Information Security Blog | Cyber Security Blog



Samsung has said that all customer data are safe, and its Samsung Pay system has not been affected after it was revealed that Chinese hackers breached the network of its U.S. subsidiary LoopPay in March.

The attack, which was uncovered in late August, targeted the company's office network, but Samsung claimed no customer data were at risk and the incident was dealt with "immediately and comprehensively" by LoopPay. Despite the attack taking place over six months ago, it only came to light Wednesday when the New York Times published a report which laid the blame for the attack on a hacking group known as the Codoso Group or Sunshock Group, which is said to be affiliated with the Chinese government.

The report suggests that the hackers were after the technology developed by the company rather than details of customers' payment transactions. The attack breached the security of three internal servers at LoopPay's offices in Woburn, Massachusetts.

LoopPay is a subsidiary of the South Korean electronics giant and handled mobile payments before the company introduced its proprietary Samsung Pay system earlier this year as a direct challenger to Apple Pay. LoopPay was acquired by Samsung in February for $250 million and the company has used its technology -- known as magnetic secure transmission or MST -- in its implementation of Samsung Pay.

A statement by the South Korean company said: "Samsung Pay was not impacted and at no point was any personal payment information at risk. This was an isolated incident that targeted the LoopPay office network, which is a physically separate network from Samsung Pay. The LoopPay incident was resolved and had nothing to do with Samsung Pay."

Chinese Tension

Samsung Pay launched in the U.S. just last week after a successful debut in South Korea where it racked up $30 million worth of purchases in just one month and is seen as a competitor for Apple Pay and Google's own Android Pay systems. Unlike its competitors, however, Samsung's use of MST technology gives it an advantage of allowing it to be used on older cash registers that support magnetic stripe cards.

The theft of intellectual property belonging to U.S. companies by Chinese hackers is a hot topic at the moment, after Washington called on Chinese President Xi Jinping to help prevent this during his recent state visit to the White House. The result of the summit was a range of agreements to help prevent these incidents, including the provision of a new high-level contact group and assurances to investigate complaints from each other -- and resolve them where possible.

The breach of LoopPay's internal network took place in March, but the company was only made aware of it in late August when the security company investigating the operations of the Codoso Group found information relating to LoopPay. The same group was also responsible for a sophisticated attack on the Forbes website earlier this year, which infected visitors to the website.

"They Will Come Back"

While Samsung says its new payment system has not been compromised, some security experts disagree, saying that once such an attack takes place, it is very difficult to remove the threat from your network. “Once Codoso compromises their targets -- which range from dissidents to C-level executives in the U.S. -- they tend to stay there for quite a long time, building out their access points so they can easily get back in,” John Hultquist, head of intelligence on cyber-espionage at iSight Partners, told the New York Times. “They’ll come back to a previous organization of interest again and again.”

Samsung, however, is confident its new system is safe and secure: "Each transaction uses a digital token to replace a card number. The encrypted token combined with certificate information can only be used once to make a payment. Merchants and retailers can’t see or store the actual card data," it said.

Speaking to International Business Times, Mark Bower, global director, enterprise data security for HP Data Security, said that this type of attack is all too common. "Any company today has to assume a breach will happen and take more advanced threat mitigation measures. The payments business has learned the lesson hard over the years, and embraced far more powerful approaches to data security than traditional perimeter and storage encryption provides."

Read More

Imagine waking up on a splendid spring day, opening your laptop and realising that you can’t access your online accounts anymore. Your email has been breached, your website, your most precious work, is now gone, and your credit card was used for shady transactions.

In a nutshell, this is what I experienced almost 6 years ago.

All the ruckus was caused by one of my ex-employees, whom I had recently fired. I suppose this was his way to get revenge.

Fortunately, he didn’t cause any unfixable damage, but made me a little bit paranoid about my online security. Ever since I’ve been trying to adopt every measure within reach in order to avoid future similar hacks. But I’ll share more on what I’ve learned from this experience in a separate article I’m writing.

This week’s cyber security guide is about something that, if it had been available back then, probably none of this would have happened: Two-Factor Authentication.

So, what exactly is Two-Factor Authentication?

Two-factor authentication, also called multiple-factor or multiple-step verification, is an authentication mechanism to double check that your identity is legitimate.

How does Two-Factor Authentication work?

When you want to sign into your account, you are prompted to authenticate with a username and a password – that’s the first verification layer.

Gmail login procedure (email and password)

Two-factor authentication works as an extra step in the process, a second security layer, that will reconfirm your identity.

Gmail - login - enter verification code

Its purpose is to make attackers’ life harder and reduce fraud risks. If you already follow basic password security measures, two-factor authentication will make it more difficult for cyber criminals to breach your account.

However, you shouldn’t expect it to work like a magic wand that will miraculously bulletproof your accounts. It can’t keep the bad guys away forever, but it does reduce their chance to succeed.

What are the authentication factors?

There are 3 main categories of authentication factors:

1. Something that you know – This could be a password, a PIN code or answer to a secret question.

2. Something that you have – This is always related to a physical device, such as a token, a mobile phone, a SIM, a USB stick, a key fob, an ID card.

3. Something that you are – This is a biological factor, such as a face or voice recognition, fingerprint, DNA, handwriting or retina scan. However, some of these are quite expensive, so, unless you work in a top secret / Mission Impossible kind of facility, you probably don’t have this kind of authentication method implemented.

Read More

It will also be safer to try on iOS based devices like the iPad or iPhone, because by that time, developers will have spotted all of its major bugs and problems and Apple will have made the proper modifications. At the time, we weren't sure if this was done purposefully, or if it was a human error and that it would be corrected in the forthcoming betas of iOS 10. If you do not want to apply for Apple's developer account and still like to try the iOS 10 beta, follow this guide.

Like many technology companies, Cupertino does not currently run a bug bounty program that awards cash prizes to security researchers who find security holes in the company's software. But rather than an oversight by Apple, experts told MIT Technology Review it could be a novel strategy from Apple to encourage researchers to report flaws.

Still, security experts note that since the company's showdown with the Federal Bureau of Investigation over encryption, Apple's devices have been closely scrutinized and the company's security measures have become a central focus for many in the security field. This move could potentially be used by "jailbreakers" - people who release code that removes an operating system's restrictions to allow a wider range of software to be used. It might now be a good idea to launch one. This came as surprising news, especially considering Apple's vocal stance on user privacy and security. According to Fortune, Apple might have made some users anxious when it was revealed that the company had left the kernel unencrypted in iOS 10.

Apple recently showed off a preview version of iOS 10 at a developers' conference and, as developers are wont to do, they immediately dug into the code to see what they could find inside. However, the company has now responded, saying that this was in fact a strategic move, and was done to optimize the OS performance.

The kernel controls how apps access hardware resources and manages security. The tech giant probably released the unencrypted beta version to expand its debugging strategy. Security experts were quite surprised when they found that the smartphone maker had not obscured the workings of the core of its OS with encryption, as it had done before.

Read More

The second of Battlefront’s 4 DLC packs is ready to play now for everyone, and includes 5 new maps and a Cloud Car.

Considering how costly the season pass is, the first DLC expansion for Star Wars: Battlefront didn’t exactly get things off to a moving start. But the second one is out now and does at least include a new location: Bespin’s Cloud City from The Empire Strikes Back.

We’ve only had a quick go and it contains 5 new maps, a new game mode called Sabotage, and a new Twin-Pod Cloud Car to commandeer in Fighter Squadron (it’s really tiny and comes with a sensor jammer, a bit like a Snowspeeder).

The two new characters are Lando Calrissian and the bounty hunter Dengar. You also get a new Hutt Contract, new weapons, and new Star Cards.

We don’t think it’s going to change anyone’s mind about the game, especially as it costs £12 when bought separately, though at least it’s more substantial than the first one.

Released at the same time is a free update that increases the level cap to 70, adds new outfit options for Rebels and Imperials, and a long list of tweaks and balancing changes.

The third DLC expansion is due this autumn and will be based around the Death Star(s). The fourth and final expansion is due in early 2017 and the contents are currently a secret.

It’s commonly thought that it will introduce elements from this Christmas’ Rogue One movie, though after the announcement of Battlefront 2 for next year that no longer seems so certain.

Read More

Facebook co-founder Mark Zuckerberg has been increasingly willing to share moments from his family and work life.

But a photo he posted on Tuesday, intended to promote Instagram’s user milestone numbers, might have ended up revealing a little more about Zuckerberg than he intended: Dude hasn’t lost any of his hacker wisdom when it comes to protecting his privacy.

A couple of eagle-eyed observers pointed out that the laptop on Zuckerberg’s desk not only has tape covering the webcam, but there’s also tape covering the Apple laptop’s dual microphones. That’s right, even one of the most elite (and richest) coders in the world still takes simple measures to ensure that nobody is spying on him.

This inadvertent reveal comes only weeks after Zuckerberg’s social media accounts were hacked, one of which reportedly had the not-so-complicated password “dadada.”

And if Zuckerberg’s hacker credentials and role as a major tech leader aren’t enough to convince you that he isn’t just being paranoid, consider the fact that earlier this year FBI Director James Comey admitted that he puts tape over his webcam.

This kind of thinking used to be the domain of conspiracy theorists and a certain breed of hacker, but Zuckerberg just took it mainstream. In fact, in the run-up to the second season of Mr. Robot, a show about a hacker conspiracy, USA Networks even went so far as to send out branded webcam covers (which this writer happily uses).

No, government spies probably don’t care what you’re saying or doing in front of your computer.

But if it’s good enough for the creator of the largest social network on the planet, maybe it’s worth sticking some tape on your own webcam. You won’t look paranoid anymore; instead, you can call yourself a billionaire tech mogul in training.

Read More

There could be many reasons for hacking someone's Facebook account, and it is not as simple as it sounds. There is no software that can hack a Facebook account simply by entering the victim's user ID. But it is possible with some methods that really work, of which phishing, key logging and packet sniffing are the most popular and widely used. Today, in this tutorial you are going to learn how to perform a packet sniffing attack to hack a Facebook account using your Android smartphone.

What exactly is packet sniffing?


Let’s make this simple with an example. Consider two people, A and B, using the same public WiFi network. The information sent and received between the device and the WiFi hot-spot travels in the form of packets. These packets are not secured and can be accessed by any other device connected to the same network. If Person A is using Facebook, his log-in credentials are sent in the form of packets which Person B can access and read. In fact, Person B can modify them. Not only log-in credentials: everything you use within your browser can be seen and modified by anyone else as long as you are connected to that network.

So, Why Android Phone?

Earlier, when this process was first developed, the only way to do packet sniffing was with a PC or laptop running the Windows or Linux operating system. But now it can be done using any Android phone with root access (we shall talk about this later). The main reason for using an Android phone is simplicity. It works the same as a PC in terms of speed and accuracy. It has the same number of tools as a PC. And when you are in a crowd, you can simply take out your mobile and do some hacking anonymously.

Does the Android Phone require any particular specs?

No particular specifications are needed for your Android device to do this. But your device needs to be rooted. For a brief explanation of what rooting is, read the tutorial on "How to Root Any Android Device".

Read More

GitHub has revealed a number of users’ accounts have been accessed by an attacker reusing email addresses and passwords obtained from other internet services that have been compromised.

The code-hosting platform, which claims millions of users around the world, revealed a series of “unauthorized attempts” to log in to many accounts on Tuesday evening. “This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,” explained Shawn Davenport, VP of Security at GitHub, in a blog post.

While Davenport was quick to stress that GitHub itself had not been hacked, he did concede that the attacker was successful in gaining entry to “a number” of GitHub accounts, though didn’t specify how many.

There have been a number of high-profile “hacks” across the tech realm of late, perhaps the most notable one being LinkedIn. The professional social network, which was acquired by Microsoft for $26.2 billion this week, hit the headlines last month after it reset passwords on millions of accounts as new data-leak reports began to surface. The compromised account details reportedly stemmed from a leak dating all the way back to 2012 when 6.5 million passwords were pulled from the social network, with the account credentials put up for sale on the so-called “dark web” four years later. Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts were subsequently hacked, an event blamed on the LinkedIn password dump.

GitHub likely doesn’t know the origins of the passwords and email addresses used to compromise the accounts in question, but it does serve as a stark reminder that reusing the same password across multiple online services is never a good idea.

GitHub says that it will be sending notifications to the individuals affected on how they can reset and restore access to their accounts. Davenport also has a dose of good advice to mete out: “We encourage all users to practice good password hygiene and enable two-factor authentication to protect your account,” he said.

Read More

A judge in Helsinki, Finland has ordered one of the founders of notorious file-sharing site The Pirate Bay to pay $395,000 to several record labels. The Finnish divisions of Sony Music, Universal Music, Warner Music and EMI had sued Peter Sunde, accusing Pirate Bay of illegally sharing the music of 60 of their artists.

Sunde, who left The Pirate Bay in 2009, said on Twitter that he didn’t even know about the court case. "The record companies know that I have not had any part of TPB for ages, still suing," he wrote. "Bullying is the new black."

Finland’s DigiToday reports that the labels hold Sunde responsible for the pirated material found on The Pirate Bay, even though he no longer works there, and the judgement includes a million-euro fine if the content is not taken down. He also must pay roughly $62,000 to the International Federation of the Phonographic Industry. (The IFPI did not immediately respond to a request for comment.)

Pirate Bay Co-Founder Creates Art Project to 'Bankrupt' the Record Business

Sunde called it "another frivolous court case" and is floating the idea of crowd funding his legal fees. Asked what would happen if he fails to pay, he said flatly, "I can’t pay. I dunno. I get more debt. And also, I’ll just get more debt. Add debt to debt. Maybe prison, dunno?!"

The Pirate Bay is already being blocked by several ISPs in Finland, including Elisa and TeliaSonera.

Sunde doesn’t hide his disdain for the recording industry, and last December launched a symbolic project called kopimashin that continually copies a song, then tallies the damages that arise for each instance of copyright infringement. "The goal of the kopimashin is to make the audio track the most copied in the world and while doing so bankrupting the record industry," he said at the time.

Read More

Instant messaging is a blessing and a curse. It’s a convenient way to keep in touch with friends from all over the world but it also means whatever you say will stay online forever. You can’t exactly erase anything you regret sending, especially not from the receiver’s end. Or can you? Researchers from security vendor Check Point found a way to do so through a vulnerability on Facebook’s popular Messenger app.

How many times have you said something stupid, be it carelessly or in a fit of rage, over a message online that you regretted almost instantly after pressing the send button? You desperately want to retract it, but you can’t. Even if you delete it off your own chat log, the recipient still has it on their chat history. There’s really no way to erase a sent message on your own on most if not all online chatting apps and Facebook Messenger is no exception.

But researchers at Check Point found a vulnerability that could let someone do this. According to the company, the security flaw gives attackers a way to change conversation threads on Facebook Online Chat and Messenger App. You can modify or remove any sent messages, photos and files from somebody’s chat history.

Having said that, if you’ve had foot-in-mouth and really hurt someone with your words, it’s probably not wise to hack their account to wipe away the evidence.

From a more practical perspective, considering Facebook wants to turn Messenger into a serious business tool, this could give attackers incentive to exploit these types of security flaws. According to Check Point, here are some potential scenarios:

  • Malicious users can manipulate message history as part of fraud campaigns. A malicious actor can change the history of a conversation to claim he had reached a falsified agreement with the victim, or simply change its terms.
  • Hackers can tamper, alter or hide important information in Facebook chat communications which can have legal repercussions. These chats can be admitted as evidence in legal investigations and this vulnerability opened the door for an attacker to hide evidence of a crime or even incriminate an innocent person.
  • The vulnerability can be used as a malware distribution vehicle. An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest C&C address, and keep the phishing scheme up to date.
Read More

Ever wonder how to hack Instagram or how to hack a Facebook account? Well, someone just did it!

But, remember, even responsibly reporting a security vulnerability could end up in taking legal actions against you.

An independent security researcher claims he was threatened by Facebook after he responsibly revealed a series of security vulnerabilities and configuration flaws that allowed him to successfully gain access to sensitive data stored on Instagram servers, including:

  • Source Code of Instagram website
  • SSL Certificates and Private Keys for Instagram
  • Keys used to sign authentication cookies
  • Personal details of Instagram Users and Employees
  • Email server credentials
  • Keys for over a half-dozen critical other functions

However, instead of paying him a reward, Facebook has threatened to sue the researcher for intentionally withholding flaws and information from its team.

Wesley Weinberg, a senior security researcher at Synack, participated in Facebook's bug bounty program and started analyzing Instagram systems after one of his friends hinted him to a potentially vulnerable server located at

The researcher found an RCE (Remote Code Execution) bug in the way it processed users’ session cookies that are generally used to remember users' log-in details.

The remote code execution bug was possible due to two weaknesses:

  • The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token
  • The host was running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie

Exploiting the vulnerability, Weinberg was able to force the server to vomit up a database containing login details, including credentials, of Instagram and Facebook employees.

Although the passwords were encrypted with ‘bcrypt’, Weinberg was able to crack a dozen passwords that had been very weak (like change me, instagram, password) in just a few minutes.
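The first weakness above, a secret token hard-coded in the application, is something a repository check can catch before deployment. The following is an added example, not code from the article or from Sensu-Admin: the setting names `secret_token` and `secret_key_base` are assumed to be the Rails-style session secrets at issue, and the scanned source is a constructed sample.

```python
import re

# Assumed setting names for the session-signing secret (Rails conventions).
SECRET_SETTING = re.compile(
    r"""\b(?P<name>secret_token|secret_key_base)\s*=\s*(?P<value>.+)$""")
# Value that starts with a quoted string: the secret is in the source itself.
STRING_LITERAL = re.compile(r"""^(['"])(.*?)\1""")
# Environment lookup that still falls back to a quoted default.
FALLBACK_LITERAL = re.compile(r"""\|\|\s*(['"])(.+?)\1""")

# Constructed sample input; none of these values is a real token.
SAMPLE = '''\
# config/initializers/secret_token.rb (constructed sample)
# App::Application.config.secret_token = 'old-commented-out-value'
App::Application.config.secret_token = 'CONSTRUCTED-not-a-real-token-0123456789'
App::Application.config.secret_key_base = ENV.fetch('SECRET_KEY_BASE')
Other::Application.config.secret_token = ENV['SECRET_TOKEN'] || "CONSTRUCTED-dev-fallback"
'''


def find_hardcoded_secrets(source: str):
    """Return (line number, setting name, reason) for each hard-coded secret.

    The secret value itself is never included in the findings, so the
    report can be logged or attached to a ticket safely.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue                      # whole-line Ruby comment
        match = SECRET_SETTING.search(stripped)
        if not match:
            continue
        value = match.group("value").strip()
        if STRING_LITERAL.match(value):
            findings.append((lineno, match.group("name"), "string literal"))
        elif FALLBACK_LITERAL.search(value):
            # ENV[...] || "default" ships a known secret whenever the
            # environment variable is missing on the host.
            findings.append((lineno, match.group("name"), "literal fallback"))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in find_hardcoded_secrets(SAMPLE):
        print(f"line {lineno}: {name} is hard-coded ({reason})")
```

A finding means the token has to be rotated as well as moved out of the source, since anyone with a copy of the code already holds the old value.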