Facebook ‘too slow to deal with hack’, says singer

A musician whose Facebook account was hijacked has urged the company to make it easier for people to recover control of their social media pages.

Country and gospel singer Philippa Hanna said Facebook was difficult to contact and took several days to act.

The attacker changed her contact details and username, so Ms Hanna was locked out of her own account, and even mocked her followers.

The company says it has a dedicated reporting channel but is investigating.

Ms Hanna has supported Lionel Richie, Leona Lewis and Little Mix on tour and has more than 5,000 friends and 6,000 followers on Facebook.

She was concerned by the hijack because she used her account to promote her music, and her account was linked to another website that stored her bank details.

Automated emails

According to Ms Hanna, South Yorkshire Police told her to look the problem up on Google.

The police force has been contacted by the BBC for comment.

Ms Hanna said she contacted Facebook as soon as she realised what had happened, but found it very difficult to get a response.

“One of the worst things was being stuck in a loop of automated emails telling me to try the same things I had already tried,” she said.

“My friends were trying to report the page, but Facebook kept coming back, saying ‘there’s nothing offensive about this account’.

“There wasn’t the option to say the page had been hijacked. There was a ‘fake account’ option, but mine was not fake. It was stolen.”

Mother ‘unfriended’

Ms Hanna admits that the email address she had used to set up her account was no longer active, so Facebook could not send her a reset link to unlock it.

But she was disappointed that one of Facebook’s automated suggestions was to delete the account.

“After 10 years of building it up, using it for my career as an independent musician, I thought that was not acceptable. It felt like a kick in the guts after 10 years of devoted data entry.”

While the attacker did not make any demands or public posts, the person, who appeared to be logging in from Turkey, did change her friends list and “unfriended” her mother.

The attacker also sent a private message full of laughing emojis to a fan who had messaged the singer about their mental health.

“That was when I got really annoyed – to me this is a public safety issue,” Ms Hanna said.

“I have vulnerable people who trust me and this hacker was mocking that, pretending to be me.”

‘Amazing’ platform

Ms Hanna put a note on Instagram explaining that she had been hacked on Facebook.

When she woke up the following day, she discovered the post had been removed and she had received an email saying somebody had been trying to change her settings.

“It was really eerie – he was censoring my Instagram to keep himself protected.”

She thinks she may have come to the attention of the hacker after a video of her singing an Ed Sheeran song went viral, attracting more than 18 million views.

“I certainly don’t hate Facebook. It’s an amazing platform,” she said.

“But it really needs to give serious thought into how to protect people.”

Dedicated reporting channels

Ms Hanna says she now has her account back.

“The lady who eventually helped me was an angel. There are amazing, clever people at Facebook – but it’s far too hard to get to them,” she said.

“There should be an emergency helpline. I would gladly have paid a premium charge to speak to someone if only it had been an option. It would have been worth doing to protect my followers.”

Facebook said it was investigating what had happened.

It said: “We want everyone to have a positive experience on Facebook which is why we have a dedicated reporting channel on our Help Centre for people to secure their account if they think it has been compromised.”

Bug hunters: The hackers earning big bucks… ethically

The term hacker is often used pejoratively, but the ability to spot weaknesses in companies’ software and cyber-security systems is in high demand. Ethical hackers are now earning big bucks and the industry is growing.

James Kettle is a bug hunter – not of the insect kind, but of software.

He scans through pages of code looking for mistakes – weaknesses that criminals could exploit to break into a company’s network and steal data.

His computer science degree was a little slow-paced for his tastes so he looked around for something else to do and came across “bug bounty” programmes run by Google and browser maker Mozilla.

These are schemes that pay cash to hackers for spotting mistakes, or bugs, in companies’ software.

“They really made you work hard for each one and it took about 50 hours per valid bug I found,” he recalls.

The payoff, apart from the cash, was that he was struck by an insatiable desire to keep finding flaws in code. And this eventually turned into a lucrative career.

And he’s very good at his job.

What you need to find bugs

  • Insatiable curiosity
  • Solid technical expertise in web and networking technologies
  • Patience and dedication
  • Puzzle-solving abilities

He’s now one of the top-earning bug finders on Hacker One, a service that matches hackers with companies and governments looking for experts to test their software.

These elite ethical or “white hat” hackers can earn more than $350,000 (£250,000) a year. Bug bounty programmes award hackers an average of $50,000 a month, with some paying out $1,000,000 a year in total, say industry insiders.

Finding a bug that has never been found before is very rare and can lead to significant payouts, perhaps in the hundreds of thousands.

Mr Kettle works for software company PortSwigger, which makes the Burp Suite tool that many hackers use to probe websites to see if they are ripe for exploitation.

“I find new ways of hacking into websites and automating that, and I use bug bounties to prove my new techniques work,” Mr Kettle tells the BBC.

“It’s fun and challenging.”

Most software contains mistakes because it’s been written by fallible humans, and criminals are constantly scanning code for these vulnerabilities, often using automated tools.

So it’s a race to find these weaknesses before the bad guys, or “black hat” hackers, do.

The problem is that until recently few firms had enough eyes to throw at the problem. So they’ve been crowdsourcing expert help from firms such as Hacker One, Bug Crowd and Synack.

These act like agents for vetted ethical hackers, managing the bug bounty programmes, verifying the work done, and ensuring confidentiality for their clients.

Hacker One, the largest of the three best-known bug bounty firms, has more than 120,000 hackers on its books and has paid out more than $26m (£18.5m) so far, says Laurie Mercer, a senior engineer at the firm.

“Bug bounty programmes offer a way for organisations to ‘outsource’ application security testing, but it comes at a cost,” says Bob Egner, vice-president at security firm Outpost24.

“You have to pay a crowdsource bug bounty vendor to introduce your application to their independent researchers, manage the programme for you, and ultimately pay for any bounties required.”

But the risk of not doing enough to find these vulnerabilities is a potential hack attack resulting in stolen data, financial loss and damaged reputation. According to a recent report by security firm Nuix, 71% of black hat hackers say they can breach the perimeter of a target within 10 hours.

Swedish bug hunter Frans Rosen is using his bounty income to fund tech start-ups.

“We use the bug bounty money as the seeding investment,” he says. “It’s a fun way to use the money.”

The cash enables the start-ups to get established and do some development of their products or apps, he says. As a former web developer, he knows what can go wrong when websites are being set up and run.

“After that we help them get the scale investment to fund them properly,” he says.

Not all hackers who find bugs work for an established security firm, however, so being represented by a company such as Hacker One or Bug Crowd gives them credibility when they want to alert companies to security vulnerabilities.

Security tester Robbie Wiggins says telling a firm that its website or apps can be hacked is always tricky.


Often there is no formal reporting structure, he says, apart from a generic admin email address. Bug bounty firms help get the error reports in front of the right people.

But the rapid growth in bug bounty programmes and the significant cash rewards have made it a crowded field, he says.

“It’s constantly changing and finding bugs is getting harder.”

So he specialises in finding firms that have made mistakes configuring their Amazon cloud storage (S3) buckets. So far, he’s found more than 5,000 that look like they are wrongly open to the public.
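The kind of mistake Mr Wiggins hunts for can be read straight off a bucket’s own configuration. The following is an added example, not code from the article or from any of the people or firms it quotes: it takes a bucket policy, a bucket ACL and a Block Public Access configuration in the shapes the S3 API returns them (the policy document, the `Grants` list from get-bucket-acl, the four flags from get-public-access-block) and reports grants that reach the public internet. The bucket name, account ID, role and VPC endpoint identifiers in the sample documents are made up.

```python
# Group URIs S3 uses for "everyone" and "any AWS account" in bucket and object ACLs.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous caller list or download objects.
EXPOSING_ACTIONS = {"*", "s3:*", "s3:GetObject", "s3:ListBucket"}


def _as_list(value):
    """Policy elements may be a single string/dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True if a statement's Principal grants to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy):
    """Allow statements granting exposing S3 actions to any principal.

    Returns (Sid, exposing actions, has_condition). A Condition such as
    aws:SourceVpce may make the grant non-public in practice, so it is
    reported for review rather than silently accepted or dropped.
    """
    findings = []
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        exposing = [a for a in _as_list(stmt.get("Action")) if a in EXPOSING_ACTIONS]
        if exposing:
            findings.append((stmt.get("Sid", "<no Sid>"), exposing, bool(stmt.get("Condition"))))
    return findings


def public_acl_grants(acl):
    """ACL grants to AllUsers/AuthenticatedUsers: the 'public-read' style misconfiguration."""
    grants = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            grants.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return grants


def assess_bucket(policy, acl, block_public_access):
    """Combine policy, ACL and Block Public Access flags into a list of exposure findings.

    RestrictPublicBuckets confines a public bucket policy to the owning account's
    principals and IgnorePublicAcls makes public ACL grants inert, so with either
    flag set the corresponding grant is no longer reachable from the internet.
    """
    block = block_public_access or {}
    findings = []
    if not block.get("RestrictPublicBuckets", False):
        for sid, actions, conditioned in public_policy_statements(policy):
            note = ", subject to a Condition (review it)" if conditioned else ""
            findings.append(f"policy statement {sid} grants {', '.join(actions)} to everyone{note}")
    if not block.get("IgnorePublicAcls", False):
        for group, permission in public_acl_grants(acl):
            findings.append(f"ACL grants {permission} to {group}")
    return findings


# Constructed sample documents; bucket, account, role and endpoint identifiers are made up.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}],
}
SAFE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
EXPOSED_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {key: True for key in NO_BLOCK}

if __name__ == "__main__":
    for label, block in (("without Block Public Access", NO_BLOCK), ("with Block Public Access", FULL_BLOCK)):
        print(label + ":", assess_bucket(EXPOSED_POLICY, EXPOSED_ACL, block) or ["no public exposure"])
```

To run this against real buckets, feed it the output of boto3’s `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` for each bucket. Two caveats: individual objects can carry their own public ACL, which a bucket-level check does not see, and a `Condition` on a public grant needs a human to decide whether it actually narrows the audience.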

“Bug bounty hunting is now a hobby and helps every now and again when I need some extra cash for the kids,” he says.

Another advantage of such programmes is that they can keep hackers away from the dark side.

“Bug bounty programmes provide a legal alternative for tech-savvy individuals who might otherwise be inclined to the nefarious activities of actually hacking a system and selling its data illegally,” says Terry Ray, chief technology officer for data security firm Imperva.

Perhaps it’s time more hackers came in from the cold?


Russia to block Telegram app over encryption

A court in Moscow has approved a request from the Russian media regulator to block the Telegram messaging app immediately.

The media regulator sought to block the app because the firm had refused to hand over encryption keys used to scramble messages.

Security officials say they need to monitor potential terrorists.

But the company said the way the service was built meant it had no access to customers’ encryption keys.

Telegram had missed a deadline of 4 April to hand over the keys.

Russia’s main security agency, the FSB, has said Telegram is the messenger of choice for “international terrorist organisations in Russia”.

A suicide bomber who killed 15 people on a subway train in St Petersburg last April used the app to communicate with accomplices, the FSB said last year.

The app is also widely used by the Russian authorities, Reuters news agency reports.

In its court filing, media regulator Roskomnadzor said Telegram had failed to comply with its legal requirements as a “distributor of information”.

Telegram’s lawyer, Pavel Chikov, said the official attempt to stop the app being used in Russia was “groundless”.

“The FSB’s requirements to provide access to private conversations of users are unconstitutional, baseless, which cannot be fulfilled technically and legally,” he said.

The messaging app is widely used across Russia and many nations in the Middle East, as well as around the rest of the world. It says it has more than 200 million active users.

Its popularity has grown because of its emphasis on encryption, which thwarts many widely used methods of reading confidential communications.

It allows groups of up to 5,000 people to send messages, documents, videos and pictures without charge. All of that traffic is encrypted, but only its one-to-one “secret chats” are end-to-end encrypted; ordinary and group chats are encrypted between the app and Telegram’s servers, where the company can read them.

Telegram has been used by the Islamic State (IS) group and its supporters though the company says it has made efforts to close down pro-IS channels.

Scammers abused Facebook phone number search

Facebook was warned by security researchers that attackers could abuse its phone number and email search facility to harvest people’s data.

On Wednesday, the firm said “malicious actors” had been harvesting profiles for years by abusing the search tool.

It said anybody who had not changed their privacy settings after adding their phone number should assume their information had been harvested.

One security expert told the BBC the attack had been possible “for years”.

How did the attack work?

Until Wednesday, Facebook let people search for their friends’ profiles by typing in a phone number or email address.

The company has now disabled the ability to search by phone number.
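Before the feature was pulled, the abuse described above would have been visible in the lookup logs as one actor walking through a block of numbers with almost no matches. The following is an added example and not Facebook’s own code or telemetry: the log format is an assumption made up for the example, the detector is a sliding-window count of distinct lookup keys per actor, and the sample lines are constructed (UK 07700 900xxx numbers are reserved for fiction; the addresses are documentation ranges).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (made up for this example): one line per reverse lookup, recording
# who searched, from where, by phone or email, for which key, and whether it matched a profile.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) actor=(?P<actor>\S+) lookup=(?P<kind>phone|email) "
    r"key=(?P<key>\S+) hit=(?P<hit>[01])$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["hit"] = rec["hit"] == "1"
    return rec


def sequential_share(keys):
    """Fraction of numeric keys that sit exactly +1 from the next one: a walk through a number block."""
    nums = sorted(int(k) for k in keys if k.lstrip("+").isdigit())
    if len(nums) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return round(adjacent / (len(nums) - 1), 2)


def find_enumerators(lines, window=timedelta(minutes=10), max_distinct=10):
    """Flag actors that query more than max_distinct distinct keys inside any `window`.

    Returns {actor: stats}. The stats describe the latest offending window so a
    responder can see the hit rate (scrapers guess, real users know the number)
    and whether the keys were consecutive.
    """
    by_actor = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_actor[rec["actor"]].append(rec)

    flagged = {}
    for actor, recs in by_actor.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()
        for rec in recs:
            recent.append(rec)
            while recent[0]["ts"] < rec["ts"] - window:
                recent.popleft()
            keys = {r["key"] for r in recent}
            if len(keys) > max_distinct:
                flagged[actor] = {
                    "distinct_keys": len(keys),
                    "hit_rate": round(sum(r["hit"] for r in recent) / len(recent), 2),
                    "sequential": sequential_share(keys),
                    "sources": sorted({r["src"] for r in recent}),
                }
    return flagged


# Constructed sample: one ordinary user looking up a few contacts, one actor sweeping
# twelve consecutive numbers in a minute and finding only one of them.
SAMPLE_LOG = [
    "2018-04-04T09:58:10Z src=203.0.113.7 actor=u_alice lookup=phone key=+447700900321 hit=1",
    "2018-04-04T09:59:02Z src=203.0.113.7 actor=u_alice lookup=email key=bob@example.com hit=1",
    "2018-04-04T10:03:40Z src=203.0.113.7 actor=u_alice lookup=phone key=+447700900777 hit=0",
] + [
    f"2018-04-04T10:00:{5 * i:02d}Z src=198.51.100.23 actor=u_scraper lookup=phone "
    f"key=+4477009001{i:02d} hit={1 if i == 5 else 0}"
    for i in range(12)
]

if __name__ == "__main__":
    for actor, stats in find_enumerators(SAMPLE_LOG).items():
        print(actor, stats)
```

The window is keyed on the searching account; a scraper that rotates through many throwaway accounts from the same address or device shows up only if you also key on `src` or a device fingerprint, which is a one-line change to the grouping.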

Elon Musk fans targeted in crypto-cash scam

Fans of entrepreneur Elon Musk have been targeted in an emerging crypto-currency scam.

The scammers pose as celebrities on Twitter and claim to be giving away crypto-cash such as Bitcoin or Ether to their fans.

They ask people to send them a small amount of crypto-currency to qualify for the giveaway, but victims get nothing back.

Twitter has not yet removed the imposter Elon Musk account.

How does the scam work?

The scammers impersonate well-known personalities on Twitter by copying their profile pictures and choosing usernames very similar to the genuine accounts.

They then post replies to popular tweets made by the genuine celebrity. This gives their nefarious messages prominence on Twitter.

Typically, the scammers ask people to send them small amounts of crypto-currency, offering to send a larger amount back as part of a giveaway.

The scam can be convincing, because at first glance it looks like the celebrity has replied to their own tweet.

However, the fake profiles can be detected as they do not have Twitter’s “verified” badge and often have no followers and have never posted before.
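The tells listed above (a near-copy of a real handle, a copied display name, no verified badge, no followers, no post history) can be turned into a simple scoring rule. This is an added example, not Twitter’s own detection logic: the watchlist of genuine accounts and the sample accounts are made up for the demonstration, the homoglyph table is deliberately short, and the edit-distance threshold of 2 is a choice rather than a published figure. Note that a lookalike handle and a copied display name are the signals that matter; low follower and post counts only support them, since every new user has those too.

```python
from dataclasses import dataclass


@dataclass
class Account:
    handle: str          # the @name, without the @
    display_name: str
    verified: bool
    followers: int
    tweets: int


# Assumed watchlist of genuine accounts worth protecting (made up for this example).
GENUINE = {"elonmusk": "Elon Musk", "VitalikButerin": "Vitalik Buterin"}

# Characters commonly swapped in for their look-alikes; Cyrillic о/а/е map to their Latin twins.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "о": "o", "а": "a", "е": "e"}


def normalize(handle):
    """Lower-case, drop underscores and dots, and fold look-alike characters so near-copies compare equal."""
    folded = handle.lower().replace("_", "").replace(".", "")
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in folded)


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_signals(acct, watchlist=GENUINE, max_distance=2):
    """Reasons an account looks like an impersonator, identity signals first; empty if it does not."""
    identity = []
    for real_handle, real_name in watchlist.items():
        if acct.handle.lower() == real_handle.lower():
            continue  # this is the genuine account itself
        distance = levenshtein(normalize(acct.handle), normalize(real_handle))
        if distance <= max_distance:
            identity.append(f"handle resembles @{real_handle} (edit distance {distance})")
        if acct.display_name.strip().lower() == real_name.lower():
            identity.append(f"display name copied from @{real_handle}")
    if not identity:
        return []  # weak-account signals alone mean nothing: every new user has them
    supporting = []
    if not acct.verified:
        supporting.append("no verified badge")
    if acct.followers < 50:
        supporting.append(f"only {acct.followers} followers")
    if acct.tweets <= 1:
        supporting.append("no post history")
    return identity + supporting


def is_likely_impersonator(acct, watchlist=GENUINE):
    """An unverified account carrying an identity signal against the watchlist."""
    return bool(impersonation_signals(acct, watchlist)) and not acct.verified


# Constructed sample accounts: the genuine account, a lookalike of the kind described in the
# article, a fan account that is not pretending to be anyone, and a capital-I-for-l lookalike.
SAMPLE_ACCOUNTS = [
    Account("elonmusk", "Elon Musk", True, 21_000_000, 4_000),
    Account("elonmuskik", "Elon Musk", False, 0, 1),
    Account("elon_fanclub", "Elon Musk Fans", False, 300, 1_200),
    Account("VitaIikButerin", "Vitalik Buterin", False, 3, 0),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f"@{acct.handle}: {is_likely_impersonator(acct)} {impersonation_signals(acct)}")
```

The comparison against the real handle is done on the raw lower-cased string, not the normalised one, so a handle that differs from the genuine one only by a Cyrillic letter is scored as a distance-0 lookalike rather than mistaken for the real account.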

Amplified by bots

On Tuesday, an account posing as Elon Musk using the username @elonmuskik tweeted that the entrepreneur was going to “give away” 3,000 Ether, worth about £1.7m.

The scam was amplified by several automated accounts known as bots.

The bots had been dormant since September 2017 and had never posted before, but came to life to chat among themselves about the supposed crypto-cash giveaway.

“Sо nice! Just sent and immediately received back. You’re super fast,” one said.

Vitalik Buterin, co-founder of the Ethereum platform whose currency is Ether (ETH), has been targeted by the scam so many times that he has changed his display name to “No I’m not giving away ETH”.

“No, I’m not giving away ETH… y’all are getting nothing,” he tweeted.

Twitter has been criticised for taking a long time to tackle the problem of bots on its platform.

It told the BBC: “We’re aware of this form of manipulation and are proactively implementing a number of signals to prevent these types of accounts from engaging with others in a deceptive manner.”

At the time of publication, the fake Elon Musk post had been up on the platform for 11 hours and remained visible.