Hacking Scandals: The Biggest, Baddest, And Scariest

Biggest Hacking Scandals of all Times

The Internet is a worldwide platform for sharing information. It is a community of common interests. No country is immune to such global challenges as cybercrime, hacking, and invasion of privacy.

—Lu Wei

Biggest Hacking Scandals of all Times

Biggest Hacking Scandals of all Times

Knives and guns are no longer the weapons of choice for criminals. A keyboard is. Hacking has become the most effective way to either gain the most reward or do the most damage in a single crime. And due to the fact that individuals and companies care more about locking their doors and installing security cameras than encrypting and protecting their digital information, it is arguably easier to rob data than a house or an office building. Additionally, as hacking has popularized, a hacking community has emerged, creating competition for the biggest or baddest hack. Here are just a few of the worst:

1. and 2. Yahoo

Yahoo takes the cake when it comes to data breaches. Two breaches that their systems have undergone hold the top two places on this list. In September of 2016, Yahoo announced that two years prior 500 million Yahoo accounts had been breached. The evidence, according to Yahoo, pointed to a state-sponsored actor. A few months later, at the end of 2016, another Yahoo hacking incident came to light. A much bigger one. Yahoo announced that in August of 2013, 1 billion accounts had been breached, making it the largest hack on record. From the evidence that investigators found, the two hacking incidents were not linked. However, in both hacking incidents, everything from dates of birth and email addresses to encrypted security questions and answers and hashed passwords were stolen. Fortunately, no financial information was taken.

3. Myspace

This massive data breach garnered nowhere as much news as Yahoo and other lesser hacks. But that is not because it was not on a wide scale, it is simply because Myspace is no longer a company that garners as much news. The attack compromised 360 million Myspace accounts sometime before June of 2013. Usernames, email addresses, and passwords were all stolen. Myspace, its owner Time Inc., and investigators have not been able to nail down an exact date for when the attack took place, which is not uncommon as many hackers can get access to a system and stay there for months without being detected.

Biggest Hacking Scandals of all Times

4. eBay

In early 2014, the massive online auction house was hacked. 145 million accounts were breached. It was a similar hack to the Yahoo ones, with email addresses, mailing addresses, birth dates and more being stolen. And still similarly to Yahoo’s hacks, no financial information was taken. The route of the hacking was identified: The hackers managed to obtain employee login credentials, which gave them access to the company’s corporate network.

5. LinkedIn

The LinkedIn hack was a special one because the information that was stolen was very publicly sold. In May of 2016, the hacker who stole the information, an individual going by the name ‘Peace’, attempted to sell 117 million LinkedIn emails and passwords—this was 100 million more accounts than the company had originally believed to have been affected by they 2012 hack.

6. Target

The Target hack may not be the largest hack of all time, but it has arguably been the most destructive hack. So destructive, in fact, that Target had to pay out $10 million to the victims of the massive data breach. The breach itself happened in 2013 and it affected 110 million individuals, who had all of their credit or debit card information stolen. This included everything from customer names and card numbers to the magnetic strip code and PIN data. Each victim, who could prove that their card information had been used or their credit history had been tarnished, could claim up to $10,000.

7. AOL

In 2003, a crime was committed by an AOL employee. He hacked into the corporate system to steal a list of AOL customers, their emails, and their screen names. The employee sold this list of 92 million email addresses for $28,000. It was then circulated among spammers who sent unwarranted marketing emails to all of the addresses on the list. It cost the company $400,000, not to mention the loss in customers that it likely triggered. The employee was found guilty in court, sentenced to 15 months in prison and slapped with a hefty fine.

8. Ashley Madison

While no financial harm came to any of the individuals who had their information stolen in the Ashley Madison hack, it has arguably become the most famous hack in recent years. The main reason for this is the loss of privacy. For a dating website that caters to married people, privacy is key. This privacy was lost when, first, the website was hacked and 32 million users’ information was stolen and then, second, that information was posted online for the world to see who was cheating on their spouse. The released data included user information, such as their names, addresses, passwords, and phones numbers, as well as transaction history on the website and descriptions of what the individual users were looking for.

These are just a handful of the hacks that have been perpetrated over the last few years. And these type of attacks are only becoming more and more common. Businesses, of every size and in every sector, as well as individuals, need to protect themselves. This is exactly what OrangeWebsite helps people and organizations do. We provide the highest level of protection against both hacking and governmental collection of private information. Try out our services with a 30-day money back guarantee, utilize our 24/7 technical support, and protect yourself, your information, and the information of those you do business with. For more information, please contact us.

