Categories
Apps

Phishers have targeted your Instagram accounts

Add Your Heading Text Here

Share it:

To hijack popular Instagram accounts, scammers are sending phishing e-mails with fake copyright infringement notifications.

Have you reached a few thousand followers on Instagram? More? Congratulations, you are insta-famous. Among other things, though, being an Instagram influencer means that it’s quite possible that account thieves are after you. A new phishing scheme targeting popular accounts on Instagram is gaining momentum. Here is how it works.

You’ve got copyright violation notification

“Your account will be permanently deleted for copyright infringement,” claims an e-mail notification that looks very official. It has the usual Instagram header and logo, and the e-mail address in the From field is extremely close to a legitimate one: In most cases it’s either mail@theinstagram.team or info@theinstagram.team.

The e-mail claims that you have just 24 hours (in some versions it’s 48 hours) to appeal and provides a “Review complaint” button. If you click it, you end up on a convincing phishing page, where fraudsters put an image saying they care very much about copyright protection and offer you a link to “Appeal.” To make the scam look even more legitimate, they offer a long list of language choices, although it doesn’t work — whatever you click, the phishing page always remains in English.

As soon as you click the “Appeal” link, you are invited to input your Instagram credentials. And that’s not the end. Immediately, another message appears: “We need to verify your feedback and check if your e-mail account matches the Instagram account,” it says. Click “Verify My E-mail Address,” and you’ll see a list of e-mail providers. If you choose yours, you’ll be invited to submit both your e-mail address and (surprise!) the password for your e-mail account.

Then, a “We will review your feedback” reply appears, but only for few seconds. After that you’ll be redirected to a real Instagram’s website — another simple trick that lends additional credibility to the scam.

It’s not the first time when Instagram influencers are targeted by scammers. The first wave of phishing was tempting users to apply for a blue “Verified” account badge.

Categories
International

Is the Chinese government responsible for mass surveillance on Uighurs?

Add Your Heading Text Here

Share it:

In less than two weeks, two major reports have been published that contain leaked Chinese government documents about the persecution of Uighurs and other Muslim minorities in China. Details include the extent to which technology enables mass surveillance, making it possible to track the daily lives of people at unprecedented scale

The first was a New York Times article that examined more than 400 pages of leaked documents detailing how government leaders, including President Xi Jinping, developed and enforced policies against Uighurs.

The latest comes from the International Consortium of Investigative Journalists, an independent non-profit, and reports on more than 24 pages of documents that show how the government is using technology to engage in mass surveillance and identify groups for arrest and detainment in Xinjiang region camps that may now hold as many as a million Uighurs, Kazakhs and other minorities, including people who hold foreign citizenship.

These reports are significant because leaks of this magnitude from within the Communist Party of China are rare and they validate reports from former prisoners and work by researchers and journalists who have been monitoring the persecution of the Uighurs, an ethnic group with more than 10 million people in China.

As ICIJ reporter Bethany Allen-Ebrahimian writes, the classified documents, verified by independent experts and linguists, “demonstrates the power of technology to help drive industrial-scale human rights abuses.” Furthermore, they also force members of targeted groups in Xinjiang region to live in “a perpetual state of terror.”

The ICIJ reports that the Integrated Joint Operations Platform (IJOP), a policing platform, is used by the police and other authorities to collate personal data, along with data from facial-recognition cameras and other surveillance tools, and then uses artificial intelligence to identify categories of Xinjiang residents for detention.

The Human Rights Watch began reporting on the IJOP’s police app in early 2018. The organization reverse-engineered the IJOP app used by police and found that it prompts them to enter a wide range of personal information about people they interrogate, including height, blood type, license plate numbers, education level, profession, recent travel and even household electric-meter readings, data which can be used by an algorithm (the ICIJ describes it as “as-yet-unknown”) that determines which groups of people should be viewed as “suspicious.”

The documents also say that the Chinese government ordered security officials in Xinjiang to monitor users of Zapya, which has about 1.8 million users, for ties to terrorist organizations. Launched in 2012, the app was created by DewMobile, a Beijing-based startup that has received funding from InnoSpring Silicon Valley, Silicon Valley Bank and Tsinghua University and is meant to give people a way to download the Quran and send messages and files to other users without being connected to the Web.

According to the ICIJ, the documents show that since at least July 2016, Chinese authorities have been monitoring the app on some Uighurs’ phone in order to flag users for investigation. DewMobile did not respond to ICIJ’s repeated requests for comments. Uighurs who hold foreign citizenship or live abroad are not free from surveillance, with directives in the leaked documents ordering them to be monitored as well.

Source: Tech Crunch

Categories
Apps

How the Cascade Virus Made Kaspersky Famous.

Add Your Heading Text Here

Share it:

Cascade was the first virus that Eugene Kaspersky ever encountered. It was 30 years ago, in 1989, and it changed his life completely. He disassembled the virus and wrote a tool that helped remove it. The tool became popular among his friends and acquaintances, and that was when he decided to devote all of his time to developing an antivirus solution. That antivirus became commercially available in 1992, and in 1997, the company we now know as Kaspersky was founded.

