Categories
cyber attack cyber security Data and Security Hack hacking Software TikTok

How to Protect Your TikTok Account from Hackers

TikTok

TikTok, a mobile video-sharing service owned by Beijing-based technology company ByteDance, has been around since 2016. Its popularity shifted into hyper-drive over the past two years, with the user count exceeding 2 billion (according to Craig Chapple, a mobile insights strategist) globally at the time of this publication.

TikTok generated a whopping 315 million installs in Q1 2020 alone, which eclipses any other app’s achievements in terms of quarterly growth.

It’s common knowledge that cybercriminals follow the trends.

Cybercriminals are following the trends — so they treat the hype around TikTok as an opportunity to extend their reach. Haters, spammers, con artists, and malware distributors can weaponize hacked accounts in a snap. Therefore, it’s in every user’s interest to ascertain that their video blogging experience isn’t vulnerable to exploitation.

The good news is, you can benefit from TikTok’s built-in security and privacy features to raise the bar for malicious actors. This article provides simple steps to harden the defenses and make your account a hard nut to crack. Before delving into the protection facet of the matter, though, let’s see what security concerns about this service have been unearthed to date.

Known TikTok Security Loopholes

In early January 2020, experts at cybersecurity company Check Point Research discovered a series of TikTok vulnerabilities that might undermine the protection of one’s account. According to the white hats, a hypothetical attacker could take advantage of these flaws to do the following:

  • Compromise an account and alter its content
  • Erase videos
  • Upload new videos
  • Change the status of private videos to “publicâ€�
  • Obtain the victim’s email address and other sensitive information related to the account

SMS link spoofing is one of the malicious techniques piggybacking on TikTok imperfections. It can cause a great deal of harm with very little effort. This foul play is fueled by a somewhat crude implementation of a feature called “Text yourself a link to download TikTok,� which is available through the platform’s official website.

(Image by Check Point Research, “Tik or Tok? Is TikTok secure enough?� article)

A malefactor can use a proxy tool to skew the underlying HTTP query that consists of a user’s phone number and the legitimate app download link. This interference allows the hacker to substitute the URL with a custom value and thereby send malware-riddled text messages on behalf of TikTok.

Malware distribution and scams are the obvious use cases of this technique. The resulting sketchy site can be a credential phishing page or have exploits onboard.

Offensive mechanisms such as cross-site request forgery (CSRF) or cross-site scripting (XSS) may also kick in to execute malicious JavaScript code surreptitiously. This abuse can entail particularly disruptive outcomes, making it easy for an adversary to tamper with the victim’s browser cookies and perform different actions in their name.

What does the cybercriminal do next?

This access can pave the crook’s way towards removing arbitrary videos, adding new ones, approving followers, and making private content public. The info-stealing facet of this exploitation puts the victim’s sensitive data at risk, including their email address, payment details, and birth date. Thankfully, the company behind TikTok has since released patches for these issues.

Another pitfall is that the service isn’t too fair and square when it comes to users’ privacy.

In March 2020, security researchers exposed more than 50 iOS and iPadOS applications that regularly read the clipboard information. TikTok ended up on that list, too.

Whereas it’s not entirely clear what the application does with this data, such activity resembles eavesdropping at its worst. An additional concern is that an attacker who succeeds in compromising the TikTok app will be able to keep a record of everything the user copies to the device’s clipboard, including credit card details and login credentials for other services.

A malefactor with advanced tech skills can broaden the attack surface.

For instance, a feature called Universal Clipboard plays into crooks’ hands in this regard. It is intended to facilitate the process of copying and pasting between different devices under Apple’s umbrella.

Therefore, if an attacker takes over a TikTok account used on an iOS or iPadOS gadget, they may be able to access sensitive information on a related Mac computer.

For the record, the latest version of TikTok is no longer peeking into clipboard data. However, the aftertaste of past foul play remains. All of the reported caveats have called forth some restrictive moves at the level of governments and military branch departments.

In December 2019, the U.S. Navy banned personnel from using this service, and so did the U.S. Army shortly afterward.

TikTok Account Security Tips

Because a TikTok account is a goldmine of the user’s sensitive information, cybercriminals are lured to find ways to circumvent its defenses and get in. The following red flags may indicate a compromise and should urge you to take immediate action:

  • Your TikTok password, security email address, or phone number tied to the account has been changed.
  • Your username or nickname has been modified.
  • Someone is removing or adding videos behind your back.
  • Messages are being sent without your permission.

This brings us to the techniques that will keep perpetrators from gaining unauthorized access to your account. Below is a summary of TikTok security best practices:

1. Use a Strong Password

No matter how vanilla this recommendation may sound, it’s the stronghold of your account’s intactness. In addition to making your password at least 12 characters long, include special characters (%, $, &, etc.), uppercase letters, and numerals.

Also, make sure it looks as random as possible to prevent crooks from guessing it based on your personal details available on publicly accessible resources such as social networks.

2. Refrain from Reusing Passwords

Data breaches happen, so you don’t want your authentication info for another account to match the TikTok password. Using the same password across different services is a classic instance of a potential single point of failure (SPOF).

3. “Log In with Verification� Feature Can Make Your Day

If you enable the verification by adding your phone number to the profile details, the TikTok platform will be creating a one-time password (OTP) every time you sign in. But note the issue above with your phone number.

As opposed to the better-known two-factor authentication (2FA), the phone technique replaces password protection rather than boosting its efficiency. By the way, the video blogging service under scrutiny doesn’t currently provide 2FA.

A text message with TikTok verification code inside

4. Prevent Your Password from Being Automatically Saved

It goes without saying that password saving is a handy option. In fact, TikTok does it by default.

The whole convenience, though, can be overshadowed by the security risks stemming from this mechanism.

Consider turning the auto password save OFF to err on the side of caution.

  • Tap the Me icon at the bottom right of TikTok main screen.
  • Head to Settings and privacy
  • Select Manage my account
  • Then slide the Save login info toggle to the left — that turns it OFF.

Switch OFF the Save login info option

5. Stay Abreast of Account Usage Statistics

The app’s Your Devices pane lets you know what devices your account is opened on your mobile at any given time.

You may have previously signed in from somebody else’s gadget and forgot to exit the account. This is a benign scenario, though.

If the list includes a smartphone you can’t identify, it might be a heads-up. To make sure you are in the clear, go to Manage my Account, proceed to Security, and take a look at the account activity stats and the list of logged-in devices.

TikTok account activity stats

6. Stay Away from Sketchy Links

Cybercriminals may try to social-engineer you into tapping a hyperlink that leads to a malicious web page hosting a harmful payload. These links may arrive via booby-trapped text messages, phishing emails sent by strangers, or malicious redirects caused by malware.

As one of the abuse techniques demonstrates — the messages can as well impersonate TikTok. Don’t be gullible and ignore them.

7. Think What You Share

Don’t spill any personally identifiable information (PII) such as the email address or phone number in video descriptions. A seasoned hacker may mishandle the info to compromise your account.

What to Do If Your TikTok Account Has Been Hacked?

If you spot the slightest sign of a breach, go ahead and change your account password without a second thought.

Here’s how you do it: go to Settings and privacy — proceed to Manage my account, and follow the on-screen prompts to complete the procedure. As part of the attack remediation, be sure to check the accuracy of your account information on the same screen.

In case you are having issues with this, go to the Report a problem subsection under Support to access the Feedback and help screen. Then, tap the paper sheet icon in the top right corner to submit a support ticket describing your situation in detail.

TikTok Feedback and help section

All in all, TikTok is a great service bringing so many bells and whistles to your fingertips and allowing you to express yourself via nifty videos.

It’s not perfect in terms of security, though. Do your homework and tweak some settings to prevent your account from being low-hanging fruit for a cyberattack. Stay safe.

The post How to Protect Your TikTok Account from Hackers appeared first on ReadWrite.

Categories
Data and Security Hack infoSec Platforms security Tech Web WordPress Security

WordPress Security Fundamentals

wordpress security

WordPress dominates the global market of content management systems (CMS). Its tremendous popularity makes it a lure for malicious actors. The WordPress Core in its current state is fairly secure by design, which explains the relatively small number of hacks exploiting it. Here is a guide to WordPress security fundamentals.

Cybercriminals are increasingly adept at piggybacking on flaws related to WP plugins, themes, hosting providers, and website owner’s security hygiene.

Who is Targeting WordPress and Why?

Most incursions zeroing in on WordPress sites are orchestrated through the use of automated tools such as crawlers and bots.

