Hacking the Furbo Dog Camera: Part I

The Furbo is a treat-tossing dog camera that originally started gaining traction on Indegogo in 2016. Its rapid success on the crowdfunding platform led to a public release later that year. Now the Furbo is widely available at Chewy and Amazon, where it has been a #1 best seller. The Furbo offers 24/7 camera access via its mobile application, streaming video and two-way audio. Other remote features include night vision, dog behavior monitoring, emergency detection, real-time notifications, and the ability to toss a treat to your dog. Given the device's vast feature set and popularity, Somerset Recon purchased several Furbos to research their security. This blog post documents a vulnerability discovered in the RTSP server running on the device. The research presented here pertains to the Furbo model: Furbo 2.

Once we got our hands on a couple of Furbos we began taking a look at the attack surface. Initially, the Furbo pairs with a mobile application on your phone via Bluetooth Low Energy (BLE), which allows the device to connect to your local WiFi network. With the Furbo on the network a port scan revealed that ports 554 and 19531 were listening. Port 554 is used for RTSP which is a network protocol commonly used for streaming video and audio. Initially the RTSP service on the Furbo required no authentication and we could remotely view the camera feed over RTSP using the VLC media player client. However, after an update and a reset the camera required authentication to access the RTSP streams.

https://www.somersetrecon.com/blog/2021/hacking-the-furbo-part-1

#hacking #furbo #camera
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Facebook Dangerous Individuals and Organizations List

https://theintercept.com/document/2021/10/12/facebook-dangerous-individuals-and-organizations-list-reproduced-snapshot/

#facebook #DeleteFacebook #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Influence government: exploring practices, ethics, and power in the use of targeted advertising by the UK state.

PDF: https://www.sccjr.ac.uk/wp-content/uploads/2021/09/SCCJR-Briefing-Paper_Influence-Government.pdf

💡 Read as well:
From Surveillance Capitalism to “Influence Government”: Using Microtargeted Ads to “Nudge” People’s Everyday Behavior
https://t.iss.one/BlackBox_Archiv/2562

#surveillance #capitalism #influence #uk #government #microtargeting #ads #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Kim Dotcom: The Most Wanted Man Online (Cyber Crime Documentary)

A true-crime documentary, but with a cyber twist!

Tech entrepreneur and owner of the popular file-sharing site, MegaUpload, Kim Dotcom arrived in New Zealand with his family in late 2010. Seeking peace and quiet, Dotcom rented the largest mansion in the land and settled down into an extravagant, luxurious life with his family.

In January 2012, it all came crashing down. At the FBI's behest, 70 heavily armed officers stormed the mansion, arresting Dotcom and his coders on a range of charges relating to alleged copyright infringement by MegaUpload.

https://devtube.dev-wiki.de/videos/watch/7548c758-a752-4e80-9c72-6d90e82353a6

#truecrime #cybercrime #dotcom #MegaUpload #docu #video
🎥@cRyPtHoN_INFOSEC_FR
🎥@cRyPtHoN_INFOSEC_EN
🎥@cRyPtHoN_INFOSEC_DE
🎥@BlackBox_Archiv

Customers On Alert as E-Commerce Player Leaks 1.7+ Billion Records

A Brazilian e-commerce firm has unwittingly exposed close to 1.8 billion records, including customers’ and sellers’ personal information, after misconfiguring an Elasticsearch server, according to researchers.

A team at SafetyDetectives led by Anurag Sen made the discovery in June and quickly traced the leak back to Hariexpress — a firm that allows vendors to manage and automate their activity across multiple marketplaces, including Facebook and Amazon.

Although the firm replied to the researchers just four days after they alerted it to the leak in early July, it was subsequently uncontactable. Infosecurity is currently trying to confirm if the issue has been fixed or not.

The server was left unencrypted with no password protection in place. It contained 610GB of data, including customers’ full names, home and delivery addresses, phone numbers and billing details. Also exposed were sellers’ full names, email and business/home addresses, phone numbers and business/tax IDs (CNPJ/CPF).

SafetyDetectives could not confirm the total number of those affected due to the size of the trove and the potential for duplicate email addresses.

“A data breach of this magnitude could easily affect hundreds of thousands, if not millions of Brazilian Hariexpress users and e-commerce shoppers. Hariexpress’ leaked server’s content could also affect its own business,” it claimed.

“We cannot know whether unethical hackers have discovered Hariexpress’ unsecured Elasticsearch server. Users, couriers, consumers, and Hariexpress itself should understand the risks they could face from this data breach.”

