FriendFinder breach shows it’s time to be adults about security
Like all sectors — government, retail, finance, and healthcare — adult and porn businesses are feeling the consequences of not making security a priority, in the worst possible ways.
Namely, by getting hacked and pwned, hard. Take for example this week’s breach-bloodbath, in which FriendFinder Networks (FFN) lost their source code to criminal hackers and put their users in serious risk. Combined with Ashley Madison’s many deceits, FFN also contributed to the deepening public mistrust about the very sensitive data exchange between adult companies and their consumers.
We found out this week that “sex and swinger” social network Adult FriendFinder was breached, along with all of their other sites. The FriendFinder Network Inc. (FFN) operates AdultFriendFinder.com, webcam sex work site cams.com, Penthouse.com, and a few others; a total of six databases were reported in the haul.
The hack and dump performed on FFN has exposed 412,214,295 accounts, according to breach notification site Leaked Source, which disclosed the extent of the privacy disaster on Sunday. Leaked Source said “this data set will not be searchable by the general public on our main page temporarily for the time being.”
But as infosec blog Salted Hash put it, “The point is, these records exist in multiple places online. They’re being sold or shared with anyone who might have an interest in them.”
That’s more users than Twitter and a third of Facebook’s global membership. It’s not bigger than Yahoo’s abysmal security apocalypse, in which we just found out 500 million accounts were compromised in 2014. Yet FFN’s epic catastrophe far exceeds the likes of eBay (145M), Anthem (80M), Sony (77M), JP Morgan Chase (76M), Target (70M) and Home Depot (56M).
Making it worse than a typical security fail is what’s in the data.

The snatched records contain usernames, email addresses and passwords — nearly all of which are visible in plain text. Over 900,000 accounts used the password “123456,” 101,046 used “password,” tens of thousands used words like “pussy” and “fuckme” — which we suppose is exactly what FriendFinder did to the user by storing their passwords so recklessly.
But wait, there’s more embarrassment to be had by all. Stolen FriendFinder Networks files show that 78,301 accounts used a .mil email address, 5,650 used a .gov email. Telegraph reports addresses associated with the British government include seven gov.uk email addresses, 1,119 from the Ministry of Defence, 12 from Parliament, 54 UK police email addresses, 437 NHS ones and 2,028 from schools. Suffice to say, federal employees are in the category of pervs who need to make sure they aren’t reusing any of those bad passwords on other accounts.
As we discovered by files exposed in the Ashley Madison breach, FriendFinder wasn’t removing profiles that users believed to have been closed or removed. The records have been found by Leaked Source to contain 15,766,727 million accounts that were supposed to have been deleted. They wrote, “it is impossible to register an account using an email that’s formatted this way which means the addition of “@deleted.com” was done behind the scenes by Adult Friend Finder.”
This breach actually happened last month. Salted Hash first reported the discovery of a serious security issue with FFN, then revealed the beginning of this massive database catastrophe.
In October, a researcher who went by the names “1x0123” and “Revolver” posted screenshots on Twitter showing what’s known as a Local File Inclusion vulnerability on Adult FriendFinder. Revolver is known for finding adult website security issues, and they confirmed to Salted Hash that the flaw was being actively exploited. Right away, LeakedSource.com began to receive files from FriendFinder’s databases — some 100 million records. Everyone involved believed this was just the beginning of a massive data breach.
After their October disclosure got FriendFinder’s attention, Revolver tweeted that FFN’s security issue was resolved and “…no customer information ever left their site” — which was clearly untrue. Their Twitter account is now gone.
Friend Finder Network conceded to “a security incident involving certain customer usernames, passwords and email addresses” in a press release on Monday. It did not acknowledge the number of records exposed. While FFN advised users who might be reading its press release to change their passwords, it still hasn’t notified its customers directly and there are no notifications on any of its compromised websites.
This was the second breach for the site in less than two years. In May 2015, Adult FriendFinder was hacked, and the attackers exposed details of nearly four million users. The compromised information included sexual preferences and personal details, whether they are gay or straight, and whether they are seeking extramarital affairs, along with email addresses, usernames, dates of birth, postcodes and the unique internet addresses of users’ computers.

In that instance, TekSecurity had discovered the files on a darknet forum, and noted that AFF hadn’t reported the breach. They wrote about the files saying, “there is a ton of personally identifiable information (PII) sitting in a forum on the Darknet that has been viewed 1,756 times.”
Driving home the harm to consumers, the post explained, “It is unknown how many times the breached data files have been downloaded. Though, the files were stripped of credit card data, it is still relatively easy to connect the dots and identify thousands upon thousands of users who subscribe to this adult site.”
