May 22, 2019

Cache of 49 million Instagram records found online

By Danny Bradbury

A security researcher has discovered a massive cache of data for millions of Instagram accounts, publicly accessible for everyone to see. The account included sensitive information that would be useful to cyberstalkers, among others.

A security researcher calling themselves anurag sen on Twitter discovered the database hosted on Amazon Web Services. It had over 49 million records when discovered and was still growing before it was deleted.

The Instagram data included user bios, profile pictures, follower numbers and location. This information is viewable online. What’s more puzzling is that it also contained the email address and telephone number used to set up the accounts, according to Techcrunch, which broke the story.

Reporters identified the owner of the database as Mumbai-based social media company Chtrbox. It pays social media influencers to publish sponsored content through their accounts. The database has since disappeared from Amazon.

Read more at https://nakedsecurity.sophos.com/2019/05/22/cache-of-49m-instagram-records-found-online/

Some Androids don’t call 911 when you tell them to call an ambulance

By Lisa Vaas

Somebody’s not breathing. You panic, you grab your phone, and you call for an ambulance.

Or do you?

Unfortunately, if you’re using an Android phone, you might not be. You could instead be calling for, say, medical transportation that isn’t authorized to respond to emergencies.

As the Idaho Statesmen reported recently, Android users who use voice commands may tell their smartphones to “call an ambulance” but that phrase doesn’t trigger all Androids to dial the US emergency number of 911. The newspaper didn’t specify which Android models fail to dial 911.

Tell Siri, however, to call an ambulance, and the voice assistant will dial 911. That’s a relief. But when some Android phones are given that voice command, they instead pull up a list of ambulance companies. Alternatively, they may respond with a Google search that returns, say, a blog post on when it’s appropriate to call an ambulance, the Statesman reports.

Dispatchers for Injury Care EMS – a Boise, Idaho-based company that transports patients in its ambulances, including, for example, from hospitals to nursing homes – told the news outlet that they’ve been getting a steady trickle of calls that were meant to go to 911.

Read more at https://nakedsecurity.sophos.com/2019/05/22/some-androids-dont-call-911-when-you-tell-them-to-call-an-ambulance/

Don’t break Windows 10 by deleting SID, Microsoft warns

By John E Dunn

Windows account security identifiers (SIDS) were the subject of a warning issued by Microsoft for users and admins not to delete the sub-type in case they inadvertently break applications.

It’s not clear what prompted Microsoft to issue the caution for a type of SID that has been part of its OS since Windows 8 and Windows Server 2012, but the implication is that a lack of awareness has been causing support problems.

A bit like the Unix UID, SIDS are a fundamental part of the Windows system for identifying users, accounts, and groups and deciding whether one has permission to access the other.

If a Windows user (Alice, let’s say) sets up an account on her computer in her name, Windows identifies the account using a unique SID. Alice can change her account name as often as she wants (to AliceB or even Jeff), but the underlying SID that identifies it to Windows will always stay the same.

The 2012 overhaul expanded SIDS to cover things like file access, drive locations, access to certificates, cameras, removable storage etc. Each one became a ‘capability’ that a user or application could have, or not have, the rights to access.

According to Microsoft, Windows 10 1809 can use more than 300 of these, one of the most commonly encountered of which looks like this:

S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681

It’s not hard to see why this might confuse anyone who delves into their Registry using the editor (Start > Run > regedt32.exe) where it appears as ‘account unknown’ with full read access.

Read more at https://nakedsecurity.sophos.com/2019/05/22/dont-break-windows-10-by-deleting-sid-microsoft-warns/

Most hackers for hire are scammers, research shows

By Lisa as

Hackers for hire are a bunch of swindlers, according to research published last week by Google and academics from the University of California, San Diego.

The researchers were specifically interested in a segment of black-market services known as hackers for hire: the crooks you send in when you lack the hacking skills to do the job yourself and the morals that whisper in your ear that this is not a nice, or legal, thing to do.

Such services offer targeted attacks that remain a potent threat, the researchers said, due to the fact that they’re so tailored. Think of spearphishing or whaling attacks that are so convincing because they get all the details right, such as forging company invoices or setting up copycat log-in sites that steal account credentials.

That kind of thing takes effort. Fortunately, most hackers for hire aren’t up to the task, to say the least. Many were outright scams – not too surprising – and some wouldn’t even take on the job if it involved attacking Gmail. For those services that did agree to take on the challenge of hacking Gmail accounts, the cost ballooned over the course of two years, from $123 to $384 – with a peak of $461 in February 2018.

Yahoo hacking prices have tracked the same as Google, while Facebook and Instagram hacking prices have actually fallen to the current average of $307.

The researchers hypothesize that the price differences for hacking the various email providers and the change in pricing are likely driven by what they call both operational and economic factors: namely, Google and Yahoo have gotten better at protecting email accounts, while prices have increased as the market for a specific service shrinks:

Prices will naturally increase as the market for a specific service shrinks (reducing the ability to amortize sunk costs on back-end infrastructure for evading platform defenses) and also as specific services introduce more, or more effective, protection mechanisms that need to be bypassed (increasing the transactional cost for each hacking attempt).

Read more at https://nakedsecurity.sophos.com/2019/05/22/most-hackers-for-hire-are-scammers-research-shows/

Deep Packet Inspection a threat to net neutrality, say campaigners

By John E Dunn

Some of Europe’s biggest ISPs and mobile operators stand accused of using Deep Packet Inspection (DPI) technology to quietly undermine net neutrality rules and user privacy.

News of the troubling allegation first reached the public domain earlier this year in an analysis by German organization epicenter. Works. It claimed it had detected 186 products offered by providers that appeared to involve applying DPI to their customers’ traffic. Deep packet inspection filters network traffic by looking at the contents of data packets.

Naked Security’s Mark Stockley explains:

Traditional network filtering is like directing road traffic based on the type of vehicle. DPI is like looking at who’s driving and what’s in the trunk.

Now a group of academics and digital rights campaigners headed by European Digital Rights (EDRi) has sent EU authorities an open letter pointing out the implications of this. The EDRi letter states:

Several of these products by mobile operators with large market shares are confirmed to rely on DPI because their products offer providers of applications or services the option of identifying their traffic via criteria such as Domain names, SNI, URLs or DNS snooping.

EU regulation outlaws DPI for anything other than basic traffic management, but it seems that providers in many countries have found a grey area that allows them to bend – and increasingly bypass – those rules.

The frontline of this is something called ‘zero rating’ whereby mobile operators attract subscribers by offering free access to a specific application – a streaming service would be one example – without that counting towards their data allowance.

By its nature, this favors larger application providers, in effect busting the principle of net neutrality that says that all applications and services should be given equal prioritization across networks.

Read more at https://nakedsecurity.sophos.com/2019/05/21/deep-packet-inspection-a-threat-to-net-neutrality-say-campaigners/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation