Luscious is a niche pornographic image site focused primarily on animated, user-uploaded content. Based on the research carried out by our team, the site has over 1 million registered users. Each user has a profile, the details of which could be accessed through our research.

Private profiles allow users to upload, share, comment on, and discuss content on Luscious. All of this is understandably done while keeping their identity hidden behind usernames.

The data breach our team discovered compromises this anonymity by potentially allowing hackers to access the personal details of users, including their personal email address. The highly sensitive and private nature of Luscious’ content makes users incredibly vulnerable to a range of attacks and exploitation by malicious hackers.

[…]

The private personal user details we viewed included:

• Usernames
• Personal email addresses
• User activity logs (date joined, most recent log in)
• Country of residence/location
• Gender

Some users’ email addresses indicated their full names, increasing their vulnerability to exploitation and cybercrime.

It’s worth mentioning that we estimate 20% of emails on Luscious accounts use fake email addresses to sign up. This suggests that some Luscious users are actively taking extra steps to remain anonymous.

User Behaviours & Activities

The data breach also gave a complete overview of user activities. This allowed us to view things like:

• The number of image albums they had created
• Video uploads
• Comments
• Blog posts
• Favorites
• Followers and accounts followed
• Their User ID number – so we can know if they’re active or have been banned

Source: Report: Data Breach in Adult Site Compromises Privacy of All Users

Ouch – if you were on there, good luck and change your details immediately!

Jordan B. Peterson had his gmail account deactivated and I had the opportunity to inspect the bug report as a full-time employee. What I found was that Google had a technical vulnerability that, when exploited, would take any gmail account down. Certain unknown 3rd party actors are aware of this secret vulnerability and exploit it. This is how it worked: Take a target email address, change exactly one letter in that email address, and then create a new account with that changed email address. Malicious actors repeated this process over and over again until a network of spoof accounts for Jordan B. Peterson existed. Then these spoof accounts started generating spam emails. These email-spam blasts caught the attention of an AI system which fixed the problem by deactivating the spam accounts… and then ALSO the original account belonging to Jordan B. Peterson!

Source: Open Letter: Dear Attorney Representing Tulsi Gabbard, this is how Google is “accidentally” deactivating user accounts | Minds

The O.MG cable (or Offensive MG kit) from [MG] hides a backdoor inside the shell of a USB connector. Plug this cable into your computer and you’ll be the victim of remote attacks over WiFi.

You might be asking what’s inside this tiny USB cable to make it susceptible to such attacks. That’s the trick: inside the shell of the USB ‘A’ connector is a PCB loaded up with a WiFi microcontroller — the documentation doesn’t say which one — that will send payloads over the USB device. Think of it as a BadUSB device, like the USB Rubber Ducky from Hak5, but one that you can remote control. It is the ultimate way into a system, and all anyone has to do is plug a random USB cable into their computer.

In the years BadUSB — an exploit hidden in a device’s USB controller itself — was released upon the world, [MG] has been tirelessly working on making his own malicious USB device, and now it’s finally ready. The O.MG cable hides a backdoor inside the shell of a standard, off-the-shelf USB cable.

The construction of this device is quite impressive, in that it fits entirely inside a USB plug. But this isn’t a just a PCB from a random Chinese board house: [MG] spend 300 hours and $4000 in the last month putting this project together with a Bantam mill and created his own PCBs, with silk screen. That’s impressive no matter how you cut it.

Source: OMG Cable | Hackaday

http://mg.lol/blog/omg-cable/ The makers

Soft launch of the cable for USD 200

A hacker raided Capital One’s cloud storage buckets and stole personal information on 106 million credit card applicants in America and Canada.

The swiped data includes 140,000 US social security numbers and 80,000 bank account numbers, we’re told, as well as one million Canadian social insurance numbers, plus names, addresses, phone numbers, dates of birth, and reported incomes.

The pilfered data was submitted to Capital One by credit card hopefuls between 2005 and early 2019. The info was siphoned between March this year and July 17, and Capital One learned of the intrusion on July 19.

Seattle software engineer Paige A. Thompson, aka “erratic,” aka 0xA3A97B6C on Twitter, was suspected of nicking the data, and was collared by the FBI at her home on Monday this week. The 33-year-old has already appeared in court, charged with violating the US Computer Fraud and Abuse Act. She will remain in custody until her next hearing on August 1.

According to the Feds in their court paperwork [PDF], Thompson broke into Capital One’s cloud-hosted storage, believed to be Amazon Web Services’ S3 buckets, and downloaded their contents.

The financial giant said the intruder exploited a “configuration vulnerability,” while the Feds said a “firewall misconfiguration permitted commands to reach and be executed” by Capital One’s cloud-based storage servers. US prosecutors said the thief slipped past a “misconfigured web application firewall.”

Source: Capital One gets Capital Done: Hacker swipes personal info on 106 million US, Canadian credit card applicants • The Register

Not so much a hack as poor security by Capital One then

After nearly a decade in court, Google has agreed to pay $13 million in a class-action lawsuit alleging its Street View program collected people’s private data over wifi from 2007 to 2010. In addition to the moolah, the settlement—filed Friday in San Francisco—also calls for Google to destroy all the collected data and teach people how to encrypt their wifi networks.

A quick refresher. Back when Google started deploying its little Street View cars around our neighborhoods, the company also ended up collecting about 600 GB of emails, passwords, and other payload data from unencrypted wifi networks in over 30 countries. In a 2010 blog, Google said the data collection was a “mistake” after a German data protection group asked to audit the data collected by the cars.

[…]

The basis for the class-action lawsuit was that Google was basically infringing on federal wiretapping laws. Google had argued in a separate case on the same issue, Joffe vs Google, that its “mistake” was legal, as unencrypted wifi are a form of radio communication and thereby, readily accessible by the general public. The courts did not agree, and in 2013 ruled Google’s defense was bunk. And despite Google claiming the collection was a “mistake,” according to CNN, in this particular class-action lawsuit, investigators found that Google engineers created the software and embedded them into Street View cars intentionally.

[…]

If you thought Google would pay out the nose for this particular brand of evil, you’d be mistaken. The class-action netted $13 million, with punitive payments only going to the original 22 plaintiffs—additional class members won’t get anything. The remaining money will be then distributed to eight data privacy and consumer protection organizations. Similarly, another case brought by 38 states on yet again, the same issue, only netted a $7 million settlement.

Source: Google Set to Pay $13 Million in Street View Class-Action Suit

“In April 2019, the social planning website for managing online invitations Evite identified a data breach of their systems. Upon investigation, they found unauthorised access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to recipients of invitations. Members of the service also had names, phone numbers, physical addresses, dates of birth, genders and passwords stored in plain text exposed. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.”

Source: Evite Invites Over 100 Million People to Their Data Breach

It’s 2019 and people still store personal information in plain text?!

Search for them in your emailbox – you may have received evites from others instead of having made an account, in which case you are also in the data breach

Japan-based cryptocurrency exchange Bitpoint announced it lost 3.5 billion yen (roughly $32 million) worth of cryptocurrency assets after a hack that happened late yesterday, July 11.

The exchange suspended all deposits and withdrawals this morning to investigate the hack, it said in a press release.

Thoroughly compromised

In a more detailed document released by RemixPoint, the legal entity behind Bitpoint, the company said that hackers stole funds from both of its “hot” and “cold” wallets. This suggests the exchange’s network was thoroughly compromised.

Hot wallets are used to store funds for current transactions, while the cold wallets are offline devices storing emergency and long-term funds.

Bitpoint reported the attackers stole funds in five cryptocurrencies, including Bitcoin, Bitcoin Cash, Litecoin, Ripple, and Ethereal.

The exchange said it detected the hack because of errors related to the remittance of Ripple funds to customers. Twenty-seven minutes after detecting the errors, Bitpoint admins realized they had been hacked, and three hours later, they discovered thefts from other cryptocurrency assets.

Another three and a half hours later, after a meeting with management, the exchange shut down, and law enforcement notified.

Two-third of stolen funds belonged to customers

The exchange also said that 2.5 billion yen ($23 million) of the total 3.5 billion yen ($32 million) that were stolen were customer funds, while the rest were funds owned by the exchange itself, as reserve funds and profits from past activity.

Source: Bitpoint cryptocurrency exchange hacked for $32 million | ZDNet

In new research published Tuesday and shared with TechCrunch, Dardaman and Wheeler found three security flaws which, when chained together, could be abused to open a front door with a smart lock.

Smart home technology has come under increasing scrutiny in the past year. Although convenient to some, security experts have long warned that adding an internet connection to a device increases the attack surface, making the devices less secure than their traditional counterparts. The smart home hubs that control a home’s smart devices, like water meters and even the front door lock, can be abused to allow landlords entry to a tenant’s home whenever they like.

[…]

he researchers found they could extract the hub’s private SSH key for “root” — the user account with the highest level of access — from the memory card on the device. Anyone with the private key could access a device without needing a password, said Wheeler.

They later discovered that the private SSH key was hardcoded in every hub sold to customers — putting at risk every home with the same hub installed.

Using that private key, the researchers downloaded a file from the device containing scrambled passwords used to access the hub. They found that the smart hub uses a “pass-the-hash” authentication system, which doesn’t require knowing the user’s plaintext password, only the scrambled version. By taking the scrambled password and passing it to the smart hub, the researchers could trick the device into thinking they were the homeowner.

