New Vulnerability in Bluetooth Connections Allows Hackers to Spy on Private Conversations


Bluetooth is used worldwide as one of the most convenient methods of connecting and controlling the devices in range. However, according to a recent report, a vulnerability labeled as the KNOB (Key Negotiation of Bluetooth) attack has been found in Bluetooth connections.

All the Bluetooth compliant devices can be affected by the vulnerability, which allows attackers to spy on a victim's personal conversations. Hackers can also exploit the vulnerability to manipulate the data present on the compromised device.

How the attack unfolds? 

While establishing a functional Bluetooth connection, both the devices rely upon an encryption key. Therefore,
in order to execute the attack, hackers exploit the vulnerability in the Bluetooth standard and weaken this encryption of Bluetooth devices instead of breaking it straightaway.

The attacker gets in the way while the devices are setting up the encryption key and resorts to brute force attack for breaking the new key with less number of digits and manipulates both the devices to employ the new encryption key.

The vulnerability affects devices by some of the renowned manufacturers namely, Apple, Qualcomm, and Intel. Companies like Apple, Microsoft, Cisco, Google, Blackberry, Broadcom and Chicony has already issued a patch to fix the flaw, as per the reports by Mashable.

The group of researchers from the Singapore University of Technology and Design, University of Oxford, and CISPA Helmholtz Center for Information Security, who found this critical vulnerability, explained, "We found and exploited a severe vulnerability in the Bluetooth specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker is able to listen, or change the content of, nearby Bluetooth communication, even between devices that have previously been successfully paired."


RBI AnyDesk Warning; here's how Scammers Use it to Steal Money



In February, Reserve Bank of India (RBI) issued warning regarding a remote desktop app known as 'AnyDesk', which was employed by scammers to carry out unauthorized transactions from bank accounts of the customers via mobile or laptop.

In the wake of RBI's warning, various other banks such as HDFC Bank, ICICI Bank and Axis Bank along with a few others, also issued an advisory to make their customers aware about AnyDesk's fraudulent potential and how it can be used by the hackers to steal money via Unified Payments Interface (UPI).

However, it is important to notice that Anydesk app is not infectious, in fact, on the contrary, it is a screen-sharing platform of extreme value to the IT professionals which allows users to connect to various systems and mobiles remotely over the internet.

How the Scam Takes Places? 

When a customer needs some help from the customer care, he gets in touch via a call and if he gets on line with a scammer, he would ask him to download AnyDesk app or a similar app known as TeamViewer QuickSupport on his smartphone.

Then, he would ask for a remote desk code of 9-digit which he requires to view the customer's screen live on his computer. He can also record everything that is been shown on the screen. Subsequently, whenever the victim enters the ID and password of his UPI app, the scammer records it.

Users are advised not to download AnyDesk or any other remote desktop applications without fully understanding their functioning.

You should also be highly skeptical of the additional apps that customer support executives may ask you to download as besides fraudsters, no one asks for codes, passwords or any other sensitive information.


Student Uncovers Flaw in Education Software Exposing Data of Students



A high school senior in Lexington, Massachusetts discovered two vulnerabilities in software programs employed by his school which could have potentially affected the student data of around 5 million students.

Billi Demikarpi is a teen hacker who developed a penchant for hacking when he was in the freshman year and subsequently uncovered serious security flaws in two education programs, Aspen and Blackboard.

Reportedly, the probable consequences of these vulnerabilities would have been more disastrous than those San Diego Unified School District faced after the massive data breach that put to risk the data of more than 500,000 students along with the staff of the school.

The information that could have been exposed via the Aspen vulnerability includes details of bus routes, birthplaces, special education status, number of reduced or free lunches and suspensions.

It could have been exploited by the hacker to gain access to the data on the website after entering his own script as the Aspen website lacked the filters which other websites usually contain in order to reject hacker requests.

According to the statements given by both the companies, no one has exploited the security flaws besides Billi, who only accessed the information about himself and of a friend's whom he took consent from before doing so.