The Increasing OAuth Phishing Threat

OAuth Phishing Threat
OAuth Phishing Threat

OAuth Phishing Threat

People are gradually growing more careful about phishing schemes that impersonate websites and ask for their passwords. But what if they don’t have to give a password to let an unauthorised party get at their data? That’s exactly what happened in a recent phishing campaign aimed at Google users. Hard numbers aren’t available on how many people were affected, but Google said the number was “fewer than 0.1% of Gmail users,” which could be as many as a million.

The Google Docs spoof

People received a message on their Gmail accounts, usually from an address they knew, asking them to open a “Google Doc.” If they did, it asked them to give Google Docs certain permissions, including permission to “read, send, delete, and manage your email.” No password confirmation was necessary, since the victim was already logged in. The only trouble was that the application wasn’t Google Docs but a malicious lookalike web app.

If the victim gave permission, the attacker could then use the account to send the same email to the victim’s contacts. This could have spread without limit if Google hadn’t promptly shut the application down.

The deception took advantage of design and implementation weaknesses in the widely used OAuth2 specification, which allows one Web application privileged access to another. Researchers had warned in 2011 that this kind of spoofing was possible, creating a proof-of-concept application. The 2017 attack may have drawn directly on that code.

What made the attack plausible

A combination of design issues with OAuth, social factors, and implementation choices by Google made the spoofing plausible to anyone without a strong understanding of security issues. The application was in fact hosted on Google, which lets users develop applications for public use. It was a reasonable imitation of Google Docs; the URL was wrong, but it was a Google URL. The mail came from trusted accounts.

The application was called “Google Docs.” Until very recently, Google didn’t prevent user applications from using its name. It still doesn’t provide any warning when an application making this type of request isn’t under Google’s control.

There’s no good reason Google Docs should ask for access to the user’s Gmail account, but people are used to wildly excessive requests for authorization. Websites that let your account connect to a LinkedIn account often ask for permission to post on your behalf. Most people apparently grant it without worrying.

OAuth Phishing Threat

The trouble with OAuth

The deeper problems, which aren’t restricted to Google, lie in the OAuth standard. It’s an authorization system which is weak on authentication. Without strong protections, it makes it easy to trick users into giving untrustworthy applications access to their private data.

In brief, OAuth2 lets a client application request permissions from a server. Only authorized applications can make requests. An application that’s allowed to use OAuth receives a client ID, which is public information, and a client secret (or key), which is confidential.

When the client app invites the user to give it permission, it redirects the user to a server URL. The server will inform the user of the request and give a choice of denying or allowing authorization. If the user allows it, the server redirects back to the client and sends an authorization code, which the client has to retain for as long as it wants to keep the permission. This could be just for a session or permanent. The server can limit its duration.

An obvious problem with this arrangement is that the server needs to trust a client over which it has no control. The client might be trustworthy at the time it gets permission, but a change of policy or a malware infection could change that. Theoretically, users should trust only applications in which they have very high confidence, but many people are far too trusting. The organization operating the server needs to carefully limit the clients it will give access to.

A poor implementation lets a client pretend to be a trusted application. The server has some control over this, since it knows what application is making the request, but it may or may not make it obvious to the user. If it just displays the application’s self-selected name, that’s weak protection.

Users who authorize a rogue application may not even realize there’s a problem. Google and other sites that use OAuth normally make a list of authorized applications available to the user and allow revocation, but it’s buried somewhere in the user settings.

Future risks

It’s a lucky thing that the Gmail attack apparently did little damage. One thing Google did right was to catch the rogue application and revoke its credentials within an hour. We can be sure others will try similar tricks, sometimes with services that don’t react so quickly. Any organization that uses OAuth to grant third-party applications access to its site should review its implementation and policy to make sure it isn’t vulnerable.

The most important precaution is to screen applicants for credentials carefully. A lot of users will give permission to any application that seems to do something useful, so it isn’t enough to trust them to exercise discretion.

Even if what an application currently does is legitimate, the applicant’s reputation needs to be good enough that it isn’t likely to misuse its authorization in the future. Clients should be periodically reviewed to make sure they still deserve trust. If there’s any sign they don’t, it’s important to follow up quickly and, if necessary, revoke authorization. Even an honest organization could have its credentials stolen or its code infected.

The organization should think carefully about what kinds of access it should authorize. The power to speak for the user can be used for fraudulent purposes. The power to read private data could allow theft of secrets. There needs to be a convincing case that the benefits from the application justify the risks.

Authorizing third-party applications can greatly increase the value of a service, but it carries serious responsibility. Anyone who implements it needs to be aware of its dangers and make choices that minimize the chances of abuse.

If you’re concerned with the security of your planned website, OrangeWebsite will provide hosting that will satisfy  your needs. Contact us to learn more.

