All Posts By Laurenadmin

Instagram Accounts Left Open To Hacking


By June 2018 Instagram had amassed one billion monthly active users worldwide, with the USA the largest user group and the UK 8th on the demographics chart with a total of 23 million users.

Facebook purchased Instagram in 2012 and combined they are the two most popular social media networks used worldwide.

What happened?

In July of this year a critical vulnerability was discovered in Instagram’s two-step authentication password recovery feature, allowing an attacker to compromise any Instagram account in only ten minutes without the account holder being aware.

Two-step, or two-factor, authentication is an additional layer of security added to websites, including Amazon, Google, Microsoft and Twitter to name a few, to make it harder for hackers and fraudsters to access your online accounts. There are various types of two-factor authentication; however, text-message verification is still the most widely used, and it is the type Instagram uses.

How was the vulnerability identified?

The flaw in Instagram’s recovery system was found by Laxman Muthiyah, a bug bounty hunter.

He investigated the password recovery feature that allows users to regain access to their account after forgetting their password. This involves a user receiving a six-digit passcode to their smartphone for authentication.

He knew that a six-digit code meant there were a total of 1 million possible combinations that could be texted to account holders. In the worst case, all 1 million codes would need to be tried within the 10-minute window between the code being sent and the code expiring.

Although this seems impossible, it can be done as a mass brute-force campaign using an automated script and a cloud service account.

“In a real attack scenario, the attacker needs 5,000 IP [addresses] to hack an account,” he said. “It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.”

Instagram restricts log-in attempts from any one IP address; however, Muthiyah discovered that IP addresses which had exceeded the allowed number of attempts were not blacklisted for any period of time, which meant he could switch between IP addresses to keep the attack going continuously.

“I found two things that allowed me to bypass their rate-limiting mechanism: Race hazard and IP rotation,” he said. “Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited. The number of requests we can send is dependent on concurrency of requests and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need thousands of IPs to perform the attack.”
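The two bypasses described above, IP rotation and a race between concurrent requests, both defeat a limiter that counts attempts per source address and checks the counter non-atomically. The following is an added example written for this page, not code from Instagram or from Muthiyah’s report, showing the defender-side fix: the attempt budget is keyed on the issued code for the account (the source IP is deliberately not an input), check-and-increment happens under one lock so concurrent guesses cannot all slip past the cap, the code is single use, and it expires after the 10-minute window the post describes. The cap of five attempts, the account names and the simulated request volumes are assumptions constructed for the demonstration.

```python
import hmac
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 600      # the 10-minute validity window described in the post
MAX_ATTEMPTS_PER_CODE = 5   # assumed cap; what matters is that it is per issued code, not per IP


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class RecoveryCodeVerifier:
    """Verifies SMS recovery codes with a per-code attempt budget enforced atomically."""

    def __init__(self) -> None:
        self._codes: Dict[str, IssuedCode] = {}
        # One lock around check-and-increment closes the race window: two concurrent
        # guesses cannot both observe "attempts < MAX" and both be admitted.
        self._lock = threading.Lock()

    def issue(self, account: str, now: Optional[float] = None) -> str:
        """Generate a fresh code for the account (returned here only so the demo can use it)."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        with self._lock:
            self._codes[account] = IssuedCode(code=code, issued_at=now)
        return code

    def verify(self, account: str, candidate: str, now: Optional[float] = None) -> str:
        """Return one of: ok, wrong, locked, expired, no_active_code.

        The source IP is not a parameter on purpose: the budget is keyed on the
        account's active code, so rotating IPs buys an attacker nothing.
        """
        now = time.time() if now is None else now
        with self._lock:
            entry = self._codes.get(account)
            if entry is None or entry.consumed:
                return "no_active_code"
            if now - entry.issued_at > CODE_TTL_SECONDS:
                del self._codes[account]
                return "expired"
            if entry.attempts >= MAX_ATTEMPTS_PER_CODE:
                return "locked"          # budget spent: the user must request a new code
            entry.attempts += 1          # every guess, right or wrong, spends budget
            well_formed = len(candidate) == CODE_DIGITS and candidate.isdigit()
            if well_formed and hmac.compare_digest(entry.code, candidate):
                entry.consumed = True    # single use
                return "ok"
            return "wrong"


def brute_force_success_probability(attempts: int, digits: int = CODE_DIGITS) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(attempts, 10 ** digits) / 10 ** digits


def simulate_concurrent_guessing(n_requests: int, workers: int = 32) -> Dict[str, int]:
    """Fire n_requests distinct wrong guesses at one account concurrently and tally outcomes.

    Constructed scenario standing in for requests arriving from many rotating IPs at once.
    """
    verifier = RecoveryCodeVerifier()
    real_code = verifier.issue("victim")   # constructed account name
    wrong_guesses = [f"{i:0{CODE_DIGITS}d}" for i in range(n_requests + 1)
                     if f"{i:0{CODE_DIGITS}d}" != real_code][:n_requests]
    tally: Dict[str, int] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for outcome in pool.map(lambda g: verifier.verify("victim", g), wrong_guesses):
            tally[outcome] = tally.get(outcome, 0) + 1
    return tally


if __name__ == "__main__":
    # Only MAX_ATTEMPTS_PER_CODE guesses are ever evaluated; the rest are refused.
    print(simulate_concurrent_guessing(2000))
    print(brute_force_success_probability(MAX_ATTEMPTS_PER_CODE))   # capped limiter
    print(brute_force_success_probability(1_000_000))               # no effective limiter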

He reported the evidence to Facebook, which verified the issue, congratulated him, awarded him a $30,000 bounty and swiftly fixed the flaw.

“The Facebook security team was convinced after providing the above video of sending 200K valid requests,” Muthiyah said. “They were also quick in addressing and fixing the issue.”

Are other websites vulnerable to this threat?

There are many different forms of two-factor authentication, such as app-generated codes, physical security keys and email-based systems, but many 2FA schemes still use text-message verification with six-digit, one-time passcodes that expire within a few minutes. So how many services are vulnerable to the same kind of attack?

Almost all well-known websites use some form of two-factor authentication, and it is clearly more effective than a username and password alone, but attacks on 2FA are on the rise and many account-recovery systems are susceptible to phishing. With the number of websites using 2FA increasing, it is important that these flaws are found and eliminated quickly.

We have to bear in mind when online that although 2FA provides additional security it is not completely watertight.

Last year, an Android Trojan was exposed taking money from PayPal accounts even when 2FA was active. Posing as a battery-optimisation tool, the app asked for excessive accessibility permissions, allowing it to observe activity in other apps and wait for someone to open PayPal and log in.

What you can do

Google and Microsoft both offer authenticator apps you can use for an added layer of security, downloadable from the Microsoft Store and Google Play; however, where there is an app or a website, there is always a hacker trying to break the code and access your details. Get tips on how to stay safe online at https://www.getsafeonline.org/

More Hacking Victims Revealed After Another BA Website Hack


Have you used the British Airways website recently?

Debit and credit card details may have been stolen from over 185,000 customers after the British Airways website was hacked yet again.

It is estimated that 77,000 had their name, address, email address and detailed payment information taken, and a further 108,000 lost personal details.

This comes after a previous breach of its website earlier this year affecting 380,000 transactions, where passenger names and home addresses were compromised, as well as financial information, including debit and credit card numbers, expiry dates and CVV codes. In this instance, malicious code designed to ‘skim’ financial data was injected into the British Airways website without being detected.

Every website is built from code that determines its functionality and overall design, and malicious code can be injected into it. It is common for websites to embed multiple pieces of code from other sources or third-party suppliers, and hackers can exploit that trust to slip skimming code onto the page.
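One standard defence against a tampered third-party script is Subresource Integrity: the site owner records a hash of each embedded script, publishes it in the tag's `integrity` attribute, and the browser refuses to run the file if its content no longer matches. The following is an added example written for this page, not British Airways' code or any vendor's tooling; it computes the SRI value for a script, emits the tag, verifies a served copy against it, and audits a set of scripts against a recorded baseline. The script bodies, URLs and the "extra line" modification are constructed samples.

```python
import base64
import hashlib
import hmac
from typing import Dict

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # the digests SRI permits

# Constructed sample: a third-party checkout helper as it was when last audited.
TRUSTED_SCRIPT = b"window.checkout = function (form) { return submit(form); };\n"
# Constructed sample: the same file with one unexpected line appended; any change,
# however small, yields a different digest.
TAMPERED_SCRIPT = TRUSTED_SCRIPT + b"// unexpected extra line\n"


def sri_integrity(script: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value ('<algo>-<base64 digest>') for a script body."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Build the <script> tag; crossorigin is required for SRI on cross-origin resources."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


def integrity_matches(script: bytes, integrity: str) -> bool:
    """Check a fetched script body against a recorded integrity value (what the browser does)."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_integrity(script, algo), integrity)


def audit_scripts(baseline: Dict[str, str], fetched: Dict[str, bytes]) -> Dict[str, str]:
    """Compare scripts currently served against the recorded baseline.

    Returns 'unchanged', 'MODIFIED' or 'missing' per URL; a MODIFIED entry is the
    signal to investigate before the change reaches customers' browsers.
    """
    report: Dict[str, str] = {}
    for url, expected in baseline.items():
        body = fetched.get(url)
        if body is None:
            report[url] = "missing"
        elif integrity_matches(body, expected):
            report[url] = "unchanged"
        else:
            report[url] = "MODIFIED"
    return report


if __name__ == "__main__":
    url = "https://cdn.example.invalid/checkout.js"      # constructed URL
    recorded = sri_integrity(TRUSTED_SCRIPT)
    print(script_tag(url, recorded))
    print(audit_scripts({url: recorded}, {url: TRUSTED_SCRIPT}))
    print(audit_scripts({url: recorded}, {url: TAMPERED_SCRIPT}))
```

SRI only protects resources whose content is fixed at the time the hash is recorded, so a supplier that legitimately updates a script must ship a new hash with it; that is exactly the review step that turns an unexpected change into a detection rather than a silent compromise.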

Both attacks were carried out by the same perpetrators.

British Airways will be contacting the customers affected by this to inform them if their details have been stolen.

Unfortunately, British Airways is not the only company to experience this type of cyber attack, and such attacks are on the rise.

Once cyber criminals have personal data, it can be used to access bank and credit card accounts and make fraudulent purchases. Stolen data may also be sold on the dark web.

Some security experts suggest that it’s likely the data stolen by the British Airways hackers is already available for sale on the dark web.

There will be an investigation by the UK’s National Crime Agency and the Information Commissioner’s Office.

You can check if your personal data has been compromised by data breaches by using https://haveibeenpwned.com/

First Ever Apple Computer Reaches $375,000 At Auction


Designed and hand-built in 1976 by Apple co-founder Steve Wozniak, the Apple-1 was a bare circuit board supplied without a power supply, monitor or keyboard. It could be used for playing games, running the BASIC operating system or developing programs.

As a Hewlett-Packard employee, Wozniak originally offered HP the rights to the Apple-1. It declined.

To fund the project Wozniak sold his HP-65 calculator for $500 (£318), while Jobs sold his VW Microbus. A total of 200 units were built, of which 175 were sold.

It went on sale in 1976 for $666.66 (around £545) and it was the world’s first low-cost, assembled computer.

With the release of the Apple II, Jobs and Wozniak wanted to reclaim some of the original Apple-1 boards, so they offered trade-in discounts against the new model. The boards that were reclaimed were then destroyed, which explains why the product is so rare.

There are approximately 60 Apple-1 computers remaining, of which only eight are working examples. The Apple Registry keeps a list of them all.

The auction took place in Boston, Massachusetts, on Tuesday, and the final bid was won by an anonymous businessman who placed his bid online.

The highest price ever paid for an Apple-1 was $905,000 (£575,900) by the Henry Ford museum complex in October 2014.

In May 2015 a box of electronic goods was dropped off at a tech recycling business in Silicon Valley. The box contained a 1976 Apple-1, which was subsequently sold at auction for $200,000. Before chucking out or recycling computers, laptops, mobile phones, software or hardware, it’s worth doing a quick Google check to see whether they are an older, rarer technology that may fetch you a pound or two.