Search Results for “Motherboard”

March 28, 2020
Joseph Cox / Motherboard

Zoom Updates iOS App to Stop Sending Data to Facebook

Video-conferencing software company Zoom issued an update to its iOS app, which stops it from sending certain pieces of data to Facebook. A Motherboard analysis had revealed this privacy faux pas. Motherboard discovered that when a user opened the app, their timezone, city, and device details were sent to the social network giant.

Related: Neowin, MacRumors, iMore, TechWorm, The Sun, BetaNews, Verdict, BGR, Cult of Mac, Quartz

May 20, 2020
Joseph Cox / Motherboard

Spyware Firm NSO Group Created a Web Domain That Masqueraded as a Facebook Security Team Site to Spread Its Powerful Pegasus Malware

Notorious Israeli spyware firm NSO Group created a web domain that looked as if it belonged to Facebook’s security team to entice targets to click on links that would install the company’s powerful Pegasus cell phone hacking technology, according to data analyzed by Motherboard. Although it’s not uncommon for nation-state hackers to impersonate Facebook, Facebook is currently suing NSO Group for leveraging a vulnerability in Facebook-owned WhatsApp to let NSO clients remotely hack phones. Motherboard also discovered that a server used by NSO’s system to deliver malware was owned by Amazon, which is more evidence that NSO has used U.S. infrastructure.

Related: Slashdot


Slashdot: NSO Group Impersonated Facebook To Help Clients Hack Targets

@josephfcox: New: former NSO Group employee leaked me an IP address used to launch Pegasus malware against targets. I looked up pDNS records and found a related domain was impersonating Facebook security's team. Also found more NSO infrastructure in the United States
@lorenzofb: NSO Group impersonated Facebook in an attempt to help clients hack targets. .@josephfcox found a web domain that looked like a Facebook site and was used for phishing targets to instal NSO's spyware.
@dangoodin001: When I get subscribed to a list without permission I respond to the sender (& any other email addresses I can find for the company) and demand I be removed. Sometimes I get a reply that says I can just use the unsubscribe link. No, I can't and here's why:
@josephfcox: Many NSO clients have abused the tech, and publishing those domains can be important to find other abuses. In this case, we don't know if they were used in legitimate law enforcement or intelligence operations, so are not publishing domains themselves
@josephfcox: Facebook said took control of this domain to stop people abusing it in the future. Also has relevance for Facebook's recent legal action against domain registrars: Facebook used those that allowed fake Facebook domains (same registrar as the Pegasus link)
@josephfcox: The IP address was used to launch Pegasus' 1-click variant. The linked domains were a mix of things designed to be innocuous ('unsubscribe me please' style links), and then those impersonating Facebook or FedEx package tracking links

March 31, 2020
Joseph Cox / Motherboard

Zoom Hit by Class-Action Lawsuit in California Over Alleged Data Sharing With Facebook

A user of the popular and suddenly controversial video-conferencing software Zoom filed a class-action lawsuit against the company for sending data to Facebook. The lawsuit argues that Zoom violated California’s new data protection law by not obtaining proper consent from users about the transfer of the data. The lawsuit follows a report by Motherboard that found that Zoom was sending some data from the Zoom iOS app to Facebook, a problem the company rectified after the report’s publication.

May 5, 2020
Joseph Cox / Motherboard

Hacker Bribed Roblox Worker and Gained Access to Personal Data on Over 100 Million Active Monthly Users

A hacker said he bribed a Roblox worker to gain access to the back end customer support panel of the popular online video game, giving them access to personal information on over 100 million active monthly users and other privileges such as granting virtual in-game currency. The hacker was able to see users’ email addresses, as well as change passwords, remove two-factor authentication from their accounts, ban users, and more, according to the hacker and screenshots of the internal system. The hacker shared screenshots with Motherboard that included the personal information of some of the more high-profile users, including YouTuber Linkmon99, purportedly the “richest” Roblox player in the world. The hacker claims they hacked Roblox to prove a point. Roblox said it immediately took action to address the issue and individually notified the minimal amount of customers who were impacted.

Related: Security News | Tech Times, Engadget, Boing Boing


Security News | Tech Times: Roblox Hacked by Bribed Insider
Engadget: ‘Roblox’ insider sold user data access to a hacker
Boing Boing: ‘Roblox’ hacker got 100 million user accounts for popular online game, reports VICE

@waypoint: The hacker got access to over 100 million active Roblox monthly users and the ability to grant virtual in-game currency.
@josephfcox: One of the most high profile users in Roblox confirmed their account information was exposed. I showed them an email address the hacker found; they said this was their private, dedicated email address only for using this game
@josephfcox: This is some of the stuff the Roblox hacker could have done, and did some of to at least a few accounts. If you can't hack a site/service/application, the customer support reps may help you out for a little bit of cash
@josephfcox: Not only does this show how much of a threat insiders at companies can be, but also how accessing data of children can be pretty straight forward. Roblox has a huge community of children using it; also used for kids parties during COVID-19
@josephfcox: The hacker sent messages between them and the insider. According to LinkedIn, this person worked for a contractor that works for Roblox. Targeting customer support reps is fruitful for hackers; lots of data access, potentially fewer controls in place
@josephfcox: Here's a screenshot the hacker shared showing Roblox's back end customer support portal. Look up private email addresses, grant players in-game currency. Hacker says they reset passwords and stole items to sell

April 29, 2020
Joseph Cox / Motherboard

NSO Employee Abused Access to Company’s Powerful Pegasus Hacking Technology to Target a Love Interest

An employee of controversial surveillance vendor NSO Group abused access to the company’s powerful Pegasus hacking technology to target a love interest, Motherboard found out from multiple sources. Pegasus can track the target’s location, read their texts, emails, social media messages, siphon their photos and videos, and turn on the device’s camera and microphone. While on location in the UAE in 2016, the NSO employee broke into an intelligence agency client’s office and was detained by authorities. While in the office, the employee used the Pegasus system to target a woman he knew personally. The employee was subsequently fired. After this incident, NSO introduced a “more rigorous screening of customer-facing people,” one former employee said.

Related: Slashdot


March 24, 2020
Joseph Cox / Motherboard

Hackers Are Hijacking Twitter Accounts to Push Website Purportedly Selling Face Masks and Toilet Paper

Hackers have taken over a wave of Twitter accounts to aggressively advertise a website that claims to be selling face masks and toilet paper during the coronavirus pandemic. The accounts posted hundreds of tweets linking to the site over at least a few hours earlier today. One journalist for Motherboard, Todd Feathers, confirmed that his account was hijacked to spread the message. The hacker also sent direct messages to Feathers’ followers with a link to the website. The site claims to sell face masks, respirators, digital thermometers, and toilet roll. Twitter said it had acted against several accounts and URLs around this recent activity, and pointed to its policy banning malicious use of bots and inauthentic accounts.

May 12, 2020
Joseph Cox / Motherboard

Israeli Spyware Vendor NSO Group Is Pitching Its Mobile Hacking Technology to Local Police Forces in the U.S.

Israeli spyware vendor NSO Group, which has earned a notorious reputation for selling its mobile phone surveillance technologies to oppressive regimes around the globe, has been pitching its products to U.S. local police forces. A brochure by Westbridge Technologies, which calls itself “the North American branch of NSO Group,” tells local law enforcement that they can turn their targets’ phones “into an intelligence gold mine” by using a spyware product called Phantom. A former NSO employee says that Phantom is the same as Pegasus, the most intrusive spyware that NSO Group sells to despotic governments, including Saudi Arabia.

Related: Slashdot


Slashdot: NSO Group Pitched Phone Hacking Tech To American Police

@josephfcox: Scoop: NSO Group, best known for selling iPhone hacking tech used to spy on associates of murdered journalist Jamal Khashoggi, also pitched their products to local American police. One law enforcement official called the tool "awesome."
@josephfcox: Obtained brochure for NSO product called PHANTOM. Can remotely infect devices with 0-click, get messages, location, etc Source says PHANTOM is a rebranded PEGASUS, NSO's infamous hacking product. Local police would have the same capability as Saudi intel
@josephfcox: Federal authorities, intelligence agencies having 0-click phone hacking technology is one thing. Local police having it, is another, but that's exactly who NSO was trying to sell to
@josephfcox: Here are some of the capabilities of the phone hacking technology pitched to local American cops are "Unlimited access to the target's mobile devices."
@josephfcox: After talking to Westbridge, the U.S. arm of NSO Group, an official from the San Diego Police Department said the phone hacking tech "sounds awesome"
@josephfcox: Price is the reason San Diego police give for not buying NSO Group's phone hacking tech, saying they don't have funds for such a large scale project
@josephfcox: In the brochure sent to local cops, Westbridge/NSO says its malware is modular, can be tweaked depending on client's regulations. Other companies in the industry do this: maybe your warrant allows text but not Skype interception, etc
@josephfcox: Updated with comment from San Diego Police Department, which spoke to NSO Group's U.S. arm about phone hacking technology. Says would require a warrant to use such tech

March 4, 2020
Jason Koebler, Emanuel Maiberg, and Joseph Cox / Motherboard

Artificial Intelligence Company Banjo Deploys Its Technology Throughout Utah for What Some Allege is Panopticon-Like Surveillance Powers

The state of Utah has given an artificial intelligence company called Banjo real-time access to state traffic cameras, CCTV and “public safety” cameras, 911 emergency systems, location data for state-owned vehicles, and other sensitive data. Under a contract worth $20.1 million, Banjo said it is taking these data and combining them with information collected from social media, satellites, and other apps so that its algorithms “detect anomalies” in the real world to alert law enforcement of crimes as they happen. Banjo claims its technology, called “Live Time Intelligence,” can solve kidnapping cases, identify active shooter situations and more. Banjo’s technology will be deployed or is in the process of being used in all 29 of Utah’s counties, in the state’s 13 largest cities, and in 10 other cities with “significant relevance,” as well as for “campus security” for the University of Utah, giving what critics say are panopticon-like surveillance powers throughout the state. Banjo claims its technology strips personal data out of the equation and that it does not help police find criminals; it helps them to find “emergencies” and locate criminal acts.

March 9, 2020
Joseph Cox / Motherboard

Artificial Intelligence Firm Banjo Used Shadow Company Pink Unicorn Labs to Create Social Media Data-Scraping Apps

Banjo, an artificial intelligence firm that works with police, used a shadow company named Pink Unicorn Labs to create an array of Android and iOS apps that looked innocuous but were explicitly designed to secretly scrape social media, according to three former employees. The goal of creating the shadow company was to dodge detection by social media companies. Three apps created by Pink Unicorn Labs, “One Direction Fan App,” “EDM Fan App,” and “Formula Racing App,” were available for downloading and analysis on archive sites. An analysis showed that they were initially compiled in 2015 and were on the Play Store until 2016 and contained code that mentioned signing into Facebook, Twitter, Instagram, Russian social media app VK, FourSquare, Google Plus, and Chinese social network Sina Weibo. Business records show Banjo CEO Damien Patton initially incorporated the company.

March 13, 2020
Emanuel Maiberg, Jason Koebler, and Lorenzo Franceschi-Bicchierai / Motherboard

Cybersecurity Team Finds More Than Dozen Critical Security Flaws in Voatz Mobile Voting App

An audit by the team at cybersecurity firm Trail of Bits found that Voatz, a mobile voting app that has been used in several elections in the United States, has more than a dozen critical security flaws. Trail of Bits performed the first-ever “white-box” security assessment of the platform, with access to the Voatz Core Server and backend software. Their assessment confirmed the issues flagged in previous reports by MIT, which Voatz denied despite knowing of the flagged flaws. Trail of Bits also discovered more vulnerabilities and made recommendations to fix issues and prevent bugs from compromising voting security.

Related: Trail of Bits

Tweets: @alex_gaynor @mattblaze @mattblaze @kimzetter @lorenzofb