A hacker’s job is never done. Though they work hard to scam, defraud and launch malicious attacks, there’s also many times when we make their job just a little too easy. In this week’s Hacker Tracker, we take a look at how a weak defense against hackers essentially leaves a wide open door allowing them to walk right on in … just ask Yahoo.
When one door closes, another one opens. Or, is it a window?
Either way, these sayings aren’t so encouraging when it comes to cybersecurity. Hackers are ready and waiting to find an opening or vulnerability allowing them access to do damage.
You don’t have to look far to see security flaws leading to massive data breaches.
Security experts believe that may be what happened to Yahoo — the tech giant confirmed that over 500 million user accounts were compromised by hackers, marking what is said to be the largest data breach in U.S. history.
The stolen information includes names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. It’s believed that the data was actually compromised in late 2014 but that Yahoo CEO Marissa Mayer was not quick to disclose the information.
Sen. Mark Warner (D-VA) is pointing the finger at Yahoo for the breach taking place and has accused Mayer of knowing about the breach since July. He is arguing that the Securities and Exchange Commission should open an investigation into the hack.
According to The New York Times, Yahoo decided not to invest in the type of security defenses needed to protect its systems from increasingly sophisticated hackers. Though that decision took place years ago, it may have contributed to the hot cybersecurity water the company has found itself in today.
Yahoo employees told NYT that security was just one of the competing priorities Mayer was faced with when she took over as CEO back in 2012. The company’s security team, internally referred to as the “Paranoids,” was often known to clash with other parts of the business about security-related costs, and its requests would be overlooked due to concerns about the inconvenience of increased protection.
Welcome To A Hacker’s Paradise
Pokémon GO has taken the digital and physical world by storm.
With hundreds of millions of users — 80 percent of those making in-app purchases — it’s not hard to see why hackers are flocking to the app just as quickly as players.
Fortunately, for fraudsters, many Pokémon GO players are focused on one thing — leveling up. Whether it means exposing their personal data or making purchase after purchase, Pokémasters are willing to do it as long as they can get one step closer to “catching ’em all.”
“This is a case of augmented reality taking on a life of its own — a game experience adding real value and spinning off additional industries — and sure enough, this big thing has attracted the attention of bad guys,” Rich Stuppy, chief operating officer of Kount, told Karen Webster earlier this week.
The scary part is that players aren’t even making it that hard for hackers to gain access to their sensitive information.
Users have even become so enthralled with the game that they’ve provided full access to their Google accounts without even knowing it, essentially giving the mobile app full permission to see all of their emails, search history and even payment card credentials — all in the name of advancing through the game.
Hackers are easily taking advantage of competitive gamers by using classic phishing campaigns to trick users into mistakenly giving up their credentials to the game, email, payment info, etc. They typically do this by offering access to what looks like a leveled-up account or a bounty of in-game bonuses but is really just a ploy to collect and steal personal information.
Users even fall victim to malicious email campaigns promoting free Pokécoins (the virtual currency inside the game) that require filling out a form and providing data for a chance to “win,” which Stuppy said also takes advantage of the urgent emotional response gamers have to get something free or get ahead in the game.
“It’s essentially the Nigerian Prince scam but with Pokémon,” he explained.
When Updating Goes Bad
Slowly but surely, it seems as though Apple may be losing a grip on its once “unhackable” reputation.
A new report from Fortune revealed that the company’s latest iOS 10 operating system upgrade makes it easier for hackers to steal users’ passwords.
In fact, a Moscow-based security company said a security hole in the operating system makes it 2,500 times easier to hack.
According to Elcomsoft, iOS 10 is highly susceptible to a “brute force attack,” where hackers automatically try a continuous number of password combinations until they unlock the right one. This vulnerability may provide an opportunity for hackers to steal credit card data, infiltrate backups and access Apple’s Keychain password manager, where passwords and other authentication data is stored.
“When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2,500 times faster compared to the old mechanism used in iOS 9 and older,” according to an Elcomsoft blog post on the subject.
The firm’s password-cracking software program, Phone Breaker, was reportedly able to send 6 million passwords per second at iOS 10’s backup in an effort to try and unlock access, compared to just 150,000 passwords per second through iOS 9.