These include phishing and social engineering attempts built around legitimate user and business details, tax rebate and returns scams using CPF information, and even theft of items from the homes of customers who ordered high-value goods.

https://www.infosecurity-magazine.com/news/ecommerce-player-leaks-billion/

💡 Read as well:
[Reported] - Breach Exposed records from Brazil E-commerce platforms including MercadoLivre, amazonBR and many other.
https://t.iss.one/BlackBox_Archiv/2567

#brazil #breach #MercadoLivre #amazonBR #hariexpress
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

redact: tool for building decentralized, end-to-end encrypted websites

Hello Rust community! I'm very excited to show off for the first time a passion project a friend and I have been working on for about 4 months now, called Redact.

Redact is a tool for building end-to-end encrypted, zero-trust websites. By end-to-end encrypted we mean that not only is your connection to the website server protected by TLS, but each individual input field, and any user-submitted data displayed on the page, is a black-box inaccessible by either the host's server or the host's client-side Javascript. Websites that use Redact will store references to data in their databases, place those references in their HTML, and the user's device fills in the blank in an opaque way when the page loads. We do this with no Javascript and no in-browser encryption. We're like Signal/Telegram but for entire websites instead of just messaging. This is paired with a CRUD-only, encrypted storage provider that can be either third-party owned, or for the technically savvy, run solely by the user.

This project was initially motivated as a response to the large number of data breaches and data privacy concerns that have arisen in the last few years. The fundamental question we wanted to answer was: how can we keep the utility and rich content experience of a website in a modern browser, while at the same time assuring that a user's data cannot be stolen or unethically used? Our proposed solution is Redact.

We believe this project fits squarely within the "web3" space. Although we don't use blockchains, our project assumes zero-trust, decentralizes the storage of user data, and allows users to be self-sovereign by giving them ownership and control of their data

What we're looking for now is to see if anyone else sees this as a valuable idea, get feedback as to our architecture, and hear out any criticisms (some of which we already anticipate).

💡 You can find more information about how it works here: https://redact.ws/how-it-works

And if you're feeling brave, you can try connecting to the first ever "redacted" website by following our getting started docs here: https://docs.redact.ws/en/latest/getting-started.html

💡 Codebases:

— Local client: https://github.com/pauwels-labs/redact-client.git

— Storage server: https://github.com/pauwels-labs/redact-store.git

— Library that allows us to fluidly serialize, deserialize, and CRUD encrypted data: https://github.com/pauwels-labs/redact-crypto.git

https://old.reddit.com/r/rust/comments/q79grm/redact_tool_for_building_decentralized_endtoend/

#redact #encryption #websites
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Darknet Diaries - EP 102: Money Maker

Frank Bourassa had an idea. He was going to make money. Literally. Listen to the story of a master counterfeiter.

https://darknetdiaries.com/episode/102/

💡 Read as well:
On Master Counterfeiter Frank Bourassa
https://www.loyalnana.com/stories-1/2019/2/25/on-master-counterfeiter-frank-bourassa

#truecrime #darknetdiaries #podcast
🎙@cRyPtHoN_INFOSEC_FR
🎙@cRyPtHoN_INFOSEC_EN
🎙@cRyPtHoN_INFOSEC_DE
🎙@BlackBox_Archiv

Restor is a science-based open data platform to support and connect the global restoration movement

Restor is accelerating the global restoration movement by connecting everyone, everywhere to local restoration. Restor connects people to scientific data, supply chains, funding, and each other to increase the impact, scale, and sustainability of restoration efforts. We believe that anyone can be a restoration champion, including you.

https://www.restor.eco/

#restor #nature #restoration #movement #video
🎥@cRyPtHoN_INFOSEC_FR
🎥@cRyPtHoN_INFOSEC_EN
🎥@cRyPtHoN_INFOSEC_DE
🎥@BlackBox_Archiv

Unique on Facebook: Formulation and Evidence of (Nano)targeting Individual Users with non-PII Data

The privacy of an individual is bounded by the ability of a third party to reveal their identity. Certain data items such as a passport ID or a mobile phone number may be used to uniquely identify a person. These are referred to as Personal Identifiable Information (PII) items.

