Snapchat Lied about privacy, saved your selfie images and videos on their server

Source: www.hackread.com


Snapchat has agreed to settle with the Federal Trade Commission (FTC) deception charges leveled against itself without admitting or denying any wrongdoing, says an official statement released on Thursday.

As part of the settlement, the company is required to implement a privacy program monitored by an outside privacy expert for the next 20 years.

This settlement is similar to arrangements endorsed by Google, Facebook, and Myspace.

The FTC had complained that Snapchat was “making multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.”


Other charges slapped against Snapchat included:

  • It stored video snaps unencrypted on the recipient’s device in a location outside the apps’ ‘sandbox’
  • Misrepresentation of data collection practices
  • Collection of iOS users’ contacts information from their address books without their consent: During registration, the app prompted users to enter their mobile number to find their friends on Snapchat. It informed users that the app would collect their email, phone number, and Facebook ID. However, it also collected the names and phone numbers of all the contacts in the mobile device’s address book without the users’ permission.
  • Failure to secure its ‘Find Friends’ feature, which resulted in a security breach that allowed attackers to collect the usernames and phone numbers of 4.6 million Snapchat users. The app was later updated to give users an option to opt out of the Find Friends feature.

Snapchat is a widely used messaging app that promises privacy and security because the messages exchanged through its servers do not stay there forever but disappear after the recipient has viewed them.

However, the FTC claimed that messages did not disappear: conversations, images and videos could easily be saved by third-party applications, and the application’s promises were therefore misleading.

The FTC recorded several cases of misrepresentation by the messaging company. Recipients could easily access the videos once they connected their mobile device to a computer and navigated the device’s file directory. The FTC also found a false claim that the sender would receive a notification whenever the recipient tried to take a screenshot of the video or message: a recipient using an Apple device running an operating system prior to iOS 7 could escape the screenshot detection.

Additionally, Snapchat’s Android application transmitted its users’ geolocation information, the FTC observed.

Edith Ramirez, FTC Chairwoman, said,

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises”

She added further,

“Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

The Snapchat settlement is part of the FTC’s ongoing effort to ensure that application makers keep the privacy promises they make.

Although the settlement does not have any financial component, any further violation is punishable by a civil penalty of up to USD 16,000 each.

The FTC plans to publish a description of the consent agreement package soon, which will be available for public comments till 9 June, 2014.

Snapchat, on its blog on Thursday, said

“This morning we entered into a consent decree with the FTC that addresses concerns raised by the commission. We continue to invest heavily in security and countermeasures to prevent abuse,” the blog post read.

They also said their main focus was to develop ‘a unique, fast way to communicate with photos’ and in doing so,

“some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community.”

However, the company blog reiterated,

“We are devoted to promoting user privacy and giving Snapchatters control over how and with whom they communicate. That’s something we’ve always taken seriously, and always will.”

Snapchat is a Los Angeles-based company run by Evan Spiegel and Bobby Murphy, two Stanford alumni.

Released in 2011, the service quickly gained a following and now claims to transmit 700 million messages every day.

But is privacy and security in an online environment a plausible desire?

Security researchers firmly believe that anything sent over the Internet stands a chance of interception and that anything posted on the Internet remains there forever.

“The Internet is forever, and people don’t realize that. You think you can delete a tweet or a Facebook post, but it doesn’t go away. Most people don’t know how hard it is to make a message disappear,” Nico Sell, a security expert and one of the founders of rival mobile messaging app Wickr, told The New York Times.

Microsoft sticks to vow, leaves XP exposed to ongoing attacks

Source: www.computerworld.com

Hackers are exploiting an Internet Explorer (IE) vulnerability that was left unpatched in Windows XP on Tuesday, Microsoft and outside security experts said.

The bug, identified as CVE-2014-1815, was one of two Microsoft patched with a critical update issued Tuesday for IE6, IE7, IE8, IE9, IE10 and IE11. In the accompanying security bulletin, Microsoft noted that the vulnerability had been both known to hackers and used by them prior to yesterday’s update.

“Microsoft is aware of limited attacks that attempt to exploit this vulnerability in Internet Explorer,” the bulletin stated.

But because Windows XP exhausted its support privileges last month, users running the aged operating system did not receive the IE security update, unlike owners of Windows Vista, Windows 7 and Windows 8 PCs.


Also on Tuesday, Microsoft reasserted that it has patched its last Windows XP bug. In the strongest signal yet that it will stick with its plan — and that a May 1 emergency patch for IE on XP had been a one-time deal — a company spokesman said, “The Windows XP end of support policy still remains in place moving forward.”

