All posts in “hacking”

Strike fear into the hearts of hackers with this online class

Just to let you know, if you buy something featured here, Mashable might earn an affiliate commission.

To beat a hacker, you must become a hacker.

That’s what ethical hacking is all about: you learn the tricks and tools that cyber-criminals use to infiltrate the networks of major institutions, use that knowledge to set up secure safeguards, and get paid handsome sums by those companies. Plus, you’ll be protecting the public from financial breaches and identity theft. 

Become the digital dark knight that the internet deserves by enrolling in this online course: The Complete Ethical Hacking Masterclass. It’s available for just $15 while this deal lasts.

This bundle offers 65 lectures and 11.5 hours of immersive content that will prep you for a new career in the high-paying field of ethical hacking. With each course, you’ll explore cutting-edge concepts and master new tools to round out your skill set — including setting up virtual penetration testing environments, networking fundamentals, advanced client-side and server-side exploitation, and how to attack wired and wireless networks. You’ll even learn the art of performing network sniffing with Wireshark. 

Get lifetime access to the Complete Ethical Hacking Masterclass for $15, which is a massive reduction from its usual $199 price.

Reddit hack exposes old private messages

r/bummer

The internet is forever, and, yes, that apparently includes your old Reddit private messages.  

The so-called front page of the internet today announced that it suffered a hack in June, and, as a result, Reddit private messages from 2005 to 2007 are now in the hands of the as-of-yet unknown culprits. 

That’s right, your finely aged secret memes are on the loose. Oh, and also your email addresses and account credentials. 

“A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007 [was accessed],” explains a statement from the company. “In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.”

According to the statement, Reddit plans to notify all affected users and reset passwords for accounts that might still be using decade-old passwords. Importantly, the company insists, if you got your first Reddit account post-2007 you’re in the clear. 

We reached out to Reddit in an attempt to determine if long-deleted accounts from back in the day were affected in any way, but did not receive an answer to that question as of press time. 

So how did this happen? It appears that SMS-based two-factor authentication played a key role. 

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” notes the statement. “We point this out to encourage everyone here to move to token-based 2FA.”

Indeed, while 2FA is a vital security tool, it does have its weak points. Dedicated hackers can potentially intercept codes sent via SMS by exploiting a flaw in what is known as the Signaling System 7 protocol (SS7), or simply phish the code. A physical security token, as endorsed by Google, is much more secure. 

Reddit is working with law enforcement to investigate the hack, and in the meantime encourages all its users to set up 2FA with an authenticator app.

And, although Reddit doesn’t officially recommend this, if you have a super old Reddit account it’s worth your time to take a walk down your private message memory lane to double check you didn’t reveal anything of value in your old PMs. Because having a hacked 12-year-old private message come back to bite you in the ass is probably not how you want to start your day. 

Someone is using a cancelled TV show’s verified Twitter account to promote a cryptocurrency scam

An apparent hacker has been using a discontinued TV show’s verified Twitter account to promote a cryptocurrency scam.

A nefarious Twitter user appears to have gained access to the official @AlmostHumanFOX account, and has been tweeting from the account since the beginning of the month. 

During this time, the account, which is followed by almost 19,000 Twitter users, has been promoting cryptocurrency “giveaways” and impersonating Justin Sun, the influential founder and CEO of Chinese blockchain company TRON.

As TheNextWeb points out, cryptocurrency “giveaway” scams have plagued Twitter in recent months. Even Elon Musk has complained about it. Basically, a scammer uses faked accounts to try to convince Twitter users to send a small amount of cryptocurrency, promising to send back tenfold in return. The scammer then takes the original crypto deposit and runs, never returning any of the currency.

In the case of the compromised @AlmostHumanFOX account, a hacker has not only managed to take control over a verified Twitter account, but also managed to remain in control of the account for almost a full month (from July 1 to today, July 24).

The sci-fi series Almost Human aired for one season on FOX and was cancelled in 2014. Since then, its Twitter account has remained inactive. Then, suddenly, on July 1, the account woke from its four-year slumber and tweeted.

Fans of the show took notice.

Within days the account began discussing Bitcoin and other cryptocurrency in the Twitter replies of various crypto companies and news sites. Before long, the hacker changed the account’s avatar, profile header image, and display name to mimic that of Justin Sun’s account. 

The @AlmostHumanFOX account, now looking like Sun’s account, then replied to Sun’s tweets with links to the cryptocurrency “giveaway” in hopes of fooling Sun’s fans. Sun’s actual Twitter account has over 400,000 followers. 

A screenshot of the scammer in action.


