All posts in “Cybersecurity”

Trump-themed dating app leaks users’ personal data

Make America leak again.
Make America leak again.

Image: screenshot / donald daters

It just got a little harder for all the Trump-loving singles out there to find romance. 

It turns out that Donald Daters, a dating app targeted at those whose attempts at love have been stymied by their support for Donald Trump, has been leaking all kinds of user data. Security researcher Baptiste Robert discovered the vulnerability, tweeting his findings on Monday afternoon.  

And they don’t look good. Robert was able to find users’ names, photos, personal messages, and the tokens needed to “steal their session” — i.e. log in as them. 

Robert shared his finding with Motherboard, which was able to independently verify most of his claims. According to Motherboard, an “apparently misconfigured database” is likely at fault. 

Donald Daters bills itself as a safe space free from the judgement of liberals. 

“Donald Daters is an American-based singles community connecting lovers, friends, and Trump supporters alike,” reads the app’s description. “Many on the Left chose party over love, stopping any date if the other user is a supporter of our president.”

The app’s privacy policy notes that by logging in with your Facebook account, you give Donald Daters “permission to gather information and photos of your Facebook friends who might be common Facebook friends with other Donald Daters users.”

Ironically enough, it also notes that “we do not promise, and you should not expect, that your personal information, or searches, or other information will always remain secure.”

So hey, all you upset Donald Daters out there, you can’t say they didn’t warn you.  

Https%3a%2f%2fblueprint api production.s3.amazonaws.com%2fuploads%2fvideo uploaders%2fdistribution thumb%2fimage%2f86784%2f7aac4b15 04d1 4d7f a838 5f203ea4bbd7

Apple doubles down on Chinese hardware hack denial in letter to Congress

Disclosure

Every product here is independently selected by Mashable journalists. If you buy something featured, we may earn an affiliate commission which helps support our work.

Not budging.
Not budging.

Image: Justin Sullivan / getty

Apple really wants everyone to know that it has absolutely no idea what Bloomberg is talking about. Like, not at all. 

As of today, “everyone” includes our elected officials. The Cupertino-based tech giant sent a letter, dated Oct. 8, to four members of Congress explicitly denying a report from Bloomberg Businessweek. The article alleged that the Chinese government had managed to secretly insert tiny chips onto motherboards that eventually found their way into Apple’s possession. 

The letter is the latest in a string of categorical denials from the technology company which fundamentally and in no uncertain terms dispute Bloomberg’s well-sourced story. Addressed to four members of Congress — Sen. John Thune, Sen. Ben Nelson, Rep. Greg Walden, and Rep. Frank Pallone — and signed by Apple’s vice president of information security, George Stathakopoulos, the letter’s counterclaims only added to the mounting confusion.  

“In light of your important leadership roles in Congress, we want to assure you that a recent report in Bloomberg Businessweek alleging the compromise of our servers is not true,” read the letter published by Apple Insider. “You should know that Bloomberg provided us with no evidence to substantiate their claims and our internal investigations concluded their claims were simply wrong.”

The compromised boards in question were supposedly manufactured by Super Micro Computer Inc., a company that denied Bloomberg’s reporting in the standard press release format. 

In writing directly to four members of Congress, Apple took it a step further. 

“In the end, our internal investigations directly contradict every consequential assertion made in the article—some of which, we note, were based on a single anonymous source,” continued Apple’s letter. “Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”

Of course, Apple has issued denials before, seemingly designed to split hairs and skirt the actual substance of allegations based on technicalities. One notable example of which occurred in 2013, when following revelations made by Edward Snowden the company insisted that it did not provide the U.S. government “with direct access to [its] servers.” 

And yes, while that was technically true, we all now know that the company was working with the government

So, who to believe? The reporters who broke the story, or the corporate execs denying it? Unfortunately, we don’t yet know. 

However, it’s safe to assume that just like the case of the Snowden revelations, the truth will eventually come out. And if that truth isn’t in Apple’s favor, then keep the letter to Congress in mind every time you read a public statement from the maker of Q1’s best-selling smartphone.

Https%3a%2f%2fblueprint api production.s3.amazonaws.com%2fuploads%2fvideo uploaders%2fdistribution thumb%2fimage%2f85470%2fa5d2abe8 2500 49f1 b018 2be409f7c7cc

NYC wants to build a cyber army

Empires rise and fall, and none more so than business empires. Whole industries that once dominated the planet are just a figment in memory’s eye, while new industries quietly grow into massive behemoths.

