Search Results for “Motherboard”

March 28, 2020

Joseph Cox / Motherboard

Joseph Cox / Motherboard
Zoom Updates iOS App to Stop Sending Data to Facebook

Video-conferencing software company Zoom issued an update to its iOS app, which stops it from sending certain pieces of data to Facebook. A Motherboard analysis had revealed this privacy faux pas. Motherboard discovered that when a user opened the app, their timezone, city, and device details were sent to the social network giant.

Neowin: Zoom removes SDK in its iOS client that sent user data to Facebook
MacRumors: Zoom Updates iOS App to Stop Sending Data to Facebook
iMore: Responding to backlash, Zoom stops sharing user data with Facebook
TechWorm: Zoom Updates iOS App Following Backlash Over Sending Data To Facebook
The Sun: Zoom ‘sends your location, device and habits’ to Facebook – even if you DON’T have an account
BetaNews: Why is Zoom secretly sharing data with Facebook?
Verdict: Coronavirus: Concerns raised about Zoom’s security
BGR: Zoom’s iPhone app sends your data to Facebook even if you don’t have an account
Cult of Mac: Zoom shares data with Facebook even about non-Facebook usersQuartz: A tale of two Zooms

May 20, 2020

Joseph Cox / Motherboard

Joseph Cox / Motherboard
Spyware Firm NSO Group Created a Web Domain That Masqueraded as a Facebook Security Team Site to Spread Its Powerful Pegasus Malware

Notorious Israeli spyware firm NSO Group created a web domain that looked as if it belonged to Facebook’s security team to entice targets to click on links that would install the company’s powerful Pegasus cell phone hacking technology, according to data analyzed by Motherboard. Although it’s not uncommon for nation-state hackers to impersonate Facebook, Facebook is currently suing NSO Group for leveraging a vulnerability in Facebook-owned WhatsApp to let NSO clients remotely hack phones. Motherboard also discovered that a server used by NSO’s system to deliver malware was owned by Amazon and is more evidence that NSO has used U.S. infrastructure.

Related: Slashdot

Tweets:@josephfcox @lorenzofb @dangoodin001 @josephfcox @josephfcox @josephfcox

Slashdot : NSO Group Impersonated Facebook To Help Clients Hack Targets

@josephfcox: New: former NSO Group employee leaked me an IP address used to launch Pegasus malware against targets. I looked up pDNS records and found a related domain was impersonating Facebook security's team. Also found more NSO infrastructure in the United States
@lorenzofb: NSO Group impersonated Facebook in an attempt to help clients hack targets. .@josephfcox found a web domain that looked like a Facebook site and was used for phishing targets to instal NSO's spyware.
@dangoodin001: When I get subscribed to a list without permission I respond to the sender (& any other email addresses I can find for the company) and demand I be removed. Sometimes I get a reply that says I can just use the unsubscribe link. No, I can't and here's why: https://vice.com/en_us/article/
@josephfcox: Many NSO clients have abused the tech, and publishing those domains can be important to find other abuses. In this case, we don't know if they were used in legitimate law enforcement or intelligence operations, so are not publishing domains themselves https://vice.com/en_us/article/qj4p3w/nso-group-hack-fake-facebook-domain
@josephfcox: Facebook said took control of this domain to stop people abusing it in the future. Also has relevance for Facebook's recent legal action against domain registrars: Facebook used those that allowed fake Facebook domains (same registrar as the Pegasus link) https://vice.com/en_us/article/
@josephfcox: The IP address was used to launch Pegasus' 1-click variant. The linked domains were a mix of things designed to be innocuous ('unsubscribe me please' style links), and then those impersonating Facebook or FedEx package tracking links https://vice.com/en_us/article/

March 31, 2020

Joseph Cox / Motherboard

Joseph Cox / Motherboard
Zoom Hit by Class-Action Lawsuit in California Over Alleged Data Sharing With Facebook

A user of the popular and suddenly controversial video-conferencing software Zoom filed a class-action lawsuit against the company for sending data to Facebook. The lawsuit argues that Zoom violated California’s new data protection law by not obtaining proper consent from users about the transfer of the data. The lawsuit follows a report by Motherboard that found that Zoom was sending some data from the Zoom iOS app to Facebook, a problem the company rectified after the report’s publication.

