eBay waited over 30 days before they fixed password stealing flaw

eBay has been criticised for taking over a month to fix a security flaw that could have left millions of users’ passwords at risk.

The security flaw was discovered on 11th December by a security researcher known only as MLT. He contacted eBay the same day he found the flaw, but revealed a month later that eBay had only just fixed it.

MLT said eBay “only rushed to patch the security flaw after the media contacted them”. In a blog post MLT described the security flaw as “fairly basic”. He demonstrated how hackers could have set up a fake login page with ‘ebay.com’ in the URL, which would then trick users into revealing their usernames and passwords.

The hackers could then lure victims to these pages by sending out a phishing email containing links to the bogus login page. Once the hackers had stolen the usernames and passwords, they could then send scam emails to millions of other users or even bid on items.

eBay has blamed a “miscommunication” with MLT for the delay in fixing the security flaw.
An eBay spokesman has been quoted saying “we’re aware of this particular issue, which involves fraudsters attempting to phish customers using a malicious code in very limited cases, this type of scheme is extremely rare on our platform”.

There is no sign that hackers have exploited the security flaw and stolen any passwords, but it is an indication of just how many vulnerabilities lie undiscovered within the websites we all use daily.

This is not the first time eBay has reacted slowly to a security flaw report. Back in 2015, Estonian researcher Jaanus Kääp said eBay had not fixed a security vulnerability he had found and emailed them about 4 times in 12 months.

Switched Your Phone Off? Hackers Can Still Spy On You

Security experts have detected a type of Android malware that tricks people into thinking they have turned off their phone.

When you press the ‘Power off’ button, the malware shows you a fake dialog designed to look like the real Android ‘Power off’ menu.

The phone then shows a black screen and looks as if it has been switched off. You won’t see any notifications or hear any alert sounds.

However, the phone is still switched on. The malware has inserted code into Android’s shutdown process that lets the hackers remotely access the device, theoretically allowing them to do whatever they want with it.

They could, for example, make calls and send text messages to a premium-rate number, which could cost you a small fortune. In effect, your phone becomes a device the hackers can use to spy on you.

The malware, which has yet to be named, was discovered by security researchers at AVG. In a blog post they said it originated in an unofficial Android app store in China, infecting devices when users downloaded the malicious apps. AVG said the malware has already infected 10,000 devices worldwide, all of them running Android KitKat (4.4) or earlier, but did not reveal which apps contain the malware.

The best way to stay safe is to make sure you only install apps from the Google Play Store.

AVG said that its free ‘Antivirus for Android’ app will find and remove the malware. Other security experts have said the only way to be completely sure your phone is off is to remove the battery, but this is not always possible on newer smartphones.

Unlike the criminals behind ransomware, these devious hackers don’t want you to know your device is infected, because the longer you remain oblivious, the more money they can steal from you. It is relatively easy to stay safe: rather than removing your battery at the end of every night, which is not always possible, simply restrict your app downloads to the Google Play Store. Hackers are now finding it a lot harder to smuggle malicious apps past Google’s security checks.

Windows users are at risk from an old security flaw

Microsoft have admitted that the .

The bug was found in the SSL and TLS security technology that encrypts data sent between web servers and your browser. The flaw could let a hacker force a connection to use weaker encryption, which makes it easier to steal things like your personal information.

A French-based team of security experts announced they had discovered the bug on 3rd March, but the scary part is that it had gone undetected since 1999.

Initially the flaw was believed to affect BlackBerry, Android phones and Apple’s Safari web browser, but two days later Microsoft announced that it also affected its operating system.

Microsoft said it was investigating the flaw and would “take the appropriate action to protect their customers”. This will most probably mean a security update, or perhaps an emergency patch outside the normal update schedule.

Other tech companies have acted quickly to fix this flaw. Google has updated its version of Chrome for Macs, and Apple is expected to release a fix for Safari in the week beginning 9th March. Google has yet to say whether it will update Android to fix this flaw.

Security experts have advised PC users to switch to the Firefox browser, as the FREAK vulnerability does not affect it. They also recommend that Android users only use Google’s Chrome browser on their devices and not the default Android browser. Mac users should also try to avoid using Safari until Apple releases its update.