Originally, Windows XP was bundled with IE6, but over the years users have upgraded to IE7 and then IE8, the five-year-old browser that is the newest from Microsoft able to run on XP. If XP were still supported, XP PCs would certainly have received the update.

“This is the first advisory that clearly would have applied to Windows XP,” said Ross Barrett, senior manager of security engineering at Rapid7, in an email yesterday. “IE6, IE7 and IE8 are vulnerable on Windows [Server] 2003; this would historically have mapped to the same scope of XP patches, but not this time.”

As Barrett noted, Microsoft’s security bulletin listed Windows Server 2003 as affected by the vulnerability. The server software was patched Tuesday because its support lifespan runs until July 14, 2015.

CVE-2014-1815 is a classic “drive-by” vulnerability that can be triggered simply by duping IE users into visiting a malicious or compromised website. As soon as an unpatched Internet Explorer reaches such a site, the exploit leaps into action, immediately hijacking the PC and sticking malware on the hard drive.

Because IE6, IE7 and IE8 on Windows XP will not be patched, users will remain vulnerable to these sneaky attacks in perpetuity.

Most security professionals have urged people stuck on XP to switch to another browser, one that still receives updates: Google’s Chrome, Mozilla’s Firefox and Opera Software’s Opera all fit that bill. According to research conducted by Computerworld, XP users can dramatically lower their risk by dumping IE.

Other vulnerabilities patched by Microsoft yesterday were also left unfixed in Windows XP. “We can assume that any vulnerability that [was] for Windows Server 2003 is applicable to XP as well. For this month, that means at least: MS12-029 (IE), MS12-024 (ASLR), and MS12-025 (Group Profile),” said Wolfgang Kandek, chief technology officer at Qualys, in an email.

Together, those three security updates patched four vulnerabilities out of the month’s total of 13.

For people who cannot give up IE, Microsoft provided workarounds it said would help ward off attacks, including those aimed at the browser when it’s running on Windows XP. However, the workarounds have negative side effects that may make some websites unusable, Microsoft warned. The security bulletin MS14-029 includes those workaround instructions.

Another stop-gap users can deploy is the Enhanced Mitigation Experience Toolkit (EMET), a free anti-exploit utility that works on Windows XP. EMET 4.1 can be downloaded from Microsoft’s website.

CVE-2014-1815 was reported to Microsoft by Clement Lecigne, a security engineer who works for Google in its Swiss office.

Lecigne made news three months ago when he was awarded $10,000 by the Internet Bug Bounty (IBB), a new program funded by Facebook and Microsoft. IBB cut Lecigne the check for finding a critical vulnerability in Adobe’s Flash Player. Lecigne donated the $10,000 to the Hackers for Charity non-profit.

An App-Controlled Drone That Delivers Beautiful 1080p Footage

Source: www.wired.com

The government may still be wary of them, but civilians, filmmakers, and wanna-be spies all clearly want more camera-wielding drones. Now Parrot, one of the companies responsible for the whole quadcopter craze, is finally announcing its own 1080p camera-totin’ model: The Bebop Drone.

Bebop comes with a built-in 14-megapixel camera that can shoot 180-degree footage with its fisheye lens. In a demo, its 3-axis image stabilization produced shake-free video (which is great, because that whole shaky cam fad always left me on the nauseous side). The quadcopter also has a gyroscope, accelerometer, altimeter, magnetometer, ultrasound, and vertical camera tucked inside its frame to keep actual flying super smooth as well.

This airborne camera-mobile also includes 802.11ac Wi-Fi and dual 2.4GHz/5GHz antennas for connecting and streaming footage to Parrot’s new Skycontroller or your mobile device. (The latter can be used as a controller too with the Freeflight 3.0 iOS and Android app.) The Skycontroller is basically a fancy analog controller running Android 4.2 that connects to the Bebop Drone over a range of up to 1.24 miles. It also includes a tablet mount so you can view its photos and videos while you navigate. The Freeflight app offers virtual, onscreen controls, as opposed to physical joysticks, as well as the ability to pre-program flight plans, including the option to schedule when and at what angle the Bebop will take a photo or video.

Bebop isn’t Parrot’s first time loading up a drone with a camera, but it weighs slightly less than its predecessor even with its bumper-like “hull” attached. Its 1200 mAh lithium polymer battery takes around 2.5 hours to charge and supports 12 minutes of flight time. That may sound paltry, but it’s on par with competitors’ capabilities.