New York City has certainly seen its share of empires. Today, the city is a global center of finance, real estate, legal services, technology, and many, many more industries. It hosts the headquarters of roughly 10% of the Fortune 500, and the metro’s GDP is roughly equivalent to that of Canada.

So much wealth and power, and all under constant attack. The value of technology and data has skyrocketed, and so has the value of stealing and disrupting the services that rely upon it. Cyber crime and cyber wars are adding up: according to a report published jointly between McAfee and the Center for Strategic and International Studies, the costs of these operations are in the hundreds of billions of dollars – and New York’s top industries such as financial services bare the brunt of the losses.

Yet, New York City has hardly been a bastion for the cybersecurity industry. Boston and Washington DC are far stronger today on the Acela corridor, and San Francisco and Israel have both made huge impacts on the space. Now, NYC’s leaders are looking to build a whole new local empire that might just act as a bulwark for its other leading ecosystems.

Today, the New York City Economic Development Corporation (NYCEDC) announced the launch of Cyber NYC, a $30 million “catalyzing” investment designed to rapidly grow the city’s ecosystem and infrastructure for cybersecurity.

James Patchett, CEO of New York City Economic Development Corporation. (Photo from NYCEDC)

James Patchett, CEO of NYCEDC, explained in an interview with TechCrunch that cybersecurity is “both an incredible opportunity and also a huge threat.” He noted that “the financial industry has been the lifeblood of this city for our entire history,” and the costs of cybercrime are rising quickly. “It’s a lose-lose if we fail to invest in the innovation that keeps the city strong” but “it’s a win if we can create all of that innovation here and the corresponding jobs,” he said.

The Cyber NYC program is made up of a constellation of programs:

  • Partnering with Jerusalem Venture Partners, an accelerator called Hub.NYC will develop enterprise cybersecurity companies by connecting them with advisors and customers. The program will be hosted in a nearly 100,000 square foot building in SoHo.
  • Partnering with SOSA, the city will create a new, 15,000 square foot Global Cyber Center co-working facility in Chelsea, where talented individuals in the cyber industry can hang out and learn from each other through event programming and meetups.
  • With Fullstack Academy and Laguardia Community College, a Cyber Boot Camp will be created to enhance the ability of local workers to find jobs in the cybersecurity space.
  • Through an “Applied Learning Initiative,” students will be able to earn a “CUNY-Facebook Master’s Degree” in cybersecurity. The program has participation from the City University of New York, New York University, Columbia University, Cornell Tech, and iQ4.
  • With Columbia University’s Technology Ventures, NYCEDC will introduce a program called Inventors to Founders that will work to commercialize university research.

NYCEDC’s map of the NYC Cyber initiative. (Photo from NYCEDC)

In addition to Facebook, other companies have made commitments to the program, including Goldman Sachs, MasterCard, PricewaterhouseCoopers, and edX.org. Two Goldman execs, Chief Operational Risk Officer Phil Venables and Chief Information Security Officer Andy Ozment, have joined the initiative’s advisory boards.

The NYCEDC estimates that there are roughly 6,000 cybersecurity professionals currently employed in New York City. Through these programs, it estimates that the number could increase by another 10,000. Patchett said that “it is as close to a no-brainer in economic development because of the opportunity and the risk.”

From Jerusalem to New York

To tackle its ambitious cybersecurity goals, the NYCEDC is partnering with two venture firms, Jerusalem Venture Partners (JVP) and SOSA, with significant experience investing, operating, and growing companies in the sector.

Jerusalem-based JVP is an established investor that should help founders at Hub.NYC get access to smart capital, sector expertise, and the entrepreneurial experience needed to help their startups scale. JVP invests in early-, late-, and growth-stage companies focused on cybersecurity, big data, media, and enterprise software.

JVP will run Hub.NYC, a startup accelerator that will help cybersecurity startups connect with customers and mentors. (Photo from JVP)

Erel Margalit, who founded the firm in 1993, said that “If you look at what JVP has done … we create ecosystems.” Working with Jerusalem’s metro government, Margalit and the firm pioneered a number of institutions such as accelerators that turned Israel into an economic powerhouse in the cybersecurity industry. His social and economic work eventually led him to the Knesset, Israel’s unicameral legislature, where he served as an MP from 2015-2017 with the Labor Party.

Israel is a very small country with a relative dearth of large companies though, a huge challenge for startups looking to scale up. “Today if you want to build the next-generation leading companies, you have to be not only where the ideas are being brewed, but also where the solutions are being [purchased],” Margalit explained. “You need to be working with the biggest customers in the world.”