Source: Security flaws in a popular smart home hub let hackers unlock front doors | TechCrunch

Hackers infiltrated the networks of at least ten cellular telcos around the world, and remained hidden for years, as part of a long-running tightly targeted surveillance operation, The Register has learned. This espionage campaign is still ongoing, it is claimed.

Cyber-spy hunters at US security firm Cybereason told El Reg on Monday the miscreants responsible for the intrusions were, judging from their malware and skills, either part of the infamous Beijing-backed hacking crew dubbed APT10 – or someone operating just like them, perhaps deliberately so.

Whoever it was, the snoops apparently spent the past two or more years inside ten-plus cellphone networks dotted around the planet. In some cases, we’re told, the hackers were able to deploy their own VPN services on the telcos’ infrastructure to gain quick, persistent, and direct access to the carriers rather than hop through compromised internal servers and workstations. These VPN services were not detected by the telcos’ IT staff.

[…]

The undetected VPN deployments underscore just how deeply the hacker crew was able to drill into the unnamed telcos and compromise pretty much everything needed to get the job done. The gang sought access to hundreds of gigabytes of phone records, text messages, device and customer metadata, and location data on hundreds of millions of subscribers.

This was all done, we’re told, to spy on and gather the whereabouts of some 20 to 30 high-value targets – think politicians, diplomats, and foreign agents. The hackers and their masters would thus be able to figure out who their targets have talked to, where they work and stay, and so on.

[…]

To cover their tracks, the hackers would have long periods of inactivity.

“They come in, they do something, and they disappear for one to three months,” said Serper. “Then they come in again, disappear, and so forth.”

Source: What the cell…? Telcos around the world were so severely pwned, they didn’t notice the hackers setting up VPN points • The Register

Chris Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, issued a statement on June 22 following similar warnings from private American cybersecurity firms.

Krebs, whose recently renamed agency is tasked with protecting American critical infrastructure, said CISA is “aware of a recent rise in malicious cyber activity” against American companies and government agencies by Iranian actors.

CISA specifically warned about “wiper” attacks which, in addition to stealing data, then destroy it as well. It’s not clear who exactly was targeted.

American operators are targeting Iranians as well, Yahoo News reported on Friday. The news was confirmed by the Washington Post and the New York Times. Iranian officials said the attacks were unsuccessful, Americans deemed the attacks “very” effective.

The Americans say they hacked Iranian spies who were allegedly involved in several attacks against oil tankers in the Persian Gulf over recent weeks. The cyberattacks followed a U.S. spy drone being shot down over Iran last week.

Even though President Donald Trump called off a kinetic attack with just minutes to spare last week, there’s little reason to think the overall conflict is over. The U.S. is preparing more hacking plans to target Iran while American businesses are expecting that if tension continues, it’ll be them in the crosshairs.

Cyberwar has fundamentally changed some of the calculus of war. Two decades ago, when the U.S. invaded a pair of countries on the other side of the world, the conflict was largely confined to those countries. Hacking levels the playing field and allows a country like Iran — which would generally not be able to compete with the American military’s traditional superiority — to inflict damage inside the U.S. itself.

Source: U.S. and Iran’s Hackers Are Trading Blows

A member of the Facebook Wink Users Group discovered that after selling his Nest cam, he was still able to access images from his old camera—except it wasn’t a feed of his property. Instead, he was tapping into the feed of the new owner, via his Wink account. As the original owner, he had connected the Nest Cam to his Wink smart-home hub, and somehow, even after he reset it, the connection continued.

We decided to test this ourselves and found that, as it happened for the person on Facebook, images from our decommissioned Nest Cam Indoor were still viewable via a previously linked Wink hub account—although instead of a video stream, it was a series of still images snapped every several seconds.

Here’s the process we used to confirm it:

Our Nest cam had recently been signed up to Nest Aware, but the subscription was canceled in the past week. That Nest account was also linked to a Wink Hub 2. Per Nest’s instructions, we confirmed that our Aware subscription was not active, after which we removed our Nest cam from our Nest account—this is Nest’s guidance for a “factory reset” of this particular camera.

After that, we were unable to access the live stream with either the mobile Nest app or the desktop Nest app, as expected. We also couldn’t access the camera using the Wink app, because the camera was not online. We then created a new Nest account on a new (Android) device that had a new data connection. We followed the steps for adding the Nest Cam Indoor to that new Nest account, and we were able to view a live stream successfully through the Nest mobile app. However, going back to our Wink app, we were also able to view a stream of still images from the Nest cam, despite its being associated with a new Nest account.

