hacking
Auto Added by WPeMatico
Auto Added by WPeMatico
I cover a lot of data breaches. From inadvertent exposures to data-exfiltrating hacks, I’ve seen it all. But not every data breach is the same. How a company responds to a data breach — whether it was their fault — can make or break its reputation.
I’ve seen some of the worst responses: legal threats, denials and pretending there isn’t a problem at all. In fact, some companies claim they take security “seriously” when they clearly don’t, while other companies see it merely as an exercise in crisis communications.
But once in a while, a company’s response almost makes up for the daily deluge of hypocrisy, obfuscation and downright lies.
Last week, Assist Wireless, a U.S. cell carrier that provides free government-subsidized cell phones and plans to low-income households, had a security lapse that exposed tens of thousands of customer IDs — driver’s licenses, passports and Social Security cards — used to verify a person’s income and eligibility.
A misconfigured plugin for resizing images on the carrier’s website was blamed for the inadvertent data leak of customer IDs to the open web. Security researcher John Wethington found the exposed data through a simple Google search. He reported the bug to TechCrunch so we could alert the company.
Make no mistake, the bug was bad and the exposure of customer data was far from ideal. But the company’s response to the incident was one of the best I’ve seen in years.
Take notes, because this is how to handle a data breach.
Their response was quick. Assist immediately responded to acknowledge the receipt of my initial email. That’s already a positive sign, knowing that the company was looking into the issue.
Powered by WPeMatico
With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm that says the bug is now fixed.
Researchers at Check Point say the three vulnerabilities chained together could have affected any of its 200 million players. The flaws, if exploited, would have stolen the account access token set on the gamer’s device once they entered their password.
Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.
The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.
Check Point’s Oded Vanunu explains how the bug works. (Image: supplied)
“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.
Here’s how it works: The user clicks on a link, which points to an epicgames.com subdomain, which the hacker embeds a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker.
“If the victim user is not logged into the game, he or she would have to log in first,” said Vanunu. “Once that person is logged in, the account can be stolen.”
Epic Games has since fixed the vulnerability.
“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”
“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.
When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.
Powered by WPeMatico
Security company Armis has found a collection of eight exploits, collectively called BlueBorne, that can allow an attacker access to your phone without touching it. The attack can allow access to computers and phones, as well as IoT devices. “Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and… Read More
Powered by WPeMatico
The business of hacking has dealt a huge blow to our democracy, not to mention a plethora of organizations and individuals, and our collective sense of sanity. One silver lining, however, has been that it has led to the emergence of a number of security startups that are building and deploying a range of tools to try to track and stop the nefarious activity. One of the larger of these… Read More
Powered by WPeMatico
It was a big day for IBM today as it opened its shiny new security headquarters in Kendall Square in Cambridge, MA, complete with what the company is calling the first commercial cyber range. A cyber range is a network security testing environment, and is typically run by the military or military contractors. This one, dubbed X-Force Command, however, is much more than a couple of terminals in… Read More
Powered by WPeMatico
The mobile security market is taking off due to high-profile hackings. Is there such a thing as an unhackable phone? Consider this: The smartphone in your pocket is 10 times more powerful than the fastest supercomputers of just 20 years ago. The complexity is mind-boggling — and so are all the security vulnerabilities. Anyone claiming to sell an “unhackable phone” is… Read More
Powered by WPeMatico
People are trying to steal your credentials or trick you into giving them important information. They are exploiting unpatched operating systems, locating security holes in applications and hacking into unprotected hardware. You’re not paranoid, you’re told. Hackers, con artists and social engineers really are out to get you, and frankly you’re pretty helpless to stop them.… Read More
Powered by WPeMatico
vArmour, a security startup that has been in stealth mode for the past three years, is today announcing not one but two more rounds of funding as it finally gears up for a launch later this year. The startup, based out of Mountain View, has raised $36 million in Series B and Series C rounds. The first of these, a $15 million tranche from December 2013, was led by Menlo Ventures (which has led… Read More
Powered by WPeMatico