CyberSecurity Pulse 2016-11-17

CyberSecurity Pulse 2016-11-17

“Do not be afraid to take a big step, a precipice hopping is not passed.”

Analyst Insight

Facebook Buys Passwords on the Black Market!

Last week, Facebook’s current CSO, Alex Stamos, gave a lecture in the Web Summit conference held in Portugal about Facebook security concerns. The CSO discussed about the difficulties that building a safe platform imply taking into account that it is being used daily by more than 1300 million users and the fact that, in his own words:”The reuse of passwords is the No. 1 cause of harm on the internet”.CyberSecurity Pulse 2016-11-17In relation to this threat, Stamos himself has stated that his company is buying passwords and credentials in several underground marketplaces. The goal is to cross-reference them with encrypted passwords already stored in their website to provide additional protection to their users.

Sincerely, such a statement is really worrying considering the amount of personal information collected as it would imply being storing credentials and information even linked to users who might not be their customers. Apart from this, Facebook would be contributing to finance the malicious activities of several cybercriminal groups which would be gaining profit by buying and selling data breaches. If we feel that the real problem is password reuse, we should start considering once and for all the implementation of more modern authentication systems to prevent the use of passwords at all.

» More information at The Hacker News

Top Stories

AdultFriendFinder Network Hack Exposes 412 Million Accounts

CyberSecurity Pulse 2016-11-17More than 412 million user accounts have been exposed thanks to the recent FriendFinder Networks hack. The breach included 20 years of historical customer data from six compromised databases:,,,, and another unknown domain. According to LeakedSource, this is the biggest data breach in 2016. The attack happened at around the same time as one security researcher known as Revolver, disclosed a local file inclusion flaw on the AdultFriendFinder site, which, if successfully exploited, could allow an attacker to remotely run malicious code on the web server. But it’s not known who carried out this hack. When asked, Revolver denied being behind the data breach and, instead, blamed users of an underground Russian hacking site.

» More information at ZDNet

The Secretly Installed Android App That Was Sending Your Information Without Permission

CyberSecurity Pulse 2016-11-17This week, the security firm Kryptowire has identified a firmware that would be collecting sensitive personal information from different smartphone models using Android. The failure, initially discovered in the BLU R1 HD device, was sending certain information to external servers related to the body of the text messages, the contact list, the call history and the IMSI and IMEI numbers. Blu Products, which blames for the incident to a third-party application, is providing on its website a guide that let users verify whether or not their devices are vulnerable. In this website, they also collect the list of affected models that include, in addition to the R1 HD others such as Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL, and Energy Diamond.

» More information at Kryptowire and Blu Products

Rest of the Week´s News

US Post-Election: Phishing Emails Targeting NGOs and Think Tanks

Just a few hours after Donald Trump won the 2016 US Presidential Election, a hacking group known as Cozy Bear, APT29, and CozyDuke launched a wave of cyber attacks targeting policy think-tanks with a new spear phishing campaign designed to fool victims into installing PowerDuke malware.

» More information at The Hacker News

The US Military Launches “Hack the Army”

Announced by outgoing secretary of the Army Eric Fanning, this new bugbounty program asks hackers to vet and find flaws in the Army’s digital recruiting infrastructure. “Hack the Army” is more focused on recruitment sites and databases of personal information about both new applicants and already existing army personnel.

» More information at Wired

This Hack Gives Linux Root Shell Just By Pressing Enter for 70 Seconds

A hacker with little more than a minute can bypass the authentication procedures on some Linux systems just by holding down the Enter key for around 70 seconds. The act grants the hacker a shell with root privileges, which allows them to gain complete remote control over encrypted Linux machine.

» More information at The Hacker News

Further Reading

17-year-old Pleads Guilty to Offences Linked to TalkTalk Hack

» More information at SC Magazine UK

OurMine Hackers Hacked Mark Zuckerberg

» Más información at Security Affairs

Google Develops a Neural Network That Can Translate Languages It Hasn’t Been Trained On

» Más información at The Register