In simpler terms: If you buy and set up a used Nest indoor camera that has been paired with a Wink hub, the previous owner may have unfettered access to images from that camera. And we currently don’t know of any cure for this problem.

Source: Buyer Beware: Used Nest Cams Can Let People Spy on You: Reviews by Wirecutter | A New York Times Company

Updated: patch your nest to fix it!

Clinical lab testing titan Quest Diagnostics acknowledged in a press release on Monday that an “unauthorized user” had gained access to personal information on around 11.9 million customers, including some financial and medical data.

Per NBC News, news of the breach comes via way of a Securities and Exchange Commission filing in which Quest wrote that American Medical Collection Agency (AMCA), which provides billing collection services to Quest contractor Optum 360, had notified it of the breach in mid-May. NBC wrote that Quest said AMCA’s web payments page had possibly been compromised from Aug. 1, 2018 to March 30, 2019.

In its statement, Quest wrote that compromised information could include “certain financial data,” Social Security numbers, and some medical material—but not the results of laboratory tests on patients. It also wrote the extent of the breach remained unclear:

AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results.

AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA.

Quest added that it had “suspended” sending collections requests to AMCA. According to the Wall Street Journal, a spokesperson for Optum360 parent company UnitedHealth said their Optum360 systems were unaffected by the breach.

Source: Lab Testing Giant Quest Diagnostics Says Data Breach May Have Hit Nearly 12 Million Patients

Owners of Supra Smart Cloud TVs are in danger of getting some unwanted programming: it’s possible for miscreants or malware on your Wi-Fi network to switch whatever you’re watching for video of their or its choosing.

Bug-hunter Dhiraj Mishra laid claim to CVE-2019-12477, a remote file inclusion zero-day vulnerability that allows anyone with local network access to specify their own video to display on the TV, overriding whatever is being shown, with no password necessary. As such it’s more likely to be used my mischievous family members than hackers.

Mishra told The Register the issue is due to a complete lack of any authentication or session management in the software controlling the Wi-Fi-connected telly. By crafting a malicious HTTP GET request, and sending it to the set over the network, an attacker would be able to provide whatever video URL they desired to the target, and have the stream played on the TV without any sort of security check.

Source: Supra smart TVs aren’t so super smart: Hole lets hackers go all Max Headroom on e-tellies • The Register

The Australian National University (ANU) today copped to a fresh breach in which intruders gained access to “significant amounts” of data stretching back 19 years.

The top-ranked Oz uni said it noticed about a fortnight ago that hackers had got their claws on staff, visitor and student data, including names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, tax file numbers, payroll information, bank account details and passport details. It said the breach took place in “late 2018” – the same year it ‘fessed up to another lengthy attack.

Students will be miffed to find out that someone knows they had to retake second-year Statistics since academic records were also accessed.

The uni insisted: “The systems that store credit card details, travel information, medical records, police checks, workers’ compensation, vehicle registration numbers, and some performance records have not been affected.”

Source: Strewth: Hackers slurp 19 years of Oz student data in uni’s second breach within a year • The Register

why was this data not encrypted?

With about $600 and a few tools, hackers could fake the radio signals used by commercial airplanes to navigate and land safely, according to new research.

In a paper and demonstration from researchers at Northeastern University in Boston, a software defined radio — a non-traditional radio that uses software instead of hardware for many components — successfully tricks a simulated plane into thinking that the aircraft is traveling off-course. 

Through a process called ‘spoofing’ — a term also applied to scam and robo-callers who fake their numbers — researchers are able to deceive an aircraft’s course deviation indicator into thinking the plane is off-center.

This causes it to misalign or falsely ‘correct’ its trajectory and land adjacent to the runway.

Scroll down for video 

+3

With about $600 and a few tools, hackers could fake the radio signals used by commercial airplanes to navigate and land safely, according to new research. In a scary demonstrations, researchers were able to simulate an attack on the radio signals used by nearly all aircraft

As first reported by Ars Technica, the radio signals spoofed by their device, are the same signals used in almost every aircraft throughout the last 50 years, including those on-board large commercial jetliners.

Because of the technology’s age, radio signals used in Instrument Landing Systems (ILS), are not encrypted or authenticated like other digitally transferred data, they say.

While the tools used by researchers in the demonstration aren’t necessarily new, Ars Technica notes that the cost of such devices have come down, making the type of attack more feasible for hackers than ever before.

Researchers note that an attack using their method is possible, but in many cases, misaligned planes can swiftly be corrected by adept pilots who are able to see their positioning in clear conditions and either adjust or perform a fly-around.