Security is one area in which adult and porn sites are far behind, and no matter how you feel about sex work and adult entertainment, they are arenas in which strong security should be a priority for all involved. Porn industry trade association Free Speech Coalition, for its part, is trying to lead the charge. They recently released a brief with the Center for Democracy and Technology (CDT) to try and push porn sites to level up their secure connections and use https. Right now, generally the adult sites which have better security are indies outside the mainstream industry, like queer porn sites and sex culture blogs (like mine).
Hopefully we don’t need to have another OPM-of-adult security tragedy, like the FriendFinder debacle, to see the leading porn sites with the majority of users get up to speed in the fight against hack attacks. Right now, giants like Pornhub and Brazzers don’t have https.
Encouraging adult sites to make small changes for better security, from hookup networks such as FriendFinder to porn tube sites, is a larger undertaking than you’d think. The idea that there is one “adult industry” is little more than that, an idea. In reality it’s a wide variety of small business entrepreneurs and large legacy businesses, with a ton of independent contractors constantly flowing through the global network. Minus access to the regulated business tools and safe promotional channels every other business in the world can use, of course, because of the stigma.
That stigma also makes it a highly targeted sector. So it’s refreshing to see organizations like the Center for Democracy and Technology trying to help coordinate security changes like https for such a controversial industry without judgement.
But in order for it to work, adult mega-empires like FriendFinder will need to stop hiding behind press releases and own up to their security shortcomings. They’ll need to be better than the businesses that aren’t forced to live in the shadows, and they’ll need to do what those businesses aren’t doing: listen to hackers.
With the stunning size of this breach, let’s hope they do — for everyone’s sake.
BMW and Baidu end self-driving car partnership
Last June, BMW and Baidu announced they would work together on self-driving car technology. Reuters reports that the automaker and Chinese tech company are now ending the joint research project. Baidu had been using BMW 3 sedans to perform on-road tests in China and had plans to do the same in the US.
The announcement leaves Baidu searching for a global partner to help meet its lofty goal of making self-driving cars a reality for consumers by 2018. The tech company explained to Reuters that it’s using Ford vehicles for testing now. Baidu already has ties to the US-based automaker as the two both invested in Velodyne, a company that makes LIDAR sensors that are essential for autonomous vehicle navigation. Ford also has plans to put self-driving cars on the road via a ride sharing service by 2021.
BMW China CEO Olaf Kastner told Reuters that the company and Baidu decided to end the partnership after the two parties had a disagreement on how the research project should proceed. “We now have found that the development pace and the ideas of the two companies are a little different,” he said. Kastner didn’t go into specifics, but he did mention that the split comes after BMW and Baidu developed automatic overtaking technology or the ability for autonomous vehicles to pass other cars at various speeds. That behavior is widely seen as a key milestone in bringing self-driving cars to public roads.
While BMW and Baidu may not be working jointly on self-driving tech itself, they will continue their high-definition mapping effort together. Detailed and accurate maps are also crucial to autonomous vehicle navigation. Back in August, Baidu revealed a self-driving Chery EQ: a much smaller EV that’s better suited for the Chinese market. That vehicle can drive around 120 miles before needing to recharge.
Source: Reuters
Samsung Pay on the Gear S3 works with any Android smartphone
Samsung’s constantly trying its hand at exclusive apps and services it hopes will add value to its products, even though this strategy has been responsible for more than a few flops. Samsung Pay is one of these exclusive services, but the company has decided to change tack slightly with its newly launched Gear S3 smartwatches. Samsung confirmed on Twitter that its new wearables support mobile payments regardless of the brand of Android smartphone they’re paired with. Good news for anyone that’s steering clear of the company’s handsets following the Note 7 debacle, then.
Previously, a Samsung smartphone has been a strict requirement, even if you’ve been settling up using the device on your wrist. With the Gear S3 duo, though, all you need is a handset running Android 4.4 KitKat or above for Samsung Pay to work. To be clear, Samsung isn’t releasing its mobile payment app far and wide, squaring up to Android Pay in the process. Instead, you manage your Samsung Pay account within the Samsung Gear app.
Opening the door to other Android handsets makes a lot of sense, as it means potential customers without a Samsung smartphone won’t be put off by missing out on one of the wearables’ key features. And the news couldn’t come at a better time. The Gear S3 Classic and Frontier have been available in South Korea for a week, but today they’ve launched in several other countries across the world, including in the US and UK.
Whether it’s the sleeker S3 Classic or the busier, more rugged S3 Frontier you’re after, both Tizen-powered wearables start at $350/£349. Various mobile carriers are also on hand to sell you the device, and you might want to check those deals out first if you plan to make use of the Frontier version’s built-in LTE radio.
Via: 9to5Google, Android Central
Source: Samsung (Twitter)
Some Users Experiencing ‘Three Finger Drag’ Issues on New MacBook Pro
A small but growing number of users have reported issues using the “three finger drag” gesture on the new MacBook Pro’s trackpad.