While sharing  his experience, Demirkapi said, “These companies say they're secure, that they do audits, but don't take the necessary steps to protect themselves from threats.”



Capital One Data Breach, Hacker gets Access to 100 Million Accounts


A massive data breach to Capital One servers compromised the personal details of an estimated 106 million bank customers and applicants across Canada and the US.

The suspected hacker, Paige Thompson, 33, has been arrested by FBI on Monday. She has shared details about the data breach on a GitHub page earlier in April, according to the criminal complaints.

Thompson broke into a Capital One server and illegally acquired access to customers' names, addresses, credit limit, contact numbers, balances, credit score, and other related data.

According to the documents, the 33-year-old, Seattle resident gained access to 80,000 bank account numbers, 1 million Canadian Social Insurance numbers, and 140,000 Social Security numbers.

Thompson who had previously worked with Amazon Web Services as a software engineer was able to access the data by exploiting a misconfigured web application firewall in company's infrastructure, as per a court filing.

Despite the magnitude of the breach, "no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised," the company told.

Expressing concern over the matter, Chairman Richard Fairbank, said, "While I am grateful that he perpetrator has been aught, I am deeply sorry for what has happened.

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," he assured.

Meanwhile, the company is notifying the victims and aiding them with identity protection and free credit monitoring.




WhatsApp, Telegram Data Stored on Phones is Vulnerable to Cyber Attacks



The data saved by users onto their devices through social messaging apps, Whatsapp and Telegram is vulnerable to cyber attacks and can be exploited by malware with access to external storage, as per the security researchers at Symantec.

End-to-end encryption prevents user data from being read or secretly modified, it led users into believing that their communication is highly secured and their conversations are protected against being accessed by third-party apps. However, the findings at Symantec have made users reconsider the whole idea of data protection via encryption.

The media exchanged on WhatsApp and Telegram gets stored in either of the two storages, external or internal. Now, if the data is stored in the victim's external storage and the malware enters his mobile device, it is configured to gain easy access to these saved files and exploit it subsequently. Moreover, the malware can acquire access to this data even prior to the users, according to The Verge.

After examining the issue, WhatsApp released statements telling that the corresponding updates are under progress with Android's ongoing development.

Referencing from the statements given by a WhatsApp spokesperson, “WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development,”

"WhatsApp follows guidelines from Android including: 'You should use external storage for user data that should be accessible to other apps and saved even if the user uninstalls your app, such as captured photos or downloaded files.' We store files in the same manner as other messaging apps (like Viber), email (like Gmail), and file storage apps (like Dropbox)," he added.

Commenting on the upcoming Android update, he informed, "The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared."


HDFC Bank Issues Warning Against a New Online Scam: Here's What you Should Know!



HDFC Bank has sent out a warning to its online banking users about a scam carried out by an app known as AnyDesk which is used by hackers for stealing money through unified payments interface (UPI). The main objective of the scam is to acquire unauthorized access to a victim’s mobile and carry out illegal transactions without any knowledge of the account holder.

In February, Reserve Bank of India (RBI), said, ‘AnyDesk’ have the ability to acquire complete access to users mobile devices which is exploited by hackers to steal their money via making transactions remotely. AnyDesk is a remote device control app which allows the remote controlling of devices.

Bewaring the customers, the bank has issued an official mailer concerning the matter and further warned its users that hackers attempt to access their account related confidential information such as OTP, PIN, expiry date, debit card details, and other sensitive data which is required for the purpose of authentication during transactions.

To ensure the safety of its users, HDFC Bank advised them against sharing their confidential data with anonymous callers and in order to keep their bank balance fortified, they should avoid downloading any apps onto their smartphones.

Commenting on the matter, the bank said, "Beware! Fraudsters may ask you to download AnyDesk App and share a 9-digit code which gets them access to your phone to steal money. Do not share your card details / OTP / PIN with anyone and report any unusual activity immediately to the bank.”



EA Origin Security Flaw Exposed over 300 Million Gamers to Account Takeovers



In the wake of the discovery of an EA based vulnerability, EA origin has been forced to re-examine its module for security and safety as the flaw could have potentially exposed millions of gamers to account takeovers.

As per the findings and research of specialists at Check Point and CyberInt, the vulnerability affected over 300 million gaming enthusiasts playing online games namely FIFA, Madden NFL, NBA Live and Battlefield.

The vulnerability relied on an alternate authentication method known as, Access Tokens which are like passwords; by stealing a Single Sign-On authorization token, the security flaw would have given complete authority into the hands of the hackers, who further would have been able to hijack player's accounts without needing the login or password.

Stealing 'Access Tokens' can be a bit more complex than stealing passwords, however, it still is possible. It's because users have been enlightened against providing passwords on dubious websites, hackers now resort to accessing access tokens rather than the passwords. Moreover, it can be carried out behind the scenes without needing any active participation from the user.

On Wednesday, commenting on the matter, Oded Vanunu, head of products vulnerability research for Check Point, told, "EA's Origin platform is hugely popular, and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users' accounts,"

Referencing from the statements given by Alexander Peleg in an email in the regard, "We had the vulnerabilities under control so no other party could have exploited them during the period it took EA to fix," 

Amazon Sued Over Illegal Retention of Child Recordings Through Alexa



Amazon is being sued by a Massachusetts woman for unlawfully recording and storing the voices of children with its Alexa-enabled devices; the lawsuit filed in Seattle this week, claims that Amazon is contributing to a massive database by harnessing private details of millions of Americans via voice recordings.
Children, as a matter of fact, don’t fully understand the “potentially invasive uses of big data by a company the size of Amazon” and they “use Alexa without any understanding or warning that Amazon is recording and voice-printing them”, according to the lawsuit.
Criticizing Amazon’s methodologies, the two law firms, Quinn Emanuel Urquhart & Sullivan and Keller Lenkner alleged that the company decides to retain the actual voice recordings in spite of having an option to encrypt user voices. According to the complaint filed by these firms on behalf of an anonymous minor, Amazon stores the voices to examine it in the future and deploy the same for commercial profit.
Referencing from the Lawsuit, “It takes no great leap of imagination to be concerned that Amazon is developing voiceprints for millions of children that could allow the company (and potentially governments) to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home,
The company is “allowing workers around the world to listen to the voice recordings and creating voiceprints of the users, which can be used to identify them when they speak to other devices in other locations,” the lawsuit reads.
Referenced from the statements given by a spokeswoman to BBC, “Amazon has a longstanding commitment to preserving the trust of our customers and their families, and we have strict measures and protocols in place to protect their security and privacy.”
Commenting on the matter during his conversation with Yahoo Finance,” Travis Lenkner, one of the plaintiffs’ attorneys, said,
“The legal theory is very straightforward. These kids themselves never consented, if they even could. No one such as a parent ever consented on their behalf,”
“Amazon purports to obtain consent to record individuals who set up an Alexa-enabled device,” the complaint states. “But there is a large group of individuals who do not consent to be recorded when using an Alexa-enabled device and who use Alexa without any understanding or warning that Amazon is recording and voice printing them: children.”
“Every recording that is made of a child, by Amazon through the Alexa software in one of these nine states is ... a per se violation of the privacy laws of those states and carries statutory penalties along with it,”
Delving further into the matter, Lenkar explains “It builds voiceprints of individual users”, “so if a child uses an Alexa device in California, and then uses another one in Washington, Amazon theoretically knows it’s the same person.” The device creates a unique identity for each person based on their voice.”
The fact that Amazon could potentially overwrite the voice recordings and yet chose not to, given that doing so would not hinder the performance of the assistant, further worsens the matter on which the company is expected to provide answers in greater detail very soon.





Matrimonial Sites an Easy and Fast Platform to Dupe Brides-To-Be



Cybercrimes are at a rise once again and this time it's the matrimonial sites turning into a rather easy platform for those out to dupe the brides-to-be.