Source: Radio signals used to land planes can easily be HACKED using tools amounting to just $600 | Daily Mail Online

ASUS’ update mechanism has once again been abused to install malware that backdoors PCs, researchers from Eset reported earlier this week. The researchers, who continue to investigate the incident, said they believe the attacks are the result of router-level man-in-the-middle attacks that exploit insecure HTTP connections between end users and ASUS servers, along with incomplete code-signing to validate the authenticity of received files before they’re executed.

Plead, as the malware is known, is the work of espionage hackers Trend Micro calls the BlackTech Group, which targets government agencies and private organizations in Asia. Last year, the group used legitimate code-signing certificates stolen from router-maker D-Link to cryptographically authenticate itself as trustworthy. Before that, the BlackTech Group used spear-phishing emails and vulnerable routers to serve as command-and-control servers for its malware.

Source: Hackers abuse ASUS cloud service to install backdoor on users’ PCs | Ars Technica

Cryptocurrency trading hub Binance, one of the world’s largest, has confirmed it lost about 7,000 Bitcoins (around $40 million) to hackers after its so-called “hot wallet,” i.e. one connected to the internet and used to process transactions, was breached, Bloomberg reported on Tuesday.

The hot wallet in question contained about two percent of Binance’s holdings and was robbed in a single transaction, Bloomberg wrote. Binance wrote in a statement that they were aware the hackers involved “used a variety of techniques, including phishing, viruses and other attacks,” though the company was “still concluding all possible methods used” and there may be “additional affected accounts that have not been identified yet.”

[…]

Binance said that it would cover any losses in full using its Secure Asset Fund for Users, an insurance reserve set up for this type of situation, Bloomberg wrote. The news network added that Binance said automated systems triggered an alarm during the incident, though it was unable to prevent the attack’s success, and it estimates a security review and temporary halt to all deposits and withdrawals will take a week to complete:

Source: One of the World’s Largest Crypto Exchanges, Binance, Hacked to the Tune of $40 Million

Marcus Hutchins, the British security researcher who shot to fame after successfully halting the Wannacry ransomware epidemic, has pleaded guilty to crafting online bank-account-raiding malware.

For nearly two years now, Hutchins, 24, has been under house arrest in the US after being collared at Las Vegas airport by FBI agents acting on a tip-off. The Brit, who was at the time trying to fly back home to Blighty after attending the Black Hat and DEF CON security conferences, was accused of creating and selling the Kronos banking trojan, and denied any wrongdoing.

The US government subsequently piled on charges, and it now appears that the pressure has been too much: on Friday this week, Hutchins accepted a plea deal [PDF], and admitted two charges of malware development.

“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” he said in a statement.

“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Each of the two counts carries a maximum penalty of five years behind bars, a $250,000 fine, and a year of probation. As with most plea deals, he’s likely to get less than that, though he may still spend some time in an American cooler.

While being held in jail after his arrest, Hutchins apparently admitted creating the software nasty. According to the Feds, the Brit at one point told an unnamed associate over a recorded telephone line: “I used to write malware, they picked me up on some old shit,” later adding: “I wrote code for a guy a while back who then incorporated it into a banking malware.”

Now the FBI have their guilty plea, and Hutchins – a professional malware reverse-engineer these days – is facing an uncertain future. But you have to wonder if it was all really worth it for the US authorities. After all, plenty of today’s cyber-security engineers and researchers have toyed with writing malware, even for research purposes. Thus, a stretch behind bars would be a very hard sentence for an offense committed when he was a teen.

Source: Wannacry-slayer Marcus Hutchins pleads guilty to two counts of banking malware creation

The discovery of a new, sophisticated team of hackers spying on dozens of government targets is never good news. But one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet’s cybersecurity that experts have warned about for years: DNS hijacking, a technique that meddles with the fundamental address book of the internet. Researchers at Cisco’s Talos security division on Wednesday revealed that a hacker group it’s calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organtaizations.

In the process, they went so far as to compromise multiple country-code top-level domains — the suffixes like .co.uk, or .ru, that end a foreign web address — putting all the traffic of every domain in multiple countries at risk. The hackers’ victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet’s directory system, hackers were able to silently use “man-in-the-middle” attacks to intercept all internet data from email to web traffic sent to those victim organizations.

[…] Cisco Talos said it couldn’t determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cypress, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco’s Craig Williams confirmed that Armenia’s .am top-level domain was one ‘of the “handful” that were compromised, but wouldn’t say which of the other countries’ top-level domains were similarly hijacked.

https://m.slashdot.org/story/354704

A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned.

The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting federal and law enforcement leadership and training located at the FBI training academy in Quantico, VA. The hackers exploited flaws on at least three of the organization’s chapter websites — which we’re not naming — and downloaded the contents of each web server.