Previous literature has also reported that, in datasets including millions of users, a combination of several non-PII items (which alone are not enough to identify an individual) can uniquely identify an individual within the dataset. In this paper, we define a data-driven model to quantify the number of interests from a user that make them unique on Facebook.

https://arxiv.org/abs/2110.06636

#facebook #DeleteFacebook #nanotargeting #targeting #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

If you need another reason to switch to Tor Browser, check out @arthuredelstein's https://privacytests.org, an open-source tool using rigorous automated privacy tests to find out what kind of data different browsers leak.

https://nitter.pussthecat.org/torproject/status/1448411718749593604

via Twitter

https://privacytests.org/

#browser #privacy #tor
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Leave no trace: how a teenage hacker lost himself online

Edwin Robbe had a troubled life, but found excitement and purpose by joining an audacious community of hackers. Then the real world caught up with his online activities

José Robbe was leaving her place of work in Rotterdam when she saw a man and a woman walking towards her. It was a Tuesday afternoon, 20 March 2012. “Are you Mrs Robbe?” She nodded. The woman, who was wearing jeans and a black windcheater, explained that she was with the police. “I’d like to talk to you for a minute. It’s about your son, Edwin. We’re arresting him.” José stared, frozen. The woman asked if she would accompany them. Warily, José agreed.

At the police car, the officer told her they intended to surprise her son at the family home in Barendrecht, just south of Rotterdam, and arrest him on the spot. She asked if José wanted to be there for her son’s arrest. “No,” she replied grimly. It felt as if she had just betrayed her son. To stand by and watch would make it even worse. The police asked José for her house keys and dropped her off at a plaza by the local supermarket a few blocks from her house. She felt terrible as the officers drove away to arrest her eldest child, just a troubled 17-year-old. A little while later, three officers emerged from the house, escorting Edwin between them. He offered no resistance.

Edwin was taken to a detention centre in Houten, near Utrecht. Once he was gone, José finally re-entered her house. She sat on the living-room sofa, watching as officers rummaged through cabinets, filed up and down the stairs and bagged up flash drives, CD-Roms and telephones.

https://www.theguardian.com/technology/2021/oct/14/leave-no-trace-how-a-teenage-hacker-lost-himself-online

#teen #hacker
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

UK schools will use facial recognition to speed up lunch payments

Facial recognition may soon play a role in your child's lunch. The Financial Times reports that nine schools in the UK's North Ayrshire will start taking payments for canteen (aka cafeteria) lunches by scanning students' faces. The technology should help minimize touch during the pandemic, but is mainly meant to speed up transaction times. That could be important when you may have roughly 25 minutes to serve an entire school of hungry kids.

Both the schools and system installer CRB Cunningham argued the systems would address privacy and security concerns. CRB Cunningham noted its hardware wasn't using live facial recognition (actively scanning crowds), and was checking against encrypted faceprint templates. Schools were already using fingerprint readers, too, so this was more of a shift in biometric technology than a brand new layer of security. There were also concerns about fraud using conventional PINs — facial recognition is theoretically safer. North Ayrshire's council added that 97 percent of children or parents had offered consent.

https://telegra.ph/UK-schools-will-use-facial-recognition-to-speed-up-lunch-payments--Engadget-10-18

via www.engadget.com

#uk #facial #recognition
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

DPC sent "take down request" to noyb, after publishing a problematic Draft Decision stripping Facebook users of their rights under GDPR

Yesterday night, the Irish Data Protection Commission (DPC) sent an extraordinary letter (PDF) to noyb, saying it would "require [noyb] to remove the draft decision from your website forthwith, and to desist from any further or other publication or disclosure of same". noyb refused to self-censor and limit the public's access to problematic decisions. Alternatively, noyb invited the DPC to bring legal proceedings before the relevant Court in Austria, instead of sending letters that are intended to intimidate complainants.

— Take Down" request by the DPC of 14.10.2021 (PDF)
— Response by noyb of 15.10.2021 (PDF)
— noyb's posting on the draft decision

https://noyb.eu/en/dpc-requires-noyb-take-down-documents-website

#schrems #noyb #dpc #irland #austria #gdpr #facebook #DeleteFacebook #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Disinformation guru “Hacker X” names his employer: NaturalNews.com

Statement: 10/18/21

I decided to write this statement after seeing the continued escalation of dis/misinformation towards innocent bystanders, my background, and who the organization is/was. After reading many comments on the Ars article, I realize that many people feel that I am protecting the organization by not naming them. Some also feel that my coming forward was about me seeking to redeem myself publicly, and this couldn’t be further from the truth; I personally was on nobody’s radar prior to voluntarily coming forward, this was completely unforced. I came out a couple years ago masked, and I feel like I had to come forward unmasked to inform the public on how this news traveled, the mechanisms behind it, and the role I played in one of the organizations at the time, so the public could piece together what happened to better understand how to fight it and to help wake people up who are actively being manipulated. I knew there would be fallout from this, and if anyone thinks someone is willing to go under the constant horrible threats that I have gone under willingly to try to wake people up, I don’t know what more I can say.

I see things mentioned about money. I made very little money from this, I was frugal and saved, which is how I was able to have enough to get into the infosec industry full time.