These entities are constantly scouring the Internet for crudely secured websites. If they pinpoint a documented vulnerability, they take advantage of it in a snap.

Spam

Here’s a little bit of wiki information: spam accounts for roughly 50% of all emails sent.

Malefactors may gain a foothold in your server via a security loophole in a plugin or an outdated version of the WordPress engine to repurpose the server for generating spam.

Siphoning Off Server Resources

Cybercrooks may infiltrate poorly secured WordPress sites, access the underlying servers, and harness their processing power to perform coin mining surreptitiously.

Black Hat SEO

One of the growingly common WordPress hack scenarios is to gain unauthorized access to a website’s database and furtively embed keywords and hyperlinks related to another site.

Embedding keywords and hyperlinks is a shortcut to hijacking and boosting the rankings of an attacker’s site on search engines.

Info-Stealing Foul Play

Seasoned hackers know the true value of data, especially in such areas as e-commerce and user behavior patterns. Felons can rake in hefty profits by retrieving this information and selling it to interested parties on the Dark Web.

Your Top Priority 

WordPress security should be every webmaster’s top priority as remediating a hacked WordPress site is easier said than done. You have to assess every single line of code to spot dodgy content, eliminate it, and re-enter valid strings.

Another thing on your to-do list is to change all authentication details, including database and server passwords.

Another facet of the issue is that the search rankings of a compromised website may deteriorate dramatically down the road, which translates to fewer visitors and lower monetization.

An extra thing to consider is that people won’t go to a site unless they trust it. A breach will most likely impact your reputation, which takes a lot of time and effort to restore.

WordPress Security: The CIA Triad

In information security terms, the CIA acronym stands for “confidentiality, integrity, and availability.� This CIA model is the stronghold of every digital security initiative. When it comes to WordPress, the anatomy of CIA is as follows:

Area 1: Confidentiality

  • Sensitive Data

WP plugins, themes, and global variables are a Pandora’s box filled with confidential information or breadcrumbs leading to such data. If you slip up by setting the value of WP_DEBUG parameter to “trueâ€� rather than “false,â€� this will unveil the path to your websites’ root directory. You don’t want that.

Author pages can also be verbose in this context because they often include usernames and email addresses. An attacker may try to guess or brute-force an author’s password. If it isn’t strong enough, a site compromise is imminent.

  • User Credentials

To its credit, the WordPress platform takes password strength seriously, helping users avoid the scourge of weak credentials. However, these efforts might not be enough.

An additional technique that can make an attacker’s life harder is to enable two-factor authentication. Restricting the number of failed sign-in attempts is worthwhile, too.

Area 2: Integrity

  • Data Verification

WordPress is committed to handling data securely and does a lot to ensure this. But, these mechanisms don’t work beyond its core, so web developers should get the hang of validating the rest of the code.

Using a site’s database directly could be a less secure approach than leveraging features like “update_post_meta.� The latter can fend off SQL injection, a sketchy tactic aimed at executing harmful code via forms embedded in a web page.

The harmful code tactic can become a launchpad for depositing dangerous strains of Windows and Mac malware onto visitors’ computers.

To thwart SQL injection raids when running a complex query or when handling a custom table, it’s best to apply the WPDB class combined with the “Prepare� function for all queries.

  • Query Sanitation

Queries related to WordPress site management are generally secure as long as SSL is turned on and you resort to trustworthy hosting services. But not all hosting services are trustworthy, so this isn’t a bulletproof ecosystem.

It’s in your best interest to monitor user intentions and ascertain that an incoming query comes from a registered user.

WordPress employs what’s called nonces to verify actions initiated by users. These security tokens are formed alongside every user-originated request. Since nonces are paired with specific URLs, they are subject to mandatory inspection on the receiving side before the request is executed.

  • Third-Party Code

Most WordPress compromise incidents revolve around vulnerable plugins, themes, and unpatched versions of the WordPress engine. In other words, the less third-party code the smaller the attack surface.

In case you can’t do without a specific WP component of that sort, be sure to do your homework and scrutinize it first. The things you should pay attention to include the user feedback, the date its latest build was released, and the PHP version it supports.

Additionally, check expert reviews on well-established security resources such as Wordfence.

