Prevention

Auto Added by WPeMatico

Fortnite bugs put accounts at risk of takeover

With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm that says the bug is now fixed.

Researchers at Check Point say the three vulnerabilities chained together could have affected any of its 200 million players. The flaws, if exploited, would have stolen the account access token set on the gamer’s device once they entered their password.

Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.

The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.

Check Point’s Oded Vanunu explains how the bug works. (Image: supplied)

“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.

Here’s how it works: The user clicks on a link, which points to an epicgames.com subdomain, which the hacker embeds a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker.

“If the victim user is not logged into the game, he or she would have to log in first,” said Vanunu. “Once that person is logged in, the account can be stolen.”

Epic Games has since fixed the vulnerability.

“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”

“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.

When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.

Powered by WPeMatico

But not a broken man

I’ve been living for the past few years in a limbo between journalist and entrepreneur, trying to build startups the way I saw them being built onstage at Disrupt and discovering that my skill and will to win are no match against the world. That’s fine. These days I’ll take it.

But for a few minutes in Chicago last May, I couldn’t.

That day was normal for me. I woke up, went and met some folks at a cool startup, visited a great guitar store and had a mediocre deep dish pizza. I then went to an event where I gave my usual rant (and pissed people off) about how smaller market cities are having huge trouble innovating, and then went out with some good people to talk about cool stuff.

Then, on my way back to the hotel, I looked both ways on a busy, dark street and thought long and hard about stepping in front of a Chicago city bus.

Why not? I wasn’t helping. My first startup had failed and everything else was a slow burn. I wasn’t thinking about my family. I wasn’t thinking about my existence on a global scale but on a local one. I could turn off this brain once and for all and I thought everyone would be happier.

I got help. I discovered I was anhedonic and chronically depressed — I couldn’t feel happiness. I had been traveling through life in a haze. I drank a lot to hide this from myself — after all, if you’re hosed you don’t worry about not feeling anything — and I traveled obsessively and spoke onstage so I could feel something, anything, better than the flat grey note that played constantly in my head.

I feel better now. I have a lot of digging to do. I wonder if you’re in the same position.

I’m noodling on this because of Colin Kroll. The specifics of Kroll’s story are unclear, but an overdose is definitely in the mental illness wheelhouse. Maybe he was having a blast, flush on investor money and celebrating a win. I won’t judge.

But he’s dead. And I don’t want you to follow him.

Any of us could end up gone for any number of reasons associated with entrepreneurship. There is the stress, the overwork. There is the sense of failure even amid the greatest successes. There is deep frustration and deep anger. Entrepreneurs are high performers who are used to getting As in life. When that same life gives you a D-, you feel that it’s your fault, that your dreams of success are gold foil over a rotten sweet.

This isn’t true. We all have to work to remind ourselves of this. A startup, like any creative endeavor, is doomed to fail, but its very existence is a miracle. We do it not because we want to make millions but because we want to fix something broken in the world. I write to share cool things with you all. I make startups to help bring the next level of innovation. But I let these efforts get in the way of life. I thought my failures were systemic, that I was proving that I was a failure over and over again and that I had visible proof through my failed efforts. My startup wasn’t me, but I didn’t know that.

In the dull, hot blush of a depressive episode, the embarrassing moment you look at yourself and see nothing but junk, we have to remember that we are making real efforts, building real things, moving way ahead of the pack. The world will catch up.

There are lots of ways to get help. Ask around. You’ll be surprised to hear that your friends and family know great shrinks who can help. You’ll be surprised that going to meetings or talking to someone on the phone can be a great way to assuage mental grief. You’ll be surprised to know that there are people out there for you. Email me if you need help: john@techcrunch.com

This shit is hard. Don’t make it harder by letting it fester.

The National Suicide Prevention Lifeline is a 24-hour, toll-free, confidential suicide prevention hotline available to anyone in suicidal crisis or emotional distress. It provides Spanish-speaking counselors, as well as options for deaf and hard of hearing individuals. It is only available in the United States. A 24-hour Online Chat in partnership with Contact USA is also available.

  • The National Suicide Prevention Lifeline can be reached at 1-800-273-8255.
  • The National Suicide Prevention Lifeline (ESP) can be reached at 1-888-628-9454.
  • The National Suicide Prevention Lifeline (Deaf & Hard of Hearing Options) can be reached at 1-800-799-4889.

Powered by WPeMatico

3D-printed heads let hackers – and cops – unlock your phone

There’s a lot you can make with a 3D printer: from prosthetics, corneas, and firearms — even an Olympic-standard luge.

You can even 3D print a life-size replica of a human head — and not just for Hollywood. Forbes reporter Thomas Brewster commissioned a 3D printed model of his own head to test the face unlocking systems on a range of phones — four Android models and an iPhone X.

Bad news if you’re an Android user: only the iPhone X defended against the attack.

Gone, it seems, are the days of the trusty passcode, which many still find cumbersome, fiddly, and inconvenient — especially when you unlock your phone dozens of times a day. Phone makers are taking to the more convenient unlock methods. Even if Google’s latest Pixel 3 shunned facial recognition, many Android models — including popular Samsung devices — are relying more on your facial biometrics. In its latest models, Apple effectively killed its fingerprint-reading Touch ID in favor of its newer Face ID.

But that poses a problem for your data if a mere 3D-printed model can trick your phone into giving up your secrets. That makes life much easier for hackers, who have no rulebook to go from. But what about the police or the feds, who do?

It’s no secret that biometrics — your fingerprints and your face — aren’t protected under the Fifth Amendment. That means police can’t compel you to give up your passcode, but they can forcibly depress your fingerprint to unlock your phone, or hold it to your face while you’re looking at it. And the police know it — it happens more often than you might realize.

But there’s also little in the way of stopping police from 3D printing or replicating a set of biometrics to break into a phone.

“Legally, it’s no different from using fingerprints to unlock a device,” said Orin Kerr, professor at USC Gould School of Law, in an email. “The government needs to get the biometric unlocking information somehow,” by either the finger pattern shape or the head shape, he said.

Although a warrant “wouldn’t necessarily be a requirement” to get the biometric data, one would be needed to use the data to unlock a device, he said.

Jake Laperruque, senior counsel at the Project On Government Oversight, said it was doable but isn’t the most practical or cost-effective way for cops to get access to phone data.

“A situation where you couldn’t get the actual person but could use a 3D print model may exist,” he said. “I think the big threat is that a system where anyone — cops or criminals — can get into your phone by holding your face up to it is a system with serious security limits.”

The FBI alone has thousands of devices in its custody — even after admitting the number of encrypted devices is far lower than first reported. With the ubiquitous nature of surveillance, now even more powerful with high-resolution cameras and facial recognition software, it’s easier than ever for police to obtain our biometric data as we go about our everyday lives.

Those cheering on the “death of the password” might want to think again. They’re still the only thing that’s keeping your data safe from the law.

Powered by WPeMatico

Want to reduce fraud? Make a better password, dummy!

Researchers at Indiana University have confirmed that stringent password policies – aside from being really annoying – actually work. The research, led by Ph.D. student Jacob Abbott, IU CIO Daniel Calarco, and professor L. Jean Camp. They published their findings in a paper entitled “Factors Influencing Password Reuse: A Case Study.”

“Our paper shows that passphrase requirements such as a 15-character minimum length deter the vast majority of IU users (99.98 percent) from reusing passwords or passphrases on other sites,” said Abbott. “Other universities with fewer password requirements had reuse rates potentially as high as 40 percent.”

To investigate the impact of policy on password reuse, the study analyzed password policies from 22 different U.S. universities, including their home institution, IU. Next, they extracted sets of emails and passwords from two large data sets that were published online and contained over 1.3 billion email addresses and password combinations. Based on email addresses belonging to a university’s domain, passwords were compiled and compared against a university’s official password policy.

The findings were clear: Stringent password rules significantly lower a university’s risk of personal data breaches.

In short, requiring longer passwords and creating a truly stringent password policy reduced fraud and password reuse by almost 99%. Further, the researchers found that preventing users from adding their name or username inside passwords it’s also pretty helpful. Ultimately, having a stringent password policy is far better than have none at all. It’s a no-brainer but it could be an important data point for your next tech project.

Powered by WPeMatico

Alphabet’s Chronicle launches an enterprise version of VirusTotal

VirusTotal, the virus- and malware-scanning service owned by Alphabet’s Chronicle, launched an enterprise-grade version of its service today.

