The blog of DataDiggers

Chipotle customers are saying their accounts have been hacked

Posted by on Apr 17, 2019 in Apps, computer security, credential stuffing, data breach, data security, Food, Hack, multi-factor authentication, Password, Prevention, Privacy, Security, spokesperson | 0 comments

A stream of Chipotle customers have said their accounts have been hacked and are reporting fraudulent orders charged to their credit cards — sometimes totaling hundreds of dollars.

Customers have posted on several Reddit threads complaining of account breaches and many more have tweeted at @ChipotleTweets to alert the fast food giant of the problem. In most cases, orders were put through under a victim’s account and delivered to addresses often not even in the victim’s state.

Many of the customers TechCrunch spoke to in the past two days said they used their Chipotle account password on other sites. Chipotle spokesperson Laurie Schalow told TechCrunch that credential stuffing was to blame. Hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.

But several customers we spoke to said their password was unique to Chipotle. Another customer said they didn’t have an account but ordered through Chipotle’s guest checkout option.

Tweets from Chipotle customers. (Screenshot: TechCrunch)

When we asked Chipotle about this, Schalow said the company is “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers,” and reiterated that the company’s data points to credential stuffing.

It’s a similar set of complaints made by DoorDash customers last year, who said their accounts had been improperly accessed. DoorDash also blamed the account hacks on credential stuffing, but could not explain how some accounts were breached even when users told TechCrunch that they used a unique password on the site.

If credential stuffing is to blame for Chipotle account breaches, rolling out two-factor authentication would help prevent the automated login process and put an additional barrier between a hacker and a victim’s account.

But when asked if Chipotle has plans to roll out two-factor authentication to protect its customers going forward, spokesperson Schalow declined to comment. “We don’t discuss our security strategies.”

Chipotle reported a data breach in 2017 affecting its 2,250 restaurants. Hackers infected its point-of-sale devices with malware, scraping millions of payment cards from unsuspecting restaurant goers. More than a hundred fast food and restaurant chains were also affected by the same malware infections.

In August, three suspects said to be members of the FIN7 hacking and fraud group were charged with the credit card thefts.


Source: The Tech Crunch

Bill Gates and Jeff Bezos-backed fund invests in a global geothermal energy project developer

Posted by on Mar 3, 2019 in Alphabet, Bill Gates, Breakthrough Energy Ventures, dandelion energy, electricity, Energy, geothermal energy, jack ma, Japan, jeff bezos, spokesperson, steel, TC, United States | 0 comments

Breakthrough Energy Ventures, the investment firm financed by billionaires like Jeff Bezos, Bill Gates, and Jack Ma that invests in companies developing technologies to decarbonize society, is investing $12.5 million in a geothermal project development company called Baseload Capital.

Baseload Capital is a project investment firm that provides capital to develop geothermal energy power plants using technology developed by its Swedish parent company, Climeon.

Like the spinoff from Google’s parent company, Alphabet, Dandelion Energy, which recently raised $16 million in a new round of financing, Climeon builds standardized machines to tap geothermal energy. But Dandelion is targeting consumers with its technology to provide home heating, while Climeon turns geothermal energy into electricity.

The company’s modules, which stand around two meters cubed, produce 150 kilowatts of electricity, which is enough to power roughly 250 European households, according to a company spokesperson.

Climeon, which was founded back in 2011, formed Baseload Capital about a year ago to invest in special purpose vehicles to build the power plants that use Climeon’s technology. Baseload takes an equity stake in these companies and provides debt financing for them.

Through its investment into Baseload Capital, Breakthrough Energy Ventures will help finance and develop these small-scale power plants globally (Baseload has already formed special purpose vehicles that are developing projects in Japan).

Climeon and Baseload Capital focus on three primary industries — geothermal, shipping and heavy industry. “We sell our machines to the [maritime industry] where we turn the waste heat from the engines into electricity (Virgin Voyages has bought several systems), to industries such as steel where they also have a lot of waste heat and then to companies that develop and operate geothermal power plants,” a Climeon spokesperson wrote in an email. “This could be a newly formed SPV or an existing energy company. In the U.S., for example, our modules will be used in an existing geothermal site.”

The company’s pitch is that its modular units make it easy to scale up or decommission plants. Modules list for EUR350,000 and customers also spend EUR5,000 per-module, per-year on Climeon’s power plant management software.

So far, the company says it has an order backlog of roughly $88 million.

The investment in Baseload Capital is Breakthrough Energy’s second foray into the geothermal industry. Last year, the company backed Fervo Energy, which uses proven technologies to help speed the development of geothermal energy at a cost of 5 to 7 cents per kilowatt hour.

“We believe that a baseload resource such as low temperature geothermal heat power has the potential to transform the energy landscape. Baseload Capital, together with Climeon’s innovative technology, has the potential to deliver GHG-free electricity at large scale, economically and efficiently,” said Carmichael Roberts of Breakthrough Energy Ventures, in a statement.


Source: The Tech Crunch

Users complain of account hacks, but OkCupid denies a data breach

Posted by on Feb 10, 2019 in Apps, computing, hackers, IAC, major, OkCupid, PlentyofFish, Security, spokesperson | 0 comments

It’s bad enough that dating sites are a pit of exaggerations and inevitable disappointment; they’re also a hot target for hackers.

Dating sites aren’t considered the goldmine of personal information like banks or hospitals, but they’re still an intimate part of millions of people’s lives and have long been in the sights of hackers. If the hackers aren’t hitting the back-end database like with the AdultFriendFinder, Ashley Madison, and Zoosk breaches, the hackers are trying to break in through the front door with leaked or guessed passwords.

That’s what appears to be happening with some OkCupid accounts.

A reader contacted TechCrunch after his account was hacked. The reader, who did not want to be named, said the hacker broke in and changed his password, locking him out of his account. Worse, they changed his email address on file, preventing him from resetting his password.

OkCupid didn’t send an email to confirm the address change — it just blindly accepted the change.

“Unfortunately, we’re not able to provide any details about accounts not connected to your email address,” said OkCupid’s customer service in response to his complaint, which he forwarded to TechCrunch. Then, the hacker started harassing him with strange text messages from his phone number that was lifted from one of his private messages.

It wasn’t an isolated case. We found several cases of people saying their OkCupid account had been hacked.

Another user we spoke to eventually got his account back. “It was quite the battle,” he said. “It was two days of constant damage control until [OkCupid] finally reset the password for me.”

Some users we spoke to had better luck than others in getting their accounts back. One person didn’t bother, he said. Even disabled accounts can be re-enabled if a hacker logs in, some users found.

But several users couldn’t explain how their passwords — unique to OkCupid and not used on any other app or site — were inexplicably obtained.

“There has been no security breach at OkCupid,” said Natalie Sawyer, a spokesperson for OkCupid. “All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.”

Even on OkCupid’s own support pages, the company says that account takeovers often happen because someone has an account owner’s login information. “If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach,” says the support page.

That describes credential stuffing, a technique of running vast lists of usernames and passwords against a website to see if a combination lets the hacker in. The easiest, most effective defense against credential stuffing is for the user to use a unique password on each site. For companies like OkCupid, the other effective blocker is allowing users to switch on two-factor authentication.
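An added example, not from the original article or from any company named in it: one way a site operator could spot the pattern described above (one source working through many different usernames, almost all failing) in its own login logs, and tell it apart from repeated guessing against a single account. The log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: ISO timestamp, source IP, username, outcome.
# IPs are from documentation ranges (RFC 5737); every account name is made up.
SAMPLE_LOG = """\
2019-04-16T10:00:01 203.0.113.7 alice@example.com FAIL
2019-04-16T10:00:02 203.0.113.7 bob@example.com FAIL
2019-04-16T10:00:03 203.0.113.7 carol@example.com OK
2019-04-16T10:00:04 203.0.113.7 dave@example.com FAIL
2019-04-16T10:00:05 203.0.113.7 erin@example.com FAIL
2019-04-16T10:00:06 203.0.113.7 frank@example.com FAIL
2019-04-16T10:01:10 198.51.100.20 grace@example.com FAIL
2019-04-16T10:01:12 198.51.100.20 grace@example.com FAIL
2019-04-16T10:01:14 198.51.100.20 grace@example.com FAIL
2019-04-16T10:01:16 198.51.100.20 grace@example.com FAIL
2019-04-16T10:01:18 198.51.100.20 grace@example.com FAIL
2019-04-16T10:01:20 198.51.100.20 grace@example.com FAIL
2019-04-16T10:02:00 192.0.2.44 heidi@example.com FAIL
2019-04-16T10:02:09 192.0.2.44 heidi@example.com OK
"""


def parse(log_text):
    """Turn log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, user, outcome = parts
        events.append((datetime.fromisoformat(ts), ip, user.lower(), outcome == "OK"))
    return events


def window_stats(evts, start, window):
    """Attempt count, failure count and per-user counts in [start, start + window)."""
    in_win = [e for e in evts if start <= e[0] < start + window]
    per_user = defaultdict(int)
    for _, _, user, _ in in_win:
        per_user[user] += 1
    failures = sum(1 for e in in_win if not e[3])
    return len(in_win), failures, per_user


def classify_sources(events, window=timedelta(minutes=5),
                     min_attempts=5, min_users=5, min_fail_ratio=0.8):
    """Label each source IP as credential_stuffing, password_guessing or normal.

    Thresholds are illustrative assumptions, not tuned values.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e[1]].append(e)

    verdicts = {}
    for ip, evts in by_ip.items():
        verdict = "normal"
        for start, _, _, _ in evts:  # try a window starting at each event
            total, failures, per_user = window_stats(evts, start, window)
            if total < min_attempts or failures / total < min_fail_ratio:
                continue
            if len(per_user) >= min_users:
                # Many different accounts, mostly failing: a reused credential list.
                verdict = "credential_stuffing"
                break
            if max(per_user.values()) >= min_attempts:
                # Many tries against one account: guessing, not stuffing.
                verdict = "password_guessing"
        verdicts[ip] = verdict
    return verdicts


def accounts_to_protect(events, verdicts):
    """Accounts a stuffing source logged in to: candidates for a forced
    password reset and a second-factor challenge."""
    return sorted({user for _, ip, user, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    result = classify_sources(evts)
    for ip, verdict in result.items():
        print(ip, verdict)
    print("protect:", accounts_to_protect(evts, result))
```

Counting per source IP only catches runs that come from a single address; when the attempts are spread across many addresses, the same counting has to be keyed on something else, which is why the second factor discussed above matters as a backstop.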

When asked how OkCupid plans to prevent account hacks in the future, the spokesperson said the company had “no further comment.”

In fact, when we checked, OkCupid was just one of many major dating sites — like Match, PlentyOfFish, Zoosk, Badoo, JDate, and eHarmony — that didn’t use two-factor authentication at all.

As if dating wasn’t tough enough at the best of times, now you have to defend yourself from hackers, too.


Source: The Tech Crunch

Facebook, Google and Twitter told to do more to fight fake news ahead of European elections

Posted by on Jan 29, 2019 in Advertising Tech, Artificial Intelligence, Brussels, disinformation, dublin, Europe, European Commission, european parliament, European Union, Facebook, law enforcement, Mariya Gabriel, media literacy, Nick Clegg, online disinformation, Policy, rt, search engine, Singapore, Social, Social Media, social network, Software, spokesperson, The Guardian, Twitter | 0 comments

A first batch of monthly progress reports from tech giants and advertising companies on what they’re doing to help fight online disinformation has been published by the European Commission.

Platforms including Facebook, Google and Twitter signed up to a voluntary EU code of practice on the issue last year.

The first reports cover measures taken by platforms up to December 31, 2018.

The implementation reports are intended to detail progress towards the goal of putting the squeeze on disinformation — such as by proactively identifying and removing fake accounts — but the European Commission has today called for tech firms to intensify their efforts, warning that more needs to be done in the run up to the 2019 European Parliament elections, which take place in May.

The Commission announced a multi-pronged action plan on disinformation two months ago, urging greater co-ordination on the issue between EU Member States and pushing for efforts to raise awareness and encourage critical thinking among the region’s people.

But it also heaped pressure on tech companies, especially, warning it wanted to see rapid action and progress.

A month on and it sounds less than impressed with tech giants’ ‘progress’ on the issue.

Mozilla also signed up to the voluntary Code of Practice, and all the signatories committed to take broad-brush action to try to combat disinformation.

Although, as we reported at the time, the code suffered from a failure to nail down terms and requirements — suggesting not only that measuring progress would be tricky but that progress itself might prove an elusive and slippery animal.

The first response certainly looks to be a mixed bag. Which is perhaps expected given the overarching difficulty of attacking a complex and multi-faceted problem like disinformation quickly.

Though there’s also little doubt that opaque platforms used to getting their own way with data and content are going to be dragged kicking and screaming towards greater transparency. Hence it suits their purpose to be able to produce multi-page chronicles of ‘steps taken’, which allows them to project an aura of action — while continuing to indulge in their preferred foot-drag.

The Guardian reports especially critical comments made by the Commission vis-a-vis Facebook’s response, for example — with Julian King saying at today’s press conference that the company still hasn’t given independent researchers access to its data.

“We need to do something about that,” he added.

Here’s the Commission’s brief rundown of what’s been done by tech firms but with emphasis firmly placed on what’s yet to be done:

  • Facebook has taken or is taking measures towards the implementation of all of the commitments but now needs to provide greater clarity on how the social network will deploy its consumer empowerment tools and boost cooperation with fact-checkers and the research community across the whole EU.
  • Google has taken steps to implement all its commitments, in particular those designed to improve the scrutiny of ad placements, transparency of political advertisement and providing users with information, tools and support to empower them in their online experience. However some tools are only available in a small number of Member States. The Commission also calls on the online search engine to support research actions on a wider scale.
  • Twitter has prioritised actions against malicious actors, closing fake or suspicious accounts and automated systems/bots. Still, more information is needed on how this will restrict persistent purveyors of disinformation from promoting their tweets.
  • Mozilla is about to launch an upgraded version of its browser to block cross-site tracking by default but the online browser should be more concrete on how this will limit the information revealed about users’ browsing activities, which could potentially be used for disinformation campaigns.

Commenting in a statement, Mariya Gabriel, commissioner for digital economy and society, said: “Today’s reports rightly focus on urgent actions, such as taking down fake accounts. It is a good start. Now I expect the signatories to intensify their monitoring and reporting and increase their cooperation with fact-checkers and research community. We need to ensure our citizens’ access to quality and objective information allowing them to make informed choices.”

Strip out the diplomatic fillip and the message boils down to: Must do better, fast.

All of which explains why Facebook got out ahead of the Commission’s publication of the reports by putting its fresh-in-post European politician turned head of global comms, Nick Clegg, on a podium in Brussels yesterday — in an attempt to control the PR message about what it’s doing (or rather not doing, as the EC sees it) to boot fake activity into touch.

Clegg (re)announced more controls around the placement of political ads, and said Facebook would set up new human-staffed operations centers — in Dublin and Singapore — to monitor how localised political news is distributed on its network.

Although the centers won’t launch until March. So, again, not something Facebook has done.

The staged press event with Clegg making his maiden public speech for his new employer may have backfired a bit because he managed to be incredibly boring. Although making a hot button political issue as tedious as possible is probably a key Facebook strategy.

Anything to drain public outrage to make the real policymakers go away.

(The Commission’s brandished stick remains that, if it doesn’t see enough voluntary progress from platforms via the Code, it could move towards regulating to tackle disinformation.)

Advertising groups are also signed up to the voluntary code. And the World Federation of Advertisers (WFA), European Association of Communication Agencies and Interactive Advertising Bureau Europe have also submitted reports today.

In its report, the WFA writes that the issue of disinformation has been incorporated into its Global Media Charter, which it says identifies “key issues within the digital advertising ecosystem”, as its members see it. It adds that the charter makes the following two obligation statements:

We [advertisers] understand that advertising can fuel and sustain sites which misuse and infringe upon Intellectual Property (IP) laws. Equally advertising revenue may be used to sustain sites responsible for ‘fake news’ content or ‘disinformation’. Advertisers commit to avoiding (and support their partners in the avoidance of) the funding of actors seeking to influence division or seeking to inflict reputational harm on business or society and politics at large through content that appears false and/or misleading.

While the Code of Practice doesn’t contain a great deal of quantifiable substance, some have read its tea-leaves as a sign that signatories are committing to bot detection and identification — by promising to “establish clear marking systems and rules for bots to ensure their activities cannot be confused with human interactions”.

But while Twitter has previously suggested it’s working on a system for badging bots on its platform (i.e. to help distinguish them from human users) nothing of the kind has yet seen the light of day as an actual Twitter feature. (The company is busy experimenting with other kinds of stuff.) So it looks like it also needs to provide more info on that front.

We reached out to the tech companies for comment on the Commission’s response to their implementation reports.

Google emailed us the following statement, attributed to Lie Junius, its director of public policy: 

Supporting elections in Europe and around the world is hugely important to us. We’ll continue to work in partnership with the EU through its Code of Practice on Disinformation, including by publishing regular reports about our work to prevent abuse, as well as with governments, law enforcement, others in our industry and the NGO community to strengthen protections around elections, protect users, and help combat disinformation.

A Twitter spokesperson also told us:

Disinformation is a societal problem and therefore requires a societal response. We continue to work closely with the European Commission to play our part in tackling it. We’ve formed a global partnership with UNESCO on media literacy, updated our fake accounts policy, and invested in better tools to proactively detect malicious activity. We’ve also provided users with more granular choices when reporting platform manipulation, including flagging a potentially fake account.

At the time of writing Facebook had not responded to a request for comment.


Source: The Tech Crunch

Apple disables group calling in FaceTime in response to eavesdropping bug

Posted by on Jan 29, 2019 in Apple, apple inc, FaceTime, iOS, iOS 10, iPhone, mobile phones, operating systems, Smartphones, spokesperson, TC | 0 comments

Apple has disabled the group calling feature within its FaceTime calling service while it works on a patch to fix a nasty bug that allows eavesdropping.

Apple’s status page shows that group calling via FaceTime is “temporarily unavailable” — that’s a stop-gap move while the company works to deliver a more permanent fix to the problem this week. We were unable to set up a group call when we tried, having earlier been able to do so and replicate the issue.

All being well, this fix means that users don’t need to completely disable FaceTime due to the bug, but it is understandable if some people are hesitant to switch it on again.

The vulnerability was unearthed on Monday and it is activated when a user initiates a group call but adds themselves as a participant, as we explained in our earlier post:

The bug relies on what appears to be a nasty logic screwup in FaceTime’s group call system. While we’re opting to not outline the steps here, the bug seems to trick the recipient’s phone into thinking a group call is already ongoing. A few quick taps, and FaceTime immediately trips over itself and inexplicably fires up the recipient’s microphone without them actually accepting the call.

Weirder yet: if the recipient presses the volume down button or the power button to try to silence or dismiss the call, their camera turns on as well. Though the recipient’s phone display continues showing the incoming call screen, their microphone/camera are streaming.

Apple told us and other media that it plans to issue a more permanent solution in the coming days.

“We’re aware of this issue and we have identified a fix that will be released in a software update later this week,” a spokesperson said.

It’s interesting to note that the group calling feature actually took longer than planned to arrive in iOS following a hiccup. It was added then removed from the beta version of iOS 12 in August while it took time to roll out to all users. The feature was absent when iOS 12 shipped to all in September and, instead, it arrived with the launch of iOS 12.1 in October. Apple never provided a reason for the delay.

The bug is an embarrassing incident for Apple, which has long emphasized its focus on privacy as a business and within its products. That included a recent banner at CES which triumphantly proclaimed: “What happens on your iPhone, stays on your iPhone.”


Source: The Tech Crunch

Flutterwave and Visa launch African consumer payment service GetBarter

Posted by on Jan 17, 2019 in africa, android, Apple, cameroon, ceo, Column, credit cards, E-Commerce, economy, Facebook, Finance, flutterwave, Ghana, greycroft, kenya, M-Pesa, mastercard, money, Nigeria, online payments, rave, San Francisco, South Africa, spokesperson, Uber, Uganda, visa, vodafone | 0 comments

Fintech startup Flutterwave has partnered with Visa to launch a consumer payment product for Africa called GetBarter.

The app-based offering is aimed at facilitating personal and small merchant payments within countries and across Africa’s national borders. Existing Visa card holders can send and receive funds at home or internationally on GetBarter.

The product also lets non card-holders (those with accounts or mobile wallets on other platforms) create a virtual Visa card to link to the app. A Visa spokesperson confirmed the product partnership.

GetBarter allows Flutterwave—which has scaled as a payment gateway for big companies through its Rave product—to pivot to African consumers and traders.

“Rave is B2B, this is more B2B2C since we’re reaching the consumers of our customers,” Flutterwave CEO Olugbenga Agboola—aka GB—told TechCrunch.

The app also creates a network for clients on multiple financial platforms, such as Kenyan mobile money service M-Pesa, to make transfers across payment products, national borders, and to shop online.

“The target market is pretty much everyone who has a payment need in Africa. That includes the entire customer base of M-Pesa, the entire bank customer base in Nigeria, mobile money and bank customers in Ghana—pretty much the entire continent,” Agboola said.

Flutterwave and Visa will focus on building a GetBarter user base across mobile money and bank clients in Kenya, Ghana, and South Africa, with plans to grow across the continent and reach those off the financial grid.

“In phase one we’ll pursue those who are banked. In phase-two we’ll continue toward those who are unbanked who will be able to use agents to work with GetBarter,” Agboola said.

Flutterwave and Visa will generate revenue through fees from financial institutions on cards created and on fees per transaction. A GetBarter charge for a payment in Nigeria is roughly 40 Naira, or 11 cents, according to Agboola.

With this week’s launch users can download the app for Apple and Android devices and for use on WhatsApp and USSD.

Founded in 2016, Flutterwave has positioned itself as a global B2B payments solutions platform for companies in Africa to pay other companies on the continent and abroad. It allows clients to tap its APIs and work with Flutterwave developers to customize payments applications. Existing customers include Uber, Facebook, Booking.com, and African e-commerce unicorn Jumia.com.

Flutterwave has processed 100 million transactions worth $2.6 billion since inception, according to company data.

The company has raised $20 million from investors including Greycroft, Green Visor Capital, Mastercard, and Visa.

In 2018, Flutterwave was one of several African fintech companies to announce significant VC investment and cross-border expansion—see Paga, Yoco, Cellulant, Mines.ie, and Jumo.

Flutterwave added operations in Uganda in June and raised a $10 million Series A round in October that saw former Visa CEO Joe Saunders join its board of directors.

The company also plugged into ledger activity in 2018, becoming a payment processing partner to the Ripple and Stellar blockchain networks.

Flutterwave hasn’t yet released revenue or profitability info, according to CEO Olugbenga Agboola.

Headquartered in San Francisco, with its largest operations center in Nigeria, the startup plans to add operations centers to South Africa and Cameroon, which will also become new markets for GetBarter.


Source: The Tech Crunch

Hackers hijack thousands of Chromecasts to warn of latest security bug

Posted by on Jan 2, 2019 in Amazon, chromecast, computing, echo, Gadgets, Google, Hack, Hardware, ipad, media streamer, Security, smart devices, smart home devices, spokesperson, Technology, wi-fi | 0 comments

Hackers have hijacked thousands of exposed Chromecast streaming devices to warn users of the latest security flaw to affect the device. But other security researchers say that the bug — if left unfixed — could be used for more disruptive attacks.

The culprits, known as Hacker Giraffe and J3ws3r, have become the latest people to figure out how to trick Google’s media streamer into playing any YouTube video they want — including videos that are custom-made. This time around, the hackers forced the affected Chromecasts to display a pop-up notice that’s viewable on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like themselves.

Not one to waste an opportunity, the hackers also ask that you subscribe to PewDiePie, an awful internet person with a popular YouTube following. (He’s the same hacker who tricked thousands of exposed printers into printing support for PewDiePie.)

The bug, dubbed CastHack, exploits a weakness in both Chromecast and the router it connects to. Some home routers have enabled Universal Plug and Play (UPnP), a networking standard that can be exploited in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.

As the two say, disabling UPnP should fix the problem.

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,” the spokesperson said.

That’s true on one hand, but it doesn’t address the underlying issue — that the Chromecast can be tricked into allowing an unauthenticated attacker the ability to hijack a media stream and display whatever they want.

Hacker Giraffe sent this YouTube video to thousands of exposed Chromecast devices, warning that their streams could be easily hijacked. (Screenshot: TechCrunch)

Bishop Fox, a security consultancy firm, first found a hijack bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant — as they did — with a touch of a button on a custom-built handheld remote.

Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecasts in just a few minutes.

Ken Munro, who founded Pen Test Partners, says there’s “no surprise that somebody else stumbled on to it,” given both Bishop Fox found it in 2014 and his company tested it in 2016.

“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his, full credit to him for that,” Munro told TechCrunch. (Google said in a follow-up email that it’s working to fix the deauth bug.)

He said the way the attack is conducted is different, but the method of exploitation is the same. CastHack can be exploited over the internet, while Bishop Fox and his “deauth” attacks can be carried out within range of the Wi-Fi network — yet, both attacks let the hacker control what’s displayed on the TV from the Chromecast, he said.

Munro said Google should have fixed its bug in 2014 when it first had the chance.

“Allowing control over a local network without authentication is a really silly idea on [Google’s] part,” he said. “Because users do silly things, like expose their TVs on the internet, and hackers find bugs in services that can be exploited.”

But Munro said that these kinds of attacks — although obnoxious and intrusive on the face of it — could be exploited to have far more malicious consequences.

In a blog post Wednesday, Munro said it was easy to exploit other smart home devices — like an Amazon Echo — by hijacking a Chromecast and forcing it to play commands that are loud enough to be picked up by its microphone. That’s happened before, when smart assistants get confused when they overhear words on the television or radio, and suddenly and without warning purchase items from Amazon. (You can and should turn on a PIN for ordering through Amazon.)

To name a few, Munro said it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo to: “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”

Amazon Echos and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, the weakest link are humans. Second to that, it’s the other devices around smart home assistants that pose the biggest risk, said Munro in his blog post. That was demonstrated recently when Canadian security researcher Render Man showed how using a sound transducer against a window can trick a nearby Amazon Echo into unlocking a network-connected smart lock on the front door of a house.

“Google needs to properly fix the Chromecast deauth bug that allows casting of YouTube traffic,” said Munro.

Updated at 9pm ET: with a new, clearer headline to better reflect the flaws over the years, and added additional comment from Google.


Source: The Tech Crunch

Facebook is still facing ‘intermittent’ outages for advertisers ahead of Black Friday and Cyber Monday

Posted by on Nov 21, 2018 in ad network, adwords, api, digital marketing, Facebook, Facebook ad network, Marketing, Online Advertising, spokesperson, TC, world wide web | 0 comments

One day after experiencing a massive outage across its ad network, Facebook, one of the most important online advertising platforms, is still seeing “intermittent” issues for its ad products at one of the most critical times of the year for advertisers.

According to a spokesperson for the company, while most systems are restored there are still intermittent issues that could affect advertisers.

For most of the day yesterday, advertisers were unable to create and edit campaigns through Ads Manager or the Ads API tools.

The company said that existing ads were delivered, but advertisers could not set new campaigns or make any changes to existing campaigns, according to several users of the network.

Reporting has been restored for all interfaces, according to the company, but conversion data may be delayed throughout the day for the Americas and in the evening for other regions.

The company declined to comment on how many campaigns were affected by the outage or on whether it intends to compensate or make up for the outage with advertisers on the platform.

Some advertisers are still experiencing outages and are not happy about it.

This is a bad look for a company that is already fighting fires on any number of other fronts. But unlike the problems with bullying, hate speech, and disinformation that don’t impact the ways Facebook makes money, selling ads is actually how Facebook makes money.

For Facebook to have no response, and for some developers to still be facing intermittent outages on the platform, in the busiest shopping season of the year (and therefore one of the busiest advertising seasons of the year) is a bad sign.


Source: The Tech Crunch


Half a million Android users tricked into downloading malware from Google Play

Posted by on Nov 20, 2018 in app-store, computing, malware, mobile malware, mobile security, Security, spokesperson | 0 comments

More than half a million users have installed Android malware posing as driving games — from Google’s own app store.

Lukas Stefanko, a security researcher at ESET, tweeted details of 13 gaming apps — made by the same developer — which were at the time of his tweet downloadable from Google Play. Two of the apps were trending on the store, he said, giving the apps greater visibility.

Combined, the apps surpassed 580,000 installs before Google pulled the plug.

Anyone downloading the apps was expecting a truck or car driving game. Instead, they got what appeared to be a buggy app that crashed every time it opened.

In reality, the app was downloading a payload from another domain — registered to an app developer in Istanbul — and installing malware behind the scenes, deleting the app’s icon in the process. It’s not clear exactly what the malicious apps do; none of the malware scanners seemed to agree on what the malware does, based on a sample uploaded to VirusTotal. What is clear is that the malware has persistence — launching every time the Android phone or tablet is started up — and has “full access” to its network traffic, which the malware author can use to steal secrets.

We reached out to the Istanbul-based domain owner, Mert Ozek, but he did not respond to our email. (If that changes, we’ll update).

It’s another embarrassing security lapse by Google, which has long faced criticism for its backseat approach to app and mobile security compared to Apple, which some say is far too restrictive and selective about which apps make it into its walled garden.

Google has spent years trying to double down on Android security by including better security features and more granular app permission controls. But the company continues to battle rogue and malicious apps in the Google Play app store, which have taken over as one of the greatest threats to Android user security. Google pulled more than 700,000 malicious apps from its app store last year alone, and has tried to improve its back-end to prevent malicious apps from getting into the store in the first place. 

And yet — clearly — that isn’t enough.

When reached, a Google spokesperson did not immediately comment.


Source: The Tech Crunch


Millions of Texas voter records exposed online

Posted by on Aug 23, 2018 in data, elections, Government, presidential election, Security, spokesperson, TC, texas, voter registration | 0 comments

A massive trove of voter records containing personal information on millions of Texas residents has been found online.

The data — a single file containing an estimated 14.8 million records — was left on an unsecured server without a password. Texas has 19.3 million registered voters.

It’s the latest exposure of voter data in a long string of security incidents that have cast doubt on political parties’ abilities to keep voter data safe at a time when nation states are actively trying to influence elections.

TechCrunch obtained a copy of the file, which was first found by a New Zealand-based data breach hunter who goes by the pseudonym Flash Gordon. It’s not clear who owned the server where the exposed file was found, but an analysis of the data reveals that it was likely originally compiled by Data Trust, a Republican-focused data analytics firm created by the GOP to provide campaigns with voter data.

Chris Vickery, director of cyber risk research at security firm UpGuard, analyzed a portion of the data. (It was Vickery who found a larger trove of 198 million voter records last year exposed by a similar data firm Deep Root Analytics, which sourced much of its data from Data Trust.)

A spokesperson for Data Trust declined to comment on the record.

The file — close to 16 gigabytes in size — contained dozens of fields, including personal information like a voter’s name, address, gender and several years’ worth of voting history, including primaries and presidential elections.

Granted, much of that data is public. According to The Texas Tribune, that kind of voter data in Texas is already obtainable for a fee, but information relating to individuals’ political affiliations and party memberships is not. Sam Taylor, communications director for the Texas secretary of state, told TechCrunch in an email that certain data points — like Social Security numbers — are also excluded, and the voter data cannot be used for commercial purposes, like advertising.

But data-driven political firms like Data Trust use the data for political purposes, specializing in supplementing those voter profiles with information that might help a campaign to flip a person who might not vote for a Republican candidate at the ballot box.

That’s where this file fills in the gaps with dozens of other fields, which can be used by campaigns to position their political messaging.

For example, the data includes fields that might score an individual’s believed views on immigration, hunting, abortion rights, government spending and views on the Second Amendment.

Other fields were more relevant to the recent 2016 presidential election, in which the data predictively scored individuals on if they “trust” or have “no trust” for then-Democratic candidate Hillary Clinton.

The data also includes additional personal information, such as a person’s phone numbers and their ethnicity and race.

It’s not known exactly when the data was compiled, but an analysis of the data suggests it was prepared in time for the 2016 presidential election. It’s also not known if the file is a subset of last year’s leak of 198 million records — or if it’s a standalone data set.

Without an owner to inform of the exposure, it’s unclear if the data is still online.


Source: The Tech Crunch
