This Week in Tech 619: Honey, I Shrunk the Panel

Amazon buys Whole Foods, and has its eyes on Slack. Apple’s HomePod – Sonos killer? Facebook’s Safety Check causes stress. Twitter’s redesign. Voter fraud conspiracies. E3 announcements.

–Jason’s Pick: Zero Fasting Tracker
–Brian’s Pick: React Native
–Peter’s Pick: Star Trek Bridge Crew
–Dave’s Pick: Boosted Board, EZ Robot

Myspace hack puts at least 360 million users at risk

By | TechSpot

Time Inc., which recently acquired pioneering social network Myspace, has confirmed reports that the site was hacked. Like the Tumblr breach that we reported on yesterday, the compromised Myspace data dates back several years.

Time said earlier today that it first became aware shortly before Memorial Day weekend that stolen Myspace credentials were being made available in an online hacker forum. The data, which consists of usernames, passwords and e-mail addresses, was apparently swiped from the old Myspace platform – or in other words, prior to June 11, 2013, when the site was relaunched with strengthened security.

As of writing, Time says it doesn’t appear as though any financial data was compromised. What’s more, the breach does not impact any of Time’s other systems or subscribers.

Myspace is in the process of notifying affected users and is working with law enforcement in hopes of figuring out who was behind the attack. The site has also wiped all of the passwords of impacted users so at the very least, the data can’t be used to log into Myspace.

This is the second major security breach to surface this week in which the theft of data took place years earlier. Dated breaches like this may seem like less of a concern given their age but in fact, they present some unique challenges.

With data this old, it’s entirely possible that it has already been picked through before being made available on the black market. Furthermore, people weren’t quite as concerned with security and privacy in early 2013 as they are today meaning passwords were probably a bit less complex on average. Using the same password across multiple sites was also more common back then and it’s entirely possible that some haven’t gone back and changed passwords for older accounts they might not use as often these days, like Myspace.

The only real silver lining here is that yes, the data is old and is less likely to be up-to-date.

In a post on Myspace’s blog, the site says it suspects Russian hacker “Peace” is responsible for the attack, the same person that recently posted LinkedIn and Tumblr data on the underground market.

Neither Time nor Myspace would say how many accounts were compromised although a report from LeakedSource says the data set contains a whopping 360,213,024 records. Each “record” may contain a username, e-mail address, password and in some cases, a second password. The site notes that more than 68 million records had a second password attached.

The publication further reports that passwords were hashed and stored using SHA1 encryption without salting. As you may know, salting is a technique that makes it much more difficult to crack passwords. Worse yet, LeakedSource reports that very few passwords were over 10 characters in length and nearly none of them contained an upper case letter, making them even easier to decrypt.

Reports claim that Facebook will soon introduce ads inside Messenger

By | Tech Spot

Facebook’s incredibly popular Messenger service will introduce ads inside the platform sometime within next few months, according to a report from TechCrunch. A document obtained by the site says that businesses will be able to send advertisements as messages, but only to those users who have already initiated a conversation.

The document, which TechCrunch says it acquired from a “verified source” that it is keeping anonymous, also revealed that Facebook has introduced a personalized URL short link for companies to share that, when clicked, will open a chat thread with the business.

As TechCrunch points out, this short link is essentially the next generation version of a customer support number. It uses the format fb.com/msg/ followed by the Facebook username of the page, like fb.com/msg/TechSpot.

Brands will be able to share their personalized short links as a quick way for consumers to get in touch with a customer service agent. And once someone contacts a business on Messenger, they’ll start receiving ads from the company.

The exact nature of the ads is still unclear, although it’s been suggested that they could be used to inform people of upcoming sales and product launches, and possibly use videos or GIFs to promote items. Firms may even contact Messenger users to inform them that a product they previously showed an interest in has been reduced.

If the report proves to be accurate, it appears that you’ll be unable to opt out of receiving ads from companies you make contact with, which could stop people from messaging them at all. It is possible, however, that users may be able to ask firms to stop sending them ads, much like unsubscribing from an email marketing list.

Facebook has talked about increasing Messenger’s use as a B2C platform in the past, so it looks as if this feature really will be implemented, but there’s always the chance that Facebook may alter some elements if the public response is overwhelmingly negative. We’ll no doubt learn more at F8, the company’s annual global developer conference, in April.

Microsoft, global law enforcement agencies disrupt Dorkbot botnet

By | Techspot

Microsoft, in cooperation with a number of law enforcement agencies around the world, managed to disrupt a botnet that’s infected over a million PCs across more than 190 countries.

