Connect with us

Twitch’s cybersecurity issues began long before the recent data breach

Published

on

Due to poor cybersecurity measures, data breaches seemed inevitable to former employees.

In a recent massive leak of confidential data from streaming site Twitch, a huge amount of information was revealed regarding the source code of the website, unreleased projects, and even how much the top streamers are making. But Twitch’s troubles began long before this incident. Former Twitch employees told The Verge that during their time at Twitch, the company valued speed and profit over the security of its users and data.

A data breach caused by a “server configuration error” is just one of a number of security and site moderation issues that plague the streaming platform. For example, in August, some Twitch users organized hate raids against streamers. But the hate raids did not come up suddenly this summer. According to a former Twitch employee, the alarm about possible raid abuse had been raised long before that.

According to one of the sources who worked at Twitch from 2017 to 2019, the platform employees were much more concerned about security than the management.

The source characterizes Twitch as a company that cares primarily about profits. If something did not bring income, then it was not valued highly enough.

According to another source, Twitch regularly chooses not to disclose the security issues the company is facing. For example, in 2017, scammers allegedly managed to contact streamers and request information about the division of income from Twitch Prime subscriptions. This resulted in the criminals being able to link Twitch accounts to hacked Amazon accounts.

Attackers were able to see shortcuts and APIs for Amazon’s internal services. As Amazon Prime Gaming offers streamers income through subscriptions, this could be a new attack vector for financially motivated hackers.

Several sources describe Twitch as a company that “verbally” cares about safety, but does not back it up with action. Despite the fact that tech giant Amazon owns Twitch, the streaming service has complete control over its technology. Twitch employs many third-party services that Amazon doesn’t normally use. Twitch used Slack before Amazon and Slask partnered, and the streaming platform has struggled to effectively audit the software and tools it has used in the past.

Some former employees were also asked to “approve and review documents” several months after they left Twitch.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Security

Hackers hacked Trump’s social network prior to launch

Published

on

A few hours after the launch was announced, the attackers created an account on behalf of Trump and posted obscene notes to the address of the founder of another social network.

The social network of ex-US President Donald Trump Truth Social, the creation of which he announced the day before, was subjected to a hacker attack. Writes about this The New York Times (NYT).

The cybercriminals claim that a few hours after the announcement of the creation of TRUTH Social, they were able to gain access to the beta version of the platform. Cybercriminals created fake accounts on behalf of Trump and his former aide Steve Bannon. On the fake page of the ex-President of the United States, they posted a photo of a defecating pig and obscene remarks about the founder of Twitter Jack Dorsey.

The developers had to delete these accounts and close access to the site. Its official release was scheduled for 2022.

The hackers chose to hide their identities, but claim to be associated with the Anonymous group. According to them, the hacking of the social network was part of their “war against hate.” They also wanted to have fun.

Continue Reading

Security

Olympus was attacked by ransomware for the second time in two months

Published

on

The company was attacked by Macaw ransomware developed by Evil Corp.

Japanese tech giant Olympus fell victim to ransomware for the second time in two months. This time, the attack was carried out by the cybercriminal group Evil Corp, against which the US government has imposed sanctions.

The attack on Olympus using a new variant of malware called Macaw began on October 10, 2021. The malware encrypted company systems in the United States, Canada and South America.

Macaw is a variant of WastedLocker ransomware, and both are developed by the cybercriminal group Evil Corp.

This is the second ransomware attack on Olympus in the past two months. The first incident took place in September, when the company’s networks in Europe, the Middle East and Africa were encrypted with BlackMatter ransomware (BlackMatter and Evil Corp. are not related).

“Olympus was attacked by BlackMatter last month and a week or so by the Macaw,” Allan Liska, an analyst at information security firm Recorded Future, told TechCrunch.

According to Liska, the ransomware Macaw left a ransom note on the compromised computers with a data theft statement.

According to the official press release Olympus, the company is investigating “possible data breaches” – a known technique of the so-called “double extortion” in which ransomware steals data from their victims and threatens to publish it if the ransom is not paid.

The company does not provide details about the incident, citing an ongoing investigation.

Continue Reading

Security

Scientists have learned to track gadgets using BLE signals

Published

on

Devices can be tracked by prints of their physical characteristics.

In the past few years, mobile devices have become more likely to use the Bluetooth Low Energy (BLE) protocol to transfer messages, which can pose a significant privacy risk, experts at UC San Diego warn.

Within the framework of research they examined the implementation of BLE in a number of popular models of smartphones, laptops and gadgets and found that devices can be traced back to their physical characteristics. The bottom line is that devices can have a unique fingerprint that can be used to determine where they were and when.

BLE messaging has become more common in phones, laptops, smartwatches and other gadgets due to the support of operating devices for functions such as Apple Continuity or Find My, which imply the use of the BLE standard.

Typically, applications using this protocol try to hide identifiable data by encrypting the device’s MAC address, but this does not help to hide the built-in hardware characteristics of the device, based on which it can be identified.

Experts have tested their theory on several devices, including the iPhone 10, Thinkpad X1 Carbon (Windows), MacBook Pro 2016 (macOS), Apple Watch 4 (watchOS), Google Pixel 5 (Android), and Bose QuietComfort 35. In most cases, they were able to get a fingerprint of the physical BLE chip and distinguish one device from another.

In the course of the study, the scientists faced some difficulties, for example, it turned out to be more difficult to distinguish devices operating on the same chipset model than to distinguish gadgets based on different chips. The device’s ability to identify was also influenced by its temperature and signal transmission power.

Using special equipment, the researchers intercepted BLE signals from 162 devices in public places and were able to identify 40% of them. In addition, the group recorded BLE signals from bystanders’ devices with COVID-19 tracking apps from Apple and Google for two days for 10 hours. Scientists managed to “uniquely identify” 47.1% of 647 MAC addresses.

In theory, the method can be used to track the Apple AirTag and Samsung SmartTag Plus Bluetooth trackers, the researchers noted.

Continue Reading

Most Popular