Cyberscoop: Zoom hit with class-action lawsuit for sharing user data with Facebook
TechNadu: Zoom User Sues the Platform for Sharing His Data With FacebookBusiness Insider: Zoom is being sued for allegedly handing over data to Facebook
Tech Insider: Zoom is being sued for allegedly handing over data to Facebook
Bloomberg: Zoom Sued for Allegedly Illegally Disclosing Personal Data

May 5, 2020

Joseph Cox / Motherboard

Joseph Cox / Motherboard
Hacker Bribed Roblox Worker and Gained Access to Personal Data on Over 100 Million Active Monthly Users

A hacker said he bribed a Roblox worker to gain access to the back end customer support panel of the popular online video game, giving them access to personal information on over 100 million active monthly users and other privileges such as granting virtual in-game currency. The hacker was able to see users’ email addresses, as well as change passwords, remove two-factor authentication from their accounts, ban users, and more, according to the hacker and screenshots of the internal system. The hacker shared screenshots with Motherboard that included the personal information of some of the more high-profile users, including YouTuber Linkmon99, purportedly the “richest” Roblox player in the world. The hacker claims they hacked Roblox to prove a point. Robox said it immediately took action to address the issue and individually notified the minimal amount of customers who were impacted.

Tweets:@waypoint @josephfcox @josephfcox @josephfcox @josephfcox @josephfcox

Security News | Tech Times: Roblox Hacked by Bribed Insider
Engadget: ‘Roblox’ insider sold user data access to a hacker
Boing Boing: ‘Roblox’ hacker got 100 million user accounts for popular online game, reports VICE

@waypoint: The hacker got access to over 100 million active Roblox monthly users and the ability to grant virtual in-game currency.
@josephfcox: One of the most high profile users in Roblox confirmed their account information was exposed. I showed them an email address the hacker found; they said this was their private, dedicated email address only for using this game https://vice.com/en_us/article/
@josephfcox: This is some of the stuff the Roblox hacker could have done, and did some of to at least a few accounts. If you can't hack a site/service/application, the customer support reps may help you out for a little bit of cash https://vice.com/en_us/article/
@josephfcox: Not only does this show how much of a threat insiders at companies can be, but also how accessing data of children can be pretty straight forward. Roblox has a huge community of children using it; also used for kids parties during COVID-19 https://vice.com/en_us/article/
@josephfcox: The hacker sent messages between them and the insider. According to LinkedIn, this person worked for a contractor that works for Roblox. Targeting customer support reps is fruitful for hackers; lots of data access, potentially fewer controls in place https://vice.com/en_us/article/
@josephfcox: Here's a screenshot the hacker shared showing Roblox's back end customer support portal. Look up private email addresses, grant players in-game currency. Hacker says they reset passwords and stole items to sell https://vice.com/en_us/article/

April 29, 2020

Joseph Cox / Motherboard

Joseph Cox / Motherboard
NSO Employee Abused Access to Company’s Powerful Pegasus Hacking Technology to Target a Love Interest

An employee of controversial surveillance vendor NSO Group abused access to the company’s powerful Pegasus hacking technology to target a love interest, Motherboard found out from multiple sources. Pegasus can track the target’s location, read their texts, emails, social media messages, siphon their photos and videos, and turn on the device’s camera and microphone. While on location in the UAE in 2016, the NSO employee broke into an intelligence agency client’s office and was detained by authorities. While in the office, the employee used the Pegasus system to target a woman he knew personally. The employee was subsequently fired. After this incident, NSO introduced a “more rigorous screening of customer-facing people,” one former employee said.

