All posts in “hacking”

Twitter is *not having* Equifax’s response to that massive hack

Nope.

Image: RHONA WISE/EPA-EFE/REX/Shutterstock

Equifax is oh so sorry that it allowed the personal information of potentially 143 million Americans to be stolen by hackers. So, so sorry. But, being the benevolent credit reporting agency that it is, the company has gone out of its way to ensure you can easily check if you’re affected. Except, yeah, the entire process is shitty, confusing, and possibly meaningless.  

And the hordes of Twitter are not having it. Like, really not having it. They’ve taken to the social media platform to ridicule Equifax for both the leak itself and the piss-poor way the company has managed the aftermath.  

First, let’s start with Equifax’s so-called “potential impact” check system. Ostensibly, by entering your last name and the last six digits of your Social Security number, you will be able to see if your data was pilfered.

Except that when many people, this reporter included, entered their information into the site, it returned nothing. No “you’re in the clear,” and no “you may have been impacted.” All it did was provide an opportunity to sign up for an Equifax credit monitoring service.

To make matters even worse (yes, it gets worse), entering seemingly made-up information returned results. 

Mashable tested it out, and we got the same result. 

Mr. Test is in trouble.

Image: equifax

Even nuttier, Krebs on Security reports that entering the same information — once on a mobile device and once on a computer — produced different results on at least one occasion.

People, it should perhaps go without saying, are not happy.

That sentiment was made even more pronounced when Equifax’s own social media team appeared oblivious to the world crumbling around it. 

And the jokes — Stevie-related and non-Stevie-related — poured in.

While the credit of 143 million Americans may very well be in a death spiral, we seem to at least still have our sense of humor. So there’s that.


That Instagram hack is shaping up to be way bigger than anyone thought

Well shoot.

Image: LILI SAMS/MASHABLE

Turns out we all may be “high profile” in the eyes of Instagram. 

A bug in the social media company’s API reportedly allowed hackers to gain access to account holders’ phone numbers and email addresses, with Instagram assuring everyone on Aug. 30 that it was the celebs of the world who were targeted. But that was then.  

Things are looking just a tad bit different now, with reports suggesting that as many as 6 million accounts were possibly affected and that regular old users may have fallen victim as well. 

The company issued a new statement on Sept. 1, copping to the fact that things may be worse than it originally admitted. 

“After additional analysis, we have determined that this issue potentially impacted some non-verified accounts as well,” a spokesperson told Mashable via email. “Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”

A “low percentage” of 700 million accounts — the current number of monthly active users on Instagram  — is still quite a lot of accounts. 

According to The Daily Beast, the person or persons responsible for the hack have gone so far as to create a searchable database allowing anyone to find the contact details of any affected user — all for the low, low price of approximately $10 (paid in Bitcoin, of course).

“Out of an abundance of caution, we encourage you to be vigilant about the security of your account, and exercise caution if you observe any suspicious activity such as unrecognized incoming calls, texts, or emails,” wrote CTO Mike Krieger in a Sept. 1 blog post. “Additionally, we’re encouraging you to report any unusual activity through our reporting tools.” 

In other words, this hack didn’t just affect “high-profile Instagram users” as the company initially suggested. You and I are at risk as well — so much so that Instagram is warning us all to be on the lookout. 

So look out, because this is shaping up to be way worse than anyone initially thought. 


Oops: An Instagram bug let a hacker access phone numbers and email addresses

“I’ll take that one, and that one, oh and that one too.”

Image: Ambar Del Moral/mashable

What’s shady, possibly wearing a hoodie, and is currently sitting on the stolen personal information of an untold number of high-profile Instagram users?

That would be — SURPRISE! — a random hacker. Or several of them.  

“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API,” an Instagram spokesperson told Mashable via email. “No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”

Instagram isn’t saying much more than that, and declined to provide details like just how many accounts were targeted and who specifically may have fallen victim. However, the fact that the company is notifying every single verified user of the breach suggests the number is high. Overall, the service boasts more than 700 million monthly active users.

“At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue,” the Instagram spokesperson explained. 

And just how many verified users are there? When asked, the spokesperson declined to comment. The spokesperson did confirm, however, that the company is aware of one specific person who had breached the system — so at least there’s that. 

Notably, news of this hack comes on the heels of an embarrassing moment for the company. Selena Gomez, who with 125 million followers has one of the most popular accounts on Instagram, had her account hacked just a few days ago. Whoever took control of that account used the opportunity to post nude pics of Justin Bieber, so you know this is some serious shit. 

And while all the non-verified account holders can, for now, breathe a sigh of relief that they apparently weren’t targeted this time around, they shouldn’t mistake that luck for security. Rather, they should take this as an opportunity to enable two-factor authentication and make sure they have a unique password for each online account. 

Oh, and while they’re at it, maybe cross their fingers and hope that Instagram doesn’t again fall prey to a solitary hacker with an apparent grudge against the verifieds of the social media world. 


Safe-cracking robot proves nothing is secure

The safe doesn’t stand a chance.

Image: jack morse/mashable

If hackers want what’s on your computer, chances are they can find a way to get it. But what about your non-digital goods? Like, the ones you keep in a safe at home?

Turns out those aren’t that secure, either. 

This was made abundantly clear at the 25th annual DEF CON in Las Vegas, where professional tinkerer and founder of SparkFun Electronics Nathan Seidle could be found demonstrating an open source safe-cracking robot. Costing around $200 to build, the device uses magnets to attach to the exterior of a safe and is run by an Arduino microcontroller. 

Oh, and it’s very portable. Like, carry around in a backpack as you sneak into a house portable. What’s more, the robot basically runs itself. 

“We wanted to make this thing as autonomous as possible,” he told the gathered crowd. And autonomous it is: You just hit the red button, and off it goes. 

Checking out the details.

Image: jack morse/mashable

To demonstrate just how quickly the robot works (and it does work quickly), Seidle pulled a Sentry Safe that he bought from a Home Depot in Vegas — which he claimed is one of the more common personal combination lock safes — right out of the box at the start of his presentation. With just a few adjustments, his robot was off to the races.  

The safe was fully cracked by 12:31 p.m. The talk started at noon.

Importantly, this tool works for this specific type of safe, but that doesn’t mean your other options are much better. 

Toward the end of his talk, Seidle quickly ran through different methods for locking up your valuables. Say, for example, you want a safe with a key? Or maybe a fancy digital keypad? With a casual dismissal, he mentioned that many of those can be opened in minutes. 

“No matter how much money you spend on a safe, nothing is impervious,” noted Seidle. Which, well, was basically music to the crowd’s ears.  

Because, essentially, nothing can be kept out of reach from a dedicated hacker. Not your computer, not your cellphone, and definitely not whatever it is you keep in your safe at home. Consider yourself warned. 


Creepy spyware has infected Macs for years, and we’re only just realizing it now

Your Mac is not safe. Well, at least not as safe as you think it is. 

That’s the big takeaway following the detailed investigation of a particularly insidious strain of Apple-focused malware that has potentially been around for up to a decade — all the while broadcasting video and audio from victims’ computers back to an unknown attacker. 

The malware, dubbed Fruitfly, was first reported on in January by Malwarebytes. However, it was Synack Chief Security Researcher Patrick Wardle who blew the lid off Fruitfly’s true nature on July 21. 

“[A] hacker built this to spy on users for probably perverse reasons.”

In a conversation with Mashable, Wardle explained that he was sent the malicious software by a friend earlier this year, and that he found it interesting enough to investigate. That investigation led to some unexpected places. 

Wardle discovered that the malware directed infected computers to contact a command and control server for instructions — known as “tasking” — but that the primary server was offline. As such, he realized the computers would look for specific backup domains for their directions. It just so happened that “one or two” of those domains were available for registration.  

So he registered one, and created a server that could talk to the malware. What he found, well, is pretty damn creepy. 

First, Fruitfly gave him both the infected computers’ IP addresses — which can be used to approximate their locations — and the computers’ hostnames. On most Macs the default computer name is built from the owner’s name (something like “Jane’s MacBook Pro”), so the hostname alone often identifies the victim.

So, for starters, Wardle was sitting on the names and locations of many of the victims. But that’s not all. The malware gave him the power to remotely switch on webcams and microphones, take control of mice, change files, and would even notify him if the computer was in use by its owner. 

“Usually you see that in government or nation-state software,” Wardle, who used to work for the NSA, observed. 

But the victims weren’t nation-state actors — they were regular people. Strangely, however, the system didn’t seem designed for financial gain as is more typical of malware infecting the devices of everyday folks. Instead, it appeared to have a completely different objective. 

“[A] hacker built this to spy on users for probably perverse reasons,” explained Wardle, emphasizing that it was “designed to perform surveillance.”

Approximately 90 percent of the infected computers are located in the U.S., with Wardle identifying around 400 compromised devices. He cautioned that those are just the infected systems he found, and that the total could be in the low thousands. Why so low? He speculated two reasons: To keep things manageable for the aforementioned creep, and to avoid detection. 

Speaking of detection, how did this thing go undiscovered for so long? Well, according to Wardle, a lot of that has to do with Macs.

“Mac security software is not that good,” he noted before elaborating that while Macs are good at detecting known threats, they are not that good at identifying new threats. Which, well, is a not-so-gentle reminder that even Mac users should get webcam covers. What’s more, Wardle added that Macs are actually easier to hack than recent versions of Windows — a statement which is sure to not win him any love in the Apple community. 
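Wardle got inside the Fruitfly net by noticing that the implant walks a list of backup domains when its primary command-and-control server is unreachable, and by registering one of the unclaimed backups. The same behaviour is a hunting signal for defenders who cannot rely on signature-based Mac antivirus catching a new sample: a host that resolves the primary C2 name and then steps through the fallbacks in quick succession is beaconing. The script below is an added example, not Wardle’s tooling or anything from the original article. The domain names, client addresses and resolver log lines are constructed for illustration, and the simplified log format is an assumption; in a real investigation the indicator list comes from reversing the sample.

```python
"""Hunting for C2 fallback behaviour in DNS resolver logs.

Added example (not from the article). The watchlist domains and the log
lines are constructed; the single-line log format is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical indicator list: one primary C2 plus its ordered fallbacks.
PRIMARY = "primary-c2.example"
BACKUPS = ["fallback1.example", "fallback2.example", "fallback3.example"]
WATCHLIST = {PRIMARY} | set(BACKUPS)

# Constructed resolver log in a simplified format:
#   <ISO timestamp> client <ip> query <name> -> <rcode>
SAMPLE_LOG = """\
2017-07-21T10:00:01 client 10.0.0.5 query primary-c2.example -> NXDOMAIN
2017-07-21T10:00:02 client 10.0.0.5 query fallback1.example -> NXDOMAIN
2017-07-21T10:00:03 client 10.0.0.5 query fallback2.example -> NOERROR
2017-07-21T10:00:07 client 10.0.0.9 query www.apple.com -> NOERROR
2017-07-21T10:05:00 client 10.0.0.12 query primary-c2.example -> NXDOMAIN
2017-07-21T10:05:01 client 10.0.0.12 query fallback1.example -> NXDOMAIN
2017-07-21T10:05:02 client 10.0.0.12 query fallback2.example -> NOERROR
2017-07-21T11:30:00 client 10.0.0.9 query fallback2.example -> NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>\S+) query (?P<name>\S+) -> (?P<rcode>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, client_ip, qname, rcode) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        yield (datetime.fromisoformat(m["ts"]), m["ip"],
               m["name"].lower().rstrip("."), m["rcode"])


def find_fallback_beacons(log_text, window=timedelta(minutes=5)):
    """Return {client_ip: [domains in query order]} for hosts that queried the
    primary C2 and at least one backup domain within `window`.

    This is the strong signal: a benign host has no reason to know the
    fallback list, so walking it right after the primary fails is the
    implant's fingerprint regardless of which names currently resolve.
    """
    per_host = defaultdict(list)
    for ts, ip, name, _rcode in parse(log_text):
        if name in WATCHLIST:
            per_host[ip].append((ts, name))

    beacons = {}
    for ip, events in per_host.items():
        events.sort()
        for i, (t0, n0) in enumerate(events):
            if n0 != PRIMARY:
                continue
            chain = [n0]
            for t1, n1 in events[i + 1:]:
                if t1 - t0 > window:
                    break
                if n1 in BACKUPS and n1 not in chain:
                    chain.append(n1)
            if len(chain) > 1:
                beacons[ip] = chain
                break
    return beacons


def find_single_hits(log_text):
    """Hosts that touched the watchlist without the primary->backup walk.

    A lone lookup of one indicator is weaker evidence (a researcher, a
    sandbox, or a proxy resolving on someone else's behalf), so it is
    reported for review rather than as an infection.
    """
    per_host = defaultdict(set)
    for _ts, ip, name, _rcode in parse(log_text):
        if name in WATCHLIST:
            per_host[ip].add(name)
    strong = find_fallback_beacons(log_text)
    return {ip: sorted(names) for ip, names in per_host.items() if ip not in strong}


if __name__ == "__main__":
    for ip, chain in find_fallback_beacons(SAMPLE_LOG).items():
        print(f"likely infected: {ip} walked {' -> '.join(chain)}")
    for ip, names in find_single_hits(SAMPLE_LOG).items():
        print(f"review: {ip} queried {names}")
```

Run against the constructed log, 10.0.0.5 and 10.0.0.12 are flagged as infected because each resolved the primary name and then two backups inside the window, while 10.0.0.9 is only queued for review since it touched a single fallback name with no preceding primary lookup. Keying on the order of queries rather than on any one name also keeps the detection working after the attacker (or a researcher, as here) changes which domains actually resolve.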

Wardle contacted law enforcement with his findings, and he says the entire Fruitfly malware net appears to be shut down at this time. And while that is good news for the 400 victims he identified, the findings suggest that a host of Mac-focused malware may already be out there under all of our noses. All someone needs to do is look for it. 
