Wednesday, August 3, 2016

Yahoo Hacked! Hackers Selling 200 Million Records on Dark Web



Hardly a day goes by without headlines about a significant data breach. In the past few months, over 1 Billion account credentials from popular social network sites, including LinkedIn, Tumblr, MySpace and VK.com, were exposed on the Internet.



Now, the same hacker who was responsible for selling the data dumps for LinkedIn, MySpace, Tumblr and VK.com is selling what is said to be the login information of 200 Million Yahoo! users on the Dark Web.



200 Million Yahoo! Logins for 3 BTC


The hacker, who goes by the pseudonym "Peace" or "peace_of_mind," has put 200 Million Yahoo! credentials up for sale on an underground marketplace called The Real Deal for 3 Bitcoins (US$1,824).


Yahoo! admitted the company was "aware" of the potential leak, but did not confirm the authenticity of the data.



The leaked database includes usernames, MD5-hashed passwords and dates of birth for 200 Million Yahoo! users. In some cases, there are also the backup email addresses used for the account, the country of origin, and, for United States users, ZIP codes.



Easily Crackable Passwords


Since the passwords are only MD5-hashed (a fast hash, not encryption, so there is nothing to "decrypt"), attackers could easily recover them using one of the MD5 lookup services available online, leaving Yahoo! users exposed.



In a brief description, Peace says the Yahoo! database "most likely" comes from 2012, the same year when Marissa Mayer became Yahoo's CEO.



Just last week, Verizon acquired Yahoo! for $4.8 Billion. So, the hacker decided to monetize the stolen user accounts before the data loses its value.



When contacted, the company said in a statement:
"We are committed to protecting the security of our users' information and we take such claim very seriously. Our security team is working to determine the facts...we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms."

Use Password Managers to Secure Your Online Accounts


Although the company has not confirmed the breach, users are still advised to change their passwords (and keep a longer and stronger one using a good password manager) and enable two-factor authentication for online accounts immediately, especially if you are using the same password for multiple websites.



You can also adopt a good password manager that allows you to create complex passwords for different sites as well as remember them for you.

We have listed some of the best password managers here; the list should help you understand the importance of a password manager and choose a suitable one for your requirements.

Google introduces new Alert Feature on Android - Login Activity Notification



Google has rolled out a new feature for Android users to keep their accounts more secure: a native Android push notification when a new device accesses your Google account.


Google has already been offering email notification for newly added devices, but since people usually ignore emails, the tech giant will now send a push notification to your device screen, giving you a chance to change your password immediately before an intruder gets in.



Although it's a small change, the company believes people pay four times more attention to push notifications on their devices than to email notifications.


The new feature "increases transparency to the user of what actions they've performed and allows them to flag any suspicious activity they may be seeing on the device," the company says in its official blog post.

So, from now on, when a new device is added to your Google account, or, in other words, when a new device accesses your account, you will receive a push notification on your current Android device, asking:


"Did you just sign in?"



If yes, you can just ignore the notification. But if the activity appears suspicious, you just have to tap the "Review account activity" button to know about the details of the new device.



You can immediately change your password and add two-factor authentication (2FA) if you are worried someone else has accessed your account.


The new feature is rolling out to users gradually, and it may take over two weeks to reach all the users across the world.


Recently, Google has been taking several measures to protect its users' account privacy. Google also introduced "Google Prompt," which makes the 2-Step Verification (2FV) process much easier, allowing you to log in with a single tap instead of typing codes.

Beware! Advertisers Are Tracking You via Mobile Battery Status



Is my smartphone battery leaking details about me?


Unfortunately, YES!


Forget about supercookies, apps, and malware; your smartphone battery status is enough to monitor your online activity, according to a new report.


In 2015, researchers from Stanford University demonstrated a way to track users' locations – with up to 90 percent accuracy – by measuring the battery usage of the phone over a certain time.


The latest threat is much worse.


Two security researchers, Steven Englehardt and Arvind Narayanan, from Princeton University, have published a paper describing how a phone's battery status has already been used to track users across different websites.


The issue is due to the Battery Status API (application programming interface).


How Does Battery Status API Help Advertisers Track You?


The battery status API was first introduced in HTML5 and had already shipped in browsers including Firefox, Chrome, and Opera by August last year.


The API is intended to allow site owners to see the percentage of battery life left on a laptop, tablet, or smartphone in an effort to deliver an energy-efficient version of their sites.


However, researchers warned last year about the API’s potential threat that could turn your battery level into a "fingerprintable" tracking identifier.

The researchers found that the combination of the remaining battery life in seconds and the battery level as a percentage offers 14 Million different combinations, potentially providing a pseudo-unique identifier for each device that can be used to recognise the same device across the sites it visits.
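As an added illustration (not the article's or the researchers' code), the Node.js snippet below builds an identifier from the two Battery Status API fields on constructed readings and shows how rounding those fields, an assumed mitigation modelled on the coarsening browser vendors applied after the 2015 paper, makes different devices indistinguishable. The readings, device names and site names are constructed; the field names match the BatteryManager object that `navigator.getBattery()` resolves to.

```javascript
// Added example: Battery Status API values as a cross-site key, and the effect of coarsening.

// Constructed readings shaped like BatteryManager: level in [0,1], dischargingTime in seconds.
const readings = [
  { device: "A", site: "news.example", level: 0.4312, dischargingTime: 9834 },
  { device: "A", site: "shop.example", level: 0.4312, dischargingTime: 9834 }, // same device, seconds later
  { device: "B", site: "news.example", level: 0.4315, dischargingTime: 9761 },
  { device: "C", site: "shop.example", level: 0.4300, dischargingTime: 10230 },
];

// What a tracking script can do: with fine-grained values the raw pair acts as a
// pseudo-unique key that two unrelated sites can both observe and compare.
function rawFingerprint(r) {
  return `${r.level}:${r.dischargingTime}`;
}

// Assumed mitigation (simplified): round level to two decimals and report the
// discharging time only in 900-second steps, shrinking the identifier space.
function coarseFingerprint(r) {
  const level = Math.round(r.level * 100) / 100;
  const step = 900;
  const time = Math.round(r.dischargingTime / step) * step;
  return `${level}:${time}`;
}

// Group readings by key and record which devices share each key (Map<key, Set<device>>).
function linkability(readings, fp) {
  const groups = new Map();
  for (const r of readings) {
    const key = fp(r);
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(r.device);
  }
  return groups;
}

// Number of distinct keys: a tracker wants this equal to the number of devices,
// a defender wants many devices collapsed onto each key.
function distinctKeys(readings, fp) {
  return linkability(readings, fp).size;
}
```

With the raw fields every device gets its own key and device A is recognised on both sites; after coarsening all three devices share the key "0.43:9900".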


Now, the last year's research has grown into a proper threat.



Advertisers Are Tracking You via your Battery Status


One of those researchers, Lukasz Olejnik, published a blog post this week saying that companies are already leveraging the potential of this battery status information.

"Some companies may be analyzing the possibility of monetising the access to battery levels," he writes. "When a battery is running low, people might be prone to some - otherwise different - decisions. In such circumstances, users will agree to pay more for a service."
Olejnik pointed to the latest research by Englehardt and Narayanan, who discovered two tracking scripts running at large scale on the Internet that take advantage of the Battery Status API and are currently tracking users.


The duo explains that they observed the behavior of two actual scripts and suggested the companies and other entities are perhaps leveraging this technique for their own purposes.

"These features are combined with other identifying features used to fingerprint a device," the researchers write in their paper titled, "Online Tracking: A 1-million-site measurement and analysis."
For in-depth information, you can head on to the research paper [PDF].


Here comes the worst part of this attack:


There's hardly any way to mitigate against this attack. Nothing works: Deleting browser cookies or using VPNs and AdBlockers will not solve your problem.


The only option is to plug your smartphone into the mains.

Over two months ago, Uber's head of economic research Keith Chen said the company had been monitoring the battery life of its users, as it knows users are more likely to pay a much higher price to hire a cab when their phone's battery is close to dying.

Tuesday, July 26, 2016

France Warns Microsoft to Stop Collecting Windows 10 Users' Personal Data



We have heard a lot about privacy concerns surrounding Windows 10 and accusations that Microsoft is collecting too much data about users without their consent.


Now, the French data protection authority has ordered Microsoft to stop it.


France's National Data Protection Commission (CNIL) issued a formal notice on Wednesday, asking Microsoft to "stop collecting excessive data" as well as "tracking browsing by users without their consent."


The CNIL, Commission Nationale de l’Informatique et des Libertés, ordered Microsoft to comply with the French Data Protection Act within 3 months; if it fails, the commission will issue a sanction against the company.


Moreover, the CNIL notified Microsoft that the company must also take "satisfactory measures to ensure the security and confidentiality" of its users' personal data.


The notice comes after a series of investigations between April and June 2016 by French authorities, revealing that Microsoft was still transferring data to the United States under the "Safe Harbor" agreement that a European court invalidated in October last year.



Allegations on Windows 10


The CNIL's list of complaints about Windows 10 does not end there, as it goes on to read:




  • Microsoft is collecting "Windows app and Windows Store usage data," including which apps users download and the time spent in each app, which according to the CNIL is irrelevant and "excessive" data collection.
  • Microsoft is also criticized for its lack of security, since there is no limit set on the number of guesses for entering the four-digit PIN used to protect your Microsoft account.
  • After Windows 10 installation, Microsoft also activates a user's advertising ID by default, which enables Windows apps as well as other third-party apps to monitor user browsing history and to offer targeted ads "without obtaining users' consent."
  • Windows 10 does not give you any option to block cookies.
  • And as I mentioned above, Microsoft is transferring its users' personal data to the United States under the "Safe Harbor" agreement.
In a statement, the CNIL said: "It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory)."

Microsoft Response on the CNIL Notice


Microsoft has responded to the notice, saying the company is happy to work with the CNIL to "understand the agency's concerns fully and to work toward solutions that it will find acceptable."


What's more interesting is that Microsoft does not deny the allegations set against it, does nothing to defend Windows 10's data collection, and fails to address the privacy concerns the CNIL raises.


However, the tech giant does address concerns about the transfer of its users' personal data to the U.S. under the "Safe Harbor" agreement, saying that "the Safe Harbor framework is no longer valid for transferring data from European Union to the United States."


The company says it still complies with the Safe Harbor agreement up until the adoption of Privacy Shield.


"Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and US representatives worked toward the new Privacy Shield," says Microsoft. "We're working now toward meeting the requirements of the Privacy Shield."

Windows 10 privacy concerns seem to be a never-ending topic. Over the last year, Microsoft has annoyed users with a number of questionable practices around Windows 10, including aggressive upgrades and sending too much information about users back to Redmond.


Since there is the promise of a statement about privacy next week, let's see what happens next. You can read Microsoft's full statement, courtesy of David Heiner, vice president and deputy general counsel, on VentureBeat.

Edward Snowden Designed an iPhone Case to Detect and Block Wireless Snooping




We just cannot imagine our lives without smartphones, even for a short while, yet NSA whistleblower Edward Snowden has not owned a smartphone since 2013, when he began leaking the NSA documents that exposed the government's global surveillance program.


Snowden fears that cellular signals of the smartphone could be used to locate him, but now, to combat this, he has designed an iPhone case that would detect and fight against government snooping.

With help from renowned hardware hacker Andrew "Bunnie" Huang, Snowden has devised the design, which they refer to as an "Introspection Engine," that would keep journalists, activists, and human rights workers from being tracked by their own devices leaking their location details.


"This work aims to give journalists the tools to know when their smartphones are tracking or disclosing their location when the devices are supposed to be in airplane mode," Huang and Snowden wrote in a blog post published Thursday. "We propose to accomplish this via direct introspection of signals controlling the phone’s radio hardware."



For now, the design is aimed only at iPhone 6 models, but the duo hopes to create specifications for a large number of devices.


Snowden, together with Huang, presented on Thursday at the MIT Media Lab the design for a case-like add-on device that could modify an iPhone, allowing you to monitor various radio signals inside the phone to confirm they're not transmitting data when they’re meant to be off.



Here’s How the Introspection Engine Works:


Once built, the hardware case will be a separate minicomputer, working independently of your phone and made up entirely of open source hardware, containing its own battery and a small mono-color screen that shows the real-time status of your phone.


The case will have tiny probe wires to attach to a modified iPhone that physically wires into the phone’s antennas used by its radios, including cellular connectivity, GPS, Bluetooth, and Wi-Fi, through the SIM card slot.

The Introspection Engine will then be able to monitor radio transmissions and alert users to any output signal the phone is not supposed to be sending.


In addition to alerting users, the case will even be able to shut down all radio signals on a phone to prevent governments as well as hackers from finding your location.


Since the case is designed to be independent of your phone, it would still protect you against malware on the phone that activates radios without your knowledge.

"Malware packages, peddled by hackers at a price accessible to private individuals, can activate radios without any indication from the user interface," the duo wrote. "Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive."

Instead, Snowden and Huang suggest the beauty of using external hardware as a shield is that it would not be affected if malware has infected your phone. "The core principle is simple: if the reporter expects radios to be off, alert the user when they are turned on," they added.


The Introspection Engine’s mission is to warn users when malware or technical glitches are causing their phone to rat out their location.


However, the hardware case is still nothing more than a design for now.


Supported by the Freedom of the Press Foundation, Snowden and Huang are hoping to build a real-world prototype device over the next year in the hopes of making the case available to journalists as soon as possible.