Monthly Archives: November 2016

Elon Musk Plans to Launch 4,425 Satellites to provide Global Internet from Space

Big tech companies, including Facebook, Google, and Microsoft, are in the race of bringing Internet connectivity to unconnected parts of the world through wireless devices, flying drones, high-altitude balloons, and laser beams.

But, SpaceX founder Elon Musk has big plans for bringing low-cost Internet service worldwide, and it all starts in space.


Private rocket launch service SpaceX has asked the U.S. government for permission to launch 4,425 satellites in orbit to beam high-speed Internet down to the world, according to a newly filed application with the Federal Communications Commission (FCC).

That’s a hell of a lot of satellites; in fact, the figure surpasses the total number of satellites in the Earth’s orbit.


Here’s what the company’s 102-page technical document reads:

“The system is designed to provide a wide range of broadband and communications services for residential, commercial, institutional, governmental and professional users worldwide.”

Initially announced in January 2015 as part of his plan to fund a city on Mars, the project would cost at least $10 Billion, Musk estimated in 2015, though the latest documents did not mention any cost estimate or financing plan.

California-based SpaceX has also revealed in the documents technical details of the proposed network of satellites it wants to launch as an Internet Service Provider (ISP) to offer high-speed broadband and communication services globally.

SpaceX to Initially Launch 800 Satellites

The proposed SpaceX network would begin with an initial launch of 800 satellites, the filing states, to expand Internet access in the United States, including Puerto Rico and the US Virgin Islands, though it is unclear when these satellites will launch.

The satellites would be launched into orbits at altitudes ranging from 715 miles (1,150 km) to 790 miles (1,275 km) above Earth. Each satellite in those constellations would weigh 850 pounds (386 kg) and could cover an ellipse about 2,120 km wide.

If deployed successfully, it would increase the number of satellites in orbit by over 300%, which altogether will serve to provide a space-based worldwide Internet network that would offer Internet speeds of up to 1 Gbps for the end users.

SpaceX said, “Once fully deployed, the SpaceX System will pass over virtually all parts of the Earth’s surface and therefore, in principle, have the ability to provide ubiquitous global service.”

As of now, the company has not elaborated on potential uses of this massive internet network, but there’s a lot of time to figure out those details.

The primary business of SpaceX is launching satellites into orbit for government and commercial customers, including flying cargo supply ships to the International Space Station for NASA.

However, SpaceX is not the only company looking with an ambition to deliver the internet through space. OneWeb — a venture backed by Airbus, Virgin, Bharti, and Qualcomm — and Boeing have also filed applications for spectrum to support satellite-based Internet.

via:  thehackernews

US Army announces ‘Hack the Army’ bug bounty program inviting hackers to expose security flaws

‘We’re looking for new ways to do business,’ outgoing secretary of the army Eric Fanning said.

The US Army has announced the launch of its first bug bounty program called “Hack the Army”, offering rewards to hackers who find security vulnerabilities in its digital recruiting infrastructure. Announced at a press conference in Texas on 11 November, the program comes after the successful inaugural Hack the Pentagon bug bounty program in April.

“We’re not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense,” outgoing secretary of the army Eric Fanning said. “We’re looking for new ways to do business.”

Hack the Army will be run in partnership with bug bounty platform HackerOne, and will be an invite-only program so that eligible hackers can be vetted before they are accepted to participate in the pilot program. However, interested military and government personnel will automatically be accepted into the program.

Eligible hackers will be tasked with scouring through the army’s recruitment websites and databases of personal information of new applicants and current army personnel, Wired reports.

“The largest branch of the US military is preparing to be hacked to enhance its security in the coming weeks,” HackerOne wrote in a blog post. “Working with the hacker community is an effective way to uncover vulnerabilities in even the most powerful organizations… Inviting the hacker community to find unknown security vulnerabilities will supplement the great work the army’s talented cybersecurity personnel are doing already.”

HackerOne also previously provided the infrastructure for the Hack the Pentagon program which invited over 1,400 registered hackers to test the digital security of select Department of Defense websites including Defense.gov. The pilot resulted in 138 valid vulnerabilities discovered and resolved during the 24-day program.

Following the success of the program, Defense Secretary Ash Carter directed other DoD components and military services to launch their own bug bounty initiatives as well.

“We’re going to include incentives in our acquisition guidance and policies so that contractors who work on DoD systems can also take advantage of innovative approaches to cybersecurity testing,” Carter said in October. “For example, in some circumstances, we will encourage contractors to make their technologies available for independent security reviews where bug bounties before they deliver them to us. This will help them make their code more secure from the start, and before it’s installed on our system.”

The army has yet to release any additional specifics about the new Hack the Army program.

Many companies have launched popular bug bounty programs in an effort to bolster cybersecurity defenses, and uncover and fix potential security vulnerabilities in their digital infrastructure.

Tech giants such as Microsoft, Yahoo, Google, Facebook and Twitter have had their own successful rewards programs for years. Chrysler, Uber, the Department of Defense and Apple also recently launched their own initiatives.

via:  ibtimes

Lower insurance premiums through security certification

What should organizations consider if they are to prepare for cyber insurance?

The answer to cyber security woes is insurance, right? Well, not really – so take a deep breath, relax and spend some quality time thinking about insurance and how it might apply to your cyber security situation.

What cyber insurance will not do is stop cyber incidents. What it will do is help you pick up the pieces after a cyber incident and so get your company operational again. But like any insurance, you must have met certain obligations, otherwise no pay-out. But what do your obligations consist of and how will the insurance company decide whether you have met them adequately should you need to claim?

Your obligations are essentially to ensure that your IT estate, including servers, infrastructure and user devices (PCs, laptops, tablets, smartphones, and so on), is operated and maintained according to good security practice.

In practical terms, this means that devices and software are kept at manufacturers’ supported release levels with the most current security patches applied; that devices, applications and access controls have been configured for secure operation; and that IT governance is of a good and demonstrable standard.

Governance covers policies, procedures, standards and work practices that are maintained in line with good practice and changes in the legal and regulatory environment.

Governance also covers the maintenance of logs, audit trails, system backups and IT Health Check reports, all of which support the notion that security due diligence has been, and is being, maintained. These logs, trails, reports and the availability of backups will be vital input to any investigation carried out by an insurance company should a claim be made on a cyber security policy.

Besides operating the IT estate to good security practices, what else can a company do? Here the recommendation is to get independent verification of the cyber security worthiness of your operation.

ISO27001 certification is one route; an independent report as to the compliance with ISO27001 is another (and generally cheaper) route. But there is also the relatively new Cyber Essentials scheme, which is being heavily promoted by the government as a way of improving the UK’s cyber security.

Two Cyber Essentials (CE) certifications are available. One is the basic Cyber Essentials certification which relies on a company filling out a questionnaire relating to its operation and governance. This questionnaire is then reviewed independently for scheme compliance. This is a low-cost route (currently £300 plus VAT) to a cyber certification.

The second CE certification is Cyber Essentials Plus, which is basic CE with the addition of an independent auditor visiting a company site to check that the CE questionnaire was factual. An IT Health Check on the IT estate is also part of the Plus certification. This approach is more expensive than the basic CE certification (for a small company, expect something in the low thousands of pounds), but much less expensive than gaining ISO27001.

Gaining a cyber certification, be it ISO27001, Cyber Essentials or Cyber Essentials Plus, should lead to lower insurance premiums, with ISO27001 giving the best premium.


via:  computerweekly

48 Percent of Companies Don’t Inspect the Cloud for Malware

A recent survey of 643 IT and IT security practitioners in the U.S. and Canada found that fully 48 percent of respondents don’t inspect the cloud for malware, and another 12 percent are unsure whether they do or not.

Notably, among those that do inspect, 57 percent say they have found malware.

The survey, sponsored by Netskope and conducted by the Ponemon Institute, also found that while 49 percent of business applications are now stored in the cloud, just 45 percent of those applications are known, sanctioned or approved by IT.

“These data confirm that while cloud adoption is very much on the rise, organizations still lack confidence in the cloud’s ability to protect sensitive information,” Netskope founder and CEO Sanjay Beri said in a statement.

“With the rise of cloud threats like accidental data exposure, malware and ransomware aimed at exfiltrating data and extracting financial gain from sensitive data, IT teams need more robust intelligence, protection, and remediation to protect their data from breach or loss,” Beri added.

While more than half of respondents said the use of cloud services significantly increases the likelihood of a data breach, almost 20 percent are unable to determine whether they’ve experienced a breach or not.

Among the 31 percent of companies that did experience a data breach in the past year, 48 percent said the breach occurred when a user exposed data from a cloud service, either intentionally or accidentally. A quarter don’t know how the breach occurred, however, and 30 percent don’t know what data may have been lost or stolen.

Respondents’ leading concerns about cloud security risks are loss of control over the security of data and end user actions (49 percent), loss or theft of intellectual property (47 percent), and compliance violations (39 percent).

A separate Blancco Technology Group survey of more than 290 IT professionals in the U.S., Canada, Mexico, U.K., Germany, France, India, Japan and China found that 26 percent of respondents are either not confident or somewhat confident about their IT teams’ knowledge of the use of all cloud storage providers.

Twenty-one percent of respondents said they store a combination of the following types of data in the cloud: B2B customer information, company information, employee information, and B2C customer information.

Fifteen percent of respondents rarely or never conduct audits of cloud providers that store their corporate data, even though 40 percent of respondents believe storing corporate data in a cloud environment increases their compliance risk.

Sixteen percent of respondents said they don’t know what security precautions they would take to prevent data loss or theft when decommissioning or shutting down a cloud/virtual server.

“Whenever storing data offsite with a cloud provider, organizations must be diligent in knowing where their data is being stored, how it’s being protected and when it needs to be removed (in the case of migrating data to a new vendor or consolidating data centers, for example),” Blancco Technology Group chief strategy officer Richard Stiennon said in a statement.

via:  esecurityplanet

Metasploitable3: An Intentionally Vulnerable Machine for Exploit Testing

Test Your Might With The Shiny New Metasploitable3.

Today I am excited to announce the debut of the shiny new toy – Metasploitable3.

Metasploitable3 is a free virtual machine that allows you to simulate attacks, largely using Metasploit. It has been used by people in the security industry for a variety of reasons, such as training for network exploitation, exploit development, software testing, technical job interviews, sales demonstrations, or simply by CTF junkies looking for kicks 🙂

If you are already a Metasploitable fan, you would have noticed that we haven’t had a new vulnerable image since 2012. To be honest, when James and I took over the project, we didn’t even know who was maintaining it anymore. So we decided to do something about it.

After months of planning and building the vulnerable image from scratch, we have something for you all to play with 🙂 Unlike its predecessor, Metasploitable3 has these cool features:

It is Open Source

During development, we recognized one of the drawbacks of Metasploitable2 was maintenance. We figured since we want everyone in the community to play, the community should have the power to influence and contribute. This also allows the vulnerable image to constantly evolve, and hopefully will keep the VM fun to play.

Metasploitable3 can be found as a Github repository here.

Keep in mind that instead of downloading a VM as before, Metasploitable3 requires you to issue a few commands and build it for VirtualBox (VMware support will follow). To do so, your machine must have the following requirements installed:

To build automatically:

  1. Run the build_win2008.sh script if using bash. If you are using Windows, run build_win2008.ps1.
  2. If the command completes successfully, run “vagrant up”.
  3. The build process takes anywhere between 20 and 40 minutes, depending on your system and Internet connection. After it’s done, you should be able to open the VM within VirtualBox and log in. The default username is “vagrant” with password “vagrant”.

To build manually, please refer to the README documentation.

If you have experience in making vulnerable images, or would like to suggest a type of exploitation scenario for Metasploitable3, your feedback is welcome!

It is for People with Different Skill Levels

Back then, Metasploitable2 was mainly a test environment for Metasploit. It was straightforward to play: it didn’t take long to find the right exploit to use and get a high-privileged shell.

But you see, we want to make you try a little harder than that 🙂

First off, not every type of vulnerability on Metasploitable3 can be exploited with a single module from Metasploit, but some can. Also by default, the image is configured to make use of some mitigations from Windows, such as different permission settings and a firewall.

For example, if you manage to exploit a service in the beginning, you will most likely be rewarded with a lower privileged shell. This part shouldn’t be too difficult for young bloods who are new to the game. But if you want more than that, higher privileged services tend to be protected by a firewall, and you must figure out how to get around that.

For special reasons, the firewall can be disabled if you set the MS3_DIFFICULTY environment variable:

$ MS3_DIFFICULTY=easy vagrant up

If the image is already built, you can simply open a command prompt and do:

$ netsh advfirewall set allprofiles state off

It Has Flags

One very common thing about performing a penetration test is going after corporate data. Well, we can’t shove any real corporate data into Metasploitable3 without legal trouble, so we have introduced flags throughout the whole system. They serve as “data you want to steal”; each is in the form of a poker card image of a Rapid7/Metasploit developer, and is packaged in one or more of these ways:

  • Obfuscation
  • Strict permission settings
  • File attributes
  • Embedded files

Getting your hands on these flags exercises your post exploitation muscle, and may require some level of reverse engineering knowledge.

A hint about these flags can be found from one of the services. In the future, we will be publishing more blog posts about how to find these flags.

It is Expandable

In real world penetration testing, a lot of it involves being able to break into one machine, and leverage the information stolen from there against the next one. Stolen passwords and hashes are perfect examples for this.

Instead of just having one virtual machine, our plan is to also have the capability to build multiple vulnerable images and create a network of them. This gives the audience the opportunity to practice more post-exploitation techniques, pivoting, and breaking into the next box.

Although our first image is Windows, the planning part of the Linux version has already begun. If you would like to jump on this train, please feel free to leave a comment on Github, or contribute.

And that’s what our new toy is all about 🙂

Last but not least, if you are trying out Metasploitable3 without Metasploit, either you are Neo from the Matrix, or you are nuts. Metasploit consists of thousands of modules, including exploits, auxiliary and post modules, and payloads that allow you to succeed in many kinds of attack scenarios. If you don’t have this in your toolkit, please feel free to grab it here.

via:  rapid7

Beware, iPhone Users: Fake Retail Apps Are Surging Before Holidays

Hundreds of fake retail and product apps have popped up in Apple’s App Store in recent weeks — just in time to deceive holiday shoppers.

The counterfeiters have masqueraded as retail chains like Dollar Tree and Foot Locker, big department stores like Dillard’s and Nordstrom, online product bazaars like Zappos.com and Polyvore, and luxury-goods makers like Jimmy Choo, Christian Dior and Salvatore Ferragamo.

“We’re seeing a barrage of fake apps,” said Chris Mason, chief executive of Branding Brand, a Pittsburgh company that helps retailers build and maintain apps. He said his company constantly tracks new shopping apps, and this was the first time it had seen so many counterfeit iPhone apps emerge in a short period of time.

Some of them appeared to be relatively harmless — essentially junk apps that served up annoying pop-up ads, he said.

But there are serious risks to using a fake app. Entering credit card information opens a customer to potential financial fraud. Some fake apps contain malware that can steal personal information or even lock the phone until the user pays a ransom. And some fakes encourage users to log in using their Facebook credentials, potentially exposing sensitive personal information.

The rogue apps, most of which came from developers in China, slipped through Apple’s process for reviewing every app before it is published.

That scrutiny, which Apple markets as an advantage over Google’s less restrictive Android smartphone platform, is supposed to stop any software that is deceitful, that improperly uses another company’s intellectual property or that poses harm to consumers.

In practice, however, Apple focuses more on blocking malicious software and does not routinely examine the thousands of apps submitted to the iTunes store every day to see if they are legitimately associated with the brand names listed on them.

With apps becoming more popular as a way to shop, it is up to brands and developers themselves to watch for fakes and report them, much as they scan for fake websites, said Ben Reubenstein, chief executive of Possible Mobile, a Denver company that makes apps for JetBlue Airways, the PGA Tour and the Pokémon Company, among others.

“It’s important that brands monitor how their name is being used,” he said.

Apple removed hundreds of fake apps on Thursday night after The New York Times inquired about the specific app vendors that created many of them. Other apps were removed after a New York Post article last week drew attention to some of the counterfeits.

“We strive to offer customers the best experience possible, and we take their security very seriously,” said an Apple spokesman, Tom Neumayr. “We’ve set up ways for customers and developers to flag fraudulent or suspicious apps, which we promptly investigate to ensure the App Store is safe and secure. We’ve removed these offending apps and will continue to be vigilant about looking for apps that might put our users at risk.”

In September, Apple also embarked on a campaign to review all two million apps in the App Store and remove “apps that no longer function as intended, don’t follow current review guidelines or are outdated.” The company says that a significant number of apps have been removed and that the review is continuing.

Despite Apple’s efforts, new fake apps appear every day. In some cases, developers change the content of an app after it has been approved by Apple’s monitors. In other instances, the counterfeiters change their names and credentials, and resubmit similar apps after one round of fakes is discovered.

“It’s a game of Whac-a-Mole,” Mr. Mason of Branding Brand said.

On Friday, for example, an entity calling itself Overstock Inc. — an apparent attempt to confuse shoppers looking for the online retailer Overstock.com — was peddling Ugg boots and apparel through a fake app that was nearly identical to one banished by Apple on Thursday.

The same Chinese app developer, Cloaker Apps, created both fake Ugg apps on behalf of Chinese clients.

A fake Michael Kors app, claiming to be connected to Nordstrom. Some counterfeits are more convincing than others.

Jack Lin, who identified himself as the head of Cloaker, said in a phone interview in China that his company provides the back-end technology for thousands of apps but does not investigate its clients.

“We hope that our clients are all official sellers,” he said. “If they are using these brands, we need some kind of authorization, then we will provide services.”

Mr. Lin said Cloaker charged about 20,000 renminbi — about $3,000 — for an app written in English.

But like so many of the apps his company produces, Cloaker is not what it purports to be. Its website is filled with dubious claims, such as the location of its headquarters, which it says is at an address smack in the middle of Facebook’s campus in Menlo Park, Calif.

In the interview, Mr. Lin at first said he had offices only in China and Japan. When asked about the California office, he then claimed to have “tens of employees” at the Facebook address.

China is by far the biggest source of fake apps, according to security experts.

Many of the fake retail apps have red flags signaling that they are not real, such as nonsensical menus written in butchered English, no reviews and no history of previous versions. In one fake New Balance app, for example, the tab for phone support did not list a phone number and said, “Our angents are available over the hone Monday-Firday.”

Data from Apptopia show that some of the fake apps have been downloaded thousands of times, although it is unclear how many people have actually used them. Reviews posted on some of the apps indicated that at least some people tried them and became frustrated. “Would give zero stars if possible,” wrote one reviewer of the fake Dollar Tree app. “Constantly gets stuck in menus and closes what you were doing and makes you start over.”

Mr. Mason says consumers want to shop online and they search for apps from their favorite stores and brands.

“The retailers who are most exposed are the ones with no app at all,” he said. Dollar Tree and Dillard’s, for example, have no official iPhone apps, which made it easier to lure their customers to the fake apps.

But the counterfeiters have also mimicked companies that do have an official presence in the App Store, hoping to capitalize on consumer confusion about which ones are real.

The shoe retailer Foot Locker Inc., for example, has three iPhone apps. But that did not stop an entity calling itself Footlocke Sports Co. Ltd. from offering 16 shoe and clothing apps in the App Store — including one purporting to be from a Foot Locker rival, Famous Footwear.

Similarly, the supermarket chain Kroger Company has 20 iPhone apps, reflecting the various retail chains in its empire. An entity calling itself The Kroger Inc. had 19 apps, purporting to sell things as diverse as an $80 pair of Asics sneakers and a $688 bottle of Dior perfume.

Some of the fake apps have even used Apple’s new paid search ads to propel them to the top of the results screen when customers search for specific brands in the App Store.

Jon Clay, director of global threat communications for Trend Micro, an internet security firm, said Apple’s tight control over the iPhone had historically kept malicious apps out of its App Store. Fake apps appeared more often on Google’s Android platform or on third-party app stores, he said.

But that is beginning to change. Shortly after the Pokémon Go game was released in the United States in July, for example, a spate of fake iPhone apps related to the game appeared, especially in countries where the game was not yet available.

“The criminals are going to take advantage of whatever is hot,” Mr. Clay said.

via:  nytimes

412 million FriendFinder accounts exposed by hackers

Hacked accounts linked to AdultFriendFinder.com, Cams.com, iCams.com, Stripshow.com, and Penthouse.com.

Six databases from FriendFinder Networks Inc., the company behind some of the world’s largest adult-oriented social websites, have been circulating online since they were compromised in October.

LeakedSource, a breach notification website, disclosed the incident fully on Sunday and said the six compromised databases exposed 412,214,295 accounts, with the bulk of them coming from AdultFriendFinder.com.

It’s believed the incident happened prior to October 20, 2016, as timestamps on some records indicate a last login of October 17. This timeline is also somewhat confirmed by how the FriendFinder Networks episode played out.

On October 18, 2016, a researcher who goes by the handle 1x0123 on Twitter warned Adult FriendFinder about Local File Inclusion (LFI) vulnerabilities on their website, and posted screenshots as proof.

When asked directly about the issue, 1x0123, who is also known in some circles by the name Revolver, said the LFI was discovered in a module on AdultFriendFinder’s production servers.

Not long after he disclosed the LFI, Revolver stated on Twitter the issue was resolved, and “…no customer information ever left their site.”

His account on Twitter has since been suspended, but at the time he made those comments, Diana Lynn Ballou, FriendFinder Networks’ VP and Senior Counsel of Corporate Compliance & Litigation, directed Salted Hash to them in response to follow-up questions about the incident.

On October 20, 2016, Salted Hash was the first to report FriendFinder Networks had likely been compromised despite Revolver’s claims, exposing more than 100 million accounts.

In addition to the leaked databases, the existence of source code from FriendFinder Networks’ production environment, as well as leaked public / private key-pairs, further added to the mounting evidence the organization had suffered a severe data breach.

FriendFinder Networks never offered any additional statements on the matter, even after the additional records and source code became public knowledge.

As mentioned, earlier estimates placed the FriendFinder Networks data breach at more than 100 million accounts.

These early estimates were based on the size of the databases being processed by LeakedSource, as well as offers being made by others online claiming to possess 20 million to 70 million FriendFinder records – most of them coming from AdultFriendFinder.com.

The point is, these records exist in multiple places online. They’re being sold or shared with anyone who might have an interest in them.

On Sunday, LeakedSource reported the final count was 412 million users exposed, making the FriendFinder Networks leak the largest one yet in 2016, surpassing the 360 million records from MySpace in May.

This data breach also marks the second time FriendFinder users have had their account information compromised; the first time being in May of 2015, which impacted 3.5 million people.

The figures disclosed by LeakedSource on Sunday include:

  • 339,774,493 compromised records from AdultFriendFinder.com
  • 62,668,630 compromised records from Cams.com
  • 7,176,877 compromised records from Penthouse.com
  • 1,135,731 compromised records from iCams.com
  • 1,423,192 compromised records from Stripshow.com
  • 35,372 compromised records from an unknown domain

All of the databases contain usernames, email addresses and passwords, which were stored as plain text, or hashed using SHA1 with pepper. It isn’t clear why such variations exist.

“Neither method is considered secure by any stretch of the imagination and furthermore, the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world,” LeakedSource said, discussing the password storage options.

In all, 99 percent of the passwords in the FriendFinder Networks databases have been cracked. Thanks to easy scripting, the lowercase passwords aren’t going to hinder most attackers who are looking to take advantage of recycled credentials.
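The storage scheme described above (passwords lowercased, then SHA-1 with a single site-wide pepper) reproduced beside a standard-library alternative, as an added example that is not from the article, LeakedSource or FriendFinder. SITE_PEPPER is a constructed value, and PBKDF2-HMAC-SHA256 with a per-user salt is the swap-in hardened scheme, not anything the page describes.

```python
"""Password storage as described in the FriendFinder leak, beside a sane scheme.

Added example, not code from the article, LeakedSource or FriendFinder.
weak_hash() reproduces the described storage: lowercase the password, then
SHA-1 over a single site-wide pepper plus the password. SITE_PEPPER is a
constructed stand-in; the real value is not known. hardened_hash() is a
standard-library alternative (per-user random salt + PBKDF2-HMAC-SHA256).
"""
import hashlib
import hmac
import os
from itertools import product
from typing import Optional

SITE_PEPPER = b"constructed-pepper-not-the-real-one"  # constructed value
ITERATIONS = 100_000  # PBKDF2 work factor; raise for production use


def weak_hash(password: str) -> str:
    """Scheme described in the leak: lowercase, then SHA-1(pepper || password)."""
    normalized = password.lower().encode("utf-8")
    return hashlib.sha1(SITE_PEPPER + normalized).hexdigest()


def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user 16-byte salt, PBKDF2-HMAC-SHA256, self-describing record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def hardened_verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def case_variants(word: str) -> list:
    """All case variants of `word`: 2**k strings for k alphabetic characters."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return ["".join(t) for t in product(*choices)]


def distinct_digests(passwords, hash_fn) -> int:
    """How many different stored values `hash_fn` yields for these passwords."""
    return len({hash_fn(p) for p in passwords})


def keyspace_report(word: str) -> dict:
    """Quantify the two weaknesses on one sample password.

    - Lowercasing: every case variant of `word` maps to ONE weak digest, so a
      guess list only needs the lowercase form (the 2**k factor is gone).
    - Single pepper, no per-user salt: two users with the same password get
      the same weak digest, so one recovered password reveals both and
      frequency analysis works; the hardened records differ per user.
    """
    variants = case_variants(word)
    return {
        "variants": len(variants),
        "weak_distinct": distinct_digests(variants, weak_hash),
        "hardened_distinct": distinct_digests(variants, hardened_hash),
        "weak_same_for_two_users": weak_hash(word) == weak_hash(word),
        "hardened_same_for_two_users": hardened_hash(word) == hardened_hash(word),
    }


if __name__ == "__main__":
    for key, value in keyspace_report("Pass1").items():
        print(f"{key}: {value}")
    record = hardened_hash("Pass1")
    print("verify correct case:", hardened_verify("Pass1", record))
    print("verify wrong case:  ", hardened_verify("pass1", record))
```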

In addition, some of the records in the leaked databases have an “rm_” before the username, which could indicate a removal marker, but unless FriendFinder confirms this, there’s no way to be certain.

Another curiosity in the data centers on accounts with an email address of email@address.com@deleted1.com.

Again, this could mean the account was marked for deletion, but if so, why was the record fully intact? The same could be asked for the accounts with “rm_” as part of the username.

Moreover, it also isn’t clear why the company has records for Penthouse.com, a property FriendFinder Networks sold earlier this year to Penthouse Global Media Inc.

Salted Hash reached out to FriendFinder Networks and Penthouse Global Media Inc. on Saturday, for statements and to ask additional questions. By the time this article was written however, neither company had responded.

Salted Hash also reached out to some of the users with recent login records.

These users were part of a sample list of 12,000 records given to the media. None of them responded before this article went to print. At the same time, attempts to open accounts with the leaked email address failed, as the address was already in the system.

As things stand, it looks as if FriendFinder Networks Inc. has been thoroughly compromised. Hundreds of millions of users from all across the globe have had their accounts exposed, leaving them open to phishing or, even worse, extortion.

This is especially bad for the 78,301 people who used a .mil email address, or the 5,650 people who used a .gov email address, to register their FriendFinder Networks account.

On the upside, LeakedSource has disclosed only the scope of the breach, not the data itself. For now, access to the data is limited, and it will not be available for public searches.

For anyone wondering if their AdultFriendFinder.com or Cams.com account has been compromised, LeakedSource says it’s best to just assume it has.

“If anyone registered an account prior to November of 2016 on any Friend Finder website, they should assume they are impacted and prepare for the worst,” LeakedSource said in a statement to Salted Hash.

On their website, FriendFinder Networks says they have more than 700,000,000 total users, spread across 49,000 websites in their network – gaining 180,000 registrants daily.

 

via:  csoonline

Apple rumored to launch new 10.9-inch iPad with edge-to-edge screen

New iPads might be coming…in March 2017.

Apple’s iPads are rumored to be getting refreshed in the spring, according to a Barclays Research note obtained by MacRumors.

Analysts there believe that Apple is currently considering three differently sized displays for new iPads. In addition to 9.7- and 12.9-inch screens, Apple’s reportedly considering a larger iPad with a 10.9-inch display.

A new iPad with a larger 10-inch screen has been the source of previous rumors, although those pegged the new screen at 10.1 or 10.5 inches.


The most interesting part of Barclays’ note is that the new 10.9-inch iPad might be “bezel-free,” meaning the screen would stretch edge-to-edge. The iPad’s physical dimensions reportedly won’t change, just the screen.

If true, it would be a huge departure for Apple to remove the Home button/Touch ID sensor. Such a design could also serve as a glimpse at the iPhone 8, which is also rumored to have a bezel-free screen.

Another nugget from the report states the iPad mini 4 will remain, but won’t be updated, which is the complete opposite of another rumor from last month that said Apple might be working on an iPad Mini Pro.

Lastly, the analysts claim the 12.9-inch iPad Pro will get the 9.7-inch model’s quad microphones, True Tone display, improved 12-megapixel iSight camera and True Tone flash.

With no new iPads coming by the end of the year, next spring seems like a good bet to see refreshes.

 

via:  mashable

AT&T to throttle streaming video next year with new ‘Stream Saver’ feature

AT&T on Friday announced a new feature for its data plans called Stream Saver. The carrier calls it a “free and convenient, data-saving feature” that will cap most mobile video streams at DVD quality (or around 480p).

It sounds harmless at first, but customers who aren’t concerned with data may not like that the feature will be enabled by default. To watch hi-def video, you’ll have to opt out via the myAT&T app or the AT&T website.

Stream Saver lets you watch more video on your wireless phone or tablet while using less data, by streaming most higher definition video at standard definition quality, similar to DVD (about 480p). Stream Saver helps your data go further.

[…] “We know our customers love to be entertained while mobile, and Stream Saver lets them enjoy more of what they love, whether it’s video or something else,” said David Christopher, chief marketing officer, AT&T Entertainment Group. “And, they are in control – it’s their choice on how to use this innovative feature.”

AT&T says that it will start rolling out the feature in early 2017 to customers on its “most popular plans.” Once it’s available, they’ll receive a message letting them know it’s on along with directions on how to disable it.

 

via:  idownloadblog

Costco Credit Card Switch Came With Unexpected Side Effect: Lost Insurance

When Costco announced it was ditching its exclusive co-branded American Express card in favor of a Citibank-issued Visa card, customers worried about the various ways this switch could affect their finances and credit, but one family says the change in card networks resulted in them losing an insurance policy.

Sacramento CBS reports (warning: link contains video that autoplays) that shortly after Costco switched from AmEx to Visa in June, an elderly couple was notified that their American Express Accident Guard Insurance – which would have provided financially for their grown children if they died in an accident – had been canceled.

That notification came too late, however, as the couple says they received a letter from AmEx two days after the policy was actually canceled, giving them no time to find an alternative option to keeping the policy.

The letter was dated June 25. However, it stated that the policy, which the couple had paid $21/month for nearly 12 years, would be terminated effective June 23.

When the couple contacted AmEx about the cancellation, they say they were told there was nothing that could be done. The couple said they now won’t be able to protect their children financially, as it would be too difficult and costly to get a new policy.

Left with little to no recourse, the couple contacted CBS Sacramento to find out if AmEx’s actions were legal.

To that end, CBS Sacramento’s Kurtis Ming contacted the California Department of Insurance, which confirmed that AmEx can’t just cancel a policy with no notice.

Under state law, insurers must notify customers of cancellation in writing between 10 and 60 days before the policy is terminated.

Much as Costco, AmEx, and Citi had done before the switch, when customers were looking for information on the change, the companies sent CBS Sacramento in circles for answers: Costco pointed to Citi, Citi pointed to AmEx, and AmEx pointed to Citi.

Finally, AmEx told CBS Sacramento that it had re-enrolled the couple, admitting that some customers got lost during the switch.

“Enrollment in certain insurance products were disrupted by the transfer of the card account to Citi, because these products were offered only to American Express card members,” the company said in one of its three statements. “Former Costco card members, who had one of these products charged to their Costco American Express card, can continue enrollment in these products using another American Express card, if they call us promptly and authorize the charge.”

The company did not specify how many customers were affected by the so-called “disruption.”

Customers Lose Insurance In Costco Credit Card Switch [CBS Sacramento]

 

via:  consumerist