Hack News on social media

Hack News is available on social media as well. Now you never have to leave your favorite social network anymore, because Hack News is everywhere!

Follow us on Twitter: Hack News on Twitter

Visit our Facebook page: Hack News on Facebook

Subscribe to our Youtube channel: Hack News on Youtube

Browse our Instagram art: Hack News on Instagram

More art on Deviantart: Hack News on Deviantart

We are still expanding our social media presence, but our focus will be on these 5 networks for now. We especially recommend subscribing to our Youtube channel, because we will upload hacking tutorials there on a regular basis. So if you want to learn, make sure you stay up to date with us.

Is Bitcoin a curse or is it the future? And should you invest in it?

Probably one of the most discussed subjects online in recent years is Bitcoin. What do we think of it, and is it smart to invest money in it?

Bitcoin sent a shockwave through the financial world. Together with other cryptocurrencies it provided an alternative to the fiat currency markets and created an entirely new economy, one that is global and does not care about the economic situation of individual countries around the world.

But what is it? In simple terms, Bitcoin and other cryptocurrencies are blockchains: a chain made up of every transaction that ever happened, an algorithm and a huge amount of code. Nothing very special to the common man, but to computer technicians it is probably one of the most impressive things that ever happened.

Should you put your money in it? Especially over the last year the value of a single Bitcoin has risen to thousands of dollars. If you invested in Bitcoin at the start, and you bought a serious amount, you are likely laughing right now, because you made those millions. You are officially a millionaire and you did not really have to work for it. But what is its real, tangible value?

Really, the blockchain is nothing more than digital code. The only thing that makes a difference is that there is a limited number of coins available. You can mine coins, but the total amount of Bitcoin is a predefined number. For this reason, in a technical sense, it can only deflate, meaning the value should always become higher. The only thing needed for that is that it is used more. So as more stores start accepting it, the value will keep rising. As more miners and more buyers arrive, the value will keep on increasing. Focus on hyping it, and collectively you are forcing the world to make you a millionaire.

Both Bitcoin and the alternative coin Litecoin have now been embedded into the CFD market. Respected internet brokers like Plus500 allow you to invest in it without actually buying the coins; you simply buy the CFD contracts on the market. Using just 500 bucks you can invest in up to 100.000 dollars worth of Bitcoin. It works with a leverage system, and when it grows you make a huge profit. Want to learn more? Just visit that website. Big business is doing it, so why wouldn’t you?

On the other hand, it is just digital code, and in that respect there is not much difference from fiat currencies. It is not a real thing, like a house or a golden ring. It exists in the digital world and nowhere else. No matter how sophisticated the system is, in a true sense it is not much more than a number inserted in a digital database, like credits on a poker site, really. The big difference is that the blockchain is managed by all its users and is completely open, meaning every single event that ever happened is visible in the blockchain. Every payment, every coin mined, yes, really all of it.

So there is a system that is owned by the users, not so much by a single entity. Fiat currencies, like the dollar or the euro, are also just digital numbers. Everything is digitalized, meaning banks can simply change the number in the database and you are dependent on what happens next. There are financial watchdogs who make sure there is no abuse. But with the blockchain, every user is a watchdog.

How does it relate to precious metals like gold and silver? Traditionally these resources have been used as an alternative to fiat currencies. Whenever the economy went bad, investors jumped on the metal market and gold and silver would rise in value, because there are limited amounts as well, and those metals are tangible. You buy a silver coin, it’s a real coin, and it can be exchanged for money at millions of locations worldwide, usually at a rate that is very close to the market value. But gold can be mined as well, like cryptocurrencies, and there is no real way of knowing how much gold actually exists in the ground. So should a big discovery be made, the value might drop. However, countries around the world choose to keep their reserves in gold and silver, and they are used in industry, so there is something to be said for that.

At the moment I am writing this article the price of Bitcoin is close to 10.000 dollars per coin. The real remaining question is: is something digital, something invented by some random guy on the internet, really worth 10.000? I am not convinced of this. The hype is incredible and it is likely it will still grow bigger. So right now, yes, you can invest in it. Do not put all your hard-earned money in it, but get at least a bit of Bitcoin. As it hits the mainstream markets now, it will surely increase more and you will make a profit. But for the long term? No. Make that profit and get something tangible with it. Buy a house, or a piece of land. Why? Because that is not created out of thin air by some internet guru; it is something in the real world, and there is limited availability as well. And with real estate it is not a question of availability and demand: the demand will always increase in the long run, if the population grows.

Good luck!

The Tor browser could leak IP addresses for a while – Fixed now

Due to a bug in the Firefox browser, Tor Browser was leaking the IP addresses of its users if they made a mistake.
The bug was discovered by the Italian security researcher Filippo Cavallarin. The vulnerability resides in Firefox and therefore also affects Tor Browser, since the famous privacy-aware browser that allows users to surf the web anonymously uses Firefox at its core.

Dubbed TorMoil by the researcher, the vulnerability affects Tor Browser for macOS and Linux, not for Windows. The details of the flaw have not been publicly released, out of respect for the security and privacy of Tor users.

TorMoil is triggered when users click on links that begin with file:// addresses, instead of the more commonly used https:// and http:// addresses.

Tor released a fix for this shortly after:

“The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken,” the Tor Project said in a blog post.

“Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136.”

Tor’s statement said there is no evidence that the flaw has been actively exploited on the Internet or the dark web to obtain the IP addresses of Tor users. Of course, the lack of evidence doesn’t mean the flaw wasn’t exploited by law enforcement officers, private investigators, or stalkers. And now that a fix is available, it will be easy for adversaries who didn’t know about the vulnerability before to create working exploits.

The Tor Project has since released an updated version of the browser, Tor Browser 7.0.9. Since Windows users were not affected, they stay on the older version 7.0.8. If you do not know which version you have: the bug was discovered on Thursday, October 26, by Filippo Cavallarin, so everyone who installed Tor Browser before this date should update to the latest version.
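The leak above came from links whose scheme is not carried through the proxy at all: a file:// target is resolved by the local machine, not the Tor network. A defender who publishes content for anonymity-browser users can catch such links before anyone clicks them. The scanner below is an added example written for this page (it is not Tor Project code and does not reproduce the Firefox bug): it walks the links in a page, normalises each scheme (case, surrounding whitespace, relative URLs resolved against an assumed base) and reports everything that is not http or https. The HTML sample and the base URL are constructed for the example.

```python
"""Report links in a page whose scheme would bypass a SOCKS-proxied browser.

Added example, not Tor Project code: the check is a content-side control,
flagging file:// (and other non-http) targets before they reach a user.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Only these schemes are carried through the proxy; everything else is reported.
ALLOWED_SCHEMES = {"http", "https"}


class _LinkCollector(HTMLParser):
    """Collect href/src values from every start tag in the document."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value is not None:
                self.targets.append((tag, value))


def normalize_scheme(url, base):
    """Return the lower-case scheme of url resolved against base.

    Browsers ignore surrounding whitespace and scheme case when parsing an
    attribute value, so ' FILE://x' must be treated the same as 'file://x'.
    A relative link inherits the scheme of the page it sits on.
    """
    resolved = urljoin(base, url.strip())
    return urlsplit(resolved).scheme.lower()


def find_unproxied_links(html, base="https://example.onion/"):
    """Return [(tag, original_value, scheme)] for links outside ALLOWED_SCHEMES."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for tag, target in collector.targets:
        scheme = normalize_scheme(target, base)
        if scheme not in ALLOWED_SCHEMES:
            findings.append((tag, target, scheme))
    return findings


# Constructed sample page: two safe links and three that leave the proxy.
SAMPLE_HTML = """
<a href="/about">About</a>
<a href="https://example.org/page">Safe</a>
<a href="file:///etc/hostname">Open local file</a>
<a href=" FILE://share/doc.txt ">Upper-case scheme with whitespace</a>
<img src="ftp://mirror.example/logo.png">
"""

if __name__ == "__main__":
    for tag, url, scheme in find_unproxied_links(SAMPLE_HTML):
        print(f"{tag:<4} {scheme:<5} {url!r}")
```

Run as a script it lists the three offending links; the relative `/about` link is accepted because it resolves to the https base. The same function can be run over a site's templates in CI so that a file:// link never ships to users whose browser may still be unpatched.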

Sources:

Knack.be

The Hacker News

A Bug Bounty Hunter Gets Threatened With CFAA For Sharing Evidence

DJI, a Chinese drone manufacturer, had its private keys exposed publicly for years in code posted to GitHub by company developers: both the key for the “wildcard” certificate covering all the company’s web domains and the keys to cloud storage accounts on Amazon Web Services.

Kevin Finisterre used this data to reach important private information uploaded by DJI customers, such as images of flight logs, government IDs and passports, some even associated with military domains. When he found out the company had a bounty program, he applied for it. The program was launched after the US Army issued a ban on using DJI drones for any military purpose due to ‘operational security’ concerns. Firmware of DJI drones was also hacked, reports said.

DJI appreciated Finisterre’s finding that the company’s SSL certificates and firmware encryption keys had been exposed via GitHub for years and rewarded the bounty hunter with the $30,000 top prize. However, after exchanging 130 email messages with the company’s IT department and communicating with its legal department, which offered no legal protection for Finisterre’s research into the exposed data, the company stated that if the bounty hunter did not destroy all his findings he would face prosecution under the CFAA. Finisterre did not accept the agreement, since it included a threat and would have silenced him, and he decided to go public about it. He was called a ‘hacker’ for this, and the company acted as if it barely knew who he was, despite the 130 exchanged email messages concerning the exposed data.

DJI’s Phantom brand quadcopter drone

As you will all remember, last April, Marcus Hutchins, a British cybersecurity researcher, was arrested by the FBI at a Las Vegas airport while he was returning home from the annual Def Con hacking conference. He was the researcher who discovered a hidden ‘kill switch’ for WannaCry that stopped this worldwide ransomware attack, which had caused a lot of damage. The authorities accused him of being part of this attack, as the creator of the Kronos malware that caused it.

Cases like these discourage security researchers from finding out about a problem and reporting it. While the issue got resolved in both cases thanks to researchers, they were threatened, silenced and even faced trial and possible jail time.

There is a high threat from drones used by the military in areas where civilians live, causing many lost lives. When the sensitive data cannot be protected, it would be even more dangerous in the event of malicious attacks. Security researchers are an important part of preventing such threats.

Sources:

http://www.realclearlife.com/technology/marcus-hutchins-wannacry-ransomware-arrested/

https://www.buzzfeed.com/kevincollier/wannacry-malware-hero-likely-considering-plea-deal-on

https://arstechnica.com/information-technology/2017/11/dji-left-private-keys-for-ssl-cloud-storage-in-public-view-and-exposed-customers/

https://www.techdirt.com/articles/20171117/11504938638/drone-maker-dji-offers-bug-bounty-program-then-threatens-bug-finder-with-cfaa.shtml

https://www.thebureauinvestigates.com/stories/2017-01-17/obamas-covert-drone-war-in-numbers-ten-times-more-strikes-than-bush

http://www.independent.co.uk/news/world/americas/us-politics/donald-trump-civilian-deaths-syria-iraq-middle-east-a7649486.html

Equifax Has Sold Private Data Including Salary Details of Millions of Employees To Other Companies

An Equifax-owned company called Workforce Solutions, also known as The Work Number (TALX), sold employees’ salary data to debt specialists, financial service companies, and other organizations. Facebook Inc. is one of the companies buying such data, despite the fact that the U.S. Federal Trade Commission put Facebook on privacy probation.

It is well known that social media such as Facebook now encourage their users to share their private data online. These sites’ entire policies are based on encouraging their customers to share their private lives as much as possible. The data shared (most of the time voluntarily) is sent to several organizations and companies regardless of users’ consent. Even though social media users share their private lives online, salary is one of the sacred areas to most people, who would not want to post publicly how much they earn. Facebook has been buying data from Equifax and also selling all the private data it collects from its users back to several companies, including Equifax, which suffered a breach exposing 143 million Americans’ private information.

The Equifax Work Number database now contains over 296 million employment records, covering employees at all wage levels, from CEOs to interns. Considering how loose their security is, as is apparent from breaches, it is not even a surprise that there was unauthorized access to employee tax records lasting over a year, from April 2016 to May 2017. Cybersecurity expert Brian Krebs states that ‘crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees,’ to breach TALX’s databases, the Tax Form Management platform. He said that because of this method of breaching, Equifax has no idea how many employees were affected by it. Krebs also reported that last September a research team was able to access 14,000 consumer records after slipping into an online portal where Equifax employees in Argentina manage credit report disputes from consumers, as the password combination was set to an easy guess, admin/admin.

Equifax-owned The Work Number has such a detailed database of the salary data it puts on sale that it shows week-by-week data for years, health care providers, types of health care coverage, unemployment claim filings and more. The data The Work Number owns and sells includes 12 million records.

Equifax can easily get and store such private and hidden information through thousands of U.S. businesses, including Fortune 500 companies, government agencies (who hold 85 percent of the entire country’s population), the Department of Defense and even schools. These sectors and people let Equifax tap directly into their data so that the credit bureau can have the latest job information, and they even pay for Equifax to own their workers’ private information, as they see it as a privilege. Once Equifax collects the private data, it sells the data to third parties such as debt agents, social media giants like Facebook Inc., and various companies providing financial services.

A good example is Facebook employees. A typical employee at Facebook may require verification of his employment through TALX when he applies for a loan, public aid, or a new job. If his new prospective employer is among the 70,000 approved entities in Equifax’s verifier network with a “permissible purpose”, that company can purchase his employment and income information for about $20. Prospective landlords can verify an applicant’s income through The Work Number, and human resources departments can examine an applicant’s background information much more cheaply.

How the Work Number process works, according to a 2007 slide about Equifax’s $1.4 billion acquisition of TALX that year. Image: SEC

Of course, with data gathering accounting for more than a fifth of the firm’s $3.1 billion revenue last year, TALX is one of the most profitable businesses of Equifax. Rick Smith, Equifax’s former CEO, said at an event at the University of Georgia in August: “That acquisition, by the way—I don’t know if I’m proud of this or not—but it’s worth about $9 billion today.”

Equifax has already confirmed in an emailed statement to News that it shares ‘job data’ with debt collectors and others in accordance with Fair Credit Reporting Act guidelines.

Despite the fact that the Work Number database, with its large collection of private data and little to no protection for it, presents a continuous threat to both employees and consumers, the Work Number stated it will continue to supply such data to its customers, sale of the data included.

Such private data being shared by financial companies means your health status, credit history, financial status, debts, salary, bank accounts and several other private details about your life are exposed to many organisations and companies. When, for instance, you fail to pay your credit card debt or hospital bill, the companies can withdraw this amount from your bank account and you won’t even realize it unless you see a detailed account report.

At this point there does not seem to be a real solution to this big scandal concerning the violation of private data, since the Federal Trade Commission (FTC), which is supposed to take care of such issues, also sends its employees’ data to Equifax and is an Equifax client as well. The FTC regularly sends wage and work information about its attorneys and staff members to the Work Number database.

Trade specialists describe one of the biggest scams of our century, concerning the violation of companies’ customer-related data, as a ‘secret CIA’, since it is being done legally and nobody does anything to prevent it.

Sources:

https://www.fastcompany.com/40485634/equifax-salary-data-and-the-work-number-database

https://krebsonsecurity.com/2017/10/equifax-breach-fallout-your-salary-history/

https://www.nbcnews.com/technology/exclusive-your-employer-may-share-your-salary-equifax-might-sell-1B8173066

Facebook creates scary “shadow profiles” with information you never wanted to give

Everyone already knows Facebook is obsessed with collecting your private information. Data collection seems to be the primary business goal of this company these days. However, what most people do not know is that Facebook does not just collect and archive data taken from your profile. No, Facebook actually keeps huge databases of so-called “shadow profiles”. These profiles contain information you never gave to them; in fact we are pretty sure you would never allow them to have it.

For example, Facebook is a major customer of third-party data brokers, which compile huge dossiers on people based on their spending, internet and phone usage, employment history and so on. In addition, Facebook encourages users to upload their entire address books to its system to “find your friends,” and while doing this, most Facebook users do not realize that they are leaking sensitive information, including nicknames, private numbers, and connections, to the system.

Facebook mines this data to create the “shadow profiles” of its billions of users. And yes, these profiles are literally filled with data about you that you have never consciously provided to the system. It is data mined from third parties, including your friends, but also those spooky data brokers we mentioned before. Facebook’s shadow profile system was first confirmed in 2013, when it accidentally leaked all of the users’ shadow profiles to them along with their own data. Something the company says it will never do again, out of (ironic) respect for the privacy of the people who provided the data that goes into your shadow profile.

The “shadow profiles” are involuntary and there’s no opt-out. Facebook even has shadow profiles on people who don’t use the service. For example, even though I’m not a Facebook user anymore, multiple people have uploaded their address books containing my email and phone number to the system, thus allowing Facebook to create a profile of my contacts by looking at who lists me as a contact.

Of course Facebook doesn’t like, and doesn’t use, the term “shadow profiles”, because it sounds like Facebook creates hidden profiles for people who haven’t joined the network, which Facebook says it doesn’t do. Of course the company is not being honest about this, as I just explained.

Most users remain unaware of the reach and power of the “shadow profiles”. Because shadow-profile connections happen inside Facebook’s algorithmic black box, people can’t see how deep the data mining of their lives truly goes, until an uncanny recommendation pops up.

Scary examples (quotes from Gizmodo):

  • A man who years ago donated sperm to a couple, secretly, so they could have a child—only to have Facebook recommend the child as a person he should know. He still knows the couple but is not friends with them on Facebook.
  • A social worker whose client called her by her nickname on their second visit, because she’d shown up in his People You May Know, despite their not having exchanged contact information.
  • A woman whose father left her family when she was six years old—and saw his then-mistress suggested to her as a Facebook friend 40 years later.
  • An attorney who wrote: “I deleted Facebook after it recommended as PYMK a man who was defense counsel on one of my cases. We had only communicated through my work email, which is not connected to my Facebook, which convinced me Facebook was scanning my work email.”

As expected, Facebook does what it can to underplay how much data it gathers through contacts, and how widely it casts its net. “People You May Know suggestions may be based on contact information we receive from people and their friends,” Facebook spokesperson Matt Steinfeld wrote in an email.

So how do you stop Facebook from collecting data? Contact every person you know who ever received your contact information and uploaded it to Facebook and ask them to go to Facebook’s contact management page and delete it. That is really the only way.

Just don’t miss anyone. “Once a contact is deleted, we remove it from our system, but of course it is possible that the same contact has been uploaded by someone else,” Steinfeld wrote in an email.

Sources: BoingBoing, Gizmodo

SQL injection tutorial – A step by step guide (4 parts)

Are you interested in learning about hacking? Perhaps you imagined hacking a website and uploading your own custom message to it? Today we want to introduce you to SQL injection. The guide below comes in 4 parts and takes you from beginner to advanced in less than an hour. The final part is about uploading a shell as an image.

Remember, these tutorials are for educational purposes only.

SQL injection tutorial – A step by step guide – Part 1:

SQL injection tutorial – A step by step guide – Part 2:

SQL injection tutorial – A step by step guide – Part 3:

SQL injection tutorial – A step by step guide – Part 4:
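To go with the tutorial above, here is an added example written for this page (it is not code from the videos) showing the single mistake that makes SQL injection possible, beside the fix. An in-memory SQLite table stands in for a web application's user table; the table contents and the account names are constructed for the example. The vulnerable function pastes user input straight into the query text, so the classic `' OR '1'='1` input rewrites the WHERE clause and returns every account; the safe function passes the same input as a bound parameter and the database treats it as a plain string.

```python
"""Vulnerable login query beside its parameterised fix (added example).

Not code from the tutorial videos: SQLite stands in for a real web backend so
the behaviour of both query styles can be observed on the same input.
"""
import sqlite3

# Constructed sample accounts. Real systems store password hashes, never
# plaintext; plaintext is used here only so the query logic stays visible.
USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db():
    """Create an in-memory database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Build the statement by string concatenation: input becomes SQL.

    Returns the usernames the query matches. With a crafted password the
    WHERE clause is rewritten and every row matches; a stray quote in a
    normal name (o'brien) breaks the statement and raises an error instead.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Bind the values as parameters: the driver keeps them out of the SQL.

    The statement text is fixed; username and password travel separately, so
    quotes and keywords in the input are compared as data, never parsed.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "alice", crafted))  # both accounts
    print("safe      :", login_safe(conn, "alice", crafted))        # no match
    print("safe, real credentials:", login_safe(conn, "alice", "s3cret"))
```

The point for code review is that the fix is not escaping or filtering the input but keeping the statement text constant; every database driver offers parameter binding, and a query that is assembled from request data by string concatenation or formatting is the thing to flag.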

Million Mask March 2017 – The day activists and hackers unite and march together

There is one day each year that is special to both activists and hackers. Every year on that day they unite and march together, all over the world, to fight against censorship and oppression. They are united by hiding their faces, walking anonymously through each big city, showing the world they exist.

It started small, a few years ago, with an operation called #OpVendetta, created by the collective Anonymous. This collective is often portrayed by the media as some sort of shady hacker group, but really Anonymous is just an idea. Everyone can be anonymous, and it doesn’t have any members or leaders. People involved with Anonymous hide their identities, for safety reasons, but also to be united as one: to show they do not act as separate entities, but rather as one big block.

Over the years the operation once known as #OpVendetta became famous as the Million Mask March. The name #OpVendetta of course refers to the movie V for Vendetta, which ends with thousands of people marching while wearing Guy Fawkes masks. It became a symbol for global protest in large numbers. Nowadays the Million Mask March attracts thousands, some say millions, of activists all over the world, mostly marching in their capital cities, but marches also exist in smaller cities.

The protest marches do not carry any group opinion. It is said that you can join the march for whatever reason you want. Most of the activists march for their freedom and to combat censorship, but it is not necessarily limited to that. In the last few years there have been many animal rights activists as well, for example. What unites everyone is the concept of anonymity.

Do you want to know if there is a march close to you? The easiest thing you can do is go to Facebook, then type Million Mask March Yourcityname to find a march you can visit. Also search for the hashtags #millionmaskmarch or #mmm2017 on Instagram or Twitter. You will see many people advertising their marches or talking about this subject. Even if you don’t plan to march, it is truly an event that touches the hearts of everyone.

The Antikythera Mechanism – The 2000 year old computer

Often when we study ancient cultures we automatically assume that we are way ahead of them, and that they were not very advanced. We treat them as “barbarians” without any evidence for it. However, sometimes an artifact is found that proves quite the opposite. This article is about one of those artifacts, called the Antikythera Mechanism.

For many decades, scientific investigation failed to yield much data and relied more on imagination than on facts. However, research over the last half century has begun to reveal its secrets. The single most information-rich machine, dated to around the end of the 2nd century B.C., is the most sophisticated mechanism known in the ancient world. Nothing as complex is known for the next thousand years. The shoe-box-sized bronze mechanism, with its inscriptions barely readable and its 30 bronze gears bearing thousands of interlocking tiny teeth calcified, was uncovered from the shipwreck at Antikythera, Greece, in 1901. The underwater excavation revealed beautiful bronze sculptures, ropes of decadent jewelry and a treasure trove of antique coins.

The reconstruction of the Antikythera Machine

X-ray analysis of the Antikythera Machine, made by ancient Greek scientists and increasingly looking like the “philosopher’s guide to the galaxy,” as the Associated Press described it, revealed the text of a long explanatory “label” which helped us understand that it was dedicated to astronomical phenomena and operated as a complex mechanical “computer” that tracked the cycles of the Solar System. It had dials that counted the days according to at least three different calendars, and another that could be used to calculate the timing of the Olympics. In addition to two rectangular plates that could be called the front and back dials, there was an inscription which listed annually repeating astronomical events relating to the Sun and to the fixed stars, while text relating to lunar eclipses probably ran down one side of the plate and that for solar eclipse prediction down the other.

The front dial was surrounded by two scales, one representing the zodiac, the other the Egyptian calendar year. Pointers representing the stars and planets revolved around its front face, indicating their position in relation to Earth. The back plate has two large spiral dials. A tiny, painted model of the moon rotated on a spindly axis, flashing black and white to mimic the real moon’s phases. On this face, the upper five-turn Metonic Dial, which included the ‘Games’ dial, represented a 235-lunar-month calendrical cycle, while the lower four-turn Saros Dial, including the Exeligmos Dial, represented a 223-lunar-month eclipse prediction cycle. It was planned as a 76-year “Kallippic” calendrical cycle. The Games dial alone shows six Olympic competitions. The machine clearly showed the motion of planetary systems, possibly including Venus and Saturn as well.

Before the discovery of the device, researchers thought such technology had not existed until 1,000 years later.

All known fragments of the Antikythera Mechanism are currently held for research at the National Archaeological Museum in Athens.

Watch the documentary here:

Do you want to learn more about this amazing find? We recommend reading up on Wikipedia. There are also great articles about it that give you a lot of information.

Find the wikipedia article here:
https://en.wikipedia.org/wiki/Antikythera_mechanism

The official website about this subject can be found here:

http://www.antikythera-mechanism.gr/project/overview

The scientific article on the subject can be found here: http://www.hpdst.gr/publications/almagest/issues/7-1

Further reading:

https://www.washingtonpost.com/news/speaking-of-science/wp/2016/06/14/the-worlds-oldest-computer-is-still-revealing-its-secrets/?utm_term=.265401683740

http://www.independent.co.uk/news/science/world-s-oldest-computer-used-to-read-the-stars-and-tell-the-future-new-study-reveals-a7079616.html

http://www.euronews.com/2016/06/22/is-this-2000-year-old-tool-the-world-s-oldest-computer

Sources: Youtube, Wikipedia

Microsoft Engineer installs Google Chrome when Microsoft Edge crashes during presentation – Hilarious!

Microsoft presenter Michael Leworthy was giving a presentation showing the new features of Microsoft Azure. During his presentation, Edge, the web browser Microsoft has been presenting as the best browser in the world, suddenly crashed. Leworthy was forced to install Google Chrome to finish his presentation.

While people in the audience were giggling, the Microsoft engineer tried to continue presenting as if nothing had happened. It shows, however, how Microsoft (and other companies) have been struggling to keep up with Google. Chrome is the most popular web browser in the world, leaving the competition far behind.

Michael Leworthy was man enough to upload the presentation himself, showing Microsoft does have some sense of humour. Then again, the presentation does not say anything negative about Azure. So if the video goes viral, they might still get some sales from it.

Watch the full presentation below. The funny stuff happens at around 37 minutes:

Microsoft, once known as the most powerful tech company in the world, has been struggling to regain its focus. Their operating systems are still the most widely used, but they seem to be having some issues with their other products.

Bad business moves, like replacing Windows Live Messenger with Skype, or repeatedly changing the name of the most popular e-mail service in the world, Hotmail, did not do them any good either, especially because they did this during the rise of Gmail, allowing Google to take over their territory on the market at an amazing speed.

We honestly hope that some day Microsoft will again become the giant it once was. And if not, then at least we got some funny videos like the one above. That is worth something as well.

Sources: The Hacker News, Youtube