The recent case of a Hyderabad based software engineer who in the hopes of finding an ideal counterpart for her on a rather well-known and popular matrimonial site wound up giving up Rs 30,000 to somebody impersonating an All India Institute of Medical Sciences (AIIMS) Doctor.

Neha Saxena, the victim, has lodged a complaint at the Cyber-Crimes police station against the individual who hoodwinked her, said that she had given him the cash supposing he was a surgeon at AIIMS. First it was Rs 30,000 on the 7th of March and then it was Rs 20,000 more on the 20th of March.

Alarmingly, this is a not an irregular case as cyber matrimonial fraud is on the quick ascend, much to the worry of the cops, as in the previous six months alone more than 100 such cases have resurfaced.

U Rammohan, SP, Digital Violations, CID, says "There was an instance where an employee of a star hotel, posing as an IIT graduate with a salary of Rs 50 lakh per annum, duped up to 11 women. However, only one woman was ready to lodge a complaint, which is also a reason for the lack of swift action,"

Top cybercrime specialists said that most women neglect to report such cases as they dread harm of their reputation. In many cases though, women are also subjected to physical molestation and in some the victim were contacted over telephone and hoodwinked citing to personal emergency even surgery in some instances.

By and large, as the police say the fraudsters use profile information of actual person to reach the victim to anticipate doubt and shockingly enough women also are into matrimonial fraud.

The cybercrime police of the city thusly caution the many individuals who are already registered on such sites advising them to stay wary and alert.



Canadian Investigation Found Facebook to be Violating Privacy Laws



On Thursday, Canadian officials said that owing to its assailable security algorithms, Facebook exposed sensitive information of millions of its users. It has been counted as a critical failure on the company’s part which it did admit to letting happen but denied to fix.

Facebook has violated local as well as national laws when it gave access to private data of millions of its users to third parties, according to an investigation conducted by the information and privacy commissioner of British Columbia and the privacy commissioner for Canada.

The company CEO, Mark Zuckerberg put forth an apology for the major breach of trust that happened in the political scandal associated with Cambridge Analytica, however, they did not take into consideration the issued recommendations regarding the prevention of further exploitation of user data.

Putting the same into perspective, at a news conference, Daniel Therrien, head at federal privacy watchdog, said, “There’s a significant gap between what they say and what they do,”

As the regulators decided to push Facebook to a Canadian federal court which is likely to impose fines on the company, Mr. Therrien told that, “historically there have been very small penalties — in the tens of thousands of dollars.”

Facebook told the investigators that it does not agree with their findings, in response, Mr. Therrien said, “I find that absolutely untenable that a company can tell a regulator that it does not respect its findings.”

Furthermore, he asserted the need to have more authorities for the inspection of companies and even strict privacy laws in the North American country, Canada.

Reportedly, Facebook has denied audits of its privacy procedures and said that it has taken necessary measures against the problems raised by the investigators.

Referenced from the statements given by Facebook on the account, “there’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information.”

“After many months of good-faith cooperation and lengthy negotiations, we are disappointed” that regulators consider the issues raised in this report unresolved,” the company added.




Facebook 'unintentionally' uploaded the email addresses of 1.5 million users without their knowledge


On Wednesday, Facebook admitted that it happened to upload email addresses of 1.5 million users without their consent. However, the contacts were not distributed to anyone and the company said that all the users whose email addresses were uploaded will be sent a notification stating the same.

While the company is in the process of deleting the imported contacts, it said that it had no intentions of uploading these user contacts and will delete them soon.
In the recent years, Facebook fall prey to various security-related problems, including the major Cambridge Analytica political scandal which revealed that the personal data of millions of users has been harvested from their Facebook profiles by Cambridge Analytica to be used for political purposes; another major hit that the company took was a glitch which put to risk the passwords of millions of people.
Facebook has been battling public relation issues for the management of its users’ personal data which it shared with app developers who paid handsomely for advertisements and those who were friends with the company CEO, Mark Zuckerberg.
This month, sensitive documents dealing with internal deliberations over personal data of users were leaked. The documents, which comprised of presentations, emails, meeting summaries and spreadsheets, were shared by a British journalist to various media outlets, as per by NBC News.
Reportedly, the documents indicated deliberations over the selling of users’ data to third-party app developers and seemingly, Facebook decided against it. However, they opt to share the data with CEO Mark Zuckerberg’s friends who in-turn provided their valuable data or spend a huge amount of money on Facebook advertisements.  
A report indicated that Facebook finalized deals of sharing their user data with developers of Sony, Microsoft, Tinder, and Amazon, whereas access to the same information to others was restricted by Facebook.
Referencing from the statements given by Facebook VP and Deputy General Counsel Paul Grewald, 'The documents were selectively leaked as part of what the court found was evidence of a crime or fraud to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we've never sold people's data,
'The set of documents, by design, tells only one side of the story and omits important context,' he added.  





US Court Authorizes Microsoft to be in Charge of 99 Hacking Sites


Microsoft has been legally given the control of 99 websites which were being operated in association with an Iranian hacking group, Phosphorus. 

In order to prevent the sites from being employed for the execution of cyber attacks, a US court authorized Microsoft's Digital Crimes Unit to be in charge of these websites related to the aforementioned hacking group which is also known as Charming Kitten, Ajax Security Team and APT 35.

The malicious group, Phosphorus is configured to employ spear-phishing to sneak into private accounts of individuals. Cybercriminals at Phosphorus resort to social engineering in order to lure individuals to click on the links, at times sent via fake accounts that appear to be of familiar contacts. The link carries infectious software which allows Phosphorus to sneak into the computer systems.

Basically, it performs malicious activity to acquire access to sensitive data stored onto the computer systems of government agencies and businesses.

Putting the same into context in a blog post, Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft, said, "Its targets also include activists and journalists - especially those involved in advocacy and reporting on issues related to the Middle East,"

"Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013,"

"Phosphorus also uses a technique, whereby it sends people an email that makes it seem as if there's a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems," Burt told in his blog post.


Commenting on the matter, Microsoft said, "The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit's sinkhole."

WhatsApp May Oppose the Demand for Traceability of Messages




The government wants to probe into the sources of inciting and provocative messages and posts which have led to violence across the nation, incidents of lynching and various other controversial issues.

In order to do so, it has proposed certain guidelines that would require Whatsapp to unveil information regarding the origins of messages.

As doing so will contradict the end-to-end encryption WhatsApp provides, the company will oppose the proposed regulations. It will also be violating free speech and privacy rights. 

The intermediary guidelines which are reported to be made public after elections will include jail terms and penalties for heads and officials of various messaging platforms and social media companies for non-compliance.

Reasoning WhatsApp’s failure to act in accordance with the proposed guidelines, a person said, “WhatsApp feels the proposed guidelines are too broad and not in sync with privacy protection norms that are important to people everywhere,”

“What is expected from the rules is just not possible considering the end-to-end encryption the company provides — it would mean a new product.” He added.

The Facebook-owned app, which did not answer all the questions, believes that confidentiality is one of the key aspects of what they have to offer. They feel that gathering private information of users is contradictory to the whole idea of WhatsApp which was primarily designed to keep the conversations private. 

Putting the same into perspective, another person said, “The company will continue to push back against government’s attempts that it feels weaken its end-to-end encryption feature,”

While defending its stance on safety and privacy, WhatsApp previously said, “People rely on WhatsApp for all kinds of sensitive conversations, including with their doctors, banks, and families. The police also use WhatsApp to discuss investigations and report crimes,”  

“Attributing messages on WhatsApp would undermine end-to-end encryption and the private nature of WhatsApp, creating the potential for serious misuse. Our focus is on improving WhatsApp and working closer with others in society to help keep people safe.” 

Reasserting the intention of the government, an official told ET, “They don’t or refuse to understand this — we don’t want you to look into the video or the audio or content, just tell us where (it began) or who started it,”

Understanding the concern of national security and integrity, WhatsApp said that it has made essential changes in the product and has addressed misinformation via public education campaigns. Besides that, the company also made necessary alterations like limiting the times a message can be forwarded and letting people exit groups in one tap.

