Instagram has steadily grown into one of the most prominent social media platforms over the last couple of years. With a user base easily crossing several hundred million, there will always be “bad company”. Potential hackers who seek to harm or exploit are found on every major website or social platform. However, Instagram, in its bid to strengthen its defences against these parties, is now making accounts safer and easier to recover than before.
Numerous people had gone online to voice their grievances about accounts that were broken into by hackers in 2018. Instagram now seeks to make the process of recovering users’ accounts easier in case of future attacks. The company is testing a new in-app account recovery process that will streamline recovery while making accounts harder to hack into.
Previously, users had to wait for an email or fill out support forms, but now a new approach is being taken. The app will ask for different types of information (like the user’s original email address or phone number). A six-digit code will then be sent to the contact details provided, and Instagram will from then on prevent hackers from accessing the user’s account using the email or phone number from a different device.
This method seeks to ensure that users can recover their accounts even if the thief has changed the username and contact data. Instagram has also added a short period during which the original username cannot be claimed after being changed, regardless of whether the change was intended. This feature is already accessible to all Android and iOS users; however, the availability of the new in-app recovery system is still not certain.
Instagram is planning a full in-app account recovery feature for the future that never needs the security team. The social media giant’s security has reportedly been lax, with various exposed passwords and growing attacks on its systems occurring at frequent intervals. This new security feature cannot actually prevent all forms of hacking, but it may make it harder for hackers to take advantage of vulnerabilities in the recovery system that is currently live.
Back in early 2016, WhatsApp introduced end-to-end encryption for WhatsApp chats. However, a new report claims that group chats in WhatsApp can be easily infiltrated. A group of German cryptographers has discovered flaws in WhatsApp’s encryption that make this possible.
The cryptographers from Ruhr University Bochum in Germany announced this at the Real World Crypto Security Conference in Zurich, Switzerland on the 10th of January. The report from Wired says:
Anyone who controls the app’s servers could insert new people into private group chats without needing admin permission. The confidentiality of the group is compromised as soon as the uninvited member can obtain all the new messages and read them.
End-to-end encryption is a secure method of communication where only the people communicating can access messages sent. Cyber-criminals and hackers, telecoms and Internet providers or governments cannot read these communications. Even the company that built and runs the service cannot access messages, and hence cannot easily cooperate with authorities who request these exchanges.
According to the researchers, only an administrator of a WhatsApp group can invite new members, but WhatsApp doesn’t use any authentication mechanism for that invitation that its own servers can’t spoof. This basically means that a server can add any new member to the group without any interaction with the administrator.
Once this happens, the phone of every participant in the group then automatically shares secret keys with that new member, giving him or her full access to any future messages.
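A minimal model of the missing check, added here as an illustration and not taken from WhatsApp's protocol or code: each client accepts a member-add only if it carries a signature from an admin key the client already holds, so a server that merely relays messages cannot fabricate one. The message layout, the epoch counter and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// MemberAdd is a hypothetical "add member" message relayed by the chat server.
type MemberAdd struct {
	NewMember, Admin string
	Epoch            uint64 // must be the client's epoch + 1 (blocks replays)
	Sig              []byte // admin's Ed25519 signature over signedBytes()
}

// signedBytes length-prefixes each field so values cannot shift between fields.
// The group ID comes from the verifying client, which binds the signature to one group.
func (m MemberAdd) signedBytes(groupID string) []byte {
	out := []byte{}
	var n [8]byte
	for _, f := range []string{"member-add-v1", groupID, m.NewMember, m.Admin} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(f)))
		out = append(append(out, n[:4]...), f...)
	}
	binary.BigEndian.PutUint64(n[:], m.Epoch)
	return append(out, n[:]...)
}

// Group is one client's local view; admin keys are assumed verified device to device.
type Group struct {
	ID      string
	Epoch   uint64
	Admins  map[string]ed25519.PublicKey
	Members map[string]bool
}

var (
	ErrNotAdmin = errors.New("signer is not a known admin of this group")
	ErrEpoch    = errors.New("stale or replayed membership change")
	ErrBadSig   = errors.New("admin signature does not verify")
)

// ApplyAdd admits the member only after every check passes; only then would a
// real client share its message keys with the newcomer.
func (g *Group) ApplyAdd(m MemberAdd) error {
	pub, ok := g.Admins[m.Admin]
	if !ok {
		return ErrNotAdmin
	}
	if m.Epoch != g.Epoch+1 {
		return ErrEpoch
	}
	if !ed25519.Verify(pub, m.signedBytes(g.ID), m.Sig) {
		return ErrBadSig
	}
	g.Members[m.NewMember] = true
	g.Epoch = m.Epoch
	return nil
}

// SignAdd runs on the admin's device, which alone holds the private key.
func SignAdd(priv ed25519.PrivateKey, groupID string, m MemberAdd) MemberAdd {
	m.Sig = ed25519.Sign(priv, m.signedBytes(groupID))
	return m
}

// RunScenario uses constructed names and freshly generated keys.
func RunScenario() (forged, genuine, replay error, g *Group) {
	adminPub, adminPriv, _ := ed25519.GenerateKey(nil)
	_, serverPriv, _ := ed25519.GenerateKey(nil) // the server has only its own key
	g = &Group{ID: "family", Admins: map[string]ed25519.PublicKey{"alice": adminPub},
		Members: map[string]bool{"alice": true, "bob": true}}
	// The server fabricates an add in the admin's name.
	forged = g.ApplyAdd(SignAdd(serverPriv, g.ID,
		MemberAdd{NewMember: "mallory", Admin: "alice", Epoch: 1}))
	// The admin really adds someone; relaying the same message again fails.
	add := SignAdd(adminPriv, g.ID, MemberAdd{NewMember: "carol", Admin: "alice", Epoch: 1})
	genuine = g.ApplyAdd(add)
	replay = g.ApplyAdd(add)
	return forged, genuine, replay, g
}

func main() {
	forged, genuine, replay, g := RunScenario()
	fmt.Printf("forged: %v\ngenuine: %v\nreplay: %v\nmembers: %v\n",
		forged, genuine, replay, g.Members)
}
```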
A WhatsApp spokesperson confirmed the findings but added that “no one can secretly add a new member to a group and a notification does go through that a new, unknown member has joined the group.”
WhatsApp is now expected to give more power to group administrators in the aftermath of these findings. In the coming days, administrators will be able to block any or all group members from sending any kind of text message, voice message or media files.
OnePlus cannot seem to catch a break. A few days after it was revealed that OnePlus left an application that allowed backdoor entry to OnePlus devices, a new application has been found recording sensitive data and storing it unencrypted inside the phone. This app is reportedly called OnePlusLogKit and, as its name suggests, logs an extensive amount of user data.
The same researcher who exposed the EngineerMode app a few days ago has made the new revelation as well. The researcher wrote in a post that all of the user data stored by this app is unencrypted, and added that this data could also likely be sent to China. The researcher, who goes by the moniker of Elliot Anderson, also said that he believes the app may have been intentionally left on users’ devices by the Chinese smartphone maker.
He said that all one had to do to trigger the app into logging the data and accessing it was to dial *#800# on the smartphone’s dial pad. This action automatically opens up the app’s interface with which one can either switch the logging feature on or off.
<Thread> Hi @Oneplus ?! Remember me? Let's talk about another debug app you left in your device. OnePlusLogKit is a system application which allow you to do a multitude of things: get wifi logs, nfc logs, gps logs pic.twitter.com/HvnErm8rXg
These findings do not come at an ideal time for OnePlus. The Chinese smartphone maker is gearing up to launch the OnePlus 5T on the 16th of November. The device will be OnePlus’ sixth device in its short lifespan and will take a design detour from previous OnePlus phones, with thin bezels and a tall display.
OnePlus was just recently accused of collecting sensitive data of users and the company has barely come out of the aftermath following such serious allegations. It won’t be surprising if OnePlus left the application inside the phones on purpose since it admitted to collecting data from its phones to improve the user experience.
Some digging into the deep system apps on OnePlus phones has exposed a vulnerability in OnePlus devices. A developer has found an application that can be manipulated into granting backdoor root access. In a Twitter thread, the developer explained how he was able to gain root access and, surprisingly, the app has been pre-installed on all current OnePlus phones, and on OxygenOS for OnePlus One.
<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in an user build…???? This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
The application is called ‘EngineerMode’ and was developed by Qualcomm for factory testing. It was revealed that the app potentially leaves all OnePlus devices open to backdoor root access. XDA Developers claims that the application can be accessed through any activity launcher, as the app’s activities are exported. OnePlus devices could be rooted by launching the ‘DiagEnabled’ activity in the APK with a specific password that was found by decompiling ‘libdoor.so’ with the help of a few cyber-security experts.
OnePlus users can find the pre-installed app by going into Settings > Apps > Menu > Show System Apps and searching for EngineerMode in the app list. The user can access manual tests like the root status test, the GPS test or the main activity by sending a command. Doing this will grant you access to everything, including erasing all data. It is alarming how easily someone can get access to your smartphone in this day and age.
OnePlus co-founder Carl Pei responded to the tweets:
Internet warfare and cyber espionage have been going on for a while now. Hackers breaking into secret government records, swindling banks out of their money or simply having a laugh on the internet is not unheard of in contemporary times. It’s therefore only natural that we talk about some of the most well-executed hacks that made the world sit up and listen.
1. First Worm on the Internet (1990):
“I only wanted to see the size of the web” is what Robert Morris said in 1988 when he was caught for creating what would become known as the first worm on the Internet. He tried to hide his online trail by releasing the worm from MIT instead of Cornell, where he was a student.
A design flaw ensured that the worm replicated itself in way larger numbers than Morris had planned or expected, until it had caused significant and noticeable damage to confidential files all over the country.
Robert Morris was the son of a famous former NSA scientist.
Robert Morris became the first person to be convicted under the Computer Fraud and Abuse Act in 1990. He was also sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and had to cover the costs of his supervision.
2. Citibank Loses Millions to Russian Hacker (1995):
One of the earliest and most important bank hacking scandals was in 1995, when Vladimir Levin illegally transferred $3.7 million from Citibank into bank accounts of his criminal organisation.
The criminal ring-leader conducted this incredibly well-planned hack using a computer based in London. Using a list of customer codes and passwords, Levin logged into bank accounts numerous times and transferred funds to his own.
Levin was finally tracked down by the FBI at a London airport. Following his arrest, he was tried and convicted in the U.S. and was sentenced to three years in jail in 1998. A penalty of $240,015 was also levied against him, to be paid to Citibank as restitution.
3. When New York Times Was Hacked by a Teenager (2002):
Hacking of tabloids and newspapers is one of the most common incidents of cyber-crime. Everyone is dying to spill the beans on the deep, dark secrets of tinsel town’s ‘who’s who’. The year 2002 saw the hacking of voicemail accounts of celebrities like actress Sienna Miller, and even members of the British Royal Family. However, this NYT hack is especially important because it involves a 19-year-old who broke into the records of one of the biggest daily newspapers in the world.
Adrian Lamo, the “homeless hacker”
Adrian Lamo gained access to some of the most confidential records of the New York Times, which included a detailed database of op-ed writers the paper had used in the past. This included names, phone numbers, home addresses and payment history of contributors like Democratic strategist James Carville and former secretary of state James Baker.
Because Lamo wasn’t done having fun yet, he added his own name under “experts” and put “Computer hacking, national security, communications intelligence” under “expertise”. And yes, Adrian Lamo is the same person who turned in WikiLeaks’ Bradley Manning to the US authorities, winning himself the title of the “world’s most hated hacker”.
4. Hacking Heist that Involved 100 Banks All Across the Globe (2015):
Hackers pulled off a ridiculously high-profile, Hollywood-style heist as they broke into the accounts of about 100 banks across 30 countries, including India, China and the US, and duped them of $1 billion. It was a group of cyber-criminals from all over the world executing this hack over a period of two years.
It is beyond incredible how they left absolutely no virtual trail behind them, despite the humongous size and the long period of time involved in the heist. The attack, which took place earlier this year in February, was called an “unprecedented cyber robbery.” The criminal gang was dubbed ‘Carbanak’ by a Russian security firm, and is believed to include members from Russia, Ukraine, China and Europe.
5. When Iranian Hackers Had a Field Trip with American State Secrets (2015):
Iran came up with a phony news agency in 2011 called NewsOnAir and used it to draw important details of American bureaucrats using social media and tactics like phishing (when a user is tricked into revealing personal credentials, like passwords, online). Though it hasn’t been confirmed that the hackers are Iranians, the central domain is located in Iran.
This group of hackers used numerous fake identities, like that of Reuters journalist Sandra Maler, to set up an entire network online, including social media platforms like Facebook and Twitter as well as WordPress blogs, to get in touch with important US officials.
Though it is unclear exactly how much data was lost, iSight Partners, a cybersecurity consulting group, comments, “a vast amount of social content was compromised in addition to some number of log-in credentials”. If reports are to be believed, this campaign has definitely been one of the most elaborate hacking operations ever.
Ku Klux Klan is a white supremacist group in the United States of America and Anonymous is a self-proclaimed “hacktivist” group. How are the two even connected? Well, recent reports tell us that Anonymous hacked into KKK’s Twitter account and have furthermore vowed to release the names of about one thousand Ku Klux Klan members.
This is not the first time that Anonymous has taken upon itself the responsibility to reveal the names of members of a secret group or society. Earlier in May 2015, they had named around nine thousand two hundred members of the ISIS terrorist group, in the wake of the Charlie Hebdo case.
This time, they will reveal the KKK names on the day of Operation KKK’s one-year anniversary. The act is seen as a declaration of cyber-war against the Klan following the grand jury’s decision not to indict police officer Darren Wilson for the death of a Black American boy named Michael Brown in Missouri, USA.
To give you some background, back in November 2014 the KKK had distributed fliers threatening violence against the hacktivists, warning them that they had “awakened a sleeping giant”. This was followed by Anonymous taking over the KKK’s Twitter account in response to the threat. The account remains under Anonymous’ control to date, and they have further hit all Klan-affiliated sites with DDoS, that is, distributed denial-of-service, attacks. Anonymous is calling this anti-Klan movement Operation KKK and has even changed the logo of the society’s Twitter account to their own.
The transparency of the web obviously has its positives and negatives; however, the web can also be a very dark place to be in. Hacktivists like Anonymous are using the transparency of this ‘cyber age’ to bring to the fore various social and political issues. As of now, it seems like a good move, but how long do you think it will be until both parties start facing repercussions?
Next time you think of leaving your wired headphones plugged into your iOS or Android phone, think again. The wires of headphones act as antennae which can be used to hack into your phone with the right equipment. Welcome to the world of hacking, where radio waves are the newest tool.
A group of researchers at a French government security unit has figured out a way to send silent commands to phones. All that they needed was a laptop and an antenna, things that pretty much fit in a bag.
As with FM radio chips, the headphone wires act as an antenna that catches radio waves and conveys the hacker’s commands to your handset. Depending on these commands, your phone can be used to make calls, send messages, open websites, subvert governments or spark a revolution. However, since this specific kind of hacking doesn’t disable the display of the phone, users are highly likely to notice if their phones start obeying ‘silent’ instructions.
This test was conducted from a distance of 6 feet, with above average gadgets. If they throw in slightly fancier gadgets, hacking would be possible from a distance of up to 16 feet. Looks like it’s time for Apple and Google to sit up and listen.
Dow Jones and Co. ran into a security breach when records of over 3,500 employees were broken into. The cyber-attack involved carte blanche access to payment card and contact information of the people involved. The publishing and financial information firm said in an official statement:
“Out of an abundance of caution, we are notifying you that we recently determined there was unauthorized access to our systems. While we recognize that no company is immune to cyberattacks, we are committed to doing everything we can to protect our customers.”
The goal of the hack is mostly assumed to be an attempt to obtain contact information and send fraudulent solicitations to current and former subscribers. Dow Jones Chief Executive William Lewis mentioned in the letter written to customers yesterday that a potential breach had been reported by law enforcement in late July this year. However, it was confirmed only after investigation that unauthorised access to company records had begun as early as August 2012 and lasted right up to July 2015.
This cyber-attack does not come across as an isolated incident but more like part of a larger scheme that targets other private firms and companies as well. With names like Ashley Madison and Sony that have already been victims of cyber crime, let’s see which company lands itself next in hacking trouble.
Stagefright, Android’s media playback system, was found to have a bug earlier this year in July. The bug allowed hackers to break into any device by simply sending a specially structured text message. However, Google promptly responded to this and fixed the bug.
You may ask how this news is relevant now, in a world of iPhone launches and Google events, about half a year away from Stagefright’s illness. The answer lies in a similar discovery made by Zimperium, the same company that had earlier found this bug. Stagefright is open to two more similar bugs, which require no more than a certain kind of multimedia message this time.
This basically means that a hacker can remotely execute code on a device by sending the user an MP3 or MP4 file containing the required malware. Zimperium mentioned in a blog post:
“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue.”
The one way you can protect yourself from malware until these bugs get fixed is to avoid opening messages containing multimedia files from unknown sources.
Heads up, iOS 9 users. In what seems to be another of the many disappointing updates about Apple, it has been revealed that your photos and contact details are open to access by others in seven basic steps. This comes in the wake of the recent breach of security in Apple’s iOS App Store.
If you thought your iPhone’s lock code and TouchID can protect your data from hacking, it’s time to burst that little bubble with the following seven steps:
The first step requires you to enter a wrong password four times on your PIN-protected Apple device which runs on iOS 9.
Next, on the fifth attempt, enter the first three digits, then press and hold down the home button to launch Siri instantly. Right after this, enter the fourth digit.
On getting a response, ask Siri for the time. Add a new Clock now by tapping on the Clock icon.
Once the new clock has been added, write anything in the Choose a City field, followed by a double tap to get the copy and paste option.
Next you choose the ‘All’ option, followed by ‘Share’, and then the ‘Message’ icon in the Share option, where, once again you type anything.
Now tap ‘Return’, and double tap on the top contact name.
And finally, finish off by selecting ‘Create New Contact’, followed by ‘Add Photo’, and at the end ‘Choose Photo’.
And in this manner, a hacker would have gained access to your entire phone library. However, there is a way to protect your data against this. Disabling Siri on the lock screen by going to the Settings Menu is a way to prevent it. From Settings, select Touch ID and Passcode and then disable Siri. The device would now have to be necessarily unlocked for Siri to work.
While iOS 9 tries to set its feet amidst the quicksands of tech-glitches, it’s better to stay wary of hacking-threats looming overhead. Let’s see what is the next exciting piece of news we get to hear about Apple’s newest devices.
A few days back, Sony Pictures faced an unprecedented cyber attack where all the computers connected to its servers got hacked. All the computers of this major studio were rendered inaccessible. The hackers warned that if their demands weren’t met, they would release sensitive data. They had released .zip files that showed all the data that they had acquired by their contemptible doxxing of the company’s systems. The hackers have now released many upcoming and recently leaked movies from the production house online, along with other important documents. The hacker group, which calls itself Guardians of Peace or #GOP, is now linked to the hermit kingdom of the Democratic People’s Republic of Korea (DPRK) or as they are better known, North Korea.
The country had previously threatened the US with ‘merciless retaliation’ if a movie by Seth Rogen and James Franco was released. The movie, called ‘The Interview’, shows the Hollywood duo as a reporter and a producer going to North Korea to assassinate Kim Jong-Un, the hereditary tyrannical leader of the secluded country. The country said that the release of the movie would be perceived as an act of war. The country’s diplomat, though, denies any role of Pyongyang in the high-level hack.
Right now, the FBI is working with the studio to track down the culprits who perpetrated the hack. It was Re/code that first reported on the possibility of North Korea’s involvement in the hack. After this, even a former top US expert on North Korea said that circumstantial evidence, including the extremely vocal denouncement of the movie, points towards the country.
North Korea had taken serious offense against the movie and threatened merciless retaliation.
The DPRK had previously taken serious offense at another movie called ‘Team America’ that parodied its previous ruler Kim Jong-Il. The country is also blamed for several hack attacks, including an attack last year in which more than 30,000 PCs at South Korean banks and broadcasting companies were hit. Cyber-security experts at Kaspersky Labs claimed to have found technical links between the attack on Sony and other cyber-attacks that occurred in the Middle East and South Korea. The experts are also considering an insider’s hand in the hack, amongst other possibilities.
Well, the identities of the hackers are still shrouded in mystery, but they have managed to cause major damage. The hackers have released four films from the studio into the wild that are getting downloaded actively. These include – Mr. Turner, To Write Love on Her Arms, a reboot of Annie produced by Jay-Z and Still Alice, along with the recently released Brad Pitt movie called Fury. They also leaked a 210-page document which allegedly contains the budget of ‘The Interview’ and salaries of Seth Rogen and James Franco.
The story is still in the making, and we’ll keep our eyes on it. This is the new genre of terrorism in the internet-based information age; seems like cyberspace is where the next generation wars will be fought. So it’s finally the time for the nerds of the world to be the soldiers instead of just being technical support. So if you consider yourself a hacker with skills and want to make tons of cash, both sides of the war will now be open for you.
The free text messaging app on your phone can be used to access your personal information. Hackers and cyber security professionals have claimed that internet companies can access a mobile user’s chat logs and phone data, which includes location, contacts, mail and much more, through some of the free texting apps.
As per TOI, a team of young hackers demonstrated on Sunday how text messages sent through a Chinese free texting app can be decrypted. They said foreign governments could also be using this method to access data for surveillance or spying.
Participants at The Hackers Conference in Delhi on Sunday said the government wasn’t utilizing the potential of hackers despite its websites increasingly coming under attack.
However, hackers are increasingly becoming part of the IT industry and contributing as security experts. “Hackers are paid around Rs 1 lakh per month by social networking sites, search engines and software companies,” said Kishlay, adding that some of these hackers are just teenagers. He further said:
“Hacking is like an art which needs skill to master. It is also like science, extremely logical. Today private companies use ethical hackers to make themselves secure. We know of companies that pay hackers more than they spend on developing software,” said Kishlay Bharadwaj, 24, a freelance security analyst and organizing member of the conference.
White hat hackers are for the good, no matter if they work for any company or for safeguarding the nation from cyber threats.
A total of 78 government websites were hacked and 16,035 incidents related to spam, malware infection and system break-in were reported this year so far, Minister of State for Communications & IT Milind Deora said.
“As per the information reported to and tracked by Indian Computer Response Team (CERT-In), a total number of 308, 371 and 78 government websites were hacked during the years 2011, 2012 and 2013 (up to June) respectively,” Deora said in a written reply to the Lok Sabha.
The Minister said 16,035 security incidents related to scanning, spam, malware infection, denial of service and system break-in including that of government, Defence and public sector undertakings were reported up to June this year. The number of security breach incidents stood at 13,301 in 2011 and 22,060 in 2012, he added.
“It has been observed that attackers are compromising computer systems located in different parts of the world and use masquerading techniques and hidden servers to hide the identity of actual system from which the attacks are being launched. It is difficult to attribute the origin of cyber attacks,” he added.
In order to detect and prevent cyber attacks, the government has taken various measures including release of a National Cyber Security Policy 2013, which addresses protection of information and infrastructure in cyber space and building capabilities to prevent cyber threats.
“All new government websites and applications are to be audited with respect to cyber security prior to their hosting,” Deora said. It has also been mandated that all government websites be hosted on the infrastructure of NIC, ERNET or any other secure infrastructure service provider in the country. The Information Technology Act, 2000 provides the legal framework to address the issues connected with cyber attacks, Deora added.
Apple’s promised fix for an iOS 6.1 bug that enables intruders to bypass a user’s passcode and access certain areas of the phone could be released this week.
According to a report from German site iFun, which was dead-on about the release of iOS 6.1.1, the iOS 6.1.2 release date could come as soon as next week, possibly by February 20th.
The rollout of iOS 6.1 hasn’t gone as smoothly for Apple as the company would have liked.
Not only did the initial release introduce the security issues and battery problems, in addition to a wallop of a 3G connectivity bug for iPhone 4S users in Europe, the follow-up version, iOS 6.1.1 released last week, introduced a bunch of new issues.
iPhone users are still reporting Exchange connectivity bugs, so severe that Microsoft is suggesting affected devices be booted from the server so as not to slow down the rest of the network.
Earlier this week, a video was posted online showing how a complex series of button pushes could nullify the passcode, unlock photo albums, call logs and voicemail, and enable the hacker to modify contacts.
Apple has acknowledged the problem, which is almost identical to one which surfaced in 2010, and said it is hastily working on a fix.
A Turkish hacker group called ‘Turkish Ajan Hacker Group’ has hacked the Indian website of leading pizza company Domino’s. The company’s India operations are handled by its franchise Jubilant FoodWorks. The news was first reported by Cyberwarnews.
After hacking the site, the group leaked details of around 37,000 accounts on Pastebin.com. These included names, contact details (phone numbers, email IDs, city details) as well as passwords. According to Business Standard, the hackers used SQL injection and remote file inclusion to get the data.
However, the website is still operational and is still allowing users to place orders.