The hackers then put the data up for download on their own website, which we’re also not naming nor linking to given the sensitivity of the data.

The spreadsheets contained about 4,000 unique records after duplicates were removed, including member names, a mix of personal and government email addresses, job titles, phone numbers and their postal addresses. The FBINAA could not be reached for comment outside of business hours. If we hear back, we’ll update.

TechCrunch spoke to one of the hackers, who didn’t identify his or her name, through an encrypted chat late Friday.

“We hacked more than 1,000 sites,” said the hacker. “Now we are structuring all the data, and soon they will be sold. I think something else will publish from the list of hacked government sites.” We asked if the hacker was worried that the files they put up for download would put federal agents and law enforcement at risk. “Probably, yes,” the hacker said.

The hacker claimed to have “over a million data” [sic] on employees across several U.S. federal agencies and public service organizations.

It’s not uncommon for data to be stolen and sold in hacker forums and in marketplaces on the dark web, but the hackers said they would offer the data for free to show that they had something “interesting.”

[…]

The hacker — one of more than ten, they said — used public exploits, indicating that many of the websites they hit weren’t up-to-date and had outdated plugins.

[…]

Their end goal: “Experience and money,” the hacker said.

Source: Hackers publish personal data on thousands of US police officers and federal agents | TechCrunch

Facebook has been prompting some users registering for the first time to hand over the passwords to their email accounts, the Daily Beast reported on Tuesday—a practice that blares right past questionable and into “beyond sketchy” territory, security consultant Jake Williams told the Beast.

A Twitter account using the handle @originalesushi first posted an image of the screen several days ago, in which new users are told they can confirm their third-party email addresses “automatically” by giving Facebook their login credentials. The Beast wrote that the prompt appeared to trigger under circumstances where Facebook might think a sign-up attempt is “suspicious,” and confirmed it on their end by “using a disposable webmail address and connecting through a VPN in Romania.”

It is never, ever advisable for a user to give out their email password to anyone, except possibly to a 100 percent verified account administrator when no other option exists (which there should be). Email accounts tend to be primary gateways into the rest of the web, because a valid one is usually necessary to register accounts on everything from banks and financial institutions to social media accounts and porn sites. They obviously also contain copies of every un-deleted message ever sent to or from that address, as well as additional information like contact lists. It is for this reason that email password requests are one of the most obvious hallmarks of a phishing scam.

“That’s beyond sketchy,” Williams told the Beast. “They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”

“This is basically indistinguishable to a phishing attack,” Electronic Frontier Foundation security researcher Bennett Cyphers told Business Insider. “This is bad on so many levels. It’s an absurd overreach by Facebook and a sleazy attempt to trick people to upload data about their contacts to Facebook as the price of signing up… No company should ever be asking people for credentials like this, and you shouldn’t trust anyone that does.”

A Facebook spokesperson confirmed in a statement to Gizmodo that this screen appears for some users signing up for the first time, though the company wrote, “These passwords are not stored by Facebook.” It additionally characterized the number of users it asks for email passwords as “very small.” Those presented with the screen were signing up on desktop while using email addresses that did not support OAuth—an open standard for allowing third parties authenticated access to assets (such as for the purpose of verifying identities) without sharing login credentials. OAuth is typically a standard feature of major email providers.

Facebook noted in the statement that those users presented with this screen could opt out of sharing passwords and use another verification method such as email or phone. The company also said it would be ending the practice of asking for email passwords.

Source: Facebook Is Just Casually Asking Some New Users for Their Email Passwords

This beggars belief!

In January, the National Enquirer published a special edition that revealed an intimate relationship Bezos was having. He asked me to learn who provided his private texts to the Enquirer, and why. My office quickly identified the person whom the Enquirer had paid as a source: a man named Michael Sanchez, the now-estranged brother of Lauren Sanchez, whom Bezos was dating. What was unusual, very unusual, was how hard AMI people worked to publicly reveal their source’s identity. First through strong hints they gave to me, and later through direct statements, AMI practically pinned a “kick me” sign on Michael Sanchez.

“It was not the White House, it was not Saudi Arabia,” a company lawyer said on national television, before telling us more: “It was a person that was known to both Bezos and Ms. Sanchez.” In case even more was needed, he added, “Any investigator that was going to investigate this knew who the source was,” a very helpful hint since the name of who was being investigated had been made public 10 days earlier in a Daily Beast report.

Much was made about a recent front-page story in the Wall Street Journal, fingering Michael Sanchez as the Enquirer’s source—but that information was first published almost seven weeks ago by The Daily Beast, after “multiple sources inside AMI” told The Daily Beast the exact same thing. The actual news in the Journal article was that its reporters were able to confirm a claim Michael Sanchez had been making: It was the Enquirer who first contacted Michael Sanchez about the affair, not the other way around.