Affected users say the gesture either works only intermittently or does not work whatsoever on both 13-inch and 15-inch late 2016 models.
MacRumors reader Luke said the three finger drag gesture does not work in the upper left side of his MacBook Pro’s trackpad.
I have the new 15-inch MacBook Pro with Touch Bar, and it seems there is an issue with the trackpad. Although it is enabled, the three-finger drag feature doesn’t work in the upper left side of the track pad. It’s most bizarre.
Some users have speculated the trackpad’s palm rejection feature could be to blame, particularly since the gesture appears to be buggiest along the edges.
A handful of topics have been posted about the issue on the MacRumors discussion forums (1, 2, 3, 4) and Apple Support Communities over the past few weeks.
MacRumors reader David:
With the 13-inch MacBook Pro, I switched to three finger drag, and the palm rejection kind of gets in the way. If you go from typing to try and drag a window, you have to hit the center of the trackpad with your finger tips, or it doesn’t register.
MacRumors reader Mustafa:
I always enable 3 finger drag. Ever since OS X 10.11, Apple tucked that feature away under Accessibility. I turned it on as usual and I am finding that it does not always move the windows as intended.
Apple Support Communities user Darren:
Try to enable three finger drag and do a 3 finger drag gesture on the bottom left of the trackpad. There is a 40% chance that it’s wrongly detected as a secondary click. Sometimes it failed to detect 3 finger drag at the middle of the trackpad as well.
MacRumors forum member C.clavin:
Just bought a 2016 15″ MacBook Pro and I am having an issue with the 3 finger drag. Since enabling the gesture, it works about 50-60% of the time. It’s strange because it works at times on one window, and not others, and sometimes not at all.
“Three finger drag” is a Multi-Touch gesture supported on both traditional and Force Touch trackpads on many MacBook Pro models. It lets you use three fingers to move the active window on your screen without clicking.
On OS X Yosemite and later, the gesture can be toggled on by clicking on System Preferences > Accessibility > Mouse & Trackpad > Trackpad Options > Enable Dragging. Select “three finger drag” from the dropdown menu and check off the box.
Apple does not appear to have publicly acknowledged the issue, while it remains unclear if the issue is software or hardware related. If related to software, the issue will likely be addressed in a future macOS Sierra update.
MacRumors Giveaway: Win a Cozmo Robot From Anki
For this week’s giveaway, we’ve teamed up with Anki to offer MacRumors readers a chance to win one of Anki’s new Cozmo robots. Cozmo is an adorable little robot that’s able to explore and react to the environment, play games, and interact with people in unique ways.
Priced at $179.99, Cozmo comes with a charging stand and three interactive Power Cubes that the robot can stack up, knock over, and use for games like Quick Tap and Keepaway. Cozmo rolls along on four tread-covered wheels, manipulating objects with an attached arm, while a front display lets you know just what Cozmo’s feeling. Anki has designed Cozmo to have a mischievous temperament that changes over time.
Each palm-sized Cozmo develops a unique personality based on daily activities and interaction. Cozmo owners are encouraged to play games and meet a series of daily goals listed in the Cozmo app to keep Cozmo healthy and happy, and over time, Cozmo will develop new capabilities and unlock new skills, furthering what Cozmo can do.
At first, Cozmo might only be able to roll and stack cubes, but later, he’ll learn to stack additional cubes and perform tricks like wheelies. Play also unlocks new games and activities, and additional content is added through app updates. There’s also an open source Cozmo SDK that allows Cozmo to be connected to third-party APIs like Twitter, Hue, and IFTTT.
Cozmo is made from more than 300 parts, with four motors and over fifty gears. A 30 fps camera equipped with facial recognition capabilities allows Cozmo to recognize different people and remember interactions over time, while the front display and unique sounds add charm.
Cozmo can be purchased directly from Anki or from Amazon, but we’ve got one to give away. To enter to win, use the Rafflecopter widget below and enter an email address. Email addresses will be used solely for contact purposes to reach the winner and send the prize. You can earn additional entries by subscribing to our weekly newsletter, subscribing to our YouTube channel, following us on Twitter, or visiting the MacRumors Facebook page.
Due to the complexities of international laws regarding giveaways, only U.S. residents who are 18 years of age or older are eligible to enter. To offer feedback or get more information on the giveaway restrictions, please refer to our Site Feedback section, as that is where discussion of the rules will be redirected.
The contest will run from today (November 18) at 11:30 a.m. Pacific Time through 11:30 a.m. Pacific Time on November 25. The winner will be chosen randomly on November 25 and will be contacted by email. The winner will have 48 hours to respond and provide a shipping address before a new winner is chosen.
Anki is also planning to give away a Cozmo robot on Instagram, so make sure to follow Anki on Instagram, Facebook, and Twitter for more details on Cozmo and a chance to win additional giveaways.