Area 3: Availability

  • Updates

As far as the WordPress engine is concerned, it gets security updates automatically. However, the process isn’t as hassle-free with themes and plugins. You may have to check for updates and install them manually.

Furthermore, it might be a bumpy road because you can’t be sure that these third-party entities work flawlessly until they are tested extensively. Users often go through a lot of trial and error with them.

  • User Roles and Privileges

Sensitive data should be safe as long as it’s in the right hands. Therefore, you need to diversify access permissions to ascertain that each user can’t access more information than they actually need. A great way to manage privileges is to create user roles. The user roll technique will also prevent third-party components from tweaking the WordPress Core files.

  • Email

WordPress works with email at the level of the server it’s installed on. To protect it from snoops, you should consider using the SMTP communication protocol.

There are numerous plugins that facilitate the process of sending emails via a tamper-proof SMTP connection.

You will need to add a new Sender Policy Framework (SPF) record, which requires access to the domain name’s DNS settings. The above-mentioned record is tasked with ensuring that the domain allows the SMTP service to send emails.

  • Auditing

The importance of keeping tabs on data integrity stems from the fact that attackers will be able to modify the code if they manage to access the server.

Thankfully, this issue can be addressed by means of specially crafted plugins. For example, the security plugin by Sucuri is a good choice. It checks your entire file database for a plethora of harmful code samples.

  • Backups

If you’re using a trusted hosting provider, it most likely performs the whole backup routine for you.

Even if your provider doesn’t offer an automatic backup feature for your site, there are plenty of alternative options to choose from. For instance, some services can back it up to cloud storage like Amazon S3 or Dropbox.

  • Hosting services

Low-quality hosting services are a common source for adverse scenarios where WordPress websites run obsolete PHP versions. There tends to be a big gap between managed hosting and one that simply provides a directory with database access.

You would always be better off finding a reputable managed hosting for your WordPress site. Although this could be a pricey option, you can rest assured that the security will be at a decent level.

Summary

The WordPress engine itself is getting regular updates that deliver patches and improvements, and the ecosystem around it isn’t nearly as secure.

The good news is, if you follow safe practices when installing themes and plugins, adding new user roles, and writing new code, your website should be on the safe side.

The post WordPress Security Fundamentals appeared first on ReadWrite.

Categories
Airdrop Data and Security dating Lifestyle Mobile online dating Platforms social apps Tinder

The Curious Case of Using Airdrop as a Tinder Alternative

airdrop as tinder alternative

Back in 2011, Apple engineers masterminded an awesome feature called AirDrop. It’s intended to facilitate file transfers among supported devices. The process is amazingly simple and doesn’t require device pairing at all — it works out of the box and only takes a few clicks or taps to complete a file exchange. Here is the curious case of using Airdrop as a Tinder alternative.

AirDrop uses a combo of Wi-Fi and Bluetooth protocols so the data transfer speeds are huge.

Interestingly, some tricks may allow you to extend the use of this feature beyond simply sending files.

For example, you can find out the phone number of another person who is in the same subway car with you. I’ve been recently using this feature to meet new people on my way to work, in public transport, and all kinds of diners.

Sometimes I walk out of the subway with a new friend. Intrigued? Here are ins and outs I’ve found of using the unorthodox way of using AirDrop.

How AirDrop works

AirDrop is a service for data transfers within a peer-to-peer network. It can function via a classic local network and over the air between any Apple devices. I’m going to dwell on the latter scenario, where two nearby devices don’t have to be connected to the same network.

For instance, two people are riding the subway and their smartphones aren’t connected to the same public Wi-Fi.

To start a data transfer session via AirDrop, the sender’s smartphone broadcasts a BLE (Bluetooth low energy) advertising packet that contains hashed information about the sender’s iCloud account and telephone number.

The packet then requests a connection via AWDL (Apple Wireless Direct Link), which is reminiscent of Android’s Wi-Fi Direct.

On the receiving side, the status of the AirDrop feature can be one of the following:

  • Receiving Off — the device cannot be detected at all.
  • Contacts Only — it can only receive files from the user’s contacts. For the record, a contact is a phone number or email tied to your iCloud account.
  • Everyone — the device can receive files from any users nearby.

Depending on the privacy preferences, the phone will either accept the AWDL connection or it will simply ignore the BLE advertising packet.

