Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited The tl;dr version: this particular hack involves the hackers sending emails from a hacked account to people in that account’s contact list. So it starts with you getting an email from someone you already know. But it’s much more clever than that! They take text from previous messages that person has sent, and it isn’t random. They find messages where the person has sent attachments, and they construct the new message from it. So if it’s someone you know, the phrasing of the subject and the text sound like something that person would write. The attachment in the new message is merely a screen capture, and it hides a link to their fake Google login page. So you click on the attachment from a friend, you’re told that to view the attachment you need to log in to Google, and they get your username and password. And within seconds, they’re going through your account and sending more hacked messages to your friends.
They’ve even constructed the login page so that if you take the precaution of looking at the address bar in your browser before you start to sign in, you see “https:accounts.google.com” and think you’re at the real Google. You’re not. Note that a genuine address begins with “https://” followed by the host name; the familiar text turning up somewhere in the address bar is not the same thing as the page actually being served from accounts.google.com.
Once they’ve got your password, they can read all your email and do other things to your account.
The linked article has screenshots and advice for how to recognize this kind of attack, as well as steps for what you can do to see if you’ve already been hacked. Check it out!
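As an added illustration (not from the linked article, and not a claim about the exact addresses the attackers used): the point above is that the text “accounts.google.com” appearing in the address bar is not the same as the page being served from that origin. The script below runs a glance-style check (is the host name somewhere in the text?) next to the check a browser actually makes (what scheme and host does the address parse to?) over the string quoted in the post plus a few constructed look-alike shapes.

```python
"""Is this address really Google's sign-in page, or does it merely contain the words?"""
from urllib.parse import urlsplit

REAL_HOST = "accounts.google.com"


def looks_like_google(address):
    """The glance-at-the-address-bar check: is the familiar host name in there?"""
    return REAL_HOST in address.lower()


def is_google_login_origin(address):
    """The check the browser makes: the scheme must be https and the parsed
    host, not merely some substring of the text, must be accounts.google.com."""
    parts = urlsplit(address)
    return parts.scheme == "https" and parts.hostname == REAL_HOST


# Constructed inputs. The first is the genuine form, the second is the string
# quoted in the post; the rest are look-alike shapes a phishing page can use.
ADDRESSES = [
    "https://accounts.google.com/signin",                       # genuine
    "https:accounts.google.com",                                # as quoted: no '//', so no host
    "https://accounts.google.com.evil.example/signin",          # real host is evil.example
    "https://accounts.google.com@evil.example/signin",          # text before '@' is userinfo
    "data:text/html,https://accounts.google.com/ServiceLogin",  # a data: URL that merely contains the text
    "http://accounts.google.com/signin",                        # right host, not https
]


def classify(addresses=ADDRESSES):
    """Map each address to (passes the glance, passes the origin check)."""
    return {a: (looks_like_google(a), is_google_login_origin(a)) for a in addresses}


if __name__ == "__main__":
    for addr, (glance, real) in classify().items():
        print(f"{'REAL' if real else 'FAKE'}  glance={glance}  {addr}")
```

Every one of the constructed addresses passes the glance; only the first passes the origin check. The practical habit is to read the start of the address (the scheme and the host right after “https://”) and the browser’s lock or site-identity indicator, rather than to scan the bar for a familiar name.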
And this one is less about hackers: Security backdoor found in end-to-end encryption system used in WhatsApp. The Guardian reports that security experts have found that since buying WhatsApp, Facebook has added a backdoor. In updates, Facebook denies that this is a backdoor for government agencies and claims it will fight any attempts by governments to access accounts.
Which is meaningless.
The existence of the backdoor means that when Facebook loses that fight (because of court orders, for instance), the backdoor will be used to read the supposedly secure communications. The original design of WhatsApp and similar end-to-end services didn’t have a backdoor, because if one exists, it will be exploited eventually. Also, Facebook’s description of the service currently lies and says that they can never read the messages. With the backdoor there, yes they can.
While we’re on the subject of cyber security: Cellebrite, a Major Dealer of Hacking Tools, Has Itself Been Hacked. This is one of the companies that makes tools that allow people to hack your phone. After indulging in a moment of schadenfreude that these hackers have been hacked, we then have to worry about what is in that 900GB of data that was stolen from them. Since the dump “contains what appears to be evidence files from seized mobile phones” among other things, who knows whose personal information has been stolen. Supposedly Cellebrite only sells their tools to law enforcement agencies and the like, but it has been previously shown that those agencies include some very shady regimes. And in the case of their mobile hacking devices, those things could be resold or stolen from those agencies and be in anyone’s hands.
And let’s do one more: E-Sports Entertainment Association hacked; profiles of 1.5 million customers exposed. The leaked data includes real names, phone numbers, and birthdates. Very useful for identity theft. Not much you can do about it once the information has been stolen.
ETA: Several people are questioning the Guardian story about WhatsApp: The backdoor that never was, and how to improve your security with WhatsApp. The argument seems to be that while there is a security problem, it isn’t technically a backdoor. The article I linked has information on things you can do to avoid your WhatsApp messages being compromised. I’m going to leave it to the security experts to argue this out.
A few weeks back I received a message from a website (where I have ordered a few things in the past) alerting me that someone had tried to reset my password, and if it wasn’t me, I should notify them and take various steps to secure my account.
It was not me, so I reported it, then I double-checked that my old password still worked, confirmed that since the attempt no one had ordered more stuff from them on my account, and I changed my password and set up two-factor authentication. Two-factor authentication is a step beyond the simple user name and password combination, and usually involves your cellphone. In order to make changes to your account, a person needs to log in with the user name and password and then enter a confirmation code which the site sends, as a text message to your phone, at the time you make the request. This makes it very difficult for someone who has stolen your password to do nefarious things with your account, because they don’t have access to your phone.
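To make the “enter the code we just texted you” step concrete, here is an added example of the server side of that check. It is not code from this blog or from any of the sites mentioned; the code length, five-minute lifetime and five-attempt limit are assumptions, and the SMS gateway is a stand-in callable so the example runs offline.

```python
"""SMS-style second factor: issue a short one-time code, then check it exactly once."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5              # assumption: five wrong guesses burn the code


@dataclass
class PendingCode:
    code_hash: bytes      # HMAC of the code; the clear-text code is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class SecondFactor:
    """Server-side half of the confirmation-code step."""

    def __init__(self, send_sms, secret=None, now=time.time):
        # send_sms(phone, message) is whatever gateway delivers the text; it is
        # injected so the example needs no network. `now` is injectable for tests.
        self._send_sms = send_sms
        self._secret = secret or secrets.token_bytes(32)
        self._now = now
        self._pending = {}  # user_id -> PendingCode

    def _hash(self, user_id, code):
        # Keyed hash binds the code to the user, so a code texted to one
        # account cannot be replayed against another.
        return hmac.new(self._secret, f"{user_id}:{code}".encode(), "sha256").digest()

    def issue(self, user_id, phone):
        """Called after the password checked out: text a fresh random code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = PendingCode(
            code_hash=self._hash(user_id, code),
            expires_at=self._now() + CODE_LIFETIME_SECONDS,
        )
        self._send_sms(phone, f"Your confirmation code is {code}")

    def verify(self, user_id, submitted):
        """True only for this user's current, unexpired, unused code."""
        entry = self._pending.get(user_id)
        if entry is None or entry.used:
            return False
        if self._now() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]      # force the user back through issue()
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code_hash, self._hash(user_id, submitted))
        if ok:
            entry.used = True               # a code is accepted exactly once
        return ok


if __name__ == "__main__":
    outbox = []                             # constructed stand-in for the SMS gateway
    sf = SecondFactor(send_sms=lambda phone, msg: outbox.append((phone, msg)))
    sf.issue("alice", "+1-555-0100")
    code = outbox[-1][1].split()[-1]
    print("texted:", outbox[-1])
    print("first use accepted:", sf.verify("alice", code))
    print("replay accepted:", sf.verify("alice", code))
```

The three properties that make the second step worth having are all in `verify`: the code expires, it can be used once, and a handful of wrong guesses invalidates it, so a six-digit code cannot simply be enumerated. The factor is still only as strong as the channel that delivers it; a code generated by an authenticator app on the phone avoids depending on the text-message path at all.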
A week or so later I received another such message from yet another internet web service that I almost never use. Again, I hadn’t requested a reset, so presumably someone was trying to hack me. This service didn’t offer two-factor authentication, and it wasn’t a place where one could spend money, so I just changed my password.
And then it happened again, this time at a big service owned by Microsoft, and this time the warning included additional information: the person who had tried to change my password had done so, according to Microsoft, from an IP address in Russia. Well, there are a lot of hackers in Russia, so that probably shouldn’t be a surprise.
This site offered two-factor authentication, so I set it up, changed passwords again, et cetera.
Then this week it all became clear: Russian Hackers Amass Over a Billion Internet Passwords
Lots of web services require you to use an email address in order to set up an account. One reason for this is that if you forget your password to the service, you can make a reset request, and they’ll send a link to the address you used so you can get back in. Most people use one email address for all of these sign-ins, and they use the same password everywhere, because remembering dozens of different passwords is difficult.
I use a program called 1Password, which has the ability to generate a separate password for me for every place I need one, stores the passwords in an encrypted database, and lets me access those passwords from either of my Macs, my iPhone, my iPad, or my Windows laptop (and if I owned an Android device, they’ve got that covered, too). Since 1Password has plug-ins for all of the major browsers, it’s really easy to use.
Anyway, this is my plug to say that if you don’t have something like 1Password, you really, really should. Mac OS X has similar functionality built into the operating system now. Pretty much every browser in the world will store passwords for you, and some of them have a secure password generation feature built in. And you do need more than just storage. Having the computer generate a different password for each site is a bit more secure than you trying to generate a new password, because 99% of the time when humans are told to think up a new password they do something like take the old password and add numbers, such as 123, or something else easy to remember (and really easy for someone to guess or for a hacking script to generate).
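As an added example (my own, not 1Password’s code or anything from the linked reviews), here is the contrast in the paragraph above in runnable form: a generator that draws a fresh password per site from the operating system’s secure random source, next to a constructed model of the cheap guesses a script tries first when it already knows someone’s old password. The alphabet, the list of mutations and the sample old password “hunter2” are all assumptions made for the illustration.

```python
"""Why a generated password beats 'old password plus a few digits'."""
import math
import re
import secrets
import string

# Assumed character set for generated passwords: letters, digits and a
# fixed handful of punctuation marks (86 symbols in total).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?/"


def generate_password(length=20, alphabet=ALPHABET):
    """A fresh, uniformly random password, as a manager produces one per site.
    secrets.choice draws from the OS CSPRNG, not from random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=20, alphabet=ALPHABET):
    """Guessing work for a uniform password: log2(|alphabet| ** length)."""
    return length * math.log2(len(alphabet))


def human_mutations(old):
    """Constructed model of the guesses a script tries first when it knows an
    old password: the same string, capitalised, with a trailing symbol, with
    1-3 digits or a year appended, or with its trailing number bumped up.
    The list order is the guess order."""
    cands = [old, old.capitalize(), old.upper()]
    cands += [old + p for p in "!?.#$*"]
    suffixes = [str(n) for n in range(1000)]
    suffixes += [f"{n:02d}" for n in range(100)] + [f"{n:03d}" for n in range(1000)]
    suffixes += [str(year) for year in range(1990, 2031)]
    cands += [old + s for s in suffixes]
    m = re.fullmatch(r"(.*?)(\d+)", old)
    if m:                                  # "hunter2" -> "hunter3", "hunter4", ...
        stem, num = m.groups()
        cands += [f"{stem}{int(num) + k}" for k in range(1, 10)]
    return list(dict.fromkeys(cands))      # de-duplicate, keep first-seen order


def guesses_until_found(old, new):
    """1-based position of `new` in the mutation list, or None when the
    mutation model never reaches it."""
    for i, cand in enumerate(human_mutations(old), start=1):
        if cand == new:
            return i
    return None


if __name__ == "__main__":
    old = "hunter2"                        # constructed sample old password
    for new in ("hunter2123", "hunter3", "Hunter2", generate_password()):
        n = guesses_until_found(old, new)
        print(f"{new!r}: {'cracked at guess ' + str(n) if n else 'not in the mutation list'}")
    size = len(human_mutations(old))
    print(f"mutation list size: {size} (about {math.log2(size):.1f} bits of guessing)")
    print(f"generated 20-char password: about {entropy_bits(20):.0f} bits")
```

The whole mutation list for one old password is a few thousand candidates, roughly eleven bits of guessing, and a “new” password like hunter2123 falls inside the first couple of hundred. A generated 20-character password from this alphabet sits near 128 bits and shares nothing with any other site’s password, which is the property the manager is really buying you.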
I highly, highly recommend 1Password, myself, but there are other options: Lifehacker: Five Best Password Managers or Top Ten Reviews: 2014 Password Management Software Product Comparisons.
But again, I can personally vouch for 1Password.