Tag Archives: Hackers
Google is advising anyone who uses the Chrome browser to make sure their browsers have the latest update, which patches a “high” risk security flaw that hackers are already exploiting on unsuspecting victims.
It’s common practice, when a bug is disclosed, not to share details of how it works until most users have the security patch. The practice lets companies like Google notify users and roll out updates without tipping off potential bad actors.
While little is known about how the threat, called CVE-2019-5786, works, Justin Schuh, Google’s Chrome engineering and security desktop lead, tweeted on Tuesday that everyone should update their Chrome browser “right this minute” on every device.
Google Chrome updates are usually automatic, but they don’t always roll out to everyone at once. If you’d like to trigger a manual update, you can click the three dots in the upper-right corner of the window, then select “Help” and “About Chrome.” This page tells users whether their browser is up to date or whether they need to restart their device to load the updated, patched version of the browser.
Hackers have tried to convince potential buyers—and the BBC Russian Service—that they had cracked Facebook’s security and extracted private messages from 120 million accounts. However, according to an outside expert cited by the BBC, it appears likely that at least 81,000 Facebook accounts had their privacy breached. And according to Facebook, the breach is due to browser extensions containing malware.
“We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related,” Facebook’s vice president of product management, Guy Rosen, said in a statement.
The hackers originally published an offer in September for personal information related to 120 million Facebook accounts on an English-language forum. This included a sample of data that the BBC had an expert examine, confirming that the private messages of over 81,000 profiles were included. An additional 176,000 accounts had data that could have been scraped from public Facebook pages.
Facebook’s Rosen said that its security wasn’t compromised, and urged people to remove any plug-ins they don’t fully trust. Rosen said the social network had notified law enforcement, and that the website hosting the Facebook account data had been taken down.
Depending on the browser, plug-in extensions may be able to monitor a user’s activity on any web page. This typically doesn’t include keystrokes, but extensions can sweep in anything rendered on a page for a user to see, such as public and private messages.
Plug-ins that provide toolbars or insert links for coupons for e-commerce are common. However, with so many extensions available, malicious parties have many options: compromise existing software through insiders or poor developer security; release their own seemingly benign plug-ins that provide a useful function alongside snooping; or buy extensions from developers and then update them to include malware.
So, install at your own risk.
Until yesterday, unless you had a family member or friend in prison, you most likely had never heard of JPay. That’s because all of its services are directed toward inmates and their families.
Since 2002, JPay has been quietly moving into prisons across the country, first by providing quicker (though pricier) ways for family members to send money to loved ones behind bars and, since 2004, by providing limited email systems in prisons. Those systems are often touted as an innovation that keeps incarcerated people connected with support networks on the outside. In keeping up with the technological times, JPay also offers prison-specific tablets on which users can access their e-messages, buy music, and play electronic games.
But this week, Idaho prison officials announced that these tablets became the means for 363 inmates, across five state prisons, to create nearly a quarter million dollars of credits. Collectively, the prisoners created roughly $225,000 in JPay credits, which they added to their respective accounts to pay for e-messages, music, and games. In a statement to the Associated Press, Idaho Department of Correction spokesman Jeff Ray said that, of the 363 imprisoned hackers, 50 men credited their accounts in amounts exceeding $1,000, with the largest amount falling just under $10,000.
Idaho is just one of a number of states across the country offering tablets to incarcerated populations. Nearly half of all state prison systems offer some form of e-messaging, a basic form of prison email provided by a single company that controls both software and hardware. In Idaho, that company is JPay. One of the largest purveyors of prison messaging, JPay contracts as the sole provider of these services in 20 states across the country.
And Idaho is also one of a growing number of states where prisoners have the option to purchase a JPay tablet. Unlike the Kindle Fire or the iPad, these tablets are specific to JPay and an imprisoned population—one cannot access the Internet or other services through the tablet. But it allows users to listen to music, read e-books, play video games, and avoid the lengthy lines at the JPay kiosks to read and write e-messages. All of these services come at a cost. In Idaho, sending a single e-message costs 47 cents, while downloading music costs as much as $3.50. As 363 people in Idaho found out, they can also use those tablets to get around these costs.
“The Idaho Department of Correction has nothing more to say about this matter at this time,” Ray wrote in response to WIRED. In a statement emailed to WIRED, JPay spokesperson Jade Trombetta wrote, “While the vast majority of individuals use our secure technology appropriately, we are continually working to improve our products to prevent any attempts at misuse.”
As the sole provider of e-messaging and digital services within Idaho’s prison system, it might stand to reason that the company’s monopoly increased its risk of hacking. “If you’re forced to buy from one entity, I could see the increasing motivation,” says Jake Williams, a security expert and founder of Rendition Infosec. “But I don’t think this [monopoly] increases vulnerability to hacking.”
Instead, says Williams, any system offering an app on a device operates at a risk. “Any time you have a mobile app—whether it’s a phone or a tablet—the user has a lot of control over any data stored in the device itself,” he explained. In contrast to a web application, where data is stored on a web server, the data on a mobile app is more likely to be stored locally, meaning it remains on the phone or tablet. “A malicious user can access that back-end data,” says Williams.
It’s a problem that Williams sees often. He points to a recent vulnerability assessment that Rendition conducted on a mobile shopping app. To limit the amount of data being transmitted over the network, the app stored the item price in a SQLite database, a back-end storage mechanism on the app itself. But by modifying the price in that back-end store, “we could change the purchase price and buy the item for whatever price we wanted,” Williams recalls. “This is not an uncommon flaw with mobile apps.”
For JPay or any other provider offering tablets, a person’s credit balance is most likely stored on the tablet rather than being transmitted over JPay’s infrastructure to a centralized server. This makes it accessible to someone savvy enough to get into the SQLite database and change their account.
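As an added illustration of the pattern Williams describes (this is example code written for this page, not code from the article, JPay, or Rendition Infosec), the Python sketch below contrasts a server that trusts a price carried over from the app’s local SQLite cache with one that treats its own catalog and a server-held balance as authoritative. Item ids, prices and the starting balance are constructed for the example, and the "tamper" step simply stands in for a user editing the on-device database.

```python
import sqlite3

# Constructed sample catalog (item id -> price in cents). These values are
# assumptions for the example, not JPay's real pricing.
CATALOG = {"song-001": 350, "game-007": 999}


def make_client_db() -> sqlite3.Connection:
    """Simulate the app's local SQLite cache, which holds a copy of the catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (item_id TEXT PRIMARY KEY, price_cents INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", list(CATALOG.items()))
    conn.commit()
    return conn


def tamper_local_price(conn: sqlite3.Connection, item_id: str, new_price: int) -> None:
    """Stand-in for the flaw in the article: the device owner edits the local database."""
    conn.execute("UPDATE items SET price_cents = ? WHERE item_id = ?", (new_price, item_id))
    conn.commit()


def client_purchase_request(conn: sqlite3.Connection, item_id: str) -> dict:
    """The app builds its purchase request from whatever the local cache says."""
    row = conn.execute(
        "SELECT price_cents FROM items WHERE item_id = ?", (item_id,)
    ).fetchone()
    return {"item_id": item_id, "price_cents": row[0]}


class VulnerableServer:
    """Charges whatever price the client claims (the anti-pattern)."""

    def __init__(self, balance_cents: int) -> None:
        self.balance_cents = balance_cents

    def purchase(self, request: dict) -> int:
        price = request["price_cents"]
        if price > self.balance_cents:
            raise ValueError("insufficient funds")
        self.balance_cents -= price
        return price


class HardenedServer:
    """Ignores the client-supplied price; price and balance live server-side."""

    def __init__(self, balance_cents: int) -> None:
        self.balance_cents = balance_cents

    def purchase(self, request: dict) -> tuple:
        item_id = request["item_id"]
        if item_id not in CATALOG:
            raise ValueError("unknown item")
        price = CATALOG[item_id]
        # A mismatch between the claimed and real price is a useful signal to log
        # and alert on, because it indicates a modified client or cache.
        tampered = request.get("price_cents") != price
        if price > self.balance_cents:
            raise ValueError("insufficient funds")
        self.balance_cents -= price
        return price, tampered


def demo() -> dict:
    """Run both servers against a request built from a tampered local cache."""
    conn = make_client_db()
    tamper_local_price(conn, "song-001", 1)  # cache now claims the song costs 1 cent
    request = client_purchase_request(conn, "song-001")

    vulnerable = VulnerableServer(balance_cents=1000)
    charged_vuln = vulnerable.purchase(request)

    hardened = HardenedServer(balance_cents=1000)
    charged_hard, tampered = hardened.purchase(request)

    return {
        "vulnerable_charged": charged_vuln,
        "vulnerable_balance": vulnerable.balance_cents,
        "hardened_charged": charged_hard,
        "hardened_balance": hardened.balance_cents,
        "tampered_detected": tampered,
    }


if __name__ == "__main__":
    print(demo())
```

The defensive point is in `HardenedServer`: the client request is treated as a statement of intent ("buy this item"), never as a source of truth for price or balance, and the mismatch check turns a silent tampering attempt into a detectable event.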
Though they can still send and receive e-messages, the 363 hackers have temporarily lost their ability to download music and games until they compensate JPay for its losses, Ray told the Associated Press. They’ve also been issued disciplinary tickets, which means losing even more privileges and being labeled at a higher security risk level, a classification that could mean being moved to a more restrictive prison, being excluded from certain prison programs, and even being denied parole.
What would make a person, let alone 363 people, take that chance? In Idaho, prison wages range from 10 to 90 cents an hour. That, says Peter Wagner, director of the Prison Policy Initiative, can be a powerful motivator to figure out ways to increase one’s spending power. “JPay is a company that charges 47 cents to send an email. That’s five hours of wages,” he noted.