Timehop to Confirm 'Security Incident'

Personal data of 21,000,000 users of a popular service is in the hands of attackers
09 July 2018

The popular service Timehop, created in 2011, is a kind of "time machine" for social network users. It lets users see what they or their friends posted a few years ago, collecting information from Facebook, Instagram, Twitter and even photos from Dropbox.

Last Sunday, the company reported that on July 4, 2018, Timehop was attacked by unknown intruders, and as a result the data of 21 million people leaked.

The company's representatives report that they discovered the breach while the attackers were still active and managed to stop the exfiltration, but for many users it was too late. The attackers managed to steal the email addresses, names and phone numbers of 21 million users.

In addition, "keys that let Timehop read and show you your social media posts (but not private messages)" were compromised. The developers assure that all of these keys have already been deactivated and no longer work, and that users need to re-authenticate in the application.

The official statement emphasizes that these tokens do not allow anyone (including Timehop itself) to access Facebook Messenger or private messages on Twitter or Instagram; they grant access only to ordinary posts. In theory, during the incident there was a short window in which unauthorized parties could have accessed the victims' posts. However, there is no proof yet that this actually happened.

Almost no technical details about the incident have been reported yet, as the company continues its internal audit and investigation, involving local and federal law enforcement agencies as well as third-party security experts.

Timehop's representatives acknowledge that the attackers got into the system by compromising the credentials of one of the company's cloud accounts. That account was not protected by multifactor authentication, and only now has the company decided to attend to stronger authentication and access control.

Google to Introduce Tink Cryptographic Library

Google already uses Tink in projects like AdMob, Google Pay, Google Assistant, Firebase and the Android Search App
31 August 2018

Google has introduced an open-source cryptographic library called Tink, with support for Java, C++ and Objective-C, as well as experimental support for Go and JavaScript. Its primitives are built on BoringSSL and the Java Cryptography Architecture (JCA).

Even small mistakes in the use of cryptographic primitives can have serious consequences, and such mistakes have been studied carefully for decades. Most developers do not have that much time, so in creating the new tool the company tried to reduce the number of potential mistakes in its cryptographic APIs.

The core of the library is built on these primitives:

  • AEAD (Authenticated Encryption with Associated Data) for symmetric encryption of blocks and data streams under a fixed key. The tool does not require you to specify particular algorithms and their parameters. With it, you can quickly perform encryption and decryption operations:
    import com.google.crypto.tink.Aead;
    import com.google.crypto.tink.KeysetHandle;
    import com.google.crypto.tink.aead.AeadConfig;
    import com.google.crypto.tink.aead.AeadFactory;
    import com.google.crypto.tink.aead.AeadKeyTemplates;
    import java.nio.charset.StandardCharsets;

    // 0. Register the AEAD key managers (required once per process before any primitive is used).
    AeadConfig.register();
    // 1. Generate the key material.
    KeysetHandle keysetHandle = KeysetHandle.generateNew(
        AeadKeyTemplates.AES256_EAX);
    // 2. Get the primitive.
    Aead aead = AeadFactory.getPrimitive(keysetHandle);
    // 3. Use the primitive (constructed sample inputs in place of the original placeholders).
    byte[] plaintext = "hello".getBytes(StandardCharsets.UTF_8);
    byte[] additionalData = "context".getBytes(StandardCharsets.UTF_8);
    byte[] ciphertext = aead.encrypt(plaintext, additionalData);
    // Decryption must be given the same associated data, or it fails.
    byte[] decrypted = aead.decrypt(ciphertext, additionalData);
  • MAC (Message Authentication Code) for computing and verifying message authentication codes.

Tink also has functions for creating and verifying digital signatures, as well as functions for fast hybrid encryption.
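The following is an added example (not from the article or the Tink project) that shows the property behind the AEAD primitive described above: decryption succeeds only when both the ciphertext and the associated data are exactly what was authenticated, so a flipped bit or a record re-bound to a different context is rejected rather than silently decrypted. It assumes Tink 1.2 or later on the classpath; the inputs are constructed samples.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public final class AeadTamperCheck {
    public static void main(String[] args) throws GeneralSecurityException {
        // Register the AEAD key managers; Tink will not hand out primitives otherwise.
        AeadConfig.register();

        // Fresh in-memory keyset (for production, keep the keyset encrypted under a KMS).
        KeysetHandle handle = KeysetHandle.generateNew(AeadKeyTemplates.AES256_GCM);
        Aead aead = handle.getPrimitive(Aead.class);

        // Constructed sample input. The associated data is authenticated but not encrypted,
        // so it is where you bind context such as the owning user or record id.
        byte[] plaintext = "access_token=abc123".getBytes(StandardCharsets.UTF_8);
        byte[] associatedData = "user:42".getBytes(StandardCharsets.UTF_8);

        byte[] ciphertext = aead.encrypt(plaintext, associatedData);
        byte[] roundTrip = aead.decrypt(ciphertext, associatedData);
        System.out.println("round trip ok: " + Arrays.equals(plaintext, roundTrip));

        // Flip one bit of the ciphertext: the authentication tag no longer verifies.
        byte[] tampered = ciphertext.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("tampered ciphertext rejected: "
                + decryptFails(aead, tampered, associatedData));

        // Same ciphertext presented under another context (e.g. copied to a different user's
        // row) is rejected too, because the associated data is part of what was authenticated.
        byte[] otherContext = "user:43".getBytes(StandardCharsets.UTF_8);
        System.out.println("wrong associated data rejected: "
                + decryptFails(aead, ciphertext, otherContext));
    }

    /** Returns true when Tink refuses to decrypt, which is the expected result for bad input. */
    static boolean decryptFails(Aead aead, byte[] ciphertext, byte[] associatedData) {
        try {
            aead.decrypt(ciphertext, associatedData);
            return false;
        } catch (GeneralSecurityException e) {
            return true;
        }
    }
}
```

All three printed lines should read `true`; a failed decryption surfaces as a `GeneralSecurityException`, never as garbage plaintext.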

Features
Each primitive supports stateless operation, is safe to copy, and uses keys with a length of 128 bits. The library automatically blocks potentially unsafe operations, for example loading keys from unencrypted files on disk. Tink provides an API for rotating keys and for interacting with external key management systems: Google Cloud KMS, Amazon KMS, Android Keystore and Apple iOS Keychain.

The library has a modular architecture: custom primitives can be plugged in and existing ones replaced without changing the final applications. Parts of Tink can also be excluded; for example, if a program only verifies digital signatures, the symmetric encryption components can be removed to reduce the application's code size.

In August 2018, the creators of the WireGuard VPN protocol announced the Zinc cryptographic library, which, once merged into the mainline Linux kernel, is intended to speed up data encryption through a simplified set of crypto algorithms.