First discovered in April 2011, Dorkbot is an IRC-based botnet that has been commercialized by its creator and is readily available for purchase on underground online forums as NgrBot. The malware relies on USB drives, social networks, IM clients, spam and drive-by downloads for distribution.

It’s most often used to steal login credentials for many of today’s top sites and services including AOL, eBay, Facebook, Gmail, Godaddy, Netflix, PayPal, Steam, Twitter, Yahoo and YouTube.

Over the past six months, Microsoft said it detected Dorkbot on roughly 100,000 systems each month with the majority of infections spotted internationally.

Microsoft said it worked with CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission, the Department of Homeland Security’s United States Computer Emergency Readiness Team, Europol, the Federal Bureau of Investigation, Interpol and the Royal Canadian Mounted Police to disrupt the botnet.

Details on exactly what actions were taken to disrupt Dorkbot weren’t mentioned.

The US Computer Emergency Readiness Team (CERT) advises those that have been infected to use and maintain anti-virus software, change passwords, keep operating system and application software up-to-date, use anti-malware tools and disable Windows Autorun.

Facebook can recognize you without looking at your face

Think you can stop Facebook from automatically tagging photos of you by covering your face? Think again.

The New Scientist reports that Facebook is developing a new facial recognition algorithm so powerful that it can identify individuals even when their faces are hidden or blocked off. Instead the experimental algorithm gathers information based on other unique characteristics like hair style, body shape, and body language. It can even identify individuals based on what types of clothing they typically wear.

“There are a lot of cues we use. People have characteristic aspects, even if you look at them from the back,” Yann LeCun, head of artificial intelligence at Facebook, told the New Scientist. “For example, you can recognize Mark Zuckerberg very easily because he always wears a gray T-shirt.”

““You can recognize Mark Zuckerberg very easily because he always wears a gray T-shirt.””

Facebook’s A.I. research team tested its new facial recognition algorithm using 40,000 public photos from Flickr. Some of the photos had people’s faces clearly visible and some had people’s faces turned away from the camera. The algorithm was able to identify people with 83 percent accuracy.

Facebook is hoping to incorporate this algorithm into its recently launched Moments feature. Moments automatically creates collections of photos using certain data like where and when each photo was taken, tagging all recognizable Facebook friends along the way. If this algorithm ends up giving Moments another data set, pretty soon Facebook could also be able to surface all the photos of you taken with a certain friend, even photos where that friend was wearing a Halloween mask.

The impact on you: Social networks relying on facial recognition to create better products is nothing new. The new Google Photos app can even recognize your pets. But even though facial recognition is getting impressively accurate, it doesn’t mean that most people have gotten comfortable with the idea of being scanned, identified, and recognized by every tech company.

LeCun argues that the Facebook algorithm can be used to alert people whenever a photo of them surfaces on the web. But the flipside has raised serious privacy concerns. Even Tim Cook has expressed his concern. “You might like these so-called free services [from Facebook and Google], but we don’t think they’re worth having your email or your search history or now even your family photos data-mined and sold off for God knows what advertising purpose,” the Apple CEO said at a recent event.

via Facebook can recognize you without looking at your face | PCWorld.

A new black market site is helping users fence stolen accounts and software licenses via Paypal

While we are starting to see newer payment options surfacing like Apple Pay, Paypal is still a popular way to pay for things online. Whether its electronics on eBay, or flights and hotels on Travelocity, Paypal is there for anyone who would rather use it over a credit card. And now, the extremely questionable platform known as PayIvy is allowing individuals to purchase stolen credentials with it.

A security researcher recently spotted several sellers on PayIvy fencing stolen good credentials, Paypal/Minecraft/Netflix/Hulu accounts, software licenses and more. All of which can be purchased with Paypal. While it likely isn’t smart to purchases a stolen Paypal account with a Paypal account, it does appear to be possible here.

As you’re likely imagining, Paypal doesn’t usually just allow things like this to happen for very long and will more than likely make a move to shut it down soon. Even if that does happen, it appears the service accepts much more black market friendly currencies like Dogecoin and Bitcoin.

Like many of these dodgy platforms, it is isn’t interested in the legality of what its users are doing on there. While it appears that it is just a matter of time before both the Paypal functionality and the entire marketplace get torn apart, PayIvy is just the platform and is apparently not doing anything wrong. We have seen this before with other questionable services that simply accommodate their user base without actually getting their own hands dirty. Whether or not PayIvy gets shut down, only time will tell, but it’s hard to imagine it lasting very long.

via A new black market site is helping users fence stolen accounts and software licenses via Paypal – TechSpot.

Tech support scammer threatened to kill man when scam call backfired

“We have your address… they will come to you, they will kill you.”

