DragonI

Dangerous liaisons

We took the most popular dating apps and analyzed what sort of user data they were capable of handing over to criminals and under what conditions.

securelist.com|Sidney Fussell

It seems just about everyone has written about the dangers of online dating, from psychology magazines to crime chronicles. But there is one less obvious threat not related to hooking up with strangers – and that is the mobile apps used to facilitate the process. We’re talking here about intercepting and stealing personal information and the de-anonymization of a dating service that could cause victims no end of troubles – from messages being sent out in their names to blackmail.

We studied the following online dating applications:

• Tinder for Android and iOS
• Bumble for Android and iOS
• OK Cupid for Android and iOS
• Badoo for Android and iOS
• Mamba for Android and iOS
• Zoosk for Android and iOS
• Happn for Android and iOS
• WeChat for Android and iOS
• Paktor for Android and iOS

By de-anonymization we mean the user’s real name being established from a social media network profile where use of an alias is meaningless

Location — determining user location (“+” – possible, “-” not possible)

Stalking — finding the full name of the user, as well as their accounts in other social networks, the percentage of detected users (percentage indicates the number of successful identifications)

HTTP — the ability to intercept any data from the application sent in an unencrypted form (“NO” – could not find the data, “Low” – non-dangerous data, “Medium” – data that can be dangerous, “High” – intercepted data that can be used to get account management).

HTTPS — interception of data transmitted inside the encrypted connection (“+” – possible, “-” not possible).

Messages — access to user messages by using root rights (“+” – possible, “-” not possible).

TOKEN — possibility to steal authentication token by using root rights (“+” – possible, “-” not possible).

Russian hackers can reportedly take over unsecured hotel WiFi

The malicious exploit may use leaked NSA tool, EternalBlue.

www.engadget.com

According to networking security website, FireEye, that concern is justified. The security team discovered a malicious document in several emails sent to "multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July."

The document contained a macro that installs GAMEFISH malware, which is associated with a politically-motivated Russian hacking group known as APT28 (or Fancy Bear). This is allegedly the same group that hacked the Democratic National Committee ahead of last year's US election. Even worse, the tool used after the initial malware installation, EternalBlue, reportedly leaked from the NSA itself.

According to FireEye, the EternalBlue exploit could let hackers access anyone's computer connected to the hotel WiFi and silently gather usernames and passwords without victims even having to type them in. "It's definitely a new technique" for this Russian hacker group, FireEye's Ben Read told Wired. "It's a much more passive way to collect on people. You can just sit there and intercept stuff from the WiFi traffic."

Chrysler recalls 1.4 million cars at risk of being remotely hijacked

Chrysler has announced a voluntary recall of 1.4 million vehicles just days after Wired reported a frightening vulnerability that allows hackers to remotely seize control of cars equipped with the...

www.theverge.com|ChrisWelch

Chrysler has announced a voluntary recall of 1.4 million vehicles just days after Wired reported a frightening vulnerability that allows hackers to remotely seize control of cars equipped with the auto maker's UConnect system. Chrysler has integrated UConnect in its vehicles since late 2013, and security experts initially believed all of those cars could susceptible to hijacking. A video published alongside the report demonstrated that someone with the right knowledge could cut a car's brakes, turn off the engine, or potentially overtake the steering wheel.

Affected are certain vehicles equipped with 8.4-inch touchscreens among the following populations:

• 2013-2015 MY Dodge Viper specialty vehicles
• 2013-2015 Ram 1500, 2500 and 3500 pickups
• 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
• 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
• 2014-2015 Dodge Durango SUVs
• 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
• 2015 Dodge Challenger sports coupes

Chrysler owners can visit this website and enter their car's VIN to see if it's included in the recall. If so, you don't have to take your car into the dealership — or anywhere, for that matter. Instead, you'll receive the previously released patch on a USB flash drive. Unlike other connected cars like the Tesla Model S, these impacted Chrysler vehicles apparently lack the capability to receive over-the-air security updates. But that doesn't mean the company is helpless. Today Chrysler also revealed that it's taken "network-level security measures to prevent the type of remote manipulation" that was demonstrated by Wired. We don't exactly know what those steps are, but early reports suggest that they're working.

Hacking Team and Boeing Subsidiary Envisioned Drones Deploying Spyware

The Boeing subsidiary reached out and Hacking Team began work on a malware injector for drones.

firstlook.org

The plan is described in internal emails from the Italian company Hacking Team, which makes off-the-shelf software that can remotely infect a suspect’s computer or smartphone, accessing files and recording calls, chats, emails and more. A hacker attacked the Milan-based firm earlier this month and released hundreds of gigabytes of company information online.

Among the emails is a recap of a meeting in June of this year, which gives a “roadmap” of projects that Hacking Team’s engineers have underway.

On the list: Develop a way to infect computers via drone. One engineer is assigned the task of developing a “mini” infection device, which could be “ruggedized” and “transportable by drone (!)” the write-up notes enthusiastically in Italian.

The request appears to have originated with a query from the Washington-based Insitu, which makes a range of unmanned systems, including the small ScanEagle surveillance drone, which has long been used by the militaries of the U.S. and other countries. Insitu also markets its drones for law enforcement.

An Insitu engineer wrote to Hacking Team this April: “We see potential in integrating your Wi-Fi hacking capability into an airborne system and would be interested in starting a conversation with one of your engineers to go over, in more depth, the payload capabilities including the detailed size, weight, and power specs of your Galileo System.” (Galileo is the name of the most recent version of Hacking Team’s spyware, known as Remote Control System.)

In an internal email, a Hacking Team account manager suggests that they could do so using a “TNI,” or “tactical network injector.” A TNI is a portable, often laptop-based, physical device, which an operator would use to plug into a network the target is using — such as an open Wi-Fi network in a hotel or coffee shop. When the targeted person uses the Internet for some ordinary activity, like watching a video or downloading an app, the device intercepts that traffic (so long as it is unencrypted) and injects the malicious code that secretly installs Hacking Team’s spyware. (For more technical details on network injectors, see The Intercept’s previous reporting.)