However, the government did not seem to be satisfied with these alterations and has continued to request for traceability.










Facebook Exposes Passwords of Hundreds of Millions of Its Users



A rather shocking vulnerability was uncovered by security researcher Brian Krebs, who reports that Facebook left the passwords of approximately 200 to 600 million users simply ‘stored’ in plain text.

A huge number of Facebook, Facebook Lite, and Instagram users may have had their passwords exposed as the aftereffect of a disturbing oversight by the social networking company.

Facebook just previously learned of the issue this past January and has since affirmed the shocking security failure, yet persists it has fixed the issue and has not discovered any proof that the data was 'abused.'

Albeit all users whose passwords were exposed will be informed, the 'shocking flaw' comes so far another blow to the already melting away trust of numerous Facebook users in the midst of the two years of consecutive privacy scandals.

The firm is as yet attempting to decide precisely the exact number of passwords which were exposed and to what extent, assures a source at Facebook who cautioned Krebs of the issue in the first place.

 ‘It’s so far unclear what caused some users’ passwords to be left exposed. To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them, we estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.'
            - Facebook released a public statement with Krebs' report and affirms that it revealed the plain text passwords amid a standard security review in January.

In any case while Facebook says no password reset is as such required, it will caution the users if their information has been abused or will be abused in any way, the security experts still recommend the users to change their current passwords.



Hackers Tracking Location History via Google Photos Vulnerability


A vulnerability has been found in the web version of Google photos which lets malicious websites access the sensitive information related to the photos such as date and geographic coordinates.

On the basis of this metadata information of your photos, they will be tagged by Google photos automatically.

The metadata of any photo allows details to be moved along with the photograph file which is readable by end users, hardware and software.

How the Hack Functions

To begin with, the hackers have to befool the user and trick him into accessing the malicious website while he is logged into his Google Photos account.

As soon as the malicious website opens in the web browser, it generates answers to the questions the attacker has by stealthily generating requests to the Google Photos search endpoint.

As stated in a report by Imperva, the hacker can keep a record of the queries which have been already asked and resume the process from there on upon your next visit onto any of his infectious websites.

Reportedly, the vulnerability has been patched by Google after Imperva brought it to their knowledge.





Hacker Puts Up For Sale the Data of Six Companies, Totalling 26.42 Million User Records



Gnosticplayers, a hacker who already is for the most part known for putting up for sale more than 840 million user records in the previous month has yet again made an appearance and has returned with a fourth round of hacked data that he's selling on a dark web marketplace.

Ever since February 11 the hacker has set available for sale, data for 32 companies in three rounds on Dream Market, a dark web marketplace. This time, Gnosticplayers is more focused on the information of six companies, totalling 26.42 million user records, for which he's asking 1.2431 bitcoin which is approximately $4,940.

The difference between this Round 4 and the past three rounds is that five of the six databases Gnosticplayers set available for sale were gained amid hacks that have occurred a month ago, i.e. in February 2019. What's more, it merits referencing that a large number of the companies whose data Gnosticplayers has sold in the past three rounds have already affirmed breaches.

The six new companies targeted this time are , namely game dev. platform GameSalad, Brazilian book store Estante Virtual, online task manager and scheduling applications Coubic and LifeBear, Indonesia e-commerce giant Bukalapak, and Indonesian  student career site YouthManual.


"I got upset because I feel no one is learning,” the hacker said in an online chat "I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry."

He says that he set up the data for sale essentially in light of the fact that these companies had neglected to ensure their passwords with solid encryption algorithms like bcrypt.

Albeit simply the last month the hacker said that he needed to hack and put up for sale more than one billion records and after that retire and vanish with the cash. But in a recent conversation, he says this is not his objective any longer, as he discovered that various other hackers have already just accomplished the similar objective before him.

Gnosticplayers likewise revealed that not every one of the information he acquired from hacked companies had been put on sale. A few companies surrendered to extortion demands and paid expenses so that the breaches would stay private.





