Flightradar24, one of the world’s most popular flight tracking services, which shows real-time aircraft flight information on a map, has suffered a massive data breach that may have compromised the email addresses and hashed passwords of more than 230,000 customers.
Without revealing any information about the breach publicly via its blog or social media accounts, Flightradar24 started sending emails to affected users earlier this week with a password reset link, asking them to change their passwords.
The terse email notice of a suddenly announced breach, combined with a unique password reset link for each user, led some customers to suspect that they were the target of a phishing attack.
However, the company later confirmed the breach while responding to customers’ queries on its official forum and on Twitter, saying that the breach notifications received via email are legitimate and that neither payment nor personal information has been compromised.
“The security breach may have compromised the email addresses and hashed passwords for a small subset of Flightradar24 users (those who registered prior to March 16, 2016),” the company said.
“We have already invalidated your old password and the link in the email will allow you to create a new password.”
The Sweden-based company also confirmed that the security breach was limited to only one of its servers, which was shut down immediately after the intrusion was detected late last week.
The company said that the breached passwords were hashed, though it did not specify the hashing algorithm or whether the hashes were salted; a per-user salt adds an extra layer of security to hashed passwords, since it prevents identical passwords from producing identical hashes and forces an attacker to crack each one separately.
To protect its customers’ accounts in case attackers manage to crack some of the hashes, Flightradar24 has already expired the previous passwords of affected users, forcing them to set a new password before accessing their accounts.
If you reused the same credentials on other online services and platforms, it would also be a good idea to change those passwords as well.
Here is how an Android app installed from a third-party source or via peer-to-peer app sharing can now receive its updates directly from the Google Play Store.
Until now, for security reasons, apps installed from third-party sources could not be updated automatically over the air, because Google did not recognize them as Play Store apps and they did not appear in your Google account’s app list.
Late last year, Google announced its plan to set up an automated mechanism to verify the authenticity of an app by adding a small amount of security metadata on top of each Android application package (in the APK Signing Block) distributed by its Play Store.
This metadata acts like a digital signature that lets your Android device verify that an app you installed from a third-party source originally came from the Play Store and has not been tampered with (for example, by having malware attached to it).
Google has been rolling out this mechanism since early 2018. It requires no action from Android users or app developers, and it helps keep users secure by adding peer-to-peer shared apps to the user’s Play Store Library so that regular updates can be pushed to them.
Additionally, Google yesterday announced a new enhancement to its plan by adding offline support for metadata verification that would allow your Android OS to determine the authenticity of “apps obtained through Play-approved distribution channels” while the device is offline.
“One of the reasons we’re doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity,” said James Bender, Product Manager at Google Play. “This will give people more confidence when using Play-approved peer-to-peer sharing apps.”
It should be noted that this feature does not protect you from the risks of installing apps from third-party sources; it merely lets you receive the latest updates for apps that originated from the Google Play Store.
Last year, as part of its mission to secure the Android ecosystem, Google also added built-in behavior-based malware protection for Android devices, called Google Play Protect, which uses machine learning and app usage analysis to weed out dangerous and malicious apps.
Google Play Protect not only scans apps installed from the official Play Store but also monitors apps installed from third-party sources.
Moreover, Play Protect now also supports offline scanning, which suggests that it will handle the newly introduced metadata verification as well.
Although the Play Store itself is not completely immune to malware, users are still advised to download apps from the official store, preferably those published by reputable developers, to minimize the risk of their devices being compromised.
Mobile security researchers have discovered unprotected Firebase databases belonging to thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plaintext passwords, user IDs, location data and, in some cases, financial records such as banking and cryptocurrency transactions.
Google’s Firebase service is one of the most popular back-end development platforms for mobile and web applications. It offers developers a cloud-based database that stores data in JSON format and syncs it in real time with all connected clients.
Researchers from mobile security firm Appthority discovered that many app developers fail to properly secure their back-end Firebase endpoints with firewalls and authentication, leaving hundreds of gigabytes of their customers’ sensitive data publicly accessible to anyone.
Since Firebase offers app developers an API server, as shown below, to access their databases hosted with the service, attackers can gain access to unprotected data by just adding “/.json” with a blank database name at the end of the hostname.
Sample API URL: https://<Firebase project name>.firebaseio.com/<database>.json
Payload to access data: https://<Firebase project name>.firebaseio.com/.json
To gauge the extent of the issue, the researchers scanned over 2.7 million apps and found that more than 3,000 of them (2,446 Android and 600 iOS apps) were leaking 2,300 databases with more than 100 million records, amounting to over 113 gigabytes of exposed data.
The vulnerable Android apps alone were downloaded more than 620 million times.
Affected apps belong to multiple categories such as telecommunication, cryptocurrency, finance, postal services, ride-sharing companies, educational institutions, hotels, productivity, health, fitness, tools and more.
The researchers also provided a brief analysis, given below, of the data they downloaded from the vulnerable applications.
The root cause is that the Google Firebase service does not secure user data by default: developers must explicitly implement user authentication on all database rows and tables to protect their databases from unauthorized access.
“The only security feature available to developers is authentication and rule-based authorization,” the researchers explain. What’s worse? There are no “third-party tools available to provide encryption for it.”
The researchers said they had already contacted Google and provided a list of all vulnerable app databases, and had also contacted several app developers to help them fix the issue.
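Since the root cause described above is a rules document that never requires authentication, here is an added Python example (not Appthority’s or Google’s code) that walks a Firebase Realtime Database rules document and reports every `.read` or `.write` rule an unauthenticated client would satisfy, with the permissive “test mode” rules beside a locked-down set. The three sample rule documents are constructed for this example, and the “rule never mentions `auth`” heuristic is an assumption of the example, not a Firebase API.

```python
import json
from typing import Any, List, Tuple

# Constructed sample rule documents (not taken from any real app).
# Firebase "test mode": the whole tree is world-readable and world-writable,
# which is exactly the state that makes /.json answer without credentials.
TEST_MODE_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# A common variant: open until some date. Still no authentication required.
OPEN_UNTIL_DATE_RULES = json.dumps({
    "rules": {".read": "now < 1893456000000", ".write": "now < 1893456000000"}
})

# Locked-down rules: deny by default, each user may only touch their own subtree.
LOCKED_RULES = json.dumps({
    "rules": {
        ".read": False,
        ".write": False,
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
    }
})


def rule_is_permissive(expr: Any) -> bool:
    """Heuristic (an assumption of this example): a .read/.write rule that never
    mentions `auth` cannot require a signed-in user, so anyone who knows the
    project name satisfies it. Literal true and time-bounded rules are the
    usual offenders; False (or anything unexpected) is treated as closed."""
    if expr is True:
        return True
    if isinstance(expr, str):
        return "auth" not in expr
    return False


def find_permissive_paths(rules_json: str) -> List[Tuple[str, str, Any]]:
    """Walk the rules tree and return (path, kind, rule) for every .read/.write
    that unauthenticated clients satisfy. Rules cascade downward in the Realtime
    Database, so a single hit at "/" exposes the entire database."""
    findings: List[Tuple[str, str, Any]] = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                if rule_is_permissive(value):
                    findings.append((path or "/", key, value))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings


if __name__ == "__main__":
    for name, doc in (("test mode", TEST_MODE_RULES),
                      ("open until date", OPEN_UNTIL_DATE_RULES),
                      ("locked", LOCKED_RULES)):
        print(f"{name:15s} ->", find_permissive_paths(doc) or "no unauthenticated access")
```

Run it against the rules JSON exported from your own project before release; any finding at `/` means the whole database is readable or writable by anyone who guesses the hostname.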
Security researchers have been warning about a simple technique that cyber criminals and email scammers are using in the wild to bypass most AI-powered phishing detection mechanisms implemented by widely used email services and web security scanners.
Dubbed ZeroFont, the technique involves inserting hidden words with a font size of zero into the actual content of a phishing email, keeping its visual appearance the same while making it look benign to email security scanners.
According to cloud security company Avanan, Microsoft Office 365 also fails to detect emails crafted with the ZeroFont technique as malicious.
Like Microsoft Office 365, many email and web security services use natural language processing and other artificial-intelligence-based machine learning techniques to identify malicious or phishing emails faster.
The technology helps security companies analyze, understand and derive meaning from unstructured text embedded in an email or web page by identifying text-based indicators, such as email scams mimicking a popular company, phrases used to request payments or password resets, and more.
However, by adding random zero-font-size characters between the indicator texts in a phishing email, cybercriminals can turn those indicators into unstructured garbage text, hiding them from the natural language processing engine.
As a result, the email looks normal to the human eye, but Microsoft reads the entire garbage text, even though some words are displayed with a font size of “0.”
“Microsoft can not identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version,” reads Avanan’s blog post. “Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user.”
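To make the ZeroFont point concrete from the detection side, here is an added Python example (not Avanan’s or Microsoft’s code): a small HTML walker that rebuilds the text a reader actually sees, dropping anything under a zero font size, `display:none` or `visibility:hidden`, so that brand and keyword indicators are evaluated on rendered text rather than on the raw markup. The sample email body is constructed.

```python
import re
from html.parser import HTMLParser
from typing import List

# CSS that makes an element's text invisible to a reader. "font-size: 0" (any unit,
# optionally !important) is the ZeroFont trick; the other two are classic hiding.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?(?:px|pt|em|rem|%)?(?:\s*!important)?\s*(?:;|$)"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden",
    re.IGNORECASE,
)
# Elements that are never closed, so they must not be pushed on the nesting stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class VisibleTextExtractor(HTMLParser):
    """Collect only the text a reader would see; text under a hidden element is dropped."""

    def __init__(self) -> None:
        super().__init__()
        self.visible: List[str] = []
        self.hidden_depth = 0          # > 0 while inside at least one hidden element
        self._stack: List[bool] = []   # per open element: did it start a hidden region?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style))
        self._stack.append(hidden)
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self.hidden_depth -= 1

    def handle_startendtag(self, tag, attrs):   # <br/>-style self-closing tags
        if tag not in VOID_TAGS:
            self.handle_starttag(tag, attrs)
            self.handle_endtag(tag)

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.visible.append(data)


def visible_text(html: str) -> str:
    """Text as rendered: zero-font and hidden fragments removed, whitespace collapsed."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.visible)).strip()


def raw_text(html: str) -> str:
    """Text the way a style-unaware scanner sees it: every text node, hidden or not."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", html)).strip()


def mentions_brand(text: str, brand: str) -> bool:
    """The kind of indicator check an NLP filter runs; feed it visible_text(), not raw_text()."""
    return brand.lower() in text.lower()


# Constructed sample phishing body: zero-font junk splits the brand name so that
# the raw text no longer contains the word "Microsoft".
SAMPLE = ('<p>Dear user, your <span style="font-size:0">xq</span>Micro'
          '<span style="font-size: 0px !important">zz</span>soft account needs a '
          '<span style="display:none">ignore</span>password reset.</p>')

if __name__ == "__main__":
    print("raw    :", raw_text(SAMPLE), "->", mentions_brand(raw_text(SAMPLE), "Microsoft"))
    print("visible:", visible_text(SAMPLE), "->", mentions_brand(visible_text(SAMPLE), "Microsoft"))
```

Inline styles are the common case in email; a fuller implementation would also resolve `<style>` blocks and classes, since the same zero size can be applied through a class name.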
Besides the ZeroFont technique, Avanan also detected hackers using other similar tricks that involve Punycode, Unicode, or Hexadecimal Escape Characters in their phishing attacks.
Last month, researchers from the same company reported that cybercriminals had been splitting up malicious URLs in a way that the Safe Links security feature in Office 365 failed to identify and rewrite the partial hyperlink, eventually redirecting victims to the phishing site.
Remember the ‘Olympic Destroyer’ cyber attack?
The group behind it is still alive and kicking, and has now been found targeting biological and chemical threat prevention laboratories in Europe and Ukraine, as well as a few financial organisations in Russia.
Earlier this year, an unknown group of notorious hackers targeted Winter Olympic Games 2018, held in South Korea, using a destructive malware that purposely planted sophisticated false flags to trick researchers into mis-attributing the campaign.
The deception succeeded to some extent, at least for the next few days: researchers who performed post-mortems of the Olympic Destroyer malware immediately after the attack attributed it to different nation-state hacking groups from North Korea, Russia, and China.
Later researchers from Russian antivirus vendor Kaspersky Labs uncovered more details about the attack, including the evidence of false attribution artifacts, and concluded that the whole attack was a masterful operation in deception.
Now according to a new report published today by Kaspersky Labs, the same group of hackers, which is still unattributed, has been found targeting organisations in Russia, Ukraine, and several European countries in May and June 2018, specifically those organizations that respond to and protect against biological and chemical threats.
New Attack Shares Similarities With Olympic Destroyer
During their investigation, researchers found that the exploitation and deception tactics used by the newly discovered campaign share many similarities with the Olympic Destroyer attack.
“In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past,” the researchers said. “They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection.”
Just like Olympic Destroyer, the new attack targets users affiliated with specific organisations using spear-phishing emails that appear to come from an acquaintance and carry an attached document.
If a victim opens the malicious document, it uses macros to download and execute multiple PowerShell scripts in the background and to install the final, third-stage payload, which takes remote control of the victim’s system.
The researchers found that the technique used to obfuscate and decrypt the malicious code is the same as that used in the original Olympic Destroyer spear-phishing campaign.
The second-stage script disables PowerShell script logging to avoid leaving traces and then downloads the final “Powershell Empire agent” payload, which allows fileless control of the compromised systems over an encrypted communication channel.
Hackers Target Biological and Chemical Threat Prevention Laboratories
According to the researchers, the group has attempted to gain access to computers in countries, including France, Germany, Switzerland, Russia, and Ukraine.
Researchers found evidence of hackers primarily targeting people affiliated with an upcoming biochemical threat conference, called Spiez Convergence, held in Switzerland and organized by Spiez Laboratory.
Spiez Laboratory played an essential role in investigating the poisoning in March of a former Russian spy in the UK. The U.K. and the U.S. both said Russia was behind the poisoning and expelled dozens of Russian diplomats.
Another document targeted the Ministry of Health in Ukraine.
It is not yet known who is behind these attacks, but Kaspersky advises all biochemical threat prevention and research organizations to strengthen their IT security and run unscheduled security audits.
A 29-year-old former CIA computer programmer who was charged with possession of child pornography last year has now been charged with masterminding the largest leak of classified information in the agency’s history.
Joshua Adam Schulte, who once created malware for both the CIA and the NSA to break into adversaries’ computers, was indicted Monday by the Department of Justice on 13 charges of allegedly stealing and transmitting thousands of classified CIA documents, software projects, and hacking utilities.
Schulte has also been suspected of leaking the stolen archive of documents to the anti-secrecy organization WikiLeaks, which then began publishing the classified information in March 2017 in a series of leaks under the name “Vault 7.”
It is not yet confirmed whether Schulte leaked the documents to WikiLeaks or, if so, when, but he had been a suspect since January 2017 in the theft of classified national defense information from the CIA in 2016.
According to the indictment, after stealing the classified documents, Schulte tried to cover his tracks by altering a computer operated by the US Intelligence Agency to grant him unauthorized access to the system in March and June of 2016 and then deleting records of his activities and denying others access to the system.
In March 2017, when WikiLeaks began releasing some of the CIA’s hacking tools, FBI agents searched Schulte’s apartment as part of an ongoing investigation to find the mastermind behind the Vault 7 leaks.
Instead, the FBI found images of children being molested by adults on a server he had created in 2009 while he was a student at the University of Texas. The maximum penalty for this is 130 years in prison.
Schulte was arrested in August 2017 for possession of child pornography, but prosecutors had been unable to bring charges of “disclosure of the classified information” against him until now.
However, now the revised indictment includes 13 counts of charges related to the theft and disclosure of the classified information to WikiLeaks and his possession of child pornography.
Here’s the list of charges against him:
Schulte has pleaded not guilty to the child pornography charges and has repeatedly denied any involvement in the Vault 7 case.
The Vault 7 release was one of the most significant leaks in the CIA’s history, exposing secret cyber weapons and spying techniques that the United States used to monitor or break into computers, mobile phones, televisions, webcams, video streams, and more.
For more information on the hacking tools and techniques, you can head on to our previous coverage of the Vault 7 leaks.
BitTorrent, the company which owns the popular file-sharing client uTorrent, has quietly been sold for $140 million in cash to Justin Sun, the founder of blockchain-focused startup TRON.
TRON is a decentralized entertainment and content-sharing platform that uses blockchain and distributed storage technology. It allows users to publish content without having to use third-party platforms such as YouTube or Facebook, and trades in Tronix (TRX) cryptocurrency.
Since BitTorrent is one of the most recognizable brands in the world for decentralized computing and peer-to-peer (P2P) networking, and TRON aims to establish a truly decentralized Internet, BitTorrent would be of great use for Sun to help achieve that goal.
There were reports that the two were in negotiations for at least a month, and just yesterday, Variety reported that BitTorrent Inc. was sold to Sun last week, but the report did not disclose the deal price.
Now, TechCrunch is reporting that TRON’s founder has agreed to pay $140 million to acquire BitTorrent, without revealing any further details on how exactly Sun would utilize the company for TRON’s business.
Sun first started talking to BitTorrent about a possible acquisition late last year and even signed a letter of intent to acquire the company in January with a ‘no-shop’ clause, which meant BitTorrent was not allowed to negotiate any other deals while the letter was valid.
BitTorrent reportedly violated the clause and Sun ended up suing the company in January, but the lawsuit was eventually dropped, and Sun created a new company called Rainberry Acquisition Inc.
Around the same time, BitTorrent Inc. renamed its corporate entity to Rainberry Inc., and on the same day, both filed paperwork reflecting a merger.
Neither TRON nor BitTorrent has shared Sun’s plans for the future of BitTorrent’s technology, but reportedly the move is aimed at shielding TRON’s technology from allegations of plagiarism.
The technology could also be used to build a network that helps TRON mine cryptocurrencies using BitTorrent’s P2P architecture and its vast user base of over 170 million, something its popular µTorrent client was previously caught doing.
Security researchers are warning of an almost decade-old issue with a macOS feature that was designed for users’ convenience but potentially exposes the contents of files stored on password-protected encrypted drives.
Earlier this month, security researcher Wojciech Regula from SecuRing published a blog post about the “Quick Look” feature in macOS, which lets users preview photos, documents, or folders without opening them.
Regula explained that the Quick Look feature generates thumbnails for each file and folder, giving users a convenient way to evaluate files before opening them.
However, these cached thumbnails are stored on the computer’s non-encrypted hard drive, at a known and unprotected location, even if those files/folders belong to an encrypted container, eventually revealing some of the content stored on encrypted drives.
Patrick Wardle, chief research officer at Digita Security, shared the concern, saying that the issue has been known for at least eight years; “however the fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion.”
To prove his claim, Regula created two new encrypted containers, one using VeraCrypt software and the second with macOS Encrypted HFS+/APFS drives, and then saved a photo in each of them.
As explained in his post, after running a simple command on his system, Regula was able to find the path and cached files for both images left outside the encrypted containers.
“It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path,” Regula said.
In a separate blog post, Wardle demonstrated that macOS behaves the same way for password-protected encrypted APFS containers, exposing even encrypted volumes to potential snooping.
“If we unmount the encrypted volume, the thumbnails of the file are (as previously mentioned) still stored in the user’s temporary directory, and thus can be extracted,” Wardle said.
“If an attacker (or law enforcement) has access to the running system, even if the password-protected encrypted containers are unmounted (as thus their contents ‘safe’), this caching ‘feature’ can reveal their contents.”
Wardle also noted that if you connect a USB drive to your Mac, the system will create thumbnails of files residing on the external drive and store them on its boot drive.
Wardle believes it would be pretty easy for Apple to resolve this issue by either not generating a preview if the file is within an encrypted container, or deleting the cache when a volume is unmounted.
Until Apple resolves this issue, Wardle advises users to manually delete the Quick Look cache whenever they unmount an encrypted container.
Given the current Fortnite craze across the globe, we understand if you have been searching the web for download links to a Fortnite APK for your Android phone.
You are not alone: thousands of people are also searching the Internet for tutorials and links for “how to install Fortnite on Android” or “how to download Fortnite for Android.”
The game has taken the world by storm since its launch, just as Minecraft and Pokémon Go did before it. Fortnite spent the first third of 2018 breaking records, with an astonishing 3.4 million players playing the game at the same time in February.
However, keep this in mind: Fortnite for Android smartphones is not available yet and is still under development.
In March when Epic Games released Fortnite game for iOS, the company also announced that the world’s most famous battle royale game with more than 125 million players is also coming to Android this summer.
We know many of you are excited about the release, but the news did catch the attention of nefarious scammers and cybercriminals as well who are trying their best to fool smartphone users with fake and malicious apps.
YouTube Videos Sharing Fortnite Android APKs Get Millions of Views
Because of the massive interest in Fortnite, many gaming and tutorial websites have started taking advantage of Android users’ impatience with frighteningly convincing scams, which are all over Google and YouTube.
Just search for “Fortnite Android App” on YouTube and the front page will display a long list of videos on “How to install Fortnite on Android,” claiming to include links to actual Fortnite APK files, which have been viewed millions of times.
The videos offer tutorials recommending that Android users “install a few other apps” to unlock the Fortnite game. If downloaded, these apps generate revenue for their developers.
“Millions of views on YouTube for fake “How to install Fortnite on Android” videos including links to actual APK files. Don’t install #Fortnite for Android, it’s all fake or malicious! The official app is not released yet. They mostly generate revenue for developers,” Lukas Stefanko, the malware researcher at ESET tweeted.
Such apps could even help their creators compromise your Android device completely.
A quick Google search also reveals many links that purport to be official Fortnite app downloads, but they are crafted either to target Fortnite players specifically or Android users in general.
The Bottom Line:
The Fortnite Battle Royale game is currently available on Xbox One, PC, PS4 and iOS, and its official Android release has been set to “this summer.”
So, people searching for ‘How to install Fortnite on Android?’ need to calm down and wait for the official release, and most importantly, stay away from malicious apps being offered by third-party developers.
Downloading apps from sites other than Google’s official Play Store does not always end in malware, but it certainly increases the risk of your phone being fully compromised.
Even when you see a Fortnite Android release in the official Google Play Store, I would recommend downloading it only if the official developer, Epic Games, is the one who posted it.
In short, until the official release, anything claiming to be a Fortnite APK download is a scam.
A security researcher has discovered a critical vulnerability in some of the world’s most popular and widely used email encryption clients that use OpenPGP standard and rely on GnuPG for encrypting and digitally signing messages.
The disclosure comes almost a month after researchers revealed a series of flaws, dubbed eFail, in PGP and S/MIME encryption tools that could allow attackers to reveal encrypted emails in plaintext, affecting a variety of email programs, including Thunderbird, Apple Mail, and Outlook.
Software developer Marcus Brinkmann discovered that an input sanitization vulnerability, which he dubbed SigSpoof, makes it possible for attackers to fake digital signatures with someone’s public key or key ID, without requiring any of the private or public keys involved.
The vulnerability, tracked as CVE-2018-12020, affects popular email applications and libraries including GnuPG, Enigmail, GPGTools and python-gnupg, and has now been patched in their latest available software updates.
As explained by the researcher, the OpenPGP format allows the “filename” of the original input file to be included in signed or encrypted messages (in the literal data packet), and GnuPG can print that filename into the same data pipe as its status messages (including signature information), using a predefined keyword to separate the status lines from the rest.
“These status messages are parsed by programs to get information from gpg about the validity of a signature and other parameters,” GnuPG maintainer Werner Koch said in an advisory published today.
During decryption at the recipient’s end, the client application splits up that output using the keyword and displays the message as carrying a valid signature; the attack works if the user has the verbose option enabled in their gpg.conf file.
However, the researcher found that the included file name, which can be up to 255 characters long, is not properly sanitized by the affected tools, potentially allowing an attacker to “include line feeds or other control characters in it.”
Brinkmann demonstrated how this loophole can be used to inject arbitrary (fake) GnuPG status messages into the application’s parser in order to spoof signature verification and message decryption results.
“The attack is very powerful, and the message does not even need to be encrypted at all. A single literal data (aka ‘plaintext’) packet is a perfectly valid OpenPGP message, and already contains the ‘name of the encrypted file’ used in the attack, even though there is no encryption,” Brinkmann says.
The researcher also believes that the flaw has the potential to affect “a large part of our core infrastructure” that went well beyond encrypted email, since “GnuPG is not only used for email security but also to secure backups, software updates in distributions, and source code in version control systems like Git.”
Brinkmann also shared three proofs-of-concept showing how signatures can be spoofed in Enigmail and GPGTools, how the signature and encryption can be spoofed in Enigmail, as well as how a signature can be spoofed on the command line.
Since maintainers of three popular email clients have patched the issue, users are advised to upgrade their software to the latest versions.
If you are a developer, you are advised to add “--no-verbose” to all invocations of GPG and to upgrade to python-gnupg 0.4.3.
Applications using GPGME as the crypto engine are safe. Also, GnuPG invocations with the “--status-fd” flag set and the “--verbose” flag not set are safe.
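As an added example (not GnuPG’s, Enigmail’s or Brinkmann’s code), the Python below shows why the “--status-fd” and “--no-verbose” advice matters to anything that parses gpg status lines: a typical status-line parser, a constructed stream in which a verbose diagnostic line carries a filename with an embedded line feed, and a wrapper that gives status output its own pipe so diagnostic text never reaches the parser. Both stream contents, the key ID and the signer name are constructed; the assumption that the dedicated status channel does not reproduce the raw filename is marked in the code.

```python
import os
import subprocess
from typing import Dict, List, Tuple

STATUS_PREFIX = "[GNUPG:] "


def parse_status(stream: str) -> List[Tuple[str, str]]:
    """Return (keyword, arguments) for every gpg status line in the stream."""
    found = []
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, rest = line[len(STATUS_PREFIX):].partition(" ")
            found.append((keyword, rest))
    return found


def signature_verdict(stream: str) -> Dict[str, object]:
    """Verdict in the style of a typical gpg wrapper: a GOODSIG line means valid
    unless BADSIG/ERRSIG/NO_PUBKEY also appears. The parser itself is fine; the
    hazard is feeding it a stream that also carries diagnostic text."""
    tokens = parse_status(stream)
    keywords = {k for k, _ in tokens}
    signers = [rest for k, rest in tokens if k == "GOODSIG"]
    return {"valid": bool(signers) and not keywords & {"BADSIG", "ERRSIG", "NO_PUBKEY"},
            "signers": signers}


# Constructed streams for this example (no real OpenPGP message is built here).
# 1) Status lines and verbose diagnostics share one channel (status on fd 2 plus
#    --verbose). The "original file name" comes from the message itself, so a line
#    feed inside it makes the next physical line look exactly like a status line.
CONTROLLED_FILENAME = ("report.txt\n"
                       "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>")
MIXED_STREAM = (
    f"gpg: original file name='{CONTROLLED_FILENAME}'\n"
    "[GNUPG:] PLAINTEXT 62 0 report.txt\n"
)
# 2) Status on a dedicated descriptor with --no-verbose: no diagnostic lines at all.
#    Assumption of this example: the status channel does not carry the raw, unescaped
#    filename; confirm against the GnuPG version you deploy.
DEDICATED_STATUS_STREAM = "[GNUPG:] PLAINTEXT 62 0 report.txt\n"


def gpg_verify_argv(gpg: str, status_fd: int, signed_file: str) -> List[str]:
    """Argument vector that sends status lines to their own descriptor and turns off
    verbose diagnostics, per the advice above."""
    return [gpg, "--batch", "--no-tty", "--no-verbose",
            "--status-fd", str(status_fd), "--verify", signed_file]


def verify_with_dedicated_status_fd(signed_file: str, gpg: str = "gpg") -> Dict[str, object]:
    """Run gpg with status output on a private pipe; stderr is never parsed.
    Needs a gpg binary and a real signed file, so the example does not call it."""
    read_end, write_end = os.pipe()
    proc = subprocess.Popen(gpg_verify_argv(gpg, write_end, signed_file),
                            pass_fds=(write_end,),
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    os.close(write_end)  # the child holds its own copy; closing ours lets read() see EOF
    with os.fdopen(read_end, "r", encoding="utf-8", errors="replace") as status:
        data = status.read()
    proc.wait()
    return signature_verdict(data)


if __name__ == "__main__":
    print("mixed channel    :", signature_verdict(MIXED_STREAM))
    print("dedicated channel:", signature_verdict(DEDICATED_STATUS_STREAM))
```

The mixed stream yields a “valid” verdict for a message that was never signed, while the dedicated channel yields none; no amount of cleverness in `parse_status` can tell the two physical lines apart, which is why the fix is to separate the channels rather than to harden the parser.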