I am seeing many conspiracy theories about Ax Sharma. Ax and I are not the same person. There wasn’t any ‘conspiracy’ associated with the article, or anything between him and I. He was wrongfully fired from Ars Technica. The only times I have spoken to Ax have been him getting quotes from me or asking me something about an article he was doing involving the hacking group I’m a part of.

https://robertwillishacking.com/statement-10-18-21/

#disinformation #hackerX #hacker #infosec #NaturalNews
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Ongoing Cyber Threats to U.S. Water and Wastewater Systems

Note: This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) to highlight ongoing malicious cyber activity—by both known and unknown actors—targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. Note: although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.

To secure #WWS facilities—including Department of Defense (#DoD) water treatment facilities in the United States and abroad—against the TTPs listed below, #CISA, #FBI, #EPA, and #NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory.

https://us-cert.cisa.gov/ncas/alerts/aa21-287a

#usa #cyber #threats
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Agencies say agriculture groups being targeted by BlackMatter ransomware

A trio of federal agencies on Monday sounded the alarm about critical infrastructure groups, particularly agricultural organizations, being targeted by a prolific ransomware group.

The FBI, the Cybersecurity and Infrastructure Security Agency #CISA and the National Security Agency #NSA put out a joint advisory warning of targeting by “ #BlackMatter ransomware,” connecting the group to previous attacks this year.

“Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations,” the agencies wrote.

https://thehill.com/policy/cybersecurity/577266-agencies-say-agriculture-groups-being-targeted-by-blackmatter-ransomware

https://us-cert.cisa.gov/ncas/alerts/aa21-291a

#usa #cyber #ransomware #cisa #fbi #cybersecurity #agriculture #blackmatter
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Sinclair Broadcast Group says it suffered a ransomware attack and has had data stolen

Sinclair Broadcast Group, which operates dozens of TV stations across the U.S., said Monday that some of its servers and work stations were encrypted with ransomware and that some of its data was stolen from the company's network.

The company said it started investigating the potential security incident on Saturday and on Sunday it and found that certain office and operational networks were disrupted.

The Hunt Valley, Maryland-based company owns and/or operates 21 regional sports network and owns, operates and/or provides services to 185 television stations in 86 markets.

The broadcast group, which is known for pushing a conservative viewpoint through editorials and reports that it compels its stations to run, did not immediately say how many TV stations were directly affected.

Nashville, Tennessee's WZTV put out a notice on its website Monday about "serious technical issues" at the TV station affecting its ability to stream content.

"We are also currently unable to access our email and your phone calls to the station," it said.

https://www.npr.org/2021/10/18/1047071268/sinclair-broadcast-group-ransomware-attack

#ransomware #usa #WZTV #sinclair #broadcast
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Credit card PINs can be guessed even when covering the ATM pad

Researchers have proven it’s possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands.

The attack requires the setting up of a replica of the target ATM because training the algorithm for the specific dimensions and key spacing of the different PIN pads is crucially important.

Next, the machine-learning model is trained to recognize pad presses and assign specific probabilities on a set of guesses, using video of people typing PINs on the ATM pad.

For the experiment, the researchers collected 5,800 videos of 58 different people of diverse demographics, entering 4-digit and 5-digit PINs.

The machine that ran the prediction model was a Xeon E5-2670 with 128 GB of RAM and three Tesla K20m with 5GB of RAM each. Certainly not your average system, but well within a practical economical spectrum.

By using three tries, which is typically the maximum allowed number of attempts before the card is withheld, the researchers reconstructed the correct sequence for 5-digit PINs 30% of the time, and reached 41% for 4-digit PINs.

The model can exclude keys based on the non-typing hand coverage, and deduces the pressed digits from the movements of the other hand by evaluating the topological distance between two keys.

https://www.bleepingcomputer.com/news/security/credit-card-pins-can-be-guessed-even-when-covering-the-atm-pad/

#atm #deeplearning #algorithm #attack
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Windows 11: Microsoft's pointless update

After a couple of weeks using the beta and a week with the final version of Windows 11, I've yet to find a real reason to use it.

Sometimes, Microsoft has no choice but to upgrade Windows. Windows Millennium Edition, aka Windows Me, was awful. Its successor, Windows XP, was much better.

XP's replacement, Vista, was lousy. Microsoft made us forget about Vista with Windows 7, which to many people — I'm one of them — was the best version of Windows. Microsoft then tried, and failed, to replace it with the dismal Windows 8 and 8.1. Then, the company got it right again with Windows 10. That should have been the end of it.