The Twitter account hack has seemingly gone unnoticed by Fox and Twitter. As of July 24, the hacked @AlmostHumanFOX account is still tweeting cryptocurrency scams under the guise of Justin Sun. It’s worth noting that while Twitter removes the blue checkmark verification from accounts that change usernames, it allows verified accounts to change their display names without losing verified status. This technicality has been exploited by whoever is controlling the @AlmostHumanFOX account.

Here’s a screenshot of the hacked @AlmostHumanFOX Twitter account.

Here’s a screenshot of Justin Sun’s actual verified Twitter account.

While accounts have been compromised before, even verified ones, the span of time this has gone on for, completely under the radar, is certainly alarming. The @AlmostHumanFOX account isn’t the only now-dormant verified Twitter handle out there open to hacking. But at least most dormant accounts sit idle rather than being used for nefarious purposes.

Mashable has reached out to the real Justin Sun, Fox, and Twitter for comment. We will update this article if and when we hear back.

Voters’ data was left exposed online because of course it was

Oops.

Sure, our ballot may be secret. But our voter data? Yeah, not so much.

Our most recent reminder of this disconcerting truth: Bob Diachenko, a self-described cybersecurity enthusiast who works for an IT development firm, discovered an online database containing information on thousands of US voters. The apparently misconfigured database, which belonged to a Virginia-based robocalling firm, reportedly included voters’ names, addresses, phone numbers, and political affiliation, along with other personal information.   

And it was all there for the taking. 

Diachenko describes the unprotected dataset as containing “Hundreds of thousands [of] US voter data,” but clarifies in the same blog post that there were 2,594 “listed files.” Because a single file could conceivably contain thousands of individuals’ data, the exact number of people whose data was exposed isn’t immediately clear. 

But RoboCent, the robocalling firm behind the exposed database, attempted to minimize the implications of Diachenko’s findings. Though firm cofounder Travis Trawick confirmed RoboCent’s involvement in a statement to ZDNet, he maintained that the data was from “an old bucket from 2013-2016 that hasn’t been used in the past two years.”

Trawick’s firm offers customers access to “thousands of voters, instantly” — but that’s not all RoboCent provides. 

“Clients can now purchase voter data directly from their robocall provider,” the company explains on its website. “We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order.”

You can see how such a service might be useful to a bad actor trying to, I don’t know, influence an election.

And the cost? Why, that would be just $.03 per record. Or, if you knew where to look online, free. According to Diachenko, the dataset was left in a misconfigured and self-titled AWS S3 bucket.

We reached out to RoboCent in an attempt to confirm Diachenko’s claims, as well as to determine how long the data had been left exposed, how many people were potentially impacted, and whether the company was aware of any specific incidents of inappropriate access. We received no response as of press time. We also reached out to Diachenko with the hope of getting to the bottom of this, but did not hear back from him as of press time, either. 

Whether it be 2,600 people or several hundred thousand people, it’s not a good look for RoboCent to be allegedly exposing voter data to the public. Unfortunately, this kind of security lapse is something we’re all just going to have to get used to going forward (if you haven’t already).

Because even if companies like RoboCent aren’t paying attention to their digital security, you can bet others are.

A hacker tried selling stolen military drone documents for $200

This is the MQ-9 Reaper drone. Documents related to its use were stolen from the U.S. military by a hacker.

Researchers at the cybersecurity firm Recorded Future recently released a report about one of its more interesting findings. 

While scouring the hacker forums on the dark web, the firm’s analysts discovered someone selling MQ-9 Reaper drone documents — maintenance books, training guides, and a list of airmen assigned to the military drone. The hacker was looking for $150-200 for the documentation. 

That may seem a strangely low asking price, and according to Andrei Barysevich, a Recorded Future analyst, it is. The hacker was advertising the documents as classified information, but while they are only made available to the military and its contractors, they aren’t classified. Still, according to Barysevich in a statement to Buzzfeed News, “We felt like he has no true understanding of the value of this information, he had no idea how to sell it, he was just trying to get rid of it.”

The way in which the hacker gained access to these drone documents is just as ridiculous as the hacker’s lowball sales price.

In 2016, Netgear issued a warning about a security flaw in its routers. The U.S. military had failed to update the accessed router with the fix for this well-known bug — which is exactly how the hacker got in. 

Even more interesting, in Recorded Future’s communications with the hacker, the firm discovered just how deep the hacker’s access into the U.S. military networks was. The hacker said he was able to watch live footage shot by the drones. He was even able to identify to the cyber security firm which military official he was able to hack to gain access to the now-for-sale drone documentation.

Recorded Future has been in touch with authorities and is helping them on the case.

Let this be an important lesson for all: Secure the networks where you host your military drone files.