The Bebop Drone doesn’t go on sale until the end of this year, and Parrot isn’t listing the price just yet. However, you can bet it won’t be cheap: DJI has a direct Bebop competitor with a built-in camera priced at $1,000. And GoPro toting drones from Helipal and DJI run around $400 (not including the cost of the GoPro).

Still, if you’ve got that kind of dough lying around, you’ll be able to take some pretty sweet drone selfies once this guy comes out.

Office for iPad Downloaded 27 Million Times in 46 Days: Microsoft

Source: http://gadgets.ndtv.com

It looks like Office for iPad has had an overwhelming response from users worldwide: Microsoft has revealed download numbers and statistics for the applications, with the company’s Julia White announcing the figures at the TechEd conference on Monday.

The figures were stated by White 46 days since the launch of Office for iPad on March 28, implying that the Microsoft Office suite for iPad users was additionally downloaded 15 million times over the 12 million figure that was reported in early April. This gives an average daily download rate since launch of 587,000.

Additionally, Microsoft Word for iPad is the most popular of the three apps; it is currently ranked 11th in the United States (as per TechCrunch) and is in the top 100 in 109 countries. By comparison, rival Google Docs sits at 23rd position in the US for iPad.

Microsoft last month released its first update for the Office for the iPad suite, with a new printing feature. Users can now print Word documents, Excel spreadsheets and PowerPoint presentations on a printer connected to the iPad, using the inbuilt Apple AirPrint feature. In Word, users can choose to print a document with or without markup, and in Excel users can print a selected range, a single worksheet or an entire spreadsheet.

With the update, the company also introduced a SmartGuides feature for PowerPoint and an AutoFit feature for Excel. Microsoft also included a few bug fixes and stability improvements in the update.

Microsoft’s Office apps are free, but users need an Office 365 subscription for making edits to documents. Microsoft recently introduced its Office 365 Personal subscription in India, priced at Rs. 330 per month, or Rs. 3,299 for an annual subscription.

Tata Motors website hacked by Pakistani Hackers

Source: http://www.ehackingnews.com/

The official website of Tata Motors, the largest Indian multinational automotive manufacturing company, has been breached and defaced by a Pakistani hacker who uses the online moniker “H4$N4!N H4XOR”.

The main website is not affected by this breach. The hacker defaced ‘connect.tatamotors.com’, a sub-domain dedicated to the Auto Expo 2014.

“India B Ready I Am Coming 😛” the hacker wrote on the defaced page.

“Pakistan Haxors Crew is here to remind you of your security… Our fight is not against any individual but the system as a whole.. Should you choose to ignore security, it will reincarnate as your worst nightmare !  We just defaced your website to give you a chance to put your hands on it before others come and destroy it!”

At the time of writing, the Tata Motors sub-domain still showed the defacement page. A mirror of the defacement is available here: http://zone-h.com/mirror/id/22337776

Two Students arrested for hacking into School System to change Score

Source: http://www.ehackingnews.com

Two students from a college in Shanghai’s Songjiang District have been arrested for allegedly breaking into their school’s computer systems to change their grades.

The college students, named Chen and Zhang, did not attend the morning physical education class regularly, so in December 2013 they decided to break into the college’s system and change their scores.

After students heard about their successful effort, other students turned to them for help.

According to a Shanghai Daily report, they charged 15 to 20 yuan for each change they made in the school’s database.

They earned more than 80,000 yuan (more than $12,000) by helping over 200 students.

The school noticed the false records in March and fixed the vulnerability that allowed them to change the scores.

Bitly website hacked, accounts credentials compromised

Brought to you by http://www.ehackingnews.com


Bitly (bit.ly), the popular URL shortening service, has issued an urgent security warning about a security breach that exposed account credentials.

The company says it has found no evidence suggesting that any accounts have been accessed by the intruders. However, as a precaution, the company has disconnected users’ Facebook and Twitter accounts.

“We invalidated all credentials within Facebook and Twitter” the blog post reads.

Although the social media accounts will still appear to be connected to the Bitly account, users won’t be able to publish anything until they reconnect the accounts.

Users are advised to take the following steps to reset their OAuth tokens and API Keys:

1) Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.

2) At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’

3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.

4) Go to the ‘Profile’ tab and reset your password.

5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’

Bitly says it has “already taken proactive measures to secure all paths that led to the compromise”.

Syrian Electronic Army hacks 4 Wall Street Journal twitter accounts

Brought to you by http://www.ehackingnews.com/

The Wall Street Journal was caught in the crossfire between the Syrian Electronic Army and Ira Winkler, the CEO of security firm Secure Mentem.

The Syrian Electronic Army (SEA) hijacked four Twitter accounts belonging to the WSJ: @WSJD, WSJ Europe (@WSJPEurope), WSJ Africa (@WSJAfrica) and WSJ Vintage (@WSJVintage).

SEA posted the message “@Irawinkler is a cockroach” with a picture of Ira Winkler’s head on the body of a cockroach.

The attack was carried out in response to an RSA Conference presentation in which Winkler talked about the hacking methods of the SEA and made fun of them.

In his presentation, Winkler also commented that “these people are like cockroaches of the Internet”.

This is not the first attack carried out by the SEA in response to this presentation. Last month, the group also defaced the RSA Conference website and said, “If there is a cockroach in the internet, it would be definitely you”.

The Wall Street Journal seems to have recovered the hijacked Twitter accounts; it posted on Twitter: “We have secured our compromised Twitter accounts and they are now functioning normally.”

Orange warns users of phishing attacks following 2nd security breach

Brought to you by http://www.ehackingnews.com/

France-based telecoms company Orange has been hacked for the second time this year; more than 1.3 million customers are affected by this security breach.

In mid-April, hackers gained access to a platform used by Orange to send email and SMS to its subscribers, according to a Connexion report.

The company sent an email to affected customers containing a “click to call back” link. Users who click the link will receive a call from Orange.

The personal data accessed by hackers includes names, email addresses, mobile and landline numbers, date of birth as well as names of mobile and internet operators.

No payment information or credit card numbers and no passwords have been compromised in this breach.

However, the main risk in this case is that the compromised data can be used by attackers to launch phishing attacks. Such attacks claim to come from legitimate organizations and trick users into providing their passwords and financial data.

Back in February 2014, Orange sent letters to 800,000 customers stating that hackers had accessed personal data including email IDs, phone numbers, names and mailing addresses.


Popular Remote Management Tool Allows Login Without Authentication (Courtesy of www.securityweek.com)

A remote management tool used in some enterprises can be exploited by attackers to remotely connect to a host without needing any passwords, according to a Trustwave researcher.

Many organizations use the NetSupport software to remotely manage and connect to PCs and servers from a central location. These systems normally are set up with either Domain or local credentials, and shouldn’t be accessible without the person logging in. However, if the system has NetSupport installed for remote desktop support, it most likely has the default configuration, which allows remote users to connect automatically without authentication, David Kirkpatrick, a principal consultant at Trustwave, wrote in a blog post. The software also leaks detailed information about the device, such as the hostname, version number, and the username.

With NetSupport’s default configuration, anyone can remotely connect to the system and bypass the login prompt altogether, Kirkpatrick said.

Kirkpatrick wrote an Nmap script to check each endpoint on the network to determine whether it has NetSupport installed and whether it has the default configuration enabled. The script returns “useful NetSupport configuration settings,” such as the hostname, username, and NetSupport version number, among other things, Kirkpatrick said. An attacker could use the same script to search the network for vulnerable systems.

“I could run this script across the network and the clients would be unaware of my testing of their configuration,” Kirkpatrick said. Connecting to the system would be a little bit harder because the original user will see a pop-up on the computer indicating a new user was also connected to the system.

For an attacker to successfully compromise the machine, he or she would first need to have the NetSupport Manager software installed, Kirkpatrick told SecurityWeek in an email. That isn’t difficult, as an evaluation copy is available for free. Once connected remotely, the attacker would be able to take over the system as though he or she had control of it locally. The attacker could also send commands to the compromised system over the remote desktop connection and retrieve information from a Windows shell, he said. The mouse and keyboard can be shifted to the attacker’s control.

It is easy to dismiss the research as affecting only insider threats. But the way NetSupport is left wide open to abuse makes it clear that the software needs to be secured. The fact that a remote user can access a PC running the NetSupport product means the system can be entirely compromised.

NetSupport has fixed the information leakage vulnerability in later versions, so that a password is always required to connect to an endpoint, Kirkpatrick said.

“The lesson here is that greater care should be taken when installing such powerful software that can bypass all your domain security so easily,” Kirkpatrick warned, before adding, “Of course, software providers can help by securing their default installation configurations as well.”