Facebook to be reoriented towards user privacy and encryption says Mark Zuckerberg



On Wednesday, Facebook’s CEO, Mark Zuckerberg put forth a reoriented model of privacy for the social media platform which has continued to encourage generation after generation to share what’s up with their life via pictures and status updates.

In an essay Mark posted on his account, he announced his future plans regarding Facebook which are focused on safety, interoperability, private interactions, encryption, secure data storage and reducing permanence.

After consistently being in news for security issues, the company has finally decided to appropriately position itself for an unknown time which is yet to come. Seemingly, the plan of action has been fuelled by the descending trust of the users and ongoing arguments with regulators across the globe.

Explaining the new model, Zuckerberg told that Facebook would be subjected to a change which would remodel the platform after a living room, where people will have complete control over who can communicate with them and a trust that no one else can access what they share, which is in contrast to the initial model which was based into broadcasting information to large sections.

Referencing from Zuckerberg’s Facebook post, “Public social networks will continue to be very important in people's lives -- for connecting with everyone you know, discovering new people, ideas and content, and giving people a voice more broadly. People find these valuable every day, and there are still a lot of useful services to build on top of them. But now, with all the ways people also want to interact privately, there's also an opportunity to build a simpler platform that's focused on privacy first.”

“In a few years, I expect future versions of Messenger and WhatsApp to become the main ways people communicate on the Facebook network. We're focused on making both of these apps faster, simpler, more private and more secure, including with end-to-end encryption. We then plan to add more ways to interact privately with your friends, groups, and businesses. If this evolution is successful, interacting with your friends and family across the Facebook network will become a fundamentally more private experience.”

The subtle and skeptical reactions to Mark’s announcement included privacy advocates questioning about the data that is collected for Facebook’s benefits, they asked if the practice will be minimized. Meanwhile, they asserted on the CEO’s need to talk beyond encryption and prioritize answering the questions on data collection for business purposes.

Referenced from the statements given by Jess Chester, executive director of a nonprofit privacy advocacy group in Washington, “Why does it always sound like we are witnessing a digital version of Groundhog Day when Facebook yet again promises — when it’s in a crisis — that it will do better,”

“Will it actually bring a change to how Facebook continually gathers data on its users in order to drive big profits?" He added.

Commenting on the matter, Jennifer Grygiel, assistant professor of communications at Syracuse University, questioned, “What’s not clear is how they are going to make this transition safely. We have already seen the risks associated with WhatsApp and private encryption in India, for example, where misinformation has led to mobs and the loss of life,”

Studies suggest that consumer trust in Facebook took critical hits due to continuous exploitation of users’ data. In terms of reputation among 100 highly visible public companies, Facebook fell from being 51st to 94th last year. Moreover, certain Facebook user polls implied people entirely getting rid of the app by uninstalling it.

While acknowledging the reduced trust quotient in his post, Zuckerberg wrote, “I understand that many people don’t think Facebook can or would even want to build this kind of privacy-focused platform — because frankly we don’t currently have a strong reputation for building privacy protective services, and we’ve historically focused on tools for more open sharing,” he said. “But we’ve repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories.”


To Zuckerberg’s proposal of a future which would look different, Twitter bore witness to another skeptical remark as Ashkan Soltani, a former Federal Trade Commission official and privacy researcher, said “This move is entirely a strategic play to use privacy as a competitive advantage and further lock in Facebook as the dominant messaging platform.”

Hackers Target Popular Instagram Profiles


Cyber Hackers have now set their sights on the Instagram accounts of high-profile and social media influencers with phishing emails so as to gain access to their accounts before the influencers can even comprehend what's going on.

As indicated by sources it was reported that the hackers have especially targeted those Instagram profiles that have followers somewhere in the range of 15,000 and 70,000. Their targets for the most part go from well-known actors and artists to even proprietors of new companies.

Starting with the phishing emails showing up from Instagram requesting that the user should verify their accounts to get the 'Verified' batch on their respective Instagram profiles; it takes them to the phishing page that requests the following user certain details such as their date of birth, email, and credentials.

