A notification pops up on your smartphone screen: “We detected an unusual login attempt from Rio de Janeiro, Brazil.” Whether the login attempt occurs where you live, halfway around the world, on the kind of phone you use, or from a device you’ve never heard of, what’s really going on here is an attempt to make you panic. Don’t panic. Either someone’s been busted trying to log in to your account or not, and freaking out will not help. To help you remain calm and survive the incident with minimal losses, we are arming you with knowledge of what it might be and what to do.

What it might be

To begin with, let’s figure out how an outsider could have gained access to your account in the first place. It can happen in one of several ways.

Data leak and credential stuffing

Data leaks and breaches pop up in the news quite often, and even if Facebook and Instagram weren’t hit directly, if another website is breached and the compromised data included your account info, then cybercriminals possess your credentials. Using a list of e-mail usernames and passwords, they can carry out a credential-stuffing attack — that is, they enter the stolen credentials on other sites. That works because people use the same password for multiple accounts, an unforced but extremely common error.

Alternatively, your Facebook or Instagram credentials might have leaked from an associated app. For example, in June of last year, SocialCaptain, a service for growing Instagram following through automation, leaked thousands of Instagram account passwords. The service didn’t encrypt client data, as it turned out. It is reasonable to assume that many SocialCaptain users have since encountered hacking attempts.

Phishing

You could be looking at the results of a phishing scam: your username and password landed in the hands of scammers. It happens. Maybe you clicked on a link and entered your credentials on a convincing fake Facebook or Instagram login screen. For example, just recently, our experts uncovered a phishing campaign that lured victims to fake login pages by threatening to block their Facebook account for copyright infringement.

Password theft

Malware can also steal credentials. For example, many Trojans come with a built-in keylogger, a program that, as the name suggests, logs keystrokes on the keyboard. If you picked up malware that logs keystrokes, then cybercriminals have every username and password you’ve entered since.

Access token theft

Perhaps someone stole your access token. To avoid having to enter your password every time you sign in to Facebook or Instagram, the app saves a small piece of login information on your computer, known as an access token, or token for short. If a cybercriminal steals a valid token, they can access the account without a username and password. Tokens have been stolen through vulnerabilities in Facebook — for example, in 2018, attackers got hold of access tokens for 50 million Facebook accounts. Tokens can also be stolen through browser extensions.

Login from another device

Nor is it inconceivable that you logged in to Facebook or Instagram from someone else’s device — at a party, in an Internet café, in a hotel lobby — and did not log out afterwards. Or, for example, if you forget to sign out of your account on a device you later sell or give away, you may be giving someone else access to your account.

False alarm (phishing again)

Perhaps your account was not hacked at all. It’s also possible someone is trying to do precisely that, using a fake notification about a suspicious login attempt. That is phishing, as discussed above, but a slightly different variation. Instead of threatening to block your account, cybercriminals can use a fake login attempt notification with a link to a phishing site similar to the real login page. The hope is that the panic-stricken victim will go to the fake site and enter their credentials there.

What to do

Now that you know the possible causes, it is time to act. First, log in to your account — but definitely not through the link in the notification (as we already know, it might point to a phishing site). Use the social network’s mobile app or manually enter the address in your browser. If the password does not work and you are locked out, refer to our detailed guide on what to do if your account has already been hijacked.

If you were able to log in, go to your account settings and check the authenticity of the notification. Each social network has its own interface; here’s how Facebook and Instagram manage it. Then, proceed to Account logins. If you see no suspicious entries, then the message was just phishing; delete it and move on.

If you do see something suspicious in the list of account logins, take action immediately to mitigate the damage:

- Immediately sign out of your account on all devices. On Instagram, you will have to end each session manually in the Account logins menu. Facebook can do it with a single click or tap under Security and Login in the settings. Your session on the current device will remain active.
- Confirm your phone number and e-mail address in the account settings; attackers can change those details to receive links or codes for changing account passwords. If they did, change them back.
- Set a new password, and make it one that is strong and that you don’t use anywhere else. If you are worried about keeping track, save your passwords in a password manager, which can also help you come up with a strong combination.
- Enable two-factor authentication to make hacking into your accounts harder for cybercriminals, even if they get your password.
- Scan all of your devices with a reliable antivirus to ensure they are free of malware.

Attention to security settings combined with good protection software will turn your account into a fortress.
A company that rents out access to more than 10 million Web browsers so that clients can hide their true Internet addresses has built its network by paying browser extension makers to quietly include its code in their creations. This story examines the lopsided economics of extension development, and why installing an extension can be such a risky proposition.

Singapore-based Infatica[.]io is part of a growing industry of shadowy firms trying to woo developers who maintain popular browser extensions — desktop and mobile device software add-ons available for download from Apple, Google, Microsoft and Mozilla designed to add functionality or customization to one’s browsing experience. Some of these extensions have garnered hundreds of thousands or even millions of users.

But here’s the rub: As an extension’s user base grows, maintaining it with software updates and responding to user support requests tends to take up an inordinate amount of the author’s time. Yet extension authors have few options for earning financial compensation for their work. So when a company comes along and offers to buy the extension — or pay the author to silently include some extra code — that proposal is frequently too good to pass up.

For its part, Infatica seeks out authors with extensions that have at least 50,000 users. An extension maker who agrees to incorporate Infatica’s computer code can earn anywhere from $15 to $45 each month for every 1,000 active users.

An Infatica graphic explaining the potential benefits for extension owners.

Infatica’s code then uses the browser of anyone who has that extension installed to route Web traffic for the company’s customers, including marketers or anyone able to afford its hefty monthly subscription charges. The end result is that when Infatica customers browse to a web site, that site thinks the traffic is coming from the Internet address tied to the extension user, not the customer’s.

Infatica prices its service based on the volume of web traffic a customer is seeking to anonymize, from $360 a month for 40 gigabytes all the way to $20,000 a month for 10,000 gigabytes of data traffic pushed through millions of residential computers.

THE ECONOMICS OF EXTENSIONS

Hao Nguyen is the developer behind ModHeader, an extension used by more than 400,000 people to test the functionality of websites by making it easier for users to modify the data shared with those sites. When Nguyen found himself spending increasing amounts of his time and money supporting the extension, he tried including ads in the program to help offset costs. ModHeader users protested loudly against the change, and Nguyen removed the ads — which he said weren’t making him much money anyway.

“I had spent at least 10 years building this thing and had no luck monetizing it,” he told KrebsOnSecurity.

Nguyen said he ignored multiple requests from different companies offering to pay him to insert their code, mainly because the code gave those firms the ability to inject whatever they wanted into his program (and onto his users’ devices) at any time. Then came Infatica, whose code was fairly straightforward by comparison, he said. It restricted the company to routing web requests through his users’ browsers, and did not try to access more sensitive components of the user’s browser experience, such as stored passwords and cookies, or viewing the user’s screen. More importantly, the deal would net him at least $1,500 a month, and possibly quite a bit more.

“I gave Infatica a try but within a few days I got a lot of negative user reviews,” he said. “They didn’t like that the extension might be using their browser as a proxy for going to not so good places like porn sites.”

Again he relented, and removed the Infatica code.

A TARGET-RICH ENVIRONMENT

These days, Nguyen is focusing more of his time on chrome-stats.com, which provides detailed information on more than 150,000 extensions. The service is free for limited use, but subscribers who pay a monthly fee can get access to more resources, such as older extension versions and details about their code components.

According to chrome-stats.com, the majority of extensions — more than 100,000 of them — are effectively abandoned by their authors, or haven’t been updated in more than two years. In other words, there are a great many developers who are likely to be open to someone else buying up their creation and their user base.

Image: chrome-stats.com

The vast majority of extensions are free, although a handful that have attracted a large and loyal enough following have been able to charge for their creations or for subscription services tied to the extension. But last year, Google announced it was shutting down paid Chrome extensions offered on its Chrome Web Store. Nguyen said this will only exacerbate the problem of frustrated developers turning to offers from dodgy marketing firms.

“It’s a really tough marketplace for extension developers to be able to monetize and get reward for maintaining their extensions,” he said. “There are tons of small developers who haven’t been able to do anything with their extensions. That’s why some of them will go into shady integration or sell the extension for some money and just be done with it.”

A solicitation sent by Infatica to the developer of the SponsorBlock extension. Image: sponsor.ajay.app

WHO IS INFATICA?

It is unclear how many extensions currently incorporate Infatica’s code. KrebsOnSecurity searched for extensions that invoke several domains tied to Infatica’s Web proxy service (e.g., extendbalanc[.]org, ipv4v6[.]info). This research was conducted using Nguyen’s site and crxcavator.io, a similar extension research site owned by networking giant Cisco Systems. Those searches revealed that Infatica’s code has been associated with at least three dozen extensions over the past few years, including several that had more than 100,000 users. One of those is Video Downloader Plus, which at one point claimed nearly 1.4 million active users.

The founder and director of Infatica — a resident of Biysk, Russia named Vladimir Fomenko — did not respond to multiple requests for comment.

Infatica founder Vladimir M. Fomenko.

Fomenko is the sole director of the iNinja VPN, another service that obfuscates the true Internet address of its more than 400,000 users. It stands to reason that iNinja VPN is not only offering its customers a way to obfuscate their Internet address, but is actively using those same systems to route traffic for other customers: A Chrome browser plugin and ad blocker by the same name whose code includes Infatica’s “extenbalanc” domain has 400,000 users.

That would put Infatica in line with the activities of another major controversial VPN/proxy provider: Luminati, a.k.a. “HolaVPN.” In 2015, security researchers discovered that users of the HolaVPN browser extension were being used to funnel Web traffic for other people. Indeed, in the screenshot above, Infatica’s marketing team can be seen comparing its business model to that of HolaVPN.

Fomenko has appeared in two previous KrebsOnSecurity stories; both concerned King Servers (a.k.a. “Hosting Solution Ltd.”), a hosting company he has operated for years which caters mostly to adult websites. In 2016, hackers suspected of working for Russian state security services compromised databases for election systems in Arizona and Illinois. Six of the eight Internet addresses identified by the FBI as sources of the attack traced back to King Servers.

In an interview with The New York Times several months later, Fomenko flatly denied having any ties to the hacking. According to the Russian daily Novaya Gazeta, revelations about the 2016 hacking incident’s ties to King Servers led to treason charges against Sergey Mikhaylov, the former deputy chief of Russia’s top anti-cybercrime unit. Russian authorities charged that Mikhaylov had tipped off the FBI to information about Fomenko and King Servers. In 2019, Mikhaylov was convicted and sentenced to 22 years in a penal colony.

BE SPARING IN TRUSTING EXTENSIONS

Browser extensions — however useful or fun they may seem when you install them — typically have a great deal of power and can effectively read and/or write all data in your browsing sessions. The powers granted to each extension are roughly spelled out in its “manifest,” basically a description of what it will be able to access once you incorporate it into your browser.

According to Nguyen’s chrome-stats.com, about a third of all extensions for Chrome — by far the most widely-used Web browser — require no special permissions. But the remainder require the user to place a good deal of trust in the extension’s author. For example, approximately 30 percent can view all of your data on all or specific websites, or index your open tabs and browsing activity.

Image: chrome-stats.com

More than 68,000 Chrome extensions allow the execution of arbitrary code in the context of webpages, effectively allowing the extension to alter the appearance and functionality of specific sites.

I hope it’s obvious by this point, but readers should be extremely cautious about installing extensions — sticking mainly to those that are actively supported and respond to user concerns. Personally, I do not make much use of browser extensions. In almost every case I’ve considered installing one I’ve been sufficiently spooked by the permissions requested that I ultimately decided it wasn’t worth the risk, given that any extension can go rogue at the whims of its author.

If you’re the type of person who uses multiple extensions, it may be wise to adopt a risk-based approach going forward. Given the high stakes that typically come with installing an extension, consider carefully whether having the extension is truly worth it. This applies equally to plug-ins designed for Web site content management systems like WordPress and Joomla.

Do not agree to update an extension if it suddenly requests more permissions than a previous version. This should be a giant red flag that something is not right. If this happens with an extension you trust, you’d be well advised to remove it entirely.

Also, never download and install an extension just because some Web site says you need it to view some type of content. Doing so is almost always a high-risk proposition. Here, Rule #1 from KrebsOnSecurity’s Three Rules of Online Safety comes into play: “If you didn’t go looking for it, don’t install it.”

Finally, in the event you do wish to install something, make sure you’re getting it directly from the entity that produced the software.

Google Chrome users can see any extensions they have installed by clicking the three dots to the right of the address bar, selecting “More tools” in the resulting drop-down menu, then “Extensions.” In Firefox, click the three horizontal bars next to the address bar and select “Add-ons,” then click the “Extensions” link on the resulting page to view any installed extensions.
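The manifest is where the access the article describes (all-site data access, traffic proxying, code running inside web pages) is declared, and the advice above is to refuse an update that asks for more. The following is an added example, not code from KrebsOnSecurity, chrome-stats.com or crxcavator.io: it audits a Chrome manifest for those capabilities and diffs two versions of a manifest to surface newly requested access. The two sample manifests and the severity labels are constructed for illustration.

```javascript
// Added example (not from the article or the sites it names): audit an
// extension manifest for broad access, and diff two versions so that an
// update requesting more access than before stands out. Sample manifests
// below are constructed; the severity ratings are my own assumption.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Permissions of interest, mapped to a severity and the capability granted.
const RISKY_PERMISSIONS = new Map([
  ["proxy", ["high", "can route the user's traffic through third-party proxies"]],
  ["webRequest", ["high", "can observe every HTTP request the browser makes"]],
  ["webRequestBlocking", ["high", "can modify or block every HTTP request"]],
  ["cookies", ["high", "can read session cookies for permitted hosts"]],
  ["tabs", ["medium", "can index open tabs and their URLs"]],
  ["history", ["medium", "can read browsing history"]],
]);

const isBroadHost = (pattern) => BROAD_HOST_PATTERNS.includes(pattern);

// Every host pattern the extension can reach. Manifest V2 lists hosts under
// "permissions", V3 under "host_permissions"; content_scripts add "matches".
function hostPatterns(manifest) {
  const fromPermissions = (manifest.permissions || [])
    .filter((p) => p === "<all_urls>" || p.includes("://"));
  const fromHosts = manifest.host_permissions || [];
  const fromContent = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return new Set([...fromPermissions, ...fromHosts, ...fromContent]);
}

// Returns [{severity, finding}] for one manifest.
function auditManifest(manifest) {
  const findings = [];
  for (const perm of manifest.permissions || []) {
    if (RISKY_PERMISSIONS.has(perm)) {
      const [severity, why] = RISKY_PERMISSIONS.get(perm);
      findings.push({ severity, finding: `permission "${perm}": ${why}` });
    }
  }
  for (const host of hostPatterns(manifest)) {
    if (isBroadHost(host)) {
      findings.push({ severity: "high", finding: `host access "${host}": can read and change data on every site` });
    }
  }
  // A content script on a broad pattern is code running in the page context.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroadHost)) {
      findings.push({ severity: "high", finding: `content script ${JSON.stringify(cs.js || [])} injected into every page` });
    }
  }
  return findings;
}

// Permissions and host patterns the new manifest requests that the old one did not.
function addedAccess(oldManifest, newManifest) {
  const oldPerms = new Set(oldManifest.permissions || []);
  const oldHosts = hostPatterns(oldManifest);
  return {
    permissions: (newManifest.permissions || []).filter((p) => !oldPerms.has(p)),
    hosts: [...hostPatterns(newManifest)].filter((h) => !oldHosts.has(h)),
  };
}

// Constructed sample: version 1.0 of a hypothetical downloader extension ...
const MANIFEST_V1 = {
  manifest_version: 3, name: "Example Downloader (constructed)", version: "1.0",
  permissions: ["activeTab", "storage"],
  host_permissions: ["https://videos.example/*"],
};
// ... and a constructed 1.1 that quietly adds proxying and all-site access.
const MANIFEST_V2 = {
  manifest_version: 3, name: "Example Downloader (constructed)", version: "1.1",
  permissions: ["activeTab", "storage", "proxy", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

// Review the update: what was added, and what the new version can do overall.
console.log(JSON.stringify({ added: addedAccess(MANIFEST_V1, MANIFEST_V2),
  findings: auditManifest(MANIFEST_V2) }, null, 2));
```

Point it at the manifest.json of a real extension (unpacked from its .crx) and at the previous version's manifest to see exactly what an update adds before accepting it.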
95% of IT leaders say that client and company data is at risk on email, an Egress report reveals. Additionally, 83% of organizations have suffered data breaches via this channel in the last 12 months.
Cybersecurity startup Axonius has raised $100 million in a private funding round led by New York-based growth equity firm Stripes at a valuation of $1.2 billion, the company said on Sunday.
A user on a popular hacker forum is selling three databases purportedly containing user credentials and device data stolen from three different Android VPN services – SuperVPN, GeckoVPN, and ChatVPN.
Fraudsters from countries like China, Nigeria, and Russia buy stolen personal information online from previous identity thefts and then use it to make bogus claims on state unemployment systems.
"COVIDGuardian", the first automated security and privacy assessment tool, tests contact tracing apps for potential threats such as malware, embedded trackers, and private information leakage.
An AOL email phishing campaign is underway to steal users' login name and password by warning recipients that their account is about to be closed if they do not login and verify it within 72 hours.
The domains *.gvt1.com and *.gvt2.com, along with their subdomains, are owned by Google and typically used to deliver Chrome software updates, extensions, and related content.
Cybercriminals are very persistent and the daily numbers of cyberattacks show no sign of decreasing. This can jeopardize the reputation of students and academics as well as the institution itself.
Armorblox, a cybersecurity startup using natural language understanding to protect enterprise communications, today announced that it raised $30 million in series B venture capital funding.
78% of senior IT and security leaders believe their organizations lack sufficient protection against cyberattacks despite increased IT security investments made in 2020, as per an IDG Research survey.
During the recent video conference of the members of the European Council (25-26 February), NATO chief Jens Stoltenberg highlighted the importance to define a strategy to boost defense and security.
DDoSecrets, a group of hacktivists has leaked a massive trove of data belonging to Gab.com. In total, DDoSecrets has leaked 70 GB worth of sensitive data belonging to registered Gab users.
A new study shows that as the standoff continued in the Himalayas between India and China, Chinese malware was flowing into the control systems that manage electric supply across India.
An unsecured server belonging to Polecat, a data analytics company, exposed an estimated 30 terabytes of business records online, resulting in the firm being held to ransom.
A critical vulnerability discovered in a firewall appliance made by Genua could be useful to threat actors once they’ve gained access to an organization’s network, according to SEC Consult.
The privilege escalation vulnerability, tracked as CVE-2020-28243, could allow "an unprivileged user to create files in any non-blacklisted directory via a command injection in a process name."
Any future real-world conflict between the United States and an adversary like China or Russia will have direct impacts on regular Americans because of the risk of cyber attack, Kevin Mandia said.
In an incident report published on Friday, Google said that a Google Voice outage affecting a majority of the telephone service's users earlier this month was caused by expired TLS certificates.
CrowdStrike revealed that there has been a humongous increase in interactive intrusion activity. There has been a fourfold increase in these activities in the last two years.
The free service is being provided by the GCHQ-backed National Cyber Security Center to the UK’s smallest businesses who, like most others, have been working remotely during the pandemic.
The developers behind the notorious strain of crypto-locking malware have given their attack code the ability to spread itself between systems inside an infected network.
The unverified email screenshots appear to relate to Bahamas-based Deltec, which has a banking relationship with Tether, and a discussion over asset backing. Tether says the documents are "bogus."
Dubbed "Gootloader," the expanded Javascript-based malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S.
Red Hat Security Advisory 2021-0671-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Issues addressed include a buffer overflow vulnerability.
Google's American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. afl++ is a superior fork to Google's afl. It has more speed, more and better mutations, more and better instrumentation, custom module support, etc.
Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
This Metasploit module exploits an unauthenticated arbitrary file upload via an insecure POST request to Fortilogger. It has been tested on version 4.4.2.2 in Windows 10 Enterprise.
Red Hat Security Advisory 2021-0672-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Issues addressed include a buffer overflow vulnerability.
Red Hat Security Advisory 2021-0681-01 - The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.
Red Hat Security Advisory 2021-0670-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Issues addressed include a buffer overflow vulnerability.
Red Hat Security Advisory 2021-0663-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.
Red Hat Security Advisory 2021-0669-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Issues addressed include a buffer overflow vulnerability.
Let's first take a look back at 2020! Adding to the list of difficulties that surfaced last year, 2020 was also grim for personal data protection, as it has marked a new record number of leaked credentials and PI data. A whopping 20 billion records were stolen in a single year, increasing 66% from 12 billion in 2019. Incredibly, this is a 9x increase from the comparatively "small" amount of 2.3
Amid heightened border tensions between India and China, cybersecurity researchers have revealed a concerted campaign against India's critical infrastructure, including the nation's power grid, from Chinese state-sponsored groups. The attacks, which coincided with the standoff between the two nations in May 2020, targeted a total of 12 organizations, 10 of which are in the power generation and
As cybersecurity researchers continue to piece together the sprawling SolarWinds supply chain attack, top executives of the Texas-based software services firm blamed an intern for a critical password lapse that went unnoticed for several years. The said password "solarwinds123" was originally believed to have been publicly accessible via a GitHub repository since June 17, 2018, before the
A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads. "The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today. "In recent years
On Friday, popular tech news site Gizmodo published an article with the title: “Go Update Your Passwords Right Now”. The problem is, it's just not good advice...
Gab, the Twitter-like social networking service known for its far-right userbase, has reportedly been hacked - putting more than 40 million public and private posts, messages, as well as user profiles and hashed passwords, at risk of exposure. Read more in my article on the Hot for Security blog.