook notes that it hasn’t determined if the accounts were misused or if the information was accessed. Despite the breach and potential to access accounts, Facebook indicates no reason for people to reset passwords. Facebook also notes that you can log out of your account on all devices via the "Security and Login" section in settings.

Man-in-the-Disk attack leaves millions of Android phones vulnerable


Recently, our researchers came across a shortcoming in the way Android apps use storage resources. Careless use of External Storage by applications may open the door to an attack resulting in any number of undesired outcomes, such as silent installation of unrequested, potentially malicious, apps to the user’s phone, denial of service for legitimate apps, and even cause applications to crash, opening the door to possible code injection that would then run in the privileged context of the attacked application.

Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps use the 'External Storage' system to store app-related data, which, if tampered with, could result in code injection in the privileged context of the targeted application.
It should be noted that apps on the Android operating system can store their resources in two locations on the device: internal storage and external storage.

How the Android Man-in-the-Disk Attack Works
Similar to the "man-in-the-middle" attack, the concept of "man-in-the-disk" (MitD) attack involves interception and manipulation of data being exchanged between external storage and an application, which if replaced with a carefully crafted derivative "would lead to harmful results."
The researchers found that the Xiaomi web browser downloads its latest version to the device's external storage before installing the update. Since the app does not validate the integrity of that data, its legitimate update code can be replaced with a malicious one.
"Xiaomi Browser was found to be using the External Storage as a staging resource for application updates," the researchers said in a blog post.
"As a result, our team was able to carry out an attack by which the application’s update code was replaced, resulting in the installation of an alternative, undesired application instead of the legitimate update."
In this way, attackers can get a man-in-the-disk position, from where they can monitor data transferred between any other app on the user's smartphone and the external storage and overwrite it with their own malicious version in order to manipulate or crash them.

The attack can also be abused to install another malicious app in the background without the user's knowledge, which can eventually be used to escalate privileges and gain access to other parts of the Android device, like camera, microphone, contact list, and more.
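As an added example (not Check Point's code, nor any of the named vendors'), here is the check an app should perform before using a file it staged on shared storage: read the file once, verify its digest against a value obtained over an authenticated channel, and use only the verified in-memory copy. The logic is written in Python rather than Java/Kotlin so it runs stand-alone; the update bytes and the pinned hash are constructed, and a temporary directory stands in for external storage.

```python
import hashlib
import hmac
import os
import tempfile


def verify_and_load(path: str, expected_sha256_hex: str):
    """Read a staged file ONCE, check its SHA-256 against the pinned value and
    return the verified bytes, or None if they do not match.  Handing back the
    in-memory copy (instead of re-opening the path later) means a file swapped
    on shared storage after the check cannot be what gets installed."""
    with open(path, "rb") as f:
        data = f.read()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256_hex.lower()):
        return None
    return data


def simulate_update(tampered: bool) -> bool:
    """Stage a constructed update in a temp dir standing in for external storage,
    optionally overwrite it the way a co-installed app with storage permission
    could, and report whether the verifier accepts what is on disk."""
    legit_update = b"CONSTRUCTED-UPDATE-PACKAGE-v2"        # placeholder, not a real APK
    pinned = hashlib.sha256(legit_update).hexdigest()      # a real app fetches this over TLS
    with tempfile.TemporaryDirectory() as shared:
        staged = os.path.join(shared, "update.apk")
        with open(staged, "wb") as f:
            f.write(legit_update)
        if tampered:
            with open(staged, "wb") as f:                  # the man-in-the-disk swap
                f.write(b"CONSTRUCTED-REPLACEMENT-PACKAGE")
        return verify_and_load(staged, pinned) is not None


if __name__ == "__main__":
    print("untampered update accepted:", simulate_update(False))
    print("tampered update accepted:  ", simulate_update(True))
```

Android's own guidance goes one step further: keep such data in the app's internal storage, where other apps cannot write, and treat anything read from external storage as untrusted input.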

Man-in-the-Disk Attack Video Demonstrations

Check Point researchers also managed to compromise files and crash Google Translate, Google Voice-to-Text, and Yandex Translate because those apps also failed to validate the integrity of data used from the Android's external storage.

Among the apps that Check Point researchers tested for this new MitD attack were Google Translate, Yandex Translate, Google Voice Typing, LG Application Manager, LG World, Google Text-to-Speech, and Xiaomi Browser. Google, which itself did not follow its own security guidelines, acknowledged and fixed some of the affected applications and is in the process of fixing the other vulnerable apps as well, Check Point said.

WhatsApp Vulnerability Lets Hacker Modify Group Chats to Spread Fake News


A group of security researchers has found a new vulnerability in WhatsApp that lets hackers modify group chats to spread fake news.
Check Point Research recently unveiled new vulnerabilities in the popular messaging application that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources.

Our team found three possible methods of attack exploiting this vulnerability, all of which involve social engineering tactics to fool end users. A threat actor can:

  • Use the 'quote' function in a group conversation to change the identity of the sender, even if that person is not a member of the group.
  • Alter the text of someone else's reply, essentially putting words in their mouth.
  • Send a private message to another group member that is disguised as a public message for all, so that when the targeted person responds, it's visible to everyone in the conversation.

Following the process of responsible disclosure, Check Point Research informed WhatsApp of their findings. Check Point Research considers these vulnerabilities to be of the utmost significance and to require attention.

WhatsApp Protocol Decryption Burp Tool

About WhatsApp Protocol Decryption Burp Tool

This extension allows you to view and manipulate the actual data that is sent via WhatsApp.

First, run the parser.py file (in the helper directory).
Second, add the file burpWhatsapp.py to your Burp extensions.

Functionality Of WhatsApp Protocol Decryption Burp Tool

Decrypt incoming data: paste the data as base64 into the extension and press ctrl+b.
Encrypt incoming data: after you decrypt the data you can encrypt it again and put it back into Burp by copy-pasting the base64 and pressing ctrl+shift+b.
Decrypt outgoing data: take it from the AesCbcEncrypt function in list format.
Encrypt outgoing data: after the extension encrypts the data, you have to put it back via the console.
You can use the following helper function to do that:

// Convert a binary string (one char per byte) into an ArrayBuffer
function str2unit8(str) {
  var buf = new ArrayBuffer(str.length);
  var bufView = new Uint8Array(buf);

  // copy each character's code into the byte array
  for (var i = 0, strLen = str.length; i < strLen; i++) {
    bufView[i] = str.charCodeAt(i);
  }
  return buf;
}


The Burp extension can currently decrypt and encrypt only the message-related functionality; to add more functions you have to map the protobuf and add it to our protobuf file.