VirusTotal Enterprise offers significantly faster and more customizable malware search, as well as a new feature called Private Graph, which allows enterprises to create their own private visualizations of their infrastructure and malware that affects their machines.

The Private Graph makes it easier for enterprises to create an inventory of their internal infrastructure and users to help security teams investigate incidents (and where they started). In the process of building this graph, VirtusTotal also looks are commonalities between different nodes to be able to detect changes that could signal potential issues.

The company stresses that these graphs are obviously kept private. That’s worth noting because VirusTotal already offered a similar tool for its premium users — the VirusTotal Graph. All of the information there, however, was public.

As for the faster and more advanced search tools, VirusTotal notes that its service benefits from Alphabet’s massive infrastructure and search expertise. This allows VirusTotal Enterprise to offer a 100x speed increase, as well as better search accuracy. Using the advanced search, the company notes, a security team could now extract the icon from a fake application, for example, and then return all malware samples that share the same file.

VirusTotal says that it plans to “continue to leverage the power of Google infrastructure” and expand this enterprise service over time.

Google acquired VirusTotal back in 2012. For the longest time, the service didn’t see too many changes, but earlier this year, Google’s parent company Alphabet moved VirusTotal under the Chronicle brand and the development pace seems to have picked up since.

Powered by WPeMatico

Ransomware technique uses your real passwords to trick you

A few folks have reported a new ransomware technique that preys upon corporate inability to keep passwords safe. The notes – which are usually aimed at instilling fear – are simple: the hacker says “I know that your password is X. Give me a bitcoin and I won’t blackmail you.”

Programmer Can Duruk reported getting the email today.

Woah. This is cool. A Bitcoin ransom with using what I think is passwords from a big leak. Pretty neat since people would be legit scared when they see their password. The concealed part is actually an old password I used to use. pic.twitter.com/clEYiFqvHY

— can (@can) July 11, 2018

The email reads:

I’m aware that X is your password.

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google) .

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

To be clear there is very little possibility that anyone has video of you cranking it unless, of course, you video yourself cranking it. Further, this is almost always a scam. That said, the fact that the hackers are able to supply your real passwords – most probably gleaned from the multiple corporate break-ins that have happened over the past few years – is a clever change to the traditional cyber-blackmail methodology.

Luckily, the hackers don’t have current passwords.

“However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers,” wrote researcher Brian Krebs. In short, the password files the hackers have are very old and outdated.

To keep yourself safe, however, cover your webcam when not in use and change your passwords regularly. While difficult, there is nothing else that can keep you safer than you already are if you use two-factor authentication and secure logins.

Powered by WPeMatico

Matroid picks up $10M Series A to automate video stream monitoring

 As computer vision and object recognition technology continue to mature, we’re edging closer to automating away the exceedingly boring task of monitoring closed circuit TV cameras. Matroid is one of the startups leading the democratization of this variety of machine intelligence. The company is announcing a $10 million Series A this morning from NEA and Intel Capital that brings… Read More

Powered by WPeMatico

A perfect storm of corporate idiocy

 At this point in the game there should be a single page on every corporate website, preferably accessible from its front page, that includes the name and all contact details for the Chief Security Officer, including the last four digits of her social security number. It should be her responsibility to ensure that no one uses this information for nefarious purposes in addition to her daily… Read More

Powered by WPeMatico

It’s time to build our own Equifax with blackjack and crypto

 The private data of 143 million Equifax “customers” is now available for download. Have no doubt: This means you will be hacked. This means your SIM card can be spoofed. This means someone will try to get into your email and online accounts. This means someone will try to open a credit card in your name. This crass, callow, and lazy treatment of our digital data cannot stand.… Read More

Powered by WPeMatico

Matt Mitchell of CryptoHarlem is building an open source tool to help organizations prepare for data breaches

 This morning on the stage of TC Sessions: Justice, Matt Mitchell of CryptoHarlem discussed his views on the link between surveillance and minority oppression and the importance of taking a preventative approach to security and privacy. Mitchell, a specialist in digital safety and encryption, is dedicating time to creating Protect Your Org, a free, open source, tool for all organizations… Read More

Powered by WPeMatico