How Hackers Are Stealing High-Profile Instagram Accounts

Excerpt from this article:

Ruvim Achapovskiy, the founder of SocialBomb, a social marketing agency in Seattle, said that he’s seen branded-content scams increase sharply over the past year. They’ve also gotten more sophisticated. Hackers sometimes create their own fake brands to phish influencers, but often they pretend to be representatives from real companies. “They’ll set up some sort of username that’s something that seems like it would be legit, like @LuluLemonAmbassadors,” he said. “They’ll use all the company logos, make it seem as legit as possible, make the bio seem normal. Use the company’s mission statement. It’s super simple.”

Once hackers gain control of an influencer’s account, said Moritz von Contzen, founder of the Dutch social-media agency Avenik, they’ll often hop into the account’s direct messages and begin spamming other influencers with the same phishing links before the hacked influencer even knows what’s happening.

‘I’m Possibly Alive Because It Exists:’ Why Sleep Apnea Patients Rely on a CPAP Machine Hacker

Excerpt from this article:

Lynn, who lives in rural Arizona, did an at-home oximetry test, which tests blood oxygen levels, and then a sleep study. She was diagnosed with a difficult-to-treat form of sleep apnea, a disorder, most often affecting overweight men, in which patients suddenly stop breathing for periods of time while they sleep. She was given a continuous positive airway pressure (CPAP) machine and face mask—which blows air down a patient’s windpipe to keep the airways open—and sent home.

But a year-and-a-half and three sleep doctors later, her symptoms hadn’t improved. Her Apnoea-Hypopnea Index (AHI), which refers to the number of times she stopped breathing per night, was “horrible.”

“None of the doctors could get my AHI down and none of them seemed particularly concerned about it, to be honest,” she said. She started Googling for help, and came across a forum called CPAPtalk.com.

On the forum, users were talking about a piece of software called “SleepyHead.”

The free, open-source, and definitely not FDA-approved piece of software is the product of thousands of hours of hacking and development by a lone Australian developer named Mark Watkins, who has helped thousands of sleep apnea patients take back control of their treatment from overburdened and underinvested doctors. The software gives patients access to the sleep data that is already being generated by their CPAP machines but generally remains inaccessible, hidden by proprietary data formats that can only be read by authorized users (doctors) on proprietary pieces of software that patients often can’t buy or download. SleepyHead and community-run forums like CPAPtalk.com and ApneaBoard.com have allowed patients to circumvent medical device manufacturers, who would prefer that the software not exist at all.

ReplyAll #130 The Snapchat Thief

Excerpt from this podcast:

ALEX: Yeah. So take everything he says with a grain of salt. But he told me that he and his fellow hackers actually have a pretty reliable method for how they usually get accounts. It’s called SIM Swapping.
PJ: OK.
ALEX: So here’s how SIM Swapping works: You, PJ, have a phone number. I’m not going to say it on the radio even though that would be such a good troll.

ALEX: Um. So, so, what they do is they find out that you have a valuable account and they find out your number. And they call the phone company and pretend to be you and say, “I’ve got a new phone that you need to transfer my phone number to.” So the phone company transfers your phone number to the hacker’s phone.
PJ: And then they have logins on all your apps?
ALEX: They don’t have logins on all your apps. But since everybody uses two-factor authentication on their phones–
PJ: Ahhhh! Then they go to instagram and they’re like “I forgot my password!”
ALEX: Exactly. And then Instagram sends a password reset text to the phone number, which they’re now in control of, and just like that, they have your account.
WORTHY: You know what OGUsers is right? 
ALEX: Oh, do I ever.
WORTHY: Yeah, so basically, OGs like that–OG handles, those are easy because it’s normal people like me and you. As long as I got the number, done. All I got to do is call T-Mobile, Verizon–any phone companies and you’ll have it for about 24 hours before they notice, you know, it was obviously a fraud. But by the time you know that happens you’ve already swapped that OG handle, you’ve got it. It’s yours. It’s done.
PJ: I mean, I don’t know if this is true, but there’s probably a lot of people at T-Mobile who are trusted to port a number.
ALEX: Yeah like my experience at every phone store I’ve ever been to is that the people there are moving phone numbers from one phone to another all day every day. Like, anytime you buy a new phone, that’s what they’re doing.

Your Mother’s Maiden Name Is Not a Secret

Excerpt from this article:

Security questions are astonishingly insecure: The answers to many of them are easily researched or guessed, yet they can be the sole barrier to someone gaining access to your account. The cryptology and security expert Bruce Schneier once described them as an “easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password.”

There has been no shortage of incidents demonstrating these questions’ vulnerabilities. In 2005, Paris Hilton’s T-Mobile account was hacked by a teenager who, like anyone who searched “Paris Hilton Chihuahua” on the internet, knew the answer to “What’s your favorite pet’s name?” In 2008, Sarah Palin’s Yahoo account was hacked by a college student who reset her password using her birth date, ZIP code and the place where she met her spouse.

How many of us can answer the premillennial “What city were you in to celebrate the year 2000?” or “What year did you take out your first mortgage?” And how many Indian- or Brazilian-born users went to a high school without a mascot, or grew up on a street with no name? How many of our mothers never changed their names?

The other main type of security question asks for a subjective answer. Such questions imagine lives punctuated by distinct firsts and bests and filled with enduring favorites, but favorites and bests and even firsts can change when people maintain accounts for decades. At some point, both factual and subjective security questions become archaeological. “In what month did you meet your significant other?” requires a framing question: Whom were you with when you set up this account?

A 2015 study by Google engineers found that only 47 percent of people could remember what they put down as their favorite food a year earlier — and that hackers were able to guess the food nearly 20 percent of the time, with Americans’ most common answer being pizza.

A Murder Case Tests Alexa’s Devotion to Your Privacy

Excerpt from this article:

Arkansas police recently demanded that Amazon turn over information collected from a murder suspect’s Echo. Amazon’s attorneys contend that the First Amendment’s free speech protection applies to information gathered and sent by the device; as a result, Amazon argues, the police should jump through several legal hoops before the company is required to release your data.

… Let’s look at a few scenarios. These are more or less specific to Amazon’s technology and policies, but variants could apply to Google Home or other digital assistants. This brings up a more basic question: Do you have to give informed consent to be recorded each time you enter my Alexa-outfitted home? Do I have to actively request your permission? And who, at Amazon or beyond, gets to see what tendencies are revealed by your Alexa commands? Amazon claims you can permanently delete the voice recordings, though wiping them degrades performance. Even if you’re smart enough to clear your browser history, are you smart enough to clear this, too? And what about the transcripts?

Another question: How do you know when your digital assistant is recording what you say? Amazon provides several ways to activate the recording beyond the “wake” word. A light on the Echo turns blue to indicate audio is streaming to the cloud. After the request is processed, the audio feed is supposed to close. You can also set the device to play a sound when it stops streaming your audio, but what happens if the device is hacked or modified to keep recording?

Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings

Excerpt from this article:

As we’ve seen time and time again in the last couple of years, so-called “smart” devices connected to the internet—what is popularly known as the Internet of Things or IoT—are often left insecure or are easily hackable, and often leak sensitive data. There will be a time when IoT developers and manufacturers learn the lesson and make secure-by-default devices, but that time hasn’t come yet. So if you are a parent who doesn’t want your loving messages with your kids leaked online, you might want to buy a good old-fashioned teddy bear that doesn’t connect to a remote, insecure server.