Blog Feed
Reddit was hacked: how it happened, who the victims were, and why SMS authentication failed
Reddit was hacked. The attackers extracted usernames, e-mail addresses, passwords (salted and hashed, fortunately) and the complete private messages of users who joined the site before 2007. They also obtained the e-mail addresses and usernames of every user who received the site's e-mail digests in June 2018. SMS authentication failed: the attackers intercepted the SMS messages carrying one-time passwords and gained access to the accounts of several Reddit employees. Let's take a closer look:
What exactly happened, and what is Reddit doing to limit the consequences of the attack?
Who were the victims of the Reddit attack, and how can you tell whether you are one of them?
Why did SMS-based two-factor authentication fail, and what should you replace SMS with if you still rely on it?

Reddit just disclosed a breach, says it's still investigating severity. Of particular note was that the intruders managed to bypass SMS-based two-factor authentication in the compromise. https://t.co/LCu6XAVn34 This is why physical 2-factor or at least app-based 2FA is superior. — briankrebs (@briankrebs) August 1, 2018

How Reddit was hacked
On June 19, 2018, the Reddit team discovered that there had been a data leak. The attack itself happened sometime between June 14 and 18. The attackers compromised the accounts of several Reddit employees who had access to cloud storage and source code. Those accounts were protected by two-factor authentication, but by the traditional, old-fashioned method of delivering one-time passwords by SMS. The attackers intercepted the SMS messages containing the one-time passwords and so bypassed the second factor. Had Reddit's staff been using hardware tokens, or even app-based OTP generators, whose codes never travel over the phone network, an SMS intercept would have gained the attackers nothing. Despite the seriousness of the attack, the attackers were not able to change anything in Reddit's systems: they had read-only access.

Nonetheless, they could view source code, configuration files and internal logs, and they were able to download backups. Thus all data about users and the operation of the forum, from its founding until 2007, fell into the attackers' hands. They also downloaded the database of e-mail addresses of users who received e-mail digests in June 2018.

What Reddit has done
First of all, Reddit's administrators strengthened the logging, encryption and monitoring systems. They also discontinued SMS authentication in favor of software and hardware OTP tokens. They reported the incident to law enforcement, and an investigation was launched. Users who may have been affected were sent messages about the incident, encouraging them to look after the security of their accounts: change passwords and enable two-factor authentication. Detailed instructions on how to activate two-factor authentication for Reddit are available here.

So is Reddit actually emailing people who had their addresses and usernames exposed? The way this reads, it doesn't sound like it and they're relying on people to check if they've been receiving email digests and draw a conclusion from that, right? https://t.co/s2pFDAD9NN — Troy Hunt (@troyhunt) August 1, 2018

Who was affected by the Reddit attack
Reddit's team is not disclosing the number of affected users. All the same, we are talking about millions of people. The affected users fall into two groups: Everyone...
How to enable two-factor authentication on Reddit
Learn more about the Protectimus Slim NFC security token or order one here: Protectimus Slim NFC. The best 2FA token to protect your Reddit account!

To set up two-factor authentication on Reddit, first log in to your Reddit account and start the two-factor authentication setup:
1. Go to the "User Settings" page via the navigation menu in the upper right corner.
2. Click "Privacy & Security".
3. Choose "Two-factor authentication".
4. Click the "click to enable" button.
5. Confirm that your e-mail address is correct.
6. Enter your password and click "Next".
7. You will see a QR code encoding the secret key. Scan it with your authentication app (Google Authenticator, Protectimus Smart, Authy, etc.) or write it to your Protectimus Slim NFC hardware security token. Learn how to program the Protectimus Slim NFC token.
8. Once you have programmed the hardware OTP token or enrolled a software token on your smartphone, enter the 6-digit one-time password in the corresponding field and click "Enable two-factor".
9. You will see a notification that two-factor authentication was set up successfully.
Enjoy reliable and convenient protection for your account: make hackers' lives difficult with two-factor authentication on! Main image...
Non-SMS Two-Factor Authentication for Instagram. Why Is It Good?
Did you know that your Instagram two-factor authentication relies on a technology with a hole as big as the one the iceberg left in the Titanic? And the same faulty technology may still be guarding your Facebook and Twitter accounts. Last but not least, you use the same technology to confirm most of your online purchases, so your bank account can be compromised as well. The name of that flawed technology is SMS authentication.

SMS-based two-factor authentication has a few serious drawbacks that undermine the whole scheme:
SMS messages are stored and delivered in plaintext on your smartphone and can be read by malware;
SMS messages are transmitted over inadequately protected carrier channels;
Any mobile operator employee with the right access can move your phone number to another SIM card.

Therefore, either by bribing a mobile operator employee with access to the SMS system or by using the technique known as "SIM porting" (SIM swapping), hackers can steal your Internet identity. Control over OTPs opens up a wide field of manipulation, from stealing your Facebook, Twitter or Instagram account via the password reset procedure (which is exactly what happened when Katy Perry's Twitter account was hacked) to draining your bank accounts, as banks still mostly rely on SMS for two-factor authentication.

Fortunately, more and more services are moving to more secure two-factor authentication alternatives, and Instagram supports this good trend. On July 18, 2018, a TechCrunch article announced that Instagram had started building non-SMS two-factor authentication.

Instagram is finally working on token-based two-factor authentication!! 🎉 Thank you Instagram! I have been waiting for this since 2016! We finally won't have to rely our account's security on SMS! 😍 pic.twitter.com/u0iIPTaZO2 — Jane Manchun Wong (@wongmjane) July 17, 2018

What's wrong with SMS authentication?

1. SIM swap is real!
Hackers can contact the mobile operator's support with a request to port your phone number to another SIM card, and by passing the identity check with social engineering they will receive your SMS messages (including the ones with one-time passwords) from then on. In fact, SIM porting has become so common, and the weaknesses of SMS for two-factor authentication so well established, that the US National Institute of Standards and Technology (NIST) recommended against using SMS for OTP delivery back in 2016, in its draft of Special Publication 800-63B. However, the majority of the financial industry, healthcare, insurance and so on have not yet followed this call. Almost any business handling your personally identifiable information (PII) promotes SMS two-factor authentication as an additional security measure or at least offers it to its users.

| Read also: Dutch Scientists: SMS Verification Is Vulnerable

2. Your smartphone might be compromised with malware
SMS messages are stored in plaintext on your mobile device. Many smartphones are susceptible to banking Trojans such as Perkele, Zitmo, Zeus or Citadel, which arrive bundled with third-party apps and read the SMS messages carrying OTP codes. So although your smartphone is treated as a safe second device for the case when your PC or laptop is compromised, it is the smartphone that can provide the backdoor to your data.

3. Don't rely on...
How to Protect Your Privacy on Facebook
Personal privacy protection has become a hot topic in the last few months, largely because of the EU General Data Protection Regulation (GDPR), which came into force in May 2018, and the Cambridge Analytica scandal. Facebook reacted almost immediately and provided tools for viewing and protecting your personal information. In this article we will talk about what information Facebook collects about you, why that is dangerous, and how to protect your privacy on Facebook so as not to become a victim of the next "Cambridge Analytica scandal", or of phishing, social engineering and so on. To make the article easier to navigate, here is the list of topics we are going to cover:
What does Facebook know about you
Cambridge Analytica scandal explained
How to protect your data from similar future misuse
How to make your Facebook profile private
General privacy settings
Facebook photo privacy settings
Facebook apps privacy settings
Facebook posts privacy settings
Facebook friends privacy settings
Advanced privacy settings
How to delete your Facebook account

What Does Facebook Know About You?
We could simply say "everything", but it's not that simple. The information stored on Facebook depends entirely on you and the permissions you granted on your devices. Since most of us don't pay much attention to what we let devices or apps do, if you are an active user you are likely to be shocked by the amount and detail of the data Facebook holds about you. We'll go through the types of this information and give you some tips on how to protect your privacy on Facebook. But first, here are the instructions for downloading the information Facebook has about you.

How to get your data
Log in to your Facebook account and click the down arrow in the upper right corner. From the drop-down list choose "Settings". There you will see a message asking you to proceed to "Your Facebook information"; you can also find this option in the panel on the left.

From the "Your Facebook information" page you can view and download your full history. If you opt to download, it may take some time; exactly how long depends on how long you have been using the network, how active you were, and what kind of information you uploaded. The data is provided as a password-protected zip file. On the download page you can choose to download all your data or only a certain period, and you can choose which types of information you want. The file can be downloaded in HTML or JSON format; JSON is useful if you want to import the data somewhere else. Once generated, the file is available for download on the same page under the "Available Files" tab for four days.

Types of Personal Information Stored on Facebook
The index.html file in the root of the folder opens the archive in your browser, so you can navigate through everything as you would any web page. There you'll find that Facebook knows your username, real name, password changes, the contacts of people whose Facebook profiles you linked with the numbers in your phone, your calls and messages (if...
Man In The Middle Attack Prevention And Detection
In an age of dependence on modern technology, cybersecurity deserves more attention than ever. We leave a huge trace of our identity online, not to mention the enormous digital trail we leave in social networks when posting geotagged photos, resharing the news and opinions we consider important, and commenting on everything we have a view on. We also use online banking for almost all our payments and e-government services to avoid facing bureaucracy in person. Remember, every byte of such sensitive data can be stolen and used against you. If you become the victim of an attack you can lose all your money, and more than that. One of the most dangerous and inconspicuous hacking techniques is the man in the middle attack. If it happens while you transmit sensitive data to your bank or, say, the tax office, you won't even notice that something is wrong while the attacker steals your login credentials and whatever else is needed to take over your accounts. In this article we'll explain:
what a man in the middle attack is
how MITM attacks are performed
how to protect your company from MITM attacks
how to protect yourself as an ordinary user from man in the middle attacks
So, let's begin!

What Is a Man In The Middle Attack?
Before we start digging into how to stop a man in the middle attack, we should agree on what it is. A man in the middle attack is the digital equivalent of eavesdropping. It can occur whenever a device transmits data to a server or website: for instance, a smartphone sending its location to the server of an installed app, or a computer sending login credentials to a bank's server. The attacker intercepts the data being exchanged. If the connection is not encrypted, the attacker doesn't even have to decrypt anything; if it is, he must first trick the client into accepting a certificate or key under his control.

After the data is captured, it is usually forwarded to the intended server unchanged, though in some cases the attacker modifies it; that depends on the attacker's purpose.

Man In The Middle Attack Explained
Now let's explain the man in the middle attack in more detail. You could easily have fallen victim to a man in the middle attack before you ever had a computer, because there can be a man in the middle of any channel used for exchanging data. For instance, unbeknownst to you, the mailman could take all the letters you wrote, open the envelopes, read them, reseal them so that nobody could tell they had been opened, and deliver them to the addressee. If you think "oh, I wouldn't mind anyone reading my letters", think twice. What if you sent legal papers? Or business plans? Returning to the Internet age, ask yourself again: what data do you send to servers? It could be anything from funny memes to approving transactions in an online banking system. Online, a man in the middle attack works the same way. For instance, let's imagine you connect to...
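The simplest way for an attacker to get "in the middle" of a company LAN is ARP spoofing: the attacker answers ARP requests for the gateway's IP address with his own MAC address, the victims' traffic then passes through his machine, and any unencrypted login (plain HTTP, as in the bank example above) is readable in transit. The following Python is an added example written for this page, not code from the article: it runs a small detector over a constructed ARP-reply capture (the line format and the addresses are assumptions for the example) and raises an alert when an IP address changes its hardware address or a single MAC starts answering for several IPs, which is the rule tools such as arpwatch apply.

```python
"""ARP-spoofing detection over an ARP-reply capture: added example, not the article's
code. Sample lines and addresses are constructed; the line format mimics the
'IP is-at MAC' summary printed by common sniffers."""
import re
from collections import defaultdict

# Constructed capture. 10.0.0.1 is the real gateway (aa:bb:cc:00:00:01). From the fourth
# line on, host 10.0.0.66 (de:ad:be:ef:00:66) claims the gateway's and a client's address.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01
12:00:02.000 ARP, Reply 10.0.0.66 is-at de:ad:be:ef:00:66
12:00:03.000 ARP, Reply 10.0.0.7 is-at aa:bb:cc:00:00:07
12:00:04.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:66
12:00:05.000 ARP, Reply 10.0.0.7 is-at de:ad:be:ef:00:66
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.IGNORECASE,
)


def parse_arp_replies(capture: str):
    """Yield (timestamp, ip, mac) for every ARP reply line; other lines are ignored."""
    for line in capture.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoofing(capture: str, known: dict = None, max_ips_per_mac: int = 1):
    """Return a list of (timestamp, rule, subject, detail) alerts.

    `known` holds static, trusted IP->MAC bindings (at least the gateway's); without it
    the first binding seen is trusted, which is only safe if the capture starts before the
    attacker does. Rules: (1) an IP's MAC differs from the trusted one; (2) one MAC answers
    for more than `max_ips_per_mac` addresses, i.e. it is poisoning several victims."""
    ip_to_mac = dict(known or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_arp_replies(capture):
        trusted = ip_to_mac.setdefault(ip, mac)
        if trusted != mac:
            alerts.append((ts, "ip-mac-change", ip, f"{trusted} -> {mac}"))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append((ts, "mac-claims-multiple-ips", mac, sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_CAPTURE, known={"10.0.0.1": "aa:bb:cc:00:00:01"}):
        print(*alert)
```

The `known` table matters: if the attacker is already poisoning the segment when monitoring starts, a detector that trusts the first binding it sees will happily record the attacker's MAC as the gateway's and stay silent. Static entries for the gateway and other critical hosts, or a switch feature such as Dynamic ARP Inspection, close that gap.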
Cybersecurity vs. Information Security
There is currently a large number of similar terms in use in the field of international information security, some of them without a generally recognised definition. The most heated debates concern the interpretation of the terms "cybersecurity" and "information security" and related semantic nuances. Telling the difference between them is quite relevant, because nowadays many banking regulators require banks to implement their own cybersecurity systems and information security policies. It is therefore necessary to know what these terms mean, which side a threat can come from, and how it can be prevented. So, what is the difference between the two?

Information security (often shortened to InfoSec) is usually understood as the protection of all of a company's information from deliberate or accidental actions that cause damage to its owners or users. First of all, information security is aimed at risk prevention. Most often what gets stolen from companies is financial documents and the logins and passwords used to enter various organisations' networks. That is what happened in July 2017 at the Equifax credit bureau in the US, one of the largest losses of personal data on record: the attackers obtained personal information on more than 143 million consumers and 209,000 credit card numbers. On September 8, 2017, the bureau's shares fell by 13%.

When building an information security program, special attention should be paid to the management structure you apply. InfoSec experts use the CIA triad (the abbreviation of its three components) as a guide for developing the policies and procedures of an effective information security program. The components are:

Confidentiality: the primary objective is limiting access to information. An account or routing number entered during online banking is a good example. Encrypting data is the general method of providing confidentiality. User IDs and passwords are the standard procedure; two-factor authentication is becoming the norm, and biometric authentication and hardware and software security tokens are popular options as well.
Integrity: maintaining the consistency, accuracy and trustworthiness of data throughout its life cycle. Data must not be altered in transit, and controls must ensure it cannot be changed by unauthorised people.
Availability: authorised users should have reliable access to the information they need when they need it, which means all software and hardware must be adequately provisioned and regularly updated.

| Read also: General Data Protection Regulation Summary

The CIA triad is the reference model for securing your organisation; its three components provide a solid set of security controls for storing and protecting your data.

Current kinds of information security threats:
First and most common: employee carelessness and negligence. In 2010 an iPhone 4 prototype was left in a bar by an Apple employee, Gray Powell. The official presentation of the device was still several months away, but a patron found it and sold it for $5,000 to Gizmodo journalists, who promptly published an exclusive review.
Using pirated software. According to Microsoft research, 7% of the unlicensed programs studied contained software for stealing passwords and personal data.
DDoS attacks (Distributed Denial of Service). Usually these attacks are...
Phishing, Vishing, Smishing, Pharming – What Is the Difference
The Internet has become an integral part of our lives. It offers many opportunities, such as communication, shopping, paying bills and entertainment, but unfortunately not everyone uses it for the good of society. Alongside the rapid growth of online services, many types of fraud have appeared that aim to obtain confidential data and exploit it for profit. The main ones are phishing, vishing, smishing and pharming. However, to protect your personal data online it is enough to follow elementary data protection rules and to know how to recognise the common threats and how to counter them. That is exactly what this article discusses.

Phishing
Phishing is one of the most widely used methods of Internet fraud today. It is a way of obtaining secret information in which the attacker uses well-known social engineering methods to get users to hand over their personal data themselves: a bank card number and security code, phone number, login, password or e-mail address for particular services. Phishing is mainly used to gain access to users' online banking accounts or e-wallets, with the aim of withdrawing funds to the fraudster's account.

So how does phishing work? A user receives a phishing message in their mailbox that, first of all, plays on emotions: for example, a notification about a big win or, on the contrary, a notification that the account has been hacked, with a suggestion to follow a link and enter the login details. The user goes to the provided site and "gives away" the login and password to the fraudster, who quickly puts the information to use. Some specific examples of Internet phishing:

Attackers send out millions of messages on behalf of a well-known company asking recipients to confirm their login and password. When you click the provided URL you see an authorisation page that is identical to the one on the original site. The trick is most likely hidden in the link: the domain is very similar to the real one but differs by a few characters. A similar kind of phishing message can also be found on social networks.
Phishers can exploit the lack of sender verification in the SMTP protocol to send e-mails with a forged "Mail From:" line. Replying to such a message, the user sends the answer directly to the offender.
It is also necessary to be cautious when taking part in online auctions and sales, since goods offered for sale, even on a legitimate site, may be paid for through a third-party fraudulent website.
Many users encounter fictitious Internet organisations that request donations.
Online shops with extremely low prices for branded goods can also be counterfeit; as a result, you may pay for a product that will never arrive because it never existed.

| Read also: Top 7 Tips How to Protect Yourself from Phishing Scams

Vishing
Vishing (voice + phishing) is another variety of phishing that also uses social engineering, but by phone call. This is how attackers, let's call them "vishers", usually act: the user receives a phone call, for...
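The tell-tale sign in the first example above is a domain that differs from the real one by a few characters. The following Python is an added example written for this page, not code from the article: it checks the registrable domain of a link against a constructed watch-list of brand domains using the tricks phishers actually use (digit-for-letter substitutions, a character or two changed, the brand name buried in a longer domain or used as a subdomain) and reports why a link was flagged. The watch-list, the substitution table and the one-label-TLD assumption are all simplifications made for the example.

```python
"""Look-alike domain detection for phishing links: added example, not the article's code.
The watch-list of brand domains is constructed for the example; a real deployment would
use the organisation's own domains and a proper public-suffix list."""
from urllib.parse import urlparse

PROTECTED_DOMAINS = ["paypal.com", "reddit.com", "facebook.com", "google.com"]

# Character substitutions that read like the real letter at a glance (0 -> o, rn -> m ...).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m", "cl": "d"}


def normalise(label: str) -> str:
    """Fold common substitutions back to what a human reads them as."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes separate the two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(url: str):
    """Return (host labels, registrable domain). Assumes a one-label TLD; multi-label
    suffixes such as co.uk need a public-suffix list, which is out of scope here."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().strip(".")
    labels = host.split(".")
    return labels, ".".join(labels[-2:])


def classify_url(url: str, protected=PROTECTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched brand domain or None, reason) for a link."""
    labels, domain = split_host(url)
    if domain in protected:
        return ("legitimate", domain, "exact match")
    sld = domain.split(".")[0]            # 'paypa1' in 'paypa1.com'
    for brand in protected:
        brand_sld = brand.split(".")[0]
        if brand_sld in labels[:-2]:       # paypal.com.evil.net
            return ("lookalike", brand, "brand name used as a subdomain")
        if normalise(sld) == brand_sld:    # paypa1.com, g00gle.com
            return ("lookalike", brand, "homoglyph substitution")
        distance = levenshtein(sld, brand_sld)
        if 0 < distance <= max_distance:   # reddlt.com, facebok.com
            return ("lookalike", brand, f"edit distance {distance}")
        if brand_sld in sld:               # facebook-security-login.com
            return ("lookalike", brand, "brand name embedded in domain")
    return ("unknown", None, "no protected brand matched")


if __name__ == "__main__":
    for link in ["https://www.paypal.com/signin", "http://paypa1.com/login",
                 "http://reddlt.com/", "https://facebook-security-login.com/",
                 "http://paypal.com.evil.net/", "https://example.org/"]:
        print(link, "->", classify_url(link))
```

Note that the check is on the host part of the link, not on the link text: a phishing e-mail routinely shows the genuine URL as the visible text while the underlying href points at the look-alike, so the value fed to `classify_url` must be the actual target of the link.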
How to Protect Your Business Against Cyber Crime
Is your business underestimating the impact of a potential cyber security breach? Even though cyber crime is estimated to cost businesses billions a year, many companies don't understand how they could be under threat. Not sure where to start? Here's how to protect your business against cyber crime.

Understand What You're Up Against
Before taking any other action, work out how secure your business is now. A cyber security audit will give you a clear picture of where your business stands while identifying potential threats. An audit should take both external and internal threats into account: for example, an employee who brings an infected home device to work can cause just as much harm as an outside hacker. You should also back up data regularly to limit the damage a cyber attack could cause, and installing anti-malware software is an essential step in guarding against threats. From cookie theft to key logging, the list of potential threats can seem endless; it pays to stay informed about all of the risks, including new variants of old scams. An example of an old scam that remains a threat today is phishing, which comes in many forms and can be very deceptive. The world of cyber crime is constantly evolving, which makes it hard to keep track of, but by doing your due diligence and keeping up to date with recommended practice you give your business the best chance of being protected.

Implement a Cyber Security Plan
Once your risk assessment is mapped out, it's time to put a strategic plan together. The first step is to implement a risk management policy and make sure all employees are informed of the changes. Everyone associated with your organisation, including suppliers and contractors, needs to comply with your security plan; anyone who doesn't should be treated as a security risk! Pay extra attention to reviewing your password policy; ideally, all accounts and devices should use two-factor authentication wherever possible. Continue to monitor and test your security controls after the plan has been implemented, and if you notice any abnormal activity within your business, act on it before it's too late.

Use Security Solutions
In the dark about the steps needed to protect your business? Fortunately there are a number of schemes and solutions to help. In the UK there is the government-backed Cyber Essentials scheme, which is said to protect against up to 80% of common cyber attacks. Alternatively, GCHQ Certified Training can give you an in-depth understanding of cyber security and of the process of protecting your company. These schemes cover a variety of bases, including:
ensuring your Internet connection is secure;
safeguarding devices;
restricting access to your data;
providing virus protection;
reducing the threat of hacking.
So while it's essential to have your own cyber security plan in place, using existing schemes can help ensure your business is as secure as possible.

Be Prepared to Be Hacked
Prepare for all eventualities! By preparing for a cyber attack you'll have a much better chance of dealing with it effectively. Unfortunately, every business is a potential victim of cyber crime. Having a plan in place to deal with an attack...
Data Protection in Universities under GDPR
Educational institutions and their data protection departments handle and process a huge volume of personal data. Confidential information about employees, students and applicants is often stored in databases with an extremely low level of protection. Most institutions pay too little attention to the potential consequences of a data breach, and the budgets for data protection in universities leave much to be desired. Unfortunately, an effective approach to data management and security is a rare find among educational establishments: attention goes mainly to things that are more obvious but less risky. According to the Breach Level Index report, nearly 100 breaches were recorded in education in 2015. That is a stunning number considering that the total number of breaches that year was around 970: more than 10% of all breaches occurred in educational institutions. In the digital era, information plays a vital role; it is the core of our lives, and a lack of data protection can damage businesses and industries or even destroy people's lives. Indifference to data breaches is inevitably becoming untenable, and once the General Data Protection Regulation (GDPR) enters into force this issue can be ignored no longer.

"We're all going to have to change how we think about data protection." – Elizabeth Denham, UK Information Commissioner

Why Data Protection in Universities Matters
Why is data protection in universities so important? It's simple: the concentration of vital data in educational institutions is so high that a breach would certainly lead to reputational damage and heavy financial losses. The list of sensitive data in educational establishments varies with their specialisation, size and functions, but first of all university data protection systems have to take care of three crucial categories:
Staff and student personal information: names, addresses, e-mails, phone numbers, emergency contact details, dates of birth, academic qualifications, details of any disabilities and criminal convictions, etc.
Payment data: information about transactions, payment recipients and senders, etc.
Scientific research data. Just think about it: how can intellectual leaders hold their positions if they lose important data and research results? These people should be taking care of mankind's knowledge, not of potential fraud and cyber attacks.

University data security systems face the same issues and risks as any other organisation. For example, the two most common sources of risk, for universities and for everyone else, are poor passwords and downloading files from unsafe websites. Consequently, data protection rules in universities are similar to those of any other organisation; there is the data protection act, which mainly regulates what personal data is and how to protect it. But there are also some specific weaknesses that attract hackers' interest in educational institutions and need to be addressed as soon as possible. Here they are.

| Read also: 10 Steps to Eliminate Digital Security Risks in Fintech Project

1. Inconsistent Regulation
There is no approved set of official rules regulating university data protection. There are some particular regulations, such as those covering academic records, PII and PCI rules, or medical records, and national laws also affect university data protection guidelines. But these pieces of legislation are not put together...
General Data Protection Regulation Summary
May 25 will certainly be a key date in the history of the European Union. On this day the General Data Protection Regulation (GDPR) takes full effect, expanding the obligations of both controllers and processors with respect to data privacy. Under the rules this document activates, all companies and organisations across the EU will have to enhance their transparency and accountability measures. Put simply, unless they are ready to receive a fine of up to 20 million euros (or 4% of annual worldwide turnover, whichever is higher) under the new General Data Protection Regulation, they will need to revise their security policies and launch new data protection measures to reduce the risk of a data breach. As every business is unique and has its own set of protective measures, it is impossible to predict exactly what you as an entrepreneur will have to do to be fully ready for GDPR compliance. In this article, however, we will explain the principles of the General Data Protection Regulation 2018 and offer a short summary of the changes so that you can understand what actions you should take.

10 facts your company needs to note about the GDPR

GDPR concerns you, anyway. The most crucial fact about the General Data Protection Regulation of 2018 is that it applies to every organisation in the world that processes the personal data of individuals in the European Union. It is the first EU regulation to extend its reach to non-member countries. The authors of the law believe it will change the way personal information is handled the world over.

GDPR offers a new understanding of "personal data". It has always been rather difficult to decide whether a piece of information is "personal" or not; with the new regulation the notion of personal data broadens even further. For example, the GDPR extends protection to location data and online identifiers (such as IP addresses and cookies), recognising the cloud-based nature of many modern organisations. Moreover, it classifies genetic and biometric data, such as gene sequences or fingerprints, as sensitive information.

Valid consent is more important than ever. Under the GDPR, companies will have to ensure the terms of their agreements are written in clear and precise language. What is more, a client's inactivity will no longer count as consent by default. Organisations must explain what kinds of personal data they will collect and why; without clear consent, or another lawful basis for processing, it will not be possible to use the information.

Please welcome the DPO, the Data Protection Officer. Under the European data privacy regulation a new position, the Data Protection Officer, should be created in companies to deal with personal data. The GDPR's criteria are not based on the number of employees working with personal information, as was widely accepted before; they focus on the way data is processed instead. For that reason, specific specialists should be assigned to oversee those processes.

Data Protection Impact Assessments. The GDPR text also introduces mandatory Data Protection Impact Assessments (DPIAs, also called privacy impact assessments) to identify the risks of collecting and processing sensitive data. DPIAs will be required in situations...