Once submitted, a batch notification shows up, yet for just four seconds. This is a trap to give the users the feeling that their profile has been verified thusly.

A visualization of how the hackers are stealing the Instagram profiles
As the user enters the credentials in the phishing page attackers gain access to those credentials and by utilizing them they access the Instagram profiles and change the data that requires recouping the stolen account.

The attackers change the username of the stolen address to show that it is hacked and use it to change the email address, over and over in order to trap the users with security emails making them feel as though the changes made were legitimate indeed.

Screenshot of the phishing email asking the user to verify his Instagram account
That is exactly what happened to a photographer who had approximately 15,000 followers on Instagram, when she had her account stolen.

The hackers nowadays have therefore, without any doubt become experts in areas where they 'lure' the victims into handing out their personal information to get a motivating force, particularly like the blue batch on their profiles and their mimicry of Instagram's messages nearly seems real.

Hence, here are some of the warnings users and organizations can keep an eye out for and eventually protect their accounts from being hacked;

1. Use of domains other than the social network's own
2. Dubious font styles (i.e., utilization of screenshots rather than genuine pictures)
3. Incorrect language and punctuation 
4. Emails that request credentials; social networks never request them outside of their real, secure login pages
5. Spam filters and Antispam portals.



Hackers Targeting Retail Websites and Online Shoppers via Formjacking



With the advent of online shopping, the e-commerce market has skyrocketed and by 2022, the figures are expected to touch a whopping $150 billion. The ever-expanding arena of e-shopping has given cybercriminals even more reasons to exploit user data employing all new ways. The most recent hacking method which affects online shoppers is known as ‘Formjacking’.

What is Formjacking?

It is a virtual ATM skimming method which is employed by cybercriminals to insert malicious codes into retail websites. These codes are programmed to leak payment details of the shoppers along with their card details.

A report from Symantec suggests that every month, over 4,800 different websites fall prey to Formjacking. It has also been observed that the number of Formjacking attacks has been increased over the past year and the data is also being sold on the dark web.
Referencing from the report, “By conservative estimates, cybercriminals may have collected tens of millions of dollars last year, stealing consumers’ financial and personal information through credit card fraud and sales on the dark web, with a single credit card fetching up to $45 in the underground selling forums,”
Expressing concern on the matter, Greg Clark, CEO, Symantec, said “Formjacking represents a serious threat for both businesses and consumers,”
 “Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft. For enterprises, the skyrocketing increase in Formjacking reflects the growing risk of supply chain attacks, not to mention the reputational and liability risks businesses face when compromised,”



Attention Binge-Watchers! A New Netflix Scam Is On the Loose






Netflix users, become the target of yet another cyber-attack, this time as a phishing scam email requesting for the users to update their billing information so as to unlock their accounts.

The email scam says that the user account has been briefly suspended because of a few issues in the "automatic verification process" in this way, to unlock their accounts, the users would need to update their billing information i.e. the details of their payment method and credit/debit cards.

Since the user will have to login to their respective Netflix accounts they will be in danger of having their 'identity' stolen and their bank account will be at risk of being cleared.

This kind of scam isn't new though, particularly for huge brands, such as Netflix.

"Unfortunately, scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information," a Netflix spokesperson said.

The email security service responsible for detecting the Netflix phishing email and releasing an announcement advising users to be alert was MailGuard ,which is known to detect and block the "criminal intent" messages.

Despite the fact that Netflix utilizes various proactive measures to distinguish such fake exercises, a spokesperson from the 'streaming giant'  told media and the users who need to figure out how to guard their Netflix personal data from scams to visit netflix.com/security or contact customer service directly when situations similar to these arise.

What's more, in the event that if the user has already entered their details on the phishing page, he prompted them to change passwords for the account being referred to, be it Netflix or some other service.

Furthermore, on the off chance that they've entered the payment information, then immediately contact their bank to block their cards and along these lines prevent any exchanges.