Web Hosting Talk: Most Common Web Hosting Problems

Web Hosting Talk
Web Hosting Talk

Web Hosting Talk on the Most Common Web Hosting Problems

There are so many web hosting companies to choose from that many people find it confusing to choose one. Even once you’ve signed up with one, how do you know you’ve made the right choice? One of the interesting things about web hosting is that the better it is, the less you think of it. Ideally, your website is running so smoothly that you seldom give much thought to your web hosting company. It’s sort of like the electricity or plumbing in your house. You only notice it when something’s wrong. With this in mind, let’s have a little web hosting talk about some of the typical problems that individuals and businesses have with their hosts. These are all signs that it’s time to rethink your web hosting choice.

Slow or Unreliable Service

You depend on your web host to keep your website online. You also want to work with a company with fast and reliable servers so that your visitors and customers can load pages quickly. Nowadays, people have very little patience for slow-loading pages. Delays of even a few seconds mean losing visitors. That’s why you need web hosting that’s fast and reliable, with high uptime. Before you blame your web host for slow-loading pages, however, remember many factors affect page loading speed. For example, if you have images that aren’t optimized or lots of videos on your site, this can cause slowdowns. If you use WordPress, too many plugins could be the culprit. However, if you find that you’ve done everything possible to optimize your site and it’s still slow, your host may be the problem. If you’re shopping for a web host, try to identify some of their customers and test their websites for speed.

Web Hosting Talk

Unreliable Support

No matter what kind of website you have, it’s likely that you’re going to need support at some point. Whether it’s to ask a question about a certain feature or report a problem, it’s important that you can reach someone promptly and get your issue resolved. If you have a business, it’s even more crucial. Website problems can quickly translate into losing sales and customers. Unfortunately, not all web hosting provides reliable support. One feature to look for is that you can reach someone 24/7, not only during normal business hours. You don’t want to get stuck if a serious issue occurs on a weekend or late at night. Of course, support is more than someone answering the phone. You want to reach a knowledgeable and helpful person, not get stuck on hold or talking to someone who can’t solve your problem. Reading customer reviews of web hosts is a good way to gauge how strong a company is in this department.

Insufficient Security

With issues such as hacking and identity theft in the news, security is another essential element you want in a web host. If your site has already been hacked, this is a sign that your web host isn’t providing the level of security you want. Of course, you should also realize that security is also about the type of plan you choose. No matter who your web host is, a shared hosting plan is always your least secure option. If you have a growing business, you should seriously consider upgrading to VPS or dedicated hosting. However, even with shared hosting, there are different levels of security. Look for a web host with a secure data center (or multiple ones). Another important security feature is For example, your web host should offer security services such as two-factor authentication, which makes it harder for unauthorized parties to log in and access your site. Web hosts should also offer backup services to ensure you don’t lose your data.

Web Hosting Talk

Lack of Flexibility and Scalability

A website is not something static; you want it to grow and evolve along with your needs. As your business grows, your needs expand. A good web host makes it easy to scale your business. As mentioned, you may want to upgrade from shared hosting to VPS or dedicated. Beyond this, however, you want a web host that offers a great deal of flexibility. For example, if you do have VPS (Virtual Private Server) or dedicated hosting, does your host allow for unlimited data transfers? You also don’t want to overpay for hosting. A flexible host offers many plans so you’re only paying for the data you actually use. That way you can upgrade (or downgrade) your service based on your needs. Make sure that your web host is flexible enough to let your website grow.

You Don’t Have All the Features You Need

You shouldn’t have to compromise on the features or level of service you offer customers because your web host limits your capabilities. Does your web hosting company let you install PHP scripts, b2evolution, Joomla, WordPress, e-commerce platforms, or other features you need? Does it offer Windows as well as Linux hosting? While Linux hosting is the most common, some businesses use software that requires Windows hosting. The features you need depend on your own particular needs. When comparing web hosts, it’s wise to look ahead and consider the services you’re likely to want in the future.

Web Hosting Talk

Poor Value

When it comes to web hosting talk, you can’t ignore cost. At the same time, don’t be tempted to sign up with a web host simply because it’s cheap. Low price doesn’t always translate into good value. On the other hand, you don’t want to pay more than you have to for reliable hosting. When looking at plans and prices, make sure you read the fine print. Many web hosts offer cheap introductory prices but keep in mind you’ll have to pay the full price when you renew. Some reasonable plans force you to sign up for long periods such as two or three years. Carefully consider the cost along with all of the features and services the company offers to figure out whether you’re getting solid value.

These are some of the major factors to consider when assessing your web hosting or when shopping for a web host. Web hosting talk covers many issues, so it’s important to make sure that you carefully consider your own needs. If you’re looking for reliable, secure and affordable web hosting, contact us.