
Uber cover-up places 57 million people at risk of identity fraud

Ride hailing firm Uber has revealed a major hack last year exposed the personal data of 57 million users. Even worse is the news that Uber’s security chief paid the hackers $100,000 to cover up the incident in the hope of preventing the breach from going public.

The incident was announced by Uber CEO Dara Khosrowshahi who claimed that he had only recently learned about it himself. Two senior managers in charge of IT security were fired shortly afterwards.

A very serious breach

According to the report, two hackers were able to download names, email addresses and mobile phone numbers of 57 million Uber users around the world and the names and driver’s license numbers of 600,000 U.S. drivers. Although credit card numbers and passwords were not included, the stolen details would be enough for cybercriminals to start an identity fraud operation.

Instead of reporting the breach to authorities and service users – as required by US law – Uber decided to pay the hackers to keep quiet. The two individuals involved in the attack were paid $100,000 in return for supplying proof that they had deleted the stolen data.

An ongoing problem

Uber already has a reputation for breaking rules, and for tracking users even after they have closed the app. The sheer volume of valuable personal data held by Uber makes it a very attractive target for hackers, but the company’s attempts to hide their activities increase customer distrust.

Although a data breach is embarrassing and expensive, attempting to cover it up is even more damaging – people simply do not trust the service to handle their personal data safely.

Protecting yourself now

Although Uber claim that login details were not compromised, you should still change your password just in case. Make sure that you create a strong password to further improve security.

And don’t forget, hackers will also try and steal data direct from your mobile phone, not just Uber’s data centre. Protect your smartphone with the free Mobile Security app, blocking the malware that steals passwords, credit card details and other sensitive personal information.

Data Theft Incidents on the Rise

As we reported in a previous post, in the first half of 2017, more data was stolen than in all of 2016. The 918 security breaches registered by Gemalto’s Breach Level Index led to the theft of almost 2 billion records, which is 164% more than the figures for the whole of last year. For companies to avoid being in that position, the first step is to be aware of the importance of implementing effective security measures and policies.


The post Uber cover-up places 57 million people at risk of identity fraud appeared first on Panda Security Mediacenter.


Tether Hacked — Attacker Steals $31 Million of Digital Tokens


Again some bad news for cryptocurrency users.

Tether, a Santa Monica-based start-up that provides dollar-backed cryptocurrency tokens, has claimed that its systems have been hacked by an external attacker, who eventually stole around $31 million worth of its tokens.

With a market capitalization of $673 million, Tether is the world’s first blockchain-enabled platform to allow the traditional currency to be used like digital currency.

Tether serves as a proxy for the US dollar, Euro (and soon Japanese yen) that can be sent between exchanges including Bitfinex, Poloniex, Omni, GoCoin and other markets.

According to an announcement on the company’s official website posted today, the unknown hacker stole the tokens (worth $30,950,010) from the Tether Treasury wallet on November 19 and sent them to an unauthorized Bitcoin address.

The stolen tokens will not be redeemed, but the company is in the process of attempting token recovery in order to prevent them from entering the broader cryptocurrency market.

The attacker is holding stolen funds at the following bitcoin address:

16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r

So, if you receive any USDT (that’s what Tether calls its platform’s USD currency; 1USDT=1USD) “tokens from the above address, or from any downstream address that receives these tokens, do not accept them, as they have been flagged and will not be redeemable by Tether for USD,” the company warned.

Bitcoin price dropped as much as 5.4 percent, the most since November 13.

To prevent the stolen coins from moving from the attacker’s address, the company has temporarily suspended its back-end wallet service and also provided a new version of its software.

“Accordingly, any and all exchanges, wallets, and other Tether integrators should install this software immediately in order to prevent loss: https://github.com/tetherto/omnicore/releases/tag/0.2.99.s,” the company said.

The Tether Team has also ensured that Tether issuances have not been affected by this attack, and all of its tokens remain fully backed by assets in the Tether reserve.

Instead, the only tokens that won’t be redeemed at this moment are those stolen from Tether treasury yesterday. However, these tokens will be returned to treasury once the software enhancements are in place.

Tether is also undertaking a thorough investigation of the incident in an attempt to prevent similar attacks in the future.

This incident is the latest in a long list of attacks against the cryptocurrency markets. Just last week, about $300 million worth of Ether from dozens of Ethereum wallets was permanently locked up after someone triggered a flaw in Parity multi-sig wallets.

How is virtual reality helping the development of driverless cars?

California’s Department of Motor Vehicles (DMV) has registered slightly fewer than 50 traffic accidents involving autonomous vehicles since 2014.

While this may not seem like a lot, there is currently a limited number of driverless cars on the streets of California – fewer than 15 in the state itself, and approximately 50 in the whole continental US.

We are less than five years away from seeing self-driving cars become available for the masses and the numbers of accidents involving autonomous vehicles that have occurred so far are not particularly satisfying. The cars that are currently being tested tend to get involved in a minor crash at least once a year. We sincerely hope the cars that will end up in the hands of the consumers in the next decade will be safer than the ones we see on the roads of California right now. While safety is number one for car manufacturers, inevitably there will be deaths in accidents involving autonomous vehicles.

Meeting the federal standards for public safety for a vehicle that does not require a driver sounds complicated, doesn’t it? So how are automobile manufacturers going to achieve it? They are planning to meet the federal motor vehicle safety standards by using the power of virtual reality.

Technology

The sophisticated technology that will be integrated into the driverless cars of the future will have some hard decisions to make. Steering the wheel to the left might mean aiming towards a pregnant lady crossing the street, while turning right might end up endangering a group of children. How does your self-driving vehicle make a choice? Developers are making some tough decisions as the lives of millions are currently in their hands. While the programming experience of software engineers might be great, most of them are unlikely to be professional drivers, nor do they have vast fleets of driverless cars to work with. So where do they get usable data? Is it possible for them to experience every obstacle that happens on the road? Not really, which is why they are adding VR to the equation.

Companies are testing vehicles inside virtual reality

Companies such as Toyota and Uber have begun testing vehicles inside virtual reality simulations of the very same cities that we inhabit. Scientists realized there is no need to have plenty of real cars on the roads when there is an option to let virtual cars “drive” the streets of any city photographed by Google on street-view mode. A vehicle tested in the virtual world is harmless, but having a car accident in the real one could be fatal. Well done for finding a way to save lives!

Hats off to the people who made it happen! Some of the major cities where self-driving cars are present already struggle with traffic so the people would appreciate the lack of additional bot-cars. Let the testing continue where safest – the virtual reality.

If you are curious if there are any driverless cars in your town, or if your city is preparing to welcome the autonomous vehicle revolution, check out this useful map – http://avsincities.bloomberg.org/ .

The post How is virtual reality helping the development of driverless cars? appeared first on Panda Security Mediacenter.


OnePlus Left A Backdoor That Allows Root Access Without Unlocking Bootloader


More terrible news for OnePlus users.

Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets.

A Twitter user, who goes by the name “Elliot Anderson” (named after Mr. Robot’s main character), discovered a backdoor (an exploit) in all OnePlus devices running OxygenOS that could allow anyone to obtain root access to the devices.

The application in question is “EngineerMode,” a diagnostic testing application made by Qualcomm for device manufacturers to easily test all hardware components of the device.

This APK comes pre-installed (accidentally left behind) on most OnePlus devices, including OnePlus 2, 3, 3T, and the newly-launched OnePlus 5. We can confirm its existence on the OnePlus 2, 3 and 5.

You can also check if this application is installed on your OnePlus device or not. For this, simply go to settings, open apps, enable show system apps from top right corner menu (three dots) and search for EngineerMode.APK in the list.


If it’s there, anyone with physical access to your device can exploit EngineerMode to gain root access on your smartphone.

EngineerMode has been designed to diagnose issues with GPS, check the root status of the device, perform a series of automated ‘production line’ tests, and many more.

After decompiling the EngineerMode APK, the Twitter user found the ‘DiagEnabled’ activity, which if opened with a specific password (it is “Angela”, found after reverse engineering) allows users to gain full root access on the smartphone—without even unlocking the bootloader.

Although the chance of this application already being exploited in the wild is probably low, it seems to be a serious security concern for OnePlus users as root access can be achieved by anyone using a simple command.


Moreover, with root access in hand, an attacker can perform lots of dangerous tasks on a victim’s OnePlus phone, including stealthily installing sophisticated spying malware, which is difficult to detect or remove.

Meanwhile, in order to protect themselves and their devices, OnePlus owners can simply disable root on their phones. To do so, run the following commands in an ADB shell:

setprop persist.sys.adb.engineermode 0
setprop persist.sys.adbroot 0

Alternatively, dial the code *#8011#.
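A small audit of the two checks described above (is an EngineerMode package present, and are the two root-related properties switched on), added here as an example and not taken from the original article. It works on captured output of `adb shell getprop` and `adb shell pm list packages -s`; the sample captures and the package name in them are constructed, and matching on the substring "engineer" is an assumption because the article does not give the package identifier.

```python
import re

# Properties named in the article; a value other than "0" or empty counts as enabled.
ROOT_PROPS = ("persist.sys.adb.engineermode", "persist.sys.adbroot")

# Constructed sample of `adb shell getprop` output.
SAMPLE_GETPROP = """\
[persist.sys.adb.engineermode]: [1]
[persist.sys.adbroot]: [0]
[ro.build.type]: [user]
"""

# Constructed sample of `adb shell pm list packages -s` output.
# The package name below is a placeholder, not the real identifier.
SAMPLE_PACKAGES = """\
package:com.android.settings
package:com.example.engineermode
"""

_PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        match = _PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def parse_packages(text):
    """Return package names from `package:<name>` lines."""
    return [line.strip()[len("package:"):]
            for line in text.splitlines()
            if line.strip().startswith("package:")]


def audit_device(getprop_text, packages_text):
    """Report EngineerMode-like packages, enabled properties and the reset commands."""
    props = parse_getprop(getprop_text)
    enabled = {name: props[name] for name in ROOT_PROPS
               if props.get(name, "0") not in ("", "0")}
    suspicious = [p for p in parse_packages(packages_text) if "engineer" in p.lower()]
    return {
        "engineermode_packages": suspicious,
        "enabled_props": enabled,
        # Same commands as in the article, one per property that needs resetting.
        "remediation": [f"setprop {name} 0" for name in enabled],
    }


if __name__ == "__main__":
    print(audit_device(SAMPLE_GETPROP, SAMPLE_PACKAGES))
```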

In response to this issue, OnePlus co-founder Carl Pei said that the company is looking into the matter.

The Twitter user has promised to release a one-click rooting app for OnePlus devices using this exploit. We will update the article as soon as it is available.

Female gamers, online abuse, and staying safe

For many women playing online games, the experience is less than enjoyable. Female gamers may love the games, but other players can make life a living hell with sexist abuse.

A recent Guardian story detailed one woman gamer’s experiences, ranging from low level insults, to unwanted sexual advances from another player. To avoid similar problems, she has developed a range of safeguards, from pretending to be a boy, through to simply not participating in the in-game chat between players.

Obviously the real problem is unreasonable behaviour by male players, and this is where real change needs to take place. In the meantime, female gamers will need to take steps to better protect themselves.

Here are some tips to help you stay safe online.

1. Understand the game’s reporting system

Most games now offer a system for reporting abuse, allowing the game operator to intervene when “banter” becomes unreasonable. Usually this will be a button marked “Report Abuse”, although this will vary between games and websites.

You should make sure you know how to report abuse before you start playing online. Many platforms may ask for additional evidence to help them investigate a report, such as taking a picture of what is shown on your screen (known as a screenshot):

For an Apple computer, hold down Shift + CMD (⌘) + 3 – a picture will be saved to your desktop.

For a Windows PC, hold down Alt + Prt Scr – the picture can be found under This PC -> Pictures -> Screenshots

2. Use the reporting system

Some major platforms like Xbox Live use real time monitoring to detect abusive language, and block trolls automatically – but many do not. These automated systems are not fool-proof either, so you must report abuse – otherwise the troll is free to abuse you and other players.

The sooner you report abuse, the quicker it will be dealt with.

3. Stay calm, don’t react

Once you have reported another player for abuse, you should avoid communicating with them again. Many trolls enjoy upsetting other people and making them feel bad, but you should never get into an argument with them.

Stay calm, and let the reporting process complete. If you are unsatisfied with the outcome of an investigation, or are concerned that nothing is being done, contact the games provider’s support helpline. Remember that an investigation may take longer than you expect.

4. Install a PC security tool

Some trolls will go even further, stalking and harassing their victims outside the game. They may attack via social media, or even try and hack their computer, looking for sensitive personal data that they can use to embarrass or threaten their victims.

To protect yourself against these people, always ensure you have an anti-malware tool installed on your computer. This will detect and block hackers, keeping your data safe. Download Panda Free Antivirus to get started now. You can also learn more about using social media safely in this guide.

Be prepared and be sensible

For women who do fall victim to trolls, it may feel as though they are not receiving proper protection online. Unfortunately this means that until games companies start taking these threats more seriously, female gamers will need to protect themselves.

The post Female gamers, online abuse, and staying safe appeared first on Panda Security Mediacenter.


Oh, Crap! Someone Accidentally Triggered A Flaw That Locked Up $280 Million In Ethereum


Horrible news for some Ethereum users.

About $300 million worth of Ether—the cryptocurrency unit that has become one of the most popular and increasingly valuable cryptocurrencies—from dozens of Ethereum wallets was permanently locked up today.

Smart contract coding startup Parity Technologies, which is behind the popular Ethereum Parity Wallet, announced earlier today that its “multisignature” wallets created after this July 20 contain a severe vulnerability that makes it impossible for users to move their funds out of those wallets.

According to Parity, the vulnerability was triggered by a regular GitHub user, “devops199,” who allegedly accidentally removed a critical library code from the source code that turned all multi-sig contracts into a regular wallet address and made the user its owner.

Devops199 then killed this wallet contract, making all Parity multisignature wallets tied to that contract instantly useless, and therefore their funds locked away with no way to access them.

“These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at “0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4″ address,” devops199 wrote on GitHub.

“I made myself the owner of ‘0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4’ contract and killed it and now when I query the dependent contracts ‘isowner()’ they all return TRUE because the delegate call made to a died contract.”

Parity multisignature wallets also experienced a vulnerability in July this year that allowed an unknown hacker to steal nearly $32 million in funds (approximately 153,000 units of Ether) before the Ethereum community secured the rest of its vulnerable Ether.

According to Parity, a new version of the Parity Wallet library contract deployed on 20th of July contained a fix to address the previously exploited multi-sig flaw, but the code “still contained another issue,” which made it possible to turn the Parity Wallet library contract into a regular wallet.
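A toy Python model of the failure described above, added here as an illustration and not Parity's contract code: wallets keep funds and state but forward every function to one shared library, so taking over and destroying the library disables all of them. The class, function and address names are hypothetical; the model assumes, as on the EVM, that a delegate call to an address with no code succeeds without executing anything, and the deploy-time initialisation shown as the fix is one possible hardening, not the patch Parity shipped.

```python
LIB, WALLET = "0xLIB", "0xWALLET"          # hypothetical addresses
ALICE, STRANGER, DEPLOYER = "alice", "stranger", "deployer"
NOBODY = "0x0"                             # an address nobody controls


class Chain:
    """Minimal ledger: code, storage and balance per address."""

    def __init__(self):
        self.code, self.storage, self.balance = {}, {}, {}

    def create(self, address, code=None, balance=0):
        self.code[address] = code
        self.storage[address] = {}
        self.balance[address] = balance

    def delegatecall(self, this, target, func, caller, *args):
        """Run target's code against the storage and balance of `this`."""
        logic = self.code.get(target)
        if logic is None:
            return None                    # no code at target: nothing runs
        return getattr(logic, func)(self, this, caller, *args)

    def call(self, target, func, caller, *args):
        """A direct call runs the target's code against its own storage."""
        return self.delegatecall(target, target, func, caller, *args)


class WalletLibrary:
    """Shared logic; `this` is whichever address the code is running for."""

    def init_wallet(self, chain, this, caller, owners):
        store = chain.storage[this]
        if store.get("owners"):            # only works on uninitialised storage
            raise PermissionError("already initialised")
        store["owners"] = set(owners)
        return True

    def withdraw(self, chain, this, caller, to, amount):
        if caller not in chain.storage[this].get("owners", set()):
            raise PermissionError("not an owner")
        chain.balance[this] -= amount
        chain.balance[to] = chain.balance.get(to, 0) + amount
        return True

    def kill(self, chain, this, caller):
        if caller not in chain.storage[this].get("owners", set()):
            raise PermissionError("not an owner")
        chain.code[this] = None            # self-destruct: code at `this` is gone
        return True


def wallet_call(chain, func, caller, *args):
    """The wallet has no logic of its own; everything is delegated to LIB."""
    return chain.delegatecall(WALLET, LIB, func, caller, *args)


def run_incident(initialise_library_at_deploy):
    chain = Chain()
    chain.create(LIB, WalletLibrary())
    if initialise_library_at_deploy:
        # Hardening: the library's own storage is never left unclaimed.
        chain.call(LIB, "init_wallet", DEPLOYER, [NOBODY])
    chain.create(WALLET, balance=100)
    wallet_call(chain, "init_wallet", ALICE, [ALICE])
    before = wallet_call(chain, "withdraw", ALICE, ALICE, 10)

    try:
        # Direct calls on the library itself, whose own storage had no owner.
        chain.call(LIB, "init_wallet", STRANGER, [STRANGER])
        chain.call(LIB, "kill", STRANGER)
        claimed = True
    except PermissionError:
        claimed = False

    after = wallet_call(chain, "withdraw", ALICE, ALICE, 10)
    return {"withdraw_before": before, "library_claimed": claimed,
            "withdraw_after": after, "wallet_balance": chain.balance[WALLET]}


if __name__ == "__main__":
    print("unprotected library:", run_incident(False))
    print("initialised at deploy:", run_incident(True))
```

In the unprotected run the wallet's last withdrawal returns nothing and its balance stays put, even though the wallet's own owner list was never touched.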

The vulnerability affected Parity multi-sig wallets that were deployed after July 20—meaning ICOs (Initial Coin Offerings) that were held since then may be impacted.

So far, it is unclear exactly how much cryptocurrency has disappeared due to this blunder, but some cryptocurrency blogs have reported that Parity wallets constitute roughly 20% of the entire Ethereum network.

This led researchers familiar with the space to estimate that around $280 million worth of Ether is now inaccessible, including $90 million raised by Parity’s founder Gavin Wood.

Parity froze all affected multi-sig wallets (that is millions of dollars’ worth of Ethereum-based assets) as its team scrambles to bolster security. The team also promised to release an update with further details shortly.

To what extent are smartphones shaping our lives?


How dependent on your cellphone are you?

Earlier this year Pew Research Center released a fact sheet stating the vast majority of Americans own cellphones – about 95% of the population of the USA has at least one cellular device on hand, and in about 77% of the cases, it is a smartphone. The number of smartphone owners has risen by 32% in the last five years, and the growth is not giving any sign of slowing down – the percentage of smartphone ownership is projected to reach 82% by the end of the year.

In the past we used to say that there is a time for everything, now we say there is an app for everything. We can all admit it – we enjoy and depend on our connected devices. Smartphones are in place to ease our lives, but the more time we spend staring at the small screens, the more dependent we get.

There are a few main factors confirming smartphones are shaping our lives.

The necessity

Having a smartphone is sometimes a necessity. Even if you do not own one yourself, it is very likely you’ve been given a smartphone device from work. Some health care professionals must be reachable at all times. Salespeople would be available 24/7 too; no salesperson would be happy if a competitor picks up the lead instead. Even if you are not entirely convinced of their importance, smartphones are sometimes your primary connection to your employer, clients, or loved ones. Having one on hand is a necessity.

The convenience

One of the main reasons smartphones are so popular is because they are meant to ease our lives. Not that long ago you had to call a travel agent to book a vacation, or you had to mail physical checks so you can pay your utility bills. Stopping at the bank for a quick credit balance check is now part of the past too. Now, everything you need is at your fingertips. You no longer have to wait for the newspaper boy so you can read yesterday’s news – they are readily available online right on your large screen phone. We bet you haven’t seen a physical map in years too; you use the navigation capabilities of your smartphone instead.

The addiction

Undoubtedly smartphones are here to stay. The problem is that they are becoming so functionally diverse that people are starting to be addicted to them. Companies such as Facebook want to keep you engaged with their platform as long as possible. To keep your attention, they bombard you with content that they know you will enjoy seeing. Smartphones open a back door for gambling too – you no longer have to drive to Vegas or Atlantic City if you want to try your luck. While being entertained is excellent, you should always be careful to not end up in a bad place.

The fake reality

The world should not only be viewed through the prism of one small screen. Companies are fighting for your attention and sometimes exaggerate the facts to attract you. While they get richer by selling the traffic to advertising companies, it is possible you are not getting the whole picture. You should have multiple sources of information and carefully vet the information you receive. Not everything you see on your Facebook feed is true. Misinformation can have a negative impact on your life.

The dangers

Sadly, smartphones are not only an easy way to get information and entertainment – they are sometimes a backdoor for hackers who want to sneak a peek into your personal life. Bearing in mind the average American spends tens, and possibly hundreds, of hours on their smartphone device every month, the chances of having sensitive information stored on your phone are high. Unfortunately, hackers sometimes find their way into your mobile device. They could be after banking login information, delicate imagery, or your credit card details – whatever their goal is, they know their way in if you are not protected.

Agree or not, smartphone devices are here to stay and are already playing a significant part in our lives.

They allow us to connect with each other, they save us time, and they provide entertainment. While there are pros to having one, there are cons too – smartphones sometimes make people vulnerable to misinformation and hacker attacks. The good news is that people who are self-aware and have decent antivirus software installed have nothing to worry about. Being protected will significantly decrease the chances of having your phone negatively shaping your life.


The post To what extent are smartphones shaping our lives? appeared first on Panda Security Mediacenter.


Fall Creators, the new Windows 10 upgrade

Fluent Design is finally arriving on Windows 10

Earlier this year, Microsoft unveiled its Fluent Design System, a new design language for the Windows 10 interface, announcing at the same time a number of changes to the company’s software in the future. This week, the Redmond company has finally rolled out the first phase of the new system, as part of the Windows 10 Fall Creators Update.

The launch has been accompanied by a video showcasing some of the new design changes to Windows 10, although it doesn’t reveal much information about any of the future additions. The video offers a sneak peek of various components and apps that have been redesigned with new visual effects that aim to give Windows 10 more texture, depth and visual responsiveness to inputs. The new Fluent Design will roll out gradually, starting with its own apps and elements like the Start menu, Action Center and notifications. Microsoft has stated that these are just the first steps of the project and that new features and capabilities will be introduced in the future.

Fluent Design System is designed to be the successor to Microsoft’s Metro design and will appear across apps and services on Windows, iOS and Android. Microsoft is focusing on light, depth, motion and scale, with animations that add a sense of fluidity during interactions, in contrast to the minimalistic, tile-based interface of the past. Besides incorporating the first phase of Fluent Design System, Windows 10 Fall Creators Update also introduces OneDrive Files On-Demand, a new feature that allows users to access their documents without having to download them. Microsoft Edge has also been improved, incorporating a new tool to manage Favorites and the ability to import settings from Chrome. Finally, the operating system includes a new GPU monitoring option in the Task Manager.

More new features yet to come

We’re expecting to see even more changes in the next Windows 10 update, which is currently in development under the codename Redstone 4. Microsoft has started testing the initial features for this version, which is scheduled for March 2018. The main addition so far is a new Cortana Collections feature, which will see and remember users’ browsing habits. As Microsoft finishes its functionality tests, new information will be unveiled about the new improvements, in addition to a new Timeline feature that will let users resume sessions and apps on Windows PCs, iOS and Android devices more easily.

This update does not affect the operation of the Windows 10-compatible antivirus solutions available on the market, including the entire Panda Antivirus product line. So, installing a professional antivirus tool is not only possible, but highly recommended. In this context, the latest version of Panda’s antivirus solutions has the added guarantee of having achieved one of the best detection rates in the latest edition of the AV-Comparatives professional antivirus comparative review.

The post Fall Creators, the new Windows 10 upgrade appeared first on Panda Security Mediacenter.


Cryptocurrency Mining Takes its Toll on AWS Servers

Bitcoin has skyrocketed over the last several years and has become the most coveted currency of today. Not belonging to any state or country, able to be used all over the world equally and immediately, and able to provide complete anonymity when doing business — these are some of its biggest draws. But like any other payment system, using Bitcoin carries with it a few processing fees. Specifically, mining uses a great deal of energy and requires high-powered hardware. This reality places companies, and their infrastructures, in the crosshairs of cybercriminals looking to make a profit with mining software, without the overhead costs of running servers themselves.

A few days ago, hackers attacked thousands of computers around the world in a ransomware attack, posing as the Amazon team. Now, they’ve turned their attention to the power of the cloud. Companies that hire Amazon Web Services (AWS) and do not adequately protect their servers are especially at risk.

Amazon and the Cryptocurrency Business

Despite the many security services that companies can hire for their systems, studies reveal that 97% of the 1,000 largest companies in the world are affected by data breaches and ransomware. Today, thanks to the rise of cryptocurrency, there is a more profitable activity offered by hijacked corporate servers: mining Bitcoins.

The value of this virtual currency has already reached record highs, attracting more and more cybercriminals interested in making easy money. In recent months, threat reports analyzed by PandaLabs show a marked increase in malware installed via the Remote Desktop Protocol (RDP). We witness thousands of ransomware infection attempts every day, as well as attempts to hijack servers for bitcoin mining. These attempts have one thing in common: the access route is RDP, after credentials have been obtained through a brute-force attack. It’s the same story all over again, just with different characters. We’ve seen it with ransomware and RDP attacks, and now we’re seeing it with bitcoin mining in the business world.
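A detection sketch for the pattern described above (a burst of failed RDP logons from one source, then a success), added here as an example and not taken from the original post. The event lines are constructed; the layout assumes Windows Security events 4625 (failed logon) and 4624 (successful logon) exported with logon type and source IP, with logon type 10 for an interactive RDP session and type 3 also counted for failures, since that is what Network Level Authentication records.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
FAILURE_TYPES = {3, 10}      # network (NLA) and RemoteInteractive
RDP_SUCCESS_TYPE = 10        # RemoteInteractive session established

# Constructed sample: "timestamp,event_id,logon_type,account,source_ip"
SAMPLE_EVENTS = """\
2017-11-20T02:10:01,4625,3,admin,203.0.113.50
2017-11-20T02:10:04,4625,3,administrator,203.0.113.50
2017-11-20T02:10:09,4625,3,backup,203.0.113.50
2017-11-20T02:10:15,4625,3,administrator,203.0.113.50
2017-11-20T02:10:22,4625,3,svc_sql,203.0.113.50
2017-11-20T02:10:30,4625,3,administrator,203.0.113.50
2017-11-20T02:10:41,4624,10,administrator,203.0.113.50
2017-11-20T08:59:12,4625,10,jsmith,198.51.100.7
2017-11-20T08:59:40,4624,10,jsmith,198.51.100.7
2017-11-20T09:00:00,4625,3,ops,192.0.2.9
2017-11-20T11:00:00,4625,3,ops,192.0.2.9
2017-11-20T13:00:00,4625,3,ops,192.0.2.9
2017-11-20T15:00:00,4625,3,ops,192.0.2.9
2017-11-20T17:00:00,4625,3,ops,192.0.2.9
2017-11-20T19:00:00,4624,10,ops,192.0.2.9
"""


def parse_events(text):
    """Parse the CSV-style export into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, account, ip = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["time"])


def find_bruteforce_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when an RDP logon succeeds after >= threshold recent failures from the same IP."""
    failures = defaultdict(deque)   # source IP -> recent (time, account) failures
    alerts = []
    for e in events:
        recent = failures[e["ip"]]
        # Forget failures that fell out of the sliding window.
        while recent and e["time"] - recent[0][0] > window:
            recent.popleft()
        if e["event_id"] == FAILED_LOGON and e["logon_type"] in FAILURE_TYPES:
            recent.append((e["time"], e["account"]))
        elif e["event_id"] == SUCCESSFUL_LOGON and e["logon_type"] == RDP_SUCCESS_TYPE:
            if len(recent) >= threshold:
                alerts.append({
                    "ip": e["ip"],
                    "account": e["account"],
                    "time": e["time"],
                    "failed_attempts": len(recent),
                    "accounts_tried": sorted({acct for _, acct in recent}),
                })
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_logons(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The single mistyped password from 198.51.100.7 and the slow failures from 192.0.2.9 stay below the threshold inside the window; only the burst from 203.0.113.50 is reported.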

When we think of cryptocurrency, we usually associate it with bitcoin, but there are plenty of others. Hundreds, in fact. Cybercriminals install miners for a whole array of coins, as we saw in a case we wrote about which involved mining software for Monero and took place before the WannaCry attacks.

This time, according to a report by RedLock Cloud Security Intelligence (CSI), Amazon Web Services servers were compromised by cybercriminals who were able to access the system. However, in an unusual development, hackers did not seek to steal data or block the servers, but rather sought to access the system’s power for bitcoin mining. According to the information disclosed by RedLock, Amazon was not the only company attacked, as Aviva and Gemalto, two multinationals, were also mentioned in the report as victims.

What to Do to Protect Your Server

This latest hack shows the importance of creating robust corporate passwords. They don’t even need to be hard to remember. And of course, do not pass up advanced cybersecurity solutions that monitor the organization’s systems in real time, detecting and stopping any suspicious behavior that could be harmful.

The post Cryptocurrency Mining Takes its Toll on AWS Servers appeared first on Panda Security Mediacenter.


OnePlus Secretly Collects Way More Data Than It Should — Here’s How to Disable It


There is terrible news for all OnePlus lovers.

Your OnePlus handset, running OxygenOS—the company’s custom version of the Android operating system, is collecting way more data on its users than it requires.

A recent blog post published today by security researcher Christopher Moore on his website detailed the data collection practice by the Shenzhen-based Chinese smartphone maker, revealing that OxygenOS built-in analytics is regularly sending users’ data to OnePlus’ servers.

Collecting basic device data is a common practice among software makers and device manufacturers to identify, analyse and fix software issues and help improve the quality of their products, but OnePlus was found to be collecting user identification information as well.

Moore simply started intercepting the network traffic to analyse what data his OnePlus device sends to its servers, and found that the data collected by the company included:

  • User’s phone number
  • MAC addresses
  • IMEI and IMSI code
  • Mobile network(s) names
  • Wireless network ESSID and BSSID
  • Device serial number
  • Timestamp when a user locks or unlocks the device
  • Timestamp when a user opens and closes an application on his phone
  • Timestamp when a user turns his phone screen on or off

It is clear that the above information is enough to identify any OnePlus user.

“Wow, that is quite a bit of information about my device, even more of which can be tied directly back to me by OnePlus and other entities,” Moore said.

“It gets even worse. These event data contain timestamps of which activities were fired up in which applications, again stamped with the phone’s serial number.”

Moreover, there’s no direct option available to disable this data collection behaviour.

This same issue was also publicly reported to OnePlus in July last year by another security researcher and software engineer, who goes by the online moniker “Tux,” but the problem got ignored by OnePlus as well as others.

Moore also reported this issue to OnePlus support, but the team did not provide any solution to address it, and OnePlus has not yet responded.

However, the good news is that Jakub Czekański, an Android developer, today introduced a permanent solution to disable this data collection practice even without rooting your smartphone.

You can directly connect your OnePlus device in USB debugging mode to a computer, open an adb shell and enter the following command to get rid of OnePlus’ excess data collection:

pm uninstall -k --user 0 net.oneplus.odm
