PROJET AUTOBLOG


The Hacker News

Original site: The Hacker News


Instagram Adds Two-Step Verification to Prevent Account from being Hacked

Wednesday, 17 February 2016 at 16:34
Hijacking an online account is not a complicated procedure, at least not in 2016.

Today, Instagram confirmed that the company is in the process of rolling out two-factor authentication for its 400 million users.

It is impossible to make your online accounts hack-proof, but you can make them less vulnerable.

So what can you do to protect yourself from hackers?

Several companies offer additional protections such as encrypted channels, security questions, strict password policies and so on.

But what would you do if a hacker had somehow managed to obtain your account passwords?

Online accounts have no built-in way to verify that the person logging in is the legitimate owner beyond a username and password match.

That is where the concept of Two-Factor Authentication (2FA) comes in.

Giants like Google, Facebook, Twitter and Amazon have already added 2FA to their services to tackle account hijacking.

Two-factor authentication, or two-step verification, is an additional security mechanism that confirms a user is legitimate only after a second identification step: a randomly generated security code is sent to the user by call or SMS and must be entered to authenticate.

Two-factor authentication keeps hackers out of your online accounts even if they have your username and password.

Now the multimedia-sharing giant Instagram has joined them by implementing two-step verification.

Better late than Never:

However, the decision could be criticized as late: its parent company Facebook implemented 2FA five years ago.

Current users should not expect the new two-step verification feature to reach them right away, as the company has said it will roll out phone verification gradually.

There is good news for Singapore residents, though: they will be the first to receive the rollout.

Instagram account hacks are nothing new; many videos and images of celebrities have leaked online in past years.

Hackers can wreak havoc by hijacking or deleting Instagram accounts, flooding an account with illegitimate content and more. Taylor Swift was one such victim of an Instagram hack.

To protect yourself from hackers, enable two-factor authentication as soon as the Instagram security feature rolls out for your country.

NSA’s Top-Secret SKYNET May Be Killing Thousands of Innocent Civilians

Wednesday, 17 February 2016 at 13:32
So what do you expect from an artificially intelligent program run by a government intelligence agency?

Possibly killing innocent people.

The real-life SKYNET, named after the malevolent artificial intelligence in the Terminator movies, is a surveillance program run by the US National Security Agency (NSA) that uses cell phone metadata to track the GPS location and call activity of suspected terrorists, who may then be struck by a Hellfire missile.

Now, a new analysis of previously published NSA documents leaked by former NSA contractor Edward Snowden suggests that many of the people killed on the basis of metadata may have been innocent.

Last year, leaked documents detailing the NSA's SKYNET programme, published by The Intercept, showed that the NSA had applied a machine-learning algorithm to the cellular network metadata of 55 million people in Pakistan to rate each person's likelihood of being a terrorist.


Bear in mind that the US drone bombing campaigns in Pakistan have been going on for years.

Elementary Errors in SKYNET


However, the spy agency made elementary errors in its machine-learning approach, which led to thousands of false leads, potentially exposing innocent people to remote assassination by drone.

One of the leaked slides claimed that SKYNET had a false-positive rate as low as 0.008% in some cases, and the NSA was feeding it the phone records of about 55 million people.

But Ars Technica points out that even at this minute rate, many innocent people could be mislabeled. Some of the NSA's tests saw error rates as high as 0.18%, which means mislabeling nearly 99,000 people out of the 55 million.

"There are very few 'known terrorists' to use to train and test the model," Patrick Ball, the executive director of Human Rights Data Analysis Group, told the site. "If they are using the same records to train the model as they are using to test the model, their assessment of the fit is completely bullshit."

It is not yet clear what purpose SKYNET serves. Although it could be part of non-violent surveillance programs, such as tracking and monitoring suspected terrorists, Ars suggests the technology could be used to target drone strikes.

US Drone Strikes Killed Almost 4,000 People


Since 2004, the United States government has carried out hundreds of drone strikes against alleged terrorists in Pakistan and killed somewhere between 2,500 and 4,000 people, the Bureau of Investigative Journalism reported.

The NSA has not yet commented on how the agency used SKYNET or how the technology was trained.

But Does Killing People "Based on Metadata" Actually Make Sense?

It may be easy to say yes, it makes sense, when it has happened or is happening far away in a foreign land. But imagine SKYNET being turned on us.

Judge Orders Apple to Unlock iPhone Used by San Bernardino Shooters

Wednesday, 17 February 2016 at 11:47
Apple has found itself in a tangled situation that could become a security threat to its users in the near future: it has been ordered to help the FBI unlock an iPhone.

US Magistrate Judge Sheri Pym has ordered Apple to provide reasonable technical assistance in the case of Syed Farook, who with his wife Tashfeen Malik carried out the coordinated 2015 San Bernardino attack that killed 14 people and injured 22.

As part of the investigation, the Federal Bureau of Investigation (FBI) seized Farook's iPhone 5C, which is of little use as evidence unless it can be unlocked by some means.

Apple has previously made crystal-clear statements about its encryption policy: even the company cannot decrypt a phone's data, because the private key lies at the user's end.

Lavabit faced a similar problem three years ago, when it was forced to shut down its service soon after the FBI demanded its SSL keys in order to snoop on emails.

However, rather than ordering Apple to break the encryption itself, the judge has ordered the company to find an alternative way to unlock the iPhone while keeping its data intact.

Can Apple Unlock iPhone? Yes, Here's How:

Since iOS 8, Apple has shipped a security mechanism called Data Protection, which uses a 256-bit AES key to encrypt everything on the device.

The passcode a user enters is itself used as part of the encryption key, so neither an attacker nor Apple itself can unlock the iPhone until the user re-enters the passcode.

Besides Data Protection, Apple offers an "Auto-Destruct Mode" security feature that erases all data on the iPhone if an incorrect passcode is entered 10 times in a row, making the data unrecoverable.

So Judge Pym wants Apple to come up with an alternative that raises the allowed passcode attempts from 10 to millions, so that the data is not wiped during a brute-force attempt.

Apple has not yet confirmed whether it is possible to write code that bypasses the iOS auto-destruct feature.

But if it is possible, it would hand every law enforcement and intelligence agency a backdoor for unlocking iPhones by simply brute-forcing 4- to 6-digit PINs, which takes only a few hours.

We support Apple's policy of not helping to break its users' encryption: once a master key is created to unlock this particular iPhone, we are sure the US government will misuse that power and demand the key again and again in the near future to unlock other phones.

Apple Refuses to Unlock San Bernardino Shooter's iPhone


Update: Apple has rejected the court order to unlock San Bernardino gunman Syed Rizwan Farook's iPhone.

Here's what Apple CEO Tim Cook said in a statement:

"The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand."

"We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."

Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)

Wednesday, 17 February 2016 at 09:27
A highly critical vulnerability has been uncovered in the GNU C Library (glibc), a key component of most Linux distributions, that leaves nearly all Linux machines, thousands of apps and electronic devices vulnerable to hackers who could take full control of them.

Just clicking on a link or connecting to a server can result in remote code execution (RCE), allowing hackers to steal credentials, spy on users, seize control of computers and more.

The vulnerability is similar to last year's GHOST vulnerability (CVE-2015-0235), which left countless machines open to remote code execution (RCE) attacks and represented a major Internet threat.

The GNU C Library (glibc) is a collection of open source code that powers thousands of standalone apps and most Linux distributions, including those shipped on routers and other types of hardware.

The new flaw, indexed as CVE-2015-7547, is a stack-based buffer overflow vulnerability in glibc's client-side DNS resolver, the code used to translate human-readable domain names, like google.com, into IP addresses.

The buffer overflow is triggered through the getaddrinfo() library function, which performs domain-name lookups, and allows hackers to remotely execute malicious code.

How Does the Flaw Work?


The flaw can be exploited when an affected device or app makes a query to a malicious DNS server that returns an oversized answer to the lookup request, flooding the program's memory with attacker-supplied data.

That data can then compromise the vulnerable application or device and be used to take control of the whole system.

It is also possible to inject a domain name into server log files that triggers remote code execution when it is later resolved. An SSH (Secure Shell) client connecting to a server could likewise be compromised.

However, an attacker needs to bypass several operating system security mechanisms, such as ASLR and non-executable stack protection, to achieve a successful RCE attack.

Alternatively, an attacker on your network could perform a man-in-the-middle (MitM) attack and tamper with DNS replies, with a view to monitoring and manipulating (by injecting malicious payloads into) the data flowing between a vulnerable device and the Internet.

Affected Software and Devices


All versions of glibc after 2.9 are vulnerable. Therefore, any software or application that connects to a network or the Internet and uses glibc is at risk.

The widely used SSH, sudo, and curl utilities are all known to be affected by the buffer overflow bug, and security researchers warn that the list of other affected applications or code is almost too diverse and numerous to enumerate completely.

The vulnerability could extend to nearly all major software, including:
  • Virtually all distributions of Linux.
  • Programming languages and frameworks such as Python, PHP, and Ruby on Rails.
  • Many other programs that use Linux library code to look up the numerical IP address of an Internet domain.
  • Most Bitcoin software, which is reportedly vulnerable too.

Who Is Not Affected


The good news is that users of Google's Android mobile operating system aren't vulnerable to this flaw, as Android uses a glibc substitute known as Bionic that is not susceptible, according to a Google representative.

Additionally, many embedded Linux devices, including home routers and various gadgets, are not affected by the bug because they use the more lightweight uClibc library instead of the hefty glibc.

The vulnerability was introduced in May 2008 but was only reported to the glibc maintainers in July 2015.

The vulnerability was discovered independently by researchers at Google and Red Hat, who found that it has likely not been publicly exploited.

The flaw came to light when one of Google's SSH applications crashed with a segmentation fault each time it attempted to contact a particular Internet address, Google's security team reported in a blog post published Monday.

Where glibc went Wrong


Google researchers traced the error to a buffer overflow bug inside the glibc library that made malicious code execution attacks possible. The researchers then notified the glibc maintainers.

Here's what went wrong, according to the Google engineers:

"glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated."

"Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow."
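To make the quoted description concrete, here is an added C model of the buffer-tracking mistake (example code, not glibc's own): a fixed array stands in for the 2048-byte alloca() buffer, a heap buffer is allocated when an answer is larger, and in the buggy variant the recorded size is updated while the pointer still refers to the stack buffer. The copy is bounds-checked against the storage actually pointed to, so the model reports the would-be overflow instead of corrupting memory; the struct and function names are this example's own.

```c
/* Added example: a model of the CVE-2015-7547 bookkeeping mistake, not glibc code.
 * glibc tracked a buffer pointer, a buffer size and the response size across
 * _nss_dns_gethostbyname4_r(), send_dg() and send_vc(); under some conditions the
 * stack buffer was used with the size of the newly allocated heap buffer. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define STACK_ANSWER_SIZE 2048u  /* glibc reserved 2048 bytes via alloca() */

struct answer_state {
    unsigned char  stack_buf[STACK_ANSWER_SIZE]; /* stands in for the alloca() buffer */
    unsigned char *heap_buf;   /* allocated when the answer does not fit the stack buffer */
    size_t         heap_size;
    unsigned char *buf;        /* where the answer is written ... */
    size_t         buf_size;   /* ... and how large the code believes that storage is */
};

static void answer_state_init(struct answer_state *st) {
    memset(st, 0, sizeof *st);
    st->buf = st->stack_buf;
    st->buf_size = STACK_ANSWER_SIZE;
}

/* Capacity of the storage st->buf really points to, independent of buf_size. */
static size_t real_capacity(const struct answer_state *st) {
    return st->buf == st->stack_buf ? STACK_ANSWER_SIZE : st->heap_size;
}

/* Store an answer of resp_len bytes. Returns 1 if the copy stayed in bounds and 0 if it
 * would have overflowed (the copy is then skipped so the model is safe to run).
 * mismatch_pointer = 1 reproduces the CVE pattern: size updated, pointer left on the stack. */
static int receive_answer(struct answer_state *st, const unsigned char *resp,
                          size_t resp_len, int mismatch_pointer) {
    if (resp_len > st->buf_size) {
        unsigned char *nb = malloc(resp_len);
        if (nb == NULL)
            return 0;
        free(st->heap_buf);
        st->heap_buf  = nb;
        st->heap_size = resp_len;
        st->buf_size  = resp_len;   /* size bookkeeping is always updated ... */
        if (!mismatch_pointer)
            st->buf = nb;           /* ... but only the fixed variant moves the pointer */
    }
    /* The real code trusted buf_size; the model checks the true capacity instead. */
    if (resp_len > real_capacity(st))
        return 0;                   /* this is where the stack buffer overflow would occur */
    memcpy(st->buf, resp, resp_len);
    return 1;
}

/* Drive one variant with a constructed answer of resp_len filler bytes (not a real DNS
 * message). Returns 1 if that variant would have overflowed the stack buffer. */
static int answer_overflows(size_t resp_len, int mismatch_pointer) {
    unsigned char *resp = malloc(resp_len);
    struct answer_state st;
    if (resp == NULL)
        return 0;
    memset(resp, 'A', resp_len);
    answer_state_init(&st);
    int ok = receive_answer(&st, resp, resp_len, mismatch_pointer);
    free(st.heap_buf);
    free(resp);
    return !ok;
}
```

A 3000-byte answer overflows only in the mismatched variant; any answer that fits in 2048 bytes is safe in both.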

Proof-of-Concept Exploit Released

Google engineer Fermin J. Serna released proof-of-concept (PoC) exploit code on Tuesday.

With this PoC code, you can verify whether you are affected by this critical issue and test any mitigations you may wish to put in place.

Patch glibc Vulnerability


Google researchers, working with security researchers at Red Hat, have released a patch to fix the programming blunder.

However, it is now up to the Linux distributions and device manufacturers to roll out the patch to their affected software and devices as soon as possible.

For people running servers, fixing the issue is a simple matter of downloading and installing the updated package.

But for other users, patching the problem may not be so easy. Apps compiled against a vulnerable glibc version must be recompiled with an updated version, a process that will take time, as users of affected apps have to wait for updates to become available from their developers.

Meanwhile, if you are not able to patch glibc immediately, you can help prevent exploitation of the flaw by limiting all TCP DNS replies to 1024 bytes and dropping UDP DNS packets larger than 512 bytes.

For more in-depth information on the glibc flaw, you can read Red Hat's blog post.

Facebook Offering You $1000 to Run Advertisement Against Terrorism

Tuesday, 16 February 2016 at 12:59
In recent times, we have seen steady growth in the online recruitment of jihadis through social networking sites by many radical groups.

ISIS tops the list in online recruitment, and it is the only terror group that leverages the enormous power of Twitter and Facebook to radicalize young minds, spread its message and recruit foreign supporters to its fight.

Many ISIS militants maintain extremely active accounts on the popular social media platforms and have a strong presence on the popular encrypted messaging app Telegram, with more than 100,000 followers.

This issue has deeply affected society. A recent example is last year's Paris attack, which ISIS plotted using popular messaging apps.

As the dark side of social media began to turn the platform into a recruiting ground for terror, the bright side of the same social media came together under a single roof to declare a fight against terrorism and wage cyber war against these groups.

Facebook Buckled Up to Fight against Terrorism


Facebook is on the front line of the fight against terrorism. The social media giant has come up with a solution to minimize the caliphate group's presence on its platform.

Similar efforts have previously been made by the Anonymous hacktivist collective, which conducted planned operations such as OpISIS and OpParis, expunging ISIS channels from Twitter and Telegram.

Recently, Facebook introduced a new program, dubbed "Counter-Speech," that offers advertising credits of up to $1,000 to those who raise their voice against hate speech and terror propaganda.

The idea is that this strategy will enlighten impressionable minds that have been influenced by radical propaganda and turn them against the group that tried to brainwash them.

So rather than simply removing or blocking the extremist Facebook pages that spread hatred among their followers, Facebook is focusing on educating more and more young minds in its fight against terrorism.

The First Person to Receive a $1,000 Credit


Arbi el-Ayachi, a German comedian, was the first to benefit from the newly released Facebook plan, after he released a video last year claiming that eating halal meat is poisonous to Christians.

How did the idea strike?


The idea was put forward by Facebook Chief Operating Officer Sheryl Sandberg while speaking at the World Economic Forum last month.

Sandberg backed up the idea by referring to a recent campaign in Germany in which the group "Laut gegen Nazis" (an anti-neo-Nazi group) swamped the Facebook page of the far-right NPD by getting its members to like the page (a "like attack") and post on it.

"Rather than scream and protest, they got 100,000 people to like the page, who did not like the page, and put messages of tolerance on the page, so when you got to the page, it changed the content and what was a page filled with hatred and intolerance was then tolerance and messages of hope," Sandberg stated.

Cyber World Fights Against Terrorism


Gradually, the massive operation against terrorist organizations began to hit the headlines and grabbed the attention of several tech giants, including Google, YouTube, and Twitter.
  1. YouTube has removed more than 1,000 dozen radical videos from its database.
  2. Twitter has suspended 125,000 jihadi accounts since mid-2015.
  3. Google has rolled out a special advertising program aimed at terrorist sympathizers who type extremism-related words into the search engine, so that the "top" search results display anti-radicalization links.

Joint efforts like these would act as a digital-age shield to reduce the threat level.

However, Facebook has not said how it will vet those who are credited $1,000, so it is possible that the awarded credits could be used for personal promotion too...