While Windows continued to get major updates, such as Windows 10 version 21H1, the brand was still Windows 10 until it wasn't. So it is that we now have Windows 11.

Do you notice a pattern here? Microsoft seems to alternate bad and then good operating systems releases. If Windows 10 was good, Windows 11 is going to be a poor successor.

After working with Windows 11 for a few weeks, I wouldn't call it bad. Instead, I find it pointless.

Yes, the Windows 11 security updates are good — if you have the right hardware. But as I pointed out recently, you can already use those security updates if you're running the Windows 10 20H2 release (Windows 10 October 2020 Update). So the point in upgrading from Windows 10 to 11 is…what, exactly?

Some people think it looks nice. That's a matter of taste. To me, it's "Meh." It's Windows 10's face with some cosmetic "improvements" such as a taskbar with all your icons centered by default. The Start menu has returned and now comes with pinned and recommended apps. Windows 7 style widgets have also made a comeback. I don't use them, mind you, but they're there. Oh, and Live Tiles, buh-bye! (Did anyone ever use those?)

Upgrading an existing PC to Windows 11 is still something of a crapshoot. Some otherwise-fast processors can't run it. And without Trusted Platform Module (TPM) 2.0, you're going nowhere. Out of the half-dozen Windows 10 systems I or my partner owned in 2020, not one could run Windows 11. Before you even think about moving to Windows 11, you must run Microsoft’s PC Health Check app.

https://www.computerworld.com/article/3636788/windows-11-microsofts-pointless-update.html

#opinion #microsoft #windows #windows11
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

China-linked hacking group accessing calling records worldwide, CrowdStrike says

SAN FRANCISCO, Oct 19 (Reuters) - A hacking group with suspected ties to China burrowed into mobile telephone networks around the world and used specialized tools to grab calling records and text messages from telecommunication carriers, a U.S. cybersecurity company said on Tuesday.

CrowdStrike said the group, which it dubbed LightBasin, had been acting since at least 2016, but had more recently been detected wielding tools that are among the most sophisticated yet discovered.

Telecoms companies have long been a top target for nation-states, with attacks or attempts seen from China, Russia, Iran, and others. The United States also seeks access to calling records, which show which numbers called each other, how often and for how long.

CrowdStrike Senior Vice President Adam Meyers said his company gleaned the information by responding to incidents in multiple countries, which he declined to name. The company on Tuesday published technical details to let other companies check for similar attacks.

Meyers said the programs could retrieve specific data unobtrusively. "I've never seen this degree of purpose-built tools," he told Reuters.

Meyers said his team was not accusing the Chinese government of directing the attacks by the hacking group. But he said the attacks had connections to China including cryptography relying on Pinyin phonetic versions of Chinese language characters, as well as techniques that echoed previous attacks by the Chinese government.

The Chinese embassy in Washington did not respond to questions from Reuters.

https://www.reuters.com/technology/china-linked-hacking-group-accessing-calling-records-worldwide-crowdstrike-says-2021-10-19/

💡Read as well:
LightBasin: A Roaming Threat to Telecommunications Companies
https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/

#crowdstrike #china #hacking #calling #records #worldwide
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Data Scrapers Expose 2.6 Million Instagram and TikTok Users

Security researchers have discovered over two million social media user profiles scraped from the internet after they were unwittingly exposed online by an analytics firm, Infosecurity can reveal.

A team at reviews site SafetyDetectives led by Anurag Sen found the data located on a misconfigured Elasticsearch server, left exposed without any password protection or encryption in place.

It quickly traced the 3.6GB trove of more than 2.6 million TikTok and Instagram profiles to IGBlade, a firm that provides marketing insights on social media users for its customers.

“The scraped data of users on the server is the same data that features each user’s corresponding IGBlade.com page, and the database often provides links back to IGBlade,” the researchers wrote. “This is how we know the database belongs to IGBlade.com.”

Although data scraping is not illegal, and all of the user info contained in the exposed database was publicly available, it breaks the terms of service for TikTok and Instagram.

The leak could also be a boon for cyber-criminals, who can accelerate mass social engineering and fraud campaigns with large volumes of user information collected in one place.

According to the report, the exposed information was left publicly available online for over a month before the research team found it and reached out to IGBlade. The Romanian firm secured it on the same day, July 5.

The trove included full names and usernames, profile pictures, “about” details, email addresses, phone numbers and location data. Celebrities including Alicia Keys, Ariana Grande, Kim Kardashian, Kylie Jenner, and Loren Gray were caught in the privacy issue.

https://www.infosecurity-magazine.com/news/data-scrapers-expose-26-million/

#leak #data #scrapers #instagram #tiktok
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv