Monthly Archives: August 2016

FireChat brings private group chat to its off-grid messaging service

FireChat, the messaging service from Disrupt Battlefield finalist Open Garden that allows you to chat with people around you even when there is no regular Internet connection, is getting a major update today. This new version of FireChat introduces private group chats on top of its existing private one-on-one chats and public chatrooms.

These private groups can include up to 50 people and work like regular messages in FireChat. You simply select who you want to add to a group and start texting — just like in any other group chat app.

The FireChat team tells me that it’s seeing good growth in communities around the world. “In the US, people use it during large events, such as the Electric Forest music festival in Michigan and the Democratic National Convention in Philadelphia,” Open Garden CMO Christophe Daligault told me. “In India, students and communities use it to create their own free and resilient communications network. In the Philippines, media organizations (Inquirer, ABS-CBN, GMA News) use it to broadcast news, weather and traffic alerts to people whom they could not reach otherwise.”

In the Philippines, the team also recently started collaborating with its first government agency, the Metro Manila Development Authority, which used the service to send alerts during a major earthquake preparedness exercise.

While this new feature may seem straightforward, it actually turned out to be a major technical challenge, the company’s CTO Ben Teitelbaum told me.

“With meshed private group messaging, we’ve built on FireChat’s mobile ad-hoc routing capabilities to support group messaging that works when some, or even all, group members are disconnected from the Internet,” he said. “One of the biggest challenges was with key distribution. With a conventional messenger like WhatsApp or Facebook Messenger, a client can always get group information from the server. With FireChat 8, peers get group keys, invitations, messages, and group membership information directly from other peers.”

Earlier this year, by the way, Open Garden/FireChat co-founder Micha Benoliel moved into a new role as chairman after having been at the helm of the company as its CEO since it was founded in 2012. Paul Hainsworth, the company’s VP of product management, stepped into the CEO role. He previously worked at the likes of Sprint, BlackBerry and Virgin Mobile, which gives him the kind of telecom experience Open Garden needs as it tries to make OEM deals to get its products pre-installed on handsets.

Via: techcrunch

Students to play Pokémon Go at Idaho University to earn course credits

Much-needed skills like leadership, ethics, safety, and respect can all be acquired by playing the app as part of a new class.

Pokémon Go has all but taken over the world, and now one university has announced its students will play the megahit smartphone app on campus to earn course credits.

Starting in the new academic year, the University of Idaho in the US says students will wander the institution’s grounds gathering Poké Balls and searching for Pikachu, Jigglypuff, and Snorlax as part of a new physical activity class called Pop Culture Games.

The module will teach students about leading active lifestyles, building teamwork, and exploring their communities, all through Pokémon Go.

Course instructor Steven Bird described how he wants the game to be about more than catching a Pikachu, and explained: “This app does more than let you shoot a Poké Ball. You get to adventure around, seeing different things, being active, seeing the sun. It allows you to move in large groups and a team. You get, not only physical activity, but you also get team-building and leadership.”

The instructor said he already had the course in mind for some time, but had to incorporate Pokémon Go when it became an overnight, global sensation. The game’s technology and nostalgic content encourages people who might normally shy away from organised exercise to get outside, get moving and meet other players, said the university.

The goal is to give students a fun and creative class that teaches them skills to take with them far beyond an afternoon searching for colourful characters, said chair of the Department of Movement Sciences, Philip Scruggs. Much-needed skills like leadership, ethics, safety, and respect can all be acquired through the class too.

Scruggs said in a statement: “We are hoping to capture the interest in Pokémon Go and other active games and draw the link with a healthy, active lifestyle. It’s a great way to engage youth through adults, and a great way to engage families in active games together. Our interest is to turn folks onto an active lifestyle, and that can be achieved in endless ways.”

As well as Pokémon Go, students taking the class will also play the live-action game Humans vs. Zombies, which combines elements of tag, hide-and-seek, and other games for group players as they make their way around the campus as humans trying to survive a zombie invasion.

Via: independent

Time Warner takes 10% stake in Hulu, joins live-streaming TV service

Hulu has become even more of a major media company mashup – Time Warner is joining Disney, Fox and Comcast with a sizeable ownership stake in the streaming entity, picking up 10 percent (culled from a cumulative drawing down of the thirds owned by each of the other big media co’s previously) for a reported $583 million. Hulu’s over-the-top bundle, which is set to launch sometime in 2017, will benefit from the deal with content from Turner networks.

Time Warner joining the party was discussed previously, but the deal going down means it’s serious about beefing up its offering in the hopes of competing with other growing streaming players like Netflix and Amazon. Hulu, because of its close ties with the companies that control ABC, Fox and NBC, has been able to beat its competitors to the punch when offering viewers streaming access to network shows very close to (generally the day after) their original air date.

Turner doesn’t have quite the mainstream broadcasting muscle, but it does own CNN, TBS, Cartoon Network, TNT and others. The ability to count its offerings among potential live over-the-top streaming channels will definitely add to the niche appeal of any Hulu cable replacement bundle that makes an appearance next year.

Time Warner also owns HBO, but that brand’s offerings aren’t mentioned as being part of this deal, with the focus on Turner content for both Hulu’s current streaming video on demand, and future live streaming video platforms. An HBO tie-in could be a game-changer for any OTT replacement for cable packages, but Time Warner is currently charting its own streaming course on the HBO side with HBO Now, and likely wants to continue to own that avenue to viewers exclusively if it makes financial sense to do so.

The shift to OTT live TV services is likely inevitable, and recent efforts by companies including Twitter and Facebook to own live video (including content with the largest live audiences, like sports) present a strong motivator for Hulu and others with more legacy roots to stake out their own territory in the bold new streaming future of TV.

Via: techcrunch

Apple Announces Bug Bounty Program with Maximum Reward of $200K

Apple has announced it will be launching a bug bounty program that will pay security researchers up to USD 200,000 for finding flaws in its software.

On Thursday at the Black Hat USA 2016 security conference in Las Vegas, Nevada, head of the Apple Security Engineering and Architecture group Ivan Krstic made the announcement at the end of his presentation on iOS security.

Krstic feels the program furthers what Apple has been doing all along. As quoted by Threatpost:

“We’ve had great help from researchers like you in improving iOS security all along. As the mechanisms we build get stronger, the feedback I’ve gotten from my team is that it’s getting increasingly difficult to find those vulnerabilities. The Apple bounty program will reward researchers who share critical vulnerabilities with Apple and we will make it a top priority to resolve those and provide public recognition.”

At the outset, the program will only be open to two dozen security researchers who have reported vulnerabilities in Apple’s software in the past. In time, it will expand to include additional bug bounty hunters.

All the while, Apple will reward researchers based upon what types of vulnerabilities they disclose to the company. For instance, the tech giant said it will pay up to USD 25,000 for flaws that could allow an actor to gain access from a sandboxed process to user data outside of that sandbox, while it will dish out as much as USD 100,000 to those who can extract data protected by Apple’s Secure Enclave technology.

For reporting vulnerabilities in its firmware, Apple will potentially pay out USD 200,000. But that won’t be easy, according to Krstic:

“The difficulty in finding most of the critical vulnerabilities is going up and up as we invest in new security technology and mechanisms. The difficulty is such that we want to reward people for the time and creativity they put into finding bugs in these categories.”

Apple’s bug bounty program is set to kick off in September 2016.

News of this announcement follows (and is perhaps motivated by) the FBI’s commissioning of hackers to break into the iPhone 5C of one of the San Bernardino shooters.

Via: tripwire

Citibank IT guy deliberately wiped routers, shut down 90% of firm’s networks across America

It was just after 6pm on December 23, 2013, and Lennon Ray Brown, a computer engineer at the Citibank Regents Campus in Irving, Texas, was out for revenge.

Earlier in the day, Brown – who was responsible for the bank’s IT systems – had attended a work performance review with his supervisor.

It hadn’t gone well.

Brown was now a ticking time bomb inside the organization, waiting for his opportunity to strike. And with the insider privileges given to him by the company, he had more of an opportunity to wreak havoc than any external hacker.

Prosecutors described what happened next, just before Brown left the Citibank offices that evening:

“Specifically, at approximately 6:03 p.m. that evening, Brown knowingly transmitted a code and command to 10 core Citibank Global Control Center routers, and by transmitting that code, erased the running configuration files in nine of the routers, resulting in a loss of connectivity to approximately 90 percent of all Citibank networks across North America.”

“At 6:05 p.m. that evening, Brown scanned his employee identification badge to exit the Citibank Regents Campus.”

Seemingly unconcerned about being linked to the attack on Citibank’s infrastructure, Brown sent a text message to one of his colleagues:

“They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team.”

“Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.”

Brown may now be regretting his rash actions, as he has been sentenced to 21 months in a federal prison for transmitting a command that caused damage without authorization to a protected computer. In addition, he has been ordered to pay $77,200 in restitution.

A moment of madness on Brown’s part caused the disruption of business systems, would have cost the company money to investigate and resume normal operations, and has cast a shadow over the rest of the IT worker’s life. After all, how many firms are likely to trust him with their IT security now?

In short, everyone loses.

And this should be a concern for any business. You spend so much time and effort worrying about online criminals and internet hackers breaking into your business to steal your secrets, but have you considered the threat which might actually be on your payroll?

The truth is that the person hacking you may not be someone you’ve never met, wearing a hoody on the other side of the world. They could be sitting right next to you, wearing a business suit.

I would wager that malicious insiders, people who you have invited into your company’s offices, who you have shared your network passwords with, who you have granted access to your systems, pose a large potential threat and could put your business at even greater risk.

Even if they’re not IT-specific staff, if you have let them walk into your building they may have opportunities to plant keylogging hardware to grab passwords, open backdoors for other hackers, or spirit away sensitive documents without you realizing.

Don’t ignore the risks posed by the insider threat. If you turn a blind eye to them and solely focus on threats coming from outside your network then you are making a big mistake.

Take precautions, restrict privileges, monitor unusual activity, and put policies in place in both IT and human resources.

It is never going to be possible to stop every insider threat. But what you can do is attempt to limit their impact, and reduce the opportunities for a rogue member of your staff to go off the deep end.
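The advice above to restrict privileges and monitor unusual activity is easier to act on with a concrete rule. The example below is added here and is not from the article or from Citibank; it runs a simple "mass configuration wipe" detector over constructed AAA command-accounting lines (a hypothetical TACACS+-style format, with made-up user and device names) and raises one alert when a single account issues a configuration-erasing command on several distinct core devices within a short window. The window, device threshold and list of destructive commands are assumptions to tune for your own network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AAA command-accounting lines (hypothetical format, not Citibank's logs):
# one line per privileged command, as a TACACS+ accounting server might record it.
SAMPLE_LOG = """\
2013-12-23T17:40:12 user=jdoe device=core-rtr-01 cmd="show running-config"
2013-12-23T18:03:02 user=jdoe device=core-rtr-01 cmd="write erase"
2013-12-23T18:03:05 user=jdoe device=core-rtr-02 cmd="write erase"
2013-12-23T18:03:09 user=jdoe device=core-rtr-03 cmd="write erase"
2013-12-23T18:03:14 user=jdoe device=core-rtr-04 cmd="write erase"
2013-12-23T18:03:20 user=asmith device=edge-rtr-07 cmd="show interfaces"
2013-12-23T18:30:00 user=asmith device=edge-rtr-07 cmd="write erase"
"""

LINE_RE = re.compile(r'^(\S+) user=(\S+) device=(\S+) cmd="([^"]*)"$')
# Commands that wipe or drop a device's configuration (assumed list; extend for your platforms).
DESTRUCTIVE_RE = re.compile(r"^(write erase|erase (startup|running)-config|reload)\b")
WINDOW = timedelta(minutes=5)   # assumption: how close together the wipes must be
DEVICE_THRESHOLD = 3            # assumption: distinct devices before we call it a mass wipe


def parse_log(text):
    """Yield (timestamp, user, device, command) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, device, cmd = m.groups()
            yield datetime.fromisoformat(ts), user, device, cmd


def mass_wipe_alerts(text, window=WINDOW, threshold=DEVICE_THRESHOLD):
    """Alert once per user who runs a destructive command on >= threshold distinct devices within window."""
    by_user = defaultdict(list)
    for ts, user, device, cmd in parse_log(text):
        if DESTRUCTIVE_RE.match(cmd):
            by_user[user].append((ts, device, cmd))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            # Distinct devices hit by this user from `start` to `start + window`.
            devices = {dev for ts, dev, _ in events[i:] if ts - start <= window}
            if len(devices) >= threshold:
                alerts.append({"user": user, "start": start.isoformat(), "devices": sorted(devices)})
                break  # one alert per user is enough for a responder to act on
    return alerts


if __name__ == "__main__":
    for alert in mass_wipe_alerts(SAMPLE_LOG):
        print(f"ALERT: {alert['user']} erased config on {len(alert['devices'])} devices "
              f"starting {alert['start']}: {alert['devices']}")
```

On the sample, `jdoe` trips the rule (four core routers in twelve seconds) while `asmith`'s single erase does not. In a real deployment the same command-accounting feed also supports the other precaution the article names, restricting privileges: a change-control check that refuses configuration-erasing commands outside an approved window is a small extension of the same parser.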

Via: tripwire

Hacker attacks following Verizon purchase of Yahoo

A hacker has claimed to have stolen 200 million user account details from Yahoo.

Yahoo is believed to be investigating reports that a hacker has stolen 200 million of its user account details and is selling them on the dark web.

According to the BBC, Yahoo is investigating the breach.

Reports on the web suggest that a hacker called Peace, believed to have previously been part of a Russian hacking syndicate, is selling Yahoo user account details for £1,380, using bitcoin.

While some observers have said the stolen login details are relatively old, dating back to 2012, many users do not change their password and login details and often use the same login across multiple web and social media sites.

Simon Crosby, CTO and co-founder of Bromium, said: “Users need to be vigilant. If you use any services whose data, if stolen and made public, could be used against you, then edit your profile now to include false information and a fake email address, or an alternative, randomised, non work email address from an online provider.

“Users should also be on the lookout for strange-looking emails from friends who they would normally trust – their account might have been compromised. Finally, reset your online service passwords such as your bank, if you think your email may have been compromised, since many SaaS apps use email to confirm password changes.”

According to some experts, the hacker may have tried to extort money from Verizon, which last month acquired Yahoo for $4.8bn.

Lisa Baergen, director at NuData Security, said: “All indications are that this is an old breach (2012) prior to Yahoo changing the method in which it stores and protects passwords. This dark web “sale” of old data appears to have been triggered by the sale of Yahoo to Verizon. The hacker sent his demand for extortion to the Verizon CISO, who appears to not have taken the bait… and now the data is for sale.”

Trent Telford, CEO at Covata, said the hacker claimed Yahoo’s encryption was weak.

“While it’s not completely clear what encryption Yahoo was using – the hacker did comment that the data was hashed with an MD5 algorithm, coding that can easily be bypassed – the access management element alone clearly wasn’t sufficient. Companies must understand that not all encryption was created equal. They must use technology that not only robustly encrypts data at source individually rather than in huge sets, but also enables them to rigorously control who is accessing it and where. This ensures information is only readable by those with the relevant security clearance in a secure environment. The data also becomes completely trackable, meaning access can be locked down should it somehow make its way onto the dark web.”
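The quote above turns on the claim that the passwords were stored as MD5 hashes. The example below is added here, is not from the article or from Yahoo, and shows the two properties that make unsalted MD5 a poor password store: it is deterministic (two users with the same password get the same hash, so a leaked table immediately reveals shared passwords and can be matched against precomputed digests) and it is fast. It sets that beside a salted, iterated PBKDF2-HMAC-SHA256 record with constant-time verification. The user names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample: two users who happened to choose the same password.
SAMPLE_USERS = {"alice": "summer2012", "bob": "summer2012"}

# Assumed cost factor; pick the highest your login latency budget allows.
PBKDF2_ITERATIONS = 200_000


def md5_store(password: str) -> str:
    """Unsalted MD5, the scheme the hacker described: deterministic and fast, so every user with
    the same password gets the same digest and a stolen table is matched against precomputed
    digests at millions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. Record format: 'iterations$salt_hex$dk_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_record(store) -> bool:
    """True if the scheme leaks 'these two users share a password' straight from the stored values."""
    records = {user: store(pw) for user, pw in SAMPLE_USERS.items()}
    return records["alice"] == records["bob"]


def cost_ratio() -> float:
    """Rough single-run estimate of how many MD5 guesses fit into one PBKDF2 verification."""
    pw = SAMPLE_USERS["alice"]
    t0 = time.perf_counter()
    for _ in range(1000):
        md5_store(pw)
    md5_each = (time.perf_counter() - t0) / 1000
    record = pbkdf2_store(pw)
    t1 = time.perf_counter()
    pbkdf2_verify(pw, record)
    pbkdf2_each = time.perf_counter() - t1
    return pbkdf2_each / max(md5_each, 1e-9)


if __name__ == "__main__":
    print("MD5: same password -> same record?   ", same_password_same_record(md5_store))
    print("PBKDF2: same password -> same record?", same_password_same_record(pbkdf2_store))
    print(f"one PBKDF2 check costs about {cost_ratio():,.0f} MD5 guesses")
```

The per-user salt is what breaks the "one crack reveals everyone" property; the iteration count is what shrinks the attacker's guess rate. A memory-hard function such as scrypt (`hashlib.scrypt`) or bcrypt would be the usual choice today, with the same record-and-verify shape.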

Via: computerweekly

Disney Confirms Data Breach of Playdom Forums’ Servers

Disney Consumer Products and Interactive Media has confirmed a data breach that affected some users of its Playdom forums.

A spokesperson for the business segment of the Walt Disney Company explains in a statement that security teams detected the incident back in July:

“On July 12, 2016, we became aware that an unauthorized party gained access to the Playdom Forum servers. We immediately began investigating the incident and discovered that on July 9 and July 12, 2016, the unauthorized party acquired certain user information from the site.”

The actor is believed to have accessed the usernames, email addresses, passwords, and IP addresses of Playdom Forum users.

According to the site’s statistics, there were 356,000 registered users prior to the breach’s discovery.

At this time, it’s unclear how the attacker gained access to Disney’s forum servers. Security researcher Troy Hunt believes the breach might be connected to Playdom’s use of a vulnerable version of forum software vBulletin.

A post on vBulletin’s own forums seems to confirm that point.

A screenshot of the Playdom Forums taken by the Wayback Machine’s internet archiving system. (Source: Naked Security)

In response to the breach, Disney has invalidated all Playdom users’ passwords and notified law enforcement of the incident. The company has also shut down the playdomforums website and launched a new forum with “enhanced security measures.”

For users who may have been affected by the breach, Disney offers the following advice:

“If you use the same password on other online accounts, we recommend you set new passwords on those accounts immediately. Internet security experts recommend using different passwords for each account and electing passwords that are hard to guess. In addition, we will never ask you for personal or account information in an email, so please exercise caution if you receive unsolicited emails that ask for that information.”

It’s important that users create a strong, unique password for each of their web accounts. Doing so will help protect against password reuse attacks, such as those campaigns which recently targeted Carbonite’s users.

Via: tripwire

Social Security Administration Now Requires Two-Factor Authentication

The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits through its online portal. Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves.

The SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

The SSA noted it was making the change to comply with an executive order for federal agencies to provide more secure authentication for their online services.

“People will not be able to access their personal my Social Security account if they do not have a cell phone or do not wish to provide the cell phone number,” the agency said. “The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account. We expect to provide additional options in the future, dependent upon requirements of national guidelines currently being revised.”

Although the SSA’s policy change provides additional proof that the person signing in is the same individual who established multi-factor authentication in the first place, it does not appear to provide any additional proof that the person creating an account on the portal is who they say they are.
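The server side of the login flow the SSA describes (username and password, then a one-time 8-digit code that must also be entered) is small but has a few details worth getting right. The example below is added here and is not the SSA's code; it issues a code, keeps only a keyed hash of it with an expiry and a guess counter, verifies in constant time, and burns the code after one use, after it expires, or after too many wrong guesses. The delivery channel is deliberately outside the code, which is the part NIST's draft guidance questions for SMS; the validity window, attempt limit and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_DIGITS = 8          # the SSA describes an 8-digit code
CODE_TTL_SECONDS = 300   # assumption: a five-minute validity window
MAX_ATTEMPTS = 3         # assumption: burn the code after three wrong guesses

# Per-deployment secret, created at startup (constructed here). Codes are stored only as
# keyed hashes: an 8-digit code is trivially recoverable from an unkeyed hash, so a leaked
# store would otherwise hand out every live code.
SERVER_KEY = secrets.token_bytes(32)

_pending = {}  # username -> {"digest", "expires", "attempts"}; stand-in for a server-side store


def _digest(username: str, code: str) -> str:
    return hmac.new(SERVER_KEY, f"{username}:{code}".encode(), hashlib.sha256).hexdigest()


def issue_code(username: str, now: Optional[float] = None) -> str:
    """Create a fresh code for this login, remember only its keyed hash, and return the code
    to hand to the delivery channel (SMS in the SSA's case). Any earlier code is replaced."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[username] = {"digest": _digest(username, code),
                          "expires": now + CODE_TTL_SECONDS,
                          "attempts": 0}
    return code


def verify_code(username: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept the code once, within its lifetime, with a bounded number of guesses."""
    now = time.time() if now is None else now
    rec = _pending.get(username)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _pending[username]          # expired: the user must start the login again
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(_digest(username, submitted), rec["digest"])
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]          # single use; also burned after too many wrong guesses
    return ok


if __name__ == "__main__":
    code = issue_code("retiree1")
    print("deliver via SMS:", code)
    print("wrong guess accepted?  ", verify_code("retiree1", "00000000"))
    print("correct code accepted? ", verify_code("retiree1", code))
    print("replay accepted?       ", verify_code("retiree1", code))
```

The guess limit matters because an 8-digit code has only 10^8 values; without it, an attacker who already holds the password could keep submitting codes until the window closed. Note that nothing here verifies who owns the phone number at enrollment, which is exactly the gap the paragraph above points out.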

The SSA does offer other “extra security” options, such as sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

In September 2013, I warned that SSA and financial institutions were tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have the victim’s benefits diverted to prepaid debit cards that the crooks control. Unfortunately, because the SSA’s new security features are optional, they do little to block crooks from hijacking SSA benefit payments from retirees.

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that Americans can avoid becoming victims of this scam.

To recap: Once you establish and verify your account and start getting texted codes to login, from then on you will be more secure. If you have not signed up already, these new security options do not make it any more difficult for someone else to sign up as you.

Considering that many senior citizens are still wary of text messages and likely have never sent or received one, it’s not clear that these optional security measures will go over well. I would like to see the SSA make it mandatory to receive a one-time code via the U.S. Mail to finalize the creation of all new accounts, whether or not users opt for “extra security.” Perhaps the agency will require this in the future, but it’s mystifying to me why it doesn’t already do this by default.

In addition to the SSA’s optional security measures, Americans can further block ID thieves by placing a security freeze on their credit files with the major credit bureaus. Readers who have taken my ceaseless advice to freeze their credit will need to temporarily thaw the freeze in order to complete the process of creating an account on the portal. Looked at another way, having a freeze in place blocks ID thieves from fraudulently creating an account in your name and potentially diverting your government benefits.

Alternatively, citizens can block online access to their Social Security account. Instructions for doing that are here.

The SSA’s new text messaging system is apparently experiencing some technical difficulties at the moment, at least for Verizon Wireless customers. The SSA posted this message on its site over the weekend: “We are working to fix a problem that is preventing Verizon wireless customers from receiving the cell phone security code. Verizon wireless customers are unable to access their personal my Social Security account at this time.”

Update, 1:00 p.m. ET: For the record, I requested comment from the SSA about why they did not apparently contact all users by U.S. mail to verify their identities. I received the following response:

“The Social Security Administration protects the information entrusted to us and has strengthened the online registration process by making identity verification and authentication more stringent. We cannot provide more details publicly as we don’t want to draw a roadmap for criminals.”

Also, as one reader already pointed out in the comments below, the SSA’s adoption of 2-factor SMS authentication comes as the National Institute of Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.

Via: krebsonsecurity