That place, in his mind, is New York City. It’s a city he has known since his youth – he worked at Moshe’s Moving IN NYC while attending Columbia as a grad student where he got his PhD in philosophy. Now, he can pack up his own success from Israel and scale it up to an even larger ecosystem.

Since its founding, JVP has successfully raised $1.1 billion across eight funds, including a $60 million fund specifically focused on the cybersecurity space. Over the same period, the firm has seen 32 successful exits, including cybersecurity companies CyberArk (IPO in 2014) and CyActive (Acquired by PayPal in 2013).

JVP’s efforts in the cybersecurity space also go beyond the investment process, with the firm recently establishing an incubator, known as JVP Cyber Labs, specifically focused on identifying, nurturing and building the next wave of Israeli cybersecurity and big data companies.

On average, the firm has focused on deals in the $5-$10 million range, with a general proclivity for earlier-stage companies where the firm can take a more hands-on mentorship role. Some of JVP’s notable active portfolio companies include Source Defense, which uses automation to protect against website supply chain attacks, ThetaRay, which uses big data to analyze threats, and Morphisec, which sells endpoint security solutions.

Opening up innovation with SOSA

The self-described “open-innovation platform,” SOSA is a global network of corporations, investors, and entrepreneurs that connects major institutions with innovative startups tackling core needs.

SOSA works closely with its partner startups, providing investor sourcing, hands-on mentorship and the physical resources needed to achieve growth. The group’s areas of expertise include cybersecurity, fintech, automation, energy, mobility, and logistics. Though headquartered in Tel Aviv, SOSA recently opened an innovation lab in New York, backed by major partners including HP, RBC, and Jefferies.

With the eight-floor Global Cyber Center located in Chelsea, it is turning its attention to an even more ambitious agenda. Uzi Sheffer, CEO of SOSA, said to TechCrunch in a statement that “The Global Cyber Center will serve as a center of gravity for the entire cybersecurity industry where they can meet, interact and connect to the finest talent from New York, the States, Israel and our entire global network.”

SOSA’s new building in Chelsea will be a center for the cybersecurity community (Photo from SOSA)

With an already established presence in New York, SOSA’s local network could help spur the local corporate participation key to the EDC’s plan, while SOSA’s broader global network can help achieve aspirations of turning New York City into a global cybersecurity leader.

It is no coincidence that both of the EDC’s venture partners are familiar with the Israeli cybersecurity ecosystem. Israel has long been viewed as a leader in cybersecurity innovation and policy, and has benefited from the same successful public-private sector coordination New York hopes to replicate.

Furthermore, while New York hopes to create organic growth within its own local ecosystem, the partnerships could also benefit the city if leading Israeli cybersecurity companies look to relocate due to the limited size of the Israeli market.

Big plans, big results?

While we spent comparatively less time discussing them, the NYCEDC’s educational programs are particularly interesting. Students will be able to take classes at any university in the five-member consortium, and transfer credits freely, a concept that the NYCEDC bills as “stackable certificates.”

Meanwhile, Facebook has partnered with the City University of New York to create a professional master’s degree program to train up a new class of cybersecurity leaders. The idea is to provide a pathway to a widely-respected credential without having to take too much time off of work. NYCEDC CEO Patchett said, ”you probably don’t have the time to take two years off to do a masters program,” and so the program’s flexibility should provide better access to more professionals.

Together, all of these disparate programs add up to a bold attempt to put New York City on the map for cybersecurity. Talent development, founder development, customer development – all have been addressed with capital and new initiatives.

Will the community show up at initiatives like the Global Cyber Center, pictured here? (Photo from SOSA)

Yet, despite the time that NYCEDC has spent to put all of these partners together cohesively under one initiative, the real challenge starts with getting the community to participate and build upon these nascent institutions. “What we hear from folks a lot of time,” Patchett said to us, is that “there is no community for cyber professionals in New York City.” Now the buildings have been placed, but the people need to walk through the front doors.

The city wants these programs to be self-sustaining as soon as possible. “In all cases, we don’t want to support these ecosystems forever,” Patchett said. “If we don’t think they’re financially sustainable, we haven’t done our job right.” He believes that “there should be a natural incentive to invest once the ecosystem is off the ground.”

As the world encounters an ever increasing array of cyber threats, old empires can falter – and new empires can grow. Cybersecurity may well be one of the next great industries, and it may just provide the needed defenses to ensure that New York City’s other empires can live another day.

