Category Archives: Hacker

Quora had a Data Breach Affecting 100 Million Users



Quora is a website where people go to get an answer to whatever random question is on their minds. Now, it appears that Quora users are going to be seeking some incredibly significant answers from the website. Quora has had a data breach that affected about 100 million users.

Quora acknowledged this data breach on The Quora Blog. The data breach was discovered on November 30, 2018. Quora says they discovered that some user data was compromised by a third party who gained unauthorized access to one of their systems. Overall, the turnaround time between discovering the data breach and telling users about it was reasonably fast.

Quora says the investigation is still ongoing, and has apologized for any concern or inconvenience this may cause. For approximately 100 million Quora users, the following information may have been compromised:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages.)

Interestingly, Quora says that questions and answers that were written anonymously are not affected by this breach because they do not store the identities of people who post anonymous content.

How will you know if this data breach affected you? Quora is in the process of notifying users whose data has been compromised. If you were affected, Quora will update you with relevant details in an email.

In addition, Quora is logging out all Quora users who may have been affected by the data breach. Quora will invalidate the passwords of those who used a password to log in. They recommend you change your passwords.

One thing to pay attention to is that this breach affected “data imported from linked networks when authorized by users”. You might want to change passwords on whatever networks you connected to Quora before the data breach.


Marriott Data Breach Involved 500 Million Starwood Guest Records



Marriott confirmed that its hotel guest database of about 500 million customers was stolen in a data breach.

Those who have concerns that their data may have been stolen may want to read the announcement that Marriott posted on their website. It includes a list of things Marriott is doing in response to the data breach.

Marriott says that on November 19, 2018, their investigation determined that there was unauthorized access to their guest reservation database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.

Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotel, and Starwood branded timeshare properties.

Marriott believes that the data breach contained information on up to approximately 500 million guests who made a reservation at a Starwood property.

For approximately 327 million of these guests, the information taken includes some combination of: name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

TechCrunch reported that Marriott said an unknown number of records contained encrypted credit card data, but has “not been able to rule out” that the components needed to decrypt the data were also taken.

This is a mess! I wouldn’t be surprised if people avoided staying at Starwood brands, or Marriott brands, in the future. Once a company has a data breach of customers’ important information, it becomes extremely difficult to regain the trust of people whose information had been stolen. I also find it troubling that it took four years between when the data breach started and when Marriott found out about it.


Sennheiser Discloses Vulnerability for PCs and Macs



Sennheiser has disclosed that a vulnerability has been identified in Sennheiser HeadSetup and HeadSetup Pro. It recommends that both PC and Mac users update their software to the latest versions (which have now been made available).

The latest software versions are:
HeadSetup Pro: v.2.6.8235
HeadSetup: v.8.1.6114 (for PC) and HeadSetup: v.5.3.7.011 (for Mac)

Users can access the updates from the Sennheiser website. In addition, Mac users and Windows users who are unable to receive automatic updates from Microsoft, or who choose not to update their HeadSetup and HeadSetup Pro software can visit the Sennheiser website for removal instructions.

Updating the software to its latest version will rid the software of vulnerable certificates. Additionally, Windows’ invalidation of the former certificates on November 27th fully eliminates the possibility of exploiting them.

What happened? Ars Technica has a detailed explanation. In short, Ars Technica says that Sennheiser has issued a fix for a “monumental software blunder” that allowed hackers to carry out man-in-the-middle attacks that “cryptographically impersonate any big-name website on the internet.”

This vulnerability was apparently discovered by Secorvo security consulting, who published a report about it. Ars Technica reported that anyone who has ever used the app should ensure that the root certificates it installed are removed or blocked.

It is kind of a weird scenario. Sennheiser’s headphone software was designed to let users connect their headphones to other devices. The vulnerability in that headphone software allowed hackers to forge certificates and impersonate websites.


Clap for Kano’s Camera Kit at CES 2018



Kano’s mission is to encourage people, particularly children, to see computers not as unchangeable appliances but as tools to be made, shaped, coded and shared. Their kits plug together bits, boards, buttons and cables to make individual and personalised computers. Bruno gives Todd a hand to develop a selfie camera from their new Camera Kit.

Kano’s approach is to challenge each young developer to program simple apps that achieve technical goals. Using Kano’s development tools it’s really easy to build programs, as the tools come with code building blocks for things like taking a picture or responding to noise via a microphone. Consequently, even Todd can code an app to take a picture when someone claps.

The Camera Kit’s not expected until next year, but you can sign up to hear the latest news. Expect the price to be around US$99.

Todd Cochrane is the host of the twice-weekly Geek News Central Podcast at GeekNewsCentral.com.


DDoS Attacks Shut Down Online Gaming Servers



Was your favorite online video game difficult to access over the weekend? There is a reason for that. A group decided to use a DDoS attack against several of the big gaming companies’ servers. I’ve no idea what the motivation of this group was, and choose not to speculate as to what they may have been thinking. If you were on Twitter this weekend you may have seen a lot of confused and frustrated tweets from gamers who were just trying to have fun playing some online video games.

The group targeted Blizzard Entertainment’s servers. This caused difficulties for those trying to access Battle Net, World of Warcraft, Diablo III, Hearthstone and other Blizzard games. Riot Games’ League of Legends was attacked and so was Grinding Gear Games’ Path of Exile.

Blizzard was keeping people informed about the outage through their @BlizzardCS account on Twitter. They did not directly mention a DDoS attack, and instead tweeted things like “We’re investigating issues where players are unable to connect or log into their characters.” Updates about the situation were provided through that Twitter account.

Sony’s PlayStation Network (PSN) was attacked, too. The PlayStation Blog has a post that gives some details.

The original post started with: “Like other major networks around the world, the PlayStation Network and Sony Entertainment Network have been impacted by an attempt to overwhelm our network with artificially high traffic.” The blog was later updated to say: “The PlayStation Network and Sony Entertainment Network are back online and people can now enjoy the services on their PlayStation devices. The networks were taken offline due to a distributed denial of service attack.”

Grinding Gear Games sent out a Tweet on their @PathofExile Twitter account about it.

From what I saw via Twitter, it appeared that some of these gaming companies had their servers go down more than once. I am of the impression that stability has been restored to the affected servers now. Hopefully, that is the end of the problem.


Is There a “WarKitteh” in Your Yard?



The innocent looking cat that is wandering through your backyard might be up to something sneaky. Instead of hunting mice, he or she could be hunting for Wi-Fi networks. Of course, the cat probably just thinks it is out for its usual “wander around the neighborhood”.

Gene Bransfield gave a talk at DEF CON titled “How to Weaponize Your Pets”. In it, he described how to turn your cat into a “WarKitteh”. Gene Bransfield works for the security company Tenacity, and he created the “WarKitteh” idea because it amused him. The “WarKitteh” name is a reference to an activity called “wardriving”: driving around looking for weak or unprotected Wi-Fi networks. Now, your cat can go do that all by itself, no driving required.

Bransfield put together a specialized collar that contained mini-computers and an antenna (which were sewn into a collar that could be worn by a pet).

The collar was placed on a Siamese cat named Coco, who belonged to Bransfield’s wife’s grandmother. Coco turned out to be pretty good at wandering the neighborhood. Coco spent three hours exploring some of the backyards nearby.

At the same time, the cat was mapping out dozens of the neighbors’ Wi-Fi networks and was able to gather enough data to determine which would be easy to get into. The “WarKitteh” identified four routers that were using an old form of encryption that could be easily hacked into and four more routers that had no security protection on them at all.

The primary inspiration behind the “WarKitteh” was entertainment. The results, however, showed that the “WarKitteh” could be an effective way to teach people about how to better protect their Wi-Fi networks. The “internet” is in love with cats, so I can see where this has potential.
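The defensive lesson the post draws from the collar’s results is that your own network may be one of the open or WEP ones. The following is an added example, not code from the post or from Bransfield’s collar: it takes the security label a Wi-Fi scanner reports for each network (the sample scan below is constructed for this example) and rates each one as open, weak (WEP or TKIP, which are obsolete) or ok (WPA2 with CCMP, or WPA3), so you can see which of your networks need reconfiguring.

```python
"""Rate the security mode of scanned Wi-Fi networks (added example).

Assumes a scanner has already produced, for each network, the SSID and a
security string of the kind most scan tools print, e.g. "WPA2-PSK-CCMP",
"WEP", or "" for an open network. The rating rules are the example's own.
"""
from collections import Counter

# Constructed sample scan results: (SSID, security string). These networks
# are made up for this example; they are not the ones the collar mapped.
SAMPLE_SCAN = [
    ("Home-2G",     "WPA2-PSK-CCMP"),
    ("Home-5G",     "WPA3-SAE"),
    ("linksys",     ""),                    # factory default, no security
    ("NETGEAR47",   "WEP"),
    ("dlink",       ""),
    ("FamilyWiFi",  "WEP"),
    ("xfinitywifi", ""),                    # open guest network
    ("OldRouter",   "WEP"),
    ("CoffeeShop",  ""),
    ("Grandma",     "WEP"),
    ("Mixed-Mode",  "WPA2-PSK-CCMP+TKIP"),  # still accepts TKIP clients
]

ADVICE = {
    "open": "anyone in range can join and read unencrypted traffic; enable WPA2 or WPA3",
    "weak": "WEP and TKIP are obsolete and easily broken; switch to WPA2-AES (CCMP) or WPA3",
    "ok":   "current encryption; keep firmware updated and use a long passphrase",
}


def rate_network(security: str) -> str:
    """Map a scanner's security string to 'open', 'weak', 'ok' or 'unknown'."""
    s = security.strip().upper()
    if not s or s == "OPEN":
        return "open"
    if "WEP" in s:
        return "weak"
    if "WPA3" in s:
        return "ok"
    if "WPA2" in s:
        # WPA2 is only as strong as its cipher; mixed mode with TKIP is deprecated.
        return "weak" if "TKIP" in s else "ok"
    if "WPA" in s:          # original WPA, which is TKIP-based
        return "weak"
    return "unknown"


def audit(scan):
    """Return (counts per rating, list of (ssid, rating, advice) needing action)."""
    counts = Counter()
    findings = []
    for ssid, security in scan:
        rating = rate_network(security)
        counts[rating] += 1
        if rating in ("open", "weak"):
            findings.append((ssid, rating, ADVICE[rating]))
    return dict(counts), findings


if __name__ == "__main__":
    summary, actions = audit(SAMPLE_SCAN)
    print("summary:", summary)
    for ssid, rating, advice in actions:
        print(f"{ssid!r}: {rating} - {advice}")
```

The sample mirrors the post’s result (four open and four WEP networks) and adds a WPA2 router in mixed mode, which is rated weak because it still accepts TKIP clients; on a real scan, feed in your own networks’ labels and fix everything the audit lists.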

The photo you see at the top of this blog is one I took of a cat that was wandering through my backyard a few years ago. That was before “WarKitteh” technology existed. The next cat that wanders through your backyard could be a “WarKitteh”, and you would probably not even know it had been there!


Two Million Passwords Stolen by Hackers



On November 24, 2013, researchers at Trustwave discovered that hackers had obtained up to 2 million passwords for websites like Facebook, Google, Yahoo!, Twitter (and others). Researchers learned this after digging into source code from the Pony botnet. It appears that information about this has only been made public very recently.

Here are some quick stats about some of the domains from which the passwords were stolen:

* Facebook – 318,121 (or 57%)
* Yahoo! – 60,000
* Google Accounts – 54,437
* Twitter – 21,708
* Google.com – 16,095
* LinkedIn – 8,490
* ADP (a payroll provider) – 7,978

In total, the Pony botnet stole credentials for: 1.58 million websites, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktops, and 3,000 secure shell accounts.

According to Trustwave, around 16,000 accounts used the password “123456”, 2,221 used “password” and 1,991 used “admin”. Now is a good time to go change your passwords into something strong and secure.

Doing so won’t make it entirely impossible for hackers to crack it, but it could make it more difficult. Trustwave noted that only 5% of the 2 million passwords that were stolen were excellent (meaning the passwords had all four character types and were longer than 8 characters).
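Trustwave’s “excellent” rule (all four character types, longer than 8 characters) is concrete enough to apply yourself. The following is an added example, not Trustwave’s code or the post’s: it grades a constructed list of passwords against that rule, flags the three most common ones the post names, and reports what share of the list is excellent, the same statistic Trustwave quoted.

```python
"""Grade passwords against the rule the post describes (added example).

The rule and the three common passwords come from the post; the sample
password list and the 'common' / 'weak' / 'excellent' labels are this
example's own construction.
"""
from collections import Counter

# The three passwords the post singles out as most common in the dump.
COMMON_PASSWORDS = {"123456", "password", "admin"}

# Constructed sample list standing in for a leaked dump; not real data.
SAMPLE_PASSWORDS = [
    "123456", "123456", "password", "admin", "qwerty", "letmein",
    "Passw0rd!", "Tr0ub4dor&3", "correcthorsebatterystaple", "Abc123!",
    "Summer2013", "P@ssw0rd", "hunter2", "iloveyou", "123456", "zaq1@WSX9",
    "Welcome1", "Abcdefgh1!", "admin", "monkey",
]


def character_classes(password: str) -> set:
    """Return which of the four character types the password contains."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")   # anything else counts as a symbol
    return classes


def is_excellent(password: str) -> bool:
    """Trustwave's rule: all four character types and longer than 8 characters."""
    return len(password) > 8 and len(character_classes(password)) == 4


def grade(password: str) -> str:
    """'common' if it is one of the notorious defaults, else 'excellent' or 'weak'."""
    if password in COMMON_PASSWORDS:
        return "common"
    return "excellent" if is_excellent(password) else "weak"


def summarize(passwords) -> dict:
    """Counts per grade, percent excellent, and the most frequent passwords."""
    grades = Counter(grade(p) for p in passwords)
    frequency = Counter(passwords)
    percent = round(100.0 * grades["excellent"] / len(passwords), 1) if passwords else 0.0
    return {
        "counts": dict(grades),
        "percent_excellent": percent,
        "top": frequency.most_common(3),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_PASSWORDS)
    print(report)
```

Note how the rule treats two edge cases: “P@ssw0rd” has all four types but is exactly 8 characters, so it is not excellent, and a long all-lowercase passphrase fails the rule despite its length, which is a limitation of character-class rules rather than a reason to avoid long passphrases.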