A lot has happened since 1989 — from the founding of the EU and the breakup of the USSR to the cloning of a life being and the creation of the modern Internet. Here, in the graphic below, we take a look back at those 30 years: how things have changed, how the cyberthreat landscape has become more and more complicated, how tech has evolved, and how the world has reacted to such changes.

source: Kaspersky Blog

Categories
Privacy

Understanding the new TLS protocol

Add Your Heading Text Here

Share it:

Facebook, Mozilla, and Cloudflare announced today a new technical specification called TLS Delegated Credentials, currently undergoing standardization at the Internet Engineering Task Force (IETF)

The TLS Delegate Credentials extension was specifically developed for large website setups, such as Facebook, or for website using content delivery networks (CDNs), such as Cloudflare.

How TLS Delegate Credentials works

For example, a big website like Facebook has thousands of servers spread all over the world. In order to support HTTPS traffic on all, Facebook has to place a copy of its TLS certificate private key on each one.

This is a dangerous setup. If an attacker hacks one server and steals the TLS private key, the attacker can impersonate Facebook servers and intercept user traffic until the stolen certificate expires.

The same thing is also valid with CDN services like Cloudflare. Anyone hosting an HTTPS website on Cloudflare’s infrastructure must upload their TLS private key to Cloudflare’s service, which then distributes it to thousands of servers across the world.

The TLS Delegate Credentials extension allows site owners to create short-lived TLS private keys (called delegated credentials) that they can deploy to these multi-server setups, instead of the real TLS private key.

The delegated credentials can live up to seven days and can be rotated automatically once they expire.

Source: ZDNet

Categories
Apps

Chrome zero-day exploited in the wild

Add Your Heading Text Here

Share it:

On Halloween, Google releases Chrome 78.0.3904.87 to patch a Chrome zero-day discovered by Kaspersky exploited in the wild.

Yesterday, on late Halloween night, Google engineers delivered the best scare of the evening and released an urgent update for the Chrome browser to patch an actively exploited zero-day.

The actively-exploited zero-day was described as a use-aster-free bug in Chrome’s audio component.

Use-after-free vulnerabilities are memory corruption bugs that occur when an application tries to reference memory that was previously assigned to it but has been freed or deleted in the meantime. This usually causes a program to crash, but can also sometimes lead to other, unintended consequences.

Chrome 78.0.3904.87 is available for Windows, Mac, and Linux. The release will slowly roll out to all Chrome users in the coming weeks but users can trigger a manual update right now by visiting the browser’s Help > About Google Chrome section

source: ZDNet

Categories
Internet Security

iOS 13.2 tips: Check these security and privacy settings today

Add Your Heading Text Here

Share it:

If you are the type that is security conscious, here are some steps you should take to lock down an iPhone running iOS 13.2 and iPad running iPadOS 13.2.

iPhones and iPads are, out of the box, quite robust and secure platforms. But with a few tweaks you can harden that security dramatically without adding too much burden to your dat-to-day usage of the device.

#1: Block apps from having Bluetooth access

After you install iOS 13 you might find a whole swathe of apps such as Facebook asking you for permission to transmit data over Bluetooth. You can either allow or deny access when the prompts are displayed, or you can head over to Settings > Privacy > Bluetooth and make the changes there.

Note that this doesn’t affect audio streaming to headphones and speakers.

#2: Set brute-force protection

iOS has built-in brute-force protection to prevent an unauthorized user from trying to guess your passcodes.

Go to Settings > Face ID & Passcode (or Touch ID & Passcode on older iPhones), enter your existing passcode, and scroll down to Erase Data.

After 10 attempts (toward the end there will be a time lockout to slow down the entry process), the encryption key will be deleted and your data wiped.

#3: Make sure iOS automatic updates are enabled

iOS 13 has the ability to keep itself updated automatically, which is a great way to make sure that your iPhone is fully patched.

This should be set up automatically, but you can check it over at Settings > General > Software Update and making sure Automatic Updates is enabled.

#4: Find your devices

iOS 13 has a cool new app called Find My which you can use to locate your friends and family, share your location, or find a missing device.

This app has two cool features, one is Enable Offline Finding that helps you find lost devices that aren’t connected to Wi-Fi or Bluetooth. The other is Send Last Location, which sends the device’s location to Apple when the battery is low.

#5: Control what Touch ID/Face ID is used to authenticate

Do you want the convenience of Face ID or Touch ID, or do you rather the additional protection that having to enter your passcode offers? iOS 13 allows you to switch Face ID/Touch ID on and off for:

iPhone Unlock
iTunes and App Store
Apple Pay
Password AutoFill

Go to Settings > Face ID & Passcode (or Touch ID & Passcode on older iPhones), and enter your existing passcode to take control of this.

source: ZDNet