Your Instagram account may have been compromised by hackers, too

Not good.
Not good.

Image: Thomas Trutschel / getty

You didn’t forget that Facebook owns Instagram, did you?

That little fact is extra germane today following the news that at least 50 million Facebook users, and possibly 90 million, had their accounts accessed by hackers. And, it turns out, those users’ Instagram accounts could have been compromised, too. 

Here’s the key detail: You can log into your Instagram account with your Facebook account. And, if you used your affected Facebook account to log into your Instagram account, hackers would have been able to access that account as well. 

Not a good idea.

Image: screenshot / instagram

To make matters worse, according to Krebs on Security, it’s not just hacked individuals’ Instagram accounts that were vulnerable. Potentially every third-party service that lets you log in with Facebook is vulnerable, too.

Think Tinder, Uber, and so, so many others. 

Facebook’s VP of product management Guy Rosen confirmed as much on an afternoon phone call with reporters. 

Importantly, the company at present doesn’t have any evidence that attackers actually gained access to Instagram accounts. But don’t think everything is chill just yet. As Facebook repeatedly insisted both in its official statement and on the conference call, the investigation is still in its early stages. 

Meaning, there’s still a lot about the hack that the company doesn’t know. Fun, right?

Https%3a%2f%2fblueprint api production.s3.amazonaws.com%2fuploads%2fvideo uploaders%2fdistribution thumb%2fimage%2f85967%2f5ac3511e 3588 47d0 817e 3d170500d683

Some basic steps to protect your Facebook account after hack hits 50 million users

So Facebook just got pwned. Like, badly. 

The company announced today that hackers obtained access to 50 million users’ accounts, and could use them as if the accounts were their own. But what does that mean for you? Was your account one of the ones affected, and, if so, what can you do to protect your account going forward? 

While there remain a lot of unanswered questions about what data was stolen, and who is responsible, there are thankfully a few clear steps you can take to stop the bleeding. Whether it’s too late to really matter, well, that’s a different question. 

Find out if your account was affected

To determine how badly you should panic, it’s worth first finding out if your account was one of the 50 million in question. Unfortunately, there’s at present not a 100 percent sure way to know. 

While Facebook logged out all the accounts that were hit, finding yourself suddenly booted out of Facebook apps and browser sessions isn’t a surefire way to know if a hacker was digging around in your profile. That’s because the company also logged out another 40 million accounts as a precautionary measure. 

So, in other words, if you tried to log into Facebook this morning only to find that you strangely had to renter your password where before it had been saved, you might have been hit. But maybe not. If you didn’t have to do that, you’re probably safe. 

Either way, there are some basic precautions you should consider. 

Log out everywhere

The first thing you can do is log out of your Facebook account, everywhere. Like, every single place that it’s logged in — your web browser, the app on your phone, your iPad — everywhere. Facebook may have already done this for you, but, if it hasn’t, you should probably do this for yourself.

Why? Well, according to the company, hackers stole so-called access tokens — “the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app” — and used those to access victims’ accounts. Facebook has reset these tokens, but still suggests as a “precautionary action” people go ahead and log out everywhere. 

Oh, also, the “investigation is still in its early stages.” So, in other words, there’s probably a lot that the Facebook security team doesn’t know at this point. Better to log out just to be safe. 

To do so, head to the “Security and Login” section found in settings. There you will find an option to log out of all your sessions. Click it. 

Your password and 2FA

Importantly, Facebook explicitly says there is no need for you to change your password. And the company is probably correct. Again, though, the investigation of the hack isn’t yet complete. 

So while you likely don’t need to change your password, this might be a great time to make sure you have a password unique to Facebook. This means that if your password is ever compromised on Facebook, none of your non-Facebook accounts will be vulnerable as a result. 

What’s more, having a unique Facebook password means that if someone manages to get your email or, say, Twitter password, that person won’t then be able to automatically use it to log into your Facebook account. 

And, for good measure, turn on Facebook’s two-factor authentication. Use an authenticator app

Delete your account

Sick of all this Facebook garbage? Why not delete your account. After all, it’s pretty hard to hack your Facebook account if you don’t have one. 

Mark Zuckerberg famously said that “we have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.” 

Maybe, just this once, he was right. 

Https%3a%2f%2fblueprint api production.s3.amazonaws.com%2fuploads%2fvideo uploaders%2fdistribution thumb%2fimage%2f85967%2f5ac3511e 3588 47d0 817e 3d170500d683