Search Results for “Thomas Brewster”


July 24, 2019
Thomas Brewster / Forbes

Thomas Brewster / Forbes  
Thieves Are Racking Up High Tab and Booze Bills By Using Hacked Deliveroo Accounts

A significant number of food delivery company Deliveroo account holders, particularly those in London, have had their accounts hacked in recent months and thieves have been buying their passwords from a dark Web dealer for as little as $6 or stealing the passwords by tricking account holders into entering them into a pre-designed phishing page. Yet another avenue that the thieves may be using to obtain the login information is”credential stuffing,” jamming passwords stolen in other breaches into Deliveroo accounts to gain access. Some victims have experienced bizarre food and booze orders illicitly made under their name, with some orders totaling $560 (£450). Deliveroo said it is working to address the problem.

August 9, 2019
Zack Whittaker / TechCrunch

Zack Whittaker / TechCrunch  
Apple Expands Its Bug Bounty Program to Include Macs, MacBooks, Apple TVs, and Apple Watches, Ups Top Bounty to $1 Million

Apple announced it will expand its bug bounty program to include Macs and MacBooks, as well as Apple TV and Apple Watch, three years after launching a bug bounty program for iOS. Apple said it will open its bug bounty program to all researchers and increase the size of the bounty from the current maximum of $200,000 per exploit to $1 million for a zero-click full chain kernel code execution attack with persistence. Any researcher who finds a vulnerability in pre-release builds reported before general release will qualify for up to 50% bonus on top of the category of vulnerability they discover. The Cupertino giant also confirmed a Forbes report earlier this week that it will give a number of “dev” iPhones to vetted and trusted security researchers and hackers under the new iOS Security Research Device Program.

Related: Techradar, MacRumors, SC Magazine, ThreatpostVentureBeat, ZDNetiDownloadBlog.com, iTnews – SecurityReuters, CBC, Cult of Mac, Thomas Brewster – Forbes, iMore, VICE News, The Verge


August 30, 2019
Thomas Brewster / Forbes

Thomas Brewster / Forbes  
Google Boots Malicious Apps Idea Note and Beauty Fitness From Play Store Which Have Been Downloaded 1.5 Million Times

As many as 1.5 million Android users are having ads clicked for them in what appears to be shady practices by apps hosted on Google Play according to researchers at Symantec. Made by a developer called Idea Master, the shady apps, which have now been removed from Play Store, are Idea Note, a notepad app with more than 1 million downloads, and Beauty Fitness, a workout assistant with at least 500,000 downloads.

July 29, 2019
Thomas Brewster / Forbes

Thomas Brewster / Forbes  
Hackers Can Bypass Limits on Visa Card Contactless Payments, Thieves Able to Drain Accounts With Single Tap, Researchers

The £30 limit (around $37) on Visa card contactless payments that apply in the UK and elsewhere can be bypassed, allowing opportunistic thieves to drain accounts with a single tap, researchers Leigh-Anne Galloway and Tim Yunusov from cybersecurity company Positive Technologies proved. On their own personal cards, the researches made contactless payments as high as £101, though it’s possible more could be stolen. To accomplish the limit bypass, the researchers used a specialized piece of hardware to intercept and insert messages, such as one that relays PIN verification is not necessary, into the communications between the card and the reader. Limits on these payments are higher in some countries, such as the U.S. where the limit is $100.  Visa said they had never recorded a case of contactless fraud in which the card hadn’t been stolen, although the researchers maintain no credit card theft is necessary for the bypass to work. A hacker only needs to get close enough to the victim’s card for a short period of time to take a payment.

August 6, 2019
Thomas Brewster / Forbes

Thomas Brewster / Forbes  
Apple Plans to Give Infosec Rockstars Who Participate in Bug Bounty Program Special iPhones for Testing, Will Launch Mac Bug Bounty Program, Report

Apple reportedly plans to announce plans to give infosec rockstar security researchers who participate in its invite-only bug bounty program special iPhones that will make it easier for them to find weaknesses in the smartphone. The special iPhones will essentially be “dev devices” that allow users to do a lot more than do locked-down iPhones and will be”lite” versions of the phones, without the same level of openness as enjoyed by Apple’s security team. Apple also plans to announce a Mac bug bounty program so that anyone who can find security issues in macOS will get rewarded with bug bounty payments that can run as high as $200,000.

Related: TechSpot, iDownloadBlog, MacDailyNews, Trusted Reviews, Engadget, The Mac Observer, MacDailyNews, BleepingComputer.comSoftpedia News, MacRumors, Apple Insider,iPhone Hacks

Tweets:@radian

TechSpot: Apple to launch macOS Bug Bounty program, will also give ‘special’ iPhones to researchers
iDownload Blog : Apple will supply security researchers with special iPhone variants for bug hunting
MacDailyNews: Apple hands hackers secret iPhones in a bid to boost security; to offer Apple Mac bug bounty
Trusted Reviews: Apple is giving jailbroken iPhones to hackers to tighten iOS security
Engadget : Apple may soon hand special iPhones to security researchers
The Mac Observer: Apple Bug Bounty Program Coming This Month
MacDailyNews: Apple hands hackers secret iPhones in a bid to boost security; to offer Apple Mac bug bounty
BleepingComputer.com: AT&T Launches Public Bug Bounty Program on HackerOne
Softpedia News: Apple to Give Away Special iPhones to Security Researchers
MacRumors: Apple to Give Security Researchers ‘Special’ iPhones for Bug Testing, macOS Bug Bounty Program Coming
Apple Insider: Apple to reportedly provide ‘dev device’ iPhones for bug hunting, introduce Mac bounty
iPhone Hacks : Apple to Reportedly Provide Security Researchers with Jailbroken iPhones

@radian: Very excited to return to the Black Hat stage this year to talk about some world-class Apple security features! iOS code integrity and Pointer Authentication Codes, Mac secure boot with the T2 Security Chip, the crypto behind the Find My feature, and more: (link: https://www.blackhat.com/us-19/briefings/schedule/#behind-the-scenes-of-ios-and-mac-security-17220) blackhat.com/us-19/briefing…


Thomas Brewster / Forbes

Thomas Brewster / Forbes  
Justice Department Indicts Pakistani Man for Allegedly Paying More Than $1 Million in Bribes to AT&T Employees to Unlock More Than Two Million Phones

A Pakistani man Muhammad Fahd has been extradited from Hong Kong to the U.S. over allegations he paid more than $1 million in bribes to AT&T employees over five years to unlock more than 2 million phones, according to a Justice Department indictment.  Fahd and his co-conspirator Ghulam Jiwani are accused of paying as much as $420,000 to individual AT&T staff at a call center in Boswell, Washington, asking them to unlock phones tied to the AT&T network on behalf of people who were paying him to help them escape from AT&T contracts. Fahd is further accused of asking employees to install malware on AT&T computers so that he could study how the telecoms giant’s internal processes worked and of creating malware that used AT&T employees passwords to get access to different computers so that he could do the unlocking himself. On top of that, Fahd is accused of paying AT&T employees to install snooping hardware, malicious routers and rogue Wi-Fi access points in the building that again allowed for further access to supposedly protected computers. He faces up to 20 years in jail. Three co-conspirators have already pleaded guilty to accepting thousands of dollars to assist in the scheme.

August 29, 2019
James Thorne / GeekWire

James Thorne / GeekWire  
Federal Grand Jury Indicts Alleged Capital One Hacker on Multiple Counts of Wire Fraud, Computer Fraud, Including Allegations She Mined Cryptocurrency From Hacked Cloud Servers

A federal grand jury indicted former Amazon engineer Paige Thompson on multiple counts of wire fraud and computer fraud on allegations that she not only stole data but also mined cryptocurrency after infiltrating the cloud servers of Capital One and more than 30 other companies. Although the other companies are not named, the indictment states that the other victims include a state agency, a foreign telecommunications conglomerate, and a public research university. Israeli security company CyberInt has suggested that Michigan State University, Vodafone and the Ohio Department of Transportation may be among the victims, based on file names referenced in Thompson’s online messages. Thompson faces up to 25 years in prison if found guilty of the charges.

October 10, 2019
Thomas Brewster / Forbes

Thomas Brewster / Forbes  
Dutch Sex Work Forum Hookers.nl Hacked Due to Unpatched vBulletin Vulnerability, Data and Personal Details of Around 250,000 Users Stolen and Reportedly for Sale

A hacker has obtained the data and personal details of around 250,000 users of the Dutch sex-work forum Hookers.nl and is reportedly offering it for sale online.  A Hookers.nl moderator said the forum software supplier, vBulletin, had reported that a vulnerability had allowed an outsider access to the site’s database. The forum implemented a patch released earlier by vBulletin but recommended that users change their login credentials immediately. Both sex workers and their customers reportedly use the forum. Dutch broadcaster NOS, which broke the story, spoke to the hacker responsible, confirming that the data leak includes user names, IP addresses, and passwords. Those passwords are protected by encryption, though they might be crackable depending on the encryption used. The hacker also said the data had not yet been sold but expected it would be soon.

September 7, 2019
Thomas Brewster / Forbes

Thomas Brewster / Forbes  
U.S. Government Seeks to Force Apple and Google to Turn Over Detailed Personal Information on at Least 10,000 Users of Gun Scope App

In an unprecedented reach for app users’ personal data, the U.S. government has filed for a court order to force Apple and Google to turn over information, including names, phone numbers and other identifying data, of at least 10,000 users of Obsidian 4, an app used to control rifle scopes made by night-vision specialist American Technologies Network Corp. The app allows gun owners to get a live stream, take video and calibrate their gun scope from an Android or iPhone device. The Immigration and Customs Enforcement (ICE) department is seeking the information as part of a broad investigation into possible breaches of weapons export regulations. The court order application states that the requested information “will assist the government in identifying networks engaged in the unlawful export of this rifle scope through identifying end users located in countries to which export of this item is restricted.” If the government succeeds, Apple and Google will also have to turn over telephone numbers and IP addresses which can be used to locate the app users.

Related: Cult of Mac, MacRumors, MacRumors, Apple Insider, MacDailyNews, Boing Boing, RT USA, CNET, Slashdot


September 3, 2019
Thomas Brewster / Forbes

Thomas Brewster / Forbes  
Android Operating Systems of Uyghur Muslims Outside of China Were Under Heavy Watering Hole Attacks Using the Same Method Deployed to Steal Data From iPhones

Following Forbes’ report that Google and Microsoft operating systems were under assault by the same hackers who tried to steal data from Apple iPhones of Uyghur Muslims inside China, it’s been confirmed that Androids of the target Muslim communities have been under heavy attack using the same methods deployed against iPhones, researchers at Volexity report. Eleven different Uighur and East Turkestan websites that were “strategically compromised” to deliver data-stealing attacks, with four used to target Google’s operating system, according to the researchers. They included sites for the Uighur Academy, Turkistan Press, Turkistan TV and Istiqlal Haber. The compromised websites are inaccessible within China because of the so-called Great Firewall that sites censored by the communist authorities. The researchers have reason to believe the Android hackers ceased their attacks via the Uighur sites shortly after Google’s Project Zero blog detailed the iOS attacks.

Related: Techradar, Tech Insider, TechNadu, BGR, Cult of Mac, TechSpot, MSPoweruser, Softpedia NewsiMore, fossBytes, The GuardianBoing Boing, MacRumors, eHackingNews, Slashdot, Volexity