Hackers want your data. Meet the ones who are trying to protect it.

The last two years have seen the Equifax breach, the WannaCry cyberattack, a nefarious DDoS attack that destroyed the internet for a full day, and a laundry list of other security breaches of the stores, restaurants, and retailers we know and love. A skilled hacker has a dangerous amount of power in their hands — power with the potential to destroy lives. 

But take heart: Scattered across the internet are hundreds of thousands of equally skilled hackers who are fighting to protect you. 

If your personal information wasn’t compromised this year, you have that army of nerds to thank. 

Way back in 1983, Volkswagen offered a reward to hackers who were able to breach the operating systems of the company’s Beetles. Twelve years later, Netscape instituted the first “bugs bounty” program, offering rewards to users who reported issues in its Navigator 2.0 software. The program wasn’t especially lucrative — Netscape’s product director at the time said in an interview that “several” hackers received a $1,000 prize, while “many others” received Netscape merchandise — but it demonstrated the potential of such programs. A small but dedicated group of Netscape users put hours into the task, despite the small chance of a reward. 

A few other companies followed suit throughout the next few decades, including Mozilla, which announced a similar program, with a $500 prize, in 2004. 

But it wasn’t until 2010 that bug bounty programs were brought to the mainstream: Google launched an “experimental new incentive” for the cybersecurity community to find bugs in Chromium, offering $1,337 for “particularly severe or particularly clever” bugs and $500 for other security bugs. 

Today, most of the largest companies with technological components, from Snapchat and Dropbox to Tinder and Starbucks, have “bug bounty” programs. They offer monetary rewards, often in the thousands of dollars, to anyone who can exploit security vulnerabilities and report them to the company. Across basements, offices, cubicles, arenas, Slack channels, and forums, hackers answer their call. 

The hackers

According to a recent HackerOne report, ethical hackers largely hail from India (23%), the U.S. (20%), Russia (6%), Pakistan (4%), and the U.K. (4%). They come from a range of educations: 58% are self-taught, 50% studied computer science in college, and 26.4% studied it in high school. A full 90% are under 35, with 50% under 25, and just 8% under 18. 

But there’s one trait that all ethical hackers have in common, and that’s “endless curiosity,” according to Marten Mickos, CEO of bug bounty platform HackerOne: “We don’t find them. They find us. They read, they study vulnerabilities, and then they report them. Most of them start when they’re young.”

Jack Cable is no exception. He’s a high school senior who taught himself to program by watching YouTube lectures when he was 12 years old. In between homework, college applications, and high school math team competitions, Cable has exposed more than 200 security vulnerabilities for around 50 companies, including Uber, Bitcoin Exchange, and even the U.S. Air Force. 

Cable has spent the duration of his career serving the public good, as have other hackers. Cable also knows people who began as criminal hackers who are now turning their lives around, working for good.

Cable frequents a forum of around 150 hackers who share tactics and collaborate on finding bugs, even though they’re ultimately competing for the prizes. 

“Everyone is much more collaborators than competitors,” says Cable. “There is a strong component of helping each other out, of working together to improve these companies’ security.” 

Sean Melia is a senior security engineer at security service company Gotham Digital Science. In late 2014, he saw a YouTube video in which a hacker reported receiving $15,000 for finding a bug. Intrigued, Melia poked around the internet and found a bounty program from Yahoo. Over the next few weeks, he located more than 30 bugs for the platform — and pocketed $22,000. 

“I’ve never had that much money at one time getting deposited into something,” he said of his start. “I was kind of hooked after that.” 

Now, after a long day of assessing the security of networks and web applications, Melia goes home and hacks. He has found more than 800 bugs for more than 50 companies, including Yahoo, Twitter, and Starbucks. 

That said, Melia insists that the money isn’t everything. “To be good at this, it has to be a passion,” he says. “If you’re just like, ‘I want the money,’ you’re not going to fare well.” 

Still, the money is a nice incentive. One hacker, “robd4k,” recently earned enough to build himself a house.  And according to HackerOne data, the top hackers based in India earn 16 times that of the average software engineer. 

While the hacking community is predominantly white and male, there’s diversity in the methodology that hackers employ, and this multifaceted approach is what companies with bug bounties seek. 

Ethical hackers “will be much more creative in finding the bugs,” Mickos said. “Even if you have a really smart person in house, it’s difficult [for them] to find their own typos. The outside world will always outperform the inside world.” 

Are they ever tempted to exploit vulnerabilities for themselves? Not as long as the reward for being ethical is bigger. 

“I’ve never found a case where I would benefit more from not reporting it,” Cable said.

The process

Melia discovered one of his recent bugs by accident. 

He was routinely scanning the Starbucks app, just like a normal user, and was in the process of ordering himself a coffee when he realized that by changing his order number on the checkout screen, he could modify other people’s orders. This would allow him to send coffees to other people’s houses — or have their orders sent to his house, at no cost. Melia reported the bug for a reward of several thousand. 
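The bug described above is a textbook insecure direct object reference: the checkout endpoint trusts whatever order number the client sends and never checks that the order belongs to the logged-in user. The following is an added illustration (not code from the article or from Starbucks) with a constructed order store, showing the vulnerable lookup beside the hardened one and a small denial log a defender could alert on.

```python
"""Added example, not part of the original article. Models the
order-modification bug as an IDOR: a vulnerable handler that looks up
an order by client-supplied id only, and a hardened handler that scopes
the lookup to the authenticated user. All data here is constructed."""

from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: int
    owner: str
    items: list = field(default_factory=list)
    address: str = ""


class Forbidden(Exception):
    """Raised when the order does not exist or is not owned by the caller."""


# Denied attempts are recorded here; a burst of denials for many distinct
# order ids from one account is a strong signal of id enumeration.
DENIED_LOG = []


def make_sample_orders():
    """Constructed sample data: two customers, one order each."""
    return {
        1001: Order(1001, "alice", ["latte"], "1 Alice St"),
        1002: Order(1002, "bob", ["espresso"], "2 Bob Ave"),
    }


def update_order_vulnerable(orders, session_user, order_id, new_address):
    """Vulnerable: the authenticated user is never consulted, so any
    logged-in customer can redirect any other customer's order."""
    order = orders[order_id]
    order.address = new_address
    return order


def update_order_hardened(orders, session_user, order_id, new_address):
    """Hardened: the order id is still accepted from the client, but the
    record must belong to session_user before it can be changed."""
    order = orders.get(order_id)
    if order is None or order.owner != session_user:
        # Same outcome for 'missing' and 'not yours' so the endpoint does
        # not confirm which order ids exist; log it for detection.
        DENIED_LOG.append((session_user, order_id))
        raise Forbidden("order not found")
    order.address = new_address
    return order


def enumeration_suspects(denied_log, threshold=3):
    """Return users whose denied attempts touched at least `threshold`
    distinct order ids, a simple detection rule over the denial log."""
    seen = {}
    for user, order_id in denied_log:
        seen.setdefault(user, set()).add(order_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```

The vulnerable handler returns Alice's order when Bob asks to change its address; the hardened one refuses and leaves the record untouched.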

“I’d rather have a $4,000 to $6,000 bounty than a chance of stealing a free coffee,” he said. 

Though ethical hackers sometimes congregate and share strategies, the process itself is generally solitary — other hackers are, at the end of the day, the competition. They’ll spend hours poring over apps and websites, often with little reward. 

“It’s a lot of trial and error,” says Cable. “Testing everything, [thinking about] how you can use that to employ something.” He adds, “Ninety-nine percent of the time it’s not going to indicate a vulnerability, and in that case, you have to move on.” 

The most important feature in an ethical hacker, Cable says, is persistence. “If you can keep the mindset that there will be setbacks and at times it will be difficult to find vulnerabilities, if you keep trying new things and keep learning, you’ll be able to identify more vulnerabilities.” 

Melia prefers a “black box” approach. On a typical day he opens an application, enters it like a “normal” user, and tries to manipulate everything he can to make the application do things it wasn’t intended to do. Along the way, he learns as much about the company as possible: the size of the network, the scope of the audience, the locations the app or website reaches, the structure of it and what might be exposed. 

When discouragement comes, Melia recommends stepping away from the computer, or turning to Netflix. 

“There have been instances where I can’t exploit a bug, and then I’m lying in bed and I’m like, ‘Oh, I figured it out.'”

If they want to make a profit, a hacker can’t rest for too long. “Any one of the other hackers would have found it eventually,” said Melia of his Starbucks hack. “I was just the first one.” 

The future

Many individuals with hacking skills don’t choose the path of Cable and Melia. Some of that, says Mickos, has to do with the stigma of the job. 

The deluge of breaches, vulnerabilities, scams, and viruses that tends to envelop cybersecurity news has left a bad taste in the public’s mouth when it comes to the word “hacker.” And there’s not enough reporting on the good that hackers do to convince the public to value the community.

“For every bad hacker there are about 1,000 ethical hackers,” Mickos says. “It’s just they don’t make a story in the press, so you don’t hear much about them.”

That’s a problem for two reasons. First, because most hackers, according to Mickos, begin building their skills at an age when they’re just developing their moral compass, when bounties are difficult to get, and when free coffees look incredibly tempting. And when hackers don’t feel that people value their work, they’re less inclined to help those people. 

Second, laws in many places reflect a broader societal suspicion toward the hacking community, and that can impede the work that ethical hackers do. 

The Computer Fraud and Abuse Act, passed in the 1980s, defines the term “computer fraud” in a way that prosecutors are able to stretch broadly to subject white-hat hackers to hefty fines, or even prison time. While it’s unlikely to apply to official bug bounty programs where authorization is explicitly granted, the threat of legal action can keep self-employed hackers from sharing discoveries they make and, consequently, from advancing the field overall. 

Melia has been nervous about law enforcement before. He once found a vulnerability in a website that allowed him access to the data of 3,000 users. He “immediately cancelled” what he was doing and reported the bug, but still received an “almost threatening” phone call from the company. He was sent a $500 gift card only after assuring the company that he’d done nothing with the data. He was relieved that he wasn’t arrested, but was still required to sign a non-disclosure agreement. 

He’s one of the lucky ones. 

In 2008, the Massachusetts Bay Transportation Authority invoked the CFAA to bar three MIT students from presenting at a conference about flaws they’d found in its electronic ticketing system — talking about hacking, the judge ruled, was as bad as hacking itself. 

And in 2005, 19-year-old Samy Kamkar was able to create a script that would force anyone who visited his Myspace page, or the page of anyone who had visited his page, to send him a friend request. Kamkar reported the bug anonymously to Myspace, but it was too late. One million friend requests and a deleted profile later, the Los Angeles Police Department seized Kamkar’s computers and electronics. He was sentenced to three years of probation — without internet access. 

To end up with the world’s most talented hackers working for good rather than breaching Equifax, companies need to offer high enough bounties. To do so is an investment in the companies, and in the public’s security. 

Legislation should make concrete exceptions to protect hackers who report bugs that they find — the world is worse off if those bugs are kept secret, or even exploited, because hackers fear arrest. 

Most importantly, companies and the media should recognize the work that hackers do. 

“I see in all parts of society that teenagers and teenage boys will go outside of the human rules,” says Mickos. “But if you work with them, don’t dismiss them, and appreciate their energy and skill and curiosity, they will develop into very good citizens and find their moral compass.”

Companies should incentivize ethical hacking and offer monetary rewards. HackerOne reports that nearly one in four hackers have not reported a vulnerability because the website lacked a channel to disclose it. 

But companies should go beyond offering monetary rewards. They should publicize the work that ethical hackers do, to make the media and the world aware. 

This recognition plays no small part in keeping hackers like Cable and Melia around. A name in a news article can lead to media appearances, and even job offers.  

“They have to make it worth the hackers’ while,” says Melia. “There needs to be some type of public disclosure. The bounty community helped fix these issues … the companies need to recognize the efforts put in by the communities to protect them.” 

Hackers are, according to Mickos, “the ones who will rescue and safeguard our society.”

What putting medical records on an Apple Watch means for your privacy

Apple wants to put your medical history in the palm of your hand. And, for good measure, on your wrist as well. 

The tech giant confirmed Wednesday that it intends to allow customers access to their medical records via iPhones and Apple Watches on iOS 11.3 beta. But like with so many things in the world of highly personal data, putting medical information on a digitally connected device is not without risk — and how it all shakes out could have a huge impact on the lives of millions. 

According to CNBC, which broke the story, the new feature will be folded into the Apple Health app. After a health provider is added to the app, the “user taps to connect to Apple’s software system.”

Does that mean this information passes through Apple’s servers before hitting your iPhone, or does it come directly from the provider itself? And how, exactly, is that data protected from hackers or leaks? That, unfortunately, is unclear. This reporter reached out to numerous people at Apple with a series of questions about the new service, but received no response. 

This is a problem. If Apple wants people to trust it with details regarding their “allergies, conditions, immunizations, lab results, medications, procedures and vitals,” as CNBC reports, then it needs to be more forthcoming about how it plans to secure that information. 

Your life in an app.

Image: NurPhoto/Getty Images

Mashable was able to confirm that the medical records in question can be kept on an iCloud account — if you opt in — but that otherwise they’re stored locally on the device, and protected with the same form of encryption that secures everything else on the device. It’s unclear if this is a separate opt-in than the one an iPhone user makes to back files up to iCloud.

It is very possible that you might want your photos backed up to the cloud, but not the details of your embarrassing medical condition. Hopefully Apple plans to give users that flexibility. Unfortunately, however, at this time we don’t know. 

Risk and reward

While the benefits of having your medical history at your fingertips may be numerous, so are the potential pitfalls. After all, it’s not hard to imagine what could go wrong. As the notorious 2014 hack of celebrity iCloud accounts made clear, Apple can’t guarantee the safety of your data. Sure, that incident involved targeted phishing, but for many people, a jealous ex is part of a valid threat model — and that’s exactly the type of person who would be able to bluff their way into an iCloud account. 

That is also the same kind of person who might have physical access to your iPhone or Apple Watch. As soon as they got into one of those devices, your medical records would potentially be up for grabs.

To be clear, it’s not like your medical data is necessarily safe where it is. We learned in 2014 that hackers had stolen the records of some 4.5 million patients after breaching the systems of an American hospital network. 

But, still. Throwing another potential target in the mix in the form of an iPhone or Apple Watch, no matter how secure Apple may claim them to be, doesn’t make this reality any better. 

We reached out to both the Electronic Frontier Foundation and the U.S. Department of Health and Human Services for additional insight, and will update this when and if we hear back. 

In the meantime, it’s perhaps best to keep in mind that medical records present a unique challenge when it comes to balancing privacy, security, and availability. Not getting them into the hands of your doctor could have disastrous effects, but so could having them fall into the hands of a hacker. 

Apple’s customers would be better served by an open dialogue on how the company plans to achieve that optimal balance. Until that happens, however, upload your medical records to Apple’s cloud at your own risk.

Purchased a OnePlus phone? Yeah, your credit card might have been stolen.

Phone with a side of theft.


Things aren’t looking so hot for approximately 40,000 OnePlus customers. And no, not because they’ll probably have to wait until June to upgrade to the OnePlus 6. 

It turns out that the company’s website was hacked, and in the process credit card numbers and other payment information was likely stolen. 

According to a statement issued by the Chinese smartphone manufacturer, “a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.”

What this means in practice is that, from roughly mid-November 2017 to January 11, 2018, any customer who entered their credit card on the site could have had it lifted by hackers. Some customers are already reporting fraudulent charges.

“The malicious script operated intermittently, capturing and sending data directly from the user’s browser,” the company said in a statement. “It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.”

OnePlus emailed the customers it believes might have been affected, and noted that both card expiration dates and security codes could also have been stolen. 


Security researchers at Fidus Information Security looked into the breach, and what they found doesn’t look so good for OnePlus. According to a Fidus blog post, “OnePlus do not appear to be PCI compliant, nor do they mention this anywhere on the website.”

Why does this matter? PCI is short for Payment Card Industry Data Security Standard, and, according to the PCI Security Standards Council, the standards are “the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.”

In other words, according to Fidus, OnePlus may not have been taking basic steps to protect its customers’ data. Like we said, not looking good.

So, what can you do if you got an email from OnePlus notifying you of the breach? Not much, unfortunately. OnePlus says you should check your bank statement for fraudulent charges, and reach out to the company for any “enquiries.” 

OnePlus will also offer “one year of credit monitoring to affected customers,” according to a company spokesperson. 

Somehow, for those who already had their credit cards stolen, we don’t imagine these measures will provide much solace.

This story has been updated to note that OnePlus is offering limited credit monitoring.

Facebook and WhatsApp malware attack is yet another stark reminder: Be wary of links

Image: Sergei Konkov\TASS via Getty Images

Hackers continue to successfully dupe people into clicking on shady (though carefully disguised) links, thereby gaining access to the text messages, Facebook accounts, and e-mails on both computers and phones. 

A new in-depth cybersecurity report — undertaken by the cybersecurity firm Lookout and digital rights group the Electronic Frontier Foundation — shows that professionals of all persuasions are making poor clicking decisions: military personnel, medical professionals, journalists, lawyers, and universities.

The perpetrators of this recently uncovered hacking scheme have been dubbed “Dark Caracal” by the report, and the cybersecurity researchers present compelling evidence that the group has been operating out of a building in Beirut, Lebanon (which happens to be owned by the Lebanese General Directorate of General Security) since 2011. Phones or computers were breached in at least 21 countries, including the United States, China, and Russia.

The hackers used common, though still sophisticated, phishing techniques to steal text messages, call records, audio recordings, photos, and other data from their targets. Broadly speaking, phishing involves hackers disguising themselves as trustworthy or known sources — perhaps an e-mail from a bank or social media account — and then tricking people into sharing confidential information.

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said Electronic Frontier Foundation technologist Cooper Quintin in a statement.

In the case of the once-secret Dark Caracal operation, these hackers used WhatsApp messages and Facebook group links to successfully dupe people into clicking, and thereby allow spying and password-collecting malware to enter their Android phones and computers. In the cybersecurity realm, these are called “watering hole attacks,” in which hackers identify the specific websites or apps used by a certain group of people — like an activist group or military organization — and infect those sites with malware in hopes that someone will click.

For instance, Dark Caracal sent WhatsApp messages to specific individuals, suggesting that they click on a link in a message. Dark Caracal also dropped links into Facebook groups and created mock login portals for Facebook, Google, and Twitter accounts — where some folks invariably typed in their passwords. 

Successful phishing campaigns are inherently deceptive, intended to feel trustworthy and encourage interaction. These sort of operations are surely not going away — in fact, they appear to be expanding in use and popularity. 

For this reason, one can employ two simple tactics in a malice-filled web. First, use two-factor authentication to add a layer of security to your e-mail and social media accounts (although this is far from foolproof — Dark Caracal appears to have even stolen 2FA pass codes). Second, always carry a healthy sense of distrust on the web, which in short means: don’t click.

Those huge CPU vulnerabilities, Meltdown and Spectre, explained

By now you’ve probably heard. A large portion of the world’s computer processors are vulnerable to at least one of two exploits that render them susceptible to hackers. But what, exactly, is going on — and what can you do to protect yourself?

While the answer to the first question is complicated, thankfully the answer to the second isn’t. It turns out that companies like Google and Microsoft have been working behind the scenes to create patches for what the security community has named Meltdown and Spectre. 

But we’re not out of the woods yet, and, depending on your operating system, you still need to take some proactive measures to make sure your data is safe. 

What’s in a name: Meltdown and Spectre

One of the reasons this latest threat is so complicated is because it’s actually multiple vulnerabilities that were unveiled at the same time. They’re similar in some ways, but differ in important others — a fact hinted at by their names. 

According to researchers, Meltdown “basically melts security boundaries which are normally enforced by the hardware.” Spectre, meanwhile, “breaks the isolation between different applications” allowing “an attacker to trick error-free programs, which follow best practices, into leaking their secrets.”

And what does that actually mean? Essentially, either of these vulnerabilities could be theoretically exploited to steal sensitive data, like passwords, off your computer. Spectre is also a threat to your smartphone, so no escape there.  

Furthermore, while Meltdown can be mostly mitigated with software patches, it is thought only certain exploitations of Spectre can be stopped in this manner. In other words, the latter is going to haunt us for some time and either could potentially require new processors for a complete fix (maybe).

So, who has patched?

Companies, if they haven’t already, are rushing to release the aforementioned “mitigations” against possible attacks that could exploit Meltdown or Spectre (a helpful patch list can be found on the Computer Emergency Response Team site). Why mitigations? Well, because the patches and updates mitigate the risk — but might not remove it completely.   

Microsoft, on Jan. 3, released an update for devices running Windows 10 that was downloaded and installed automatically. 

Google, for its part, issued a lengthy blog post on the same day detailing all the steps it had taken to protect users against both Spectre (Variant 1 and 2) and Meltdown (Variant 3). While a lot of that work happened behind the scenes, there are still some actions you need to take yourself. For example, you should definitely enable site isolation on Chrome.

Android devices with the most recent security updates are also protected from the above-mentioned variants.

Apple was a little late to the customer-facing party, but on Jan. 4 made it clear that it is indeed paying attention. Specifically, the company said that — just like with its competitors — its products are at risk. That includes “all Mac systems and iOS devices,” to be exact. 

But wait, there’s good news! Patches to help defend against Meltdown were released in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and Spectre-focused patches for Safari should be hitting “in the coming days.”

What do I need to do?

Meltdown and Spectre are the real deal, and rightly have security professionals concerned. However, at this time there are plenty of things you can do to protect yourself that don’t involve buying a new computer.

Security researcher Matt Tait writes that, at least when it comes to Meltdown, typical computer users can mostly breathe easy. First and foremost, make sure your system is up to date. Download any and all patches for your operating system and browser of choice.

But, because more updates are coming down the pike, you’re not done. Be on the lookout for any and all future security releases and make sure to install them immediately. Don’t pull the classic “remind me later” bit. 

And what about Spectre? This one is a little trickier. 

“Spectre is harder to exploit than Meltdown, but it is also harder to mitigate,” explain the researchers behind the discovery. “However, it is possible to prevent specific known exploits based on Spectre through software patches.” 

In other words, while nothing is perfect, much of the same advice applies as with Meltdown: update, update, update. 

Which, well, has always been good advice.