AMI has repeatedly insisted they had only one source on their Bezos story, but the Journal reports that when the Enquirer began conversations with Michael Sanchez, they had “already been investigating whether Mr. Bezos and Ms. Sanchez were having an affair.” Michael Sanchez has since confirmed to Page Six that when the Enquirer contacted him back in July, they had already “seen text exchanges” between the couple. If accurate, the WSJ and Page Six stories would mean, clearly and obviously, that the initial information came from other channels—another source or method.

[On Sunday, AMI issued a statement insisting that “it was Michael Sanchez who tipped the National Enquirer off to the affair on Sept. 10, 2018, and over the course of four months provided all of the materials for our investigation.” Read the full statement here. — ed.]

“Bezos directed me to ‘spend whatever is needed’ to learn who may have been complicit in the scheme, and why they did it. That investigation is now complete.”

Reality is complicated, and can’t always be boiled down to a simple narrative like “the brother did it,” even when that brother is a person who certainly supplied some information to a supermarket tabloid, and even when that brother is an associate of Roger Stone and Carter Page. Though interesting, it turns out those truths are also too simple.

Why did AMI’s people work so hard to identify a source, and insist to the New York Times and others that he was their sole source for everything?

My best answer is contained in what happened next: AMI threatened to publish embarrassing photos of Jeff Bezos unless certain conditions were met. (These were photos that, for some reason, they had held back and not published in their first story on the Bezos affair, or any subsequent story.) While a brief summary of those terms has been made public before, others that I’m sharing are new—and they reveal a great deal about what was motivating AMI.

An eight-page contract AMI sent for me and Bezos to sign would have required that I make a public statement, composed by them and then widely disseminated, saying that my investigation had concluded they hadn’t relied upon “any form of electronic eavesdropping or hacking in their news-gathering process.”

Note here that I’d never publicly said anything about electronic eavesdropping or hacking—and they wanted to be sure I couldn’t.

They also wanted me to say our investigation had concluded that their Bezos story was not “instigated, dictated or influenced in any manner by external forces, political or otherwise.” External forces? Such a strange phrase. AMI knew these statements did not reflect my conclusions, because I told AMI’s Chief Content Officer Dylan Howard (in a 90-minute recorded phone call) that what they were asking me to say about external forces and hacking “is not my truth,” and would be “just echoing what you are looking for.”

(Indeed, an earlier set of their proposed terms included AMI making a statement “affirming that it undertook no electronic eavesdropping in connection with its reporting and has no knowledge of such conduct”—but now they wanted me to say that for them.)

The contract further held that if Bezos or I were ever in our lives to “state, suggest or allude to” anything contrary to what AMI wanted said about electronic eavesdropping and hacking, then they could publish the embarrassing photos.

Todd Williamson/Getty

I’m writing this today because it’s exactly what the Enquirer scheme was intended to prevent me from doing. Their contract also contained terms that would have inhibited both me and Bezos from initiating a report to law enforcement.

Things didn’t work out as they hoped.

When the terms for avoiding publication of personal photos were presented to Jeff Bezos, he responded immediately: “No thank you.” Within hours, he wrote an essay describing his reasons for rejecting AMI’s threatening proposal. Then he posted it all on Medium, including AMI’s actual emails and their salacious descriptions of private photos. (After the Medium post, AMI put out a limp statement saying it “believed fervently that it acted lawfully in the reporting of the story of Mr. Bezos.”)

The issues Bezos raised in his Medium post have nothing whatsoever to do with Michael Sanchez, any more than revealing the name of a low-level Watergate burglar sheds light on the architects of the Watergate cover-up. Bezos was not expressing concerns about the Enquirer’s original story; he was focused on what he called “extortion and blackmail.”

Next, Bezos directed me to “spend whatever is needed” to learn who may have been complicit in the scheme, and why they did it.

That investigation is now complete. As has been reported elsewhere, my results have been turned over to federal officials. Since it is now out of my hands, I intend today’s writing to be my last public statement on the matter. Further, to respect officials pursuing this case, I won’t disclose details from our investigation. I am, however, comfortable confirming one key fact:

Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information. As of today, it is unclear to what degree, if any, AMI was aware of the details.

Source: Bezos’ Investigator Gavin de Becker Finds the Saudis Obtained the Amazon Chief’s Private Data

Reuters is a bit shorter on the matter:

WASHINGTON (Reuters) – The security chief for Amazon chief executive Jeff Bezos said on Saturday that the Saudi government had access to Bezos’ phone and gained private information from it.