If the “Everyoneâ€� option is selected in your privacy settings — then the devices will get connected via AWDS at the next stage. Then, they will form an IPv6 network connection with each other.

AirDrop will be operating within this network as an applied protocol using mDNS (multicast DNS) via standard IP communication.

How to meet new people using AirDrop

You’ve had enough of boring theory, so let’s now move on to practice. Although online dating is very popular, you can grab your smartphone and go hook up with someone offline using modern technology. But first, keep the following nuances in mind:

  • The trick only works if the receiving smartphone is unlocked at the moment.

    Ideally, your target should be gazing at their device. People are mostly looking at their devices places where they are bored — like the subway — or any other place you have to sit there and wait.

  • Take your time.

    A successful “conversion� usually occurs after you send a couple of pics, therefore you need to stay at the same spot for at least five minutes.

    I think of a successful “conversion� as a moment when you negotiate over AirDrop to continue chatting in the messenger. The connection is sometimes hard to do on the go because it could be problematic to figure out right away who has accepted your payload.

    Your target may walk away before you get the chance to settle on further communication.

  • Personalized files work better

    The best payload seems to be an eye-catching piece of media content you’re sending via AirDrop. A vanilla image with a meme in it probably won’t do the trick.

    The content should be aligned with the situation and imply a clear-cut call to action.

The classic method – nothing but the smartphone

This one is suitable for everyone who owns an iPhone, and it doesn’t require any particular skills except the ability to socialize. Turn on the “Everyone� mode in AirDrop settings and head to the subway.

According to my observations, almost all iDevices broadcast the owner’s name, which allows you to easily determine their gender and prep the appropriate payload.

The payload

As previously mentioned, a unique payload is more effective. Ideally, the pic should include the owner’s name. The fun part is that this image used to be shown right on the victim’s display without any extra actions on their end.

The person didn’t even have to tap “Accept� or anything like that, so you could instantly see the reaction.

I mostly created these images using the graphics editing component built into the Notes app, plus a crude version of the mobile Photoshop tool. As a result, I would often have to walk out of the subway car before the right image was ready.

While I was refining my drawing skills, iOS 13 was released. One of the changes introduced in this version is that images received from unfamiliar users are no longer displayed on the screen. Instead of the graphical preview, the person only sees the sender’s name.

In other words, the only way to address the target by name in iOS 13 onward is to specify it in your iPhone settings. For instance, you can rename your device as “Hi Emily!� Speaking of which, here’s a quick tip: you can include emoji in your gadget’s name.

Of course, this technique isn’t nearly as impressive as sending a custom image, but it still increases the odds of the target tapping the “Accept� button.

Further actions are a matter of your creativity and sense of humor. There’s one thing I can say for sure: those who join this game and start replying with images or send you notes are usually very easy-going and interesting people.

On the other hand, those who don’t reply or simply reject your message tend to be snobs who think too highly of themselves. Also, the fear factor plays a role in some cases: shy and oversensitive people are afraid to interact with a pushy stranger.

The bottom line

Your new Airdrop hobby is the perfect way to have fun in the subway. It’s got a wow effect that lures curious people. I bet some of your new acquaintances won’t mind playing along.

Some people might even change their plans and exit the subway at your station to have a coffee together. I’ve met a lot of new people in a year’s time and continue to communicate with some of them.

Unfortunately, not all tricks targeting Apple devices are as harmless as this one. Malicious actors are increasingly infecting Mac computers and iPhones with malware these days, and many of these campaigns also have a flavor of social engineering.

An example is the ongoing adware distribution stratagem that relies on deceptive pop-up alerts stating that your Adobe Flash Player is out of date. Instead of installing the purported update, though, these ads promote browser hijackers and scareware.

To keep your Apple devices safe, avoid application bundles that may conceal malicious code under the guise of benign software. Be sure to keep your operating system and third-party apps up to date – this will address all recently discovered vulnerabilities and harden the overall security of your iOS or macOS device.

Furthermore, refrain from clicking on links received from strangers as they might lead to malware downloads and phishing sites.

It’s a good idea to audit the privacy settings of your most-used apps. In particular, make sure they don’t have access to sensitive data such as your location unless they really need it to work right. Also, keep your devices locked when not in use and specify strong passwords to prevent unauthorized access.

The post The Curious Case of Using Airdrop as a Tinder Alternative appeared first on ReadWrite.