Related: Slashdot

Tweets:@josephfcox @josephfcox @josephfcox @josephfcox

Slashdot: NSO Employee Abused Phone Hacking Tech To Target a Love Interest

@josephfcox: New: per former NSO Group employees/other sources, NSO employee abused the company's powerful Pegasus hacking tool. Used it to target a love interest. While NSO abuse is often government, intelligence agencies, this is first confirmed case of insider abuse
@josephfcox: Here's what happened: NSO employee on site for a client in UAE. Employee broke into the client office, used the Pegasus system to target a woman he knew, illegally. Pegasus is powerful phone hacking technology that can remotely take over up to date iPhones https://vice.com/en_us/article/
@josephfcox: NSO's Pegasus is reserved for law enforcement and intelligence agencies. But this NSO employee "used the system while nobody was looking." This again shows that even if a surveillance system is technically sophisticated, ultimately humans are in control https://vice.com/en_us/article/
@josephfcox: When the UAE found out, local authorities arrested the employee. NSO fired him immediately, and put more protections in place to stop employees accessing client installations of NSO's phone hacking technology https://vice.com/en_us/article/

March 24, 2020

Joseph Cox / Motherboard

Joseph Cox / Motherboard
Hackers Are Hijacking Twitter Accounts to Push Website Purportedly Selling Face Masks and Toilet Paper

Hackers have taken over a wave of Twitter accounts to aggressively advertise a website that claims to be selling face masks and toilet paper during the coronavirus pandemic. The accounts posted hundreds of tweets linking to the site over at least a few hours earlier today. One journalist for Motherboard, Todd Feathers, confirmed that his account was hijacked to spread the message. The hacker also sent direct messages to Feathers’ followers with a link to the website. The site claims to sell face masks, respirators, digital thermometers, and toilet roll. Twitter said it had acted against several accounts and URLs around this recent activity, and pointed to its policy banning malicious use of bots and inauthentic accounts.

Tweets:@josephfcox @josephfcox @josephfcox

@josephfcox: New: hackers are taking over Twitter accounts to advertise a sketchy face mask website. Hundreds of tweets going out at the moment; once inside an account hackers also DM contacts with the link as well. At least one account accessed from Virginia
@josephfcox: The site was created yesterday, but there are nearly identical sites hosted on the same IP created days earlier https://vice.com/en_us/article/
@josephfcox: Here is one of the tweets from a hacked Twitter account. Searching for the site on Twitter shows a heavy wave of other accounts posting it. Some of the other accounts also hacked https://vice.com/en_us/article/

May 12, 2020

Joseph Cox / Motherboard

Joseph Cox / Motherboard
Israeli Spyware Vendor NSO Group Is Pitching Its Mobile Hacking Technology to Local Police Forces in the U.S.

Israeli spyware vendor NSO Group, which has earned a notorious reputation for selling its mobile phone surveillance technologies to oppressive regimes around the globe, has been pitching its products to U.S. local police forces. A brochure by Westbridge Technologies, which calls itself “the North American branch of NSO Group,” tells local law enforcement that they can turn their targets’ phones “into an intelligence gold mine” by using a spyware product called Phantom. A former NSO employee says that Phantom is the same as Pegasus, the most intrusive spyware that NSO Group sells to despotic governments, including Saudi Arabia.

Related: Slashdot

Tweets:@josephfcox @josephfcox @josephfcox @josephfcox @josephfcox @josephfcox @josephfcox @josephfcox

Slashdot: NSO Group Pitched Phone Hacking Tech To American Police

@josephfcox: Scoop: NSO Group, best known for selling iPhone hacking tech used to spy on associates of murdered journalist Jamal Khashoggi, also pitched their products to local American police. One law enforcement official called the tool "awesome."
@josephfcox: Obtained brochure for NSO product called PHANTOM. Can remotely infect devices with 0-click, get messages, location, etc Source says PHANTOM is a rebranded PEGASUS, NSO's infamous hacking product. Local police would have the same capability as Saudi intel https://vice.com/en_us/article/
@josephfcox: Federal authorities, intelligence agencies having 0-click phone hacking technology is one thing. Local police having it, is another, but that's exactly who NSO was trying to sell to https://vice.com/en_us/article/
@josephfcox: Here are some of the capabilities of the phone hacking technology pitched to local American cops are "Unlimited access to the target's mobile devices." https://vice.com/en_us/article/
@josephfcox: After talking to Westbridge, the U.S. arm of NSO Group, an official from the San Diego Police Department said the phone hacking tech "sounds awesome" https://vice.com/en_us/article/
@josephfcox: Price is the reason San Diego police give for not buying NSO Group's phone hacking tech, saying they don't have funds for such a large scale project https://vice.com/en_us/article/
@josephfcox: In the brochure sent to local cops, Westbridge/NSO says its malware is modular, can be tweaked depending on client's regulations. Other companies in the industry do this: maybe your warrant allows text but not Skype interception, etc https://vice.com/en_us/article/
@josephfcox: Updated with comment from San Diego Police Department, which spoke to NSO Group's U.S. arm about phone hacking technology. Says would require a warrant to use such tech https://vice.com/en_us/article/

March 4, 2020

Jason Koebler, Emanuel Maiberg, and Joseph Cox / Motherboard

Jason Koebler, Emanuel Maiberg, and Joseph Cox / Motherboard
Artificial Intelligence Company Banjo Deploys Its Technology Throughout Utah for What Some Allege is Panopticon-Like Surveillance Powers

The state of Utah has given an artificial intelligence company called Banjo real-time access to state traffic cameras, CCTV and “public safety” cameras, 911 emergency systems, location data for state-owned vehicles, and other sensitive data. Under a contract worth $20.1 million, Banjo said it is taking these data and combining them with information collected from social media, satellites, and other apps so that its algorithms “detect anomalies” in the real world to alert law enforcement of crimes as they happen. Banjo claims its technology called “Live Time Intelligence,” can solve kidnapping cases, identify active shooter situations and more. Banjo’s technology will be deployed or is in the process of being used in all 29 of Utah’s counties, in the state’s 13 largest cities, and in 10 other cities with “significant relevance” as well as for “campus security” for the University of Utah giving what critics say is panopticon-like surveillance powers throughout the state. Banjo claims its technology strips personal data out of the equation and that it does not help police find criminals; it helps them to find “emergencies” and locate criminal acts.

Tweets:@jason_koebler

@jason_koebler: A predictive policing company called Banjo has gotten the state of Utah to pay it $20.1 million to build an artificial intelligence-powered panopticon throughout the entire state https://vice.com/en_us/article/k7exem/banjo-ai-company-utah-surveillance-panopticon investigation by me, @josephfcox and @emanuelmaiberg

March 13, 2020

Emanuel Maiberg, Jason Koebler, and Lorenzo Franceschi-Bicchierai / Motherboard

Emanuel Maiberg, Jason Koebler, and Lorenzo Franceschi-Bicchierai / Motherboard
Cybersecurity Team Finds More Than Dozen Critical Security Flaws in Voatz Mobile Voting App

An audit by the team at cybersecurity firm Trail of Bits found that Voatz, a mobile voting app that has been used in several elections in the United States, has more than a dozen critical security flaws. Trail of Bits performed the first-ever “white-box” security assessment of the platform, with access to the Voatz Core Server and backend software. Their assessment confirmed the issues flagged in previous reports by MIT, which Voatz denied despite knowing of the flagged flaws. Trail of Bits also discovered more vulnerabilities and made recommendations to fix issues and prevent bugs from compromising voting security.

Related: Trail of Bits

Tweets:@alex_gaynor @mattblaze @mattblaze @kimzetter @lorenzofb

Trail of Bits: Our Full Report on the Voatz Mobile Voting Platform

@alex_gaynor: This is a stunning result, Voatz's blockchain nonsense had no business being anywhere near a US election. This is a pattern I've seen repeated in the public sector: Blockchain not solving problems securely, but scamming governments out of money anyways.
@mattblaze: Devastating security analysis of Voatz. That the implementation is so awful is disturbing, but even if the software were completely hardened, it would still be based on a fundamentally insecure architecture that was forcefully warned against by the National Research Council.
@mattblaze: I'm a bit concerned that Voatz's sloppy implementation and poor design choices are overshadowing more fundamental problems with app-based voting. It's sort of like complaining about low-quality phrenology calipers.
@kimzetter: Remember that Voatz mobile voting app? MIT researchers who published a recent report weren't able to examine all of it, but @trailofbits has now taken a more comprehensive look and found 79 issues - 1/3 of them "high severity"
@lorenzofb: New: Voatz, a blockchain-based mobile voting app that's already in use in elections is filled with high-severity issues. "If this was a hot dog stand, it would be closed by the health department," said @matthew_d_green .

1
2
3
4
5
6
…
79
Older