Gavin De Becker, a longtime security consultant, said he had concluded his investigation into the publication in January of leaked text messages between Bezos and Lauren Sanchez, a former television anchor who the National Enquirer tabloid newspaper said Bezos was dating.

Last month, Bezos accused the newspaper’s owner of trying to blackmail him with the threat of publishing “intimate photos” he allegedly sent to Sanchez unless he said in public that the tabloid’s reporting on him was not politically motivated.

In an article for The Daily Beast website, De Becker said the parent company of the National Enquirer, American Media Inc., had privately demanded that De Becker deny finding any evidence of “electronic eavesdropping or hacking in their newsgathering process.”

“Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information,” De Becker wrote. “As of today, it is unclear to what degree, if any, AMI was aware of the details.”

https://www.reuters.com/article/us-people-bezos-saudi/saudis-gained-access-to-amazon-ceo-bezos-phone-bezos-security-chief-idUSKCN1RB0RS

NSO and a competitor, the Emirati firm DarkMatter, exemplify the proliferation of privatized spying. A monthslong examination by The New York Times, based on interviews with current and former hackers for governments and private companies and others as well as a review of documents, uncovered secret skirmishes in this burgeoning world of digital combat.

A former top adviser to the Saudi crown prince, Mohammed bin Salman, spoke of using NSO’s products abroad as part of extensive surveillance efforts.CreditGiuseppe Cacace/Agence France-Presse — Getty Images

Image

The firms have enabled governments not only to hack criminal elements like terrorist groups and drug cartels but also in some cases to act on darker impulses, targeting activists and journalists. Hackers trained by United States spy agencies caught American businesspeople and human rights workers in their net. Cybermercenaries working for DarkMatter turned a prosaic household item, a baby monitor, into a spy device.

The F.B.I. is investigating current and former American employees of DarkMatter for possible cybercrimes, according to four people familiar with the investigation. The inquiry intensified after a former N.S.A. hacker working for the company grew concerned about its activities and contacted the F.B.I., Reuters reported.

NSO and DarkMatter also compete fiercely with each other, paying handsomely to lure top hacking talent from Israel, the United States and other countries, and sometimes pilfering recruits from each other, The Times found.

The Middle East is the epicenter of this new era of privatized spying. Besides DarkMatter and NSO, there is Black Cube, a private company run by former Mossad and Israeli military intelligence operatives that gained notoriety after Harvey Weinstein, the disgraced Hollywood mogul, hired it to dig up dirt on his accusers. Psy-Group, an Israeli company specializing in social media manipulation, worked for Russian oligarchs and in 2016 pitched the Trump campaign on a plan to build an online army of bots and avatars to swing Republican delegate votes.

Last year, a wealthy American businessman, Elliott Broidy, sued the government of Qatar and a New York firm run by a former C.I.A. officer, Global Risk Advisors, for what he said was a sophisticated breach of his company that led to thousands of his emails spilling into public. Mr. Broidy said that the operation was motivated by hard-nosed geopolitics: At the beginning of the Trump administration, he had pushed the White House to adopt anti-Qatar policies at the same time his firm was poised to receive hundreds of millions of dollars in contracts from the United Arab Emirates, the archrival to Qatar.

A judge dismissed Mr. Broidy’s lawsuit, but suspicions have grown that Qatar had a hand in other operations, including the hacking and leaking of the emails of Yousef al-Otaiba, the influential Emirati ambassador in Washington.

The rapid expansion of this global high-tech battleground, where armies of cybermercenaries clash, has prompted warnings of a dangerous and chaotic future.

Source: A New Age of Warfare: How Internet Mercenaries Do Battle for Authoritarian Governments – The New York Times

The personal information of roughly 3.1 million Toyota customers may have been leaked following a security breach of multiple Toyota and Lexus sales subsidiaries, as detailed in a breach notification issued by the car maker today.

As detailed in a press release published on Toyota’a global newsroom, unauthorized access was detected on the computing systems of Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.

“It turned out that up to 3.1 million items of customer information may have been leaked outside the company. The information that may have been leaked this time does not include information on credit cards,” says the data breach notification.

[…]

Security experts consider the attacks targeting Toyota’s subsidiaries and dealers to be part of a large scale coordinated operation attributed to the Vietnamese-backed APT32 hacking group, also known as OceanLotus and Cobalt Kitty, says ZDNet.

FireEye says that APT32 is targeting “foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors.”

APT32 also targeted research institutes from around the world, media organizations, various human rights organizations, and even Chinese maritime construction firms in the past. [1, 2, 3, 4, 5, 6, 7]

Source: Toyota Security Breach Exposes Personal Info of 3.1 Million Clients

No mention of what data exactly was stolen, which is worrying.