Week 13: Evasion Techniques

Google Dec.10th revealed that Google+ has suffered another massive data breach, forcing the tech giant to shut down its struggling social network four months earlier than its actual scheduled date, i.e., in April 2019 instead of August 2019. Google said it discovered another critical security vulnerability in one of Google+’s People APIs that could have allowed developers to steal private information on 52.5 million users, including their name, email address, occupation, and age.

 

For more information, visit the news at https://thehackernews.com/2018/12/google-plus-hacking.html

What was supposed to be a battery optimization app from the android app store turned out to be a trojan. Once downloaded from a third-party android app store, the app changes an accessibility setting on an android phone to help thieves access the user’s paypal app and send money from the account to the thieves. The moral of this story is to never download apps from third-party markets.

 

https://threatpost.com/android-trojan-targets-paypal-users/139872/

Supply chains are particularly vulnerable to hacking because they can be long and one breach has the possibility to compromise the data of countless stakeholders. For example, a transportation company could be responsible for delivering goods to a wide array of different customers. Even if the individual customers have solid security within their own walls, the suppliers that they contract may not. Therefore, the businesses that contract these suppliers can be targeted through their supply chain. The article advocates for increased conversation between clients and suppliers about cyber security. There should be standards that both parties adhere to.

https://threatpost.com/supply-chain-security-risk/139835/

https://thehackernews.com/2018/12/australia-anti-encryption-bill.html

This is huge! but not in a good way. Australia just passed a Bill that would force tech giants like Apple, Google, etc, to assist law enforcement in decrypting or finding other means to provide the data they government wants. Apple pushed back stating that encryption is just math and weakening that math would weaken it for everyone. This is a startling read. Everyone in our area of study should read this. Australia could be setting the tone for future legislation among world powers. The Five Eyes alliance with members United States, United Kingdom, Canada, Australia and New Zealand have recently stated, “privacy is not an absolute.”

Tone

The article lists the advantages and disadvantages of identify monitoring services.

Pro: You’ll have peace of mind if you’re at a high risk of identity theft. Having an identity monitoring service may offer an extra layer of security and put your mind at ease.

Cons: The cost may be a problem. The more you pay, you more protection received. However, it can be expensive based on which plan you need.

Con: The services don’t necessarily prevent fraudulent activity. While these services will alert you that fraud has occurred, they won’t necessarily keep it from happening.

Con: You can get similar protection without paying an ID monitoring company. American Automobile Association offers its members free identity theft protection,

 

https://money.usnews.com/money/personal-finance/family-finance/articles/2018-09-25/the-pros-and-cons-of-identity-monitoring-services

 

Quora has suffered a massive data breach with unknown hackers gaining unauthorized access to potentially sensitive personal information of about 100 million of its users. They announced that an unidentified malicious third-party managed to gain unauthorized access to one of its systems and stole data on approximately 100 million users—that’s almost half of its entire user base.

According to Adam D’Angelo, the chief executive officer and co-founder of Quora, the personal user information compromised in the breach includes:

• Account information, such as names, email addresses, encrypted (hashed) passwords, and data imported from linked social networks like Facebook and Twitter when authorized by users.
• Public content and actions, like questions, answers, comments, and upvotes.
• Non-public content and actions, including answer requests, downvotes, direct and messages (note that a low percentage of Quora users have sent or received such messages).

Quora said it is still investigating the breach and assured its users that it working rapidly to “take the appropriate steps to prevent such incidents in the future.”

 

https://thehackernews.com/2018/12/quora-hack.html

Intro-to-Ethical-Hacking-Week-13

https://capture.fox.temple.edu/Mediasite/Play/5c14b8a0e47442a8b07cde9a4453efee1d

Instagram Accidentally Exposed Some Users’ Passwords In Plaintext

• Swati Khandelwal

 

Instagram recently patched a security issue in its website that was responsible of accidentally exposing some its users passwords in plain text.

 

The bug originated in the feature called  “Download Your Data” that allows users to download a copy of their data shared on the social media platform. Plaintext passwords of some users who had used this feature had their passwords were included in the URL as plaintext.

 

The company has assured users that the stored data has been deleted from the servers  and the tool has now been updated to resolve the issue, which “affected a very small number of people.”

 

Instagram suggest that affected users to change their passwords and clear their browser history as soon as possible.

 

Reference: https://thehackernews.com/2018/11/instagram-password-hack.html