Tech support scammers should probably just hang up the phone when a scam call goes wrong.

But one scammer took things to a new level by threatening to kill a man who pointed out that the scammer was trying to steal money.

As we’ve reported numerous times, scammers pretending to work for Microsoft tech support call potential victims, tell them their computers are infected, convince them to provide remote access, and then charge them hundreds of dollars to fix imaginary problems.

Jakob Dulisse of British Columbia was wise to the ruse and recorded such a call two weeks ago, CBC News reported today. After Dulisse accused the scammer of trying to install malware on his computer that would steal banking information, passwords, and PayPal credentials, things went very wrong.

“You do understand we have each and every information, your address, your phone number,” the scammer said in the recorded call. (You can listen to excerpts at the CBC link.) “We have our group in Canada. I will call them, I will provide your information to them, they will come to you, they will kill you.”

That wasn’t the only disturbing thing the scammer said. CBC reports:

The caller became irritated, but it wasn’t until Dulisse asked why the man would try to steal from unsuspecting people that the conversation took what Dulisse calls a “sinister turn.”

“He started getting kind of nasty and angry.

“He admitted that he was in India… and then he said, ‘If you come to India, you know what we do to Anglo people?’ I said, ‘No.’

“He said, ‘We cut them up in little pieces and throw them in the river.'”

Dulisse found the threats “chilling, but hard to take seriously,” CBC reported.

“He was still trying to get me to do what he was trying to do with my computer,” Dulisse told CBC. “He was actually threatening me as a tactic.”

In the US, federal officials have been shutting down Windows tech support scam operations for years, but new ones using the same tactics keep popping up.

via Tech support scammer threatened to kill man when scam call backfired | Ars Technica.

Hackers target Yahoo, compromise multiple servers using Shellshock bug

Shellshock has claimed another victim as Yahoo recently revealed that three of its servers were compromised over the weekend by hackers that managed to exploit the vulnerability.

In a statement issued to Bloomberg via e-mail, Yahoo spokesperson Elisa Shyu said the company began patching its systems as soon as they became aware of the issue and have been closely monitoring their network. Yahoo isolated a handful of servers that were impacted and at this time, Shyu added, there is no evidence of a compromise to user data.

Security researcher Jonathan Hall was the first to report the breach, the details of which can be found in this lengthy post over at Future South Technologies. To summarize, Hall claims Romanian hackers trying to build a large botnet are responsible for the attack. In addition to Yahoo, he also found evidence of an attack on utility software developer WinZip.

The security flaw, first disclosed publically on September 24, poses an even bigger threat than the Heartbleed bug from earlier in the year as it allows a bad actor to potentially gain complete control over a target system.

Security firm Incapsula estimates that there were nearly a billion attempts to use the bug and its own web application firewall dealt with more than 217,000 exploit attempts in the week following the bug’s disclosure.

There are likely thousands of Shellshock victims at this point although Yahoo is by far the biggest (that we know about).

via Hackers target Yahoo, compromise multiple servers using Shellshock bug – TechSpot.

Classic Facebook “Color Changer” scam makes another comeback

On Facebook, some scams are so alluring that they seem to live forever.

So it goes with “Facebook Color Changer,” a new malware attack that masquerades as a way to change the appearance of Facebook’s Website. Security firm Cheetah Mobile claims that the latest scam has affected more than 10,000 people around the world.

Don’t fall for this.

According to Cheetah Mobile, the app advertises the ability to “select your favourite color scheme for facebook layout,” and appears to direct users to “apps.facebook.com/themsandcolors.” But instead, the app sends users to a phishing site.

Once there, the site asks users to view a tutorial video. Launching the video supposedly provides temporary access to the user’s Access Tokens, letting the malicious site connect to the user’s Facebook friends. If the user doesn’t view the video, the site then attempts to download a pornographic video player on PCs or a bogus malware scanner on Android devices.

Cheetah Mobile blames a “a vulnerability that lives in Facebook’s app page itself, allowing hackers to implant viruses and malicious code into Facebook-based applications directs users to phishing sites.”

As Mashable points out, color-changing capabilities have been a popular hook for Facebook malware peddlers in the past. At least two previous scams have gained traction by inviting users to switch the color of Facebook’s blue menu bar. The color changer joins a number of other recurring scams that pose as oft-requested features, including the fabled ”dislike” button and ability to see who viewed your profile.

There is a legitimate way to change the color of Facebook’s menu bar, using an extension in the Chrome Web Store, but in general it’s best to treat these “feature enhancements” with extreme caution. Just because a friend posts a link your feed doesn’t mean it’s safe to click.

via Classic Facebook “Color Changer” scam makes another comeback | TechHive.