It has been estimated that, of the 14 million websites offering encryption, around five million still remain vulnerable to the flaw.

Has Shellshock made the Internet unsafe?

There is a new security vulnerability that has affected more computers than the Heartbleed bug, and it allows hackers to steal your information from banks, routers and security cameras.

Security experts have for the second time this year discovered a flaw that can place your online safety and personal information at risk.

This new vulnerability is called Shellshock, and it has affected more devices than the Heartbleed bug. Shellshock is so serious that the US National Cyber Security Division has rated it 10 out of 10 for “exploitability” and “potential impact”. It is such a big threat because it takes advantage of a flaw that lets hackers take control of software we all use.

The threat goes beyond websites and homes. The UK government has said that Shellshock could affect “critical national infrastructure” such as power and hospitals if companies don’t respond quickly.

The software to blame for this flaw is called Bash, a Unix shell used by Linux, Apple’s OS X and less popular operating systems. Like the Command Prompt that Windows uses, Bash lets hackers take control of your PC using nothing more than text commands. Windows does not use Bash, so hackers cannot exploit this flaw on it, but that still does not mean Windows users are safe. If a hacker exploits the Bash flaw on a web server, they can still steal your personal information stored on it; if this were to happen to a bank, the hackers could do serious damage. The rewards for the hackers can be huge, and until companies fix this flaw we are all at risk.

Many companies, including Apple, have now patched the flaw in their software, but there are still millions of routers, security cameras and other devices that still use Bash.

Virgin, TalkTalk, BT and Sky routers were unaffected by this flaw as their firmware uses BusyBox, which is an alternative to Bash. You can always contact your router’s manufacturer to see if the Shellshock bug affects it.

So are you still at risk every time you go online? Yes, if you are still using a router that has not been patched against the Bash bug. If you are using a patched router, then your safety will depend on the security of the web server you are accessing, but that is something you really should not have to worry about. Like so many security threats, this one is unnerving because it makes you feel powerless. It’s a stark reminder that you will always be in the hands of security and tech companies.

If things are going to improve, software needs to be updated faster to stop these flaws, and governments and security companies need to show more support for these core internet functions if we are to prevent further flaws that could jeopardise our online security.

Five million Gmail users had their passwords leaked?

What happened?

Google has admitted that up to five million Gmail passwords and addresses have been leaked online, but is denying this was a direct attack on the company itself.

The list of login details was leaked on a Russian forum, with the Gmail addresses supposedly posted together with their passwords. Google has said that most of the passwords were out of date or incorrect, and that the list could have come from an attack on another site where Gmail addresses were used as logins. Google reset the passwords for all affected accounts just to be on the safe side.

Google has said on its online Security Blog that “One of the unfortunate realities of the internet today is a phenomenon known in security circles as ‘credential dumps’ (the posting of usernames and passwords on the web).

“We are always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers’ credentials.”

“We found that less than 2% of the username and password combinations would have worked, and our automated anti-hijacking system would have blocked most of the login attempts.”

So how does this affect you?

If you were one of the unlucky ones whose address and password were on the list, Google has already reset your password, so there is no need to worry. If you used the same password for other sites you might want to change it. This is especially important for your email account, because if someone can access your email account they can use it to reset all your other login details, so please always make sure you have a good, strong password for your Gmail or any other email accounts you use.

Google has advised users to protect themselves and their passwords by using its two-step verification

Google has also advised that all users should turn on its two-step verification system. This adds an extra layer of security by sending a one-time code to your mobile number when you access the account from a new device. It’s worth setting up for the extra protection. If you want to check whether your address was leaked, please go to isleaked.

What do I think?

These sorts of incidents are a big reminder that cybercriminals are actively targeting all of us. Modern web services like Gmail do their best to try and protect us; all of us should use Google’s extra security and make it as hard as possible for the criminals.

I think it’s a good thing that Google has taken the time to explain the incident in detail, as this has helped to take some of the hysteria out of the incident and shows that “hacks” are not always as bad as they are claimed to be.